From 87984a1a04bc6eb2e2c8a24efac1b35a5cc4bc7b Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 23 Jan 2022 09:49:16 -0500 Subject: [PATCH] Fixes for 5.10 Signed-off-by: Sasha Levin --- ...-add-the-thinkpad-not-charging-quirk.patch | 85 ++ ..._device_always_present-into-acpi_dev.patch | 209 +++ ...lushing-of-ec-work-while-suspended-t.patch | 218 +++ ...-platform-device-for-bcm4752-and-lnv.patch | 79 ++ ...-present-quirk-for-the-pci0.sdhb.brc.patch | 75 + ...pecifying-acpi_device_override_statu.patch | 109 ++ ...m2-device-on-lenovo-yoga-book-from-a.patch | 49 + ...-expand-the-acpi_access_-definitions.patch | 56 + ...fix-the-refclass_refof-case-in-acpi_.patch | 57 + ...-wrong-interpretation-of-pcc-address.patch | 86 ++ ...do-not-flush-cpu-cache-when-entering.patch | 82 ++ ...-avoid-deleting-the-same-object-twic.patch | 48 + ...sing-rwsem-around-snd_ctl_remove-cal.patch | 40 + ...ssing-rwsem-around-snd_ctl_remove-ca.patch | 42 + ...pile-error-when-oss_debug-is-enabled.patch | 41 + ...sing-rwsem-around-snd_ctl_remove-cal.patch | 41 + ...-set-upper-limit-of-processed-events.patch | 87 ++ ...rop-superfluous-0-in-presonus-studio.patch | 64 + ...ix-db-level-of-bose-revolve-soundlin.patch | 57 + ...ysfs-pm-attributes-as-read-only-for-.patch | 55 + ...ptr-deref-with-unexpected-wdcmsg_tar.patch | 63 + ...pressor-avoid-unpredictable-nop-enco.patch | 100 ++ ...8x-add-generic-compatible-to-uart-no.patch | 51 + ...as4220-b-fis-index-block-with-128-ki.patch | 65 + ...map3-n900-fix-lp5523-for-multi-color.patch | 141 ++ ...x-dtbs_check-warning-on-ili9341-dts-.patch | 44 + ...ebug_imx21_imx27_uart-to-debug_imx27.patch | 121 ++ ...le-rcar-gen2-add-missing-of_node_put.patch | 52 + ...-shouldn-t-use-dc-zva-when-dczid_el0.patch | 54 + ...c-fix-spi-nor-flash-node-name-for-od.patch | 38 + ...c-meson-g12-fix-gpu-operating-point-.patch | 43 + ...a-qds-move-rtc-node-to-the-correct-i.patch | 54 + ...vell-cn9130-add-gpio-and-spi-aliases.patch | 48 + ...l-cn9130-enable-cp0-gpio-controllers.patch | 46 + ...on-gxbb-wetek-fix-hdmi-in-early-boot.patch | 46 + ...-gxbb-wetek-fix-missing-gpio-binding.patch | 39 + ...64-dts-qcom-c630-fix-soundcard-setup.patch | 89 ++ ...com-ipq6018-fix-gpio-ranges-property.patch | 41 + ...m-msm8916-fix-mmc-controller-aliases.patch | 40 + ...-dts-renesas-cat875-add-rx-tx-delays.patch | 42 + ...00-main-fix-dtbs_check-serdes_ln_ctr.patch | 37 + ...-j7200-correct-the-d-cache-sets-info.patch | 58 + ...ts-ti-k3-j7200-fix-the-l2-cache-sets.patch | 47 + ...-ti-k3-j721e-correct-cache-sets-info.patch | 51 + ...ts-ti-k3-j721e-fix-the-l2-cache-sets.patch | 47 + ...te-clear-copy-_page-as-position-inde.patch | 65 + ...st-length-of-ccplex-cluster-mmio-reg.patch | 35 + ...tegra194-hda-clock-reset-names-order.patch | 47 + ...a-remove-non-existent-tegra194-reset.patch | 40 + ...fine-the-check-of-available-clock-di.patch | 159 +++ .../asoc-fsl_mqs-fix-module_alias.patch | 33 + ...-test-dmaengine_submit-result-before.patch | 65 + ...mediatek-check-for-error-clk-pointer.patch | 68 + ...mediatek-mt8173-fix-device_node-leak.patch | 78 ++ ...mediatek-mt8183-fix-device_node-leak.patch | 58 + ...le-device_property_read_u32_array-er.patch | 65 + ...g-idma-check-of-ioremap-return-value.patch | 40 + ...op-selecting-non-existing-snd_soc_un.patch | 53 + queue-5.10/ath10k-fix-tx-hanging.patch | 56 + ...dlock-by-change-ieee80211_queue_work.patch | 205 +++ ...se-deadlock-warning-reported-by-lock.patch | 181 +++ ...ll-ptr-access-during-mgmt-tx-cleanup.patch | 119 ++ ...ar-the-keys-properly-via-disable_key.patch | 64 + ...l-pointer-dereference-in-ath11k_mac_.patch | 59 + ...rash-caused-by-uninitialized-tx-ring.patch | 80 ++ ...ing-uninitialized-kernel-timer-durin.patch | 98 ++ ...etsi-regd-with-weather-radar-overlap.patch | 240 ++++ queue-5.10/ath11k-fix-napi-related-hang.patch | 109 ++ ...t-rsn-wpa-present-state-for-open-bss.patch | 59 + ..._stats_cfg-with-proper-pdev-mask-to-.patch | 68 + ...ce-parameters-for-ce-interrupts-conf.patch | 78 ++ ...-bound-memcpy-in-ath9k_hif_usb_rx_st.patch | 90 ++ ...rspace-is-penalized-the-same-as-the-.patch | 71 + ...tialized-variable-in-ax25_setsockopt.patch | 75 + ...led-fix-off-by-one-maximum-with-defa.patch | 133 ++ ...led-override-default-length-with-qco.patch | 65 + ...led-pass-number-of-elements-to-read-.patch | 56 + ...led-respect-enabled-strings-in-set_b.patch | 135 ++ ...led-use-cpu_to_le16-macro-to-perform.patch | 96 ++ ...led-validate-enabled-string-indices-.patch | 60 + ...-netlink-usage-in-unprivileged-conta.patch | 174 +++ ...er-fix-handling-of-error-during-copy.patch | 47 + ...uetooth-btmtksdio-fix-resume-failure.patch | 39 + ...ix-possible-panic-when-cmtp_init_soc.patch | 54 + ...bugfs-entry-leak-in-hci_register_dev.patch | 40 + ...luetooth-hci_bcm-check-for-error-irq.patch | 46 + ...a-fix-null-vs-is_err_or_null-check-i.patch | 39 + ...hci_qca-stop-ibs-timer-during-bt-off.patch | 38 + ...cap-fix-not-initializing-sk_peer_pid.patch | 68 + ...bluetooth-l2cap-fix-using-wrong-mode.patch | 54 + ...uninitialized-variables-in-l2cap_soc.patch | 74 + ...-stop-proccessing-malicious-adv-data.patch | 54 + ...h-vhci-set-hci_quirk_valid_le_states.patch | 35 + .../bpf-adjust-btf-log-size-limit.patch | 37 + ..._log_kernel-log-level-for-bpf-bpf_bt.patch | 81 ++ ...-warn-in-bpf_warn_invalid_xdp_action.patch | 51 + ...e-bogus-looking-registers-after-null.patch | 53 + ...f-so_sndbuf-handling-in-_bpf_setsock.patch | 46 + ...g-check-to-enable-bpf-support-for-br.patch | 96 ++ ...ool-enable-line-buffering-for-stdout.patch | 41 + ...move-bug_on-eie-in-find_parent_nodes.patch | 54 + ...s-remove-bug_on-in-find_parent_nodes.patch | 42 + ...d-missing-newline-to-printed-strings.patch | 44 + ...ing_startstop-fix-set-but-not-used-v.patch | 63 + ...x_can-xcan_probe-check-for-error-irq.patch | 48 + ...event-cgroup-id-fields-should-be-u64.patch | 86 ++ ...r-mwave-adjust-io-port-register-size.patch | 51 + ...bcm-2835-pick-the-closest-clock-rate.patch | 46 + ...2835-remove-rounding-up-the-dividers.patch | 82 ++ ...-remove-kfrees-on-static-allocations.patch | 84 ++ .../clk-imx8mn-fix-imx8mn_clko1_sels.patch | 50 + ...fix-the-sdm_en-bit-for-mpll0-on-gxbb.patch | 144 ++ ...dc-s-clock-turn-off-by-clk_disable_u.patch | 75 + ...d-accidental-unstable-marking-of-clo.patch | 164 +++ ...ce-reduce-clocksource-skew-threshold.patch | 216 +++ ...2-lptimer-cnt-remove-iio-counter-abi.patch | 484 +++++++ ...ialization-of-min-and-max-frequency-.patch | 54 + ...rypto-jitter-consider-32-lsb-for-apt.patch | 57 + ...-fix-spelling-mistake-messge-message.patch | 59 + ...-undetected-pfvf-timeout-in-ack-loop.patch | 59 + ...pfvf-send-message-direction-agnostic.patch | 81 ++ ...e-unnecessary-collision-prevention-s.patch | 60 + ...ce-fix-uaf-on-qce_ahash_register_one.patch | 39 + ...fix-uaf-on-qce_skcipher_register_one.patch | 39 + ...to-stm32-cryp-check-early-input-data.patch | 241 ++++ ...m32-cryp-fix-bugs-and-crash-in-tests.patch | 1214 +++++++++++++++++ ...pto-stm32-cryp-fix-ctr-counter-carry.patch | 78 ++ ...crypto-stm32-cryp-fix-double-pm-exit.patch | 38 + ...pto-stm32-cryp-fix-lrw-chaining-mode.patch | 41 + ...p-fix-xts-and-race-condition-in-cryp.patch | 42 + ...-last-sparse-warning-in-stm32_cryp_c.patch | 37 + ...ert-broken-pm_runtime_resume_and_get.patch | 73 + ...-allow-reading-debugfs-files-that-ar.patch | 40 + ...-defensive-bounds-check-to-insert_at.patch | 45 + ...lloc_dax-error-handling-in-alloc_dev.patch | 40 + ...mon-add-bounds-check-to-sm_ll_lookup.patch | 37 + ...mmp-stop-referencing-config-slave_id.patch | 63 + ...ay-check-top_pipe_to_program-pointer.patch | 47 + ...ay-set-vblank_disable_immediate-for-.patch | 50 + ...-null-pointer-dereference-in-amdgpu_.patch | 65 + ...amdgpu-fixup-bad-vram-size-on-gmc-v8.patch | 61 + ...ay-connector-fix-an-uninitialized-po.patch | 39 + ...mi-handle-eld-when-drm_bridge_attach.patch | 146 ++ ...hips-ensure-both-bridges-are-probed-.patch | 251 ++++ ...n65dsi86-set-max-register-for-regmap.patch | 40 + ...ider-completed-fence-seqno-in-hang-c.patch | 59 + ...ll-ptr-deref-in-drm_dev_init_release.patch | 86 ++ ...ning-when-config_debug_sg-y-config_d.patch | 39 + ...ayport-driver-need-algorithm-rationa.patch | 41 + ...msm-dpu-fix-safe-status-debugfs-file.patch | 41 + ...gm200-avoid-touching-pmu-outside-of-.patch | 104 ++ ...x-p079zca-delete-panel-on-attach-fai.patch | 57 + ...splay-kd097d04-delete-panel-on-attac.patch | 44 + ...ation-quirks-add-quirk-for-the-lenov.patch | 43 + ...n_kms-fix-a-null-pointer-dereference.patch | 122 ++ ...du-fix-crtc-timings-when-cmm-is-used.patch | 82 ++ ...-dsi-disable-pll-clock-on-bind-error.patch | 64 + ...-fix-unbalanced-clock-on-probe-error.patch | 51 + ...i-hold-pm-runtime-across-bind-unbind.patch | 156 +++ .../drm-tegra-vic-fix-dma-api-misuse.patch | 57 + ...vboxvideo-fix-a-null-vs-is_err-check.patch | 40 + .../drm-vc4-hdmi-set-a-default-hsm-rate.patch | 61 + ...mal-fix-definition-of-cooling-maps-c.patch | 67 + ...e-the-quirk-for-version-instead-of-d.patch | 38 + ...d-trim-error-on-fs-with-small-groups.patch | 72 + ...ax-size-check-for-user-space-request.patch | 82 ++ ...ang-in-watchdog-when-disk-is-ejected.patch | 52 + ...l-kernel_getpeername-in-error_report.patch | 144 ++ ...r-user-dlm-messages-for-kernel-locks.patch | 118 ++ ...-fix-build-with-config_ipv6-disabled.patch | 49 + ...use-sk-sk_socket-instead-of-con-sock.patch | 36 + ...or-null-pointer-after-calling-devm_i.patch | 96 ++ ...ert-aspeed_gpio.lock-to-raw_spinlock.patch | 258 ++++ ...not-set-the-irq-type-if-the-irq-is-a.patch | 61 + ...-reset-quirks-when-the-fn-key-is-not.patch | 38 + ...params-invalid-parameter-check-in-uc.patch | 62 + ...-invalid-parameter-check-in-uc.patch-21754 | 53 + ...-invalid-parameter-check-in-uc.patch-23659 | 53 + ...-invalid-parameter-check-in-uc.patch-27529 | 59 + ...ow-inverting-the-absolute-x-y-values.patch | 55 + ...eturn-freed-object-in-hsi_new_client.patch | 35 + ...75203-fix-wrong-power-up-delay-value.patch | 39 + ...ci-fix-to-change-data-types-of-hcnt-.patch | 45 + ...ilently-correct-invalid-transfer-siz.patch | 63 + .../i2c-mpc-correct-i2c-reset-procedure.patch | 70 + .../iommu-amd-remove-iommu_init_ga.patch | 69 + ...e-ga-log-tail-pointer-on-host-resume.patch | 95 ++ ...-arm-fix-table-descriptor-paddr-form.patch | 69 + ...race-between-fq-timeout-and-teardown.patch | 53 + ...isable-redistributors-view-of-the-vp.patch | 63 + ...s-bad-data-after-failed-firmware-loa.patch | 69 + ...d-clearing-a-just-saved-session-prot.patch | 59 + .../iwlwifi-mvm-fix-32-bit-build-in-ftm.patch | 40 + ...-mvm-fix-calculation-of-frame-length.patch | 72 + ...hronize-with-fw-after-multicast-comm.patch | 72 + ...-roc-running-status-bits-before-remo.patch | 67 + ...div_s64-instead-of-do_div-in-iwl_mvm.patch | 56 + ...e-sure-prph_info-is-set-when-treatin.patch | 45 + ...emove-module-loading-failure-message.patch | 51 + ...k-reading-a-page-that-is-used-in-jff.patch | 133 ++ ...uppress-failed-alloc-warning-in-h_co.patch | 44 + ...uppress-warnings-when-allocating-too.patch | 53 + ...dd-the-return-value-check-of-kcalloc.patch | 37 + ...that-.btf-and-.btf.ext-sections-cont.patch | 43 + ...211-allow-non-standard-vht-mcs-10-11.patch | 49 + ...-mode-detect-always-time-out-at-2nd-.patch | 56 + ...ate-signal-status-immediately-to-ens.patch | 66 + ...d-missing-media_device_cleanup-in-at.patch | 44 + ...d-null-check-for-asd-obtained-from-a.patch | 463 +++++++ ...-not-use-err-var-when-checking-port-.patch | 64 + ...media-atomisp-fix-enum-formats-logic.patch | 82 ++ ...media-atomisp-fix-ifdefs-in-sh_css.c.patch | 137 ++ ...x-inverted-error-check-for-ia_css_mi.patch | 79 ++ ...fix-inverted-logic-in-buffers_needed.patch | 49 + ...x-punit_ddr_dvfs_enable-argument-for.patch | 89 ++ .../media-atomisp-fix-try_fmt-logic.patch | 115 ++ ...x-uninitialized-bug-in-gmin_get_pmic.patch | 38 + ...ndle-errors-at-sh_css_create_isp_par.patch | 53 + ...2680-fix-ov2680_set_fmt-clobbering-t.patch | 139 ++ ...tomisp-set-per-device-s-default-mode.patch | 158 +++ ...add-missing-check-in-flexcop_pci_isr.patch | 163 +++ ...coda960-jpeg-encoder-buffer-overflow.patch | 95 ++ ...doa-handle-dma_set_coherent_mask-err.patch | 41 + ...ib8000-fix-a-memleak-in-dib8000_init.patch | 55 + ...x-uaf-when-dvb_register_device-fails.patch | 104 ++ .../media-dw2102-fix-use-after-free.patch | 407 ++++++ ...x-fix-memory-leak-in-em28xx_init_dev.patch | 81 ++ ...dia-hantro-fix-probe-func-error-path.patch | 51 + ...b-receiver-overflow-should-be-report.patch | 39 + ...itialize-the-spinlock-prior-to-using.patch | 51 + ...a-m920x-don-t-use-stack-on-usb-reads.patch | 59 + ...-possible-null-ptr-deref-in-msi001_p.patch | 58 + ...-call-v4l2_m2m_ctx_release-first-whe.patch | 86 ++ ...correct-the-selection-of-hsfreqrange.patch | 83 ++ ...-update-format-alignment-constraints.patch | 69 + ...xium_gemini-fix-a-null-pointer-deref.patch | 74 + ...xium_orion-fix-a-null-pointer-derefe.patch | 74 + ...b-fix-a-null-pointer-dereference-in-.patch | 64 + ...i2157-fix-warm-tuner-state-detection.patch | 61 + ...-fix-possible-memory-leak-in-si470x_.patch | 62 + ...dia-atomisp-pci-balance-braces-aroun.patch | 79 ++ ...ncrease-uvc_ctrl_control_timeout-to-.patch | 45 + ...d-calling-core_clk_setrate-concurren.patch | 210 +++ ...-fix-a-potential-null-pointer-derefe.patch | 43 + ...-fix-a-resource-leak-in-the-error-ha.patch | 61 + ...-venc-vdec-fix-probe-dependency-erro.patch | 343 +++++ ...elpers-control-core-power-domain-man.patch | 124 ++ ...videobuf2-fix-the-size-printk-format.patch | 50 + ...pc-if-return-error-in-case-devm_iore.patch | 41 + ...flexcom-remove-ifdef-config_pm_sleep.patch | 54 + .../mfd-atmel-flexcom-use-.resume_noirq.patch | 56 + ...ic-use-cpu-id-check-instead-of-_hrv-.patch | 88 ++ ..._cpu_mips64_r5-config-for-mips-relea.patch | 52 + ...m63xx-add-support-for-clk_set_parent.patch | 48 + ...onfig-reference-to-phys_addr_t_64bit.patch | 52 + ...antiq-add-support-for-clk_set_parent.patch | 48 + ...ngson64-use-three-arguments-for-slti.patch | 62 + ...put_device-after-of_find_device_by_n.patch | 67 + ...-octeon-fix-build-errors-using-clang.patch | 62 + ...3-config-fix-task-hung-when-firmware.patch | 95 ++ ...ci-add-shutdown-method-in-pci-driver.patch | 96 ++ ...-avoid-flow-control-for-emad-packets.patch | 95 ++ ...toring-of-ocr-for-mmc_quirk_nonstd_s.patch | 57 + .../mmc-meson-mx-sdhc-add-irq-check.patch | 44 + .../mmc-meson-mx-sdio-add-irq-check.patch | 44 + ...-if-check-return-value-of-rpcif_sw_i.patch | 42 + ...us-rpc-if-fix-bug-in-rpcif_hb_remove.patch | 97 ++ .../mwifiex-fix-possible-abba-deadlock.patch | 82 ++ ...x-skb_over_panic-in-mwifiex_usb_recv.patch | 68 + ...g-avoid-printing-debug-logs-when-bon.patch | 71 + ...emini-allow-any-rgmii-interface-mode.patch | 71 + ...7830-handle-usb-read-errors-properly.patch | 56 + ...demote-probed-message-to-debug-print.patch | 40 + ...mand-entry-semaphore-up-once-got-ind.patch | 72 + ...block-routes-with-nexthop-objects-in.patch | 48 + ...5e-fix-page-dma-map-unmap-attributes.patch | 76 ++ ...l-configure-rgmii-delays-for-88e1118.patch | 55 + ...phy-prefer-1000baset-over-1000basekx.patch | 58 + ...-the-queue-counts-in-the-unregistrat.patch | 38 + ...idge-add-support-for-pppoe-filtering.patch | 77 ++ ...usterip-fix-refcount-leak-in-cluster.patch | 48 + ...t_pipapo-allocate-pcpu-scratch-maps-.patch | 58 + ...om-fix-api-breakage-in-nr_setsockopt.patch | 78 ++ ...mem-core-set-size-for-sysfs-bin-file.patch | 37 + ...dle-argument-length-mismatch-error-m.patch | 42 + ...it-dma-address-test-requires-arch-su.patch | 40 + ...warning-on-powerpc-frame-size-warnin.patch | 69 + .../openrisc-add-clone3-abi-wrapper.patch | 63 + ...-calling-faulthandler_disabled-twice.patch | 53 + ...-pci_irq_vector-pci_irq_get_affinity.patch | 97 ++ ...a-fix-setting-of-kthread-task-states.patch | 55 + ...tatic-fix-a-null-pointer-dereference.patch | 56 + ...-fix-a-null-pointer-dereference.patch-3767 | 55 + ...x-missing-check-in-mtk_mipi_tx_probe.patch | 37 + ...3ss-fix-unintended-writing-zeros-to-.patch | 61 + ...m-cpr-use-div64_ul-instead-of-do_div.patch | 38 + ...afety-net-to-supplier-device-release.patch | 137 ++ ...et-mt6397-check-for-null-res-pointer.patch | 38 + ...ix-shift-out-of-bounds-in-kasan-init.patch | 56 + ...0x-map-32mbytes-of-memory-at-startup.patch | 57 + ...ert-some-cpu_setup-and-cpu_restore-f.patch | 619 +++++++++ .../powerpc-6xx-add-missing-of_node_put.patch | 64 + ...owerpc-btext-add-missing-of_node_put.patch | 63 + ...powerpc-cell-add-missing-of_node_put.patch | 57 + ...ix-inaccurate-cpu-state-info-in-vmco.patch | 133 ++ ...dump-appropriately-with-crash_kexec_.patch | 76 ++ ...rpc-irq-add-helper-to-set-regs-softe.patch | 68 + ...-pmu-callbacks-to-clear-pending-pmi-.patch | 275 ++++ ...r0-control-for-pmu-registers-under-p.patch | 114 ++ ...e-perf-irq-nmi-handling-details-into.patch | 202 +++ ...-add-additional-missing-lockdep_regi.patch | 53 + ...mac-add-missing-lockdep_register_key.patch | 61 + ...erpc-powernv-add-missing-of_node_put.patch | 59 + ...t-fix-improper-check-of-prom_getprop.patch | 37 + ...-setup_profiling_timer-under-config_.patch | 44 + ...-fix-missed-watchdog-reset-due-to-me.patch | 111 ++ ...-missing-null-check-after-calling-km.patch | 44 + ...ure-minimum-packet-size-in-ppp_write.patch | 104 ++ ...row-away-excess-input-to-crng_fast_l.patch | 95 ++ ...rent-cpu-as-exp-qs-in-ipi-loop-secon.patch | 61 + ...n-the-whole-bitmap-when-checking-if-.patch | 70 + ..._resolve_ib_dev-continue-search-even.patch | 66 + ..._find_gid-continue-search-even-after.patch | 47 + ...-queue-pair-state-when-being-queried.patch | 37 + .../rdma-hns-validate-the-pkey-index.patch | 37 + ...x-reporting-max_-send-recv-_wr-attrs.patch | 49 + ...l-regmap_debugfs_exit-prior-to-_init.patch | 61 + ...md-align-probe-function-with-rpmh-re.patch | 171 +++ ...-block-offload-of-outer-header-csum-.patch | 51 + .../rocker-fix-a-sleeping-in-atomic-bug.patch | 38 + ...x-out-of-bounds-read-in-rsi_read_pkt.patch | 108 ++ ...se-after-free-in-rsi_rx_done_handler.patch | 88 ++ ...te-rx-settings-to-prevent-potential-.patch | 79 ++ ...etection-of-per-cpu-kthreads-waking-.patch | 48 + ...er-cpu-kthread-and-wakee-stacking-fo.patch | 47 + ...restart-rt-period-timer-when-rt-runt.patch | 99 ++ ...re-install-fix-ctex-support-on-debia.patch | 39 + ...ways-set-request-queue-runtime-activ.patch | 121 ++ ...r-sli4-firmware-dump-before-doing-dr.patch | 188 +++ ...te-warn_on-check-in-pm8001_mpi_build.patch | 42 + queue-5.10/scsi-sr-don-t-use-gfp_dma.patch | 61 + ...ce-conditions-related-to-driver-data.patch | 87 ++ ...x-bpf_object-leak-in-skb_ctx-selftes.patch | 36 + ...-clone3-add-case-clone3_args_no_test.patch | 47 + ...-make-kprobe-profile-testcase-descri.patch | 41 + ...s-avoid-false-negatives-if-test-has-.patch | 40 + ...c-spectre_v2-return-skip-code-when-m.patch | 43 + ...potential-memleak-in-selinux_add_opt.patch | 63 + ...1-do-not-request-memory-region-twice.patch | 106 ++ ...-mctrl-register-state-and-cached-cop.patch | 53 + ...rop-cr-register-reset-on-set_termios.patch | 58 + queue-5.10/series | 399 ++++++ ...fix-referenced-node-in-error-message.patch | 36 + ...x-wrong-node-passed-to-find-nargs_pr.patch | 43 + ...ifc-add-missing-pm_runtime_disable-i.patch | 38 + ...ing-greybus-audio-check-null-pointer.patch | 91 ++ ...-return-error-code-from-rtllib_softm.patch | 71 + ...-rtllib_module-fix-error-handle-case.patch | 72 + ...ix-put-order-in-teedev_close_context.patch | 41 + ...ers-imx-implement-runtime-pm-support.patch | 308 +++++ ...imx8mm-enable-adc-when-enabling-moni.patch | 53 + ...ime-pm-activate-both-ends-of-the-dev.patch | 74 + ...locality-before-write-tpm_int_enable.patch | 44 + ...rror-handling-path-in-tpm_tis_core_i.patch | 44 + ...l-atmel-call-dma_async_issue_pending.patch | 50 + ...-check-return-code-of-dmaengine_subm.patch | 59 + ...isable-ucr4_oren-in-.stop_rx-instead.patch | 70 + ...serial-uartlite-allow-64-bit-address.patch | 39 + ...-fix-error-handling-in-udf_new_inode.patch | 45 + ...-uio_dmem_genirq-catch-the-exception.patch | 41 + queue-5.10/um-fix-ndelay-udelay-defines.patch | 46 + ...ame-function-names-to-avoid-conflict.patch | 104 ++ ...x-time-travel-external-time-propagat.patch | 59 + ...x-null-vs-is_err-checking-in-dwc3_qc.patch | 44 + ...fix-memory-leak-on-device-disconnect.patch | 52 + ...s-use-stream_open-for-endpoint-files.patch | 65 + ...y-for-superspeed-hub-resume-to-let-l.patch | 97 ++ ...uhci-add-aspeed-ast2600-uhci-support.patch | 36 + ...get_user-put_user-reported-by-sparse.patch | 86 ++ ...airing-of-init_scan-finish_scan-and-.patch | 201 +++ ...fix-dma-channel-enable-disable-cycle.patch | 125 ++ ...d-rate-mapping-for-5ghz-legacy-rates.patch | 52 + ...-beacon-not-connection-loss-on-misse.patch | 51 + ...e-band-before-determining-rate-on-rx.patch | 126 ++ ...block-into-reset-before-freeing-memo.patch | 49 + ...e-dma-channel-descriptor-allocations.patch | 38 + ...-fix-a-double-free-in-iwl_txq_dyn_al.patch | 43 + ...sed-move-clang_flags-to-beginning-of.patch | 69 + ...e-config_kallsyms_all-y-in-the-defco.patch | 45 + ...strumentation-during-task-work-queue.patch | 52 + ...void-out-of-bounds-write-when-settin.patch | 55 + queue-5.10/x86-mce-mark-mce_end-noinstr.patch | 66 + .../x86-mce-mark-mce_panic-noinstr.patch | 69 + .../x86-mce-mark-mce_read_aux-noinstr.patch | 36 + ...bal-tlb-when-switching-to-trampoline.patch | 103 ++ ...-variable-into-switch-case-statement.patch | 49 + .../xfrm-fix-a-small-bug-in-xfrm_sa_len.patch | 38 + ...ace-with-if_id-0-should-return-error.patch | 69 + ...sa-mapping-change-message-to-user-sp.patch | 211 +++ ...-policy-should-fail-if-xfrma_if_id-0.patch | 84 ++ 400 files changed, 31957 insertions(+) create mode 100644 queue-5.10/acpi-battery-add-the-thinkpad-not-charging-quirk.patch create mode 100644 queue-5.10/acpi-change-acpi_device_always_present-into-acpi_dev.patch create mode 100644 queue-5.10/acpi-ec-rework-flushing-of-ec-work-while-suspended-t.patch create mode 100644 queue-5.10/acpi-scan-create-platform-device-for-bcm4752-and-lnv.patch create mode 100644 queue-5.10/acpi-x86-add-not-present-quirk-for-the-pci0.sdhb.brc.patch create mode 100644 queue-5.10/acpi-x86-allow-specifying-acpi_device_override_statu.patch create mode 100644 queue-5.10/acpi-x86-drop-pwm2-device-on-lenovo-yoga-book-from-a.patch create mode 100644 queue-5.10/acpica-actypes.h-expand-the-acpi_access_-definitions.patch create mode 100644 queue-5.10/acpica-executer-fix-the-refclass_refof-case-in-acpi_.patch create mode 100644 queue-5.10/acpica-fix-wrong-interpretation-of-pcc-address.patch create mode 100644 queue-5.10/acpica-hardware-do-not-flush-cpu-cache-when-entering.patch create mode 100644 queue-5.10/acpica-utilities-avoid-deleting-the-same-object-twic.patch create mode 100644 queue-5.10/alsa-hda-add-missing-rwsem-around-snd_ctl_remove-cal.patch create mode 100644 queue-5.10/alsa-jack-add-missing-rwsem-around-snd_ctl_remove-ca.patch create mode 100644 queue-5.10/alsa-oss-fix-compile-error-when-oss_debug-is-enabled.patch create mode 100644 queue-5.10/alsa-pcm-add-missing-rwsem-around-snd_ctl_remove-cal.patch create mode 100644 queue-5.10/alsa-seq-set-upper-limit-of-processed-events.patch create mode 100644 queue-5.10/alsa-usb-audio-drop-superfluous-0-in-presonus-studio.patch create mode 100644 queue-5.10/alsa-usb-audio-fix-db-level-of-bose-revolve-soundlin.patch create mode 100644 queue-5.10/amdgpu-pm-make-sysfs-pm-attributes-as-read-only-for-.patch create mode 100644 queue-5.10/ar5523-fix-null-ptr-deref-with-unexpected-wdcmsg_tar.patch create mode 100644 queue-5.10/arm-9159-1-decompressor-avoid-unpredictable-nop-enco.patch create mode 100644 queue-5.10/arm-dts-armada-38x-add-generic-compatible-to-uart-no.patch create mode 100644 queue-5.10/arm-dts-gemini-nas4220-b-fis-index-block-with-128-ki.patch create mode 100644 queue-5.10/arm-dts-omap3-n900-fix-lp5523-for-multi-color.patch create mode 100644 queue-5.10/arm-dts-stm32-fix-dtbs_check-warning-on-ili9341-dts-.patch create mode 100644 queue-5.10/arm-imx-rename-debug_imx21_imx27_uart-to-debug_imx27.patch create mode 100644 queue-5.10/arm-shmobile-rcar-gen2-add-missing-of_node_put.patch create mode 100644 queue-5.10/arm64-clear_page-shouldn-t-use-dc-zva-when-dczid_el0.patch create mode 100644 queue-5.10/arm64-dts-amlogic-fix-spi-nor-flash-node-name-for-od.patch create mode 100644 queue-5.10/arm64-dts-amlogic-meson-g12-fix-gpu-operating-point-.patch create mode 100644 queue-5.10/arm64-dts-ls1028a-qds-move-rtc-node-to-the-correct-i.patch create mode 100644 queue-5.10/arm64-dts-marvell-cn9130-add-gpio-and-spi-aliases.patch create mode 100644 queue-5.10/arm64-dts-marvell-cn9130-enable-cp0-gpio-controllers.patch create mode 100644 queue-5.10/arm64-dts-meson-gxbb-wetek-fix-hdmi-in-early-boot.patch create mode 100644 queue-5.10/arm64-dts-meson-gxbb-wetek-fix-missing-gpio-binding.patch create mode 100644 queue-5.10/arm64-dts-qcom-c630-fix-soundcard-setup.patch create mode 100644 queue-5.10/arm64-dts-qcom-ipq6018-fix-gpio-ranges-property.patch create mode 100644 queue-5.10/arm64-dts-qcom-msm8916-fix-mmc-controller-aliases.patch create mode 100644 queue-5.10/arm64-dts-renesas-cat875-add-rx-tx-delays.patch create mode 100644 queue-5.10/arm64-dts-ti-j7200-main-fix-dtbs_check-serdes_ln_ctr.patch create mode 100644 queue-5.10/arm64-dts-ti-k3-j7200-correct-the-d-cache-sets-info.patch create mode 100644 queue-5.10/arm64-dts-ti-k3-j7200-fix-the-l2-cache-sets.patch create mode 100644 queue-5.10/arm64-dts-ti-k3-j721e-correct-cache-sets-info.patch create mode 100644 queue-5.10/arm64-dts-ti-k3-j721e-fix-the-l2-cache-sets.patch create mode 100644 queue-5.10/arm64-lib-annotate-clear-copy-_page-as-position-inde.patch create mode 100644 queue-5.10/arm64-tegra-adjust-length-of-ccplex-cluster-mmio-reg.patch create mode 100644 queue-5.10/arm64-tegra-fix-tegra194-hda-clock-reset-names-order.patch create mode 100644 queue-5.10/arm64-tegra-remove-non-existent-tegra194-reset.patch create mode 100644 queue-5.10/asoc-fsl_asrc-refine-the-check-of-available-clock-di.patch create mode 100644 queue-5.10/asoc-fsl_mqs-fix-module_alias.patch create mode 100644 queue-5.10/asoc-intel-catpt-test-dmaengine_submit-result-before.patch create mode 100644 queue-5.10/asoc-mediatek-check-for-error-clk-pointer.patch create mode 100644 queue-5.10/asoc-mediatek-mt8173-fix-device_node-leak.patch create mode 100644 queue-5.10/asoc-mediatek-mt8183-fix-device_node-leak.patch create mode 100644 queue-5.10/asoc-rt5663-handle-device_property_read_u32_array-er.patch create mode 100644 queue-5.10/asoc-samsung-idma-check-of-ioremap-return-value.patch create mode 100644 queue-5.10/asoc-uniphier-drop-selecting-non-existing-snd_soc_un.patch create mode 100644 queue-5.10/ath10k-fix-tx-hanging.patch create mode 100644 queue-5.10/ath11k-avoid-deadlock-by-change-ieee80211_queue_work.patch create mode 100644 queue-5.10/ath11k-avoid-false-deadlock-warning-reported-by-lock.patch create mode 100644 queue-5.10/ath11k-avoid-null-ptr-access-during-mgmt-tx-cleanup.patch create mode 100644 queue-5.10/ath11k-clear-the-keys-properly-via-disable_key.patch create mode 100644 queue-5.10/ath11k-fix-a-null-pointer-dereference-in-ath11k_mac_.patch create mode 100644 queue-5.10/ath11k-fix-crash-caused-by-uninitialized-tx-ring.patch create mode 100644 queue-5.10/ath11k-fix-deleting-uninitialized-kernel-timer-durin.patch create mode 100644 queue-5.10/ath11k-fix-etsi-regd-with-weather-radar-overlap.patch create mode 100644 queue-5.10/ath11k-fix-napi-related-hang.patch create mode 100644 queue-5.10/ath11k-reset-rsn-wpa-present-state-for-open-bss.patch create mode 100644 queue-5.10/ath11k-send-ppdu_stats_cfg-with-proper-pdev-mask-to-.patch create mode 100644 queue-5.10/ath11k-use-host-ce-parameters-for-ce-interrupts-conf.patch create mode 100644 queue-5.10/ath9k-fix-out-of-bound-memcpy-in-ath9k_hif_usb_rx_st.patch create mode 100644 queue-5.10/audit-ensure-userspace-is-penalized-the-same-as-the-.patch create mode 100644 queue-5.10/ax25-uninitialized-variable-in-ax25_setsockopt.patch create mode 100644 queue-5.10/backlight-qcom-wled-fix-off-by-one-maximum-with-defa.patch create mode 100644 queue-5.10/backlight-qcom-wled-override-default-length-with-qco.patch create mode 100644 queue-5.10/backlight-qcom-wled-pass-number-of-elements-to-read-.patch create mode 100644 queue-5.10/backlight-qcom-wled-respect-enabled-strings-in-set_b.patch create mode 100644 queue-5.10/backlight-qcom-wled-use-cpu_to_le16-macro-to-perform.patch create mode 100644 queue-5.10/backlight-qcom-wled-validate-enabled-string-indices-.patch create mode 100644 queue-5.10/batman-adv-allow-netlink-usage-in-unprivileged-conta.patch create mode 100644 queue-5.10/binder-fix-handling-of-error-during-copy.patch create mode 100644 queue-5.10/bluetooth-btmtksdio-fix-resume-failure.patch create mode 100644 queue-5.10/bluetooth-cmtp-fix-possible-panic-when-cmtp_init_soc.patch create mode 100644 queue-5.10/bluetooth-fix-debugfs-entry-leak-in-hci_register_dev.patch create mode 100644 queue-5.10/bluetooth-hci_bcm-check-for-error-irq.patch create mode 100644 queue-5.10/bluetooth-hci_qca-fix-null-vs-is_err_or_null-check-i.patch create mode 100644 queue-5.10/bluetooth-hci_qca-stop-ibs-timer-during-bt-off.patch create mode 100644 queue-5.10/bluetooth-l2cap-fix-not-initializing-sk_peer_pid.patch create mode 100644 queue-5.10/bluetooth-l2cap-fix-using-wrong-mode.patch create mode 100644 queue-5.10/bluetooth-l2cap-uninitialized-variables-in-l2cap_soc.patch create mode 100644 queue-5.10/bluetooth-stop-proccessing-malicious-adv-data.patch create mode 100644 queue-5.10/bluetooth-vhci-set-hci_quirk_valid_le_states.patch create mode 100644 queue-5.10/bpf-adjust-btf-log-size-limit.patch create mode 100644 queue-5.10/bpf-disallow-bpf_log_kernel-log-level-for-bpf-bpf_bt.patch create mode 100644 queue-5.10/bpf-do-not-warn-in-bpf_warn_invalid_xdp_action.patch create mode 100644 queue-5.10/bpf-don-t-promote-bogus-looking-registers-after-null.patch create mode 100644 queue-5.10/bpf-fix-so_rcvbuf-so_sndbuf-handling-in-_bpf_setsock.patch create mode 100644 queue-5.10/bpf-remove-config-check-to-enable-bpf-support-for-br.patch create mode 100644 queue-5.10/bpftool-enable-line-buffering-for-stdout.patch create mode 100644 queue-5.10/btrfs-remove-bug_on-eie-in-find_parent_nodes.patch create mode 100644 queue-5.10/btrfs-remove-bug_on-in-find_parent_nodes.patch create mode 100644 queue-5.10/can-mcp251xfd-add-missing-newline-to-printed-strings.patch create mode 100644 queue-5.10/can-softing-softing_startstop-fix-set-but-not-used-v.patch create mode 100644 queue-5.10/can-xilinx_can-xcan_probe-check-for-error-irq.patch create mode 100644 queue-5.10/cgroup-trace-event-cgroup-id-fields-should-be-u64.patch create mode 100644 queue-5.10/char-mwave-adjust-io-port-register-size.patch create mode 100644 queue-5.10/clk-bcm-2835-pick-the-closest-clock-rate.patch create mode 100644 queue-5.10/clk-bcm-2835-remove-rounding-up-the-dividers.patch create mode 100644 queue-5.10/clk-bm1880-remove-kfrees-on-static-allocations.patch create mode 100644 queue-5.10/clk-imx8mn-fix-imx8mn_clko1_sels.patch create mode 100644 queue-5.10/clk-meson-gxbb-fix-the-sdm_en-bit-for-mpll0-on-gxbb.patch create mode 100644 queue-5.10/clk-stm32-fix-ltdc-s-clock-turn-off-by-clk_disable_u.patch create mode 100644 queue-5.10/clocksource-avoid-accidental-unstable-marking-of-clo.patch create mode 100644 queue-5.10/clocksource-reduce-clocksource-skew-threshold.patch create mode 100644 queue-5.10/counter-stm32-lptimer-cnt-remove-iio-counter-abi.patch create mode 100644 queue-5.10/cpufreq-fix-initialization-of-min-and-max-frequency-.patch create mode 100644 queue-5.10/crypto-jitter-consider-32-lsb-for-apt.patch create mode 100644 queue-5.10/crypto-qat-fix-spelling-mistake-messge-message.patch create mode 100644 queue-5.10/crypto-qat-fix-undetected-pfvf-timeout-in-ack-loop.patch create mode 100644 queue-5.10/crypto-qat-make-pfvf-send-message-direction-agnostic.patch create mode 100644 queue-5.10/crypto-qat-remove-unnecessary-collision-prevention-s.patch create mode 100644 queue-5.10/crypto-qce-fix-uaf-on-qce_ahash_register_one.patch create mode 100644 queue-5.10/crypto-qce-fix-uaf-on-qce_skcipher_register_one.patch create mode 100644 queue-5.10/crypto-stm32-cryp-check-early-input-data.patch create mode 100644 queue-5.10/crypto-stm32-cryp-fix-bugs-and-crash-in-tests.patch create mode 100644 queue-5.10/crypto-stm32-cryp-fix-ctr-counter-carry.patch create mode 100644 queue-5.10/crypto-stm32-cryp-fix-double-pm-exit.patch create mode 100644 queue-5.10/crypto-stm32-cryp-fix-lrw-chaining-mode.patch create mode 100644 queue-5.10/crypto-stm32-cryp-fix-xts-and-race-condition-in-cryp.patch create mode 100644 queue-5.10/crypto-stm32-fix-last-sparse-warning-in-stm32_cryp_c.patch create mode 100644 queue-5.10/crypto-stm32-revert-broken-pm_runtime_resume_and_get.patch create mode 100644 queue-5.10/debugfs-lockdown-allow-reading-debugfs-files-that-ar.patch create mode 100644 queue-5.10/dm-btree-add-a-defensive-bounds-check-to-insert_at.patch create mode 100644 queue-5.10/dm-fix-alloc_dax-error-handling-in-alloc_dev.patch create mode 100644 queue-5.10/dm-space-map-common-add-bounds-check-to-sm_ll_lookup.patch create mode 100644 queue-5.10/dmaengine-pxa-mmp-stop-referencing-config-slave_id.patch create mode 100644 queue-5.10/drm-amd-display-check-top_pipe_to_program-pointer.patch create mode 100644 queue-5.10/drm-amdgpu-display-set-vblank_disable_immediate-for-.patch create mode 100644 queue-5.10/drm-amdgpu-fix-a-null-pointer-dereference-in-amdgpu_.patch create mode 100644 queue-5.10/drm-amdgpu-fixup-bad-vram-size-on-gmc-v8.patch create mode 100644 queue-5.10/drm-bridge-display-connector-fix-an-uninitialized-po.patch create mode 100644 queue-5.10/drm-bridge-dw-hdmi-handle-eld-when-drm_bridge_attach.patch create mode 100644 queue-5.10/drm-bridge-megachips-ensure-both-bridges-are-probed-.patch create mode 100644 queue-5.10/drm-bridge-ti-sn65dsi86-set-max-register-for-regmap.patch create mode 100644 queue-5.10/drm-etnaviv-consider-completed-fence-seqno-in-hang-c.patch create mode 100644 queue-5.10/drm-fix-null-ptr-deref-in-drm_dev_init_release.patch create mode 100644 queue-5.10/drm-lima-fix-warning-when-config_debug_sg-y-config_d.patch create mode 100644 queue-5.10/drm-msm-dp-displayport-driver-need-algorithm-rationa.patch create mode 100644 queue-5.10/drm-msm-dpu-fix-safe-status-debugfs-file.patch create mode 100644 queue-5.10/drm-nouveau-pmu-gm200-avoid-touching-pmu-outside-of-.patch create mode 100644 queue-5.10/drm-panel-innolux-p079zca-delete-panel-on-attach-fai.patch create mode 100644 queue-5.10/drm-panel-kingdisplay-kd097d04-delete-panel-on-attac.patch create mode 100644 queue-5.10/drm-panel-orientation-quirks-add-quirk-for-the-lenov.patch create mode 100644 queue-5.10/drm-radeon-radeon_kms-fix-a-null-pointer-dereference.patch create mode 100644 queue-5.10/drm-rcar-du-fix-crtc-timings-when-cmm-is-used.patch create mode 100644 queue-5.10/drm-rockchip-dsi-disable-pll-clock-on-bind-error.patch create mode 100644 queue-5.10/drm-rockchip-dsi-fix-unbalanced-clock-on-probe-error.patch create mode 100644 queue-5.10/drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch create mode 100644 queue-5.10/drm-tegra-vic-fix-dma-api-misuse.patch create mode 100644 queue-5.10/drm-vboxvideo-fix-a-null-vs-is_err-check.patch create mode 100644 queue-5.10/drm-vc4-hdmi-set-a-default-hsm-rate.patch create mode 100644 queue-5.10/dt-bindings-thermal-fix-definition-of-cooling-maps-c.patch create mode 100644 queue-5.10/edac-synopsys-use-the-quirk-for-version-instead-of-d.patch create mode 100644 queue-5.10/ext4-avoid-trim-error-on-fs-with-small-groups.patch create mode 100644 queue-5.10/floppy-add-max-size-check-for-user-space-request.patch create mode 100644 queue-5.10/floppy-fix-hang-in-watchdog-when-disk-is-ejected.patch create mode 100644 queue-5.10/fs-dlm-don-t-call-kernel_getpeername-in-error_report.patch create mode 100644 queue-5.10/fs-dlm-filter-user-dlm-messages-for-kernel-locks.patch create mode 100644 queue-5.10/fs-dlm-fix-build-with-config_ipv6-disabled.patch create mode 100644 queue-5.10/fs-dlm-use-sk-sk_socket-instead-of-con-sock.patch create mode 100644 queue-5.10/fsl-fman-check-for-null-pointer-after-calling-devm_i.patch create mode 100644 queue-5.10/gpio-aspeed-convert-aspeed_gpio.lock-to-raw_spinlock.patch create mode 100644 queue-5.10/gpiolib-acpi-do-not-set-the-irq-type-if-the-irq-is-a.patch create mode 100644 queue-5.10/hid-apple-do-not-reset-quirks-when-the-fn-key-is-not.patch create mode 100644 queue-5.10/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch create mode 100644 queue-5.10/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-21754 create mode 100644 queue-5.10/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-23659 create mode 100644 queue-5.10/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-27529 create mode 100644 queue-5.10/hid-quirks-allow-inverting-the-absolute-x-y-values.patch create mode 100644 queue-5.10/hsi-core-fix-return-freed-object-in-hsi_new_client.patch create mode 100644 queue-5.10/hwmon-mr75203-fix-wrong-power-up-delay-value.patch create mode 100644 queue-5.10/i2c-designware-pci-fix-to-change-data-types-of-hcnt-.patch create mode 100644 queue-5.10/i2c-i801-don-t-silently-correct-invalid-transfer-siz.patch create mode 100644 queue-5.10/i2c-mpc-correct-i2c-reset-procedure.patch create mode 100644 queue-5.10/iommu-amd-remove-iommu_init_ga.patch create mode 100644 queue-5.10/iommu-amd-restore-ga-log-tail-pointer-on-host-resume.patch create mode 100644 queue-5.10/iommu-io-pgtable-arm-fix-table-descriptor-paddr-form.patch create mode 100644 queue-5.10/iommu-iova-fix-race-between-fq-timeout-and-teardown.patch create mode 100644 queue-5.10/irqchip-gic-v4-disable-redistributors-view-of-the-vp.patch create mode 100644 queue-5.10/iwlwifi-fix-leaks-bad-data-after-failed-firmware-loa.patch create mode 100644 queue-5.10/iwlwifi-mvm-avoid-clearing-a-just-saved-session-prot.patch create mode 100644 queue-5.10/iwlwifi-mvm-fix-32-bit-build-in-ftm.patch create mode 100644 queue-5.10/iwlwifi-mvm-fix-calculation-of-frame-length.patch create mode 100644 queue-5.10/iwlwifi-mvm-synchronize-with-fw-after-multicast-comm.patch create mode 100644 queue-5.10/iwlwifi-mvm-test-roc-running-status-bits-before-remo.patch create mode 100644 queue-5.10/iwlwifi-mvm-use-div_s64-instead-of-do_div-in-iwl_mvm.patch create mode 100644 queue-5.10/iwlwifi-pcie-make-sure-prph_info-is-set-when-treatin.patch create mode 100644 queue-5.10/iwlwifi-remove-module-loading-failure-message.patch create mode 100644 queue-5.10/jffs2-gc-deadlock-reading-a-page-that-is-used-in-jff.patch create mode 100644 queue-5.10/kvm-ppc-book3s-suppress-failed-alloc-warning-in-h_co.patch create mode 100644 queue-5.10/kvm-ppc-book3s-suppress-warnings-when-allocating-too.patch create mode 100644 queue-5.10/lib-mpi-add-the-return-value-check-of-kcalloc.patch create mode 100644 queue-5.10/libbpf-validate-that-.btf-and-.btf.ext-sections-cont.patch create mode 100644 queue-5.10/mac80211-allow-non-standard-vht-mcs-10-11.patch create mode 100644 queue-5.10/media-aspeed-fix-mode-detect-always-time-out-at-2nd-.patch create mode 100644 queue-5.10/media-aspeed-update-signal-status-immediately-to-ens.patch create mode 100644 queue-5.10/media-atomisp-add-missing-media_device_cleanup-in-at.patch create mode 100644 queue-5.10/media-atomisp-add-null-check-for-asd-obtained-from-a.patch create mode 100644 queue-5.10/media-atomisp-do-not-use-err-var-when-checking-port-.patch create mode 100644 queue-5.10/media-atomisp-fix-enum-formats-logic.patch create mode 100644 queue-5.10/media-atomisp-fix-ifdefs-in-sh_css.c.patch create mode 100644 queue-5.10/media-atomisp-fix-inverted-error-check-for-ia_css_mi.patch create mode 100644 queue-5.10/media-atomisp-fix-inverted-logic-in-buffers_needed.patch create mode 100644 queue-5.10/media-atomisp-fix-punit_ddr_dvfs_enable-argument-for.patch create mode 100644 queue-5.10/media-atomisp-fix-try_fmt-logic.patch create mode 100644 queue-5.10/media-atomisp-fix-uninitialized-bug-in-gmin_get_pmic.patch create mode 100644 queue-5.10/media-atomisp-handle-errors-at-sh_css_create_isp_par.patch create mode 100644 queue-5.10/media-atomisp-ov2680-fix-ov2680_set_fmt-clobbering-t.patch create mode 100644 queue-5.10/media-atomisp-set-per-device-s-default-mode.patch create mode 100644 queue-5.10/media-b2c2-add-missing-check-in-flexcop_pci_isr.patch create mode 100644 queue-5.10/media-coda-fix-coda960-jpeg-encoder-buffer-overflow.patch create mode 100644 queue-5.10/media-coda-imx-vdoa-handle-dma_set_coherent_mask-err.patch create mode 100644 queue-5.10/media-dib8000-fix-a-memleak-in-dib8000_init.patch create mode 100644 queue-5.10/media-dmxdev-fix-uaf-when-dvb_register_device-fails.patch create mode 100644 queue-5.10/media-dw2102-fix-use-after-free.patch create mode 100644 queue-5.10/media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch create mode 100644 queue-5.10/media-hantro-fix-probe-func-error-path.patch create mode 100644 queue-5.10/media-igorplugusb-receiver-overflow-should-be-report.patch create mode 100644 queue-5.10/media-imx-pxp-initialize-the-spinlock-prior-to-using.patch create mode 100644 queue-5.10/media-m920x-don-t-use-stack-on-usb-reads.patch create mode 100644 queue-5.10/media-msi001-fix-possible-null-ptr-deref-in-msi001_p.patch create mode 100644 queue-5.10/media-mtk-vcodec-call-v4l2_m2m_ctx_release-first-whe.patch create mode 100644 queue-5.10/media-rcar-csi2-correct-the-selection-of-hsfreqrange.patch create mode 100644 queue-5.10/media-rcar-vin-update-format-alignment-constraints.patch create mode 100644 queue-5.10/media-saa7146-hexium_gemini-fix-a-null-pointer-deref.patch create mode 100644 queue-5.10/media-saa7146-hexium_orion-fix-a-null-pointer-derefe.patch create mode 100644 queue-5.10/media-saa7146-mxb-fix-a-null-pointer-dereference-in-.patch create mode 100644 queue-5.10/media-si2157-fix-warm-tuner-state-detection.patch create mode 100644 queue-5.10/media-si470x-i2c-fix-possible-memory-leak-in-si470x_.patch create mode 100644 queue-5.10/media-staging-media-atomisp-pci-balance-braces-aroun.patch create mode 100644 queue-5.10/media-uvcvideo-increase-uvc_ctrl_control_timeout-to-.patch create mode 100644 queue-5.10/media-venus-avoid-calling-core_clk_setrate-concurren.patch create mode 100644 queue-5.10/media-venus-core-fix-a-potential-null-pointer-derefe.patch create mode 100644 queue-5.10/media-venus-core-fix-a-resource-leak-in-the-error-ha.patch create mode 100644 queue-5.10/media-venus-core-venc-vdec-fix-probe-dependency-erro.patch create mode 100644 queue-5.10/media-venus-pm_helpers-control-core-power-domain-man.patch create mode 100644 queue-5.10/media-videobuf2-fix-the-size-printk-format.patch create mode 100644 queue-5.10/memory-renesas-rpc-if-return-error-in-case-devm_iore.patch create mode 100644 queue-5.10/mfd-atmel-flexcom-remove-ifdef-config_pm_sleep.patch create mode 100644 queue-5.10/mfd-atmel-flexcom-use-.resume_noirq.patch create mode 100644 queue-5.10/mfd-intel_soc_pmic-use-cpu-id-check-instead-of-_hrv-.patch create mode 100644 queue-5.10/mips-add-sys_has_cpu_mips64_r5-config-for-mips-relea.patch create mode 100644 queue-5.10/mips-bcm63xx-add-support-for-clk_set_parent.patch create mode 100644 queue-5.10/mips-fix-kconfig-reference-to-phys_addr_t_64bit.patch create mode 100644 queue-5.10/mips-lantiq-add-support-for-clk_set_parent.patch create mode 100644 queue-5.10/mips-loongson64-use-three-arguments-for-slti.patch create mode 100644 queue-5.10/mips-octeon-add-put_device-after-of_find_device_by_n.patch create mode 100644 queue-5.10/mips-octeon-fix-build-errors-using-clang.patch create mode 100644 queue-5.10/misc-lattice-ecp3-config-fix-task-hung-when-firmware.patch create mode 100644 queue-5.10/mlxsw-pci-add-shutdown-method-in-pci-driver.patch create mode 100644 queue-5.10/mlxsw-pci-avoid-flow-control-for-emad-packets.patch create mode 100644 queue-5.10/mmc-core-fixup-storing-of-ocr-for-mmc_quirk_nonstd_s.patch create mode 100644 queue-5.10/mmc-meson-mx-sdhc-add-irq-check.patch create mode 100644 queue-5.10/mmc-meson-mx-sdio-add-irq-check.patch create mode 100644 queue-5.10/mtd-hyperbus-rpc-if-check-return-value-of-rpcif_sw_i.patch create mode 100644 queue-5.10/mtd-hyperbus-rpc-if-fix-bug-in-rpcif_hb_remove.patch create mode 100644 queue-5.10/mwifiex-fix-possible-abba-deadlock.patch create mode 100644 queue-5.10/mwifiex-fix-skb_over_panic-in-mwifiex_usb_recv.patch create mode 100644 queue-5.10/net-bonding-debug-avoid-printing-debug-logs-when-bon.patch create mode 100644 queue-5.10/net-gemini-allow-any-rgmii-interface-mode.patch create mode 100644 queue-5.10/net-mcs7830-handle-usb-read-errors-properly.patch create mode 100644 queue-5.10/net-mdio-demote-probed-message-to-debug-print.patch create mode 100644 queue-5.10/net-mlx5-set-command-entry-semaphore-up-once-got-ind.patch create mode 100644 queue-5.10/net-mlx5e-don-t-block-routes-with-nexthop-objects-in.patch create mode 100644 queue-5.10/net-mlx5e-fix-page-dma-map-unmap-attributes.patch create mode 100644 queue-5.10/net-phy-marvell-configure-rgmii-delays-for-88e1118.patch create mode 100644 queue-5.10/net-phy-prefer-1000baset-over-1000basekx.patch create mode 100644 queue-5.10/net-sysfs-update-the-queue-counts-in-the-unregistrat.patch create mode 100644 queue-5.10/netfilter-bridge-add-support-for-pppoe-filtering.patch create mode 100644 queue-5.10/netfilter-ipt_clusterip-fix-refcount-leak-in-cluster.patch create mode 100644 queue-5.10/netfilter-nft_set_pipapo-allocate-pcpu-scratch-maps-.patch create mode 100644 queue-5.10/netrom-fix-api-breakage-in-nr_setsockopt.patch create mode 100644 queue-5.10/nvmem-core-set-size-for-sysfs-bin-file.patch create mode 100644 queue-5.10/of-base-fix-phandle-argument-length-mismatch-error-m.patch create mode 100644 queue-5.10/of-unittest-64-bit-dma-address-test-requires-arch-su.patch create mode 100644 queue-5.10/of-unittest-fix-warning-on-powerpc-frame-size-warnin.patch create mode 100644 queue-5.10/openrisc-add-clone3-abi-wrapper.patch create mode 100644 queue-5.10/parisc-avoid-calling-faulthandler_disabled-twice.patch create mode 100644 queue-5.10/pci-msi-fix-pci_irq_vector-pci_irq_get_affinity.patch create mode 100644 queue-5.10/pcmcia-fix-setting-of-kthread-task-states.patch create mode 100644 queue-5.10/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch create mode 100644 queue-5.10/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch-3767 create mode 100644 queue-5.10/phy-mediatek-fix-missing-check-in-mtk_mipi_tx_probe.patch create mode 100644 queue-5.10/phy-uniphier-usb3ss-fix-unintended-writing-zeros-to-.patch create mode 100644 queue-5.10/pm-avs-qcom-cpr-use-div64_ul-instead-of-do_div.patch create mode 100644 queue-5.10/pm-runtime-add-safety-net-to-supplier-device-release.patch create mode 100644 queue-5.10/power-reset-mt6397-check-for-null-res-pointer.patch create mode 100644 queue-5.10/powerpc-32s-fix-shift-out-of-bounds-in-kasan-init.patch create mode 100644 queue-5.10/powerpc-40x-map-32mbytes-of-memory-at-startup.patch create mode 100644 queue-5.10/powerpc-64s-convert-some-cpu_setup-and-cpu_restore-f.patch create mode 100644 queue-5.10/powerpc-6xx-add-missing-of_node_put.patch create mode 100644 queue-5.10/powerpc-btext-add-missing-of_node_put.patch create mode 100644 queue-5.10/powerpc-cell-add-missing-of_node_put.patch create mode 100644 queue-5.10/powerpc-fadump-fix-inaccurate-cpu-state-info-in-vmco.patch create mode 100644 queue-5.10/powerpc-handle-kdump-appropriately-with-crash_kexec_.patch create mode 100644 queue-5.10/powerpc-irq-add-helper-to-set-regs-softe.patch create mode 100644 queue-5.10/powerpc-perf-fix-pmu-callbacks-to-clear-pending-pmi-.patch create mode 100644 queue-5.10/powerpc-perf-mmcr0-control-for-pmu-registers-under-p.patch create mode 100644 queue-5.10/powerpc-perf-move-perf-irq-nmi-handling-details-into.patch create mode 100644 queue-5.10/powerpc-powermac-add-additional-missing-lockdep_regi.patch create mode 100644 queue-5.10/powerpc-powermac-add-missing-lockdep_register_key.patch create mode 100644 queue-5.10/powerpc-powernv-add-missing-of_node_put.patch create mode 100644 queue-5.10/powerpc-prom_init-fix-improper-check-of-prom_getprop.patch create mode 100644 queue-5.10/powerpc-smp-move-setup_profiling_timer-under-config_.patch create mode 100644 queue-5.10/powerpc-watchdog-fix-missed-watchdog-reset-due-to-me.patch create mode 100644 queue-5.10/powerpc-xive-add-missing-null-check-after-calling-km.patch create mode 100644 queue-5.10/ppp-ensure-minimum-packet-size-in-ppp_write.patch create mode 100644 queue-5.10/random-do-not-throw-away-excess-input-to-crng_fast_l.patch create mode 100644 queue-5.10/rcu-exp-mark-current-cpu-as-exp-qs-in-ipi-loop-secon.patch create mode 100644 queue-5.10/rdma-bnxt_re-scan-the-whole-bitmap-when-checking-if-.patch create mode 100644 queue-5.10/rdma-cma-let-cma_resolve_ib_dev-continue-search-even.patch create mode 100644 queue-5.10/rdma-core-let-ib_find_gid-continue-search-even-after.patch create mode 100644 queue-5.10/rdma-cxgb4-set-queue-pair-state-when-being-queried.patch create mode 100644 queue-5.10/rdma-hns-validate-the-pkey-index.patch create mode 100644 queue-5.10/rdma-qedr-fix-reporting-max_-send-recv-_wr-attrs.patch create mode 100644 queue-5.10/regmap-call-regmap_debugfs_exit-prior-to-_init.patch create mode 100644 queue-5.10/regulator-qcom_smd-align-probe-function-with-rpmh-re.patch create mode 100644 queue-5.10/revert-net-mlx5e-block-offload-of-outer-header-csum-.patch create mode 100644 queue-5.10/rocker-fix-a-sleeping-in-atomic-bug.patch create mode 100644 queue-5.10/rsi-fix-out-of-bounds-read-in-rsi_read_pkt.patch create mode 100644 queue-5.10/rsi-fix-use-after-free-in-rsi_rx_done_handler.patch create mode 100644 queue-5.10/rtw88-8822c-update-rx-settings-to-prevent-potential-.patch create mode 100644 queue-5.10/sched-fair-fix-detection-of-per-cpu-kthreads-waking-.patch create mode 100644 queue-5.10/sched-fair-fix-per-cpu-kthread-and-wakee-stacking-fo.patch create mode 100644 queue-5.10/sched-rt-try-to-restart-rt-period-timer-when-rt-runt.patch create mode 100644 queue-5.10/scripts-sphinx-pre-install-fix-ctex-support-on-debia.patch create mode 100644 queue-5.10/scsi-block-pm-always-set-request-queue-runtime-activ.patch create mode 100644 queue-5.10/scsi-lpfc-trigger-sli4-firmware-dump-before-doing-dr.patch create mode 100644 queue-5.10/scsi-pm80xx-update-warn_on-check-in-pm8001_mpi_build.patch create mode 100644 queue-5.10/scsi-sr-don-t-use-gfp_dma.patch create mode 100644 queue-5.10/scsi-ufs-fix-race-conditions-related-to-driver-data.patch create mode 100644 queue-5.10/selftests-bpf-fix-bpf_object-leak-in-skb_ctx-selftes.patch create mode 100644 queue-5.10/selftests-clone3-clone3-add-case-clone3_args_no_test.patch create mode 100644 queue-5.10/selftests-ftrace-make-kprobe-profile-testcase-descri.patch create mode 100644 queue-5.10/selftests-harness-avoid-false-negatives-if-test-has-.patch create mode 100644 queue-5.10/selftests-powerpc-spectre_v2-return-skip-code-when-m.patch create mode 100644 queue-5.10/selinux-fix-potential-memleak-in-selinux_add_opt.patch create mode 100644 queue-5.10/serial-amba-pl011-do-not-request-memory-region-twice.patch create mode 100644 queue-5.10/serial-core-keep-mctrl-register-state-and-cached-cop.patch create mode 100644 queue-5.10/serial-pl010-drop-cr-register-reset-on-set_termios.patch create mode 100644 queue-5.10/soc-ti-pruss-fix-referenced-node-in-error-message.patch create mode 100644 queue-5.10/software-node-fix-wrong-node-passed-to-find-nargs_pr.patch create mode 100644 queue-5.10/spi-spi-meson-spifc-add-missing-pm_runtime_disable-i.patch create mode 100644 queue-5.10/staging-greybus-audio-check-null-pointer.patch create mode 100644 queue-5.10/staging-rtl8192e-return-error-code-from-rtllib_softm.patch create mode 100644 queue-5.10/staging-rtl8192e-rtllib_module-fix-error-handle-case.patch create mode 100644 queue-5.10/tee-fix-put-order-in-teedev_close_context.patch create mode 100644 queue-5.10/thermal-drivers-imx-implement-runtime-pm-support.patch create mode 100644 queue-5.10/thermal-drivers-imx8mm-enable-adc-when-enabling-moni.patch create mode 100644 queue-5.10/thunderbolt-runtime-pm-activate-both-ends-of-the-dev.patch create mode 100644 queue-5.10/tpm-add-request_locality-before-write-tpm_int_enable.patch create mode 100644 queue-5.10/tpm_tis-fix-an-error-handling-path-in-tpm_tis_core_i.patch create mode 100644 queue-5.10/tty-serial-atmel-call-dma_async_issue_pending.patch create mode 100644 queue-5.10/tty-serial-atmel-check-return-code-of-dmaengine_subm.patch create mode 100644 queue-5.10/tty-serial-imx-disable-ucr4_oren-in-.stop_rx-instead.patch create mode 100644 queue-5.10/tty-serial-uartlite-allow-64-bit-address.patch create mode 100644 queue-5.10/udf-fix-error-handling-in-udf_new_inode.patch create mode 100644 queue-5.10/uio-uio_dmem_genirq-catch-the-exception.patch create mode 100644 queue-5.10/um-fix-ndelay-udelay-defines.patch create mode 100644 queue-5.10/um-registers-rename-function-names-to-avoid-conflict.patch create mode 100644 queue-5.10/um-virtio_uml-fix-time-travel-external-time-propagat.patch create mode 100644 queue-5.10/usb-dwc3-qcom-fix-null-vs-is_err-checking-in-dwc3_qc.patch create mode 100644 queue-5.10/usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch create mode 100644 queue-5.10/usb-gadget-f_fs-use-stream_open-for-endpoint-files.patch create mode 100644 queue-5.10/usb-hub-add-delay-for-superspeed-hub-resume-to-let-l.patch create mode 100644 queue-5.10/usb-uhci-add-aspeed-ast2600-uhci-support.patch create mode 100644 queue-5.10/w1-misuse-of-get_user-put_user-reported-by-sparse.patch create mode 100644 queue-5.10/wcn36xx-ensure-pairing-of-init_scan-finish_scan-and-.patch create mode 100644 queue-5.10/wcn36xx-fix-dma-channel-enable-disable-cycle.patch create mode 100644 queue-5.10/wcn36xx-fix-rx-bd-rate-mapping-for-5ghz-legacy-rates.patch create mode 100644 queue-5.10/wcn36xx-indicate-beacon-not-connection-loss-on-misse.patch create mode 100644 queue-5.10/wcn36xx-populate-band-before-determining-rate-on-rx.patch create mode 100644 queue-5.10/wcn36xx-put-dxe-block-into-reset-before-freeing-memo.patch create mode 100644 queue-5.10/wcn36xx-release-dma-channel-descriptor-allocations.patch create mode 100644 queue-5.10/wireless-iwlwifi-fix-a-double-free-in-iwl_txq_dyn_al.patch create mode 100644 queue-5.10/x86-boot-compressed-move-clang_flags-to-beginning-of.patch create mode 100644 queue-5.10/x86-kbuild-enable-config_kallsyms_all-y-in-the-defco.patch create mode 100644 queue-5.10/x86-mce-allow-instrumentation-during-task-work-queue.patch create mode 100644 queue-5.10/x86-mce-inject-avoid-out-of-bounds-write-when-settin.patch create mode 100644 queue-5.10/x86-mce-mark-mce_end-noinstr.patch create mode 100644 queue-5.10/x86-mce-mark-mce_panic-noinstr.patch create mode 100644 queue-5.10/x86-mce-mark-mce_read_aux-noinstr.patch create mode 100644 queue-5.10/x86-mm-flush-global-tlb-when-switching-to-trampoline.patch create mode 100644 queue-5.10/x86-uaccess-move-variable-into-switch-case-statement.patch create mode 100644 queue-5.10/xfrm-fix-a-small-bug-in-xfrm_sa_len.patch create mode 100644 queue-5.10/xfrm-interface-with-if_id-0-should-return-error.patch create mode 100644 queue-5.10/xfrm-rate-limit-sa-mapping-change-message-to-user-sp.patch create mode 100644 queue-5.10/xfrm-state-and-policy-should-fail-if-xfrma_if_id-0.patch diff --git a/queue-5.10/acpi-battery-add-the-thinkpad-not-charging-quirk.patch b/queue-5.10/acpi-battery-add-the-thinkpad-not-charging-quirk.patch new file mode 100644 index 00000000000..7ce0656b016 --- /dev/null +++ b/queue-5.10/acpi-battery-add-the-thinkpad-not-charging-quirk.patch @@ -0,0 +1,85 @@ +From 9d55c7243b7a53d12cb614a18ed4217ae7b794a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 22:20:14 +0100 +Subject: ACPI: battery: Add the ThinkPad "Not Charging" quirk +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit e96c1197aca628f7d2480a1cc3214912b40b3414 ] + +The EC/ACPI firmware on Lenovo ThinkPads used to report a status +of "Unknown" when the battery is between the charge start and +charge stop thresholds. On Windows, it reports "Not Charging" +so the quirk has been added to also report correctly. + +Now the "status" attribute returns "Not Charging" when the +battery on ThinkPads is not physicaly charging. + +Signed-off-by: Thomas Weißschuh +Reviewed-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/battery.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c +index e04352c1dc2ce..2376f57b3617a 100644 +--- a/drivers/acpi/battery.c ++++ b/drivers/acpi/battery.c +@@ -59,6 +59,7 @@ static int battery_bix_broken_package; + static int battery_notification_delay_ms; + static int battery_ac_is_broken; + static int battery_check_pmic = 1; ++static int battery_quirk_notcharging; + static unsigned int cache_time = 1000; + module_param(cache_time, uint, 0644); + MODULE_PARM_DESC(cache_time, "cache time in milliseconds"); +@@ -222,6 +223,8 @@ static int acpi_battery_get_property(struct power_supply *psy, + val->intval = POWER_SUPPLY_STATUS_CHARGING; + else if (acpi_battery_is_charged(battery)) + val->intval = POWER_SUPPLY_STATUS_FULL; ++ else if (battery_quirk_notcharging) ++ val->intval = POWER_SUPPLY_STATUS_NOT_CHARGING; + else + val->intval = POWER_SUPPLY_STATUS_UNKNOWN; + break; +@@ -1105,6 +1108,12 @@ battery_do_not_check_pmic_quirk(const struct dmi_system_id *d) + return 0; + } + ++static int __init battery_quirk_not_charging(const struct dmi_system_id *d) ++{ ++ battery_quirk_notcharging = 1; ++ return 0; ++} ++ + static const struct dmi_system_id bat_dmi_table[] __initconst = { + { + /* NEC LZ750/LS */ +@@ -1149,6 +1158,19 @@ static const struct dmi_system_id bat_dmi_table[] __initconst = { + DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo MIIX 320-10ICR"), + }, + }, ++ { ++ /* ++ * On Lenovo ThinkPads the BIOS specification defines ++ * a state when the bits for charging and discharging ++ * are both set to 0. That state is "Not Charging". ++ */ ++ .callback = battery_quirk_not_charging, ++ .ident = "Lenovo ThinkPad", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad"), ++ }, ++ }, + {}, + }; + +-- +2.34.1 + diff --git a/queue-5.10/acpi-change-acpi_device_always_present-into-acpi_dev.patch b/queue-5.10/acpi-change-acpi_device_always_present-into-acpi_dev.patch new file mode 100644 index 00000000000..9b0db6cd638 --- /dev/null +++ b/queue-5.10/acpi-change-acpi_device_always_present-into-acpi_dev.patch @@ -0,0 +1,209 @@ +From 6389c2aab5a8fba4abd44252e049477cfdee68fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Nov 2021 18:05:31 +0100 +Subject: ACPI: Change acpi_device_always_present() into + acpi_device_override_status() + +From: Hans de Goede + +[ Upstream commit 1a68b346a2c9969c05e80a3b99a9ab160b5655c0 ] + +Currently, acpi_bus_get_status() calls acpi_device_always_present() to +allow platform quirks to override the _STA return to report that a +device is present (status = ACPI_STA_DEFAULT) independent of the _STA +return. + +In some cases it might also be useful to have the opposite functionality +and have a platform quirk which marks a device as not present (status = 0) +to work around ACPI table bugs. + +Change acpi_device_always_present() into a more generic +acpi_device_override_status() function to allow this. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/bus.c | 4 +-- + drivers/acpi/x86/utils.c | 64 +++++++++++++++++++++++----------------- + include/acpi/acpi_bus.h | 5 ++-- + 3 files changed, 42 insertions(+), 31 deletions(-) + +diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c +index e317214aabec5..5e14288fcabe9 100644 +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -98,8 +98,8 @@ int acpi_bus_get_status(struct acpi_device *device) + acpi_status status; + unsigned long long sta; + +- if (acpi_device_always_present(device)) { +- acpi_set_device_status(device, ACPI_STA_DEFAULT); ++ if (acpi_device_override_status(device, &sta)) { ++ acpi_set_device_status(device, sta); + return 0; + } + +diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c +index baaa44edc9441..c6b0782dcced5 100644 +--- a/drivers/acpi/x86/utils.c ++++ b/drivers/acpi/x86/utils.c +@@ -22,54 +22,63 @@ + * Some BIOS-es (temporarily) hide specific APCI devices to work around Windows + * driver bugs. We use DMI matching to match known cases of this. + * +- * We work around this by always reporting ACPI_STA_DEFAULT for these +- * devices. Note this MUST only be done for devices where this is safe. ++ * Likewise sometimes some not-actually present devices are sometimes ++ * reported as present, which may cause issues. + * +- * This forcing of devices to be present is limited to specific CPU (SoC) +- * models both to avoid potentially causing trouble on other models and +- * because some HIDs are re-used on different SoCs for completely +- * different devices. ++ * We work around this by using the below quirk list to override the status ++ * reported by the _STA method with a fixed value (ACPI_STA_DEFAULT or 0). ++ * Note this MUST only be done for devices where this is safe. ++ * ++ * This status overriding is limited to specific CPU (SoC) models both to ++ * avoid potentially causing trouble on other models and because some HIDs ++ * are re-used on different SoCs for completely different devices. + */ +-struct always_present_id { ++struct override_status_id { + struct acpi_device_id hid[2]; + struct x86_cpu_id cpu_ids[2]; + struct dmi_system_id dmi_ids[2]; /* Optional */ + const char *uid; ++ unsigned long long status; + }; + +-#define X86_MATCH(model) X86_MATCH_INTEL_FAM6_MODEL(model, NULL) +- +-#define ENTRY(hid, uid, cpu_models, dmi...) { \ ++#define ENTRY(status, hid, uid, cpu_model, dmi...) { \ + { { hid, }, {} }, \ +- { cpu_models, {} }, \ ++ { X86_MATCH_INTEL_FAM6_MODEL(cpu_model, NULL), {} }, \ + { { .matches = dmi }, {} }, \ + uid, \ ++ status, \ + } + +-static const struct always_present_id always_present_ids[] = { ++#define PRESENT_ENTRY_HID(hid, uid, cpu_model, dmi...) \ ++ ENTRY(ACPI_STA_DEFAULT, hid, uid, cpu_model, dmi) ++ ++#define NOT_PRESENT_ENTRY_HID(hid, uid, cpu_model, dmi...) \ ++ ENTRY(0, hid, uid, cpu_model, dmi) ++ ++static const struct override_status_id override_status_ids[] = { + /* + * Bay / Cherry Trail PWM directly poked by GPU driver in win10, + * but Linux uses a separate PWM driver, harmless if not used. + */ +- ENTRY("80860F09", "1", X86_MATCH(ATOM_SILVERMONT), {}), +- ENTRY("80862288", "1", X86_MATCH(ATOM_AIRMONT), {}), ++ PRESENT_ENTRY_HID("80860F09", "1", ATOM_SILVERMONT, {}), ++ PRESENT_ENTRY_HID("80862288", "1", ATOM_AIRMONT, {}), + + /* + * The INT0002 device is necessary to clear wakeup interrupt sources + * on Cherry Trail devices, without it we get nobody cared IRQ msgs. + */ +- ENTRY("INT0002", "1", X86_MATCH(ATOM_AIRMONT), {}), ++ PRESENT_ENTRY_HID("INT0002", "1", ATOM_AIRMONT, {}), + /* + * On the Dell Venue 11 Pro 7130 and 7139, the DSDT hides + * the touchscreen ACPI device until a certain time + * after _SB.PCI0.GFX0.LCD.LCD1._ON gets called has passed + * *and* _STA has been called at least 3 times since. + */ +- ENTRY("SYNA7500", "1", X86_MATCH(HASWELL_L), { ++ PRESENT_ENTRY_HID("SYNA7500", "1", HASWELL_L, { + DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), + DMI_MATCH(DMI_PRODUCT_NAME, "Venue 11 Pro 7130"), + }), +- ENTRY("SYNA7500", "1", X86_MATCH(HASWELL_L), { ++ PRESENT_ENTRY_HID("SYNA7500", "1", HASWELL_L, { + DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), + DMI_MATCH(DMI_PRODUCT_NAME, "Venue 11 Pro 7139"), + }), +@@ -85,19 +94,19 @@ static const struct always_present_id always_present_ids[] = { + * was copy-pasted from the GPD win, so it has a disabled KIOX000A + * node which we should not enable, thus we also check the BIOS date. + */ +- ENTRY("KIOX000A", "1", X86_MATCH(ATOM_AIRMONT), { ++ PRESENT_ENTRY_HID("KIOX000A", "1", ATOM_AIRMONT, { + DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"), + DMI_MATCH(DMI_BOARD_NAME, "Default string"), + DMI_MATCH(DMI_PRODUCT_NAME, "Default string"), + DMI_MATCH(DMI_BIOS_DATE, "02/21/2017") + }), +- ENTRY("KIOX000A", "1", X86_MATCH(ATOM_AIRMONT), { ++ PRESENT_ENTRY_HID("KIOX000A", "1", ATOM_AIRMONT, { + DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"), + DMI_MATCH(DMI_BOARD_NAME, "Default string"), + DMI_MATCH(DMI_PRODUCT_NAME, "Default string"), + DMI_MATCH(DMI_BIOS_DATE, "03/20/2017") + }), +- ENTRY("KIOX000A", "1", X86_MATCH(ATOM_AIRMONT), { ++ PRESENT_ENTRY_HID("KIOX000A", "1", ATOM_AIRMONT, { + DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"), + DMI_MATCH(DMI_BOARD_NAME, "Default string"), + DMI_MATCH(DMI_PRODUCT_NAME, "Default string"), +@@ -105,26 +114,27 @@ static const struct always_present_id always_present_ids[] = { + }), + }; + +-bool acpi_device_always_present(struct acpi_device *adev) ++bool acpi_device_override_status(struct acpi_device *adev, unsigned long long *status) + { + bool ret = false; + unsigned int i; + +- for (i = 0; i < ARRAY_SIZE(always_present_ids); i++) { +- if (acpi_match_device_ids(adev, always_present_ids[i].hid)) ++ for (i = 0; i < ARRAY_SIZE(override_status_ids); i++) { ++ if (acpi_match_device_ids(adev, override_status_ids[i].hid)) + continue; + + if (!adev->pnp.unique_id || +- strcmp(adev->pnp.unique_id, always_present_ids[i].uid)) ++ strcmp(adev->pnp.unique_id, override_status_ids[i].uid)) + continue; + +- if (!x86_match_cpu(always_present_ids[i].cpu_ids)) ++ if (!x86_match_cpu(override_status_ids[i].cpu_ids)) + continue; + +- if (always_present_ids[i].dmi_ids[0].matches[0].slot && +- !dmi_check_system(always_present_ids[i].dmi_ids)) ++ if (override_status_ids[i].dmi_ids[0].matches[0].slot && ++ !dmi_check_system(override_status_ids[i].dmi_ids)) + continue; + ++ *status = override_status_ids[i].status; + ret = true; + break; + } +diff --git a/include/acpi/acpi_bus.h b/include/acpi/acpi_bus.h +index 6ad3b89a8a2e0..0f5366792d22e 100644 +--- a/include/acpi/acpi_bus.h ++++ b/include/acpi/acpi_bus.h +@@ -605,9 +605,10 @@ int acpi_enable_wakeup_device_power(struct acpi_device *dev, int state); + int acpi_disable_wakeup_device_power(struct acpi_device *dev); + + #ifdef CONFIG_X86 +-bool acpi_device_always_present(struct acpi_device *adev); ++bool acpi_device_override_status(struct acpi_device *adev, unsigned long long *status); + #else +-static inline bool acpi_device_always_present(struct acpi_device *adev) ++static inline bool acpi_device_override_status(struct acpi_device *adev, ++ unsigned long long *status) + { + return false; + } +-- +2.34.1 + diff --git a/queue-5.10/acpi-ec-rework-flushing-of-ec-work-while-suspended-t.patch b/queue-5.10/acpi-ec-rework-flushing-of-ec-work-while-suspended-t.patch new file mode 100644 index 00000000000..af6af00488c --- /dev/null +++ b/queue-5.10/acpi-ec-rework-flushing-of-ec-work-while-suspended-t.patch @@ -0,0 +1,218 @@ +From 612ef8c6c4ab1518a5ff11ffb58e492722c7b6d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Nov 2021 19:36:51 +0100 +Subject: ACPI: EC: Rework flushing of EC work while suspended to idle + +From: Rafael J. Wysocki + +[ Upstream commit 4a9af6cac050dce2e895ec3205c4615383ad9112 ] + +The flushing of pending work in the EC driver uses drain_workqueue() +to flush the event handling work that can requeue itself via +advance_transaction(), but this is problematic, because that +work may also be requeued from the query workqueue. + +Namely, if an EC transaction is carried out during the execution of +a query handler, it involves calling advance_transaction() which +may queue up the event handling work again. This causes the kernel +to complain about attempts to add a work item to the EC event +workqueue while it is being drained and worst-case it may cause a +valid event to be skipped. + +To avoid this problem, introduce two new counters, events_in_progress +and queries_in_progress, incremented when a work item is queued on +the event workqueue or the query workqueue, respectively, and +decremented at the end of the corresponding work function, and make +acpi_ec_dispatch_gpe() the workqueues in a loop until the both of +these counters are zero (or system wakeup is pending) instead of +calling acpi_ec_flush_work(). + +At the same time, change __acpi_ec_flush_work() to call +flush_workqueue() instead of drain_workqueue() to flush the event +workqueue. + +While at it, use the observation that the work item queued in +acpi_ec_query() cannot be pending at that time, because it is used +only once, to simplify the code in there. + +Additionally, clean up a comment in acpi_ec_query() and adjust white +space in acpi_ec_event_processor(). + +Fixes: f0ac20c3f613 ("ACPI: EC: Fix flushing of pending work") +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/ec.c | 57 +++++++++++++++++++++++++++++++---------- + drivers/acpi/internal.h | 2 ++ + 2 files changed, 45 insertions(+), 14 deletions(-) + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index be3e0921a6c00..3f2e5ea9ab6b7 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -166,6 +166,7 @@ struct acpi_ec_query { + struct transaction transaction; + struct work_struct work; + struct acpi_ec_query_handler *handler; ++ struct acpi_ec *ec; + }; + + static int acpi_ec_query(struct acpi_ec *ec, u8 *data); +@@ -469,6 +470,7 @@ static void acpi_ec_submit_query(struct acpi_ec *ec) + ec_dbg_evt("Command(%s) submitted/blocked", + acpi_ec_cmd_string(ACPI_EC_COMMAND_QUERY)); + ec->nr_pending_queries++; ++ ec->events_in_progress++; + queue_work(ec_wq, &ec->work); + } + } +@@ -535,7 +537,7 @@ static void acpi_ec_enable_event(struct acpi_ec *ec) + #ifdef CONFIG_PM_SLEEP + static void __acpi_ec_flush_work(void) + { +- drain_workqueue(ec_wq); /* flush ec->work */ ++ flush_workqueue(ec_wq); /* flush ec->work */ + flush_workqueue(ec_query_wq); /* flush queries */ + } + +@@ -1116,7 +1118,7 @@ void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit) + } + EXPORT_SYMBOL_GPL(acpi_ec_remove_query_handler); + +-static struct acpi_ec_query *acpi_ec_create_query(u8 *pval) ++static struct acpi_ec_query *acpi_ec_create_query(struct acpi_ec *ec, u8 *pval) + { + struct acpi_ec_query *q; + struct transaction *t; +@@ -1124,11 +1126,13 @@ static struct acpi_ec_query *acpi_ec_create_query(u8 *pval) + q = kzalloc(sizeof (struct acpi_ec_query), GFP_KERNEL); + if (!q) + return NULL; ++ + INIT_WORK(&q->work, acpi_ec_event_processor); + t = &q->transaction; + t->command = ACPI_EC_COMMAND_QUERY; + t->rdata = pval; + t->rlen = 1; ++ q->ec = ec; + return q; + } + +@@ -1145,13 +1149,21 @@ static void acpi_ec_event_processor(struct work_struct *work) + { + struct acpi_ec_query *q = container_of(work, struct acpi_ec_query, work); + struct acpi_ec_query_handler *handler = q->handler; ++ struct acpi_ec *ec = q->ec; + + ec_dbg_evt("Query(0x%02x) started", handler->query_bit); ++ + if (handler->func) + handler->func(handler->data); + else if (handler->handle) + acpi_evaluate_object(handler->handle, NULL, NULL, NULL); ++ + ec_dbg_evt("Query(0x%02x) stopped", handler->query_bit); ++ ++ spin_lock_irq(&ec->lock); ++ ec->queries_in_progress--; ++ spin_unlock_irq(&ec->lock); ++ + acpi_ec_delete_query(q); + } + +@@ -1161,7 +1173,7 @@ static int acpi_ec_query(struct acpi_ec *ec, u8 *data) + int result; + struct acpi_ec_query *q; + +- q = acpi_ec_create_query(&value); ++ q = acpi_ec_create_query(ec, &value); + if (!q) + return -ENOMEM; + +@@ -1183,19 +1195,20 @@ static int acpi_ec_query(struct acpi_ec *ec, u8 *data) + } + + /* +- * It is reported that _Qxx are evaluated in a parallel way on +- * Windows: ++ * It is reported that _Qxx are evaluated in a parallel way on Windows: + * https://bugzilla.kernel.org/show_bug.cgi?id=94411 + * +- * Put this log entry before schedule_work() in order to make +- * it appearing before any other log entries occurred during the +- * work queue execution. ++ * Put this log entry before queue_work() to make it appear in the log ++ * before any other messages emitted during workqueue handling. + */ + ec_dbg_evt("Query(0x%02x) scheduled", value); +- if (!queue_work(ec_query_wq, &q->work)) { +- ec_dbg_evt("Query(0x%02x) overlapped", value); +- result = -EBUSY; +- } ++ ++ spin_lock_irq(&ec->lock); ++ ++ ec->queries_in_progress++; ++ queue_work(ec_query_wq, &q->work); ++ ++ spin_unlock_irq(&ec->lock); + + err_exit: + if (result) +@@ -1253,6 +1266,10 @@ static void acpi_ec_event_handler(struct work_struct *work) + ec_dbg_evt("Event stopped"); + + acpi_ec_check_event(ec); ++ ++ spin_lock_irqsave(&ec->lock, flags); ++ ec->events_in_progress--; ++ spin_unlock_irqrestore(&ec->lock, flags); + } + + static void acpi_ec_handle_interrupt(struct acpi_ec *ec) +@@ -2034,6 +2051,7 @@ void acpi_ec_set_gpe_wake_mask(u8 action) + + bool acpi_ec_dispatch_gpe(void) + { ++ bool work_in_progress; + u32 ret; + + if (!first_ec) +@@ -2054,8 +2072,19 @@ bool acpi_ec_dispatch_gpe(void) + if (ret == ACPI_INTERRUPT_HANDLED) + pm_pr_dbg("ACPI EC GPE dispatched\n"); + +- /* Flush the event and query workqueues. */ +- acpi_ec_flush_work(); ++ /* Drain EC work. */ ++ do { ++ acpi_ec_flush_work(); ++ ++ pm_pr_dbg("ACPI EC work flushed\n"); ++ ++ spin_lock_irq(&first_ec->lock); ++ ++ work_in_progress = first_ec->events_in_progress + ++ first_ec->queries_in_progress > 0; ++ ++ spin_unlock_irq(&first_ec->lock); ++ } while (work_in_progress && !pm_wakeup_pending()); + + return false; + } +diff --git a/drivers/acpi/internal.h b/drivers/acpi/internal.h +index a958ad60a3394..125e4901c9b47 100644 +--- a/drivers/acpi/internal.h ++++ b/drivers/acpi/internal.h +@@ -184,6 +184,8 @@ struct acpi_ec { + struct work_struct work; + unsigned long timestamp; + unsigned long nr_pending_queries; ++ unsigned int events_in_progress; ++ unsigned int queries_in_progress; + bool busy_polling; + unsigned int polling_guard; + }; +-- +2.34.1 + diff --git a/queue-5.10/acpi-scan-create-platform-device-for-bcm4752-and-lnv.patch b/queue-5.10/acpi-scan-create-platform-device-for-bcm4752-and-lnv.patch new file mode 100644 index 00000000000..af044a63911 --- /dev/null +++ b/queue-5.10/acpi-scan-create-platform-device-for-bcm4752-and-lnv.patch @@ -0,0 +1,79 @@ +From b87063ba97aa4c8f1aead141468b9a2c0dcda780 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Dec 2021 12:57:47 +0100 +Subject: ACPI: scan: Create platform device for BCM4752 and LNV4752 ACPI nodes + +From: Hans de Goede + +[ Upstream commit f85196bdd5a50da74670250564740fc852b3c239 ] + +BCM4752 and LNV4752 ACPI nodes describe a Broadcom 4752 GPS module +attached to an UART of the system. + +The GPS modules talk a custom protocol which only works with a closed- +source Android gpsd daemon which knows this protocol. + +The ACPI nodes also describe GPIOs to turn the GPS on/off these are +handled by the net/rfkill/rfkill-gpio.c code. This handling predates the +addition of enumeration of ACPI instantiated serdevs to the kernel and +was broken by that addition, because the ACPI scan code now no longer +instantiates platform_device-s for these nodes. + +Rename the i2c_multi_instantiate_ids HID list to ignore_serial_bus_ids +and add the BCM4752 and LNV4752 HIDs, so that rfkill-gpio gets +a platform_device to bind to again; and so that a tty cdev for gpsd +gets created for these. + +Fixes: e361d1f85855 ("ACPI / scan: Fix enumeration for special UART devices") +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/scan.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c +index de0533bd4e086..67a5ee2fedfd3 100644 +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -1577,6 +1577,7 @@ static bool acpi_device_enumeration_by_parent(struct acpi_device *device) + { + struct list_head resource_list; + bool is_serial_bus_slave = false; ++ static const struct acpi_device_id ignore_serial_bus_ids[] = { + /* + * These devices have multiple I2cSerialBus resources and an i2c-client + * must be instantiated for each, each with its own i2c_device_id. +@@ -1585,11 +1586,18 @@ static bool acpi_device_enumeration_by_parent(struct acpi_device *device) + * drivers/platform/x86/i2c-multi-instantiate.c driver, which knows + * which i2c_device_id to use for each resource. + */ +- static const struct acpi_device_id i2c_multi_instantiate_ids[] = { + {"BSG1160", }, + {"BSG2150", }, + {"INT33FE", }, + {"INT3515", }, ++ /* ++ * HIDs of device with an UartSerialBusV2 resource for which userspace ++ * expects a regular tty cdev to be created (instead of the in kernel ++ * serdev) and which have a kernel driver which expects a platform_dev ++ * such as the rfkill-gpio driver. ++ */ ++ {"BCM4752", }, ++ {"LNV4752", }, + {} + }; + +@@ -1603,8 +1611,7 @@ static bool acpi_device_enumeration_by_parent(struct acpi_device *device) + fwnode_property_present(&device->fwnode, "baud"))) + return true; + +- /* Instantiate a pdev for the i2c-multi-instantiate drv to bind to */ +- if (!acpi_match_device_ids(device, i2c_multi_instantiate_ids)) ++ if (!acpi_match_device_ids(device, ignore_serial_bus_ids)) + return false; + + INIT_LIST_HEAD(&resource_list); +-- +2.34.1 + diff --git a/queue-5.10/acpi-x86-add-not-present-quirk-for-the-pci0.sdhb.brc.patch b/queue-5.10/acpi-x86-add-not-present-quirk-for-the-pci0.sdhb.brc.patch new file mode 100644 index 00000000000..bce2e0b092a --- /dev/null +++ b/queue-5.10/acpi-x86-add-not-present-quirk-for-the-pci0.sdhb.brc.patch @@ -0,0 +1,75 @@ +From 920cc8e5e1a6a3c822be75f5a24e38596a92ec66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Nov 2021 18:05:33 +0100 +Subject: ACPI / x86: Add not-present quirk for the PCI0.SDHB.BRC1 device on + the GPD win + +From: Hans de Goede + +[ Upstream commit 57d2dbf710d832841872fb15ebb79429cab90fae ] + +The GPD win and its sibling the GPD pocket (99% the same electronics in a +different case) use a PCI wifi card. But the ACPI tables on both variants +contain a bug where the SDIO MMC controller for SDIO wifi cards is enabled +despite this. This SDIO MMC controller has a PCI0.SDHB.BRC1 child-device +which _PS3 method sets a GPIO causing the PCI wifi card to turn off. + +At the moment there is a pretty ugly kludge in the sdhci-acpi.c code, +just to work around the bug in the DSDT of this single design. This can +be solved cleaner/simply with a quirk overriding the _STA return of the +broken PCI0.SDHB.BRC1 PCI0.SDHB.BRC1 child with a status value of 0, +so that its power_manageable flag gets cleared, avoiding this problem. + +Note that even though it is not used, the _STA method for the MMC +controller is deliberately not overridden. If the status of the MMC +controller were forced to 0 it would never get suspended, which would +cause these mini-laptops to not reach S0i3 level when suspended. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/x86/utils.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c +index 91bbc4b6b8035..3f9a162be84e3 100644 +--- a/drivers/acpi/x86/utils.c ++++ b/drivers/acpi/x86/utils.c +@@ -94,9 +94,10 @@ static const struct override_status_id override_status_ids[] = { + /* + * The GPD win BIOS dated 20170221 has disabled the accelerometer, the + * drivers sometimes cause crashes under Windows and this is how the +- * manufacturer has solved this :| Note that the the DMI data is less +- * generic then it seems, a board_vendor of "AMI Corporation" is quite +- * rare and a board_name of "Default String" also is rare. ++ * manufacturer has solved this :| The DMI match may not seem unique, ++ * but it is. In the 67000+ DMI decode dumps from linux-hardware.org ++ * only 116 have board_vendor set to "AMI Corporation" and of those 116 ++ * only the GPD win and pocket entries' board_name is "Default string". + * + * Unfortunately the GPD pocket also uses these strings and its BIOS + * was copy-pasted from the GPD win, so it has a disabled KIOX000A +@@ -120,6 +121,19 @@ static const struct override_status_id override_status_ids[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "Default string"), + DMI_MATCH(DMI_BIOS_DATE, "05/25/2017") + }), ++ ++ /* ++ * The GPD win/pocket have a PCI wifi card, but its DSDT has the SDIO ++ * mmc controller enabled and that has a child-device which _PS3 ++ * method sets a GPIO causing the PCI wifi card to turn off. ++ * See above remark about uniqueness of the DMI match. ++ */ ++ NOT_PRESENT_ENTRY_PATH("\\_SB_.PCI0.SDHB.BRC1", ATOM_AIRMONT, { ++ DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"), ++ DMI_EXACT_MATCH(DMI_BOARD_NAME, "Default string"), ++ DMI_EXACT_MATCH(DMI_BOARD_SERIAL, "Default string"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Default string"), ++ }), + }; + + bool acpi_device_override_status(struct acpi_device *adev, unsigned long long *status) +-- +2.34.1 + diff --git a/queue-5.10/acpi-x86-allow-specifying-acpi_device_override_statu.patch b/queue-5.10/acpi-x86-allow-specifying-acpi_device_override_statu.patch new file mode 100644 index 00000000000..197aefb79b8 --- /dev/null +++ b/queue-5.10/acpi-x86-allow-specifying-acpi_device_override_statu.patch @@ -0,0 +1,109 @@ +From 6f8b3cbf77abec6b3c75cae98005d83e17e8ff29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Nov 2021 18:05:32 +0100 +Subject: ACPI / x86: Allow specifying acpi_device_override_status() quirks by + path + +From: Hans de Goede + +[ Upstream commit ba46e42e925b5d09b4e441f8de3db119cc7df58f ] + +Not all ACPI-devices have a HID + UID, allow specifying quirks for +acpi_device_override_status() by path too. + +Note this moves the path/HID+UID check to after the CPU + DMI checks +since the path lookup is somewhat costly. + +This way this lookup is only done on devices where the other checks +match. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/x86/utils.c | 42 ++++++++++++++++++++++++++++++---------- + 1 file changed, 32 insertions(+), 10 deletions(-) + +diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c +index c6b0782dcced5..91bbc4b6b8035 100644 +--- a/drivers/acpi/x86/utils.c ++++ b/drivers/acpi/x86/utils.c +@@ -38,22 +38,30 @@ struct override_status_id { + struct x86_cpu_id cpu_ids[2]; + struct dmi_system_id dmi_ids[2]; /* Optional */ + const char *uid; ++ const char *path; + unsigned long long status; + }; + +-#define ENTRY(status, hid, uid, cpu_model, dmi...) { \ ++#define ENTRY(status, hid, uid, path, cpu_model, dmi...) { \ + { { hid, }, {} }, \ + { X86_MATCH_INTEL_FAM6_MODEL(cpu_model, NULL), {} }, \ + { { .matches = dmi }, {} }, \ + uid, \ ++ path, \ + status, \ + } + + #define PRESENT_ENTRY_HID(hid, uid, cpu_model, dmi...) \ +- ENTRY(ACPI_STA_DEFAULT, hid, uid, cpu_model, dmi) ++ ENTRY(ACPI_STA_DEFAULT, hid, uid, NULL, cpu_model, dmi) + + #define NOT_PRESENT_ENTRY_HID(hid, uid, cpu_model, dmi...) \ +- ENTRY(0, hid, uid, cpu_model, dmi) ++ ENTRY(0, hid, uid, NULL, cpu_model, dmi) ++ ++#define PRESENT_ENTRY_PATH(path, cpu_model, dmi...) \ ++ ENTRY(ACPI_STA_DEFAULT, "", NULL, path, cpu_model, dmi) ++ ++#define NOT_PRESENT_ENTRY_PATH(path, cpu_model, dmi...) \ ++ ENTRY(0, "", NULL, path, cpu_model, dmi) + + static const struct override_status_id override_status_ids[] = { + /* +@@ -120,13 +128,6 @@ bool acpi_device_override_status(struct acpi_device *adev, unsigned long long *s + unsigned int i; + + for (i = 0; i < ARRAY_SIZE(override_status_ids); i++) { +- if (acpi_match_device_ids(adev, override_status_ids[i].hid)) +- continue; +- +- if (!adev->pnp.unique_id || +- strcmp(adev->pnp.unique_id, override_status_ids[i].uid)) +- continue; +- + if (!x86_match_cpu(override_status_ids[i].cpu_ids)) + continue; + +@@ -134,6 +135,27 @@ bool acpi_device_override_status(struct acpi_device *adev, unsigned long long *s + !dmi_check_system(override_status_ids[i].dmi_ids)) + continue; + ++ if (override_status_ids[i].path) { ++ struct acpi_buffer path = { ACPI_ALLOCATE_BUFFER, NULL }; ++ bool match; ++ ++ if (acpi_get_name(adev->handle, ACPI_FULL_PATHNAME, &path)) ++ continue; ++ ++ match = strcmp((char *)path.pointer, override_status_ids[i].path) == 0; ++ kfree(path.pointer); ++ ++ if (!match) ++ continue; ++ } else { ++ if (acpi_match_device_ids(adev, override_status_ids[i].hid)) ++ continue; ++ ++ if (!adev->pnp.unique_id || ++ strcmp(adev->pnp.unique_id, override_status_ids[i].uid)) ++ continue; ++ } ++ + *status = override_status_ids[i].status; + ret = true; + break; +-- +2.34.1 + diff --git a/queue-5.10/acpi-x86-drop-pwm2-device-on-lenovo-yoga-book-from-a.patch b/queue-5.10/acpi-x86-drop-pwm2-device-on-lenovo-yoga-book-from-a.patch new file mode 100644 index 00000000000..cb31a772c3a --- /dev/null +++ b/queue-5.10/acpi-x86-drop-pwm2-device-on-lenovo-yoga-book-from-a.patch @@ -0,0 +1,49 @@ +From fad821cb7508114378004c6e355ef5f6ff49f056 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Nov 2021 18:05:30 +0100 +Subject: ACPI / x86: Drop PWM2 device on Lenovo Yoga Book from always present + table + +From: Hans de Goede + +[ Upstream commit d431dfb764b145369be820fcdfd50f2159b9bbc2 ] + +It turns out that there is a WMI object which controls the PWM2 device +used for the keyboard backlight and that WMI object also provides some +other useful functionality. + +The upcoming lenovo-yogabook-wmi driver will offer both backlight +control and the other functionality, so there no longer is a need +to have the lpss-pwm driver binding to PWM2 for backlight control; +and this is now actually undesirable because this will cause both +the WMI code and the lpss-pwm driver to poke at the same PWM +controller. + +Drop the always-present quirk for the PWM2 ACPI-device, so that the + lpss-pwm controller will no longer bind to it. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/x86/utils.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c +index bdc1ba00aee9f..baaa44edc9441 100644 +--- a/drivers/acpi/x86/utils.c ++++ b/drivers/acpi/x86/utils.c +@@ -54,10 +54,6 @@ static const struct always_present_id always_present_ids[] = { + ENTRY("80860F09", "1", X86_MATCH(ATOM_SILVERMONT), {}), + ENTRY("80862288", "1", X86_MATCH(ATOM_AIRMONT), {}), + +- /* Lenovo Yoga Book uses PWM2 for keyboard backlight control */ +- ENTRY("80862289", "2", X86_MATCH(ATOM_AIRMONT), { +- DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X9"), +- }), + /* + * The INT0002 device is necessary to clear wakeup interrupt sources + * on Cherry Trail devices, without it we get nobody cared IRQ msgs. +-- +2.34.1 + diff --git a/queue-5.10/acpica-actypes.h-expand-the-acpi_access_-definitions.patch b/queue-5.10/acpica-actypes.h-expand-the-acpi_access_-definitions.patch new file mode 100644 index 00000000000..961a387f374 --- /dev/null +++ b/queue-5.10/acpica-actypes.h-expand-the-acpi_access_-definitions.patch @@ -0,0 +1,56 @@ +From e1f66cae86eaf549cb1a7a60b3242869feb9432b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 16:57:34 +0100 +Subject: ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions + +From: Mark Langsdorf + +[ Upstream commit f81bdeaf816142e0729eea0cc84c395ec9673151 ] + +ACPICA commit bc02c76d518135531483dfc276ed28b7ee632ce1 + +The current ACPI_ACCESS_*_WIDTH defines do not provide a way to +test that size is small enough to not cause an overflow when +applied to a 32-bit integer. + +Rather than adding more magic numbers, add ACPI_ACCESS_*_SHIFT, +ACPI_ACCESS_*_MAX, and ACPI_ACCESS_*_DEFAULT #defines and +redefine ACPI_ACCESS_*_WIDTH in terms of the new #defines. + +This was inititally reported on Linux where a size of 102 in +ACPI_ACCESS_BIT_WIDTH caused an overflow error in the SPCR +initialization code. + +Link: https://github.com/acpica/acpica/commit/bc02c76d +Signed-off-by: Mark Langsdorf +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + include/acpi/actypes.h | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/include/acpi/actypes.h b/include/acpi/actypes.h +index 647cb11d0a0a3..7334037624c5c 100644 +--- a/include/acpi/actypes.h ++++ b/include/acpi/actypes.h +@@ -536,8 +536,14 @@ typedef u64 acpi_integer; + * Can be used with access_width of struct acpi_generic_address and access_size of + * struct acpi_resource_generic_register. + */ +-#define ACPI_ACCESS_BIT_WIDTH(size) (1 << ((size) + 2)) +-#define ACPI_ACCESS_BYTE_WIDTH(size) (1 << ((size) - 1)) ++#define ACPI_ACCESS_BIT_SHIFT 2 ++#define ACPI_ACCESS_BYTE_SHIFT -1 ++#define ACPI_ACCESS_BIT_MAX (31 - ACPI_ACCESS_BIT_SHIFT) ++#define ACPI_ACCESS_BYTE_MAX (31 - ACPI_ACCESS_BYTE_SHIFT) ++#define ACPI_ACCESS_BIT_DEFAULT (8 - ACPI_ACCESS_BIT_SHIFT) ++#define ACPI_ACCESS_BYTE_DEFAULT (8 - ACPI_ACCESS_BYTE_SHIFT) ++#define ACPI_ACCESS_BIT_WIDTH(size) (1 << ((size) + ACPI_ACCESS_BIT_SHIFT)) ++#define ACPI_ACCESS_BYTE_WIDTH(size) (1 << ((size) + ACPI_ACCESS_BYTE_SHIFT)) + + /******************************************************************************* + * +-- +2.34.1 + diff --git a/queue-5.10/acpica-executer-fix-the-refclass_refof-case-in-acpi_.patch b/queue-5.10/acpica-executer-fix-the-refclass_refof-case-in-acpi_.patch new file mode 100644 index 00000000000..1ca95fe3e76 --- /dev/null +++ b/queue-5.10/acpica-executer-fix-the-refclass_refof-case-in-acpi_.patch @@ -0,0 +1,57 @@ +From fffcd4cc15e035083f3a1a954c83dee9df0c9767 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 17:31:05 +0100 +Subject: ACPICA: Executer: Fix the REFCLASS_REFOF case in + acpi_ex_opcode_1A_0T_1R() + +From: Rafael J. Wysocki + +[ Upstream commit 24ea5f90ec9548044a6209685c5010edd66ffe8f ] + +ACPICA commit d984f12041392fa4156b52e2f7e5c5e7bc38ad9e + +If Operand[0] is a reference of the ACPI_REFCLASS_REFOF class, +acpi_ex_opcode_1A_0T_1R () calls acpi_ns_get_attached_object () to +obtain return_desc which may require additional resolution with +the help of acpi_ex_read_data_from_field (). If the latter fails, +the reference counter of the original return_desc is decremented +which is incorrect, because acpi_ns_get_attached_object () does not +increment the reference counter of the object returned by it. + +This issue may lead to premature deletion of the attached object +while it is still attached and a use-after-free and crash in the +host OS. For example, this may happen when on evaluation of ref_of() +a local region field where there is no registered handler for the +given Operation Region. + +Fix it by making acpi_ex_opcode_1A_0T_1R () return Status right away +after a acpi_ex_read_data_from_field () failure. + +Link: https://github.com/acpica/acpica/commit/d984f120 +Link: https://github.com/acpica/acpica/pull/685 +Reported-by: Lenny Szubowicz +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/exoparg1.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpica/exoparg1.c b/drivers/acpi/acpica/exoparg1.c +index a46d685a3ffcf..9d67dfd93d5b6 100644 +--- a/drivers/acpi/acpica/exoparg1.c ++++ b/drivers/acpi/acpica/exoparg1.c +@@ -1007,7 +1007,8 @@ acpi_status acpi_ex_opcode_1A_0T_1R(struct acpi_walk_state *walk_state) + (walk_state, return_desc, + &temp_desc); + if (ACPI_FAILURE(status)) { +- goto cleanup; ++ return_ACPI_STATUS ++ (status); + } + + return_desc = temp_desc; +-- +2.34.1 + diff --git a/queue-5.10/acpica-fix-wrong-interpretation-of-pcc-address.patch b/queue-5.10/acpica-fix-wrong-interpretation-of-pcc-address.patch new file mode 100644 index 00000000000..90e50511c45 --- /dev/null +++ b/queue-5.10/acpica-fix-wrong-interpretation-of-pcc-address.patch @@ -0,0 +1,86 @@ +From 6efa5b49a44c79380043a2e04be3f93dc84e4f1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 17:31:54 +0100 +Subject: ACPICA: Fix wrong interpretation of PCC address + +From: Sudeep Holla + +[ Upstream commit 9a3b8655db1ada31c82189ae13f40eb25da48c35 ] + +ACPICA commit 41be6afacfdaec2dba3a5ed368736babc2a7aa5c + +With the PCC Opregion in the firmware and we are hitting below kernel crash: + +-->8 +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 + Workqueue: pm pm_runtime_work + pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : __memcpy+0x54/0x260 + lr : acpi_ex_write_data_to_field+0xb8/0x194 + Call trace: + __memcpy+0x54/0x260 + acpi_ex_store_object_to_node+0xa4/0x1d4 + acpi_ex_store+0x44/0x164 + acpi_ex_opcode_1A_1T_1R+0x25c/0x508 + acpi_ds_exec_end_op+0x1b4/0x44c + acpi_ps_parse_loop+0x3a8/0x614 + acpi_ps_parse_aml+0x90/0x2f4 + acpi_ps_execute_method+0x11c/0x19c + acpi_ns_evaluate+0x1ec/0x2b0 + acpi_evaluate_object+0x170/0x2b0 + acpi_device_set_power+0x118/0x310 + acpi_dev_suspend+0xd4/0x180 + acpi_subsys_runtime_suspend+0x28/0x38 + __rpm_callback+0x74/0x328 + rpm_suspend+0x2d8/0x624 + pm_runtime_work+0xa4/0xb8 + process_one_work+0x194/0x25c + worker_thread+0x260/0x49c + kthread+0x14c/0x30c + ret_from_fork+0x10/0x20 + Code: f9000006 f81f80a7 d65f03c0 361000c2 (b9400026) + ---[ end trace 24d8a032fa77b68a ]--- + +The reason for the crash is that the PCC channel index passed via region.address +in acpi_ex_store_object_to_node is interpreted as the channel subtype +incorrectly. + +Assuming the PCC op_region support is not used by any other type, let us +remove the subtype check as the AML has no access to the subtype information. +Once we remove it, the kernel crash disappears and correctly complains about +missing PCC Opregion handler. + +ACPI Error: No handler for Region [PFRM] ((____ptrval____)) [PCC] (20210730/evregion-130) +ACPI Error: Region PCC (ID=10) has no handler (20210730/exfldio-261) +ACPI Error: Aborting method \_SB.ETH0._PS3 due to previous error (AE_NOT_EXIST) (20210730/psparse-531) + +Link: https://github.com/acpica/acpica/commit/41be6afa +Signed-off-by: Sudeep Holla +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/exfield.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/acpi/acpica/exfield.c b/drivers/acpi/acpica/exfield.c +index 3323a2ba6a313..b3230e511870a 100644 +--- a/drivers/acpi/acpica/exfield.c ++++ b/drivers/acpi/acpica/exfield.c +@@ -326,12 +326,7 @@ acpi_ex_write_data_to_field(union acpi_operand_object *source_desc, + obj_desc->field.base_byte_offset, + source_desc->buffer.pointer, data_length); + +- if ((obj_desc->field.region_obj->region.address == +- PCC_MASTER_SUBSPACE +- && MASTER_SUBSPACE_COMMAND(obj_desc->field. +- base_byte_offset)) +- || GENERIC_SUBSPACE_COMMAND(obj_desc->field. +- base_byte_offset)) { ++ if (MASTER_SUBSPACE_COMMAND(obj_desc->field.base_byte_offset)) { + + /* Perform the write */ + +-- +2.34.1 + diff --git a/queue-5.10/acpica-hardware-do-not-flush-cpu-cache-when-entering.patch b/queue-5.10/acpica-hardware-do-not-flush-cpu-cache-when-entering.patch new file mode 100644 index 00000000000..87dbd578b04 --- /dev/null +++ b/queue-5.10/acpica-hardware-do-not-flush-cpu-cache-when-entering.patch @@ -0,0 +1,82 @@ +From d144261187d92e9160ea89c9ddcfea0d4bc0e9a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 17:33:51 +0100 +Subject: ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5 + +From: Kirill A. Shutemov + +[ Upstream commit 1d4e0b3abb168b2ee1eca99c527cffa1b80b6161 ] + +ACPICA commit 3dd7e1f3996456ef81bfe14cba29860e8d42949e + +According to ACPI 6.4, Section 16.2, the CPU cache flushing is +required on entering to S1, S2, and S3, but the ACPICA code +flushes the CPU cache regardless of the sleep state. + +Blind cache flush on entering S5 causes problems for TDX. + +Flushing happens with WBINVD that is not supported in the TDX +environment. + +TDX only supports S5 and adjusting ACPICA code to conform to the +spec more strictly fixes the issue. + +Link: https://github.com/acpica/acpica/commit/3dd7e1f3 +Signed-off-by: Kirill A. Shutemov +[ rjw: Subject and changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/hwesleep.c | 4 +++- + drivers/acpi/acpica/hwsleep.c | 4 +++- + drivers/acpi/acpica/hwxfsleep.c | 2 -- + 3 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/acpi/acpica/hwesleep.c b/drivers/acpi/acpica/hwesleep.c +index 4836a4b8b38b8..142a755be6881 100644 +--- a/drivers/acpi/acpica/hwesleep.c ++++ b/drivers/acpi/acpica/hwesleep.c +@@ -104,7 +104,9 @@ acpi_status acpi_hw_extended_sleep(u8 sleep_state) + + /* Flush caches, as per ACPI specification */ + +- ACPI_FLUSH_CPU_CACHE(); ++ if (sleep_state < ACPI_STATE_S4) { ++ ACPI_FLUSH_CPU_CACHE(); ++ } + + status = acpi_os_enter_sleep(sleep_state, sleep_control, 0); + if (status == AE_CTRL_TERMINATE) { +diff --git a/drivers/acpi/acpica/hwsleep.c b/drivers/acpi/acpica/hwsleep.c +index fcc84d196238a..6a20bb5059c1d 100644 +--- a/drivers/acpi/acpica/hwsleep.c ++++ b/drivers/acpi/acpica/hwsleep.c +@@ -110,7 +110,9 @@ acpi_status acpi_hw_legacy_sleep(u8 sleep_state) + + /* Flush caches, as per ACPI specification */ + +- ACPI_FLUSH_CPU_CACHE(); ++ if (sleep_state < ACPI_STATE_S4) { ++ ACPI_FLUSH_CPU_CACHE(); ++ } + + status = acpi_os_enter_sleep(sleep_state, pm1a_control, pm1b_control); + if (status == AE_CTRL_TERMINATE) { +diff --git a/drivers/acpi/acpica/hwxfsleep.c b/drivers/acpi/acpica/hwxfsleep.c +index f1645d87864c3..3948c34d85830 100644 +--- a/drivers/acpi/acpica/hwxfsleep.c ++++ b/drivers/acpi/acpica/hwxfsleep.c +@@ -162,8 +162,6 @@ acpi_status acpi_enter_sleep_state_s4bios(void) + return_ACPI_STATUS(status); + } + +- ACPI_FLUSH_CPU_CACHE(); +- + status = acpi_hw_write_port(acpi_gbl_FADT.smi_command, + (u32)acpi_gbl_FADT.s4_bios_request, 8); + if (ACPI_FAILURE(status)) { +-- +2.34.1 + diff --git a/queue-5.10/acpica-utilities-avoid-deleting-the-same-object-twic.patch b/queue-5.10/acpica-utilities-avoid-deleting-the-same-object-twic.patch new file mode 100644 index 00000000000..ea2852c6456 --- /dev/null +++ b/queue-5.10/acpica-utilities-avoid-deleting-the-same-object-twic.patch @@ -0,0 +1,48 @@ +From 4fcacae5dc35ee90f9e364ea61785d575f607a6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 17:29:45 +0100 +Subject: ACPICA: Utilities: Avoid deleting the same object twice in a row + +From: Rafael J. Wysocki + +[ Upstream commit 1cdfe9e346b4c5509ffe19ccde880fd259d9f7a3 ] + +ACPICA commit c11af67d8f7e3d381068ce7771322f2b5324d687 + +If original_count is 0 in acpi_ut_update_ref_count (), +acpi_ut_delete_internal_obj () is invoked for the target object, which is +incorrect, because that object has been deleted once already and the +memory allocated to store it may have been reclaimed and allocated +for a different purpose by the host OS. Moreover, a confusing debug +message following the "Reference Count is already zero, cannot +decrement" warning is printed in that case. + +To fix this issue, make acpi_ut_update_ref_count () return after finding +that original_count is 0 and printing the above warning. + +Link: https://github.com/acpica/acpica/commit/c11af67d +Link: https://github.com/acpica/acpica/pull/652 +Reported-by: Mark Asselstine +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/utdelete.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c +index 72d2c0b656339..cb1750e7a6281 100644 +--- a/drivers/acpi/acpica/utdelete.c ++++ b/drivers/acpi/acpica/utdelete.c +@@ -422,6 +422,7 @@ acpi_ut_update_ref_count(union acpi_operand_object *object, u32 action) + ACPI_WARNING((AE_INFO, + "Obj %p, Reference Count is already zero, cannot decrement\n", + object)); ++ return; + } + + ACPI_DEBUG_PRINT_RAW((ACPI_DB_ALLOCATIONS, +-- +2.34.1 + diff --git a/queue-5.10/alsa-hda-add-missing-rwsem-around-snd_ctl_remove-cal.patch b/queue-5.10/alsa-hda-add-missing-rwsem-around-snd_ctl_remove-cal.patch new file mode 100644 index 00000000000..0dba14817dd --- /dev/null +++ b/queue-5.10/alsa-hda-add-missing-rwsem-around-snd_ctl_remove-cal.patch @@ -0,0 +1,40 @@ +From 659b9b42e91f434b93e665a604eddf129345d709 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Nov 2021 08:13:14 +0100 +Subject: ALSA: hda: Add missing rwsem around snd_ctl_remove() calls + +From: Takashi Iwai + +[ Upstream commit 80bd64af75b4bb11c0329bc66c35da2ddfb66d88 ] + +snd_ctl_remove() has to be called with card->controls_rwsem held (when +called after the card instantiation). This patch add the missing +rwsem calls around it. + +Fixes: d13bd412dce2 ("ALSA: hda - Manage kcontrol lists") +Link: https://lore.kernel.org/r/20211116071314.15065-3-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_codec.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c +index 6dece719be669..39281106477eb 100644 +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -1727,8 +1727,11 @@ void snd_hda_ctls_clear(struct hda_codec *codec) + { + int i; + struct hda_nid_item *items = codec->mixers.list; ++ ++ down_write(&codec->card->controls_rwsem); + for (i = 0; i < codec->mixers.used; i++) + snd_ctl_remove(codec->card, items[i].kctl); ++ up_write(&codec->card->controls_rwsem); + snd_array_free(&codec->mixers); + snd_array_free(&codec->nids); + } +-- +2.34.1 + diff --git a/queue-5.10/alsa-jack-add-missing-rwsem-around-snd_ctl_remove-ca.patch b/queue-5.10/alsa-jack-add-missing-rwsem-around-snd_ctl_remove-ca.patch new file mode 100644 index 00000000000..df3efa1eff4 --- /dev/null +++ b/queue-5.10/alsa-jack-add-missing-rwsem-around-snd_ctl_remove-ca.patch @@ -0,0 +1,42 @@ +From 4e4e99dbbf1b730ad5cea36a36b2be03e7be9769 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Nov 2021 08:13:12 +0100 +Subject: ALSA: jack: Add missing rwsem around snd_ctl_remove() calls + +From: Takashi Iwai + +[ Upstream commit 06764dc931848c3a9bc01a63bbf76a605408bb54 ] + +snd_ctl_remove() has to be called with card->controls_rwsem held (when +called after the card instantiation). This patch add the missing +rwsem calls around it. + +Fixes: 9058cbe1eed2 ("ALSA: jack: implement kctl creating for jack devices") +Link: https://lore.kernel.org/r/20211116071314.15065-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/jack.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/core/jack.c b/sound/core/jack.c +index d6502dff247a8..dc2e06ae24149 100644 +--- a/sound/core/jack.c ++++ b/sound/core/jack.c +@@ -54,10 +54,13 @@ static int snd_jack_dev_free(struct snd_device *device) + struct snd_card *card = device->card; + struct snd_jack_kctl *jack_kctl, *tmp_jack_kctl; + ++ down_write(&card->controls_rwsem); + list_for_each_entry_safe(jack_kctl, tmp_jack_kctl, &jack->kctl_list, list) { + list_del_init(&jack_kctl->list); + snd_ctl_remove(card, jack_kctl->kctl); + } ++ up_write(&card->controls_rwsem); ++ + if (jack->private_free) + jack->private_free(jack); + +-- +2.34.1 + diff --git a/queue-5.10/alsa-oss-fix-compile-error-when-oss_debug-is-enabled.patch b/queue-5.10/alsa-oss-fix-compile-error-when-oss_debug-is-enabled.patch new file mode 100644 index 00000000000..fe67cea6391 --- /dev/null +++ b/queue-5.10/alsa-oss-fix-compile-error-when-oss_debug-is-enabled.patch @@ -0,0 +1,41 @@ +From 3ebc0bb92baa5fa235d948d848836338605325bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 16:58:54 +0800 +Subject: ALSA: oss: fix compile error when OSS_DEBUG is enabled + +From: Bixuan Cui + +[ Upstream commit 8e7daf318d97f25e18b2fc7eb5909e34cd903575 ] + +Fix compile error when OSS_DEBUG is enabled: + sound/core/oss/pcm_oss.c: In function 'snd_pcm_oss_set_trigger': + sound/core/oss/pcm_oss.c:2055:10: error: 'substream' undeclared (first + use in this function); did you mean 'csubstream'? + pcm_dbg(substream->pcm, "pcm_oss: trigger = 0x%x\n", trigger); + ^ + +Fixes: 61efcee8608c ("ALSA: oss: Use standard printk helpers") +Signed-off-by: Bixuan Cui +Link: https://lore.kernel.org/r/1638349134-110369-1-git-send-email-cuibixuan@linux.alibaba.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/oss/pcm_oss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c +index 77727a69c3c4e..d79febeebf0c5 100644 +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -2056,7 +2056,7 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr + int err, cmd; + + #ifdef OSS_DEBUG +- pcm_dbg(substream->pcm, "pcm_oss: trigger = 0x%x\n", trigger); ++ pr_debug("pcm_oss: trigger = 0x%x\n", trigger); + #endif + + psubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_PLAYBACK]; +-- +2.34.1 + diff --git a/queue-5.10/alsa-pcm-add-missing-rwsem-around-snd_ctl_remove-cal.patch b/queue-5.10/alsa-pcm-add-missing-rwsem-around-snd_ctl_remove-cal.patch new file mode 100644 index 00000000000..cb0c94fc9d5 --- /dev/null +++ b/queue-5.10/alsa-pcm-add-missing-rwsem-around-snd_ctl_remove-cal.patch @@ -0,0 +1,41 @@ +From bff66270a555a23939b901e9a60f44b5ee885af4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Nov 2021 08:13:13 +0100 +Subject: ALSA: PCM: Add missing rwsem around snd_ctl_remove() calls + +From: Takashi Iwai + +[ Upstream commit 5471e9762e1af4b7df057a96bfd46cc250979b88 ] + +snd_ctl_remove() has to be called with card->controls_rwsem held (when +called after the card instantiation). This patch add the missing +rwsem calls around it. + +Fixes: a8ff48cb7083 ("ALSA: pcm: Free chmap at PCM free callback, too") +Link: https://lore.kernel.org/r/20211116071314.15065-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/pcm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/sound/core/pcm.c b/sound/core/pcm.c +index 41cbdac5b1cfa..a8ae5928decda 100644 +--- a/sound/core/pcm.c ++++ b/sound/core/pcm.c +@@ -810,7 +810,11 @@ EXPORT_SYMBOL(snd_pcm_new_internal); + static void free_chmap(struct snd_pcm_str *pstr) + { + if (pstr->chmap_kctl) { +- snd_ctl_remove(pstr->pcm->card, pstr->chmap_kctl); ++ struct snd_card *card = pstr->pcm->card; ++ ++ down_write(&card->controls_rwsem); ++ snd_ctl_remove(card, pstr->chmap_kctl); ++ up_write(&card->controls_rwsem); + pstr->chmap_kctl = NULL; + } + } +-- +2.34.1 + diff --git a/queue-5.10/alsa-seq-set-upper-limit-of-processed-events.patch b/queue-5.10/alsa-seq-set-upper-limit-of-processed-events.patch new file mode 100644 index 00000000000..df41e280544 --- /dev/null +++ b/queue-5.10/alsa-seq-set-upper-limit-of-processed-events.patch @@ -0,0 +1,87 @@ +From 08a024018e5190c7de4b9f553fd985769a397022 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Dec 2021 17:51:46 +0100 +Subject: ALSA: seq: Set upper limit of processed events + +From: Takashi Iwai + +[ Upstream commit 6fadb494a638d8b8a55864ecc6ac58194f03f327 ] + +Currently ALSA sequencer core tries to process the queued events as +much as possible when they become dispatchable. If applications try +to queue too massive events to be processed at the very same timing, +the sequencer core would still try to process such all events, either +in the interrupt context or via some notifier; in either away, it +might be a cause of RCU stall or such problems. + +As a potential workaround for those problems, this patch adds the +upper limit of the amount of events to be processed. The remaining +events are processed in the next batch, so they won't be lost. + +For the time being, it's limited up to 1000 events per queue, which +should be high enough for any normal usages. + +Reported-by: Zqiang +Reported-by: syzbot+bb950e68b400ab4f65f8@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20211102033222.3849-1-qiang.zhang1211@gmail.com +Link: https://lore.kernel.org/r/20211207165146.2888-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/seq_queue.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c +index 71a6ea62c3be7..4ff0b927230c2 100644 +--- a/sound/core/seq/seq_queue.c ++++ b/sound/core/seq/seq_queue.c +@@ -234,12 +234,15 @@ struct snd_seq_queue *snd_seq_queue_find_name(char *name) + + /* -------------------------------------------------------- */ + ++#define MAX_CELL_PROCESSES_IN_QUEUE 1000 ++ + void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop) + { + unsigned long flags; + struct snd_seq_event_cell *cell; + snd_seq_tick_time_t cur_tick; + snd_seq_real_time_t cur_time; ++ int processed = 0; + + if (q == NULL) + return; +@@ -262,6 +265,8 @@ void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop) + if (!cell) + break; + snd_seq_dispatch_event(cell, atomic, hop); ++ if (++processed >= MAX_CELL_PROCESSES_IN_QUEUE) ++ goto out; /* the rest processed at the next batch */ + } + + /* Process time queue... */ +@@ -271,14 +276,19 @@ void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop) + if (!cell) + break; + snd_seq_dispatch_event(cell, atomic, hop); ++ if (++processed >= MAX_CELL_PROCESSES_IN_QUEUE) ++ goto out; /* the rest processed at the next batch */ + } + ++ out: + /* free lock */ + spin_lock_irqsave(&q->check_lock, flags); + if (q->check_again) { + q->check_again = 0; +- spin_unlock_irqrestore(&q->check_lock, flags); +- goto __again; ++ if (processed < MAX_CELL_PROCESSES_IN_QUEUE) { ++ spin_unlock_irqrestore(&q->check_lock, flags); ++ goto __again; ++ } + } + q->check_blocked = 0; + spin_unlock_irqrestore(&q->check_lock, flags); +-- +2.34.1 + diff --git a/queue-5.10/alsa-usb-audio-drop-superfluous-0-in-presonus-studio.patch b/queue-5.10/alsa-usb-audio-drop-superfluous-0-in-presonus-studio.patch new file mode 100644 index 00000000000..65cbe85bda5 --- /dev/null +++ b/queue-5.10/alsa-usb-audio-drop-superfluous-0-in-presonus-studio.patch @@ -0,0 +1,64 @@ +From ed3853b4e66585a6a73958d4cd5c907ad3635bef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Dec 2021 09:38:33 +0100 +Subject: ALSA: usb-audio: Drop superfluous '0' in Presonus Studio 1810c's ID + +From: Takashi Iwai + +[ Upstream commit 1e583aef12aa74afd37c1418255cc4b74e023236 ] + +The vendor ID of Presonus Studio 1810c had a superfluous '0' in its +USB ID. Drop it. + +Fixes: 8dc5efe3d17c ("ALSA: usb-audio: Add support for Presonus Studio 1810c") +Link: https://lore.kernel.org/r/20211202083833.17784-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/format.c | 2 +- + sound/usb/mixer_quirks.c | 2 +- + sound/usb/quirks.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/usb/format.c b/sound/usb/format.c +index 4693384db0695..e8a63ea2189d1 100644 +--- a/sound/usb/format.c ++++ b/sound/usb/format.c +@@ -365,7 +365,7 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip, + for (rate = min; rate <= max; rate += res) { + + /* Filter out invalid rates on Presonus Studio 1810c */ +- if (chip->usb_id == USB_ID(0x0194f, 0x010c) && ++ if (chip->usb_id == USB_ID(0x194f, 0x010c) && + !s1810c_valid_sample_rate(fp, rate)) + goto skip_rate; + +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c +index 8297117f4766e..86fdd669f3fd7 100644 +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -3033,7 +3033,7 @@ int snd_usb_mixer_apply_create_quirk(struct usb_mixer_interface *mixer) + err = snd_rme_controls_create(mixer); + break; + +- case USB_ID(0x0194f, 0x010c): /* Presonus Studio 1810c */ ++ case USB_ID(0x194f, 0x010c): /* Presonus Studio 1810c */ + err = snd_sc1810_init_mixer(mixer); + break; + case USB_ID(0x2a39, 0x3fb0): /* RME Babyface Pro FS */ +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 75d4d317b34b6..6333a2ecb848a 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1310,7 +1310,7 @@ int snd_usb_apply_interface_quirk(struct snd_usb_audio *chip, + if (chip->usb_id == USB_ID(0x0763, 0x2012)) + return fasttrackpro_skip_setting_quirk(chip, iface, altno); + /* presonus studio 1810c: skip altsets incompatible with device_setup */ +- if (chip->usb_id == USB_ID(0x0194f, 0x010c)) ++ if (chip->usb_id == USB_ID(0x194f, 0x010c)) + return s1810c_skip_setting_quirk(chip, iface, altno); + + +-- +2.34.1 + diff --git a/queue-5.10/alsa-usb-audio-fix-db-level-of-bose-revolve-soundlin.patch b/queue-5.10/alsa-usb-audio-fix-db-level-of-bose-revolve-soundlin.patch new file mode 100644 index 00000000000..f3fc4488a9a --- /dev/null +++ b/queue-5.10/alsa-usb-audio-fix-db-level-of-bose-revolve-soundlin.patch @@ -0,0 +1,57 @@ +From c099882669f5b46b5314444229371ccf01d5cbe8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Nov 2021 07:54:15 +0100 +Subject: ALSA: usb-audio: Fix dB level of Bose Revolve+ SoundLink + +From: Takashi Iwai + +[ Upstream commit 02eb1d098e26f34c8f047b0b1cee6f4433a34bd1 ] + +Bose Revolve+ SoundLink (0a57:40fa) advertises invalid dB level for +the speaker volume. This patch provides the correction in the mixer +map quirk table entry. + +Note that this requires the prerequisite change to add min_mute flag +to the dB map table. + +BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1192375 +Link: https://lore.kernel.org/r/20211116065415.11159-4-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer_maps.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/sound/usb/mixer_maps.c b/sound/usb/mixer_maps.c +index 8f6823df944ff..01a30968e7e1f 100644 +--- a/sound/usb/mixer_maps.c ++++ b/sound/usb/mixer_maps.c +@@ -337,6 +337,13 @@ static const struct usbmix_name_map bose_companion5_map[] = { + { 0 } /* terminator */ + }; + ++/* Bose Revolve+ SoundLink, correction of dB maps */ ++static const struct usbmix_dB_map bose_soundlink_dB = {-8283, -0, true}; ++static const struct usbmix_name_map bose_soundlink_map[] = { ++ { 2, NULL, .dB = &bose_soundlink_dB }, ++ { 0 } /* terminator */ ++}; ++ + /* Sennheiser Communications Headset [PC 8], the dB value is reported as -6 negative maximum */ + static const struct usbmix_dB_map sennheiser_pc8_dB = {-9500, 0}; + static const struct usbmix_name_map sennheiser_pc8_map[] = { +@@ -551,6 +558,11 @@ static const struct usbmix_ctl_map usbmix_ctl_maps[] = { + .id = USB_ID(0x05a7, 0x1020), + .map = bose_companion5_map, + }, ++ { ++ /* Bose Revolve+ SoundLink */ ++ .id = USB_ID(0x05a7, 0x40fa), ++ .map = bose_soundlink_map, ++ }, + { + /* Corsair Virtuoso SE (wired mode) */ + .id = USB_ID(0x1b1c, 0x0a3d), +-- +2.34.1 + diff --git a/queue-5.10/amdgpu-pm-make-sysfs-pm-attributes-as-read-only-for-.patch b/queue-5.10/amdgpu-pm-make-sysfs-pm-attributes-as-read-only-for-.patch new file mode 100644 index 00000000000..a927a34a4d1 --- /dev/null +++ b/queue-5.10/amdgpu-pm-make-sysfs-pm-attributes-as-read-only-for-.patch @@ -0,0 +1,55 @@ +From af7fe2d12c6487f37d44f1e2cb531defefbe8c02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Dec 2021 20:57:53 +0800 +Subject: amdgpu/pm: Make sysfs pm attributes as read-only for VFs + +From: Marina Nikolic + +[ Upstream commit 11c9cc95f818f0f187e9b579a7f136f532b42445 ] + +== Description == +Setting values of pm attributes through sysfs +should not be allowed in SRIOV mode. +These calls will not be processed by FW anyway, +but error handling on sysfs level should be improved. + +== Changes == +This patch prohibits performing of all set commands +in SRIOV mode on sysfs level. +It offers better error handling as calls that are +not allowed will not be propagated further. + +== Test == +Writing to any sysfs file in passthrough mode will succeed. +Writing to any sysfs file in ONEVF mode will yield error: +"calling process does not have sufficient permission to execute a command". + +Signed-off-by: Marina Nikolic +Acked-by: Evan Quan +Reviewed-by: Lijo Lazar +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/amdgpu_pm.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/amd/pm/amdgpu_pm.c b/drivers/gpu/drm/amd/pm/amdgpu_pm.c +index 9f383b9041d28..49109614510b8 100644 +--- a/drivers/gpu/drm/amd/pm/amdgpu_pm.c ++++ b/drivers/gpu/drm/amd/pm/amdgpu_pm.c +@@ -2098,6 +2098,12 @@ static int default_attr_update(struct amdgpu_device *adev, struct amdgpu_device_ + } + } + ++ /* setting should not be allowed from VF */ ++ if (amdgpu_sriov_vf(adev)) { ++ dev_attr->attr.mode &= ~S_IWUGO; ++ dev_attr->store = NULL; ++ } ++ + #undef DEVICE_ATTR_IS + + return 0; +-- +2.34.1 + diff --git a/queue-5.10/ar5523-fix-null-ptr-deref-with-unexpected-wdcmsg_tar.patch b/queue-5.10/ar5523-fix-null-ptr-deref-with-unexpected-wdcmsg_tar.patch new file mode 100644 index 00000000000..ea4ba30c104 --- /dev/null +++ b/queue-5.10/ar5523-fix-null-ptr-deref-with-unexpected-wdcmsg_tar.patch @@ -0,0 +1,63 @@ +From dbaabd7796f97487f3849855abc43cf43652fd86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 18:37:49 -0400 +Subject: ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply + +From: Zekun Shen + +[ Upstream commit ae80b6033834342601e99f74f6a62ff5092b1cee ] + +Unexpected WDCMSG_TARGET_START replay can lead to null-ptr-deref +when ar->tx_cmd->odata is NULL. The patch adds a null check to +prevent such case. + +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + ar5523_cmd+0x46a/0x581 [ar5523] + ar5523_probe.cold+0x1b7/0x18da [ar5523] + ? ar5523_cmd_rx_cb+0x7a0/0x7a0 [ar5523] + ? __pm_runtime_set_status+0x54a/0x8f0 + ? _raw_spin_trylock_bh+0x120/0x120 + ? pm_runtime_barrier+0x220/0x220 + ? __pm_runtime_resume+0xb1/0xf0 + usb_probe_interface+0x25b/0x710 + really_probe+0x209/0x5d0 + driver_probe_device+0xc6/0x1b0 + device_driver_attach+0xe2/0x120 + +I found the bug using a custome USBFuzz port. It's a research work +to fuzz USB stack/drivers. I modified it to fuzz ath9k driver only, +providing hand-crafted usb descriptors to QEMU. + +After fixing the code (fourth byte in usb packet) to WDCMSG_TARGET_START, +I got the null-ptr-deref bug. I believe the bug is triggerable whenever +cmd->odata is NULL. After patching, I tested with the same input and no +longer see the KASAN report. + +This was NOT tested on a real device. + +Signed-off-by: Zekun Shen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/YXsmPQ3awHFLuAj2@10-18-43-117.dynapool.wireless.nyu.edu +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ar5523/ar5523.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c +index 49cc4b7ed5163..1baec4b412c8d 100644 +--- a/drivers/net/wireless/ath/ar5523/ar5523.c ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c +@@ -153,6 +153,10 @@ static void ar5523_cmd_rx_cb(struct urb *urb) + ar5523_err(ar, "Invalid reply to WDCMSG_TARGET_START"); + return; + } ++ if (!cmd->odata) { ++ ar5523_err(ar, "Unexpected WDCMSG_TARGET_START reply"); ++ return; ++ } + memcpy(cmd->odata, hdr + 1, sizeof(u32)); + cmd->olen = sizeof(u32); + cmd->res = 0; +-- +2.34.1 + diff --git a/queue-5.10/arm-9159-1-decompressor-avoid-unpredictable-nop-enco.patch b/queue-5.10/arm-9159-1-decompressor-avoid-unpredictable-nop-enco.patch new file mode 100644 index 00000000000..e4800203462 --- /dev/null +++ b/queue-5.10/arm-9159-1-decompressor-avoid-unpredictable-nop-enco.patch @@ -0,0 +1,100 @@ +From 76eeedf91c3ceb21b12e94105ce379f6b97e4ca7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Nov 2021 16:28:43 +0100 +Subject: ARM: 9159/1: decompressor: Avoid UNPREDICTABLE NOP encoding + +From: Andre Przywara + +[ Upstream commit a92882a4d270fbcc021ee6848de5e48b7f0d27f3 ] + +In the decompressor's head.S we need to start with an instruction that +is some kind of NOP, but also mimics as the PE/COFF header, when the +kernel is linked as an UEFI application. The clever solution here is +"tstne r0, #0x4d000", which in the worst case just clobbers the +condition flags, and bears the magic "MZ" signature in the lowest 16 bits. + +However the encoding used (0x13105a4d) is actually not valid, since bits +[15:12] are supposed to be 0 (written as "(0)" in the ARM ARM). +Violating this is UNPREDICTABLE, and *can* trigger an UNDEFINED +exception. Common Cortex cores seem to ignore those bits, but QEMU +chooses to trap, so the code goes fishing because of a missing exception +handler at this point. We are just saved by the fact that commonly (with +-kernel or when running from U-Boot) the "Z" bit is set, so the +instruction is never executed. See [0] for more details. + +To make things more robust and avoid UNPREDICTABLE behaviour in the +kernel code, lets replace this with a "two-instruction NOP": +The first instruction is an exclusive OR, the effect of which the second +instruction reverts. This does not leave any trace, neither in a +register nor in the condition flags. Also it's a perfectly valid +encoding. Kudos to Peter Maydell for coming up with this gem. + +[0] https://lore.kernel.org/qemu-devel/YTPIdbUCmwagL5%2FD@os.inf.tu-dresden.de/T/ + +Link: https://lore.kernel.org/linux-arm-kernel/20210908162617.104962-1-andre.przywara@arm.com/T/ + +Fixes: 81a0bc39ea19 ("ARM: add UEFI stub support") +Signed-off-by: Andre Przywara +Reported-by: Adam Lackorzynski +Suggested-by: Peter Maydell +Reviewed-by: Ard Biesheuvel +Reviewed-by: Linus Walleij +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/boot/compressed/efi-header.S | 22 ++++++++++++++-------- + arch/arm/boot/compressed/head.S | 3 ++- + 2 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/arch/arm/boot/compressed/efi-header.S b/arch/arm/boot/compressed/efi-header.S +index c0e7a745103e2..230030c130853 100644 +--- a/arch/arm/boot/compressed/efi-header.S ++++ b/arch/arm/boot/compressed/efi-header.S +@@ -9,16 +9,22 @@ + #include + + .macro __nop +-#ifdef CONFIG_EFI_STUB +- @ This is almost but not quite a NOP, since it does clobber the +- @ condition flags. But it is the best we can do for EFI, since +- @ PE/COFF expects the magic string "MZ" at offset 0, while the +- @ ARM/Linux boot protocol expects an executable instruction +- @ there. +- .inst MZ_MAGIC | (0x1310 << 16) @ tstne r0, #0x4d000 +-#else + AR_CLASS( mov r0, r0 ) + M_CLASS( nop.w ) ++ .endm ++ ++ .macro __initial_nops ++#ifdef CONFIG_EFI_STUB ++ @ This is a two-instruction NOP, which happens to bear the ++ @ PE/COFF signature "MZ" in the first two bytes, so the kernel ++ @ is accepted as an EFI binary. Booting via the UEFI stub ++ @ will not execute those instructions, but the ARM/Linux ++ @ boot protocol does, so we need some NOPs here. ++ .inst MZ_MAGIC | (0xe225 << 16) @ eor r5, r5, 0x4d000 ++ eor r5, r5, 0x4d000 @ undo previous insn ++#else ++ __nop ++ __nop + #endif + .endm + +diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S +index 247ce90559901..7a38c63b62bf0 100644 +--- a/arch/arm/boot/compressed/head.S ++++ b/arch/arm/boot/compressed/head.S +@@ -190,7 +190,8 @@ start: + * were patching the initial instructions of the kernel, i.e + * had started to exploit this "patch area". + */ +- .rept 7 ++ __initial_nops ++ .rept 5 + __nop + .endr + #ifndef CONFIG_THUMB2_KERNEL +-- +2.34.1 + diff --git a/queue-5.10/arm-dts-armada-38x-add-generic-compatible-to-uart-no.patch b/queue-5.10/arm-dts-armada-38x-add-generic-compatible-to-uart-no.patch new file mode 100644 index 00000000000..a74c83f32b8 --- /dev/null +++ b/queue-5.10/arm-dts-armada-38x-add-generic-compatible-to-uart-no.patch @@ -0,0 +1,51 @@ +From e0875c78586cabc7d3fe8084846d821f81318284 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Nov 2021 17:46:04 +0100 +Subject: ARM: dts: armada-38x: Add generic compatible to UART nodes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit 62480772263ab6b52e758f2346c70a526abd1d28 ] + +Add generic compatible string "ns16550a" to serial port nodes of Armada +38x. + +This makes it possible to use earlycon. + +Fixes: 0d3d96ab0059 ("ARM: mvebu: add Device Tree description of the Armada 380/385 SoCs") +Signed-off-by: Pali Rohár +Signed-off-by: Marek Behún +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/armada-38x.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/armada-38x.dtsi b/arch/arm/boot/dts/armada-38x.dtsi +index 9b1a24cc5e91f..df3c8d1d8f641 100644 +--- a/arch/arm/boot/dts/armada-38x.dtsi ++++ b/arch/arm/boot/dts/armada-38x.dtsi +@@ -168,7 +168,7 @@ + }; + + uart0: serial@12000 { +- compatible = "marvell,armada-38x-uart"; ++ compatible = "marvell,armada-38x-uart", "ns16550a"; + reg = <0x12000 0x100>; + reg-shift = <2>; + interrupts = ; +@@ -178,7 +178,7 @@ + }; + + uart1: serial@12100 { +- compatible = "marvell,armada-38x-uart"; ++ compatible = "marvell,armada-38x-uart", "ns16550a"; + reg = <0x12100 0x100>; + reg-shift = <2>; + interrupts = ; +-- +2.34.1 + diff --git a/queue-5.10/arm-dts-gemini-nas4220-b-fis-index-block-with-128-ki.patch b/queue-5.10/arm-dts-gemini-nas4220-b-fis-index-block-with-128-ki.patch new file mode 100644 index 00000000000..ccbc3f341ca --- /dev/null +++ b/queue-5.10/arm-dts-gemini-nas4220-b-fis-index-block-with-128-ki.patch @@ -0,0 +1,65 @@ +From c1aebd449644c5ddc66818c263594c658453c27e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Dec 2021 01:43:34 +0100 +Subject: ARM: dts: gemini: NAS4220-B: fis-index-block with 128 KiB sectors + +From: Christian Lamparter + +[ Upstream commit 4754eab7e5a78bdefe7a960c5c260c95ebbb5fa6 ] + +Steven Maddox reported in the OpenWrt bugzilla, that his +RaidSonic IB-NAS4220-B was no longer booting with the new +OpenWrt 21.02 (uses linux 5.10's device-tree). However, it was +working with the previous OpenWrt 19.07 series (uses 4.14). + +|[ 5.548038] No RedBoot partition table detected in 30000000.flash +|[ 5.618553] Searching for RedBoot partition table in 30000000.flash at offset 0x0 +|[ 5.739093] No RedBoot partition table detected in 30000000.flash +|... +|[ 7.039504] Waiting for root device /dev/mtdblock3... + +The provided bootlog shows that the RedBoot partition parser was +looking for the partition table "at offset 0x0". Which is strange +since the comment in the device-tree says it should be at 0xfe0000. + +Further digging on the internet led to a review site that took +some useful PCB pictures of their review unit back in February 2009. +Their picture shows a Spansion S29GL128N11TFI01 flash chip. + +>From Spansion's Datasheet: +"S29GL128N: One hundred twenty-eight 64 Kword (128 Kbyte) sectors" +Steven also provided a "cat /sys/class/mtd/mtd0/erasesize" from his +unit: "131072". + +With the 128 KiB Sector/Erasesize in mind. This patch changes the +fis-index-block property to (0xfe0000 / 0x20000) = 0x7f. + +Fixes: b5a923f8c739 ("ARM: dts: gemini: Switch to redboot partition parsing") +Reported-by: Steven Maddox +Signed-off-by: Christian Lamparter +Signed-off-by: Linus Walleij +Tested-by: Steven Maddox +Link: https://lore.kernel.org/r/20211206004334.4169408-1-linus.walleij@linaro.org' +Bugzilla: https://bugs.openwrt.org/index.php?do=details&task_id=4137 +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/gemini-nas4220b.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/gemini-nas4220b.dts b/arch/arm/boot/dts/gemini-nas4220b.dts +index 13112a8a5dd88..6544c730340fa 100644 +--- a/arch/arm/boot/dts/gemini-nas4220b.dts ++++ b/arch/arm/boot/dts/gemini-nas4220b.dts +@@ -84,7 +84,7 @@ + partitions { + compatible = "redboot-fis"; + /* Eraseblock at 0xfe0000 */ +- fis-index-block = <0x1fc>; ++ fis-index-block = <0x7f>; + }; + }; + +-- +2.34.1 + diff --git a/queue-5.10/arm-dts-omap3-n900-fix-lp5523-for-multi-color.patch b/queue-5.10/arm-dts-omap3-n900-fix-lp5523-for-multi-color.patch new file mode 100644 index 00000000000..0533bfe5395 --- /dev/null +++ b/queue-5.10/arm-dts-omap3-n900-fix-lp5523-for-multi-color.patch @@ -0,0 +1,141 @@ +From 87f41512e1f9017602ec7949b6cee073de0e77d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Dec 2021 23:40:06 +0100 +Subject: ARM: dts: omap3-n900: Fix lp5523 for multi color + +From: Sicelo A. Mhlongo + +[ Upstream commit e9af026a3b24f59d7af4609f73e0ef60a4d6d516 ] + +Since the LED multicolor framework support was added in commit +92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx") +LEDs on this platform stopped working. + +Fixes: 92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx") +Fixes: ac219bf3c9bd ("leds: lp55xx: Convert to use GPIO descriptors") +Signed-off-by: Merlijn Wajer +Signed-off-by: Sicelo A. Mhlongo +Signed-off-by: Pavel Machek +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/omap3-n900.dts | 50 +++++++++++++++++++++++++------- + 1 file changed, 40 insertions(+), 10 deletions(-) + +diff --git a/arch/arm/boot/dts/omap3-n900.dts b/arch/arm/boot/dts/omap3-n900.dts +index 32335d4ce478b..d40c3d2c4914e 100644 +--- a/arch/arm/boot/dts/omap3-n900.dts ++++ b/arch/arm/boot/dts/omap3-n900.dts +@@ -8,6 +8,7 @@ + + #include "omap34xx.dtsi" + #include ++#include + + /* + * Default secure signed bootloader (Nokia X-Loader) does not enable L3 firewall +@@ -630,63 +631,92 @@ + }; + + lp5523: lp5523@32 { ++ #address-cells = <1>; ++ #size-cells = <0>; + compatible = "national,lp5523"; + reg = <0x32>; + clock-mode = /bits/ 8 <0>; /* LP55XX_CLOCK_AUTO */ +- enable-gpio = <&gpio2 9 GPIO_ACTIVE_HIGH>; /* 41 */ ++ enable-gpios = <&gpio2 9 GPIO_ACTIVE_HIGH>; /* 41 */ + +- chan0 { ++ led@0 { ++ reg = <0>; + chan-name = "lp5523:kb1"; + led-cur = /bits/ 8 <50>; + max-cur = /bits/ 8 <100>; ++ color = ; ++ function = LED_FUNCTION_KBD_BACKLIGHT; + }; + +- chan1 { ++ led@1 { ++ reg = <1>; + chan-name = "lp5523:kb2"; + led-cur = /bits/ 8 <50>; + max-cur = /bits/ 8 <100>; ++ color = ; ++ function = LED_FUNCTION_KBD_BACKLIGHT; + }; + +- chan2 { ++ led@2 { ++ reg = <2>; + chan-name = "lp5523:kb3"; + led-cur = /bits/ 8 <50>; + max-cur = /bits/ 8 <100>; ++ color = ; ++ function = LED_FUNCTION_KBD_BACKLIGHT; + }; + +- chan3 { ++ led@3 { ++ reg = <3>; + chan-name = "lp5523:kb4"; + led-cur = /bits/ 8 <50>; + max-cur = /bits/ 8 <100>; ++ color = ; ++ function = LED_FUNCTION_KBD_BACKLIGHT; + }; + +- chan4 { ++ led@4 { ++ reg = <4>; + chan-name = "lp5523:b"; + led-cur = /bits/ 8 <50>; + max-cur = /bits/ 8 <100>; ++ color = ; ++ function = LED_FUNCTION_STATUS; + }; + +- chan5 { ++ led@5 { ++ reg = <5>; + chan-name = "lp5523:g"; + led-cur = /bits/ 8 <50>; + max-cur = /bits/ 8 <100>; ++ color = ; ++ function = LED_FUNCTION_STATUS; + }; + +- chan6 { ++ led@6 { ++ reg = <6>; + chan-name = "lp5523:r"; + led-cur = /bits/ 8 <50>; + max-cur = /bits/ 8 <100>; ++ color = ; ++ function = LED_FUNCTION_STATUS; + }; + +- chan7 { ++ led@7 { ++ reg = <7>; + chan-name = "lp5523:kb5"; + led-cur = /bits/ 8 <50>; + max-cur = /bits/ 8 <100>; ++ color = ; ++ function = LED_FUNCTION_KBD_BACKLIGHT; + }; + +- chan8 { ++ led@8 { ++ reg = <8>; + chan-name = "lp5523:kb6"; + led-cur = /bits/ 8 <50>; + max-cur = /bits/ 8 <100>; ++ color = ; ++ function = LED_FUNCTION_KBD_BACKLIGHT; + }; + }; + +-- +2.34.1 + diff --git a/queue-5.10/arm-dts-stm32-fix-dtbs_check-warning-on-ili9341-dts-.patch b/queue-5.10/arm-dts-stm32-fix-dtbs_check-warning-on-ili9341-dts-.patch new file mode 100644 index 00000000000..fe7ecf7bf8d --- /dev/null +++ b/queue-5.10/arm-dts-stm32-fix-dtbs_check-warning-on-ili9341-dts-.patch @@ -0,0 +1,44 @@ +From 8f489055545240202d5579a25653e88be855d2bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Jul 2021 11:44:02 +0800 +Subject: ARM: dts: stm32: fix dtbs_check warning on ili9341 dts binding on + stm32f429 disco + +From: Dillon Min + +[ Upstream commit b046049e59dca5e5830dc75ed16acf7657a95161 ] + +Since the compatible string defined from ilitek,ili9341.yaml is +"st,sf-tc240t-9370-t", "ilitek,ili9341" + +so, append "ilitek,ili9341" to avoid the below dtbs_check warning. + +arch/arm/boot/dts/stm32f429-disco.dt.yaml: display@1: compatible: +['st,sf-tc240t-9370-t'] is too short + +Fixes: a726e2f000ec ("ARM: dts: stm32: enable ltdc binding with ili9341, gyro l3gd20 on stm32429-disco board") +Signed-off-by: Dillon Min +Reported-by: kernel test robot +Reviewed-by: Linus Walleij +Signed-off-by: Alexandre Torgue +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/stm32f429-disco.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/stm32f429-disco.dts b/arch/arm/boot/dts/stm32f429-disco.dts +index 075ac57d0bf4a..6435e099c6326 100644 +--- a/arch/arm/boot/dts/stm32f429-disco.dts ++++ b/arch/arm/boot/dts/stm32f429-disco.dts +@@ -192,7 +192,7 @@ + + display: display@1{ + /* Connect panel-ilitek-9341 to ltdc */ +- compatible = "st,sf-tc240t-9370-t"; ++ compatible = "st,sf-tc240t-9370-t", "ilitek,ili9341"; + reg = <1>; + spi-3wire; + spi-max-frequency = <10000000>; +-- +2.34.1 + diff --git a/queue-5.10/arm-imx-rename-debug_imx21_imx27_uart-to-debug_imx27.patch b/queue-5.10/arm-imx-rename-debug_imx21_imx27_uart-to-debug_imx27.patch new file mode 100644 index 00000000000..da93294d358 --- /dev/null +++ b/queue-5.10/arm-imx-rename-debug_imx21_imx27_uart-to-debug_imx27.patch @@ -0,0 +1,121 @@ +From 467719fea5cf492457a3eacd2861887cfeb941bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 16:19:33 +0200 +Subject: ARM: imx: rename DEBUG_IMX21_IMX27_UART to DEBUG_IMX27_UART + +From: Lukas Bulwahn + +[ Upstream commit b0100bce4ff82ec1ccd3c1f3d339fd2df6a81784 ] + +Since commit 4b563a066611 ("ARM: imx: Remove imx21 support"), the config +DEBUG_IMX21_IMX27_UART is really only debug support for IMX27. + +So, rename this option to DEBUG_IMX27_UART and adjust dependencies in +Kconfig and rename the definitions to IMX27 as further clean-up. + +This issue was discovered with ./scripts/checkkconfigsymbols.py, which +reported that DEBUG_IMX21_IMX27_UART depends on the non-existing config +SOC_IMX21. + +Signed-off-by: Lukas Bulwahn +Reviewed-by: Arnd Bergmann +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/Kconfig.debug | 14 +++++++------- + arch/arm/include/debug/imx-uart.h | 18 +++++++++--------- + 2 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug +index 8986a91a6f31b..dd1cf70353986 100644 +--- a/arch/arm/Kconfig.debug ++++ b/arch/arm/Kconfig.debug +@@ -400,12 +400,12 @@ choice + Say Y here if you want kernel low-level debugging support + on i.MX25. + +- config DEBUG_IMX21_IMX27_UART +- bool "i.MX21 and i.MX27 Debug UART" +- depends on SOC_IMX21 || SOC_IMX27 ++ config DEBUG_IMX27_UART ++ bool "i.MX27 Debug UART" ++ depends on SOC_IMX27 + help + Say Y here if you want kernel low-level debugging support +- on i.MX21 or i.MX27. ++ on i.MX27. + + config DEBUG_IMX28_UART + bool "i.MX28 Debug UART" +@@ -1523,7 +1523,7 @@ config DEBUG_IMX_UART_PORT + int "i.MX Debug UART Port Selection" + depends on DEBUG_IMX1_UART || \ + DEBUG_IMX25_UART || \ +- DEBUG_IMX21_IMX27_UART || \ ++ DEBUG_IMX27_UART || \ + DEBUG_IMX31_UART || \ + DEBUG_IMX35_UART || \ + DEBUG_IMX50_UART || \ +@@ -1591,12 +1591,12 @@ config DEBUG_LL_INCLUDE + default "debug/icedcc.S" if DEBUG_ICEDCC + default "debug/imx.S" if DEBUG_IMX1_UART || \ + DEBUG_IMX25_UART || \ +- DEBUG_IMX21_IMX27_UART || \ ++ DEBUG_IMX27_UART || \ + DEBUG_IMX31_UART || \ + DEBUG_IMX35_UART || \ + DEBUG_IMX50_UART || \ + DEBUG_IMX51_UART || \ +- DEBUG_IMX53_UART ||\ ++ DEBUG_IMX53_UART || \ + DEBUG_IMX6Q_UART || \ + DEBUG_IMX6SL_UART || \ + DEBUG_IMX6SX_UART || \ +diff --git a/arch/arm/include/debug/imx-uart.h b/arch/arm/include/debug/imx-uart.h +index c8eb83d4b8964..3edbb3c5b42bf 100644 +--- a/arch/arm/include/debug/imx-uart.h ++++ b/arch/arm/include/debug/imx-uart.h +@@ -11,13 +11,6 @@ + #define IMX1_UART_BASE_ADDR(n) IMX1_UART##n##_BASE_ADDR + #define IMX1_UART_BASE(n) IMX1_UART_BASE_ADDR(n) + +-#define IMX21_UART1_BASE_ADDR 0x1000a000 +-#define IMX21_UART2_BASE_ADDR 0x1000b000 +-#define IMX21_UART3_BASE_ADDR 0x1000c000 +-#define IMX21_UART4_BASE_ADDR 0x1000d000 +-#define IMX21_UART_BASE_ADDR(n) IMX21_UART##n##_BASE_ADDR +-#define IMX21_UART_BASE(n) IMX21_UART_BASE_ADDR(n) +- + #define IMX25_UART1_BASE_ADDR 0x43f90000 + #define IMX25_UART2_BASE_ADDR 0x43f94000 + #define IMX25_UART3_BASE_ADDR 0x5000c000 +@@ -26,6 +19,13 @@ + #define IMX25_UART_BASE_ADDR(n) IMX25_UART##n##_BASE_ADDR + #define IMX25_UART_BASE(n) IMX25_UART_BASE_ADDR(n) + ++#define IMX27_UART1_BASE_ADDR 0x1000a000 ++#define IMX27_UART2_BASE_ADDR 0x1000b000 ++#define IMX27_UART3_BASE_ADDR 0x1000c000 ++#define IMX27_UART4_BASE_ADDR 0x1000d000 ++#define IMX27_UART_BASE_ADDR(n) IMX27_UART##n##_BASE_ADDR ++#define IMX27_UART_BASE(n) IMX27_UART_BASE_ADDR(n) ++ + #define IMX31_UART1_BASE_ADDR 0x43f90000 + #define IMX31_UART2_BASE_ADDR 0x43f94000 + #define IMX31_UART3_BASE_ADDR 0x5000c000 +@@ -112,10 +112,10 @@ + + #ifdef CONFIG_DEBUG_IMX1_UART + #define UART_PADDR IMX_DEBUG_UART_BASE(IMX1) +-#elif defined(CONFIG_DEBUG_IMX21_IMX27_UART) +-#define UART_PADDR IMX_DEBUG_UART_BASE(IMX21) + #elif defined(CONFIG_DEBUG_IMX25_UART) + #define UART_PADDR IMX_DEBUG_UART_BASE(IMX25) ++#elif defined(CONFIG_DEBUG_IMX27_UART) ++#define UART_PADDR IMX_DEBUG_UART_BASE(IMX27) + #elif defined(CONFIG_DEBUG_IMX31_UART) + #define UART_PADDR IMX_DEBUG_UART_BASE(IMX31) + #elif defined(CONFIG_DEBUG_IMX35_UART) +-- +2.34.1 + diff --git a/queue-5.10/arm-shmobile-rcar-gen2-add-missing-of_node_put.patch b/queue-5.10/arm-shmobile-rcar-gen2-add-missing-of_node_put.patch new file mode 100644 index 00000000000..553e84352eb --- /dev/null +++ b/queue-5.10/arm-shmobile-rcar-gen2-add-missing-of_node_put.patch @@ -0,0 +1,52 @@ +From d13552a3431ffd37257111e04f851460fb21df79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Oct 2021 21:45:03 -0400 +Subject: ARM: shmobile: rcar-gen2: Add missing of_node_put() + +From: Wan Jiabing + +[ Upstream commit 85744f2d938c5f3cfc44cb6533c157469634da93 ] + +Fix following coccicheck warning: +./arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c:156:1-33: Function +for_each_matching_node_and_match should have of_node_put() before break +and goto. + +Early exits from for_each_matching_node_and_match() should decrement the +node reference counter. + +Signed-off-by: Wan Jiabing +Link: https://lore.kernel.org/r/20211018014503.7598-1-wanjiabing@vivo.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c b/arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c +index ee949255ced3f..09ef73b99dd86 100644 +--- a/arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c ++++ b/arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c +@@ -154,8 +154,10 @@ static int __init rcar_gen2_regulator_quirk(void) + return -ENODEV; + + for_each_matching_node_and_match(np, rcar_gen2_quirk_match, &id) { +- if (!of_device_is_available(np)) ++ if (!of_device_is_available(np)) { ++ of_node_put(np); + break; ++ } + + ret = of_property_read_u32(np, "reg", &addr); + if (ret) /* Skip invalid entry and continue */ +@@ -164,6 +166,7 @@ static int __init rcar_gen2_regulator_quirk(void) + quirk = kzalloc(sizeof(*quirk), GFP_KERNEL); + if (!quirk) { + ret = -ENOMEM; ++ of_node_put(np); + goto err_mem; + } + +-- +2.34.1 + diff --git a/queue-5.10/arm64-clear_page-shouldn-t-use-dc-zva-when-dczid_el0.patch b/queue-5.10/arm64-clear_page-shouldn-t-use-dc-zva-when-dczid_el0.patch new file mode 100644 index 00000000000..2b4ff733e9c --- /dev/null +++ b/queue-5.10/arm64-clear_page-shouldn-t-use-dc-zva-when-dczid_el0.patch @@ -0,0 +1,54 @@ +From 61bb8b104b70f6d25a553d67f1977606718c94b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Dec 2021 16:47:35 -0800 +Subject: arm64: clear_page() shouldn't use DC ZVA when DCZID_EL0.DZP == 1 + +From: Reiji Watanabe + +[ Upstream commit f0616abd4e67143b45b04b565839148458857347 ] + +Currently, clear_page() uses DC ZVA instruction unconditionally. But it +should make sure that DCZID_EL0.DZP, which indicates whether or not use +of DC ZVA instruction is prohibited, is zero when using the instruction. +Use STNP instead when DCZID_EL0.DZP == 1. + +Fixes: f27bb139c387 ("arm64: Miscellaneous library functions") +Signed-off-by: Reiji Watanabe +Reviewed-by: Robin Murphy +Link: https://lore.kernel.org/r/20211206004736.1520989-2-reijiw@google.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/lib/clear_page.S | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/arm64/lib/clear_page.S b/arch/arm64/lib/clear_page.S +index b84b179edba3a..1fd5d790ab800 100644 +--- a/arch/arm64/lib/clear_page.S ++++ b/arch/arm64/lib/clear_page.S +@@ -16,6 +16,7 @@ + */ + SYM_FUNC_START_PI(clear_page) + mrs x1, dczid_el0 ++ tbnz x1, #4, 2f /* Branch if DC ZVA is prohibited */ + and w1, w1, #0xf + mov x2, #4 + lsl x1, x2, x1 +@@ -25,5 +26,14 @@ SYM_FUNC_START_PI(clear_page) + tst x0, #(PAGE_SIZE - 1) + b.ne 1b + ret ++ ++2: stnp xzr, xzr, [x0] ++ stnp xzr, xzr, [x0, #16] ++ stnp xzr, xzr, [x0, #32] ++ stnp xzr, xzr, [x0, #48] ++ add x0, x0, #64 ++ tst x0, #(PAGE_SIZE - 1) ++ b.ne 2b ++ ret + SYM_FUNC_END_PI(clear_page) + EXPORT_SYMBOL(clear_page) +-- +2.34.1 + diff --git a/queue-5.10/arm64-dts-amlogic-fix-spi-nor-flash-node-name-for-od.patch b/queue-5.10/arm64-dts-amlogic-fix-spi-nor-flash-node-name-for-od.patch new file mode 100644 index 00000000000..83960cf55f2 --- /dev/null +++ b/queue-5.10/arm64-dts-amlogic-fix-spi-nor-flash-node-name-for-od.patch @@ -0,0 +1,38 @@ +From 4527d24b662db9cb6964a821d51b225d574de26b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 20:28:13 +0200 +Subject: arm64: dts: amlogic: Fix SPI NOR flash node name for ODROID N2/N2+ + +From: Alexander Stein + +[ Upstream commit 95d35256b564aca33fb661eac77dc94bfcffc8df ] + +Fix the schema warning: "spi-flash@0: $nodename:0: 'spi-flash@0' does + not match '^flash(@.*)?$'" from jedec,spi-nor.yaml + +Fixes: a084eaf3096c ("arm64: dts: meson-g12b-odroid-n2: add SPIFC controller node") +Reviewed-by: Neil Armstrong +Signed-off-by: Alexander Stein +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/20211026182813.900775-3-alexander.stein@mailbox.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi b/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi +index 59b5f39088757..b9b8cd4b5ba9d 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi +@@ -543,7 +543,7 @@ + pinctrl-0 = <&nor_pins>; + pinctrl-names = "default"; + +- mx25u64: spi-flash@0 { ++ mx25u64: flash@0 { + #address-cells = <1>; + #size-cells = <1>; + compatible = "mxicy,mx25u6435f", "jedec,spi-nor"; +-- +2.34.1 + diff --git a/queue-5.10/arm64-dts-amlogic-meson-g12-fix-gpu-operating-point-.patch b/queue-5.10/arm64-dts-amlogic-meson-g12-fix-gpu-operating-point-.patch new file mode 100644 index 00000000000..3aabe4b6bcb --- /dev/null +++ b/queue-5.10/arm64-dts-amlogic-meson-g12-fix-gpu-operating-point-.patch @@ -0,0 +1,43 @@ +From 0cb2a472ebe5762e82e7adb16947d589774e4213 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 20:28:12 +0200 +Subject: arm64: dts: amlogic: meson-g12: Fix GPU operating point table node + name + +From: Alexander Stein + +[ Upstream commit bb98a6fd0b0e227cefb2ba91cea2b55455f203b7 ] + +Starting with commit 94274f20f6bf ("dt-bindings: opp: Convert to DT +schema") the opp node name has a mandatory pattern. This change +fixes the dtbs_check warning: +gpu-opp-table: $nodename:0: 'gpu-opp-table' does not match +'^opp-table(-[a-z0-9]+)?$' +Put the 'gpu' part at the end to match the pattern. + +Fixes: 916a0edc43f0 ("arm64: dts: amlogic: meson-g12: add the Mali OPP table and use DVFS") +Reviewed-by: Neil Armstrong +Signed-off-by: Alexander Stein +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/20211026182813.900775-2-alexander.stein@mailbox.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi b/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi +index 959b299344e54..7342c8a2b322d 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi +@@ -52,7 +52,7 @@ + secure-monitor = <&sm>; + }; + +- gpu_opp_table: gpu-opp-table { ++ gpu_opp_table: opp-table-gpu { + compatible = "operating-points-v2"; + + opp-124999998 { +-- +2.34.1 + diff --git a/queue-5.10/arm64-dts-ls1028a-qds-move-rtc-node-to-the-correct-i.patch b/queue-5.10/arm64-dts-ls1028a-qds-move-rtc-node-to-the-correct-i.patch new file mode 100644 index 00000000000..5c5216c5f9d --- /dev/null +++ b/queue-5.10/arm64-dts-ls1028a-qds-move-rtc-node-to-the-correct-i.patch @@ -0,0 +1,54 @@ +From 7d2eacdef2781d593ae1f74f18b2437f6a364214 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Dec 2021 03:32:38 -0600 +Subject: arm64: dts: ls1028a-qds: move rtc node to the correct i2c bus + +From: Biwen Li + +[ Upstream commit cbe9d948eadfe352ad45495a7cc5bf20a1b29d90 ] + +The i2c rtc is on i2c2 bus not i2c1 bus, so fix it in dts. + +Signed-off-by: Biwen Li +Signed-off-by: Li Yang +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/fsl-ls1028a-qds.dts | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/arch/arm64/boot/dts/freescale/fsl-ls1028a-qds.dts b/arch/arm64/boot/dts/freescale/fsl-ls1028a-qds.dts +index 13cdc958ba3ea..71858c9376c25 100644 +--- a/arch/arm64/boot/dts/freescale/fsl-ls1028a-qds.dts ++++ b/arch/arm64/boot/dts/freescale/fsl-ls1028a-qds.dts +@@ -261,11 +261,6 @@ + vcc-supply = <&sb_3v3>; + }; + +- rtc@51 { +- compatible = "nxp,pcf2129"; +- reg = <0x51>; +- }; +- + eeprom@56 { + compatible = "atmel,24c512"; + reg = <0x56>; +@@ -307,6 +302,15 @@ + + }; + ++&i2c1 { ++ status = "okay"; ++ ++ rtc@51 { ++ compatible = "nxp,pcf2129"; ++ reg = <0x51>; ++ }; ++}; ++ + &enetc_port1 { + phy-handle = <&qds_phy1>; + phy-connection-type = "rgmii-id"; +-- +2.34.1 + diff --git a/queue-5.10/arm64-dts-marvell-cn9130-add-gpio-and-spi-aliases.patch b/queue-5.10/arm64-dts-marvell-cn9130-add-gpio-and-spi-aliases.patch new file mode 100644 index 00000000000..292fb91b692 --- /dev/null +++ b/queue-5.10/arm64-dts-marvell-cn9130-add-gpio-and-spi-aliases.patch @@ -0,0 +1,48 @@ +From e91313a1fa42171d000699b614c5db6281f1e008 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Nov 2021 14:44:02 +0100 +Subject: arm64: dts: marvell: cn9130: add GPIO and SPI aliases + +From: Robert Marko + +[ Upstream commit effd42600b987c1e95f946b14fefc1c7639e7439 ] + +CN9130 has one CP115 built in, which like the CP110 has 2 GPIO and 2 SPI +controllers built-in. + +However, unlike the Armada 7k and 8k the SoC DTSI doesn't add the required +aliases as both the Orion SPI driver and MVEBU GPIO drivers require the +aliases to be present. + +So add the required aliases for GPIO and SPI controllers. + +Fixes: 6b8970bd8d7a ("arm64: dts: marvell: Add support for Marvell CN9130 SoC support") + +Signed-off-by: Robert Marko +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/marvell/cn9130.dtsi | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/arch/arm64/boot/dts/marvell/cn9130.dtsi b/arch/arm64/boot/dts/marvell/cn9130.dtsi +index a2b7e5ec979d3..71769ac7f0585 100644 +--- a/arch/arm64/boot/dts/marvell/cn9130.dtsi ++++ b/arch/arm64/boot/dts/marvell/cn9130.dtsi +@@ -11,6 +11,13 @@ + model = "Marvell Armada CN9130 SoC"; + compatible = "marvell,cn9130", "marvell,armada-ap807-quad", + "marvell,armada-ap807"; ++ ++ aliases { ++ gpio1 = &cp0_gpio1; ++ gpio2 = &cp0_gpio2; ++ spi1 = &cp0_spi0; ++ spi2 = &cp0_spi1; ++ }; + }; + + /* +-- +2.34.1 + diff --git a/queue-5.10/arm64-dts-marvell-cn9130-enable-cp0-gpio-controllers.patch b/queue-5.10/arm64-dts-marvell-cn9130-enable-cp0-gpio-controllers.patch new file mode 100644 index 00000000000..5532d89239f --- /dev/null +++ b/queue-5.10/arm64-dts-marvell-cn9130-enable-cp0-gpio-controllers.patch @@ -0,0 +1,46 @@ +From efe095f452eae2e0d8156d78780b1558c9653762 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Nov 2021 14:44:03 +0100 +Subject: arm64: dts: marvell: cn9130: enable CP0 GPIO controllers + +From: Robert Marko + +[ Upstream commit 0734f8311ce72c9041e5142769eff2083889c172 ] + +CN9130 has a built-in CP115 which has 2 GPIO controllers, but unlike in +Armada 7k and 8k both are left disabled by the SoC DTSI. + +This first of all makes no sense as they are always present due to being +SoC built-in and its an issue as boards like CN9130-CRB use the CPO GPIO2 +pins for regulators and SD card support without enabling them first. + +So, enable both of them like Armada 7k and 8k do. + +Fixes: 6b8970bd8d7a ("arm64: dts: marvell: Add support for Marvell CN9130 SoC support") + +Signed-off-by: Robert Marko +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/marvell/cn9130.dtsi | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/arm64/boot/dts/marvell/cn9130.dtsi b/arch/arm64/boot/dts/marvell/cn9130.dtsi +index 71769ac7f0585..327b04134134f 100644 +--- a/arch/arm64/boot/dts/marvell/cn9130.dtsi ++++ b/arch/arm64/boot/dts/marvell/cn9130.dtsi +@@ -42,3 +42,11 @@ + #undef CP11X_PCIE0_BASE + #undef CP11X_PCIE1_BASE + #undef CP11X_PCIE2_BASE ++ ++&cp0_gpio1 { ++ status = "okay"; ++}; ++ ++&cp0_gpio2 { ++ status = "okay"; ++}; +-- +2.34.1 + diff --git a/queue-5.10/arm64-dts-meson-gxbb-wetek-fix-hdmi-in-early-boot.patch b/queue-5.10/arm64-dts-meson-gxbb-wetek-fix-hdmi-in-early-boot.patch new file mode 100644 index 00000000000..533e4f05fd4 --- /dev/null +++ b/queue-5.10/arm64-dts-meson-gxbb-wetek-fix-hdmi-in-early-boot.patch @@ -0,0 +1,46 @@ +From 908b262647e59d9e97e9dae081b7b163a3caa40b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Oct 2021 05:25:20 +0000 +Subject: arm64: dts: meson-gxbb-wetek: fix HDMI in early boot + +From: Christian Hewitt + +[ Upstream commit 8182a35868db5f053111d5d9d4da8fcb3f99259d ] + +Mark the VDDIO_AO18 regulator always-on and set hdmi-supply for the hdmi_tx +node to ensure HDMI is powered in the early stages of boot. + +Fixes: fb72c03e0e32 ("ARM64: dts: meson-gxbb-wetek: add a wetek specific dtsi to cleanup hub and play2") + +Signed-off-by: Christian Hewitt +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/20211012052522.30873-2-christianshewitt@gmail.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi b/arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi +index a350fee1264d7..8e2af986cebaf 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi +@@ -64,6 +64,7 @@ + regulator-name = "VDDIO_AO18"; + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; ++ regulator-always-on; + }; + + vcc_3v3: regulator-vcc_3v3 { +@@ -161,6 +162,7 @@ + status = "okay"; + pinctrl-0 = <&hdmi_hpd_pins>, <&hdmi_i2c_pins>; + pinctrl-names = "default"; ++ hdmi-supply = <&vddio_ao18>; + }; + + &hdmi_tx_tmds_port { +-- +2.34.1 + diff --git a/queue-5.10/arm64-dts-meson-gxbb-wetek-fix-missing-gpio-binding.patch b/queue-5.10/arm64-dts-meson-gxbb-wetek-fix-missing-gpio-binding.patch new file mode 100644 index 00000000000..056987f5b6b --- /dev/null +++ b/queue-5.10/arm64-dts-meson-gxbb-wetek-fix-missing-gpio-binding.patch @@ -0,0 +1,39 @@ +From 2b8c885196f6cc73dc716a225068dfd44b6e7f70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Oct 2021 05:25:21 +0000 +Subject: arm64: dts: meson-gxbb-wetek: fix missing GPIO binding + +From: Christian Hewitt + +[ Upstream commit c019abb2feba3cbbd7cf7178f8e6499c4fa6fced ] + +The absence of this binding appears to be harmless in Linux but it breaks +Ethernet support in mainline u-boot. So add the binding (which is present +in all other u-boot supported GXBB device-trees). + +Fixes: fb72c03e0e32 ("ARM64: dts: meson-gxbb-wetek: add a wetek specific dtsi to cleanup hub and play2") + +Signed-off-by: Christian Hewitt +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/20211012052522.30873-3-christianshewitt@gmail.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi b/arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi +index 8e2af986cebaf..a4d34398da358 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi +@@ -6,6 +6,7 @@ + */ + + #include "meson-gxbb.dtsi" ++#include + + / { + aliases { +-- +2.34.1 + diff --git a/queue-5.10/arm64-dts-qcom-c630-fix-soundcard-setup.patch b/queue-5.10/arm64-dts-qcom-c630-fix-soundcard-setup.patch new file mode 100644 index 00000000000..9ccad8ea059 --- /dev/null +++ b/queue-5.10/arm64-dts-qcom-c630-fix-soundcard-setup.patch @@ -0,0 +1,89 @@ +From c56f37c8be6a06ec01f87ef0760253a22aa1f42c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Dec 2021 17:53:41 +0000 +Subject: arm64: dts: qcom: c630: Fix soundcard setup + +From: Srinivas Kandagatla + +[ Upstream commit c02b360ca67ebeb9de07b47b2fe53f964c2561d1 ] + +Currently Soundcard has 1 rx device for headset and SoundWire Speaker Playback. + +This setup has issues, ex if we try to play on headset the audio stream is +also sent to SoundWire Speakers and we will hear sound in both headsets and speakers. + +Make a separate device for Speakers and Headset so that the streams are +different and handled properly. + +Fixes: 45021d35fcb2 ("arm64: dts: qcom: c630: Enable audio support") +Signed-off-by: Srinivas Kandagatla +Tested-by: Steev Klimaszewski +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20211209175342.20386-2-srinivas.kandagatla@linaro.org +Signed-off-by: Sasha Levin +--- + .../boot/dts/qcom/sdm850-lenovo-yoga-c630.dts | 27 +++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts b/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts +index ad6561843ba28..e080c317b5e3d 100644 +--- a/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts ++++ b/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts +@@ -365,6 +365,10 @@ + dai@1 { + reg = <1>; + }; ++ ++ dai@2 { ++ reg = <2>; ++ }; + }; + + &sound { +@@ -377,6 +381,7 @@ + "SpkrLeft IN", "SPK1 OUT", + "SpkrRight IN", "SPK2 OUT", + "MM_DL1", "MultiMedia1 Playback", ++ "MM_DL3", "MultiMedia3 Playback", + "MultiMedia2 Capture", "MM_UL2"; + + mm1-dai-link { +@@ -393,6 +398,13 @@ + }; + }; + ++ mm3-dai-link { ++ link-name = "MultiMedia3"; ++ cpu { ++ sound-dai = <&q6asmdai MSM_FRONTEND_DAI_MULTIMEDIA3>; ++ }; ++ }; ++ + slim-dai-link { + link-name = "SLIM Playback"; + cpu { +@@ -422,6 +434,21 @@ + sound-dai = <&wcd9340 1>; + }; + }; ++ ++ slim-wcd-dai-link { ++ link-name = "SLIM WCD Playback"; ++ cpu { ++ sound-dai = <&q6afedai SLIMBUS_1_RX>; ++ }; ++ ++ platform { ++ sound-dai = <&q6routing>; ++ }; ++ ++ codec { ++ sound-dai = <&wcd9340 2>; ++ }; ++ }; + }; + + &tlmm { +-- +2.34.1 + diff --git a/queue-5.10/arm64-dts-qcom-ipq6018-fix-gpio-ranges-property.patch b/queue-5.10/arm64-dts-qcom-ipq6018-fix-gpio-ranges-property.patch new file mode 100644 index 00000000000..ed53c93e096 --- /dev/null +++ b/queue-5.10/arm64-dts-qcom-ipq6018-fix-gpio-ranges-property.patch @@ -0,0 +1,41 @@ +From a29456590af4fb9cff455fb4374dcce2c80bddd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Dec 2021 09:27:10 +0200 +Subject: arm64: dts: qcom: ipq6018: Fix gpio-ranges property + +From: Baruch Siach + +[ Upstream commit 72cb4c48a46a7cfa58eb5842c0d3672ddd5bd9ad ] + +There must be three parameters in gpio-ranges property. Fixes this not +very helpful error message: + + OF: /soc/pinctrl@1000000: (null) = 3 found 3 + +Fixes: 1e8277854b49 ("arm64: dts: Add ipq6018 SoC and CP01 board support") +Cc: Sricharan R +Signed-off-by: Baruch Siach +Tested-by: Bryan O'Donoghue +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/8a744cfd96aff5754bfdcf7298d208ddca5b319a.1638862030.git.baruch@tkos.co.il +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/ipq6018.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/ipq6018.dtsi b/arch/arm64/boot/dts/qcom/ipq6018.dtsi +index 9cb8f7a052df9..2a1f03cdb52c7 100644 +--- a/arch/arm64/boot/dts/qcom/ipq6018.dtsi ++++ b/arch/arm64/boot/dts/qcom/ipq6018.dtsi +@@ -221,7 +221,7 @@ + interrupts = ; + gpio-controller; + #gpio-cells = <2>; +- gpio-ranges = <&tlmm 0 80>; ++ gpio-ranges = <&tlmm 0 0 80>; + interrupt-controller; + #interrupt-cells = <2>; + +-- +2.34.1 + diff --git a/queue-5.10/arm64-dts-qcom-msm8916-fix-mmc-controller-aliases.patch b/queue-5.10/arm64-dts-qcom-msm8916-fix-mmc-controller-aliases.patch new file mode 100644 index 00000000000..15c046414f7 --- /dev/null +++ b/queue-5.10/arm64-dts-qcom-msm8916-fix-mmc-controller-aliases.patch @@ -0,0 +1,40 @@ +From 4326f067557773f304cd1cb6926e2c9b73650628 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 05:05:59 +0300 +Subject: arm64: dts: qcom: msm8916: fix MMC controller aliases + +From: Dmitry Baryshkov + +[ Upstream commit b0293c19d42f6d6951c2fab9a47fed50baf2c14d ] + +Change sdhcN aliases to mmcN to make them actually work. Currently the +board uses non-standard aliases sdhcN, which do not work, resulting in +mmc0 and mmc1 hosts randomly changing indices between boots. + +Fixes: c4da5a561627 ("arm64: dts: qcom: Add msm8916 sdhci configuration nodes") +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20211201020559.1611890-1-dmitry.baryshkov@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi +index b1ffc056eea0b..291276a38d7cd 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi +@@ -18,8 +18,8 @@ + #size-cells = <2>; + + aliases { +- sdhc1 = &sdhc_1; /* SDC1 eMMC slot */ +- sdhc2 = &sdhc_2; /* SDC2 SD card slot */ ++ mmc0 = &sdhc_1; /* SDC1 eMMC slot */ ++ mmc1 = &sdhc_2; /* SDC2 SD card slot */ + }; + + chosen { }; +-- +2.34.1 + diff --git a/queue-5.10/arm64-dts-renesas-cat875-add-rx-tx-delays.patch b/queue-5.10/arm64-dts-renesas-cat875-add-rx-tx-delays.patch new file mode 100644 index 00000000000..e72e715234e --- /dev/null +++ b/queue-5.10/arm64-dts-renesas-cat875-add-rx-tx-delays.patch @@ -0,0 +1,42 @@ +From a880961b1b3a17a17f5f144b381d1fce587c0a05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 14:28:30 +0000 +Subject: arm64: dts: renesas: cat875: Add rx/tx delays + +From: Biju Das + +[ Upstream commit e1a9faddffe7e555304dc2e3284c84fbee0679ee ] + +The CAT875 sub board from Silicon Linux uses a Realtek PHY. + +The phy driver commit bbc4d71d63549bcd003 ("net: phy: realtek: fix +rtl8211e rx/tx delay config") introduced NFS mount failures. Now it +needs both rx/tx delays for the NFS mount to work. + +This patch fixes the NFS mount failure issue by adding "rgmii-id" mode +to the avb device node. + +Signed-off-by: Biju Das +Fixes: bbc4d71d63549bcd ("net: phy: realtek: fix rtl8211e rx/tx delay config") +Link: https://lore.kernel.org/r/20211115142830.12651-1-biju.das.jz@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/cat875.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/renesas/cat875.dtsi b/arch/arm64/boot/dts/renesas/cat875.dtsi +index 801ea54b027c4..20f8adc635e72 100644 +--- a/arch/arm64/boot/dts/renesas/cat875.dtsi ++++ b/arch/arm64/boot/dts/renesas/cat875.dtsi +@@ -18,6 +18,7 @@ + pinctrl-names = "default"; + renesas,no-ether-link; + phy-handle = <&phy0>; ++ phy-mode = "rgmii-id"; + status = "okay"; + + phy0: ethernet-phy@0 { +-- +2.34.1 + diff --git a/queue-5.10/arm64-dts-ti-j7200-main-fix-dtbs_check-serdes_ln_ctr.patch b/queue-5.10/arm64-dts-ti-j7200-main-fix-dtbs_check-serdes_ln_ctr.patch new file mode 100644 index 00000000000..7cb5956ff71 --- /dev/null +++ b/queue-5.10/arm64-dts-ti-j7200-main-fix-dtbs_check-serdes_ln_ctr.patch @@ -0,0 +1,37 @@ +From 640411df231f5212834aab917009cb6a365ddb72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Nov 2021 14:15:54 +0530 +Subject: arm64: dts: ti: j7200-main: Fix 'dtbs_check' serdes_ln_ctrl node + +From: Kishon Vijay Abraham I + +[ Upstream commit 4d3984906397581dc0ccb6a02bf16b6ff82c9192 ] + +Fix 'dtbs_check' in serdes_ln_ctrl (serdes-ln-ctrl@4080) node by +changing the node name to mux-controller@4080. + +Signed-off-by: Kishon Vijay Abraham I +Reviewed-by: Aswath Govindraju +Signed-off-by: Vignesh Raghavendra +Link: https://lore.kernel.org/r/20211126084555.17797-2-kishon@ti.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/ti/k3-j7200-main.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi b/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi +index 5832ad830ed14..1ab9f9604af6c 100644 +--- a/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi ++++ b/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi +@@ -25,7 +25,7 @@ + #size-cells = <1>; + ranges = <0x00 0x00 0x00100000 0x1c000>; + +- serdes_ln_ctrl: serdes-ln-ctrl@4080 { ++ serdes_ln_ctrl: mux-controller@4080 { + compatible = "mmio-mux"; + #mux-control-cells = <1>; + mux-reg-masks = <0x4080 0x3>, <0x4084 0x3>, /* SERDES0 lane0/1 select */ +-- +2.34.1 + diff --git a/queue-5.10/arm64-dts-ti-k3-j7200-correct-the-d-cache-sets-info.patch b/queue-5.10/arm64-dts-ti-k3-j7200-correct-the-d-cache-sets-info.patch new file mode 100644 index 00000000000..c1b6255fc26 --- /dev/null +++ b/queue-5.10/arm64-dts-ti-k3-j7200-correct-the-d-cache-sets-info.patch @@ -0,0 +1,58 @@ +From 9fe9780f2b7dec56508836963fda5ce783d5f7da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Nov 2021 22:26:40 -0600 +Subject: arm64: dts: ti: k3-j7200: Correct the d-cache-sets info + +From: Nishanth Menon + +[ Upstream commit a172c86931709d6663318609d71a811333bdf4b0 ] + +A72 Cluster (chapter 1.3.1 [1]) has 48KB Icache, 32KB Dcache and 1MB L2 Cache + - ICache is 3-way set-associative + - Dcache is 2-way set-associative + - Line size are 64bytes + +32KB (Dcache)/64 (fixed line length of 64 bytes) = 512 ways +512 ways / 2 (Dcache is 2-way per set) = 256 sets. + +So, correct the d-cache-sets info. + +[1] https://www.ti.com/lit/pdf/spruiu1 + +Fixes: d361ed88455f ("arm64: dts: ti: Add support for J7200 SoC") +Reported-by: Peng Fan +Signed-off-by: Nishanth Menon +Reviewed-by: Pratyush Yadav +Reviewed-by: Kishon Vijay Abraham I +Signed-off-by: Vignesh Raghavendra +Link: https://lore.kernel.org/r/20211113042640.30955-1-nm@ti.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/ti/k3-j7200.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/ti/k3-j7200.dtsi b/arch/arm64/boot/dts/ti/k3-j7200.dtsi +index 081b8f3d44c44..03a9623f0f956 100644 +--- a/arch/arm64/boot/dts/ti/k3-j7200.dtsi ++++ b/arch/arm64/boot/dts/ti/k3-j7200.dtsi +@@ -60,7 +60,7 @@ + i-cache-sets = <256>; + d-cache-size = <0x8000>; + d-cache-line-size = <64>; +- d-cache-sets = <128>; ++ d-cache-sets = <256>; + next-level-cache = <&L2_0>; + }; + +@@ -74,7 +74,7 @@ + i-cache-sets = <256>; + d-cache-size = <0x8000>; + d-cache-line-size = <64>; +- d-cache-sets = <128>; ++ d-cache-sets = <256>; + next-level-cache = <&L2_0>; + }; + }; +-- +2.34.1 + diff --git a/queue-5.10/arm64-dts-ti-k3-j7200-fix-the-l2-cache-sets.patch b/queue-5.10/arm64-dts-ti-k3-j7200-fix-the-l2-cache-sets.patch new file mode 100644 index 00000000000..8cee37106ca --- /dev/null +++ b/queue-5.10/arm64-dts-ti-k3-j7200-fix-the-l2-cache-sets.patch @@ -0,0 +1,47 @@ +From a8610b45a8e142c6202d9a8d4895b1a6ad88ce07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Nov 2021 22:36:38 -0600 +Subject: arm64: dts: ti: k3-j7200: Fix the L2 cache sets + +From: Nishanth Menon + +[ Upstream commit d0c826106f3fc11ff97285102b576b65576654ae ] + +A72's L2 cache[1] on J7200[2] is 1MB. A72's L2 is fixed line length of +64 bytes and 16-way set-associative cache structure. + +1MB of L2 / 64 (line length) = 16384 ways +16384 ways / 16 = 1024 sets + +Fix the l2 cache-sets. + +[1] https://developer.arm.com/documentation/100095/0003/Level-2-Memory-System/About-the-L2-memory-system +[2] https://www.ti.com/lit/pdf/spruiu1 + +Fixes: d361ed88455f ("arm64: dts: ti: Add support for J7200 SoC") +Reported-by: Peng Fan +Signed-off-by: Nishanth Menon +Reviewed-by: Pratyush Yadav +Signed-off-by: Vignesh Raghavendra +Link: https://lore.kernel.org/r/20211113043638.4358-1-nm@ti.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/ti/k3-j7200.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/ti/k3-j7200.dtsi b/arch/arm64/boot/dts/ti/k3-j7200.dtsi +index 66169bcf7c9a4..081b8f3d44c44 100644 +--- a/arch/arm64/boot/dts/ti/k3-j7200.dtsi ++++ b/arch/arm64/boot/dts/ti/k3-j7200.dtsi +@@ -84,7 +84,7 @@ + cache-level = <2>; + cache-size = <0x100000>; + cache-line-size = <64>; +- cache-sets = <2048>; ++ cache-sets = <1024>; + next-level-cache = <&msmc_l3>; + }; + +-- +2.34.1 + diff --git a/queue-5.10/arm64-dts-ti-k3-j721e-correct-cache-sets-info.patch b/queue-5.10/arm64-dts-ti-k3-j721e-correct-cache-sets-info.patch new file mode 100644 index 00000000000..76420719f6d --- /dev/null +++ b/queue-5.10/arm64-dts-ti-k3-j721e-correct-cache-sets-info.patch @@ -0,0 +1,51 @@ +From e89d7b105aaee823f0323e932a0b61e481b0cc00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Nov 2021 14:31:55 +0800 +Subject: arm64: dts: ti: k3-j721e: correct cache-sets info + +From: Peng Fan + +[ Upstream commit 7a0df1f969c14939f60a7f9a6af72adcc314675f ] + +A72 Cluster has 48KB Icache, 32KB Dcache and 1MB L2 Cache + - ICache is 3-way set-associative + - Dcache is 2-way set-associative + - Line size are 64bytes + +So correct the cache-sets info. + +Fixes: 2d87061e70dea ("arm64: dts: ti: Add Support for J721E SoC") +Signed-off-by: Peng Fan +Reviewed-by: Nishanth Menon +Signed-off-by: Vignesh Raghavendra +Link: https://lore.kernel.org/r/20211112063155.3485777-1-peng.fan@oss.nxp.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/ti/k3-j721e.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/ti/k3-j721e.dtsi b/arch/arm64/boot/dts/ti/k3-j721e.dtsi +index cc483f7344af3..d1ef9fbe4981d 100644 +--- a/arch/arm64/boot/dts/ti/k3-j721e.dtsi ++++ b/arch/arm64/boot/dts/ti/k3-j721e.dtsi +@@ -61,7 +61,7 @@ + i-cache-sets = <256>; + d-cache-size = <0x8000>; + d-cache-line-size = <64>; +- d-cache-sets = <128>; ++ d-cache-sets = <256>; + next-level-cache = <&L2_0>; + }; + +@@ -75,7 +75,7 @@ + i-cache-sets = <256>; + d-cache-size = <0x8000>; + d-cache-line-size = <64>; +- d-cache-sets = <128>; ++ d-cache-sets = <256>; + next-level-cache = <&L2_0>; + }; + }; +-- +2.34.1 + diff --git a/queue-5.10/arm64-dts-ti-k3-j721e-fix-the-l2-cache-sets.patch b/queue-5.10/arm64-dts-ti-k3-j721e-fix-the-l2-cache-sets.patch new file mode 100644 index 00000000000..009d1ac09d0 --- /dev/null +++ b/queue-5.10/arm64-dts-ti-k3-j721e-fix-the-l2-cache-sets.patch @@ -0,0 +1,47 @@ +From fb2906b98c3ec0179a0edd0b4b48d023145b893d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Nov 2021 22:36:39 -0600 +Subject: arm64: dts: ti: k3-j721e: Fix the L2 cache sets + +From: Nishanth Menon + +[ Upstream commit e9ba3a5bc6fdc2c796c69fdaf5ed6c9957cf9f9d ] + +A72's L2 cache[1] on J721e[2] is 1MB. A72's L2 is fixed line length of +64 bytes and 16-way set-associative cache structure. + +1MB of L2 / 64 (line length) = 16384 ways +16384 ways / 16 = 1024 sets + +Fix the l2 cache-sets. + +[1] https://developer.arm.com/documentation/100095/0003/Level-2-Memory-System/About-the-L2-memory-system +[2] http://www.ti.com/lit/pdf/spruil1 + +Fixes: 2d87061e70de ("arm64: dts: ti: Add Support for J721E SoC") +Reported-by: Peng Fan +Signed-off-by: Nishanth Menon +Reviewed-by: Pratyush Yadav +Signed-off-by: Vignesh Raghavendra +Link: https://lore.kernel.org/r/20211113043639.4413-1-nm@ti.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/ti/k3-j721e.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/ti/k3-j721e.dtsi b/arch/arm64/boot/dts/ti/k3-j721e.dtsi +index d1ef9fbe4981d..a199227327ed2 100644 +--- a/arch/arm64/boot/dts/ti/k3-j721e.dtsi ++++ b/arch/arm64/boot/dts/ti/k3-j721e.dtsi +@@ -85,7 +85,7 @@ + cache-level = <2>; + cache-size = <0x100000>; + cache-line-size = <64>; +- cache-sets = <2048>; ++ cache-sets = <1024>; + next-level-cache = <&msmc_l3>; + }; + +-- +2.34.1 + diff --git a/queue-5.10/arm64-lib-annotate-clear-copy-_page-as-position-inde.patch b/queue-5.10/arm64-lib-annotate-clear-copy-_page-as-position-inde.patch new file mode 100644 index 00000000000..3ad94b09929 --- /dev/null +++ b/queue-5.10/arm64-lib-annotate-clear-copy-_page-as-position-inde.patch @@ -0,0 +1,65 @@ +From 06906eacb4e7abaaa8fb270e65026c27bac71778 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Mar 2021 10:01:09 +0000 +Subject: arm64: lib: Annotate {clear, copy}_page() as position-independent + +From: Will Deacon + +[ Upstream commit 8d9902055c57548bb342dc3ca78caa21e9643024 ] + +clear_page() and copy_page() are suitable for use outside of the kernel +address space, so annotate them as position-independent code. + +Signed-off-by: Will Deacon +Signed-off-by: Quentin Perret +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20210319100146.1149909-2-qperret@google.com +Signed-off-by: Sasha Levin +--- + arch/arm64/lib/clear_page.S | 4 ++-- + arch/arm64/lib/copy_page.S | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/lib/clear_page.S b/arch/arm64/lib/clear_page.S +index 073acbf02a7c8..b84b179edba3a 100644 +--- a/arch/arm64/lib/clear_page.S ++++ b/arch/arm64/lib/clear_page.S +@@ -14,7 +14,7 @@ + * Parameters: + * x0 - dest + */ +-SYM_FUNC_START(clear_page) ++SYM_FUNC_START_PI(clear_page) + mrs x1, dczid_el0 + and w1, w1, #0xf + mov x2, #4 +@@ -25,5 +25,5 @@ SYM_FUNC_START(clear_page) + tst x0, #(PAGE_SIZE - 1) + b.ne 1b + ret +-SYM_FUNC_END(clear_page) ++SYM_FUNC_END_PI(clear_page) + EXPORT_SYMBOL(clear_page) +diff --git a/arch/arm64/lib/copy_page.S b/arch/arm64/lib/copy_page.S +index e7a793961408d..29144f4cd4492 100644 +--- a/arch/arm64/lib/copy_page.S ++++ b/arch/arm64/lib/copy_page.S +@@ -17,7 +17,7 @@ + * x0 - dest + * x1 - src + */ +-SYM_FUNC_START(copy_page) ++SYM_FUNC_START_PI(copy_page) + alternative_if ARM64_HAS_NO_HW_PREFETCH + // Prefetch three cache lines ahead. + prfm pldl1strm, [x1, #128] +@@ -75,5 +75,5 @@ alternative_else_nop_endif + stnp x16, x17, [x0, #112 - 256] + + ret +-SYM_FUNC_END(copy_page) ++SYM_FUNC_END_PI(copy_page) + EXPORT_SYMBOL(copy_page) +-- +2.34.1 + diff --git a/queue-5.10/arm64-tegra-adjust-length-of-ccplex-cluster-mmio-reg.patch b/queue-5.10/arm64-tegra-adjust-length-of-ccplex-cluster-mmio-reg.patch new file mode 100644 index 00000000000..7268f43f00b --- /dev/null +++ b/queue-5.10/arm64-tegra-adjust-length-of-ccplex-cluster-mmio-reg.patch @@ -0,0 +1,35 @@ +From 4ef5a6062b7938a2ea37b9f3013a7237316aafca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Dec 2021 14:28:29 +0100 +Subject: arm64: tegra: Adjust length of CCPLEX cluster MMIO region + +From: Thierry Reding + +[ Upstream commit 2b14cbd643feea5fc17c6e8bead4e71088c69acd ] + +The Tegra186 CCPLEX cluster register region is 4 MiB is length, not 4 +MiB - 1. This was likely presumed to be the "limit" rather than length. +Fix it up. + +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/nvidia/tegra186.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/nvidia/tegra186.dtsi b/arch/arm64/boot/dts/nvidia/tegra186.dtsi +index 0c46ab7bbbf37..eec6418ecdb1a 100644 +--- a/arch/arm64/boot/dts/nvidia/tegra186.dtsi ++++ b/arch/arm64/boot/dts/nvidia/tegra186.dtsi +@@ -985,7 +985,7 @@ + + ccplex@e000000 { + compatible = "nvidia,tegra186-ccplex-cluster"; +- reg = <0x0 0x0e000000 0x0 0x3fffff>; ++ reg = <0x0 0x0e000000 0x0 0x400000>; + + nvidia,bpmp = <&bpmp>; + }; +-- +2.34.1 + diff --git a/queue-5.10/arm64-tegra-fix-tegra194-hda-clock-reset-names-order.patch b/queue-5.10/arm64-tegra-fix-tegra194-hda-clock-reset-names-order.patch new file mode 100644 index 00000000000..4d8e48ff1cf --- /dev/null +++ b/queue-5.10/arm64-tegra-fix-tegra194-hda-clock-reset-names-order.patch @@ -0,0 +1,47 @@ +From bf9222167401a87bf57f372608e74a9a75450331 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Nov 2020 13:36:20 +0530 +Subject: arm64: tegra: Fix Tegra194 HDA {clock,reset}-names ordering + +From: Sameer Pujar + +[ Upstream commit 48f6e195039486bc303118948f49a9873acc888f ] + +As per the HDA binding doc reorder {clock,reset}-names entries for +Tegra194. This also serves as a preparation for converting existing +binding doc to json-schema. + +Signed-off-by: Sameer Pujar +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/nvidia/tegra194.dtsi | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/arm64/boot/dts/nvidia/tegra194.dtsi b/arch/arm64/boot/dts/nvidia/tegra194.dtsi +index 9b5007e5f790f..815df654e6387 100644 +--- a/arch/arm64/boot/dts/nvidia/tegra194.dtsi ++++ b/arch/arm64/boot/dts/nvidia/tegra194.dtsi +@@ -782,13 +782,13 @@ + reg = <0x3510000 0x10000>; + interrupts = ; + clocks = <&bpmp TEGRA194_CLK_HDA>, +- <&bpmp TEGRA194_CLK_HDA2CODEC_2X>, +- <&bpmp TEGRA194_CLK_HDA2HDMICODEC>; +- clock-names = "hda", "hda2codec_2x", "hda2hdmi"; ++ <&bpmp TEGRA194_CLK_HDA2HDMICODEC>, ++ <&bpmp TEGRA194_CLK_HDA2CODEC_2X>; ++ clock-names = "hda", "hda2hdmi", "hda2codec_2x"; + resets = <&bpmp TEGRA194_RESET_HDA>, +- <&bpmp TEGRA194_RESET_HDA2CODEC_2X>, +- <&bpmp TEGRA194_RESET_HDA2HDMICODEC>; +- reset-names = "hda", "hda2codec_2x", "hda2hdmi"; ++ <&bpmp TEGRA194_RESET_HDA2HDMICODEC>, ++ <&bpmp TEGRA194_RESET_HDA2CODEC_2X>; ++ reset-names = "hda", "hda2hdmi", "hda2codec_2x"; + power-domains = <&bpmp TEGRA194_POWER_DOMAIN_DISP>; + interconnects = <&mc TEGRA194_MEMORY_CLIENT_HDAR &emc>, + <&mc TEGRA194_MEMORY_CLIENT_HDAW &emc>; +-- +2.34.1 + diff --git a/queue-5.10/arm64-tegra-remove-non-existent-tegra194-reset.patch b/queue-5.10/arm64-tegra-remove-non-existent-tegra194-reset.patch new file mode 100644 index 00000000000..ef204deeeb5 --- /dev/null +++ b/queue-5.10/arm64-tegra-remove-non-existent-tegra194-reset.patch @@ -0,0 +1,40 @@ +From 10d3e72a6f576fe45553b0bdcb7c55b5998effe0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Dec 2021 17:23:51 +0530 +Subject: arm64: tegra: Remove non existent Tegra194 reset + +From: Sameer Pujar + +[ Upstream commit 146b3a77af8091cabbd1decc51d67799e69682d2 ] + +Tegra194 does not really have "hda2codec_2x" related reset. Hence drop +this entry to reflect actual HW. + +Fixes: 4878cc0c9fab ("arm64: tegra: Add HDA controller on Tegra194") +Signed-off-by: Sameer Pujar +Link: https://lore.kernel.org/r/1640260431-11613-4-git-send-email-spujar@nvidia.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/nvidia/tegra194.dtsi | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/nvidia/tegra194.dtsi b/arch/arm64/boot/dts/nvidia/tegra194.dtsi +index 815df654e6387..05cf606b85c9f 100644 +--- a/arch/arm64/boot/dts/nvidia/tegra194.dtsi ++++ b/arch/arm64/boot/dts/nvidia/tegra194.dtsi +@@ -786,9 +786,8 @@ + <&bpmp TEGRA194_CLK_HDA2CODEC_2X>; + clock-names = "hda", "hda2hdmi", "hda2codec_2x"; + resets = <&bpmp TEGRA194_RESET_HDA>, +- <&bpmp TEGRA194_RESET_HDA2HDMICODEC>, +- <&bpmp TEGRA194_RESET_HDA2CODEC_2X>; +- reset-names = "hda", "hda2hdmi", "hda2codec_2x"; ++ <&bpmp TEGRA194_RESET_HDA2HDMICODEC>; ++ reset-names = "hda", "hda2hdmi"; + power-domains = <&bpmp TEGRA194_POWER_DOMAIN_DISP>; + interconnects = <&mc TEGRA194_MEMORY_CLIENT_HDAR &emc>, + <&mc TEGRA194_MEMORY_CLIENT_HDAW &emc>; +-- +2.34.1 + diff --git a/queue-5.10/asoc-fsl_asrc-refine-the-check-of-available-clock-di.patch b/queue-5.10/asoc-fsl_asrc-refine-the-check-of-available-clock-di.patch new file mode 100644 index 00000000000..4ba6eb65d0c --- /dev/null +++ b/queue-5.10/asoc-fsl_asrc-refine-the-check-of-available-clock-di.patch @@ -0,0 +1,159 @@ +From 2cefbd11ccdc49ab20eb745af75d8fc009dcc435 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jan 2022 19:08:03 +0800 +Subject: ASoC: fsl_asrc: refine the check of available clock divider + +From: Shengjiu Wang + +[ Upstream commit 320386343451ab6a3577e0ee200dac56a6182944 ] + +According to RM, the clock divider range is from 1 to 8, clock +prescaling ratio may be any power of 2 from 1 to 128. +So the supported divider is not all the value between +1 and 1024, just limited value in that range. + +Create table for the supported divder and add function to +check the clock divider is available by comparing with +the table. + +Fixes: d0250cf4f2ab ("ASoC: fsl_asrc: Add an option to select internal ratio mode") +Signed-off-by: Shengjiu Wang +Link: https://lore.kernel.org/r/1641380883-20709-1-git-send-email-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_asrc.c | 69 +++++++++++++++++++++++++++++++++------- + 1 file changed, 58 insertions(+), 11 deletions(-) + +diff --git a/sound/soc/fsl/fsl_asrc.c b/sound/soc/fsl/fsl_asrc.c +index 02c81d2e34ad0..5e3c71f025f45 100644 +--- a/sound/soc/fsl/fsl_asrc.c ++++ b/sound/soc/fsl/fsl_asrc.c +@@ -19,6 +19,7 @@ + #include "fsl_asrc.h" + + #define IDEAL_RATIO_DECIMAL_DEPTH 26 ++#define DIVIDER_NUM 64 + + #define pair_err(fmt, ...) \ + dev_err(&asrc->pdev->dev, "Pair %c: " fmt, 'A' + index, ##__VA_ARGS__) +@@ -101,6 +102,55 @@ static unsigned char clk_map_imx8qxp[2][ASRC_CLK_MAP_LEN] = { + }, + }; + ++/* ++ * According to RM, the divider range is 1 ~ 8, ++ * prescaler is power of 2 from 1 ~ 128. ++ */ ++static int asrc_clk_divider[DIVIDER_NUM] = { ++ 1, 2, 4, 8, 16, 32, 64, 128, /* divider = 1 */ ++ 2, 4, 8, 16, 32, 64, 128, 256, /* divider = 2 */ ++ 3, 6, 12, 24, 48, 96, 192, 384, /* divider = 3 */ ++ 4, 8, 16, 32, 64, 128, 256, 512, /* divider = 4 */ ++ 5, 10, 20, 40, 80, 160, 320, 640, /* divider = 5 */ ++ 6, 12, 24, 48, 96, 192, 384, 768, /* divider = 6 */ ++ 7, 14, 28, 56, 112, 224, 448, 896, /* divider = 7 */ ++ 8, 16, 32, 64, 128, 256, 512, 1024, /* divider = 8 */ ++}; ++ ++/* ++ * Check if the divider is available for internal ratio mode ++ */ ++static bool fsl_asrc_divider_avail(int clk_rate, int rate, int *div) ++{ ++ u32 rem, i; ++ u64 n; ++ ++ if (div) ++ *div = 0; ++ ++ if (clk_rate == 0 || rate == 0) ++ return false; ++ ++ n = clk_rate; ++ rem = do_div(n, rate); ++ ++ if (div) ++ *div = n; ++ ++ if (rem != 0) ++ return false; ++ ++ for (i = 0; i < DIVIDER_NUM; i++) { ++ if (n == asrc_clk_divider[i]) ++ break; ++ } ++ ++ if (i == DIVIDER_NUM) ++ return false; ++ ++ return true; ++} ++ + /** + * fsl_asrc_sel_proc - Select the pre-processing and post-processing options + * @inrate: input sample rate +@@ -330,12 +380,12 @@ static int fsl_asrc_config_pair(struct fsl_asrc_pair *pair, bool use_ideal_rate) + enum asrc_word_width input_word_width; + enum asrc_word_width output_word_width; + u32 inrate, outrate, indiv, outdiv; +- u32 clk_index[2], div[2], rem[2]; ++ u32 clk_index[2], div[2]; + u64 clk_rate; + int in, out, channels; + int pre_proc, post_proc; + struct clk *clk; +- bool ideal; ++ bool ideal, div_avail; + + if (!config) { + pair_err("invalid pair config\n"); +@@ -415,8 +465,7 @@ static int fsl_asrc_config_pair(struct fsl_asrc_pair *pair, bool use_ideal_rate) + clk = asrc_priv->asrck_clk[clk_index[ideal ? OUT : IN]]; + + clk_rate = clk_get_rate(clk); +- rem[IN] = do_div(clk_rate, inrate); +- div[IN] = (u32)clk_rate; ++ div_avail = fsl_asrc_divider_avail(clk_rate, inrate, &div[IN]); + + /* + * The divider range is [1, 1024], defined by the hardware. For non- +@@ -425,7 +474,7 @@ static int fsl_asrc_config_pair(struct fsl_asrc_pair *pair, bool use_ideal_rate) + * only result in different converting speeds. So remainder does not + * matter, as long as we keep the divider within its valid range. + */ +- if (div[IN] == 0 || (!ideal && (div[IN] > 1024 || rem[IN] != 0))) { ++ if (div[IN] == 0 || (!ideal && !div_avail)) { + pair_err("failed to support input sample rate %dHz by asrck_%x\n", + inrate, clk_index[ideal ? OUT : IN]); + return -EINVAL; +@@ -436,13 +485,12 @@ static int fsl_asrc_config_pair(struct fsl_asrc_pair *pair, bool use_ideal_rate) + clk = asrc_priv->asrck_clk[clk_index[OUT]]; + clk_rate = clk_get_rate(clk); + if (ideal && use_ideal_rate) +- rem[OUT] = do_div(clk_rate, IDEAL_RATIO_RATE); ++ div_avail = fsl_asrc_divider_avail(clk_rate, IDEAL_RATIO_RATE, &div[OUT]); + else +- rem[OUT] = do_div(clk_rate, outrate); +- div[OUT] = clk_rate; ++ div_avail = fsl_asrc_divider_avail(clk_rate, outrate, &div[OUT]); + + /* Output divider has the same limitation as the input one */ +- if (div[OUT] == 0 || (!ideal && (div[OUT] > 1024 || rem[OUT] != 0))) { ++ if (div[OUT] == 0 || (!ideal && !div_avail)) { + pair_err("failed to support output sample rate %dHz by asrck_%x\n", + outrate, clk_index[OUT]); + return -EINVAL; +@@ -621,8 +669,7 @@ static void fsl_asrc_select_clk(struct fsl_asrc_priv *asrc_priv, + clk_index = asrc_priv->clk_map[j][i]; + clk_rate = clk_get_rate(asrc_priv->asrck_clk[clk_index]); + /* Only match a perfect clock source with no remainder */ +- if (clk_rate != 0 && (clk_rate / rate[j]) <= 1024 && +- (clk_rate % rate[j]) == 0) ++ if (fsl_asrc_divider_avail(clk_rate, rate[j], NULL)) + break; + } + +-- +2.34.1 + diff --git a/queue-5.10/asoc-fsl_mqs-fix-module_alias.patch b/queue-5.10/asoc-fsl_mqs-fix-module_alias.patch new file mode 100644 index 00000000000..1e57ce80530 --- /dev/null +++ b/queue-5.10/asoc-fsl_mqs-fix-module_alias.patch @@ -0,0 +1,33 @@ +From bd74ea99b1ed5a4fb55b7603d6a9b13192fb214a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jan 2022 13:22:16 +0000 +Subject: ASoC: fsl_mqs: fix MODULE_ALIAS + +From: Alyssa Ross + +[ Upstream commit 9f3d45318dd9e739ed62e4218839a7a824d3cced ] + +modprobe can't handle spaces in aliases. + +Fixes: 9e28f6532c61 ("ASoC: fsl_mqs: Add MQS component driver") +Signed-off-by: Alyssa Ross +Link: https://lore.kernel.org/r/20220104132218.1690103-1-hi@alyssa.is +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_mqs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/fsl/fsl_mqs.c b/sound/soc/fsl/fsl_mqs.c +index 69aeb0e71844d..0d4efbed41dab 100644 +--- a/sound/soc/fsl/fsl_mqs.c ++++ b/sound/soc/fsl/fsl_mqs.c +@@ -337,4 +337,4 @@ module_platform_driver(fsl_mqs_driver); + MODULE_AUTHOR("Shengjiu Wang "); + MODULE_DESCRIPTION("MQS codec driver"); + MODULE_LICENSE("GPL v2"); +-MODULE_ALIAS("platform: fsl-mqs"); ++MODULE_ALIAS("platform:fsl-mqs"); +-- +2.34.1 + diff --git a/queue-5.10/asoc-intel-catpt-test-dmaengine_submit-result-before.patch b/queue-5.10/asoc-intel-catpt-test-dmaengine_submit-result-before.patch new file mode 100644 index 00000000000..dad46590c46 --- /dev/null +++ b/queue-5.10/asoc-intel-catpt-test-dmaengine_submit-result-before.patch @@ -0,0 +1,65 @@ +From b7a16a0e46fd0d1e54bc086da72acd4d735d642b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Dec 2021 12:57:39 +0100 +Subject: ASoC: Intel: catpt: Test dmaengine_submit() result before moving on + +From: Cezary Rojewski + +[ Upstream commit 2a9a72e290d4a4741e673f86b9fba9bfb319786d ] + +After calling dmaengine_submit(), the submitted transfer descriptor +belongs to the DMA engine. Pointer to that descriptor may no longer be +valid after the call and should be tested before awaiting transfer +completion. + +Reported-by: Kevin Tian +Suggested-by: Dave Jiang +Fixes: 4fac9b31d0b9 ("ASoC: Intel: Add catpt base members") +Signed-off-by: Cezary Rojewski +Link: https://lore.kernel.org/r/20211216115743.2130622-2-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/catpt/dsp.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/intel/catpt/dsp.c b/sound/soc/intel/catpt/dsp.c +index 9e807b9417321..38a92bbc1ed56 100644 +--- a/sound/soc/intel/catpt/dsp.c ++++ b/sound/soc/intel/catpt/dsp.c +@@ -65,6 +65,7 @@ static int catpt_dma_memcpy(struct catpt_dev *cdev, struct dma_chan *chan, + { + struct dma_async_tx_descriptor *desc; + enum dma_status status; ++ int ret; + + desc = dmaengine_prep_dma_memcpy(chan, dst_addr, src_addr, size, + DMA_CTRL_ACK); +@@ -77,13 +78,22 @@ static int catpt_dma_memcpy(struct catpt_dev *cdev, struct dma_chan *chan, + catpt_updatel_shim(cdev, HMDC, + CATPT_HMDC_HDDA(CATPT_DMA_DEVID, chan->chan_id), + CATPT_HMDC_HDDA(CATPT_DMA_DEVID, chan->chan_id)); +- dmaengine_submit(desc); ++ ++ ret = dma_submit_error(dmaengine_submit(desc)); ++ if (ret) { ++ dev_err(cdev->dev, "submit tx failed: %d\n", ret); ++ goto clear_hdda; ++ } ++ + status = dma_wait_for_async_tx(desc); ++ ret = (status == DMA_COMPLETE) ? 0 : -EPROTO; ++ ++clear_hdda: + /* regardless of status, disable access to HOST memory in demand mode */ + catpt_updatel_shim(cdev, HMDC, + CATPT_HMDC_HDDA(CATPT_DMA_DEVID, chan->chan_id), 0); + +- return (status == DMA_COMPLETE) ? 0 : -EPROTO; ++ return ret; + } + + int catpt_dma_memcpy_todsp(struct catpt_dev *cdev, struct dma_chan *chan, +-- +2.34.1 + diff --git a/queue-5.10/asoc-mediatek-check-for-error-clk-pointer.patch b/queue-5.10/asoc-mediatek-check-for-error-clk-pointer.patch new file mode 100644 index 00000000000..f1257ffdf60 --- /dev/null +++ b/queue-5.10/asoc-mediatek-check-for-error-clk-pointer.patch @@ -0,0 +1,68 @@ +From 03bd1f87ff5d6ce3ab03125fd451d9e19581d07e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 09:51:57 +0800 +Subject: ASoC: mediatek: Check for error clk pointer + +From: Jiasheng Jiang + +[ Upstream commit 9de2b9286a6dd16966959b3cb34fc2ddfd39213e ] + +Yes, you are right and now the return code depending on the +init_clks(). + +Fixes: 6078c651947a ("soc: mediatek: Refine scpsys to support multiple platform") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20211222015157.1025853-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/soc/mediatek/mtk-scpsys.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/soc/mediatek/mtk-scpsys.c b/drivers/soc/mediatek/mtk-scpsys.c +index ca75b14931ec9..670cc82d17dc2 100644 +--- a/drivers/soc/mediatek/mtk-scpsys.c ++++ b/drivers/soc/mediatek/mtk-scpsys.c +@@ -411,12 +411,17 @@ out: + return ret; + } + +-static void init_clks(struct platform_device *pdev, struct clk **clk) ++static int init_clks(struct platform_device *pdev, struct clk **clk) + { + int i; + +- for (i = CLK_NONE + 1; i < CLK_MAX; i++) ++ for (i = CLK_NONE + 1; i < CLK_MAX; i++) { + clk[i] = devm_clk_get(&pdev->dev, clk_names[i]); ++ if (IS_ERR(clk[i])) ++ return PTR_ERR(clk[i]); ++ } ++ ++ return 0; + } + + static struct scp *init_scp(struct platform_device *pdev, +@@ -426,7 +431,7 @@ static struct scp *init_scp(struct platform_device *pdev, + { + struct genpd_onecell_data *pd_data; + struct resource *res; +- int i, j; ++ int i, j, ret; + struct scp *scp; + struct clk *clk[CLK_MAX]; + +@@ -481,7 +486,9 @@ static struct scp *init_scp(struct platform_device *pdev, + + pd_data->num_domains = num; + +- init_clks(pdev, clk); ++ ret = init_clks(pdev, clk); ++ if (ret) ++ return ERR_PTR(ret); + + for (i = 0; i < num; i++) { + struct scp_domain *scpd = &scp->domains[i]; +-- +2.34.1 + diff --git a/queue-5.10/asoc-mediatek-mt8173-fix-device_node-leak.patch b/queue-5.10/asoc-mediatek-mt8173-fix-device_node-leak.patch new file mode 100644 index 00000000000..9350023d110 --- /dev/null +++ b/queue-5.10/asoc-mediatek-mt8173-fix-device_node-leak.patch @@ -0,0 +1,78 @@ +From 2002a4529652ab72f67fe71ea2fe916ba5578e01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Dec 2021 14:47:16 +0800 +Subject: ASoC: mediatek: mt8173: fix device_node leak + +From: Tzung-Bi Shih + +[ Upstream commit 493433785df0075afc0c106ab65f10a605d0b35d ] + +Fixes the device_node leak. + +Signed-off-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/20211224064719.2031210-2-tzungbi@google.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mediatek/mt8173/mt8173-max98090.c | 3 +++ + sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c | 2 ++ + sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c | 2 ++ + sound/soc/mediatek/mt8173/mt8173-rt5650.c | 2 ++ + 4 files changed, 9 insertions(+) + +diff --git a/sound/soc/mediatek/mt8173/mt8173-max98090.c b/sound/soc/mediatek/mt8173/mt8173-max98090.c +index fc94314bfc02f..3bdd4931316cd 100644 +--- a/sound/soc/mediatek/mt8173/mt8173-max98090.c ++++ b/sound/soc/mediatek/mt8173/mt8173-max98090.c +@@ -180,6 +180,9 @@ static int mt8173_max98090_dev_probe(struct platform_device *pdev) + if (ret) + dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n", + __func__, ret); ++ ++ of_node_put(codec_node); ++ of_node_put(platform_node); + return ret; + } + +diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c +index 0f28dc2217c09..390da5bf727eb 100644 +--- a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c ++++ b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c +@@ -218,6 +218,8 @@ static int mt8173_rt5650_rt5514_dev_probe(struct platform_device *pdev) + if (ret) + dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n", + __func__, ret); ++ ++ of_node_put(platform_node); + return ret; + } + +diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c +index 077c6ee067806..c8e4e85e10575 100644 +--- a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c ++++ b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c +@@ -285,6 +285,8 @@ static int mt8173_rt5650_rt5676_dev_probe(struct platform_device *pdev) + if (ret) + dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n", + __func__, ret); ++ ++ of_node_put(platform_node); + return ret; + } + +diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650.c b/sound/soc/mediatek/mt8173/mt8173-rt5650.c +index c28ebf891cb05..e168d31f44459 100644 +--- a/sound/soc/mediatek/mt8173/mt8173-rt5650.c ++++ b/sound/soc/mediatek/mt8173/mt8173-rt5650.c +@@ -323,6 +323,8 @@ static int mt8173_rt5650_dev_probe(struct platform_device *pdev) + if (ret) + dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n", + __func__, ret); ++ ++ of_node_put(platform_node); + return ret; + } + +-- +2.34.1 + diff --git a/queue-5.10/asoc-mediatek-mt8183-fix-device_node-leak.patch b/queue-5.10/asoc-mediatek-mt8183-fix-device_node-leak.patch new file mode 100644 index 00000000000..7db23aade49 --- /dev/null +++ b/queue-5.10/asoc-mediatek-mt8183-fix-device_node-leak.patch @@ -0,0 +1,58 @@ +From 43452cbedf3a6298c6cf4aa11a6876f21713d90a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Dec 2021 14:47:17 +0800 +Subject: ASoC: mediatek: mt8183: fix device_node leak + +From: Tzung-Bi Shih + +[ Upstream commit cb006006fe6221f092fadaffd3f219288304c9ad ] + +Fixes the device_node leak. + +Signed-off-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/20211224064719.2031210-3-tzungbi@google.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c | 6 +++++- + sound/soc/mediatek/mt8183/mt8183-mt6358-ts3a227-max98357.c | 7 ++++++- + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c b/sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c +index 20d31b69a5c00..9cc0f26b08fbc 100644 +--- a/sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c ++++ b/sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c +@@ -787,7 +787,11 @@ static int mt8183_da7219_max98357_dev_probe(struct platform_device *pdev) + return ret; + } + +- return devm_snd_soc_register_card(&pdev->dev, card); ++ ret = devm_snd_soc_register_card(&pdev->dev, card); ++ ++ of_node_put(platform_node); ++ of_node_put(hdmi_codec); ++ return ret; + } + + #ifdef CONFIG_OF +diff --git a/sound/soc/mediatek/mt8183/mt8183-mt6358-ts3a227-max98357.c b/sound/soc/mediatek/mt8183/mt8183-mt6358-ts3a227-max98357.c +index 79ba2f2d84522..14ce8b93597f3 100644 +--- a/sound/soc/mediatek/mt8183/mt8183-mt6358-ts3a227-max98357.c ++++ b/sound/soc/mediatek/mt8183/mt8183-mt6358-ts3a227-max98357.c +@@ -720,7 +720,12 @@ mt8183_mt6358_ts3a227_max98357_dev_probe(struct platform_device *pdev) + __func__, ret); + } + +- return devm_snd_soc_register_card(&pdev->dev, card); ++ ret = devm_snd_soc_register_card(&pdev->dev, card); ++ ++ of_node_put(platform_node); ++ of_node_put(ec_codec); ++ of_node_put(hdmi_codec); ++ return ret; + } + + #ifdef CONFIG_OF +-- +2.34.1 + diff --git a/queue-5.10/asoc-rt5663-handle-device_property_read_u32_array-er.patch b/queue-5.10/asoc-rt5663-handle-device_property_read_u32_array-er.patch new file mode 100644 index 00000000000..42e75e71e3e --- /dev/null +++ b/queue-5.10/asoc-rt5663-handle-device_property_read_u32_array-er.patch @@ -0,0 +1,65 @@ +From 297fb4c1df7a254d81f3da5b771c8d4504497ecf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Dec 2021 11:15:50 +0800 +Subject: ASoC: rt5663: Handle device_property_read_u32_array error codes + +From: Jiasheng Jiang + +[ Upstream commit 2167c0b205960607fb136b4bb3c556a62be1569a ] + +The return value of device_property_read_u32_array() is not always 0. +To catch the exception in case that devm_kzalloc failed and the +rt5663->imp_table was NULL, which caused the failure of +device_property_read_u32_array. + +Fixes: 450f0f6a8fb4 ("ASoC: rt5663: Add the manual offset field to compensate the DC offset") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20211215031550.70702-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5663.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/rt5663.c b/sound/soc/codecs/rt5663.c +index 619fb9a031e39..db8a41aaa3859 100644 +--- a/sound/soc/codecs/rt5663.c ++++ b/sound/soc/codecs/rt5663.c +@@ -3461,6 +3461,7 @@ static void rt5663_calibrate(struct rt5663_priv *rt5663) + static int rt5663_parse_dp(struct rt5663_priv *rt5663, struct device *dev) + { + int table_size; ++ int ret; + + device_property_read_u32(dev, "realtek,dc_offset_l_manual", + &rt5663->pdata.dc_offset_l_manual); +@@ -3477,9 +3478,11 @@ static int rt5663_parse_dp(struct rt5663_priv *rt5663, struct device *dev) + table_size = sizeof(struct impedance_mapping_table) * + rt5663->pdata.impedance_sensing_num; + rt5663->imp_table = devm_kzalloc(dev, table_size, GFP_KERNEL); +- device_property_read_u32_array(dev, ++ ret = device_property_read_u32_array(dev, + "realtek,impedance_sensing_table", + (u32 *)rt5663->imp_table, table_size); ++ if (ret) ++ return ret; + } + + return 0; +@@ -3504,8 +3507,11 @@ static int rt5663_i2c_probe(struct i2c_client *i2c, + + if (pdata) + rt5663->pdata = *pdata; +- else +- rt5663_parse_dp(rt5663, &i2c->dev); ++ else { ++ ret = rt5663_parse_dp(rt5663, &i2c->dev); ++ if (ret) ++ return ret; ++ } + + for (i = 0; i < ARRAY_SIZE(rt5663->supplies); i++) + rt5663->supplies[i].supply = rt5663_supply_names[i]; +-- +2.34.1 + diff --git a/queue-5.10/asoc-samsung-idma-check-of-ioremap-return-value.patch b/queue-5.10/asoc-samsung-idma-check-of-ioremap-return-value.patch new file mode 100644 index 00000000000..042ede241a5 --- /dev/null +++ b/queue-5.10/asoc-samsung-idma-check-of-ioremap-return-value.patch @@ -0,0 +1,40 @@ +From d8f56b9d11cbb2e5c893a4d970ffd26521f84d47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Dec 2021 11:40:26 +0800 +Subject: ASoC: samsung: idma: Check of ioremap return value + +From: Jiasheng Jiang + +[ Upstream commit 3ecb46755eb85456b459a1a9f952c52986bce8ec ] + +Because of the potential failure of the ioremap(), the buf->area could +be NULL. +Therefore, we need to check it and return -ENOMEM in order to transfer +the error. + +Fixes: f09aecd50f39 ("ASoC: SAMSUNG: Add I2S0 internal dma driver") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20211228034026.1659385-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/samsung/idma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/samsung/idma.c b/sound/soc/samsung/idma.c +index 66bcc2f97544b..c3f1b054e2389 100644 +--- a/sound/soc/samsung/idma.c ++++ b/sound/soc/samsung/idma.c +@@ -360,6 +360,8 @@ static int preallocate_idma_buffer(struct snd_pcm *pcm, int stream) + buf->addr = idma.lp_tx_addr; + buf->bytes = idma_hardware.buffer_bytes_max; + buf->area = (unsigned char * __force)ioremap(buf->addr, buf->bytes); ++ if (!buf->area) ++ return -ENOMEM; + + return 0; + } +-- +2.34.1 + diff --git a/queue-5.10/asoc-uniphier-drop-selecting-non-existing-snd_soc_un.patch b/queue-5.10/asoc-uniphier-drop-selecting-non-existing-snd_soc_un.patch new file mode 100644 index 00000000000..fc4c11aad05 --- /dev/null +++ b/queue-5.10/asoc-uniphier-drop-selecting-non-existing-snd_soc_un.patch @@ -0,0 +1,53 @@ +From fabdb583456180c3f1637672ac5efce564ce2e8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Nov 2021 10:51:57 +0100 +Subject: ASoC: uniphier: drop selecting non-existing SND_SOC_UNIPHIER_AIO_DMA + +From: Lukas Bulwahn + +[ Upstream commit 49f893253ab43566e34332a969324531fea463f6 ] + +Commit f37fe2f9987b ("ASoC: uniphier: add support for UniPhier AIO common +driver") adds configs SND_SOC_UNIPHIER_{LD11,PXS2}, which select the +non-existing config SND_SOC_UNIPHIER_AIO_DMA. + +Hence, ./scripts/checkkconfigsymbols.py warns: + + SND_SOC_UNIPHIER_AIO_DMA + Referencing files: sound/soc/uniphier/Kconfig + +Probably, there is actually no further config intended to be selected +here. So, just drop selecting the non-existing config. + +Fixes: f37fe2f9987b ("ASoC: uniphier: add support for UniPhier AIO common driver") +Signed-off-by: Lukas Bulwahn +Link: https://lore.kernel.org/r/20211125095158.8394-2-lukas.bulwahn@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/uniphier/Kconfig | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/sound/soc/uniphier/Kconfig b/sound/soc/uniphier/Kconfig +index aa3592ee1358b..ddfa6424c656b 100644 +--- a/sound/soc/uniphier/Kconfig ++++ b/sound/soc/uniphier/Kconfig +@@ -23,7 +23,6 @@ config SND_SOC_UNIPHIER_LD11 + tristate "UniPhier LD11/LD20 Device Driver" + depends on SND_SOC_UNIPHIER + select SND_SOC_UNIPHIER_AIO +- select SND_SOC_UNIPHIER_AIO_DMA + help + This adds ASoC driver for Socionext UniPhier LD11/LD20 + input and output that can be used with other codecs. +@@ -34,7 +33,6 @@ config SND_SOC_UNIPHIER_PXS2 + tristate "UniPhier PXs2 Device Driver" + depends on SND_SOC_UNIPHIER + select SND_SOC_UNIPHIER_AIO +- select SND_SOC_UNIPHIER_AIO_DMA + help + This adds ASoC driver for Socionext UniPhier PXs2 + input and output that can be used with other codecs. +-- +2.34.1 + diff --git a/queue-5.10/ath10k-fix-tx-hanging.patch b/queue-5.10/ath10k-fix-tx-hanging.patch new file mode 100644 index 00000000000..1bcf656456f --- /dev/null +++ b/queue-5.10/ath10k-fix-tx-hanging.patch @@ -0,0 +1,56 @@ +From c3e9ab82375edc58d6f40fa866c97c28b8835407 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 May 2021 15:58:06 +0700 +Subject: ath10k: Fix tx hanging + +From: Sebastian Gottschall + +[ Upstream commit e8a91863eba3966a447d2daa1526082d52b5db2a ] + +While running stress tests in roaming scenarios (switching ap's every 5 +seconds, we discovered a issue which leads to tx hangings of exactly 5 +seconds while or after scanning for new accesspoints. We found out that +this hanging is triggered by ath10k_mac_wait_tx_complete since the +empty_tx_wq was not wake when the num_tx_pending counter reaches zero. +To fix this, we simply move the wake_up call to htt_tx_dec_pending, +since this call was missed on several locations within the ath10k code. + +Signed-off-by: Sebastian Gottschall +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210505085806.11474-1-s.gottschall@dd-wrt.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/htt_tx.c | 3 +++ + drivers/net/wireless/ath/ath10k/txrx.c | 2 -- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/htt_tx.c b/drivers/net/wireless/ath/ath10k/htt_tx.c +index 1fc0a312ab587..5f67da47036cf 100644 +--- a/drivers/net/wireless/ath/ath10k/htt_tx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_tx.c +@@ -147,6 +147,9 @@ void ath10k_htt_tx_dec_pending(struct ath10k_htt *htt) + htt->num_pending_tx--; + if (htt->num_pending_tx == htt->max_num_pending_tx - 1) + ath10k_mac_tx_unlock(htt->ar, ATH10K_TX_PAUSE_Q_FULL); ++ ++ if (htt->num_pending_tx == 0) ++ wake_up(&htt->empty_tx_wq); + } + + int ath10k_htt_tx_inc_pending(struct ath10k_htt *htt) +diff --git a/drivers/net/wireless/ath/ath10k/txrx.c b/drivers/net/wireless/ath/ath10k/txrx.c +index aefe1f7f906c0..f51f1cf2c6a40 100644 +--- a/drivers/net/wireless/ath/ath10k/txrx.c ++++ b/drivers/net/wireless/ath/ath10k/txrx.c +@@ -82,8 +82,6 @@ int ath10k_txrx_tx_unref(struct ath10k_htt *htt, + flags = skb_cb->flags; + ath10k_htt_tx_free_msdu_id(htt, tx_done->msdu_id); + ath10k_htt_tx_dec_pending(htt); +- if (htt->num_pending_tx == 0) +- wake_up(&htt->empty_tx_wq); + spin_unlock_bh(&htt->tx_lock); + + rcu_read_lock(); +-- +2.34.1 + diff --git a/queue-5.10/ath11k-avoid-deadlock-by-change-ieee80211_queue_work.patch b/queue-5.10/ath11k-avoid-deadlock-by-change-ieee80211_queue_work.patch new file mode 100644 index 00000000000..c515831ac72 --- /dev/null +++ b/queue-5.10/ath11k-avoid-deadlock-by-change-ieee80211_queue_work.patch @@ -0,0 +1,205 @@ +From 0aacd9614dcb1a337e2ef26a25d27b18c300399b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Dec 2021 17:23:36 +0200 +Subject: ath11k: avoid deadlock by change ieee80211_queue_work for + regd_update_work + +From: Wen Gong + +[ Upstream commit ed05c7cf1286d7e31e7623bce55ff135723591bf ] + +When enable debug config, it print below warning while shut down wlan +interface shuh as run "ifconfig wlan0 down". + +The reason is because ar->regd_update_work is ran once, and it is will +call wiphy_lock(ar->hw->wiphy) in function ath11k_regd_update() which +is running in workqueue of ieee80211_local queued by ieee80211_queue_work(). +Another thread from "ifconfig wlan0 down" will also accuqire the lock +by wiphy_lock(sdata->local->hw.wiphy) in function ieee80211_stop(), and +then it call ieee80211_stop_device() to flush_workqueue(local->workqueue), +this will wait the workqueue of ieee80211_local finished. Then deadlock +will happen easily if the two thread run meanwhile. + +Below warning disappeared after this change. + +[ 914.088798] ath11k_pci 0000:05:00.0: mac remove interface (vdev 0) +[ 914.088806] ath11k_pci 0000:05:00.0: mac stop 11d scan +[ 914.088810] ath11k_pci 0000:05:00.0: mac stop 11d vdev id 0 +[ 914.088827] ath11k_pci 0000:05:00.0: htc ep 2 consumed 1 credits (total 0) +[ 914.088841] ath11k_pci 0000:05:00.0: send 11d scan stop vdev id 0 +[ 914.088849] ath11k_pci 0000:05:00.0: htc insufficient credits ep 2 required 1 available 0 +[ 914.088856] ath11k_pci 0000:05:00.0: htc insufficient credits ep 2 required 1 available 0 +[ 914.096434] ath11k_pci 0000:05:00.0: rx ce pipe 2 len 16 +[ 914.096442] ath11k_pci 0000:05:00.0: htc ep 2 got 1 credits (total 1) +[ 914.096481] ath11k_pci 0000:05:00.0: htc ep 2 consumed 1 credits (total 0) +[ 914.096491] ath11k_pci 0000:05:00.0: WMI vdev delete id 0 +[ 914.111598] ath11k_pci 0000:05:00.0: rx ce pipe 2 len 16 +[ 914.111628] ath11k_pci 0000:05:00.0: htc ep 2 got 1 credits (total 1) +[ 914.114659] ath11k_pci 0000:05:00.0: rx ce pipe 2 len 20 +[ 914.114742] ath11k_pci 0000:05:00.0: htc rx completion ep 2 skb pK-error +[ 914.115977] ath11k_pci 0000:05:00.0: vdev delete resp for vdev id 0 +[ 914.116685] ath11k_pci 0000:05:00.0: vdev 00:03:7f:29:61:11 deleted, vdev_id 0 + +[ 914.117583] ====================================================== +[ 914.117592] WARNING: possible circular locking dependency detected +[ 914.117600] 5.16.0-rc1-wt-ath+ #1 Tainted: G OE +[ 914.117611] ------------------------------------------------------ +[ 914.117618] ifconfig/2805 is trying to acquire lock: +[ 914.117628] ffff9c00a62bb548 ((wq_completion)phy0){+.+.}-{0:0}, at: flush_workqueue+0x87/0x470 +[ 914.117674] + but task is already holding lock: +[ 914.117682] ffff9c00baea07d0 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: ieee80211_stop+0x38/0x180 [mac80211] +[ 914.117872] + which lock already depends on the new lock. + +[ 914.117880] + the existing dependency chain (in reverse order) is: +[ 914.117888] + -> #3 (&rdev->wiphy.mtx){+.+.}-{4:4}: +[ 914.117910] __mutex_lock+0xa0/0x9c0 +[ 914.117930] mutex_lock_nested+0x1b/0x20 +[ 914.117944] reg_process_self_managed_hints+0x3a/0xb0 [cfg80211] +[ 914.118093] wiphy_regulatory_register+0x47/0x80 [cfg80211] +[ 914.118229] wiphy_register+0x84f/0x9c0 [cfg80211] +[ 914.118353] ieee80211_register_hw+0x6b1/0xd90 [mac80211] +[ 914.118486] ath11k_mac_register+0x6af/0xb60 [ath11k] +[ 914.118550] ath11k_core_qmi_firmware_ready+0x383/0x4a0 [ath11k] +[ 914.118598] ath11k_qmi_driver_event_work+0x347/0x4a0 [ath11k] +[ 914.118656] process_one_work+0x228/0x670 +[ 914.118669] worker_thread+0x4d/0x440 +[ 914.118680] kthread+0x16d/0x1b0 +[ 914.118697] ret_from_fork+0x22/0x30 +[ 914.118714] + -> #2 (rtnl_mutex){+.+.}-{4:4}: +[ 914.118736] __mutex_lock+0xa0/0x9c0 +[ 914.118751] mutex_lock_nested+0x1b/0x20 +[ 914.118767] rtnl_lock+0x17/0x20 +[ 914.118783] ath11k_regd_update+0x15a/0x260 [ath11k] +[ 914.118841] ath11k_regd_update_work+0x15/0x20 [ath11k] +[ 914.118897] process_one_work+0x228/0x670 +[ 914.118909] worker_thread+0x4d/0x440 +[ 914.118920] kthread+0x16d/0x1b0 +[ 914.118934] ret_from_fork+0x22/0x30 +[ 914.118948] + -> #1 ((work_completion)(&ar->regd_update_work)){+.+.}-{0:0}: +[ 914.118972] process_one_work+0x1fa/0x670 +[ 914.118984] worker_thread+0x4d/0x440 +[ 914.118996] kthread+0x16d/0x1b0 +[ 914.119010] ret_from_fork+0x22/0x30 +[ 914.119023] + -> #0 ((wq_completion)phy0){+.+.}-{0:0}: +[ 914.119045] __lock_acquire+0x146d/0x1cf0 +[ 914.119057] lock_acquire+0x19b/0x360 +[ 914.119067] flush_workqueue+0xae/0x470 +[ 914.119084] ieee80211_stop_device+0x3b/0x50 [mac80211] +[ 914.119260] ieee80211_do_stop+0x5d7/0x830 [mac80211] +[ 914.119409] ieee80211_stop+0x45/0x180 [mac80211] +[ 914.119557] __dev_close_many+0xb3/0x120 +[ 914.119573] __dev_change_flags+0xc3/0x1d0 +[ 914.119590] dev_change_flags+0x29/0x70 +[ 914.119605] devinet_ioctl+0x653/0x810 +[ 914.119620] inet_ioctl+0x193/0x1e0 +[ 914.119631] sock_do_ioctl+0x4d/0xf0 +[ 914.119649] sock_ioctl+0x262/0x340 +[ 914.119665] __x64_sys_ioctl+0x96/0xd0 +[ 914.119678] do_syscall_64+0x3d/0xd0 +[ 914.119694] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 914.119709] + other info that might help us debug this: + +[ 914.119717] Chain exists of: + (wq_completion)phy0 --> rtnl_mutex --> &rdev->wiphy.mtx + +[ 914.119745] Possible unsafe locking scenario: + +[ 914.119752] CPU0 CPU1 +[ 914.119758] ---- ---- +[ 914.119765] lock(&rdev->wiphy.mtx); +[ 914.119778] lock(rtnl_mutex); +[ 914.119792] lock(&rdev->wiphy.mtx); +[ 914.119807] lock((wq_completion)phy0); +[ 914.119819] + *** DEADLOCK *** + +[ 914.119827] 2 locks held by ifconfig/2805: +[ 914.119837] #0: ffffffffba3dc010 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock+0x17/0x20 +[ 914.119872] #1: ffff9c00baea07d0 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: ieee80211_stop+0x38/0x180 [mac80211] +[ 914.120039] + stack backtrace: +[ 914.120048] CPU: 0 PID: 2805 Comm: ifconfig Tainted: G OE 5.16.0-rc1-wt-ath+ #1 +[ 914.120064] Hardware name: LENOVO 418065C/418065C, BIOS 83ET63WW (1.33 ) 07/29/2011 +[ 914.120074] Call Trace: +[ 914.120084] +[ 914.120094] dump_stack_lvl+0x73/0xa4 +[ 914.120119] dump_stack+0x10/0x12 +[ 914.120135] print_circular_bug.isra.44+0x221/0x2e0 +[ 914.120165] check_noncircular+0x106/0x150 +[ 914.120203] __lock_acquire+0x146d/0x1cf0 +[ 914.120215] ? __lock_acquire+0x146d/0x1cf0 +[ 914.120245] lock_acquire+0x19b/0x360 +[ 914.120259] ? flush_workqueue+0x87/0x470 +[ 914.120286] ? lockdep_init_map_type+0x6b/0x250 +[ 914.120310] flush_workqueue+0xae/0x470 +[ 914.120327] ? flush_workqueue+0x87/0x470 +[ 914.120344] ? lockdep_hardirqs_on+0xd7/0x150 +[ 914.120391] ieee80211_stop_device+0x3b/0x50 [mac80211] +[ 914.120565] ? ieee80211_stop_device+0x3b/0x50 [mac80211] +[ 914.120736] ieee80211_do_stop+0x5d7/0x830 [mac80211] +[ 914.120906] ieee80211_stop+0x45/0x180 [mac80211] +[ 914.121060] __dev_close_many+0xb3/0x120 +[ 914.121081] __dev_change_flags+0xc3/0x1d0 +[ 914.121109] dev_change_flags+0x29/0x70 +[ 914.121131] devinet_ioctl+0x653/0x810 +[ 914.121149] ? __might_fault+0x77/0x80 +[ 914.121179] inet_ioctl+0x193/0x1e0 +[ 914.121194] ? inet_ioctl+0x193/0x1e0 +[ 914.121218] ? __might_fault+0x77/0x80 +[ 914.121238] ? _copy_to_user+0x68/0x80 +[ 914.121266] sock_do_ioctl+0x4d/0xf0 +[ 914.121283] ? inet_stream_connect+0x60/0x60 +[ 914.121297] ? sock_do_ioctl+0x4d/0xf0 +[ 914.121329] sock_ioctl+0x262/0x340 +[ 914.121347] ? sock_ioctl+0x262/0x340 +[ 914.121362] ? exit_to_user_mode_prepare+0x13b/0x280 +[ 914.121388] ? syscall_enter_from_user_mode+0x20/0x50 +[ 914.121416] __x64_sys_ioctl+0x96/0xd0 +[ 914.121430] ? br_ioctl_call+0x90/0x90 +[ 914.121445] ? __x64_sys_ioctl+0x96/0xd0 +[ 914.121465] do_syscall_64+0x3d/0xd0 +[ 914.121482] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 914.121497] RIP: 0033:0x7f0ed051737b +[ 914.121513] Code: 0f 1e fa 48 8b 05 15 3b 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e5 3a 0d 00 f7 d8 64 89 01 48 +[ 914.121527] RSP: 002b:00007fff7be38b98 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 +[ 914.121544] RAX: ffffffffffffffda RBX: 00007fff7be38ba0 RCX: 00007f0ed051737b +[ 914.121555] RDX: 00007fff7be38ba0 RSI: 0000000000008914 RDI: 0000000000000004 +[ 914.121566] RBP: 00007fff7be38c60 R08: 000000000000000a R09: 0000000000000001 +[ 914.121576] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000fffffffe +[ 914.121586] R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000 +[ 914.121620] + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1 + +Signed-off-by: Wen Gong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211201071745.17746-2-quic_wgong@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/wmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c +index acf1641ce88fd..53846dc9a5c5a 100644 +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -5422,7 +5422,7 @@ static int ath11k_reg_chan_list_event(struct ath11k_base *ab, struct sk_buff *sk + ar = ab->pdevs[pdev_idx].ar; + kfree(ab->new_regd[pdev_idx]); + ab->new_regd[pdev_idx] = regd; +- ieee80211_queue_work(ar->hw, &ar->regd_update_work); ++ queue_work(ab->workqueue, &ar->regd_update_work); + } else { + /* This regd would be applied during mac registration and is + * held constant throughout for regd intersection purpose +-- +2.34.1 + diff --git a/queue-5.10/ath11k-avoid-false-deadlock-warning-reported-by-lock.patch b/queue-5.10/ath11k-avoid-false-deadlock-warning-reported-by-lock.patch new file mode 100644 index 00000000000..c4abbc9408b --- /dev/null +++ b/queue-5.10/ath11k-avoid-false-deadlock-warning-reported-by-lock.patch @@ -0,0 +1,181 @@ +From 20a7c4d040169dc85a484dfc76988a2b3e8e9379 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Dec 2021 09:19:49 +0800 +Subject: ath11k: Avoid false DEADLOCK warning reported by lockdep + +From: Baochen Qiang + +[ Upstream commit 767c94caf0efad136157110787fe221b74cb5c8a ] + +With CONFIG_LOCKDEP=y and CONFIG_DEBUG_SPINLOCK=y, lockdep reports +below warning: + +[ 166.059415] ============================================ +[ 166.059416] WARNING: possible recursive locking detected +[ 166.059418] 5.15.0-wt-ath+ #10 Tainted: G W O +[ 166.059420] -------------------------------------------- +[ 166.059421] kworker/0:2/116 is trying to acquire lock: +[ 166.059423] ffff9905f2083160 (&srng->lock){+.-.}-{2:2}, at: ath11k_hal_reo_cmd_send+0x20/0x490 [ath11k] +[ 166.059440] + but task is already holding lock: +[ 166.059442] ffff9905f2083230 (&srng->lock){+.-.}-{2:2}, at: ath11k_dp_process_reo_status+0x95/0x2d0 [ath11k] +[ 166.059491] + other info that might help us debug this: +[ 166.059492] Possible unsafe locking scenario: + +[ 166.059493] CPU0 +[ 166.059494] ---- +[ 166.059495] lock(&srng->lock); +[ 166.059498] lock(&srng->lock); +[ 166.059500] + *** DEADLOCK *** + +[ 166.059501] May be due to missing lock nesting notation + +[ 166.059502] 3 locks held by kworker/0:2/116: +[ 166.059504] #0: ffff9905c0081548 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x1f6/0x660 +[ 166.059511] #1: ffff9d2400a5fe68 ((debug_obj_work).work){+.+.}-{0:0}, at: process_one_work+0x1f6/0x660 +[ 166.059517] #2: ffff9905f2083230 (&srng->lock){+.-.}-{2:2}, at: ath11k_dp_process_reo_status+0x95/0x2d0 [ath11k] +[ 166.059532] + stack backtrace: +[ 166.059534] CPU: 0 PID: 116 Comm: kworker/0:2 Kdump: loaded Tainted: G W O 5.15.0-wt-ath+ #10 +[ 166.059537] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0059.2019.1112.1124 11/12/2019 +[ 166.059539] Workqueue: events free_obj_work +[ 166.059543] Call Trace: +[ 166.059545] +[ 166.059547] dump_stack_lvl+0x56/0x7b +[ 166.059552] __lock_acquire+0xb9a/0x1a50 +[ 166.059556] lock_acquire+0x1e2/0x330 +[ 166.059560] ? ath11k_hal_reo_cmd_send+0x20/0x490 [ath11k] +[ 166.059571] _raw_spin_lock_bh+0x33/0x70 +[ 166.059574] ? ath11k_hal_reo_cmd_send+0x20/0x490 [ath11k] +[ 166.059584] ath11k_hal_reo_cmd_send+0x20/0x490 [ath11k] +[ 166.059594] ath11k_dp_tx_send_reo_cmd+0x3f/0x130 [ath11k] +[ 166.059605] ath11k_dp_rx_tid_del_func+0x221/0x370 [ath11k] +[ 166.059618] ath11k_dp_process_reo_status+0x22f/0x2d0 [ath11k] +[ 166.059632] ? ath11k_dp_service_srng+0x2ea/0x2f0 [ath11k] +[ 166.059643] ath11k_dp_service_srng+0x2ea/0x2f0 [ath11k] +[ 166.059655] ath11k_pci_ext_grp_napi_poll+0x1c/0x70 [ath11k_pci] +[ 166.059659] __napi_poll+0x28/0x230 +[ 166.059664] net_rx_action+0x285/0x310 +[ 166.059668] __do_softirq+0xe6/0x4d2 +[ 166.059672] irq_exit_rcu+0xd2/0xf0 +[ 166.059675] common_interrupt+0xa5/0xc0 +[ 166.059678] +[ 166.059679] +[ 166.059680] asm_common_interrupt+0x1e/0x40 +[ 166.059683] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 +[ 166.059686] Code: 83 c7 18 e8 2a 95 43 ff 48 89 ef e8 22 d2 43 ff 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 63 2e 40 ff 65 8b 05 8c 59 97 5c 85 c0 74 0a 5b 5d c3 e8 00 6a +[ 166.059689] RSP: 0018:ffff9d2400a5fca0 EFLAGS: 00000206 +[ 166.059692] RAX: 0000000000000002 RBX: 0000000000000200 RCX: 0000000000000006 +[ 166.059694] RDX: 0000000000000000 RSI: ffffffffa404879b RDI: 0000000000000001 +[ 166.059696] RBP: ffff9905c0053000 R08: 0000000000000001 R09: 0000000000000001 +[ 166.059698] R10: ffff9d2400a5fc50 R11: 0000000000000001 R12: ffffe186c41e2840 +[ 166.059700] R13: 0000000000000001 R14: ffff9905c78a1c68 R15: 0000000000000001 +[ 166.059704] free_debug_processing+0x257/0x3d0 +[ 166.059708] ? free_obj_work+0x1f5/0x250 +[ 166.059712] __slab_free+0x374/0x5a0 +[ 166.059718] ? kmem_cache_free+0x2e1/0x370 +[ 166.059721] ? free_obj_work+0x1f5/0x250 +[ 166.059724] kmem_cache_free+0x2e1/0x370 +[ 166.059727] free_obj_work+0x1f5/0x250 +[ 166.059731] process_one_work+0x28b/0x660 +[ 166.059735] ? process_one_work+0x660/0x660 +[ 166.059738] worker_thread+0x37/0x390 +[ 166.059741] ? process_one_work+0x660/0x660 +[ 166.059743] kthread+0x176/0x1a0 +[ 166.059746] ? set_kthread_struct+0x40/0x40 +[ 166.059749] ret_from_fork+0x22/0x30 +[ 166.059754] + +Since these two lockes are both initialized in ath11k_hal_srng_setup, +they are assigned with the same key. As a result lockdep suspects that +the task is trying to acquire the same lock (due to same key) while +already holding it, and thus reports the DEADLOCK warning. However as +they are different spinlock instances, the warning is false positive. + +On the other hand, even no dead lock indeed, this is a major issue for +upstream regression testing as it disables lockdep functionality. + +Fix it by assigning separate lock class key for each srng->lock. + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1 +Signed-off-by: Baochen Qiang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211209011949.151472-1-quic_bqiang@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/hal.c | 22 ++++++++++++++++++++++ + drivers/net/wireless/ath/ath11k/hal.h | 2 ++ + 2 files changed, 24 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c +index 9904c0eb75875..f3b9108ab6bd0 100644 +--- a/drivers/net/wireless/ath/ath11k/hal.c ++++ b/drivers/net/wireless/ath/ath11k/hal.c +@@ -991,6 +991,7 @@ int ath11k_hal_srng_setup(struct ath11k_base *ab, enum hal_ring_type type, + srng->msi_data = params->msi_data; + srng->initialized = 1; + spin_lock_init(&srng->lock); ++ lockdep_set_class(&srng->lock, hal->srng_key + ring_id); + + for (i = 0; i < HAL_SRNG_NUM_REG_GRP; i++) { + srng->hwreg_base[i] = srng_config->reg_start[i] + +@@ -1237,6 +1238,24 @@ static int ath11k_hal_srng_create_config(struct ath11k_base *ab) + return 0; + } + ++static void ath11k_hal_register_srng_key(struct ath11k_base *ab) ++{ ++ struct ath11k_hal *hal = &ab->hal; ++ u32 ring_id; ++ ++ for (ring_id = 0; ring_id < HAL_SRNG_RING_ID_MAX; ring_id++) ++ lockdep_register_key(hal->srng_key + ring_id); ++} ++ ++static void ath11k_hal_unregister_srng_key(struct ath11k_base *ab) ++{ ++ struct ath11k_hal *hal = &ab->hal; ++ u32 ring_id; ++ ++ for (ring_id = 0; ring_id < HAL_SRNG_RING_ID_MAX; ring_id++) ++ lockdep_unregister_key(hal->srng_key + ring_id); ++} ++ + int ath11k_hal_srng_init(struct ath11k_base *ab) + { + struct ath11k_hal *hal = &ab->hal; +@@ -1256,6 +1275,8 @@ int ath11k_hal_srng_init(struct ath11k_base *ab) + if (ret) + goto err_free_cont_rdp; + ++ ath11k_hal_register_srng_key(ab); ++ + return 0; + + err_free_cont_rdp: +@@ -1270,6 +1291,7 @@ void ath11k_hal_srng_deinit(struct ath11k_base *ab) + { + struct ath11k_hal *hal = &ab->hal; + ++ ath11k_hal_unregister_srng_key(ab); + ath11k_hal_free_cont_rdp(ab); + ath11k_hal_free_cont_wrp(ab); + kfree(hal->srng_config); +diff --git a/drivers/net/wireless/ath/ath11k/hal.h b/drivers/net/wireless/ath/ath11k/hal.h +index 1f1b29cd0aa39..5fbfded8d546c 100644 +--- a/drivers/net/wireless/ath/ath11k/hal.h ++++ b/drivers/net/wireless/ath/ath11k/hal.h +@@ -888,6 +888,8 @@ struct ath11k_hal { + /* shadow register configuration */ + u32 shadow_reg_addr[HAL_SHADOW_NUM_REGS]; + int num_shadow_reg_configured; ++ ++ struct lock_class_key srng_key[HAL_SRNG_RING_ID_MAX]; + }; + + u32 ath11k_hal_reo_qdesc_size(u32 ba_window_size, u8 tid); +-- +2.34.1 + diff --git a/queue-5.10/ath11k-avoid-null-ptr-access-during-mgmt-tx-cleanup.patch b/queue-5.10/ath11k-avoid-null-ptr-access-during-mgmt-tx-cleanup.patch new file mode 100644 index 00000000000..15f7f3b0160 --- /dev/null +++ b/queue-5.10/ath11k-avoid-null-ptr-access-during-mgmt-tx-cleanup.patch @@ -0,0 +1,119 @@ +From 5f86583d93518cc33b3c85b6a626e0692c8e0cdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Nov 2021 15:00:14 +0530 +Subject: ath11k: Avoid NULL ptr access during mgmt tx cleanup + +From: Sriram R + +[ Upstream commit a93789ae541c7d5c1c2a4942013adb6bcc5e2848 ] + +Currently 'ar' reference is not added in skb_cb during +WMI mgmt tx. Though this is generally not used during tx completion +callbacks, on interface removal the remaining idr cleanup callback +uses the ar ptr from skb_cb from mgmt txmgmt_idr. Hence +fill them during tx call for proper usage. + +Also free the skb which is missing currently in these +callbacks. + +Crash_info: + +[19282.489476] Unable to handle kernel NULL pointer dereference at virtual address 00000000 +[19282.489515] pgd = 91eb8000 +[19282.496702] [00000000] *pgd=00000000 +[19282.502524] Internal error: Oops: 5 [#1] PREEMPT SMP ARM +[19282.783728] PC is at ath11k_mac_vif_txmgmt_idr_remove+0x28/0xd8 [ath11k] +[19282.789170] LR is at idr_for_each+0xa0/0xc8 + +Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-00729-QCAHKSWPL_SILICONZ-3 v2 +Signed-off-by: Sriram R +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1637832614-13831-1-git-send-email-quic_srirrama@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 35 +++++++++++++++------------ + 1 file changed, 20 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index 18e841e1a016d..cc9122f420243 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: BSD-3-Clause-Clear + /* + * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved. ++ * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved. + */ + + #include +@@ -3883,23 +3884,32 @@ static int __ath11k_set_antenna(struct ath11k *ar, u32 tx_ant, u32 rx_ant) + return 0; + } + +-int ath11k_mac_tx_mgmt_pending_free(int buf_id, void *skb, void *ctx) ++static void ath11k_mac_tx_mgmt_free(struct ath11k *ar, int buf_id) + { +- struct sk_buff *msdu = skb; ++ struct sk_buff *msdu; + struct ieee80211_tx_info *info; +- struct ath11k *ar = ctx; +- struct ath11k_base *ab = ar->ab; + + spin_lock_bh(&ar->txmgmt_idr_lock); +- idr_remove(&ar->txmgmt_idr, buf_id); ++ msdu = idr_remove(&ar->txmgmt_idr, buf_id); + spin_unlock_bh(&ar->txmgmt_idr_lock); +- dma_unmap_single(ab->dev, ATH11K_SKB_CB(msdu)->paddr, msdu->len, ++ ++ if (!msdu) ++ return; ++ ++ dma_unmap_single(ar->ab->dev, ATH11K_SKB_CB(msdu)->paddr, msdu->len, + DMA_TO_DEVICE); + + info = IEEE80211_SKB_CB(msdu); + memset(&info->status, 0, sizeof(info->status)); + + ieee80211_free_txskb(ar->hw, msdu); ++} ++ ++int ath11k_mac_tx_mgmt_pending_free(int buf_id, void *skb, void *ctx) ++{ ++ struct ath11k *ar = ctx; ++ ++ ath11k_mac_tx_mgmt_free(ar, buf_id); + + return 0; + } +@@ -3908,17 +3918,10 @@ static int ath11k_mac_vif_txmgmt_idr_remove(int buf_id, void *skb, void *ctx) + { + struct ieee80211_vif *vif = ctx; + struct ath11k_skb_cb *skb_cb = ATH11K_SKB_CB((struct sk_buff *)skb); +- struct sk_buff *msdu = skb; + struct ath11k *ar = skb_cb->ar; +- struct ath11k_base *ab = ar->ab; + +- if (skb_cb->vif == vif) { +- spin_lock_bh(&ar->txmgmt_idr_lock); +- idr_remove(&ar->txmgmt_idr, buf_id); +- spin_unlock_bh(&ar->txmgmt_idr_lock); +- dma_unmap_single(ab->dev, skb_cb->paddr, msdu->len, +- DMA_TO_DEVICE); +- } ++ if (skb_cb->vif == vif) ++ ath11k_mac_tx_mgmt_free(ar, buf_id); + + return 0; + } +@@ -3933,6 +3936,8 @@ static int ath11k_mac_mgmt_tx_wmi(struct ath11k *ar, struct ath11k_vif *arvif, + int buf_id; + int ret; + ++ ATH11K_SKB_CB(skb)->ar = ar; ++ + spin_lock_bh(&ar->txmgmt_idr_lock); + buf_id = idr_alloc(&ar->txmgmt_idr, skb, 0, + ATH11K_TX_MGMT_NUM_PENDING_MAX, GFP_ATOMIC); +-- +2.34.1 + diff --git a/queue-5.10/ath11k-clear-the-keys-properly-via-disable_key.patch b/queue-5.10/ath11k-clear-the-keys-properly-via-disable_key.patch new file mode 100644 index 00000000000..0b75a489e8f --- /dev/null +++ b/queue-5.10/ath11k-clear-the-keys-properly-via-disable_key.patch @@ -0,0 +1,64 @@ +From e1d7b2c91a20cbeb3ef5af9d3eb1a995347b5627 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 11:04:40 +0100 +Subject: ath11k: clear the keys properly via DISABLE_KEY + +From: Karthikeyan Kathirvel + +[ Upstream commit 436a4e88659842a7cf634d7cc088c8f2cc94ebf5 ] + +DISABLE_KEY sets the key_len to 0, firmware will not delete the keys if +key_len is 0. Changing from security mode to open mode will cause mcast +to be still encrypted without vdev restart. + +Set the proper key_len for DISABLE_KEY cmd to clear the keys in +firmware. + +Tested-on: IPQ6018 hw1.0 AHB WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Reported-by: Sven Eckelmann +Signed-off-by: Karthikeyan Kathirvel +[sven@narfation.org: split into separate patches, clean up commit message] +Signed-off-by: Sven Eckelmann + +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211115100441.33771-1-sven@narfation.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 4 +--- + drivers/net/wireless/ath/ath11k/wmi.c | 3 ++- + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index 0924bc8b35205..304e158f09751 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -2395,9 +2395,7 @@ static int ath11k_install_key(struct ath11k_vif *arvif, + return 0; + + if (cmd == DISABLE_KEY) { +- /* TODO: Check if FW expects value other than NONE for del */ +- /* arg.key_cipher = WMI_CIPHER_NONE; */ +- arg.key_len = 0; ++ arg.key_cipher = WMI_CIPHER_NONE; + arg.key_data = NULL; + goto install; + } +diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c +index e84127165d858..acf1641ce88fd 100644 +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -1665,7 +1665,8 @@ int ath11k_wmi_vdev_install_key(struct ath11k *ar, + tlv = (struct wmi_tlv *)(skb->data + sizeof(*cmd)); + tlv->header = FIELD_PREP(WMI_TLV_TAG, WMI_TAG_ARRAY_BYTE) | + FIELD_PREP(WMI_TLV_LEN, key_len_aligned); +- memcpy(tlv->value, (u8 *)arg->key_data, key_len_aligned); ++ if (arg->key_data) ++ memcpy(tlv->value, (u8 *)arg->key_data, key_len_aligned); + + ret = ath11k_wmi_cmd_send(wmi, skb, WMI_VDEV_INSTALL_KEY_CMDID); + if (ret) { +-- +2.34.1 + diff --git a/queue-5.10/ath11k-fix-a-null-pointer-dereference-in-ath11k_mac_.patch b/queue-5.10/ath11k-fix-a-null-pointer-dereference-in-ath11k_mac_.patch new file mode 100644 index 00000000000..b061e4b3f5b --- /dev/null +++ b/queue-5.10/ath11k-fix-a-null-pointer-dereference-in-ath11k_mac_.patch @@ -0,0 +1,59 @@ +From 06f6a24f2e796a868a8a4e93341e042c32fb645c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Dec 2021 11:53:07 +0200 +Subject: ath11k: Fix a NULL pointer dereference in ath11k_mac_op_hw_scan() + +From: Zhou Qingyang + +[ Upstream commit eccd25136386a04ebf46a64f3a34e8e0fab6d9e1 ] + +In ath11k_mac_op_hw_scan(), the return value of kzalloc() is directly +used in memcpy(), which may lead to a NULL pointer dereference on +failure of kzalloc(). + +Fix this bug by adding a check of arg.extraie.ptr. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_ATH11K=m show no new warnings, and our static +analyzer no longer warns about this code. + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Signed-off-by: Zhou Qingyang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211202155348.71315-1-zhou1615@umn.edu +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index 835ce805b63ec..18e841e1a016d 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -2320,9 +2320,12 @@ static int ath11k_mac_op_hw_scan(struct ieee80211_hw *hw, + arg.scan_id = ATH11K_SCAN_ID; + + if (req->ie_len) { ++ arg.extraie.ptr = kmemdup(req->ie, req->ie_len, GFP_KERNEL); ++ if (!arg.extraie.ptr) { ++ ret = -ENOMEM; ++ goto exit; ++ } + arg.extraie.len = req->ie_len; +- arg.extraie.ptr = kzalloc(req->ie_len, GFP_KERNEL); +- memcpy(arg.extraie.ptr, req->ie, req->ie_len); + } + + if (req->n_ssids) { +-- +2.34.1 + diff --git a/queue-5.10/ath11k-fix-crash-caused-by-uninitialized-tx-ring.patch b/queue-5.10/ath11k-fix-crash-caused-by-uninitialized-tx-ring.patch new file mode 100644 index 00000000000..73a8bf103d5 --- /dev/null +++ b/queue-5.10/ath11k-fix-crash-caused-by-uninitialized-tx-ring.patch @@ -0,0 +1,80 @@ +From 33ce58c79651d9f08b4492e4a357d97be82b2991 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 09:16:05 +0800 +Subject: ath11k: Fix crash caused by uninitialized TX ring + +From: Baochen Qiang + +[ Upstream commit 273703ebdb01b6c5f1aaf4b98fb57b177609055c ] + +Commit 31582373a4a8 ("ath11k: Change number of TCL rings to one for +QCA6390") avoids initializing the other entries of dp->tx_ring cause +the corresponding TX rings on QCA6390/WCN6855 are not used, but leaves +those ring masks in ath11k_hw_ring_mask_qca6390.tx unchanged. Normally +this is OK because we will only get interrupts from the first TX ring +on these chips and thus only the first entry of dp->tx_ring is involved. + +In case of one MSI vector, all DP rings share the same IRQ. For each +interrupt, all rings have to be checked, which means the other entries +of dp->tx_ring are involved. However since they are not initialized, +system crashes. + +Fix this issue by simply removing those ring masks. + +crash stack: +[ 102.907438] BUG: kernel NULL pointer dereference, address: 0000000000000028 +[ 102.907447] #PF: supervisor read access in kernel mode +[ 102.907451] #PF: error_code(0x0000) - not-present page +[ 102.907453] PGD 1081f0067 P4D 1081f0067 PUD 1081f1067 PMD 0 +[ 102.907460] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI +[ 102.907465] CPU: 0 PID: 3511 Comm: apt-check Kdump: loaded Tainted: G E 5.15.0-rc4-wt-ath+ #20 +[ 102.907470] Hardware name: AMD Celadon-RN/Celadon-RN, BIOS RCD1005E 10/08/2020 +[ 102.907472] RIP: 0010:ath11k_dp_tx_completion_handler+0x201/0x830 [ath11k] +[ 102.907497] Code: 3c 24 4e 8d ac 37 10 04 00 00 4a 8d bc 37 68 04 00 00 48 89 3c 24 48 63 c8 89 83 84 18 00 00 48 c1 e1 05 48 03 8b 78 18 00 00 <8b> 51 08 89 d6 83 e6 07 89 74 24 24 83 fe 03 74 04 85 f6 75 63 41 +[ 102.907501] RSP: 0000:ffff9b7340003e08 EFLAGS: 00010202 +[ 102.907505] RAX: 0000000000000001 RBX: ffff8e21530c0100 RCX: 0000000000000020 +[ 102.907508] RDX: 0000000000000000 RSI: 00000000fffffe00 RDI: ffff8e21530c1938 +[ 102.907511] RBP: ffff8e21530c0000 R08: 0000000000000001 R09: 0000000000000000 +[ 102.907513] R10: ffff8e2145534c10 R11: 0000000000000001 R12: ffff8e21530c2938 +[ 102.907515] R13: ffff8e21530c18e0 R14: 0000000000000100 R15: ffff8e21530c2978 +[ 102.907518] FS: 00007f5d4297e740(0000) GS:ffff8e243d600000(0000) knlGS:0000000000000000 +[ 102.907521] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 102.907524] CR2: 0000000000000028 CR3: 00000001034ea000 CR4: 0000000000350ef0 +[ 102.907527] Call Trace: +[ 102.907531] +[ 102.907537] ath11k_dp_service_srng+0x5c/0x2f0 [ath11k] +[ 102.907556] ath11k_pci_ext_grp_napi_poll+0x21/0x70 [ath11k_pci] +[ 102.907562] __napi_poll+0x2c/0x160 +[ 102.907570] net_rx_action+0x251/0x310 +[ 102.907576] __do_softirq+0x107/0x2fc +[ 102.907585] irq_exit_rcu+0x74/0x90 +[ 102.907593] common_interrupt+0x83/0xa0 +[ 102.907600] +[ 102.907601] asm_common_interrupt+0x1e/0x40 + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1 + +Signed-off-by: Baochen Qiang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211026011605.58615-1-quic_bqiang@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/hw.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/hw.c b/drivers/net/wireless/ath/ath11k/hw.c +index 66331da350129..f6282e8702923 100644 +--- a/drivers/net/wireless/ath/ath11k/hw.c ++++ b/drivers/net/wireless/ath/ath11k/hw.c +@@ -246,8 +246,6 @@ const struct ath11k_hw_ring_mask ath11k_hw_ring_mask_ipq8074 = { + const struct ath11k_hw_ring_mask ath11k_hw_ring_mask_qca6390 = { + .tx = { + ATH11K_TX_RING_MASK_0, +- ATH11K_TX_RING_MASK_1, +- ATH11K_TX_RING_MASK_2, + }, + .rx_mon_status = { + 0, 0, 0, 0, +-- +2.34.1 + diff --git a/queue-5.10/ath11k-fix-deleting-uninitialized-kernel-timer-durin.patch b/queue-5.10/ath11k-fix-deleting-uninitialized-kernel-timer-durin.patch new file mode 100644 index 00000000000..cda7b6fe9d7 --- /dev/null +++ b/queue-5.10/ath11k-fix-deleting-uninitialized-kernel-timer-durin.patch @@ -0,0 +1,98 @@ +From 52d26fca889d62f821799582673d32639515fc9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Dec 2021 23:07:01 +0530 +Subject: ath11k: Fix deleting uninitialized kernel timer during fragment cache + flush + +From: Rameshkumar Sundaram + +[ Upstream commit ba53ee7f7f38cf0592b8be1dcdabaf8f7535f8c1 ] + +frag_timer will be created & initialized for stations when +they associate and will be deleted during every key installation +while flushing old fragments. + +For AP interface self peer will be created and Group keys +will be installed for this peer, but there will be no real +Station entry & hence frag_timer won't be created and +initialized, deleting such uninitialized kernel timers causes below +warnings and backtraces printed with CONFIG_DEBUG_OBJECTS_TIMERS +enabled. + +[ 177.828008] ODEBUG: assert_init not available (active state 0) object type: timer_list hint: 0x0 +[ 177.836833] WARNING: CPU: 3 PID: 188 at lib/debugobjects.c:508 debug_print_object+0xb0/0xf0 +[ 177.845185] Modules linked in: ath11k_pci ath11k qmi_helpers qrtr_mhi qrtr ns mhi +[ 177.852679] CPU: 3 PID: 188 Comm: hostapd Not tainted 5.14.0-rc3-32919-g4034139e1838-dirty #14 +[ 177.865805] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--) +[ 177.871804] pc : debug_print_object+0xb0/0xf0 +[ 177.876155] lr : debug_print_object+0xb0/0xf0 +[ 177.880505] sp : ffffffc01169b5a0 +[ 177.883810] x29: ffffffc01169b5a0 x28: ffffff80081c2320 x27: ffffff80081c4078 +[ 177.890942] x26: ffffff8003fe8f28 x25: ffffff8003de9890 x24: ffffffc01134d738 +[ 177.898075] x23: ffffffc010948f20 x22: ffffffc010b2d2e0 x21: ffffffc01169b628 +[ 177.905206] x20: ffffffc01134d700 x19: ffffffc010c80d98 x18: 00000000000003f6 +[ 177.912339] x17: 203a657079742074 x16: 63656a626f202930 x15: 0000000000000152 +[ 177.919471] x14: 0000000000000152 x13: 00000000ffffffea x12: ffffffc010d732e0 +[ 177.926603] x11: 0000000000000003 x10: ffffffc010d432a0 x9 : ffffffc010d432f8 +[ 177.933735] x8 : 000000000002ffe8 x7 : c0000000ffffdfff x6 : 0000000000000001 +[ 177.940866] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000ffffffff +[ 177.947997] x2 : ffffffc010c93240 x1 : ffffff80023624c0 x0 : 0000000000000054 +[ 177.955130] Call trace: +[ 177.957567] debug_print_object+0xb0/0xf0 +[ 177.961570] debug_object_assert_init+0x124/0x178 +[ 177.966269] try_to_del_timer_sync+0x1c/0x70 +[ 177.970536] del_timer_sync+0x30/0x50 +[ 177.974192] ath11k_peer_frags_flush+0x34/0x68 [ath11k] +[ 177.979439] ath11k_mac_op_set_key+0x1e4/0x338 [ath11k] +[ 177.984673] ieee80211_key_enable_hw_accel+0xc8/0x3d0 +[ 177.989722] ieee80211_key_replace+0x360/0x740 +[ 177.994160] ieee80211_key_link+0x16c/0x210 +[ 177.998337] ieee80211_add_key+0x138/0x338 +[ 178.002426] nl80211_new_key+0xfc/0x258 +[ 178.006257] genl_family_rcv_msg_doit.isra.17+0xd8/0x120 +[ 178.011565] genl_rcv_msg+0xd8/0x1c8 +[ 178.015134] netlink_rcv_skb+0x38/0xf8 +[ 178.018877] genl_rcv+0x34/0x48 +[ 178.022012] netlink_unicast+0x174/0x230 +[ 178.025928] netlink_sendmsg+0x188/0x388 +[ 178.029845] ____sys_sendmsg+0x218/0x250 +[ 178.033763] ___sys_sendmsg+0x68/0x90 +[ 178.037418] __sys_sendmsg+0x44/0x88 +[ 178.040988] __arm64_sys_sendmsg+0x20/0x28 +[ 178.045077] invoke_syscall.constprop.5+0x54/0xe0 +[ 178.049776] do_el0_svc+0x74/0xc0 +[ 178.053084] el0_svc+0x10/0x18 +[ 178.056133] el0t_64_sync_handler+0x88/0xb0 +[ 178.060310] el0t_64_sync+0x148/0x14c +[ 178.063966] ---[ end trace 8a5cf0bf9d34a058 ]--- + +Add changes to not to delete frag timer for peers during +group key installation. + +Tested on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01092-QCAHKSWPL_SILICONZ-1 + +Fixes: c3944a562102 ("ath11k: Clear the fragment cache during key install") +Signed-off-by: Rameshkumar Sundaram +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1639071421-25078-1-git-send-email-quic_ramess@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index b4f8494e3c707..835ce805b63ec 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -2531,7 +2531,7 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + /* flush the fragments cache during key (re)install to + * ensure all frags in the new frag list belong to the same key. + */ +- if (peer && cmd == SET_KEY) ++ if (peer && sta && cmd == SET_KEY) + ath11k_peer_frags_flush(ar, peer); + spin_unlock_bh(&ab->base_lock); + +-- +2.34.1 + diff --git a/queue-5.10/ath11k-fix-etsi-regd-with-weather-radar-overlap.patch b/queue-5.10/ath11k-fix-etsi-regd-with-weather-radar-overlap.patch new file mode 100644 index 00000000000..21ce131fae7 --- /dev/null +++ b/queue-5.10/ath11k-fix-etsi-regd-with-weather-radar-overlap.patch @@ -0,0 +1,240 @@ +From 8967b15bc90f4c0d440a33f754aefddc444de9a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 11:29:55 +0200 +Subject: ath11k: Fix ETSI regd with weather radar overlap + +From: Sven Eckelmann + +[ Upstream commit 086c921a354089f209318501038d43c98d3f409f ] + +Some ETSI countries have a small overlap in the wireless-regdb with an ETSI +channel (5590-5650). A good example is Australia: + + country AU: DFS-ETSI + (2400 - 2483.5 @ 40), (36) + (5150 - 5250 @ 80), (23), NO-OUTDOOR, AUTO-BW + (5250 - 5350 @ 80), (20), NO-OUTDOOR, AUTO-BW, DFS + (5470 - 5600 @ 80), (27), DFS + (5650 - 5730 @ 80), (27), DFS + (5730 - 5850 @ 80), (36) + (57000 - 66000 @ 2160), (43), NO-OUTDOOR + +If the firmware (or the BDF) is shipped with these rules then there is only +a 10 MHz overlap with the weather radar: + +* below: 5470 - 5590 +* weather radar: 5590 - 5600 +* above: (none for the rule "5470 - 5600 @ 80") + +There are several wrong assumption in the ath11k code: + +* there is always a valid range below the weather radar + (actually: there could be no range below the weather radar range OR range + could be smaller than 20 MHz) +* intersected range in the weather radar range is valid + (actually: the range could be smaller than 20 MHz) +* range above weather radar is either empty or valid + (actually: the range could be smaller than 20 MHz) + +These wrong assumption will lead in this example to a rule + + (5590 - 5600 @ 20), (N/A, 27), (600000 ms), DFS, AUTO-BW + +which is invalid according to is_valid_reg_rule() because the freq_diff is +only 10 MHz but the max_bandwidth is set to 20 MHz. Which results in a +rejection like: + + WARNING: at backports-20210222_001-4.4.60-b157d2276/net/wireless/reg.c:3984 + [...] + Call trace: + [] reg_get_max_bandwidth+0x300/0x3a8 [cfg80211] + [] regulatory_set_wiphy_regd_sync+0x3c/0x98 [cfg80211] + [] ath11k_regd_update+0x1a8/0x210 [ath11k] + [] ath11k_regd_update_work+0x18/0x20 [ath11k] + [] process_one_work+0x1f8/0x340 + [] worker_thread+0x25c/0x448 + [] kthread+0xd0/0xd8 + [] ret_from_fork+0x10/0x40 + ath11k c000000.wifi: failed to perform regd update : -22 + Invalid regulatory domain detected + +To avoid this, the algorithm has to be changed slightly. Instead of +splitting a rule which overlaps with the weather radar range into 3 pieces +and accepting the first two parts blindly, it must actually be checked for +each piece whether it is a valid range. And only if it is valid, add it to +the output array. + +When these checks are in place, the processed rules for AU would end up as + + country AU: DFS-ETSI + (2400 - 2483 @ 40), (N/A, 36), (N/A) + (5150 - 5250 @ 80), (6, 23), (N/A), NO-OUTDOOR, AUTO-BW + (5250 - 5350 @ 80), (6, 20), (0 ms), NO-OUTDOOR, DFS, AUTO-BW + (5470 - 5590 @ 80), (6, 27), (0 ms), DFS, AUTO-BW + (5650 - 5730 @ 80), (6, 27), (0 ms), DFS, AUTO-BW + (5730 - 5850 @ 80), (6, 36), (N/A), AUTO-BW + +and will be accepted by the wireless regulatory code. + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211112153116.1214421-1-sven@narfation.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/reg.c | 103 ++++++++++++++------------ + 1 file changed, 56 insertions(+), 47 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/reg.c b/drivers/net/wireless/ath/ath11k/reg.c +index b8f9f34408879..e34311516b958 100644 +--- a/drivers/net/wireless/ath/ath11k/reg.c ++++ b/drivers/net/wireless/ath/ath11k/reg.c +@@ -456,6 +456,9 @@ ath11k_reg_adjust_bw(u16 start_freq, u16 end_freq, u16 max_bw) + { + u16 bw; + ++ if (end_freq <= start_freq) ++ return 0; ++ + bw = end_freq - start_freq; + bw = min_t(u16, bw, max_bw); + +@@ -463,8 +466,10 @@ ath11k_reg_adjust_bw(u16 start_freq, u16 end_freq, u16 max_bw) + bw = 80; + else if (bw >= 40 && bw < 80) + bw = 40; +- else if (bw < 40) ++ else if (bw >= 20 && bw < 40) + bw = 20; ++ else ++ bw = 0; + + return bw; + } +@@ -488,73 +493,77 @@ ath11k_reg_update_weather_radar_band(struct ath11k_base *ab, + struct cur_reg_rule *reg_rule, + u8 *rule_idx, u32 flags, u16 max_bw) + { ++ u32 start_freq; + u32 end_freq; + u16 bw; + u8 i; + + i = *rule_idx; + ++ /* there might be situations when even the input rule must be dropped */ ++ i--; ++ ++ /* frequencies below weather radar */ + bw = ath11k_reg_adjust_bw(reg_rule->start_freq, + ETSI_WEATHER_RADAR_BAND_LOW, max_bw); ++ if (bw > 0) { ++ i++; + +- ath11k_reg_update_rule(regd->reg_rules + i, reg_rule->start_freq, +- ETSI_WEATHER_RADAR_BAND_LOW, bw, +- reg_rule->ant_gain, reg_rule->reg_power, +- flags); ++ ath11k_reg_update_rule(regd->reg_rules + i, ++ reg_rule->start_freq, ++ ETSI_WEATHER_RADAR_BAND_LOW, bw, ++ reg_rule->ant_gain, reg_rule->reg_power, ++ flags); + +- ath11k_dbg(ab, ATH11K_DBG_REG, +- "\t%d. (%d - %d @ %d) (%d, %d) (%d ms) (FLAGS %d)\n", +- i + 1, reg_rule->start_freq, ETSI_WEATHER_RADAR_BAND_LOW, +- bw, reg_rule->ant_gain, reg_rule->reg_power, +- regd->reg_rules[i].dfs_cac_ms, +- flags); +- +- if (reg_rule->end_freq > ETSI_WEATHER_RADAR_BAND_HIGH) +- end_freq = ETSI_WEATHER_RADAR_BAND_HIGH; +- else +- end_freq = reg_rule->end_freq; ++ ath11k_dbg(ab, ATH11K_DBG_REG, ++ "\t%d. (%d - %d @ %d) (%d, %d) (%d ms) (FLAGS %d)\n", ++ i + 1, reg_rule->start_freq, ++ ETSI_WEATHER_RADAR_BAND_LOW, bw, reg_rule->ant_gain, ++ reg_rule->reg_power, regd->reg_rules[i].dfs_cac_ms, ++ flags); ++ } + +- bw = ath11k_reg_adjust_bw(ETSI_WEATHER_RADAR_BAND_LOW, end_freq, +- max_bw); ++ /* weather radar frequencies */ ++ start_freq = max_t(u32, reg_rule->start_freq, ++ ETSI_WEATHER_RADAR_BAND_LOW); ++ end_freq = min_t(u32, reg_rule->end_freq, ETSI_WEATHER_RADAR_BAND_HIGH); + +- i++; ++ bw = ath11k_reg_adjust_bw(start_freq, end_freq, max_bw); ++ if (bw > 0) { ++ i++; + +- ath11k_reg_update_rule(regd->reg_rules + i, +- ETSI_WEATHER_RADAR_BAND_LOW, end_freq, bw, +- reg_rule->ant_gain, reg_rule->reg_power, +- flags); ++ ath11k_reg_update_rule(regd->reg_rules + i, start_freq, ++ end_freq, bw, reg_rule->ant_gain, ++ reg_rule->reg_power, flags); + +- regd->reg_rules[i].dfs_cac_ms = ETSI_WEATHER_RADAR_BAND_CAC_TIMEOUT; ++ regd->reg_rules[i].dfs_cac_ms = ETSI_WEATHER_RADAR_BAND_CAC_TIMEOUT; + +- ath11k_dbg(ab, ATH11K_DBG_REG, +- "\t%d. (%d - %d @ %d) (%d, %d) (%d ms) (FLAGS %d)\n", +- i + 1, ETSI_WEATHER_RADAR_BAND_LOW, end_freq, +- bw, reg_rule->ant_gain, reg_rule->reg_power, +- regd->reg_rules[i].dfs_cac_ms, +- flags); +- +- if (end_freq == reg_rule->end_freq) { +- regd->n_reg_rules--; +- *rule_idx = i; +- return; ++ ath11k_dbg(ab, ATH11K_DBG_REG, ++ "\t%d. (%d - %d @ %d) (%d, %d) (%d ms) (FLAGS %d)\n", ++ i + 1, start_freq, end_freq, bw, ++ reg_rule->ant_gain, reg_rule->reg_power, ++ regd->reg_rules[i].dfs_cac_ms, flags); + } + ++ /* frequencies above weather radar */ + bw = ath11k_reg_adjust_bw(ETSI_WEATHER_RADAR_BAND_HIGH, + reg_rule->end_freq, max_bw); ++ if (bw > 0) { ++ i++; + +- i++; +- +- ath11k_reg_update_rule(regd->reg_rules + i, ETSI_WEATHER_RADAR_BAND_HIGH, +- reg_rule->end_freq, bw, +- reg_rule->ant_gain, reg_rule->reg_power, +- flags); ++ ath11k_reg_update_rule(regd->reg_rules + i, ++ ETSI_WEATHER_RADAR_BAND_HIGH, ++ reg_rule->end_freq, bw, ++ reg_rule->ant_gain, reg_rule->reg_power, ++ flags); + +- ath11k_dbg(ab, ATH11K_DBG_REG, +- "\t%d. (%d - %d @ %d) (%d, %d) (%d ms) (FLAGS %d)\n", +- i + 1, ETSI_WEATHER_RADAR_BAND_HIGH, reg_rule->end_freq, +- bw, reg_rule->ant_gain, reg_rule->reg_power, +- regd->reg_rules[i].dfs_cac_ms, +- flags); ++ ath11k_dbg(ab, ATH11K_DBG_REG, ++ "\t%d. (%d - %d @ %d) (%d, %d) (%d ms) (FLAGS %d)\n", ++ i + 1, ETSI_WEATHER_RADAR_BAND_HIGH, ++ reg_rule->end_freq, bw, reg_rule->ant_gain, ++ reg_rule->reg_power, regd->reg_rules[i].dfs_cac_ms, ++ flags); ++ } + + *rule_idx = i; + } +-- +2.34.1 + diff --git a/queue-5.10/ath11k-fix-napi-related-hang.patch b/queue-5.10/ath11k-fix-napi-related-hang.patch new file mode 100644 index 00000000000..2bb732cf43d --- /dev/null +++ b/queue-5.10/ath11k-fix-napi-related-hang.patch @@ -0,0 +1,109 @@ +From 1043b4ea9752ec684985ad9db0a8ef162d8786e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Sep 2020 12:52:54 -0700 +Subject: ath11k: Fix napi related hang + +From: Ben Greear + +[ Upstream commit d943fdad7589653065be0e20aadc6dff37725ed4 ] + +Similar to the same bug in ath10k, a napi disable w/out it being enabled +will hang forever. I believe I saw this while trying rmmod after driver +had some failure on startup. Fix it by keeping state on whether napi is +enabled or not. + +And, remove un-used napi pointer in ath11k driver base struct. + +Signed-off-by: Ben Greear +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200903195254.29379-1-greearb@candelatech.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/ahb.c | 12 +++++++++--- + drivers/net/wireless/ath/ath11k/core.h | 2 +- + drivers/net/wireless/ath/ath11k/pci.c | 12 +++++++++--- + 3 files changed, 19 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/ahb.c b/drivers/net/wireless/ath/ath11k/ahb.c +index e8cca58e18ffc..9ff6e68533142 100644 +--- a/drivers/net/wireless/ath/ath11k/ahb.c ++++ b/drivers/net/wireless/ath/ath11k/ahb.c +@@ -175,8 +175,11 @@ static void __ath11k_ahb_ext_irq_disable(struct ath11k_base *ab) + + ath11k_ahb_ext_grp_disable(irq_grp); + +- napi_synchronize(&irq_grp->napi); +- napi_disable(&irq_grp->napi); ++ if (irq_grp->napi_enabled) { ++ napi_synchronize(&irq_grp->napi); ++ napi_disable(&irq_grp->napi); ++ irq_grp->napi_enabled = false; ++ } + } + } + +@@ -300,7 +303,10 @@ static void ath11k_ahb_ext_irq_enable(struct ath11k_base *ab) + for (i = 0; i < ATH11K_EXT_IRQ_GRP_NUM_MAX; i++) { + struct ath11k_ext_irq_grp *irq_grp = &ab->ext_irq_grp[i]; + +- napi_enable(&irq_grp->napi); ++ if (!irq_grp->napi_enabled) { ++ napi_enable(&irq_grp->napi); ++ irq_grp->napi_enabled = true; ++ } + ath11k_ahb_ext_grp_enable(irq_grp); + } + } +diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h +index c8e36251068c9..d2f2898d17b49 100644 +--- a/drivers/net/wireless/ath/ath11k/core.h ++++ b/drivers/net/wireless/ath/ath11k/core.h +@@ -124,6 +124,7 @@ struct ath11k_ext_irq_grp { + u32 num_irq; + u32 grp_id; + u64 timestamp; ++ bool napi_enabled; + struct napi_struct napi; + struct net_device napi_ndev; + }; +@@ -687,7 +688,6 @@ struct ath11k_base { + u32 wlan_init_status; + int irq_num[ATH11K_IRQ_NUM_MAX]; + struct ath11k_ext_irq_grp ext_irq_grp[ATH11K_EXT_IRQ_GRP_NUM_MAX]; +- struct napi_struct *napi; + struct ath11k_targ_cap target_caps; + u32 ext_service_bitmap[WMI_SERVICE_EXT_BM_SIZE]; + bool pdevs_macaddr_valid; +diff --git a/drivers/net/wireless/ath/ath11k/pci.c b/drivers/net/wireless/ath/ath11k/pci.c +index d7eb6b7160bb4..105e344240c10 100644 +--- a/drivers/net/wireless/ath/ath11k/pci.c ++++ b/drivers/net/wireless/ath/ath11k/pci.c +@@ -416,8 +416,11 @@ static void __ath11k_pci_ext_irq_disable(struct ath11k_base *sc) + + ath11k_pci_ext_grp_disable(irq_grp); + +- napi_synchronize(&irq_grp->napi); +- napi_disable(&irq_grp->napi); ++ if (irq_grp->napi_enabled) { ++ napi_synchronize(&irq_grp->napi); ++ napi_disable(&irq_grp->napi); ++ irq_grp->napi_enabled = false; ++ } + } + } + +@@ -436,7 +439,10 @@ static void ath11k_pci_ext_irq_enable(struct ath11k_base *ab) + for (i = 0; i < ATH11K_EXT_IRQ_GRP_NUM_MAX; i++) { + struct ath11k_ext_irq_grp *irq_grp = &ab->ext_irq_grp[i]; + +- napi_enable(&irq_grp->napi); ++ if (!irq_grp->napi_enabled) { ++ napi_enable(&irq_grp->napi); ++ irq_grp->napi_enabled = true; ++ } + ath11k_pci_ext_grp_enable(irq_grp); + } + } +-- +2.34.1 + diff --git a/queue-5.10/ath11k-reset-rsn-wpa-present-state-for-open-bss.patch b/queue-5.10/ath11k-reset-rsn-wpa-present-state-for-open-bss.patch new file mode 100644 index 00000000000..4ec2a996dcc --- /dev/null +++ b/queue-5.10/ath11k-reset-rsn-wpa-present-state-for-open-bss.patch @@ -0,0 +1,59 @@ +From cccffccf0abf507494f1013e8acab7a9dfc0ac03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 11:04:41 +0100 +Subject: ath11k: reset RSN/WPA present state for open BSS + +From: Karthikeyan Kathirvel + +[ Upstream commit 64bc3aa02ae78b1fcb1b850e0eb1f0622002bfaa ] + +The ath11k driver is caching the information about RSN/WPA IE in the +configured beacon template. The cached information is used during +associations to figure out whether 4-way PKT/2-way GTK peer flags need to +be set or not. + +But the code never cleared the state when no such IE was found. This can +for example happen when moving from an WPA/RSN to an open setup. The +(seemingly connected) peer was then not able to communicate over the +link because the firmware assumed a different (encryption enabled) state +for the peer. + +Tested-on: IPQ6018 hw1.0 AHB WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1 + +Fixes: 01e34233c645 ("ath11k: fix wmi peer flags in peer assoc command") +Cc: Venkateswara Naralasetty +Reported-by: Sven Eckelmann +Signed-off-by: Karthikeyan Kathirvel +[sven@narfation.org: split into separate patches, clean up commit message] +Signed-off-by: Sven Eckelmann + +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211115100441.33771-2-sven@narfation.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index 304e158f09751..b4f8494e3c707 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -792,11 +792,15 @@ static int ath11k_mac_setup_bcn_tmpl(struct ath11k_vif *arvif) + + if (cfg80211_find_ie(WLAN_EID_RSN, ies, (skb_tail_pointer(bcn) - ies))) + arvif->rsnie_present = true; ++ else ++ arvif->rsnie_present = false; + + if (cfg80211_find_vendor_ie(WLAN_OUI_MICROSOFT, + WLAN_OUI_TYPE_MICROSOFT_WPA, + ies, (skb_tail_pointer(bcn) - ies))) + arvif->wpaie_present = true; ++ else ++ arvif->wpaie_present = false; + + ret = ath11k_wmi_bcn_tmpl(ar, arvif->vdev_id, &offs, bcn); + +-- +2.34.1 + diff --git a/queue-5.10/ath11k-send-ppdu_stats_cfg-with-proper-pdev-mask-to-.patch b/queue-5.10/ath11k-send-ppdu_stats_cfg-with-proper-pdev-mask-to-.patch new file mode 100644 index 00000000000..605974d9e9c --- /dev/null +++ b/queue-5.10/ath11k-send-ppdu_stats_cfg-with-proper-pdev-mask-to-.patch @@ -0,0 +1,68 @@ +From 226c358e3647b51432e3f4e90fe3491394354b55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Nov 2021 17:10:48 +0200 +Subject: ath11k: Send PPDU_STATS_CFG with proper pdev mask to firmware + +From: Rameshkumar Sundaram + +[ Upstream commit 16a2c3d5406f95ef6139de52669c60a39443f5f7 ] + +HTT_PPDU_STATS_CFG_PDEV_ID bit mask for target FW PPDU stats request message +was set as bit 8 to 15. Bit 8 is reserved for soc stats and pdev id starts from +bit 9. Hence change the bitmask as bit 9 to 15 and fill the proper pdev id in +the request message. + +In commit 701e48a43e15 ("ath11k: add packet log support for QCA6390"), both +HTT_PPDU_STATS_CFG_PDEV_ID and pdev_mask were changed, but this pdev_mask +calculation is not valid for platforms which has multiple pdevs with 1 rxdma +per pdev, as this is writing same value(i.e. 2) for all pdevs. Hence fixed it +to consider pdev_idx as well, to make it compatible for both single and multi +pd cases. + +Tested on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01092-QCAHKSWPL_SILICONZ-1 +Tested on: IPQ6018 hw1.0 WLAN.HK.2.5.0.1-01067-QCAHKSWPL_SILICONZ-1 + +Fixes: 701e48a43e15 ("ath11k: add packet log support for QCA6390") + +Co-developed-by: Sathishkumar Muruganandam +Signed-off-by: Sathishkumar Muruganandam +Signed-off-by: Rameshkumar Sundaram +Signed-off-by: Jouni Malinen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210721212029.142388-10-jouni@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/dp.h | 3 ++- + drivers/net/wireless/ath/ath11k/dp_tx.c | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/dp.h b/drivers/net/wireless/ath/ath11k/dp.h +index ee8db812589b3..c4972233149f4 100644 +--- a/drivers/net/wireless/ath/ath11k/dp.h ++++ b/drivers/net/wireless/ath/ath11k/dp.h +@@ -514,7 +514,8 @@ struct htt_ppdu_stats_cfg_cmd { + } __packed; + + #define HTT_PPDU_STATS_CFG_MSG_TYPE GENMASK(7, 0) +-#define HTT_PPDU_STATS_CFG_PDEV_ID GENMASK(15, 8) ++#define HTT_PPDU_STATS_CFG_SOC_STATS BIT(8) ++#define HTT_PPDU_STATS_CFG_PDEV_ID GENMASK(15, 9) + #define HTT_PPDU_STATS_CFG_TLV_TYPE_BITMASK GENMASK(31, 16) + + enum htt_ppdu_stats_tag_type { +diff --git a/drivers/net/wireless/ath/ath11k/dp_tx.c b/drivers/net/wireless/ath/ath11k/dp_tx.c +index 21dfd08d3debb..092eee735da29 100644 +--- a/drivers/net/wireless/ath/ath11k/dp_tx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_tx.c +@@ -894,7 +894,7 @@ int ath11k_dp_tx_htt_h2t_ppdu_stats_req(struct ath11k *ar, u32 mask) + cmd->msg = FIELD_PREP(HTT_PPDU_STATS_CFG_MSG_TYPE, + HTT_H2T_MSG_TYPE_PPDU_STATS_CFG); + +- pdev_mask = 1 << (i + 1); ++ pdev_mask = 1 << (ar->pdev_idx + i); + cmd->msg |= FIELD_PREP(HTT_PPDU_STATS_CFG_PDEV_ID, pdev_mask); + cmd->msg |= FIELD_PREP(HTT_PPDU_STATS_CFG_TLV_TYPE_BITMASK, mask); + +-- +2.34.1 + diff --git a/queue-5.10/ath11k-use-host-ce-parameters-for-ce-interrupts-conf.patch b/queue-5.10/ath11k-use-host-ce-parameters-for-ce-interrupts-conf.patch new file mode 100644 index 00000000000..8a0967d89cc --- /dev/null +++ b/queue-5.10/ath11k-use-host-ce-parameters-for-ce-interrupts-conf.patch @@ -0,0 +1,78 @@ +From 6d0caec8de773a7dcaccf477ae9f066853076640 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Nov 2021 19:11:31 +0200 +Subject: ath11k: Use host CE parameters for CE interrupts configuration + +From: Anilkumar Kolli + +[ Upstream commit b689f091aafd1a874b2f88137934276ab0fca480 ] + +CE interrupt configuration uses host ce parameters to assign/free +interrupts. Use host ce parameters to enable/disable interrupts. +This patch fixes below BUG, + +BUG: KASAN: global-out-of-bounds in 0xffffffbffdfb035c at addr +ffffffbffde6eeac + Read of size 4 by task kworker/u8:2/132 + Address belongs to variable ath11k_core_qmi_firmware_ready+0x1b0/0x5bc [ath11k] + +OOB is due to ath11k_ahb_ce_irqs_enable() iterates ce_count(which is 12) +times and accessing 12th element in target_ce_config +(which has only 11 elements) from ath11k_ahb_ce_irq_enable(). + +With this change host ce configs are used to enable/disable interrupts. + +Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-00471-QCAHKSWPL_SILICONZ-1 + +Fixes: 967c1d1131fa ("ath11k: move target ce configs to hw_params") +Signed-off-by: Anilkumar Kolli +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1637249558-12793-1-git-send-email-akolli@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/ahb.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/ahb.c b/drivers/net/wireless/ath/ath11k/ahb.c +index 430723c64adce..e8cca58e18ffc 100644 +--- a/drivers/net/wireless/ath/ath11k/ahb.c ++++ b/drivers/net/wireless/ath/ath11k/ahb.c +@@ -206,13 +206,13 @@ static void ath11k_ahb_clearbit32(struct ath11k_base *ab, u8 bit, u32 offset) + + static void ath11k_ahb_ce_irq_enable(struct ath11k_base *ab, u16 ce_id) + { +- const struct ce_pipe_config *ce_config; ++ const struct ce_attr *ce_attr; + +- ce_config = &ab->hw_params.target_ce_config[ce_id]; +- if (__le32_to_cpu(ce_config->pipedir) & PIPEDIR_OUT) ++ ce_attr = &ab->hw_params.host_ce_config[ce_id]; ++ if (ce_attr->src_nentries) + ath11k_ahb_setbit32(ab, ce_id, CE_HOST_IE_ADDRESS); + +- if (__le32_to_cpu(ce_config->pipedir) & PIPEDIR_IN) { ++ if (ce_attr->dest_nentries) { + ath11k_ahb_setbit32(ab, ce_id, CE_HOST_IE_2_ADDRESS); + ath11k_ahb_setbit32(ab, ce_id + CE_HOST_IE_3_SHIFT, + CE_HOST_IE_3_ADDRESS); +@@ -221,13 +221,13 @@ static void ath11k_ahb_ce_irq_enable(struct ath11k_base *ab, u16 ce_id) + + static void ath11k_ahb_ce_irq_disable(struct ath11k_base *ab, u16 ce_id) + { +- const struct ce_pipe_config *ce_config; ++ const struct ce_attr *ce_attr; + +- ce_config = &ab->hw_params.target_ce_config[ce_id]; +- if (__le32_to_cpu(ce_config->pipedir) & PIPEDIR_OUT) ++ ce_attr = &ab->hw_params.host_ce_config[ce_id]; ++ if (ce_attr->src_nentries) + ath11k_ahb_clearbit32(ab, ce_id, CE_HOST_IE_ADDRESS); + +- if (__le32_to_cpu(ce_config->pipedir) & PIPEDIR_IN) { ++ if (ce_attr->dest_nentries) { + ath11k_ahb_clearbit32(ab, ce_id, CE_HOST_IE_2_ADDRESS); + ath11k_ahb_clearbit32(ab, ce_id + CE_HOST_IE_3_SHIFT, + CE_HOST_IE_3_ADDRESS); +-- +2.34.1 + diff --git a/queue-5.10/ath9k-fix-out-of-bound-memcpy-in-ath9k_hif_usb_rx_st.patch b/queue-5.10/ath9k-fix-out-of-bound-memcpy-in-ath9k_hif_usb_rx_st.patch new file mode 100644 index 00000000000..6303d977837 --- /dev/null +++ b/queue-5.10/ath9k-fix-out-of-bound-memcpy-in-ath9k_hif_usb_rx_st.patch @@ -0,0 +1,90 @@ +From e921e15bec68c4b3f55f5ac8630e048350016e65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 18:21:42 -0400 +Subject: ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream + +From: Zekun Shen + +[ Upstream commit 6ce708f54cc8d73beca213cec66ede5ce100a781 ] + +Large pkt_len can lead to out-out-bound memcpy. Current +ath9k_hif_usb_rx_stream allows combining the content of two urb +inputs to one pkt. The first input can indicate the size of the +pkt. Any remaining size is saved in hif_dev->rx_remain_len. +While processing the next input, memcpy is used with rx_remain_len. + +4-byte pkt_len can go up to 0xffff, while a single input is 0x4000 +maximum in size (MAX_RX_BUF_SIZE). Thus, the patch adds a check for +pkt_len which must not exceed 2 * MAX_RX_BUG_SIZE. + +BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] +Read of size 46393 at addr ffff888018798000 by task kworker/0:1/23 + +CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 5.6.0 #63 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), +BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014 +Workqueue: events request_firmware_work_func +Call Trace: + + dump_stack+0x76/0xa0 + print_address_description.constprop.0+0x16/0x200 + ? ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] + ? ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] + __kasan_report.cold+0x37/0x7c + ? ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] + kasan_report+0xe/0x20 + check_memory_region+0x15a/0x1d0 + memcpy+0x20/0x50 + ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] + ? hif_usb_mgmt_cb+0x2d9/0x2d9 [ath9k_htc] + ? _raw_spin_lock_irqsave+0x7b/0xd0 + ? _raw_spin_trylock_bh+0x120/0x120 + ? __usb_unanchor_urb+0x12f/0x210 + __usb_hcd_giveback_urb+0x1e4/0x380 + usb_giveback_urb_bh+0x241/0x4f0 + ? __hrtimer_run_queues+0x316/0x740 + ? __usb_hcd_giveback_urb+0x380/0x380 + tasklet_action_common.isra.0+0x135/0x330 + __do_softirq+0x18c/0x634 + irq_exit+0x114/0x140 + smp_apic_timer_interrupt+0xde/0x380 + apic_timer_interrupt+0xf/0x20 + +I found the bug using a custome USBFuzz port. It's a research work +to fuzz USB stack/drivers. I modified it to fuzz ath9k driver only, +providing hand-crafted usb descriptors to QEMU. + +After fixing the value of pkt_tag to ATH_USB_RX_STREAM_MODE_TAG in QEMU +emulation, I found the KASAN report. The bug is triggerable whenever +pkt_len is above two MAX_RX_BUG_SIZE. I used the same input that crashes +to test the driver works when applying the patch. + +Signed-off-by: Zekun Shen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/YXsidrRuK6zBJicZ@10-18-43-117.dynapool.wireless.nyu.edu +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index 860da13bfb6ac..f06eec99de688 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -590,6 +590,13 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + return; + } + ++ if (pkt_len > 2 * MAX_RX_BUF_SIZE) { ++ dev_err(&hif_dev->udev->dev, ++ "ath9k_htc: invalid pkt_len (%x)\n", pkt_len); ++ RX_STAT_INC(skb_dropped); ++ return; ++ } ++ + pad_len = 4 - (pkt_len & 0x3); + if (pad_len == 4) + pad_len = 0; +-- +2.34.1 + diff --git a/queue-5.10/audit-ensure-userspace-is-penalized-the-same-as-the-.patch b/queue-5.10/audit-ensure-userspace-is-penalized-the-same-as-the-.patch new file mode 100644 index 00000000000..a6df62432e9 --- /dev/null +++ b/queue-5.10/audit-ensure-userspace-is-penalized-the-same-as-the-.patch @@ -0,0 +1,71 @@ +From a2ac4a0a719cbdb829c31ea666305656d05aa30b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Dec 2021 15:45:20 -0500 +Subject: audit: ensure userspace is penalized the same as the kernel when + under pressure + +From: Paul Moore + +[ Upstream commit 8f110f530635af44fff1f4ee100ecef0bac62510 ] + +Due to the audit control mutex necessary for serializing audit +userspace messages we haven't been able to block/penalize userspace +processes that attempt to send audit records while the system is +under audit pressure. The result is that privileged userspace +applications have a priority boost with respect to audit as they are +not bound by the same audit queue throttling as the other tasks on +the system. + +This patch attempts to restore some balance to the system when under +audit pressure by blocking these privileged userspace tasks after +they have finished their audit processing, and dropped the audit +control mutex, but before they return to userspace. + +Reported-by: Gaosheng Cui +Tested-by: Gaosheng Cui +Reviewed-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + kernel/audit.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/kernel/audit.c b/kernel/audit.c +index d784000921da3..2a38cbaf3ddb7 100644 +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -1540,6 +1540,20 @@ static void audit_receive(struct sk_buff *skb) + nlh = nlmsg_next(nlh, &len); + } + audit_ctl_unlock(); ++ ++ /* can't block with the ctrl lock, so penalize the sender now */ ++ if (audit_backlog_limit && ++ (skb_queue_len(&audit_queue) > audit_backlog_limit)) { ++ DECLARE_WAITQUEUE(wait, current); ++ ++ /* wake kauditd to try and flush the queue */ ++ wake_up_interruptible(&kauditd_wait); ++ ++ add_wait_queue_exclusive(&audit_backlog_wait, &wait); ++ set_current_state(TASK_UNINTERRUPTIBLE); ++ schedule_timeout(audit_backlog_wait_time); ++ remove_wait_queue(&audit_backlog_wait, &wait); ++ } + } + + /* Log information about who is connecting to the audit multicast socket */ +@@ -1824,7 +1838,9 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, + * task_tgid_vnr() since auditd_pid is set in audit_receive_msg() + * using a PID anchored in the caller's namespace + * 2. generator holding the audit_cmd_mutex - we don't want to block +- * while holding the mutex */ ++ * while holding the mutex, although we do penalize the sender ++ * later in audit_receive() when it is safe to block ++ */ + if (!(auditd_test_task(current) || audit_ctl_owner_current())) { + long stime = audit_backlog_wait_time; + +-- +2.34.1 + diff --git a/queue-5.10/ax25-uninitialized-variable-in-ax25_setsockopt.patch b/queue-5.10/ax25-uninitialized-variable-in-ax25_setsockopt.patch new file mode 100644 index 00000000000..d0403139325 --- /dev/null +++ b/queue-5.10/ax25-uninitialized-variable-in-ax25_setsockopt.patch @@ -0,0 +1,75 @@ +From 0b5465ae2d933bc03c6b3985364278d0ffc5b21e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jan 2022 10:13:12 +0300 +Subject: ax25: uninitialized variable in ax25_setsockopt() + +From: Dan Carpenter + +[ Upstream commit 9371937092d5fd502032c1bb4475b36b39b1f1b3 ] + +The "opt" variable is unsigned long but we only copy 4 bytes from +the user so the lower 4 bytes are uninitialized. + +I have changed the integer overflow checks from ULONG to UINT as well. +This is a slight API change but I don't expect it to break anything. + +Fixes: a7b75c5a8c41 ("net: pass a sockptr_t into ->setsockopt") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ax25/af_ax25.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index 22278807b3f36..5e84dce5ff7ae 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -536,7 +536,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, + ax25_cb *ax25; + struct net_device *dev; + char devname[IFNAMSIZ]; +- unsigned long opt; ++ unsigned int opt; + int res = 0; + + if (level != SOL_AX25) +@@ -568,7 +568,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, + break; + + case AX25_T1: +- if (opt < 1 || opt > ULONG_MAX / HZ) { ++ if (opt < 1 || opt > UINT_MAX / HZ) { + res = -EINVAL; + break; + } +@@ -577,7 +577,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, + break; + + case AX25_T2: +- if (opt < 1 || opt > ULONG_MAX / HZ) { ++ if (opt < 1 || opt > UINT_MAX / HZ) { + res = -EINVAL; + break; + } +@@ -593,7 +593,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, + break; + + case AX25_T3: +- if (opt < 1 || opt > ULONG_MAX / HZ) { ++ if (opt < 1 || opt > UINT_MAX / HZ) { + res = -EINVAL; + break; + } +@@ -601,7 +601,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, + break; + + case AX25_IDLE: +- if (opt > ULONG_MAX / (60 * HZ)) { ++ if (opt > UINT_MAX / (60 * HZ)) { + res = -EINVAL; + break; + } +-- +2.34.1 + diff --git a/queue-5.10/backlight-qcom-wled-fix-off-by-one-maximum-with-defa.patch b/queue-5.10/backlight-qcom-wled-fix-off-by-one-maximum-with-defa.patch new file mode 100644 index 00000000000..fd34c5b8b35 --- /dev/null +++ b/queue-5.10/backlight-qcom-wled-fix-off-by-one-maximum-with-defa.patch @@ -0,0 +1,133 @@ +From a7edfc7e9249d3aba528172712b651701d25d307 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 21:34:54 +0100 +Subject: backlight: qcom-wled: Fix off-by-one maximum with default num_strings + +From: Marijn Suijten + +[ Upstream commit 5ada78b26f935f8751852dffa24f6b545b1d2517 ] + +When not specifying num-strings in the DT the default is used, but +1 is +added to it which turns WLED3 into 4 and WLED4/5 into 5 strings instead +of 3 and 4 respectively, causing out-of-bounds reads and register +read/writes. This +1 exists for a deficiency in the DT parsing code, +and is simply omitted entirely - solving this oob issue - by parsing the +property separately much like qcom,enabled-strings. + +This also enables more stringent checks on the maximum value when +qcom,enabled-strings is provided in the DT, by parsing num-strings after +enabled-strings to allow it to check against (and in a subsequent patch +override) the length of enabled-strings: it is invalid to set +num-strings higher than that. +The DT currently utilizes it to get around an incorrect fixed read of +four elements from that array (has been addressed in a prior patch) by +setting a lower num-strings where desired. + +Fixes: 93c64f1ea1e8 ("leds: add Qualcomm PM8941 WLED driver") +Signed-off-by: Marijn Suijten +Reviewed-By: AngeloGioacchino Del Regno +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20211115203459.1634079-5-marijn.suijten@somainline.org +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/qcom-wled.c | 48 ++++++++++------------------- + 1 file changed, 16 insertions(+), 32 deletions(-) + +diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c +index 92df5a9f6ae51..9e09165984b48 100644 +--- a/drivers/video/backlight/qcom-wled.c ++++ b/drivers/video/backlight/qcom-wled.c +@@ -1256,21 +1256,6 @@ static const struct wled_var_cfg wled5_ovp_cfg = { + .size = 16, + }; + +-static u32 wled3_num_strings_values_fn(u32 idx) +-{ +- return idx + 1; +-} +- +-static const struct wled_var_cfg wled3_num_strings_cfg = { +- .fn = wled3_num_strings_values_fn, +- .size = 3, +-}; +- +-static const struct wled_var_cfg wled4_num_strings_cfg = { +- .fn = wled3_num_strings_values_fn, +- .size = 4, +-}; +- + static u32 wled3_switch_freq_values_fn(u32 idx) + { + return 19200 / (2 * (1 + idx)); +@@ -1344,11 +1329,6 @@ static int wled_configure(struct wled *wled) + .val_ptr = &cfg->switch_freq, + .cfg = &wled3_switch_freq_cfg, + }, +- { +- .name = "qcom,num-strings", +- .val_ptr = &cfg->num_strings, +- .cfg = &wled3_num_strings_cfg, +- }, + }; + + const struct wled_u32_opts wled4_opts[] = { +@@ -1372,11 +1352,6 @@ static int wled_configure(struct wled *wled) + .val_ptr = &cfg->switch_freq, + .cfg = &wled3_switch_freq_cfg, + }, +- { +- .name = "qcom,num-strings", +- .val_ptr = &cfg->num_strings, +- .cfg = &wled4_num_strings_cfg, +- }, + }; + + const struct wled_u32_opts wled5_opts[] = { +@@ -1400,11 +1375,6 @@ static int wled_configure(struct wled *wled) + .val_ptr = &cfg->switch_freq, + .cfg = &wled3_switch_freq_cfg, + }, +- { +- .name = "qcom,num-strings", +- .val_ptr = &cfg->num_strings, +- .cfg = &wled4_num_strings_cfg, +- }, + { + .name = "qcom,modulator-sel", + .val_ptr = &cfg->mod_sel, +@@ -1523,8 +1493,6 @@ static int wled_configure(struct wled *wled) + *bool_opts[i].val_ptr = true; + } + +- cfg->num_strings = cfg->num_strings + 1; +- + string_len = of_property_count_elems_of_size(dev->of_node, + "qcom,enabled-strings", + sizeof(u32)); +@@ -1555,6 +1523,22 @@ static int wled_configure(struct wled *wled) + } + } + ++ rc = of_property_read_u32(dev->of_node, "qcom,num-strings", &val); ++ if (!rc) { ++ if (val < 1 || val > wled->max_string_count) { ++ dev_err(dev, "qcom,num-strings must be between 1 and %d\n", ++ wled->max_string_count); ++ return -EINVAL; ++ } ++ ++ if (string_len > 0 && val > string_len) { ++ dev_err(dev, "qcom,num-strings exceeds qcom,enabled-strings\n"); ++ return -EINVAL; ++ } ++ ++ cfg->num_strings = val; ++ } ++ + return 0; + } + +-- +2.34.1 + diff --git a/queue-5.10/backlight-qcom-wled-override-default-length-with-qco.patch b/queue-5.10/backlight-qcom-wled-override-default-length-with-qco.patch new file mode 100644 index 00000000000..15a508b00c0 --- /dev/null +++ b/queue-5.10/backlight-qcom-wled-override-default-length-with-qco.patch @@ -0,0 +1,65 @@ +From 8ca6047a5356f77524c77e6ae1a48f3415ee6105 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 21:34:55 +0100 +Subject: backlight: qcom-wled: Override default length with + qcom,enabled-strings + +From: Marijn Suijten + +[ Upstream commit 2b4b49602f9feca7b7a84eaa33ad9e666c8aa695 ] + +The length of qcom,enabled-strings as property array is enough to +determine the number of strings to be enabled, without needing to set +qcom,num-strings to override the default number of strings when less +than the default (which is also the maximum) is provided in DT. + +This also introduces an extra warning when qcom,num-strings is set, +denoting that it is not necessary to set both anymore. It is usually +more concise to set just qcom,num-length when a zero-based, contiguous +range of strings is needed (the majority of the cases), or to only set +qcom,enabled-strings when a specific set of indices is desired. + +Fixes: 775d2ffb4af6 ("backlight: qcom-wled: Restructure the driver for WLED3") +Signed-off-by: Marijn Suijten +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20211115203459.1634079-6-marijn.suijten@somainline.org +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/qcom-wled.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c +index 9e09165984b48..70fcee74866a5 100644 +--- a/drivers/video/backlight/qcom-wled.c ++++ b/drivers/video/backlight/qcom-wled.c +@@ -1521,6 +1521,8 @@ static int wled_configure(struct wled *wled) + return -EINVAL; + } + } ++ ++ cfg->num_strings = string_len; + } + + rc = of_property_read_u32(dev->of_node, "qcom,num-strings", &val); +@@ -1531,9 +1533,13 @@ static int wled_configure(struct wled *wled) + return -EINVAL; + } + +- if (string_len > 0 && val > string_len) { +- dev_err(dev, "qcom,num-strings exceeds qcom,enabled-strings\n"); +- return -EINVAL; ++ if (string_len > 0) { ++ dev_warn(dev, "Only one of qcom,num-strings or qcom,enabled-strings" ++ " should be set\n"); ++ if (val > string_len) { ++ dev_err(dev, "qcom,num-strings exceeds qcom,enabled-strings\n"); ++ return -EINVAL; ++ } + } + + cfg->num_strings = val; +-- +2.34.1 + diff --git a/queue-5.10/backlight-qcom-wled-pass-number-of-elements-to-read-.patch b/queue-5.10/backlight-qcom-wled-pass-number-of-elements-to-read-.patch new file mode 100644 index 00000000000..cab24bbad11 --- /dev/null +++ b/queue-5.10/backlight-qcom-wled-pass-number-of-elements-to-read-.patch @@ -0,0 +1,56 @@ +From a4bc0a2ad0acfe8d42383b777aeb30bdd61b5748 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 21:34:52 +0100 +Subject: backlight: qcom-wled: Pass number of elements to read to + read_u32_array + +From: Marijn Suijten + +[ Upstream commit e29e24bdabfeddbf8b1a4ecac1af439a85150438 ] + +of_property_read_u32_array takes the number of elements to read as last +argument. This does not always need to be 4 (sizeof(u32)) but should +instead be the size of the array in DT as read just above with +of_property_count_elems_of_size. + +To not make such an error go unnoticed again the driver now bails +accordingly when of_property_read_u32_array returns an error. +Surprisingly the indentation of newlined arguments is lining up again +after prepending `rc = `. + +Fixes: 775d2ffb4af6 ("backlight: qcom-wled: Restructure the driver for WLED3") +Signed-off-by: Marijn Suijten +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20211115203459.1634079-3-marijn.suijten@somainline.org +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/qcom-wled.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c +index 2c4290f082025..92df5a9f6ae51 100644 +--- a/drivers/video/backlight/qcom-wled.c ++++ b/drivers/video/backlight/qcom-wled.c +@@ -1535,10 +1535,15 @@ static int wled_configure(struct wled *wled) + return -EINVAL; + } + +- of_property_read_u32_array(dev->of_node, ++ rc = of_property_read_u32_array(dev->of_node, + "qcom,enabled-strings", + wled->cfg.enabled_strings, +- sizeof(u32)); ++ string_len); ++ if (rc) { ++ dev_err(dev, "Failed to read %d elements from qcom,enabled-strings: %d\n", ++ string_len, rc); ++ return rc; ++ } + + for (i = 0; i < string_len; ++i) { + if (wled->cfg.enabled_strings[i] >= wled->max_string_count) { +-- +2.34.1 + diff --git a/queue-5.10/backlight-qcom-wled-respect-enabled-strings-in-set_b.patch b/queue-5.10/backlight-qcom-wled-respect-enabled-strings-in-set_b.patch new file mode 100644 index 00000000000..29f505cda3e --- /dev/null +++ b/queue-5.10/backlight-qcom-wled-respect-enabled-strings-in-set_b.patch @@ -0,0 +1,135 @@ +From 7a44bcccf1149d558c7c543f17c0e80e01fed7c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 21:34:59 +0100 +Subject: backlight: qcom-wled: Respect enabled-strings in set_brightness + +From: Marijn Suijten + +[ Upstream commit ec961cf3241153e0f27d850f1bf0f172e7d27a21 ] + +The hardware is capable of controlling any non-contiguous sequence of +LEDs specified in the DT using qcom,enabled-strings as u32 +array, and this also follows from the DT-bindings documentation. The +numbers specified in this array represent indices of the LED strings +that are to be enabled and disabled. + +Its value is appropriately used to setup and enable string modules, but +completely disregarded in the set_brightness paths which only iterate +over the number of strings linearly. +Take an example where only string 2 is enabled with +qcom,enabled_strings=<2>: this string is appropriately enabled but +subsequent brightness changes would have only touched the zero'th +brightness register because num_strings is 1 here. This is simply +addressed by looking up the string for this index in the enabled_strings +array just like the other codepaths that iterate over num_strings. + +Likewise enabled_strings is now also used in the autodetection path for +consistent behaviour: when a list of strings is specified in DT only +those strings will be probed for autodetection, analogous to how the +number of strings that need to be probed is already bound by +qcom,num-strings. After all autodetection uses the set_brightness +helpers to set an initial value, which could otherwise end up changing +brightness on a different set of strings. + +Fixes: 775d2ffb4af6 ("backlight: qcom-wled: Restructure the driver for WLED3") +Fixes: 03b2b5e86986 ("backlight: qcom-wled: Add support for WLED4 peripheral") +Signed-off-by: Marijn Suijten +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20211115203459.1634079-10-marijn.suijten@somainline.org +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/qcom-wled.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c +index 13368044d0a75..486d35da01507 100644 +--- a/drivers/video/backlight/qcom-wled.c ++++ b/drivers/video/backlight/qcom-wled.c +@@ -237,7 +237,7 @@ static int wled3_set_brightness(struct wled *wled, u16 brightness) + + for (i = 0; i < wled->cfg.num_strings; ++i) { + rc = regmap_bulk_write(wled->regmap, wled->ctrl_addr + +- WLED3_SINK_REG_BRIGHT(i), ++ WLED3_SINK_REG_BRIGHT(wled->cfg.enabled_strings[i]), + &v, sizeof(v)); + if (rc < 0) + return rc; +@@ -260,7 +260,7 @@ static int wled4_set_brightness(struct wled *wled, u16 brightness) + + for (i = 0; i < wled->cfg.num_strings; ++i) { + rc = regmap_bulk_write(wled->regmap, wled->sink_addr + +- WLED4_SINK_REG_BRIGHT(i), ++ WLED4_SINK_REG_BRIGHT(wled->cfg.enabled_strings[i]), + &v, sizeof(v)); + if (rc < 0) + return rc; +@@ -571,7 +571,7 @@ unlock_mutex: + + static void wled_auto_string_detection(struct wled *wled) + { +- int rc = 0, i, delay_time_us; ++ int rc = 0, i, j, delay_time_us; + u32 sink_config = 0; + u8 sink_test = 0, sink_valid = 0, val; + bool fault_set; +@@ -618,14 +618,15 @@ static void wled_auto_string_detection(struct wled *wled) + + /* Iterate through the strings one by one */ + for (i = 0; i < wled->cfg.num_strings; i++) { +- sink_test = BIT((WLED4_SINK_REG_CURR_SINK_SHFT + i)); ++ j = wled->cfg.enabled_strings[i]; ++ sink_test = BIT((WLED4_SINK_REG_CURR_SINK_SHFT + j)); + + /* Enable feedback control */ + rc = regmap_write(wled->regmap, wled->ctrl_addr + +- WLED3_CTRL_REG_FEEDBACK_CONTROL, i + 1); ++ WLED3_CTRL_REG_FEEDBACK_CONTROL, j + 1); + if (rc < 0) { + dev_err(wled->dev, "Failed to enable feedback for SINK %d rc = %d\n", +- i + 1, rc); ++ j + 1, rc); + goto failed_detect; + } + +@@ -634,7 +635,7 @@ static void wled_auto_string_detection(struct wled *wled) + WLED4_SINK_REG_CURR_SINK, sink_test); + if (rc < 0) { + dev_err(wled->dev, "Failed to configure SINK %d rc=%d\n", +- i + 1, rc); ++ j + 1, rc); + goto failed_detect; + } + +@@ -661,7 +662,7 @@ static void wled_auto_string_detection(struct wled *wled) + + if (fault_set) + dev_dbg(wled->dev, "WLED OVP fault detected with SINK %d\n", +- i + 1); ++ j + 1); + else + sink_valid |= sink_test; + +@@ -701,15 +702,16 @@ static void wled_auto_string_detection(struct wled *wled) + /* Enable valid sinks */ + if (wled->version == 4) { + for (i = 0; i < wled->cfg.num_strings; i++) { ++ j = wled->cfg.enabled_strings[i]; + if (sink_config & +- BIT(WLED4_SINK_REG_CURR_SINK_SHFT + i)) ++ BIT(WLED4_SINK_REG_CURR_SINK_SHFT + j)) + val = WLED4_SINK_REG_STR_MOD_MASK; + else + /* Disable modulator_en for unused sink */ + val = 0; + + rc = regmap_write(wled->regmap, wled->sink_addr + +- WLED4_SINK_REG_STR_MOD_EN(i), val); ++ WLED4_SINK_REG_STR_MOD_EN(j), val); + if (rc < 0) { + dev_err(wled->dev, "Failed to configure MODULATOR_EN rc=%d\n", + rc); +-- +2.34.1 + diff --git a/queue-5.10/backlight-qcom-wled-use-cpu_to_le16-macro-to-perform.patch b/queue-5.10/backlight-qcom-wled-use-cpu_to_le16-macro-to-perform.patch new file mode 100644 index 00000000000..30975c0d6e8 --- /dev/null +++ b/queue-5.10/backlight-qcom-wled-use-cpu_to_le16-macro-to-perform.patch @@ -0,0 +1,96 @@ +From ef17325983d8e30c80cbb2b8d51fcb068f37ae72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 21:34:53 +0100 +Subject: backlight: qcom-wled: Use cpu_to_le16 macro to perform conversion + +From: Marijn Suijten + +[ Upstream commit 0a139358548968b2ff308257b4fbeec7badcc3e1 ] + +The kernel already provides appropriate primitives to perform endianness +conversion which should be used in favour of manual bit-wrangling. + +Signed-off-by: Marijn Suijten +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20211115203459.1634079-4-marijn.suijten@somainline.org +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/qcom-wled.c | 23 +++++++++++------------ + 1 file changed, 11 insertions(+), 12 deletions(-) + +diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c +index 70fcee74866a5..13368044d0a75 100644 +--- a/drivers/video/backlight/qcom-wled.c ++++ b/drivers/video/backlight/qcom-wled.c +@@ -231,14 +231,14 @@ struct wled { + static int wled3_set_brightness(struct wled *wled, u16 brightness) + { + int rc, i; +- u8 v[2]; ++ __le16 v; + +- v[0] = brightness & 0xff; +- v[1] = (brightness >> 8) & 0xf; ++ v = cpu_to_le16(brightness & WLED3_SINK_REG_BRIGHT_MAX); + + for (i = 0; i < wled->cfg.num_strings; ++i) { + rc = regmap_bulk_write(wled->regmap, wled->ctrl_addr + +- WLED3_SINK_REG_BRIGHT(i), v, 2); ++ WLED3_SINK_REG_BRIGHT(i), ++ &v, sizeof(v)); + if (rc < 0) + return rc; + } +@@ -250,18 +250,18 @@ static int wled4_set_brightness(struct wled *wled, u16 brightness) + { + int rc, i; + u16 low_limit = wled->max_brightness * 4 / 1000; +- u8 v[2]; ++ __le16 v; + + /* WLED4's lower limit of operation is 0.4% */ + if (brightness > 0 && brightness < low_limit) + brightness = low_limit; + +- v[0] = brightness & 0xff; +- v[1] = (brightness >> 8) & 0xf; ++ v = cpu_to_le16(brightness & WLED3_SINK_REG_BRIGHT_MAX); + + for (i = 0; i < wled->cfg.num_strings; ++i) { + rc = regmap_bulk_write(wled->regmap, wled->sink_addr + +- WLED4_SINK_REG_BRIGHT(i), v, 2); ++ WLED4_SINK_REG_BRIGHT(i), ++ &v, sizeof(v)); + if (rc < 0) + return rc; + } +@@ -273,21 +273,20 @@ static int wled5_set_brightness(struct wled *wled, u16 brightness) + { + int rc, offset; + u16 low_limit = wled->max_brightness * 1 / 1000; +- u8 v[2]; ++ __le16 v; + + /* WLED5's lower limit is 0.1% */ + if (brightness < low_limit) + brightness = low_limit; + +- v[0] = brightness & 0xff; +- v[1] = (brightness >> 8) & 0x7f; ++ v = cpu_to_le16(brightness & WLED5_SINK_REG_BRIGHT_MAX_15B); + + offset = (wled->cfg.mod_sel == MOD_A) ? + WLED5_SINK_REG_MOD_A_BRIGHTNESS_LSB : + WLED5_SINK_REG_MOD_B_BRIGHTNESS_LSB; + + rc = regmap_bulk_write(wled->regmap, wled->sink_addr + offset, +- v, 2); ++ &v, sizeof(v)); + return rc; + } + +-- +2.34.1 + diff --git a/queue-5.10/backlight-qcom-wled-validate-enabled-string-indices-.patch b/queue-5.10/backlight-qcom-wled-validate-enabled-string-indices-.patch new file mode 100644 index 00000000000..ad0fb37c47d --- /dev/null +++ b/queue-5.10/backlight-qcom-wled-validate-enabled-string-indices-.patch @@ -0,0 +1,60 @@ +From 79b28bb71ffc79e6213804d64cd3b373c64dea61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 21:34:51 +0100 +Subject: backlight: qcom-wled: Validate enabled string indices in DT + +From: Marijn Suijten + +[ Upstream commit c05b21ebc5bce3ecc78c2c71afd76d92c790a2ac ] + +The strings passed in DT may possibly cause out-of-bounds register +accesses and should be validated before use. + +Fixes: 775d2ffb4af6 ("backlight: qcom-wled: Restructure the driver for WLED3") +Signed-off-by: Marijn Suijten +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20211115203459.1634079-2-marijn.suijten@somainline.org +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/qcom-wled.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c +index cd11c57764381..2c4290f082025 100644 +--- a/drivers/video/backlight/qcom-wled.c ++++ b/drivers/video/backlight/qcom-wled.c +@@ -1528,12 +1528,28 @@ static int wled_configure(struct wled *wled) + string_len = of_property_count_elems_of_size(dev->of_node, + "qcom,enabled-strings", + sizeof(u32)); +- if (string_len > 0) ++ if (string_len > 0) { ++ if (string_len > wled->max_string_count) { ++ dev_err(dev, "Cannot have more than %d strings\n", ++ wled->max_string_count); ++ return -EINVAL; ++ } ++ + of_property_read_u32_array(dev->of_node, + "qcom,enabled-strings", + wled->cfg.enabled_strings, + sizeof(u32)); + ++ for (i = 0; i < string_len; ++i) { ++ if (wled->cfg.enabled_strings[i] >= wled->max_string_count) { ++ dev_err(dev, ++ "qcom,enabled-strings index %d at %d is out of bounds\n", ++ wled->cfg.enabled_strings[i], i); ++ return -EINVAL; ++ } ++ } ++ } ++ + return 0; + } + +-- +2.34.1 + diff --git a/queue-5.10/batman-adv-allow-netlink-usage-in-unprivileged-conta.patch b/queue-5.10/batman-adv-allow-netlink-usage-in-unprivileged-conta.patch new file mode 100644 index 00000000000..0d5a0289183 --- /dev/null +++ b/queue-5.10/batman-adv-allow-netlink-usage-in-unprivileged-conta.patch @@ -0,0 +1,174 @@ +From 08688887e9cf0ebaaa123a2927bdd233eb277b81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Oct 2021 22:30:12 +0100 +Subject: batman-adv: allow netlink usage in unprivileged containers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +[ Upstream commit 9057d6c23e7388ee9d037fccc9a7bc8557ce277b ] + +Currently, creating a batman-adv interface in an unprivileged LXD +container and attaching secondary interfaces to it with "ip" or "batctl" +works fine. However all batctl debug and configuration commands +fail: + + root@container:~# batctl originators + Error received: Operation not permitted + root@container:~# batctl orig_interval + 1000 + root@container:~# batctl orig_interval 2000 + root@container:~# batctl orig_interval + 1000 + +To fix this change the generic netlink permissions from GENL_ADMIN_PERM +to GENL_UNS_ADMIN_PERM. This way a batman-adv interface is fully +maintainable as root from within a user namespace, from an unprivileged +container. + +All except one batman-adv netlink setting are per interface and do not +leak information or change settings from the host system and are +therefore save to retrieve or modify as root from within an unprivileged +container. + +"batctl routing_algo" / BATADV_CMD_GET_ROUTING_ALGOS is the only +exception: It provides the batman-adv kernel module wide default routing +algorithm. However it is read-only from netlink and an unprivileged +container is still not allowed to modify +/sys/module/batman_adv/parameters/routing_algo. Instead it is advised to +use the newly introduced "batctl if create routing_algo RA_NAME" / +IFLA_BATADV_ALGO_NAME to set the routing algorithm on interface +creation, which already works fine in an unprivileged container. + +Cc: Tycho Andersen +Signed-off-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/netlink.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/net/batman-adv/netlink.c b/net/batman-adv/netlink.c +index c7a55647b520e..121459704b069 100644 +--- a/net/batman-adv/netlink.c ++++ b/net/batman-adv/netlink.c +@@ -1361,21 +1361,21 @@ static const struct genl_small_ops batadv_netlink_ops[] = { + { + .cmd = BATADV_CMD_TP_METER, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + .doit = batadv_netlink_tp_meter_start, + .internal_flags = BATADV_FLAG_NEED_MESH, + }, + { + .cmd = BATADV_CMD_TP_METER_CANCEL, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + .doit = batadv_netlink_tp_meter_cancel, + .internal_flags = BATADV_FLAG_NEED_MESH, + }, + { + .cmd = BATADV_CMD_GET_ROUTING_ALGOS, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + .dumpit = batadv_algo_dump, + }, + { +@@ -1390,68 +1390,68 @@ static const struct genl_small_ops batadv_netlink_ops[] = { + { + .cmd = BATADV_CMD_GET_TRANSTABLE_LOCAL, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + .dumpit = batadv_tt_local_dump, + }, + { + .cmd = BATADV_CMD_GET_TRANSTABLE_GLOBAL, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + .dumpit = batadv_tt_global_dump, + }, + { + .cmd = BATADV_CMD_GET_ORIGINATORS, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + .dumpit = batadv_orig_dump, + }, + { + .cmd = BATADV_CMD_GET_NEIGHBORS, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + .dumpit = batadv_hardif_neigh_dump, + }, + { + .cmd = BATADV_CMD_GET_GATEWAYS, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + .dumpit = batadv_gw_dump, + }, + { + .cmd = BATADV_CMD_GET_BLA_CLAIM, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + .dumpit = batadv_bla_claim_dump, + }, + { + .cmd = BATADV_CMD_GET_BLA_BACKBONE, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + .dumpit = batadv_bla_backbone_dump, + }, + { + .cmd = BATADV_CMD_GET_DAT_CACHE, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + .dumpit = batadv_dat_cache_dump, + }, + { + .cmd = BATADV_CMD_GET_MCAST_FLAGS, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + .dumpit = batadv_mcast_flags_dump, + }, + { + .cmd = BATADV_CMD_SET_MESH, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + .doit = batadv_netlink_set_mesh, + .internal_flags = BATADV_FLAG_NEED_MESH, + }, + { + .cmd = BATADV_CMD_SET_HARDIF, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + .doit = batadv_netlink_set_hardif, + .internal_flags = BATADV_FLAG_NEED_MESH | + BATADV_FLAG_NEED_HARDIF, +@@ -1467,7 +1467,7 @@ static const struct genl_small_ops batadv_netlink_ops[] = { + { + .cmd = BATADV_CMD_SET_VLAN, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +- .flags = GENL_ADMIN_PERM, ++ .flags = GENL_UNS_ADMIN_PERM, + .doit = batadv_netlink_set_vlan, + .internal_flags = BATADV_FLAG_NEED_MESH | + BATADV_FLAG_NEED_VLAN, +-- +2.34.1 + diff --git a/queue-5.10/binder-fix-handling-of-error-during-copy.patch b/queue-5.10/binder-fix-handling-of-error-during-copy.patch new file mode 100644 index 00000000000..04763683412 --- /dev/null +++ b/queue-5.10/binder-fix-handling-of-error-during-copy.patch @@ -0,0 +1,47 @@ +From af58ec3457a0f27118ddf2cd2da1d145997f94ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 10:51:49 -0800 +Subject: binder: fix handling of error during copy + +From: Todd Kjos + +[ Upstream commit fe6b1869243f23a485a106c214bcfdc7aa0ed593 ] + +If a memory copy function fails to copy the whole buffer, +a positive integar with the remaining bytes is returned. +In binder_translate_fd_array() this can result in an fd being +skipped due to the failed copy, but the loop continues +processing fds since the early return condition expects a +negative integer on error. + +Fix by returning "ret > 0 ? -EINVAL : ret" to handle this case. + +Fixes: bb4a2e48d510 ("binder: return errors from buffer copy functions") +Suggested-by: Dan Carpenter +Acked-by: Christian Brauner +Signed-off-by: Todd Kjos +Link: https://lore.kernel.org/r/20211130185152.437403-2-tkjos@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/android/binder.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/android/binder.c b/drivers/android/binder.c +index 80e2bbb36422e..366b124057081 100644 +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -2657,8 +2657,8 @@ static int binder_translate_fd_array(struct binder_fd_array_object *fda, + if (!ret) + ret = binder_translate_fd(fd, offset, t, thread, + in_reply_to); +- if (ret < 0) +- return ret; ++ if (ret) ++ return ret > 0 ? -EINVAL : ret; + } + return 0; + } +-- +2.34.1 + diff --git a/queue-5.10/bluetooth-btmtksdio-fix-resume-failure.patch b/queue-5.10/bluetooth-btmtksdio-fix-resume-failure.patch new file mode 100644 index 00000000000..3e0f48cd2b4 --- /dev/null +++ b/queue-5.10/bluetooth-btmtksdio-fix-resume-failure.patch @@ -0,0 +1,39 @@ +From 3c6e64d4f25cd696de95ffcaca852f989e5a52f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Dec 2021 02:02:47 +0800 +Subject: Bluetooth: btmtksdio: fix resume failure + +From: Sean Wang + +[ Upstream commit 561ae1d46a8ddcbc13162d5771f5ed6c8249e730 ] + +btmtksdio have to rely on MMC_PM_KEEP_POWER in pm_flags to avoid that +SDIO power is being shut off during the device is in suspend. That fixes +the SDIO command fails to access the bus after the device is resumed. + +Fixes: 7f3c563c575e7 ("Bluetooth: btmtksdio: Add runtime PM support to SDIO based Bluetooth") +Co-developed-by: Mark-yw Chen +Signed-off-by: Mark-yw Chen +Signed-off-by: Sean Wang +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btmtksdio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/bluetooth/btmtksdio.c b/drivers/bluetooth/btmtksdio.c +index 5f9f027956317..74856a5862162 100644 +--- a/drivers/bluetooth/btmtksdio.c ++++ b/drivers/bluetooth/btmtksdio.c +@@ -1042,6 +1042,8 @@ static int btmtksdio_runtime_suspend(struct device *dev) + if (!bdev) + return 0; + ++ sdio_set_host_pm_flags(func, MMC_PM_KEEP_POWER); ++ + sdio_claim_host(bdev->func); + + sdio_writel(bdev->func, C_FW_OWN_REQ_SET, MTK_REG_CHLPCR, &err); +-- +2.34.1 + diff --git a/queue-5.10/bluetooth-cmtp-fix-possible-panic-when-cmtp_init_soc.patch b/queue-5.10/bluetooth-cmtp-fix-possible-panic-when-cmtp_init_soc.patch new file mode 100644 index 00000000000..d2bef4aa73b --- /dev/null +++ b/queue-5.10/bluetooth-cmtp-fix-possible-panic-when-cmtp_init_soc.patch @@ -0,0 +1,54 @@ +From 27c3edf2c078593cacfa08d1cfaa5edab77e39b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 21:10:12 +0800 +Subject: Bluetooth: cmtp: fix possible panic when cmtp_init_sockets() fails + +From: Wang Hai + +[ Upstream commit 2a7ca7459d905febf519163bd9e3eed894de6bb7 ] + +I got a kernel BUG report when doing fault injection test: + +------------[ cut here ]------------ +kernel BUG at lib/list_debug.c:45! +... +RIP: 0010:__list_del_entry_valid.cold+0x12/0x4d +... +Call Trace: + proto_unregister+0x83/0x220 + cmtp_cleanup_sockets+0x37/0x40 [cmtp] + cmtp_exit+0xe/0x1f [cmtp] + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +If cmtp_init_sockets() in cmtp_init() fails, cmtp_init() still returns +success. This will cause a kernel bug when accessing uncreated ctmp +related data when the module exits. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/cmtp/core.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c +index 0a2d78e811cf5..83eb84e8e688f 100644 +--- a/net/bluetooth/cmtp/core.c ++++ b/net/bluetooth/cmtp/core.c +@@ -501,9 +501,7 @@ static int __init cmtp_init(void) + { + BT_INFO("CMTP (CAPI Emulation) ver %s", VERSION); + +- cmtp_init_sockets(); +- +- return 0; ++ return cmtp_init_sockets(); + } + + static void __exit cmtp_exit(void) +-- +2.34.1 + diff --git a/queue-5.10/bluetooth-fix-debugfs-entry-leak-in-hci_register_dev.patch b/queue-5.10/bluetooth-fix-debugfs-entry-leak-in-hci_register_dev.patch new file mode 100644 index 00000000000..3dd8895a8ed --- /dev/null +++ b/queue-5.10/bluetooth-fix-debugfs-entry-leak-in-hci_register_dev.patch @@ -0,0 +1,40 @@ +From 55c476410c683051704e5dd1071cc211c137bbaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 16:55:46 +0800 +Subject: Bluetooth: Fix debugfs entry leak in hci_register_dev() + +From: Wei Yongjun + +[ Upstream commit 5a4bb6a8e981d3d0d492aa38412ee80b21033177 ] + +Fault injection test report debugfs entry leak as follows: + +debugfs: Directory 'hci0' with parent 'bluetooth' already present! + +When register_pm_notifier() failed in hci_register_dev(), the debugfs +create by debugfs_create_dir() do not removed in the error handing path. + +Add the remove debugfs code to fix it. + +Signed-off-by: Wei Yongjun +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 2ad66f64879f1..2e7998bad133b 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -3810,6 +3810,7 @@ int hci_register_dev(struct hci_dev *hdev) + return id; + + err_wqueue: ++ debugfs_remove_recursive(hdev->debugfs); + destroy_workqueue(hdev->workqueue); + destroy_workqueue(hdev->req_workqueue); + err: +-- +2.34.1 + diff --git a/queue-5.10/bluetooth-hci_bcm-check-for-error-irq.patch b/queue-5.10/bluetooth-hci_bcm-check-for-error-irq.patch new file mode 100644 index 00000000000..5d2bfe10282 --- /dev/null +++ b/queue-5.10/bluetooth-hci_bcm-check-for-error-irq.patch @@ -0,0 +1,46 @@ +From cd4ad2f6078068001eaa8cb93f2c2fdbe63df19a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Dec 2021 10:53:18 +0800 +Subject: Bluetooth: hci_bcm: Check for error irq + +From: Jiasheng Jiang + +[ Upstream commit b38cd3b42fba66cc538edb9cf77e07881f43f8e2 ] + +For the possible failure of the platform_get_irq(), the returned irq +could be error number and will finally cause the failure of the +request_irq(). +Consider that platform_get_irq() can now in certain cases return +-EPROBE_DEFER, and the consequences of letting request_irq() effectively +convert that into -EINVAL, even at probe time rather than later on. +So it might be better to check just now. + +Fixes: 0395ffc1ee05 ("Bluetooth: hci_bcm: Add PM for BCM devices") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_bcm.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c +index 8ea5ca8d71d6d..259a643377c24 100644 +--- a/drivers/bluetooth/hci_bcm.c ++++ b/drivers/bluetooth/hci_bcm.c +@@ -1164,7 +1164,12 @@ static int bcm_probe(struct platform_device *pdev) + return -ENOMEM; + + dev->dev = &pdev->dev; +- dev->irq = platform_get_irq(pdev, 0); ++ ++ ret = platform_get_irq(pdev, 0); ++ if (ret < 0) ++ return ret; ++ ++ dev->irq = ret; + + /* Initialize routing field to an unused value */ + dev->pcm_int_params[0] = 0xff; +-- +2.34.1 + diff --git a/queue-5.10/bluetooth-hci_qca-fix-null-vs-is_err_or_null-check-i.patch b/queue-5.10/bluetooth-hci_qca-fix-null-vs-is_err_or_null-check-i.patch new file mode 100644 index 00000000000..ede75af9fcd --- /dev/null +++ b/queue-5.10/bluetooth-hci_qca-fix-null-vs-is_err_or_null-check-i.patch @@ -0,0 +1,39 @@ +From ea65e7d46be33ff538f6bfff24973489fad1b87e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Dec 2021 08:02:49 +0000 +Subject: Bluetooth: hci_qca: Fix NULL vs IS_ERR_OR_NULL check in + qca_serdev_probe + +From: Miaoqian Lin + +[ Upstream commit 6845667146a28c09b5dfc401c1ad112374087944 ] + +The function devm_gpiod_get_index() return error pointers on error. +Thus devm_gpiod_get_index_optional() could return NULL and error pointers. +The same as devm_gpiod_get_optional() function. Using IS_ERR_OR_NULL() +check to catch error pointers. + +Fixes: 77131dfe ("Bluetooth: hci_qca: Replace devm_gpiod_get() with devm_gpiod_get_optional()") +Signed-off-by: Miaoqian Lin +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_qca.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index 4f8a32601c1b6..dc7ee5dd2eeca 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -1990,7 +1990,7 @@ static int qca_serdev_probe(struct serdev_device *serdev) + + qcadev->bt_en = devm_gpiod_get_optional(&serdev->dev, "enable", + GPIOD_OUT_LOW); +- if (!qcadev->bt_en) { ++ if (IS_ERR_OR_NULL(qcadev->bt_en)) { + dev_warn(&serdev->dev, "failed to acquire enable gpio\n"); + power_ctrl_enabled = false; + } +-- +2.34.1 + diff --git a/queue-5.10/bluetooth-hci_qca-stop-ibs-timer-during-bt-off.patch b/queue-5.10/bluetooth-hci_qca-stop-ibs-timer-during-bt-off.patch new file mode 100644 index 00000000000..4916b9ff8e2 --- /dev/null +++ b/queue-5.10/bluetooth-hci_qca-stop-ibs-timer-during-bt-off.patch @@ -0,0 +1,38 @@ +From dfa08834ccca214bd542c284f387dcae253eedeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 12:59:05 +0530 +Subject: Bluetooth: hci_qca: Stop IBS timer during BT OFF + +From: Panicker Harish + +[ Upstream commit df1e5c51492fd93ffc293acdcc6f00698d19fedc ] + +The IBS timers are not stopped properly once BT OFF is triggered. +we could see IBS commands being sent along with version command, +so stopped IBS timers while Bluetooth is off. + +Fixes: 3e4be65eb82c ("Bluetooth: hci_qca: Add poweroff support during hci down for wcn3990") +Signed-off-by: Panicker Harish +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_qca.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index 4184faef9f169..4f8a32601c1b6 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -1844,6 +1844,9 @@ static int qca_power_off(struct hci_dev *hdev) + hu->hdev->hw_error = NULL; + hu->hdev->cmd_timeout = NULL; + ++ del_timer_sync(&qca->wake_retrans_timer); ++ del_timer_sync(&qca->tx_idle_timer); ++ + /* Stop sending shutdown command if soc crashes. */ + if (soc_type != QCA_ROME + && qca->memdump_state == QCA_MEMDUMP_IDLE) { +-- +2.34.1 + diff --git a/queue-5.10/bluetooth-l2cap-fix-not-initializing-sk_peer_pid.patch b/queue-5.10/bluetooth-l2cap-fix-not-initializing-sk_peer_pid.patch new file mode 100644 index 00000000000..d57e2f3f0ac --- /dev/null +++ b/queue-5.10/bluetooth-l2cap-fix-not-initializing-sk_peer_pid.patch @@ -0,0 +1,68 @@ +From d698650b9d233a19982b11e96f4e21c2516d0a39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 13:26:25 -0700 +Subject: Bluetooth: L2CAP: Fix not initializing sk_peer_pid + +From: Luiz Augusto von Dentz + +[ Upstream commit f5ff291098f70a70b344df1e388596755c3c8315 ] + +In order to group sockets being connected using L2CAP_MODE_EXT_FLOWCTL +the pid is used but sk_peer_pid was not being initialized as it is +currently only done for af_unix. + +Fixes: b48596d1dc25 ("Bluetooth: L2CAP: Add get_peer_pid callback") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 160c016a5dfb9..4574c5cb1b596 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -172,6 +172,21 @@ done: + return err; + } + ++static void l2cap_sock_init_pid(struct sock *sk) ++{ ++ struct l2cap_chan *chan = l2cap_pi(sk)->chan; ++ ++ /* Only L2CAP_MODE_EXT_FLOWCTL ever need to access the PID in order to ++ * group the channels being requested. ++ */ ++ if (chan->mode != L2CAP_MODE_EXT_FLOWCTL) ++ return; ++ ++ spin_lock(&sk->sk_peer_lock); ++ sk->sk_peer_pid = get_pid(task_tgid(current)); ++ spin_unlock(&sk->sk_peer_lock); ++} ++ + static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, + int alen, int flags) + { +@@ -243,6 +258,8 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, + if (chan->psm && bdaddr_type_is_le(chan->src_type) && !chan->mode) + chan->mode = L2CAP_MODE_LE_FLOWCTL; + ++ l2cap_sock_init_pid(sk); ++ + err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid), + &la.l2_bdaddr, la.l2_bdaddr_type); + if (err) +@@ -298,6 +315,8 @@ static int l2cap_sock_listen(struct socket *sock, int backlog) + goto done; + } + ++ l2cap_sock_init_pid(sk); ++ + sk->sk_max_ack_backlog = backlog; + sk->sk_ack_backlog = 0; + +-- +2.34.1 + diff --git a/queue-5.10/bluetooth-l2cap-fix-using-wrong-mode.patch b/queue-5.10/bluetooth-l2cap-fix-using-wrong-mode.patch new file mode 100644 index 00000000000..b1cdfd9be5c --- /dev/null +++ b/queue-5.10/bluetooth-l2cap-fix-using-wrong-mode.patch @@ -0,0 +1,54 @@ +From 4a56383883d91ef61cc394e709d365c059d12931 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Dec 2021 15:35:48 -0800 +Subject: Bluetooth: L2CAP: Fix using wrong mode + +From: Luiz Augusto von Dentz + +[ Upstream commit 30d57722732d9736554f85f75f9d7ad5402d192e ] + +If user has a set to use SOCK_STREAM the socket would default to +L2CAP_MODE_ERTM which later needs to be adjusted if the destination +address is LE which doesn't support such mode. + +Fixes: 15f02b9105625 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 4574c5cb1b596..251017c69ab7f 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -161,7 +161,11 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) + break; + } + +- if (chan->psm && bdaddr_type_is_le(chan->src_type)) ++ /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and ++ * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set. ++ */ ++ if (chan->psm && bdaddr_type_is_le(chan->src_type) && ++ chan->mode != L2CAP_MODE_EXT_FLOWCTL) + chan->mode = L2CAP_MODE_LE_FLOWCTL; + + chan->state = BT_BOUND; +@@ -255,7 +259,11 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, + return -EINVAL; + } + +- if (chan->psm && bdaddr_type_is_le(chan->src_type) && !chan->mode) ++ /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and ++ * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set. ++ */ ++ if (chan->psm && bdaddr_type_is_le(chan->src_type) && ++ chan->mode != L2CAP_MODE_EXT_FLOWCTL) + chan->mode = L2CAP_MODE_LE_FLOWCTL; + + l2cap_sock_init_pid(sk); +-- +2.34.1 + diff --git a/queue-5.10/bluetooth-l2cap-uninitialized-variables-in-l2cap_soc.patch b/queue-5.10/bluetooth-l2cap-uninitialized-variables-in-l2cap_soc.patch new file mode 100644 index 00000000000..ee40cefd69d --- /dev/null +++ b/queue-5.10/bluetooth-l2cap-uninitialized-variables-in-l2cap_soc.patch @@ -0,0 +1,74 @@ +From 47bd74f86a10778369775801b1c9439da03ea9bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jan 2022 10:16:44 +0300 +Subject: Bluetooth: L2CAP: uninitialized variables in l2cap_sock_setsockopt() + +From: Dan Carpenter + +[ Upstream commit 2b70d4f9b20635ac328836e50d183632e1930f94 ] + +The "opt" variable is a u32, but on some paths only the top bytes +were initialized and the others contained random stack data. + +Fixes: a7b75c5a8c41 ("net: pass a sockptr_t into ->setsockopt") +Signed-off-by: Dan Carpenter +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 251017c69ab7f..d2c6785205992 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -903,6 +903,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + struct l2cap_conn *conn; + int len, err = 0; + u32 opt; ++ u16 mtu; ++ u8 mode; + + BT_DBG("sk %p", sk); + +@@ -1085,16 +1087,16 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- if (copy_from_sockptr(&opt, optval, sizeof(u16))) { ++ if (copy_from_sockptr(&mtu, optval, sizeof(u16))) { + err = -EFAULT; + break; + } + + if (chan->mode == L2CAP_MODE_EXT_FLOWCTL && + sk->sk_state == BT_CONNECTED) +- err = l2cap_chan_reconfigure(chan, opt); ++ err = l2cap_chan_reconfigure(chan, mtu); + else +- chan->imtu = opt; ++ chan->imtu = mtu; + + break; + +@@ -1116,14 +1118,14 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- if (copy_from_sockptr(&opt, optval, sizeof(u8))) { ++ if (copy_from_sockptr(&mode, optval, sizeof(u8))) { + err = -EFAULT; + break; + } + +- BT_DBG("opt %u", opt); ++ BT_DBG("mode %u", mode); + +- err = l2cap_set_mode(chan, opt); ++ err = l2cap_set_mode(chan, mode); + if (err) + break; + +-- +2.34.1 + diff --git a/queue-5.10/bluetooth-stop-proccessing-malicious-adv-data.patch b/queue-5.10/bluetooth-stop-proccessing-malicious-adv-data.patch new file mode 100644 index 00000000000..10b322814c1 --- /dev/null +++ b/queue-5.10/bluetooth-stop-proccessing-malicious-adv-data.patch @@ -0,0 +1,54 @@ +From 759209074f8aefd79d7a835c410d558ee33a23f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Nov 2021 10:12:12 +0300 +Subject: Bluetooth: stop proccessing malicious adv data + +From: Pavel Skripkin + +[ Upstream commit 3a56ef719f0b9682afb8a86d64b2399e36faa4e6 ] + +Syzbot reported slab-out-of-bounds read in hci_le_adv_report_evt(). The +problem was in missing validaion check. + +We should check if data is not malicious and we can read next data block. +If we won't check ptr validness, code can read a way beyond skb->end and +it can cause problems, of course. + +Fixes: e95beb414168 ("Bluetooth: hci_le_adv_report_evt code refactoring") +Reported-and-tested-by: syzbot+e3fcb9c4f3c2a931dc40@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 9f52145bb7b76..7ffcca9ae82a1 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -5661,7 +5661,8 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) + struct hci_ev_le_advertising_info *ev = ptr; + s8 rssi; + +- if (ev->length <= HCI_MAX_AD_LENGTH) { ++ if (ev->length <= HCI_MAX_AD_LENGTH && ++ ev->data + ev->length <= skb_tail_pointer(skb)) { + rssi = ev->data[ev->length]; + process_adv_report(hdev, ev->evt_type, &ev->bdaddr, + ev->bdaddr_type, NULL, 0, rssi, +@@ -5671,6 +5672,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) + } + + ptr += sizeof(*ev) + ev->length + 1; ++ ++ if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) { ++ bt_dev_err(hdev, "Malicious advertising data. Stopping processing"); ++ break; ++ } + } + + hci_dev_unlock(hdev); +-- +2.34.1 + diff --git a/queue-5.10/bluetooth-vhci-set-hci_quirk_valid_le_states.patch b/queue-5.10/bluetooth-vhci-set-hci_quirk_valid_le_states.patch new file mode 100644 index 00000000000..431f01ad891 --- /dev/null +++ b/queue-5.10/bluetooth-vhci-set-hci_quirk_valid_le_states.patch @@ -0,0 +1,35 @@ +From fadfa472b38c9c935950bc00768128bab8bc4615 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 12:22:01 -0800 +Subject: Bluetooth: vhci: Set HCI_QUIRK_VALID_LE_STATES + +From: Luiz Augusto von Dentz + +[ Upstream commit cfb4c313be670fd4bd09650216620fa4514cdb93 ] + +This set HCI_QUIRK_VALID_LE_STATES quirk which is required for the likes +of experimental LE simultaneous roles. + +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_vhci.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c +index 8ab26dec5f6e8..8469f9876dd26 100644 +--- a/drivers/bluetooth/hci_vhci.c ++++ b/drivers/bluetooth/hci_vhci.c +@@ -121,6 +121,8 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode) + if (opcode & 0x80) + set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks); + ++ set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); ++ + if (hci_register_dev(hdev) < 0) { + BT_ERR("Can't register HCI device"); + hci_free_dev(hdev); +-- +2.34.1 + diff --git a/queue-5.10/bpf-adjust-btf-log-size-limit.patch b/queue-5.10/bpf-adjust-btf-log-size-limit.patch new file mode 100644 index 00000000000..d31fb763016 --- /dev/null +++ b/queue-5.10/bpf-adjust-btf-log-size-limit.patch @@ -0,0 +1,37 @@ +From fd74353b5ab402a580d771a466673abc1b91f38b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 10:10:29 -0800 +Subject: bpf: Adjust BTF log size limit. + +From: Alexei Starovoitov + +[ Upstream commit c5a2d43e998a821701029f23e25b62f9188e93ff ] + +Make BTF log size limit to be the same as the verifier log size limit. +Otherwise tools that progressively increase log size and use the same log +for BTF loading and program loading will be hitting hard to debug EINVAL. + +Signed-off-by: Alexei Starovoitov +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20211201181040.23337-7-alexei.starovoitov@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/btf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c +index aaf2fbaa0cc76..72534a6f4b96e 100644 +--- a/kernel/bpf/btf.c ++++ b/kernel/bpf/btf.c +@@ -4135,7 +4135,7 @@ static struct btf *btf_parse(void __user *btf_data, u32 btf_data_size, + log->len_total = log_size; + + /* log attributes have to be sane */ +- if (log->len_total < 128 || log->len_total > UINT_MAX >> 8 || ++ if (log->len_total < 128 || log->len_total > UINT_MAX >> 2 || + !log->level || !log->ubuf) { + err = -EINVAL; + goto errout; +-- +2.34.1 + diff --git a/queue-5.10/bpf-disallow-bpf_log_kernel-log-level-for-bpf-bpf_bt.patch b/queue-5.10/bpf-disallow-bpf_log_kernel-log-level-for-bpf-bpf_bt.patch new file mode 100644 index 00000000000..ae19dbb295c --- /dev/null +++ b/queue-5.10/bpf-disallow-bpf_log_kernel-log-level-for-bpf-bpf_bt.patch @@ -0,0 +1,81 @@ +From f36978f7b253c56e6d275bae138e4617a10dd7c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Dec 2021 13:30:01 +0800 +Subject: bpf: Disallow BPF_LOG_KERNEL log level for bpf(BPF_BTF_LOAD) + +From: Hou Tao + +[ Upstream commit 866de407444398bc8140ea70de1dba5f91cc34ac ] + +BPF_LOG_KERNEL is only used internally, so disallow bpf_btf_load() +to set log level as BPF_LOG_KERNEL. The same checking has already +been done in bpf_check(), so factor out a helper to check the +validity of log attributes and use it in both places. + +Fixes: 8580ac9404f6 ("bpf: Process in-kernel BTF") +Signed-off-by: Hou Tao +Signed-off-by: Alexei Starovoitov +Acked-by: Yonghong Song +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/20211203053001.740945-1-houtao1@huawei.com +Signed-off-by: Sasha Levin +--- + include/linux/bpf_verifier.h | 7 +++++++ + kernel/bpf/btf.c | 3 +-- + kernel/bpf/verifier.c | 6 +++--- + 3 files changed, 11 insertions(+), 5 deletions(-) + +diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h +index 6e330ff2f28df..391bc1480dfb1 100644 +--- a/include/linux/bpf_verifier.h ++++ b/include/linux/bpf_verifier.h +@@ -367,6 +367,13 @@ static inline bool bpf_verifier_log_needed(const struct bpf_verifier_log *log) + log->level == BPF_LOG_KERNEL); + } + ++static inline bool ++bpf_verifier_log_attr_valid(const struct bpf_verifier_log *log) ++{ ++ return log->len_total >= 128 && log->len_total <= UINT_MAX >> 2 && ++ log->level && log->ubuf && !(log->level & ~BPF_LOG_MASK); ++} ++ + #define BPF_MAX_SUBPROGS 256 + + struct bpf_subprog_info { +diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c +index 72534a6f4b96e..dc497eaf22663 100644 +--- a/kernel/bpf/btf.c ++++ b/kernel/bpf/btf.c +@@ -4135,8 +4135,7 @@ static struct btf *btf_parse(void __user *btf_data, u32 btf_data_size, + log->len_total = log_size; + + /* log attributes have to be sane */ +- if (log->len_total < 128 || log->len_total > UINT_MAX >> 2 || +- !log->level || !log->ubuf) { ++ if (!bpf_verifier_log_attr_valid(log)) { + err = -EINVAL; + goto errout; + } +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index b43c9de34a2c2..c623c3e549210 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -12349,11 +12349,11 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr, + log->ubuf = (char __user *) (unsigned long) attr->log_buf; + log->len_total = attr->log_size; + +- ret = -EINVAL; + /* log attributes have to be sane */ +- if (log->len_total < 128 || log->len_total > UINT_MAX >> 2 || +- !log->level || !log->ubuf || log->level & ~BPF_LOG_MASK) ++ if (!bpf_verifier_log_attr_valid(log)) { ++ ret = -EINVAL; + goto err_unlock; ++ } + } + + if (IS_ERR(btf_vmlinux)) { +-- +2.34.1 + diff --git a/queue-5.10/bpf-do-not-warn-in-bpf_warn_invalid_xdp_action.patch b/queue-5.10/bpf-do-not-warn-in-bpf_warn_invalid_xdp_action.patch new file mode 100644 index 00000000000..99bacadaf92 --- /dev/null +++ b/queue-5.10/bpf-do-not-warn-in-bpf_warn_invalid_xdp_action.patch @@ -0,0 +1,51 @@ +From f0bc84dfac6293184200e65b914a95ae38bbb264 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 11:08:06 +0100 +Subject: bpf: Do not WARN in bpf_warn_invalid_xdp_action() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paolo Abeni + +[ Upstream commit 2cbad989033bff0256675c38f96f5faab852af4b ] + +The WARN_ONCE() in bpf_warn_invalid_xdp_action() can be triggered by +any bugged program, and even attaching a correct program to a NIC +not supporting the given action. + +The resulting splat, beyond polluting the logs, fouls automated tools: +e.g. a syzkaller reproducers using an XDP program returning an +unsupported action will never pass validation. + +Replace the WARN_ONCE with a less intrusive pr_warn_once(). + +Signed-off-by: Paolo Abeni +Signed-off-by: Daniel Borkmann +Acked-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/bpf/016ceec56e4817ebb2a9e35ce794d5c917df572c.1638189075.git.pabeni@redhat.com +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index 706c31ae65b01..7fa4283f2a8c0 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -7921,9 +7921,9 @@ void bpf_warn_invalid_xdp_action(u32 act) + { + const u32 act_max = XDP_REDIRECT; + +- WARN_ONCE(1, "%s XDP return value %u, expect packet loss!\n", +- act > act_max ? "Illegal" : "Driver unsupported", +- act); ++ pr_warn_once("%s XDP return value %u, expect packet loss!\n", ++ act > act_max ? "Illegal" : "Driver unsupported", ++ act); + } + EXPORT_SYMBOL_GPL(bpf_warn_invalid_xdp_action); + +-- +2.34.1 + diff --git a/queue-5.10/bpf-don-t-promote-bogus-looking-registers-after-null.patch b/queue-5.10/bpf-don-t-promote-bogus-looking-registers-after-null.patch new file mode 100644 index 00000000000..d665c8fee91 --- /dev/null +++ b/queue-5.10/bpf-don-t-promote-bogus-looking-registers-after-null.patch @@ -0,0 +1,53 @@ +From 18e7be3d4962d36afb2c27443d7e7e9f14643ed4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jan 2022 11:35:13 -0800 +Subject: bpf: Don't promote bogus looking registers after null check. + +From: Daniel Borkmann + +[ Upstream commit e60b0d12a95dcf16a63225cead4541567f5cb517 ] + +If we ever get to a point again where we convert a bogus looking _or_null +typed register containing a non-zero fixed or variable offset, then lets not +reset these bounds to zero since they are not and also don't promote the register +to a type, but instead leave it as _or_null. Converting to a unknown +register could be an avenue as well, but then if we run into this case it would +allow to leak a kernel pointer this way. + +Fixes: f1174f77b50c ("bpf/verifier: rework value tracking") +Signed-off-by: Daniel Borkmann +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index c623c3e549210..015bf2ba4a0b6 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -7725,15 +7725,15 @@ static void mark_ptr_or_null_reg(struct bpf_func_state *state, + { + if (reg_type_may_be_null(reg->type) && reg->id == id && + !WARN_ON_ONCE(!reg->id)) { +- /* Old offset (both fixed and variable parts) should +- * have been known-zero, because we don't allow pointer +- * arithmetic on pointers that might be NULL. +- */ + if (WARN_ON_ONCE(reg->smin_value || reg->smax_value || + !tnum_equals_const(reg->var_off, 0) || + reg->off)) { +- __mark_reg_known_zero(reg); +- reg->off = 0; ++ /* Old offset (both fixed and variable parts) should ++ * have been known-zero, because we don't allow pointer ++ * arithmetic on pointers that might be NULL. If we ++ * see this happening, don't convert the register. ++ */ ++ return; + } + if (is_null) { + reg->type = SCALAR_VALUE; +-- +2.34.1 + diff --git a/queue-5.10/bpf-fix-so_rcvbuf-so_sndbuf-handling-in-_bpf_setsock.patch b/queue-5.10/bpf-fix-so_rcvbuf-so_sndbuf-handling-in-_bpf_setsock.patch new file mode 100644 index 00000000000..0bbf207e819 --- /dev/null +++ b/queue-5.10/bpf-fix-so_rcvbuf-so_sndbuf-handling-in-_bpf_setsock.patch @@ -0,0 +1,46 @@ +From 59b6dc6355d50f2082fa6111a527b72bac614e2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jan 2022 10:31:48 +0900 +Subject: bpf: Fix SO_RCVBUF/SO_SNDBUF handling in _bpf_setsockopt(). + +From: Kuniyuki Iwashima + +[ Upstream commit 04c350b1ae6bdb12b84009a4d0bf5ab4e621c47b ] + +The commit 4057765f2dee ("sock: consistent handling of extreme +SO_SNDBUF/SO_RCVBUF values") added a change to prevent underflow +in setsockopt() around SO_SNDBUF/SO_RCVBUF. + +This patch adds the same change to _bpf_setsockopt(). + +Fixes: 4057765f2dee ("sock: consistent handling of extreme SO_SNDBUF/SO_RCVBUF values") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20220104013153.97906-2-kuniyu@amazon.co.jp +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/core/filter.c b/net/core/filter.c +index abd58dce49bbc..706c31ae65b01 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -4711,12 +4711,14 @@ static int _bpf_setsockopt(struct sock *sk, int level, int optname, + switch (optname) { + case SO_RCVBUF: + val = min_t(u32, val, sysctl_rmem_max); ++ val = min_t(int, val, INT_MAX / 2); + sk->sk_userlocks |= SOCK_RCVBUF_LOCK; + WRITE_ONCE(sk->sk_rcvbuf, + max_t(int, val * 2, SOCK_MIN_RCVBUF)); + break; + case SO_SNDBUF: + val = min_t(u32, val, sysctl_wmem_max); ++ val = min_t(int, val, INT_MAX / 2); + sk->sk_userlocks |= SOCK_SNDBUF_LOCK; + WRITE_ONCE(sk->sk_sndbuf, + max_t(int, val * 2, SOCK_MIN_SNDBUF)); +-- +2.34.1 + diff --git a/queue-5.10/bpf-remove-config-check-to-enable-bpf-support-for-br.patch b/queue-5.10/bpf-remove-config-check-to-enable-bpf-support-for-br.patch new file mode 100644 index 00000000000..9e357608ab4 --- /dev/null +++ b/queue-5.10/bpf-remove-config-check-to-enable-bpf-support-for-br.patch @@ -0,0 +1,96 @@ +From b8eb326a948f241d240e233eb44a1e013f39dbf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Dec 2021 13:03:15 +0530 +Subject: bpf: Remove config check to enable bpf support for branch records + +From: Kajol Jain + +[ Upstream commit db52f57211b4e45f0ebb274e2c877b211dc18591 ] + +Branch data available to BPF programs can be very useful to get stack traces +out of userspace application. + +Commit fff7b64355ea ("bpf: Add bpf_read_branch_records() helper") added BPF +support to capture branch records in x86. Enable this feature also for other +architectures as well by removing checks specific to x86. + +If an architecture doesn't support branch records, bpf_read_branch_records() +still has appropriate checks and it will return an -EINVAL in that scenario. +Based on UAPI helper doc in include/uapi/linux/bpf.h, unsupported architectures +should return -ENOENT in such case. Hence, update the appropriate check to +return -ENOENT instead. + +Selftest 'perf_branches' result on power9 machine which has the branch stacks +support: + + - Before this patch: + + [command]# ./test_progs -t perf_branches + #88/1 perf_branches/perf_branches_hw:FAIL + #88/2 perf_branches/perf_branches_no_hw:OK + #88 perf_branches:FAIL + Summary: 0/1 PASSED, 0 SKIPPED, 1 FAILED + + - After this patch: + + [command]# ./test_progs -t perf_branches + #88/1 perf_branches/perf_branches_hw:OK + #88/2 perf_branches/perf_branches_no_hw:OK + #88 perf_branches:OK + Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED + +Selftest 'perf_branches' result on power9 machine which doesn't have branch +stack report: + + - After this patch: + + [command]# ./test_progs -t perf_branches + #88/1 perf_branches/perf_branches_hw:SKIP + #88/2 perf_branches/perf_branches_no_hw:OK + #88 perf_branches:OK + Summary: 1/1 PASSED, 1 SKIPPED, 0 FAILED + +Fixes: fff7b64355eac ("bpf: Add bpf_read_branch_records() helper") +Suggested-by: Peter Zijlstra +Signed-off-by: Kajol Jain +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20211206073315.77432-1-kjain@linux.ibm.com +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index ba644760f5076..a9e074769881f 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -1517,9 +1517,6 @@ static const struct bpf_func_proto bpf_perf_prog_read_value_proto = { + BPF_CALL_4(bpf_read_branch_records, struct bpf_perf_event_data_kern *, ctx, + void *, buf, u32, size, u64, flags) + { +-#ifndef CONFIG_X86 +- return -ENOENT; +-#else + static const u32 br_entry_size = sizeof(struct perf_branch_entry); + struct perf_branch_stack *br_stack = ctx->data->br_stack; + u32 to_copy; +@@ -1528,7 +1525,7 @@ BPF_CALL_4(bpf_read_branch_records, struct bpf_perf_event_data_kern *, ctx, + return -EINVAL; + + if (unlikely(!br_stack)) +- return -EINVAL; ++ return -ENOENT; + + if (flags & BPF_F_GET_BRANCH_RECORDS_SIZE) + return br_stack->nr * br_entry_size; +@@ -1540,7 +1537,6 @@ BPF_CALL_4(bpf_read_branch_records, struct bpf_perf_event_data_kern *, ctx, + memcpy(buf, br_stack->entries, to_copy); + + return to_copy; +-#endif + } + + static const struct bpf_func_proto bpf_read_branch_records_proto = { +-- +2.34.1 + diff --git a/queue-5.10/bpftool-enable-line-buffering-for-stdout.patch b/queue-5.10/bpftool-enable-line-buffering-for-stdout.patch new file mode 100644 index 00000000000..d3c81de9f29 --- /dev/null +++ b/queue-5.10/bpftool-enable-line-buffering-for-stdout.patch @@ -0,0 +1,41 @@ +From cd50d12cbf7d205a602bc8aa405958925feae98b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 22:45:28 +0100 +Subject: bpftool: Enable line buffering for stdout + +From: Paul Chaignon + +[ Upstream commit 1a1a0b0364ad291bd8e509da104ac8b5b1afec5d ] + +The output of bpftool prog tracelog is currently buffered, which is +inconvenient when piping the output into other commands. A simple +tracelog | grep will typically not display anything. This patch fixes it +by enabling line buffering on stdout for the whole bpftool binary. + +Fixes: 30da46b5dc3a ("tools: bpftool: add a command to dump the trace pipe") +Signed-off-by: Quentin Monnet +Signed-off-by: Paul Chaignon +Signed-off-by: Andrii Nakryiko +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20211220214528.GA11706@Mem +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/bpf/bpftool/main.c b/tools/bpf/bpftool/main.c +index c58a135dc355e..1854d6b978604 100644 +--- a/tools/bpf/bpftool/main.c ++++ b/tools/bpf/bpftool/main.c +@@ -396,6 +396,8 @@ int main(int argc, char **argv) + }; + int opt, ret; + ++ setlinebuf(stdout); ++ + last_do_help = do_help; + pretty_output = false; + json_output = false; +-- +2.34.1 + diff --git a/queue-5.10/btrfs-remove-bug_on-eie-in-find_parent_nodes.patch b/queue-5.10/btrfs-remove-bug_on-eie-in-find_parent_nodes.patch new file mode 100644 index 00000000000..5388d534676 --- /dev/null +++ b/queue-5.10/btrfs-remove-bug_on-eie-in-find_parent_nodes.patch @@ -0,0 +1,54 @@ +From f3b7c277e9d3b9f8febc50f84312076252dc516c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 16:45:35 -0400 +Subject: btrfs: remove BUG_ON(!eie) in find_parent_nodes + +From: Josef Bacik + +[ Upstream commit 9f05c09d6baef789726346397438cca4ec43c3ee ] + +If we're looking for leafs that point to a data extent we want to record +the extent items that point at our bytenr. At this point we have the +reference and we know for a fact that this leaf should have a reference +to our bytenr. However if there's some sort of corruption we may not +find any references to our leaf, and thus could end up with eie == NULL. +Replace this BUG_ON() with an ASSERT() and then return -EUCLEAN for the +mortals. + +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/backref.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c +index 8b471579e26e1..baff31a147e7d 100644 +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -1366,10 +1366,18 @@ again: + goto out; + if (!ret && extent_item_pos) { + /* +- * we've recorded that parent, so we must extend +- * its inode list here ++ * We've recorded that parent, so we must extend ++ * its inode list here. ++ * ++ * However if there was corruption we may not ++ * have found an eie, return an error in this ++ * case. + */ +- BUG_ON(!eie); ++ ASSERT(eie); ++ if (!eie) { ++ ret = -EUCLEAN; ++ goto out; ++ } + while (eie->next) + eie = eie->next; + eie->next = ref->inode_list; +-- +2.34.1 + diff --git a/queue-5.10/btrfs-remove-bug_on-in-find_parent_nodes.patch b/queue-5.10/btrfs-remove-bug_on-in-find_parent_nodes.patch new file mode 100644 index 00000000000..058f335523d --- /dev/null +++ b/queue-5.10/btrfs-remove-bug_on-in-find_parent_nodes.patch @@ -0,0 +1,42 @@ +From 6e92d99a610d876725deed549ef01df55efd5f63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 16:45:34 -0400 +Subject: btrfs: remove BUG_ON() in find_parent_nodes() + +From: Josef Bacik + +[ Upstream commit fcba0120edf88328524a4878d1d6f4ad39f2ec81 ] + +We search for an extent entry with .offset = -1, which shouldn't be a +thing, but corruption happens. Add an ASSERT() for the developers, +return -EUCLEAN for mortals. + +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/backref.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c +index 6e447bdaf9ec8..8b471579e26e1 100644 +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -1213,7 +1213,12 @@ again: + ret = btrfs_search_slot(trans, fs_info->extent_root, &key, path, 0, 0); + if (ret < 0) + goto out; +- BUG_ON(ret == 0); ++ if (ret == 0) { ++ /* This shouldn't happen, indicates a bug or fs corruption. */ ++ ASSERT(ret != 0); ++ ret = -EUCLEAN; ++ goto out; ++ } + + #ifdef CONFIG_BTRFS_FS_RUN_SANITY_TESTS + if (trans && likely(trans->type != __TRANS_DUMMY) && +-- +2.34.1 + diff --git a/queue-5.10/can-mcp251xfd-add-missing-newline-to-printed-strings.patch b/queue-5.10/can-mcp251xfd-add-missing-newline-to-printed-strings.patch new file mode 100644 index 00000000000..c0e1a0dab72 --- /dev/null +++ b/queue-5.10/can-mcp251xfd-add-missing-newline-to-printed-strings.patch @@ -0,0 +1,44 @@ +From 931ce9a67b7f7490807eab2fe8a95c38d84cac25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 17:05:25 +0200 +Subject: can: mcp251xfd: add missing newline to printed strings + +From: Marc Kleine-Budde + +[ Upstream commit 3bd9d8ce6f8c5c43ee2f1106021db0f98882cc75 ] + +This patch adds the missing newline to printed strings. + +Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") +Link: https://lore.kernel.org/all/20220105154300.1258636-4-mkl@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c +index 4e13f6dfb91a2..e0b322ab03628 100644 +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c +@@ -2497,7 +2497,7 @@ static int mcp251xfd_register_chip_detect(struct mcp251xfd_priv *priv) + if (!mcp251xfd_is_251X(priv) && + priv->devtype_data.model != devtype_data->model) { + netdev_info(ndev, +- "Detected %s, but firmware specifies a %s. Fixing up.", ++ "Detected %s, but firmware specifies a %s. Fixing up.\n", + __mcp251xfd_get_model_str(devtype_data->model), + mcp251xfd_get_model_str(priv)); + } +@@ -2534,7 +2534,7 @@ static int mcp251xfd_register_check_rx_int(struct mcp251xfd_priv *priv) + return 0; + + netdev_info(priv->ndev, +- "RX_INT active after softreset, disabling RX_INT support."); ++ "RX_INT active after softreset, disabling RX_INT support.\n"); + devm_gpiod_put(&priv->spi->dev, priv->rx_int); + priv->rx_int = NULL; + +-- +2.34.1 + diff --git a/queue-5.10/can-softing-softing_startstop-fix-set-but-not-used-v.patch b/queue-5.10/can-softing-softing_startstop-fix-set-but-not-used-v.patch new file mode 100644 index 00000000000..f039165cd29 --- /dev/null +++ b/queue-5.10/can-softing-softing_startstop-fix-set-but-not-used-v.patch @@ -0,0 +1,63 @@ +From cb2b8afd2162fd88ecd6b372357870147a693b1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jan 2022 21:57:51 +0100 +Subject: can: softing: softing_startstop(): fix set but not used variable + warning + +From: Marc Kleine-Budde + +[ Upstream commit 370d988cc529598ebaec6487d4f84c2115dc696b ] + +In the function softing_startstop() the variable error_reporting is +assigned but not used. The code that uses this variable is commented +out. Its stated that the functionality is not finally verified. + +To fix the warning: + +| drivers/net/can/softing/softing_fw.c:424:9: error: variable 'error_reporting' set but not used [-Werror,-Wunused-but-set-variable] + +remove the comment, activate the code, but add a "0 &&" to the if +expression and rely on the optimizer rather than the preprocessor to +remove the code. + +Link: https://lore.kernel.org/all/20220109103126.1872833-1-mkl@pengutronix.de +Fixes: 03fd3cf5a179 ("can: add driver for Softing card") +Cc: Kurt Van Dijck +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/softing/softing_fw.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/can/softing/softing_fw.c b/drivers/net/can/softing/softing_fw.c +index ccd649a8e37bd..bad69a4abec10 100644 +--- a/drivers/net/can/softing/softing_fw.c ++++ b/drivers/net/can/softing/softing_fw.c +@@ -565,18 +565,19 @@ int softing_startstop(struct net_device *dev, int up) + if (ret < 0) + goto failed; + } +- /* enable_error_frame */ +- /* ++ ++ /* enable_error_frame ++ * + * Error reporting is switched off at the moment since + * the receiving of them is not yet 100% verified + * This should be enabled sooner or later +- * +- if (error_reporting) { ++ */ ++ if (0 && error_reporting) { + ret = softing_fct_cmd(card, 51, "enable_error_frame"); + if (ret < 0) + goto failed; + } +- */ ++ + /* initialize interface */ + iowrite16(1, &card->dpram[DPRAM_FCT_PARAM + 2]); + iowrite16(1, &card->dpram[DPRAM_FCT_PARAM + 4]); +-- +2.34.1 + diff --git a/queue-5.10/can-xilinx_can-xcan_probe-check-for-error-irq.patch b/queue-5.10/can-xilinx_can-xcan_probe-check-for-error-irq.patch new file mode 100644 index 00000000000..628adf5b882 --- /dev/null +++ b/queue-5.10/can-xilinx_can-xcan_probe-check-for-error-irq.patch @@ -0,0 +1,48 @@ +From 88910b70ce313210a594a7c02640066f80e0f3ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Dec 2021 10:13:24 +0800 +Subject: can: xilinx_can: xcan_probe(): check for error irq + +From: Jiasheng Jiang + +[ Upstream commit c6564c13dae25cd7f8e1de5127b4da4500ee5844 ] + +For the possible failure of the platform_get_irq(), the returned irq +could be error number and will finally cause the failure of the +request_irq(). + +Consider that platform_get_irq() can now in certain cases return +-EPROBE_DEFER, and the consequences of letting request_irq() +effectively convert that into -EINVAL, even at probe time rather than +later on. So it might be better to check just now. + +Fixes: b1201e44f50b ("can: xilinx CAN controller support") +Link: https://lore.kernel.org/all/20211224021324.1447494-1-jiasheng@iscas.ac.cn +Signed-off-by: Jiasheng Jiang +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/xilinx_can.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c +index 48d746e18f302..375998263af7a 100644 +--- a/drivers/net/can/xilinx_can.c ++++ b/drivers/net/can/xilinx_can.c +@@ -1762,7 +1762,12 @@ static int xcan_probe(struct platform_device *pdev) + spin_lock_init(&priv->tx_lock); + + /* Get IRQ for the device */ +- ndev->irq = platform_get_irq(pdev, 0); ++ ret = platform_get_irq(pdev, 0); ++ if (ret < 0) ++ goto err_free; ++ ++ ndev->irq = ret; ++ + ndev->flags |= IFF_ECHO; /* We support local echo */ + + platform_set_drvdata(pdev, ndev); +-- +2.34.1 + diff --git a/queue-5.10/cgroup-trace-event-cgroup-id-fields-should-be-u64.patch b/queue-5.10/cgroup-trace-event-cgroup-id-fields-should-be-u64.patch new file mode 100644 index 00000000000..8ba8b818077 --- /dev/null +++ b/queue-5.10/cgroup-trace-event-cgroup-id-fields-should-be-u64.patch @@ -0,0 +1,86 @@ +From b3a48c6dc02a35c1f0a9467167f6d10a3f3b1161 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 09:56:58 -0700 +Subject: cgroup: Trace event cgroup id fields should be u64 + +From: William Kucharski + +[ Upstream commit e14da77113bb890d7bf9e5d17031bdd476a7ce5e ] + +Various trace event fields that store cgroup IDs were declared as +ints, but cgroup_id(() returns a u64 and the structures and associated +TP_printk() calls were not updated to reflect this. + +Fixes: 743210386c03 ("cgroup: use cgrp->kn->id as the cgroup ID") +Signed-off-by: William Kucharski +Reviewed-by: Steven Rostedt (VMware) +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + include/trace/events/cgroup.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/include/trace/events/cgroup.h b/include/trace/events/cgroup.h +index 7f42a3de59e6b..dd7d7c9efecdf 100644 +--- a/include/trace/events/cgroup.h ++++ b/include/trace/events/cgroup.h +@@ -59,8 +59,8 @@ DECLARE_EVENT_CLASS(cgroup, + + TP_STRUCT__entry( + __field( int, root ) +- __field( int, id ) + __field( int, level ) ++ __field( u64, id ) + __string( path, path ) + ), + +@@ -71,7 +71,7 @@ DECLARE_EVENT_CLASS(cgroup, + __assign_str(path, path); + ), + +- TP_printk("root=%d id=%d level=%d path=%s", ++ TP_printk("root=%d id=%llu level=%d path=%s", + __entry->root, __entry->id, __entry->level, __get_str(path)) + ); + +@@ -126,8 +126,8 @@ DECLARE_EVENT_CLASS(cgroup_migrate, + + TP_STRUCT__entry( + __field( int, dst_root ) +- __field( int, dst_id ) + __field( int, dst_level ) ++ __field( u64, dst_id ) + __field( int, pid ) + __string( dst_path, path ) + __string( comm, task->comm ) +@@ -142,7 +142,7 @@ DECLARE_EVENT_CLASS(cgroup_migrate, + __assign_str(comm, task->comm); + ), + +- TP_printk("dst_root=%d dst_id=%d dst_level=%d dst_path=%s pid=%d comm=%s", ++ TP_printk("dst_root=%d dst_id=%llu dst_level=%d dst_path=%s pid=%d comm=%s", + __entry->dst_root, __entry->dst_id, __entry->dst_level, + __get_str(dst_path), __entry->pid, __get_str(comm)) + ); +@@ -171,8 +171,8 @@ DECLARE_EVENT_CLASS(cgroup_event, + + TP_STRUCT__entry( + __field( int, root ) +- __field( int, id ) + __field( int, level ) ++ __field( u64, id ) + __string( path, path ) + __field( int, val ) + ), +@@ -185,7 +185,7 @@ DECLARE_EVENT_CLASS(cgroup_event, + __entry->val = val; + ), + +- TP_printk("root=%d id=%d level=%d path=%s val=%d", ++ TP_printk("root=%d id=%llu level=%d path=%s val=%d", + __entry->root, __entry->id, __entry->level, __get_str(path), + __entry->val) + ); +-- +2.34.1 + diff --git a/queue-5.10/char-mwave-adjust-io-port-register-size.patch b/queue-5.10/char-mwave-adjust-io-port-register-size.patch new file mode 100644 index 00000000000..1c023d29a38 --- /dev/null +++ b/queue-5.10/char-mwave-adjust-io-port-register-size.patch @@ -0,0 +1,51 @@ +From af56d698ff0c09a055806f66bc25e1e1e22d6c68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Dec 2021 00:42:06 -0800 +Subject: char/mwave: Adjust io port register size + +From: Kees Cook + +[ Upstream commit f5912cc19acd7c24b2dbf65a6340bf194244f085 ] + +Using MKWORD() on a byte-sized variable results in OOB read. Expand the +size of the reserved area so both MKWORD and MKBYTE continue to work +without overflow. Silences this warning on a -Warray-bounds build: + +drivers/char/mwave/3780i.h:346:22: error: array subscript 'short unsigned int[0]' is partly outside array bounds of 'DSP_ISA_SLAVE_CONTROL[1]' [-Werror=array-bounds] + 346 | #define MKWORD(var) (*((unsigned short *)(&var))) + | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/char/mwave/3780i.h:356:40: note: in definition of macro 'OutWordDsp' + 356 | #define OutWordDsp(index,value) outw(value,usDspBaseIO+index) + | ^~~~~ +drivers/char/mwave/3780i.c:373:41: note: in expansion of macro 'MKWORD' + 373 | OutWordDsp(DSP_IsaSlaveControl, MKWORD(rSlaveControl)); + | ^~~~~~ +drivers/char/mwave/3780i.c:358:31: note: while referencing 'rSlaveControl' + 358 | DSP_ISA_SLAVE_CONTROL rSlaveControl; + | ^~~~~~~~~~~~~ + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20211203084206.3104326-1-keescook@chromium.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/char/mwave/3780i.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/mwave/3780i.h b/drivers/char/mwave/3780i.h +index 9ccb6b270b071..95164246afd1a 100644 +--- a/drivers/char/mwave/3780i.h ++++ b/drivers/char/mwave/3780i.h +@@ -68,7 +68,7 @@ typedef struct { + unsigned char ClockControl:1; /* RW: Clock control: 0=normal, 1=stop 3780i clocks */ + unsigned char SoftReset:1; /* RW: Soft reset 0=normal, 1=soft reset active */ + unsigned char ConfigMode:1; /* RW: Configuration mode, 0=normal, 1=config mode */ +- unsigned char Reserved:5; /* 0: Reserved */ ++ unsigned short Reserved:13; /* 0: Reserved */ + } DSP_ISA_SLAVE_CONTROL; + + +-- +2.34.1 + diff --git a/queue-5.10/clk-bcm-2835-pick-the-closest-clock-rate.patch b/queue-5.10/clk-bcm-2835-pick-the-closest-clock-rate.patch new file mode 100644 index 00000000000..34c7c1e76ad --- /dev/null +++ b/queue-5.10/clk-bcm-2835-pick-the-closest-clock-rate.patch @@ -0,0 +1,46 @@ +From 190694d1bd3d0a23ec15f9e74fa1e8fc8e7b85de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Sep 2021 14:54:15 +0200 +Subject: clk: bcm-2835: Pick the closest clock rate + +From: Maxime Ripard + +[ Upstream commit 5517357a4733d7cf7c17fc79d0530cfa47add372 ] + +The driver currently tries to pick the closest rate that is lower than +the rate being requested. + +This causes an issue with clk_set_min_rate() since it actively checks +for the rounded rate to be above the minimum that was just set. + +Let's change the logic a bit to pick the closest rate to the requested +rate, no matter if it's actually higher or lower. + +Fixes: 6d18b8adbe67 ("clk: bcm2835: Support for clock parent selection") +Signed-off-by: Maxime Ripard +Acked-by: Stephen Boyd +Reviewed-by: Nicolas Saenz Julienne +Tested-by: Nicolas Saenz Julienne # boot and basic functionality +Tested-by: Michael Stapelberg +Link: https://patchwork.freedesktop.org/patch/msgid/20210922125419.4125779-2-maxime@cerno.tech +Signed-off-by: Sasha Levin +--- + drivers/clk/bcm/clk-bcm2835.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c +index 1ac803e14fa3e..a919ee9c3fcb8 100644 +--- a/drivers/clk/bcm/clk-bcm2835.c ++++ b/drivers/clk/bcm/clk-bcm2835.c +@@ -1217,7 +1217,7 @@ static int bcm2835_clock_determine_rate(struct clk_hw *hw, + rate = bcm2835_clock_choose_div_and_prate(hw, i, req->rate, + &div, &prate, + &avgrate); +- if (rate > best_rate && rate <= req->rate) { ++ if (abs(req->rate - rate) < abs(req->rate - best_rate)) { + best_parent = parent; + best_prate = prate; + best_rate = rate; +-- +2.34.1 + diff --git a/queue-5.10/clk-bcm-2835-remove-rounding-up-the-dividers.patch b/queue-5.10/clk-bcm-2835-remove-rounding-up-the-dividers.patch new file mode 100644 index 00000000000..17b4f5bb029 --- /dev/null +++ b/queue-5.10/clk-bcm-2835-remove-rounding-up-the-dividers.patch @@ -0,0 +1,82 @@ +From 281b0bce10bf3ebdd2e1453cd070d63757b3ddb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Sep 2021 14:54:16 +0200 +Subject: clk: bcm-2835: Remove rounding up the dividers + +From: Maxime Ripard + +[ Upstream commit 8ca011ef4af48a7af7b15afd8a4a44039dd04cea ] + +The driver, once it found a divider, tries to round it up by increasing +the least significant bit of the fractional part by one when the +round_up argument is set and there's a remainder. + +However, since it increases the divider it will actually reduce the +clock rate below what we were asking for, leading to issues with +clk_set_min_rate() that will complain that our rounded clock rate is +below the minimum of the rate. + +Since the dividers are fairly precise already, let's remove that part so +that we can have clk_set_min_rate() working. + +This is effectively a revert of 9c95b32ca093 ("clk: bcm2835: add a round +up ability to the clock divisor"). + +Fixes: 9c95b32ca093 ("clk: bcm2835: add a round up ability to the clock divisor") +Signed-off-by: Maxime Ripard +Acked-by: Stephen Boyd +Reviewed-by: Nicolas Saenz Julienne +Tested-by: Nicolas Saenz Julienne # boot and basic functionality +Tested-by: Michael Stapelberg +Link: https://patchwork.freedesktop.org/patch/msgid/20210922125419.4125779-3-maxime@cerno.tech +Signed-off-by: Sasha Levin +--- + drivers/clk/bcm/clk-bcm2835.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c +index a919ee9c3fcb8..178886823b90c 100644 +--- a/drivers/clk/bcm/clk-bcm2835.c ++++ b/drivers/clk/bcm/clk-bcm2835.c +@@ -933,8 +933,7 @@ static int bcm2835_clock_is_on(struct clk_hw *hw) + + static u32 bcm2835_clock_choose_div(struct clk_hw *hw, + unsigned long rate, +- unsigned long parent_rate, +- bool round_up) ++ unsigned long parent_rate) + { + struct bcm2835_clock *clock = bcm2835_clock_from_hw(hw); + const struct bcm2835_clock_data *data = clock->data; +@@ -946,10 +945,6 @@ static u32 bcm2835_clock_choose_div(struct clk_hw *hw, + + rem = do_div(temp, rate); + div = temp; +- +- /* Round up and mask off the unused bits */ +- if (round_up && ((div & unused_frac_mask) != 0 || rem != 0)) +- div += unused_frac_mask + 1; + div &= ~unused_frac_mask; + + /* different clamping limits apply for a mash clock */ +@@ -1080,7 +1075,7 @@ static int bcm2835_clock_set_rate(struct clk_hw *hw, + struct bcm2835_clock *clock = bcm2835_clock_from_hw(hw); + struct bcm2835_cprman *cprman = clock->cprman; + const struct bcm2835_clock_data *data = clock->data; +- u32 div = bcm2835_clock_choose_div(hw, rate, parent_rate, false); ++ u32 div = bcm2835_clock_choose_div(hw, rate, parent_rate); + u32 ctl; + + spin_lock(&cprman->regs_lock); +@@ -1131,7 +1126,7 @@ static unsigned long bcm2835_clock_choose_div_and_prate(struct clk_hw *hw, + + if (!(BIT(parent_idx) & data->set_rate_parent)) { + *prate = clk_hw_get_rate(parent); +- *div = bcm2835_clock_choose_div(hw, rate, *prate, true); ++ *div = bcm2835_clock_choose_div(hw, rate, *prate); + + *avgrate = bcm2835_clock_rate_from_divisor(clock, *prate, *div); + +-- +2.34.1 + diff --git a/queue-5.10/clk-bm1880-remove-kfrees-on-static-allocations.patch b/queue-5.10/clk-bm1880-remove-kfrees-on-static-allocations.patch new file mode 100644 index 00000000000..f40f72469bb --- /dev/null +++ b/queue-5.10/clk-bm1880-remove-kfrees-on-static-allocations.patch @@ -0,0 +1,84 @@ +From 060dff553a266c214d67402a68cf519369472629 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Dec 2021 15:42:44 +0000 +Subject: clk: bm1880: remove kfrees on static allocations + +From: Conor Dooley + +[ Upstream commit c861c1be3897845313a0df47804b1db37c7052e1 ] + +bm1880_clk_unregister_pll & bm1880_clk_unregister_div both try to +free statically allocated variables, so remove those kfrees. + +For example, if we take L703 kfree(div_hw): +- div_hw is a bm1880_div_hw_clock pointer +- in bm1880_clk_register_plls this is pointed to an element of arg1: + struct bm1880_div_hw_clock *clks +- in the probe, where bm1880_clk_register_plls is called arg1 is + bm1880_div_clks, defined on L371: + static struct bm1880_div_hw_clock bm1880_div_clks[] + +Signed-off-by: Conor Dooley +Fixes: 1ab4601da55b ("clk: Add common clock driver for BM1880 SoC") +Link: https://lore.kernel.org/r/20211223154244.1024062-1-conor.dooley@microchip.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-bm1880.c | 20 ++------------------ + 1 file changed, 2 insertions(+), 18 deletions(-) + +diff --git a/drivers/clk/clk-bm1880.c b/drivers/clk/clk-bm1880.c +index e6d6599d310a1..fad78a22218e8 100644 +--- a/drivers/clk/clk-bm1880.c ++++ b/drivers/clk/clk-bm1880.c +@@ -522,14 +522,6 @@ static struct clk_hw *bm1880_clk_register_pll(struct bm1880_pll_hw_clock *pll_cl + return hw; + } + +-static void bm1880_clk_unregister_pll(struct clk_hw *hw) +-{ +- struct bm1880_pll_hw_clock *pll_hw = to_bm1880_pll_clk(hw); +- +- clk_hw_unregister(hw); +- kfree(pll_hw); +-} +- + static int bm1880_clk_register_plls(struct bm1880_pll_hw_clock *clks, + int num_clks, + struct bm1880_clock_data *data) +@@ -555,7 +547,7 @@ static int bm1880_clk_register_plls(struct bm1880_pll_hw_clock *clks, + + err_clk: + while (i--) +- bm1880_clk_unregister_pll(data->hw_data.hws[clks[i].pll.id]); ++ clk_hw_unregister(data->hw_data.hws[clks[i].pll.id]); + + return PTR_ERR(hw); + } +@@ -695,14 +687,6 @@ static struct clk_hw *bm1880_clk_register_div(struct bm1880_div_hw_clock *div_cl + return hw; + } + +-static void bm1880_clk_unregister_div(struct clk_hw *hw) +-{ +- struct bm1880_div_hw_clock *div_hw = to_bm1880_div_clk(hw); +- +- clk_hw_unregister(hw); +- kfree(div_hw); +-} +- + static int bm1880_clk_register_divs(struct bm1880_div_hw_clock *clks, + int num_clks, + struct bm1880_clock_data *data) +@@ -729,7 +713,7 @@ static int bm1880_clk_register_divs(struct bm1880_div_hw_clock *clks, + + err_clk: + while (i--) +- bm1880_clk_unregister_div(data->hw_data.hws[clks[i].div.id]); ++ clk_hw_unregister(data->hw_data.hws[clks[i].div.id]); + + return PTR_ERR(hw); + } +-- +2.34.1 + diff --git a/queue-5.10/clk-imx8mn-fix-imx8mn_clko1_sels.patch b/queue-5.10/clk-imx8mn-fix-imx8mn_clko1_sels.patch new file mode 100644 index 00000000000..a02f3909d51 --- /dev/null +++ b/queue-5.10/clk-imx8mn-fix-imx8mn_clko1_sels.patch @@ -0,0 +1,50 @@ +From fe63e12684bfabe481263c264b44d47a17b895a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 07:32:02 -0600 +Subject: clk: imx8mn: Fix imx8mn_clko1_sels + +From: Adam Ford + +[ Upstream commit 570727e9acfac1c2330a01dd5e1272e9c3acec08 ] + +When attempting to use sys_pll1_80m as the parent for clko1, the +system hangs. This is due to the fact that the source select +for sys_pll1_80m was incorrectly pointing to m7_alt_pll_clk, which +doesn't yet exist. + +According to Rev 3 of the TRM, The imx8mn_clko1_sels also incorrectly +references an osc_27m which does not exist, nor does an entry for +source select bits 010b. Fix both by inserting a dummy clock into +the missing space in the table and renaming the incorrectly name clock +with dummy. + +Fixes: 96d6392b54db ("clk: imx: Add support for i.MX8MN clock driver") +Signed-off-by: Adam Ford +Reviewed-by: Fabio Estevam +Link: https://lore.kernel.org/r/20211117133202.775633-1-aford173@gmail.com +Signed-off-by: Abel Vesa +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx8mn.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/imx/clk-imx8mn.c b/drivers/clk/imx/clk-imx8mn.c +index 33a7ddc23cd24..db122d94db583 100644 +--- a/drivers/clk/imx/clk-imx8mn.c ++++ b/drivers/clk/imx/clk-imx8mn.c +@@ -274,9 +274,9 @@ static const char * const imx8mn_pdm_sels[] = {"osc_24m", "sys_pll2_100m", "audi + + static const char * const imx8mn_dram_core_sels[] = {"dram_pll_out", "dram_alt_root", }; + +-static const char * const imx8mn_clko1_sels[] = {"osc_24m", "sys_pll1_800m", "osc_27m", +- "sys_pll1_200m", "audio_pll2_out", "vpu_pll", +- "sys_pll1_80m", }; ++static const char * const imx8mn_clko1_sels[] = {"osc_24m", "sys_pll1_800m", "dummy", ++ "sys_pll1_200m", "audio_pll2_out", "sys_pll2_500m", ++ "dummy", "sys_pll1_80m", }; + static const char * const imx8mn_clko2_sels[] = {"osc_24m", "sys_pll2_200m", "sys_pll1_400m", + "sys_pll2_166m", "sys_pll3_out", "audio_pll1_out", + "video_pll1_out", "osc_32k", }; +-- +2.34.1 + diff --git a/queue-5.10/clk-meson-gxbb-fix-the-sdm_en-bit-for-mpll0-on-gxbb.patch b/queue-5.10/clk-meson-gxbb-fix-the-sdm_en-bit-for-mpll0-on-gxbb.patch new file mode 100644 index 00000000000..2f16b1fd394 --- /dev/null +++ b/queue-5.10/clk-meson-gxbb-fix-the-sdm_en-bit-for-mpll0-on-gxbb.patch @@ -0,0 +1,144 @@ +From 10db839f155dfdc0f8b7ce64aba90a5252d688fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Oct 2021 14:50:06 +0100 +Subject: clk: meson: gxbb: Fix the SDM_EN bit for MPLL0 on GXBB + +From: Martin Blumenstingl + +[ Upstream commit ff54938dd190d85f740b9bf9dde59b550936b621 ] + +There are reports that 48kHz audio does not work on the WeTek Play 2 +(which uses a GXBB SoC), while 44.1kHz audio works fine on the same +board. There are also reports of 48kHz audio working fine on GXL and +GXM SoCs, which are using an (almost) identical AIU (audio controller). + +Experimenting has shown that MPLL0 is causing this problem. In the .dts +we have by default: + assigned-clocks = <&clkc CLKID_MPLL0>, + <&clkc CLKID_MPLL1>, + <&clkc CLKID_MPLL2>; + assigned-clock-rates = <294912000>, + <270950400>, + <393216000>; +The MPLL0 rate is divisible by 48kHz without remainder and the MPLL1 +rate is divisible by 44.1kHz without remainder. Swapping these two clock +rates "fixes" 48kHz audio but breaks 44.1kHz audio. + +Everything looks normal when looking at the info provided by the common +clock framework while playing 48kHz audio (via I2S with mclk-fs = 256): + mpll_prediv 1 1 0 2000000000 + mpll0_div 1 1 0 294909641 + mpll0 1 1 0 294909641 + cts_amclk_sel 1 1 0 294909641 + cts_amclk_div 1 1 0 12287902 + cts_amclk 1 1 0 12287902 + +meson-clk-msr however shows that the actual MPLL0 clock is off by more +than 38MHz: + mp0_out 333322917 +/-10416Hz + +The rate seen by meson-clk-msr is very close to what we would get when +SDM (the fractional part) was ignored: + (2000000000Hz * 16384) / ((16384 * 6) = 333.33MHz +If SDM was considered the we should get close to: + (2000000000Hz * 16384) / ((16384 * 6) + 12808) = 294.9MHz + +Further experimenting shows that HHI_MPLL_CNTL7[15] does not have any +effect on the rate of MPLL0 as seen my meson-clk-msr (regardless of +whether that bit is zero or one the rate is always the same according to +meson-clk-msr). Using HHI_MPLL_CNTL[25] on the other hand as SDM_EN +results in SDM being considered for the rate output by the hardware. The +rate - as seen by meson-clk-msr - matches with what we expect when +SDM_EN is enabled (fractional part is being considered, resulting in a +294.9MHz output) or disable (fractional part being ignored, resulting in +a 333.33MHz output). + +Reported-by: Christian Hewitt +Tested-by: Christian Hewitt +Signed-off-by: Martin Blumenstingl +Signed-off-by: Jerome Brunet +Link: https://lore.kernel.org/r/20211031135006.1508796-1-martin.blumenstingl@googlemail.com +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/gxbb.c | 44 +++++++++++++++++++++++++++++++++++++--- + 1 file changed, 41 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/meson/gxbb.c b/drivers/clk/meson/gxbb.c +index 0a68af6eec3dd..d42551a46ec91 100644 +--- a/drivers/clk/meson/gxbb.c ++++ b/drivers/clk/meson/gxbb.c +@@ -712,6 +712,35 @@ static struct clk_regmap gxbb_mpll_prediv = { + }; + + static struct clk_regmap gxbb_mpll0_div = { ++ .data = &(struct meson_clk_mpll_data){ ++ .sdm = { ++ .reg_off = HHI_MPLL_CNTL7, ++ .shift = 0, ++ .width = 14, ++ }, ++ .sdm_en = { ++ .reg_off = HHI_MPLL_CNTL, ++ .shift = 25, ++ .width = 1, ++ }, ++ .n2 = { ++ .reg_off = HHI_MPLL_CNTL7, ++ .shift = 16, ++ .width = 9, ++ }, ++ .lock = &meson_clk_lock, ++ }, ++ .hw.init = &(struct clk_init_data){ ++ .name = "mpll0_div", ++ .ops = &meson_clk_mpll_ops, ++ .parent_hws = (const struct clk_hw *[]) { ++ &gxbb_mpll_prediv.hw ++ }, ++ .num_parents = 1, ++ }, ++}; ++ ++static struct clk_regmap gxl_mpll0_div = { + .data = &(struct meson_clk_mpll_data){ + .sdm = { + .reg_off = HHI_MPLL_CNTL7, +@@ -748,7 +777,16 @@ static struct clk_regmap gxbb_mpll0 = { + .hw.init = &(struct clk_init_data){ + .name = "mpll0", + .ops = &clk_regmap_gate_ops, +- .parent_hws = (const struct clk_hw *[]) { &gxbb_mpll0_div.hw }, ++ .parent_data = &(const struct clk_parent_data) { ++ /* ++ * Note: ++ * GXL and GXBB have different SDM_EN registers. We ++ * fallback to the global naming string mechanism so ++ * mpll0_div picks up the appropriate one. ++ */ ++ .name = "mpll0_div", ++ .index = -1, ++ }, + .num_parents = 1, + .flags = CLK_SET_RATE_PARENT, + }, +@@ -3043,7 +3081,7 @@ static struct clk_hw_onecell_data gxl_hw_onecell_data = { + [CLKID_VAPB_1] = &gxbb_vapb_1.hw, + [CLKID_VAPB_SEL] = &gxbb_vapb_sel.hw, + [CLKID_VAPB] = &gxbb_vapb.hw, +- [CLKID_MPLL0_DIV] = &gxbb_mpll0_div.hw, ++ [CLKID_MPLL0_DIV] = &gxl_mpll0_div.hw, + [CLKID_MPLL1_DIV] = &gxbb_mpll1_div.hw, + [CLKID_MPLL2_DIV] = &gxbb_mpll2_div.hw, + [CLKID_MPLL_PREDIV] = &gxbb_mpll_prediv.hw, +@@ -3438,7 +3476,7 @@ static struct clk_regmap *const gxl_clk_regmaps[] = { + &gxbb_mpll0, + &gxbb_mpll1, + &gxbb_mpll2, +- &gxbb_mpll0_div, ++ &gxl_mpll0_div, + &gxbb_mpll1_div, + &gxbb_mpll2_div, + &gxbb_cts_amclk_div, +-- +2.34.1 + diff --git a/queue-5.10/clk-stm32-fix-ltdc-s-clock-turn-off-by-clk_disable_u.patch b/queue-5.10/clk-stm32-fix-ltdc-s-clock-turn-off-by-clk_disable_u.patch new file mode 100644 index 00000000000..72937950931 --- /dev/null +++ b/queue-5.10/clk-stm32-fix-ltdc-s-clock-turn-off-by-clk_disable_u.patch @@ -0,0 +1,75 @@ +From 3390f86760e805a0833945af009b773a1f775160 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 15:11:21 +0800 +Subject: clk: stm32: Fix ltdc's clock turn off by clk_disable_unused() after + system enter shell + +From: Dillon Min + +[ Upstream commit 6fc058a72f3b7b07fc4de6d66ad1f68951b00f6e ] + +stm32's clk driver register two ltdc gate clk to clk core by +clk_hw_register_gate() and clk_hw_register_composite() + +first: 'stm32f429_gates[]', clk name is 'ltdc', which no user to use. +second: 'stm32f429_aux_clk[]', clk name is 'lcd-tft', used by ltdc driver + +both of them point to the same offset of stm32's RCC register. after +kernel enter console, clk core turn off ltdc's clk as 'stm32f429_gates[]' +is no one to use. but, actually 'stm32f429_aux_clk[]' is in use. + +stm32f469/746/769 have the same issue, fix it. + +Fixes: daf2d117cbca ("clk: stm32f4: Add lcd-tft clock") +Link: https://lore.kernel.org/linux-arm-kernel/1590564453-24499-7-git-send-email-dillon.minfei@gmail.com/ +Link: https://lore.kernel.org/lkml/CAPTRvHkf0cK_4ZidM17rPo99gWDmxgqFt4CDUjqFFwkOeQeFDg@mail.gmail.com/ +Signed-off-by: Dillon Min +Reviewed-by: Patrice Chotard +Acked-by: Gabriel Fernandez +Acked-by: Stephen Boyd +Link: https://lore.kernel.org/r/1635232282-3992-10-git-send-email-dillon.minfei@gmail.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-stm32f4.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/clk/clk-stm32f4.c b/drivers/clk/clk-stm32f4.c +index 5c75e3d906c20..682a18b392f08 100644 +--- a/drivers/clk/clk-stm32f4.c ++++ b/drivers/clk/clk-stm32f4.c +@@ -129,7 +129,6 @@ static const struct stm32f4_gate_data stm32f429_gates[] __initconst = { + { STM32F4_RCC_APB2ENR, 20, "spi5", "apb2_div" }, + { STM32F4_RCC_APB2ENR, 21, "spi6", "apb2_div" }, + { STM32F4_RCC_APB2ENR, 22, "sai1", "apb2_div" }, +- { STM32F4_RCC_APB2ENR, 26, "ltdc", "apb2_div" }, + }; + + static const struct stm32f4_gate_data stm32f469_gates[] __initconst = { +@@ -211,7 +210,6 @@ static const struct stm32f4_gate_data stm32f469_gates[] __initconst = { + { STM32F4_RCC_APB2ENR, 20, "spi5", "apb2_div" }, + { STM32F4_RCC_APB2ENR, 21, "spi6", "apb2_div" }, + { STM32F4_RCC_APB2ENR, 22, "sai1", "apb2_div" }, +- { STM32F4_RCC_APB2ENR, 26, "ltdc", "apb2_div" }, + }; + + static const struct stm32f4_gate_data stm32f746_gates[] __initconst = { +@@ -286,7 +284,6 @@ static const struct stm32f4_gate_data stm32f746_gates[] __initconst = { + { STM32F4_RCC_APB2ENR, 21, "spi6", "apb2_div" }, + { STM32F4_RCC_APB2ENR, 22, "sai1", "apb2_div" }, + { STM32F4_RCC_APB2ENR, 23, "sai2", "apb2_div" }, +- { STM32F4_RCC_APB2ENR, 26, "ltdc", "apb2_div" }, + }; + + static const struct stm32f4_gate_data stm32f769_gates[] __initconst = { +@@ -364,7 +361,6 @@ static const struct stm32f4_gate_data stm32f769_gates[] __initconst = { + { STM32F4_RCC_APB2ENR, 21, "spi6", "apb2_div" }, + { STM32F4_RCC_APB2ENR, 22, "sai1", "apb2_div" }, + { STM32F4_RCC_APB2ENR, 23, "sai2", "apb2_div" }, +- { STM32F4_RCC_APB2ENR, 26, "ltdc", "apb2_div" }, + { STM32F4_RCC_APB2ENR, 30, "mdio", "apb2_div" }, + }; + +-- +2.34.1 + diff --git a/queue-5.10/clocksource-avoid-accidental-unstable-marking-of-clo.patch b/queue-5.10/clocksource-avoid-accidental-unstable-marking-of-clo.patch new file mode 100644 index 00000000000..e40bc9c865c --- /dev/null +++ b/queue-5.10/clocksource-avoid-accidental-unstable-marking-of-clo.patch @@ -0,0 +1,164 @@ +From fdb0c5c656c7b885343692e8aabb549b645f7e46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Nov 2021 14:14:36 -0500 +Subject: clocksource: Avoid accidental unstable marking of clocksources + +From: Waiman Long + +[ Upstream commit c86ff8c55b8ae68837b2fa59dc0c203907e9a15f ] + +Since commit db3a34e17433 ("clocksource: Retry clock read if long delays +detected") and commit 2e27e793e280 ("clocksource: Reduce clocksource-skew +threshold"), it is found that tsc clocksource fallback to hpet can +sometimes happen on both Intel and AMD systems especially when they are +running stressful benchmarking workloads. Of the 23 systems tested with +a v5.14 kernel, 10 of them have switched to hpet clock source during +the test run. + +The result of falling back to hpet is a drastic reduction of performance +when running benchmarks. For example, the fio performance tests can +drop up to 70% whereas the iperf3 performance can drop up to 80%. + +4 hpet fallbacks happened during bootup. They were: + + [ 8.749399] clocksource: timekeeping watchdog on CPU13: hpet read-back delay of 263750ns, attempt 4, marking unstable + [ 12.044610] clocksource: timekeeping watchdog on CPU19: hpet read-back delay of 186166ns, attempt 4, marking unstable + [ 17.336941] clocksource: timekeeping watchdog on CPU28: hpet read-back delay of 182291ns, attempt 4, marking unstable + [ 17.518565] clocksource: timekeeping watchdog on CPU34: hpet read-back delay of 252196ns, attempt 4, marking unstable + +Other fallbacks happen when the systems were running stressful +benchmarks. For example: + + [ 2685.867873] clocksource: timekeeping watchdog on CPU117: hpet read-back delay of 57269ns, attempt 4, marking unstable + [46215.471228] clocksource: timekeeping watchdog on CPU8: hpet read-back delay of 61460ns, attempt 4, marking unstable + +Commit 2e27e793e280 ("clocksource: Reduce clocksource-skew threshold"), +changed the skew margin from 100us to 50us. I think this is too small +and can easily be exceeded when running some stressful workloads on a +thermally stressed system. So it is switched back to 100us. + +Even a maximum skew margin of 100us may be too small in for some systems +when booting up especially if those systems are under thermal stress. To +eliminate the case that the large skew is due to the system being too +busy slowing down the reading of both the watchdog and the clocksource, +an extra consecutive read of watchdog clock is being done to check this. + +The consecutive watchdog read delay is compared against +WATCHDOG_MAX_SKEW/2. If the delay exceeds the limit, we assume that +the system is just too busy. A warning will be printed to the console +and the clock skew check is skipped for this round. + +Fixes: db3a34e17433 ("clocksource: Retry clock read if long delays detected") +Fixes: 2e27e793e280 ("clocksource: Reduce clocksource-skew threshold") +Signed-off-by: Waiman Long +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/time/clocksource.c | 50 ++++++++++++++++++++++++++++++++------- + 1 file changed, 41 insertions(+), 9 deletions(-) + +diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c +index d0803a69a2009..e34ceb91f4c5a 100644 +--- a/kernel/time/clocksource.c ++++ b/kernel/time/clocksource.c +@@ -105,7 +105,7 @@ static u64 suspend_start; + * This delay could be due to SMIs, NMIs, or to VCPU preemptions. Used as + * a lower bound for cs->uncertainty_margin values when registering clocks. + */ +-#define WATCHDOG_MAX_SKEW (50 * NSEC_PER_USEC) ++#define WATCHDOG_MAX_SKEW (100 * NSEC_PER_USEC) + + #ifdef CONFIG_CLOCKSOURCE_WATCHDOG + static void clocksource_watchdog_work(struct work_struct *work); +@@ -200,17 +200,24 @@ void clocksource_mark_unstable(struct clocksource *cs) + static ulong max_cswd_read_retries = 3; + module_param(max_cswd_read_retries, ulong, 0644); + +-static bool cs_watchdog_read(struct clocksource *cs, u64 *csnow, u64 *wdnow) ++enum wd_read_status { ++ WD_READ_SUCCESS, ++ WD_READ_UNSTABLE, ++ WD_READ_SKIP ++}; ++ ++static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow, u64 *wdnow) + { + unsigned int nretries; +- u64 wd_end, wd_delta; +- int64_t wd_delay; ++ u64 wd_end, wd_end2, wd_delta; ++ int64_t wd_delay, wd_seq_delay; + + for (nretries = 0; nretries <= max_cswd_read_retries; nretries++) { + local_irq_disable(); + *wdnow = watchdog->read(watchdog); + *csnow = cs->read(cs); + wd_end = watchdog->read(watchdog); ++ wd_end2 = watchdog->read(watchdog); + local_irq_enable(); + + wd_delta = clocksource_delta(wd_end, *wdnow, watchdog->mask); +@@ -221,13 +228,34 @@ static bool cs_watchdog_read(struct clocksource *cs, u64 *csnow, u64 *wdnow) + pr_warn("timekeeping watchdog on CPU%d: %s retried %d times before success\n", + smp_processor_id(), watchdog->name, nretries); + } +- return true; ++ return WD_READ_SUCCESS; + } ++ ++ /* ++ * Now compute delay in consecutive watchdog read to see if ++ * there is too much external interferences that cause ++ * significant delay in reading both clocksource and watchdog. ++ * ++ * If consecutive WD read-back delay > WATCHDOG_MAX_SKEW/2, ++ * report system busy, reinit the watchdog and skip the current ++ * watchdog test. ++ */ ++ wd_delta = clocksource_delta(wd_end2, wd_end, watchdog->mask); ++ wd_seq_delay = clocksource_cyc2ns(wd_delta, watchdog->mult, watchdog->shift); ++ if (wd_seq_delay > WATCHDOG_MAX_SKEW/2) ++ goto skip_test; + } + + pr_warn("timekeeping watchdog on CPU%d: %s read-back delay of %lldns, attempt %d, marking unstable\n", + smp_processor_id(), watchdog->name, wd_delay, nretries); +- return false; ++ return WD_READ_UNSTABLE; ++ ++skip_test: ++ pr_info("timekeeping watchdog on CPU%d: %s wd-wd read-back delay of %lldns\n", ++ smp_processor_id(), watchdog->name, wd_seq_delay); ++ pr_info("wd-%s-wd read-back delay of %lldns, clock-skew test skipped!\n", ++ cs->name, wd_delay); ++ return WD_READ_SKIP; + } + + static u64 csnow_mid; +@@ -290,6 +318,7 @@ static void clocksource_watchdog(struct timer_list *unused) + int next_cpu, reset_pending; + int64_t wd_nsec, cs_nsec; + struct clocksource *cs; ++ enum wd_read_status read_ret; + u32 md; + + spin_lock(&watchdog_lock); +@@ -307,9 +336,12 @@ static void clocksource_watchdog(struct timer_list *unused) + continue; + } + +- if (!cs_watchdog_read(cs, &csnow, &wdnow)) { +- /* Clock readout unreliable, so give it up. */ +- __clocksource_unstable(cs); ++ read_ret = cs_watchdog_read(cs, &csnow, &wdnow); ++ ++ if (read_ret != WD_READ_SUCCESS) { ++ if (read_ret == WD_READ_UNSTABLE) ++ /* Clock readout unreliable, so give it up. */ ++ __clocksource_unstable(cs); + continue; + } + +-- +2.34.1 + diff --git a/queue-5.10/clocksource-reduce-clocksource-skew-threshold.patch b/queue-5.10/clocksource-reduce-clocksource-skew-threshold.patch new file mode 100644 index 00000000000..9df50c95999 --- /dev/null +++ b/queue-5.10/clocksource-reduce-clocksource-skew-threshold.patch @@ -0,0 +1,216 @@ +From 2504285adc869fb4d34186f9c7d1e18d8d95cb19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 May 2021 12:01:22 -0700 +Subject: clocksource: Reduce clocksource-skew threshold + +From: Paul E. McKenney + +[ Upstream commit 2e27e793e280ff12cb5c202a1214c08b0d3a0f26 ] + +Currently, WATCHDOG_THRESHOLD is set to detect a 62.5-millisecond skew in +a 500-millisecond WATCHDOG_INTERVAL. This requires that clocks be skewed +by more than 12.5% in order to be marked unstable. Except that a clock +that is skewed by that much is probably destroying unsuspecting software +right and left. And given that there are now checks for false-positive +skews due to delays between reading the two clocks, it should be possible +to greatly decrease WATCHDOG_THRESHOLD, at least for fine-grained clocks +such as TSC. + +Therefore, add a new uncertainty_margin field to the clocksource structure +that contains the maximum uncertainty in nanoseconds for the corresponding +clock. This field may be initialized manually, as it is for +clocksource_tsc_early and clocksource_jiffies, which is copied to +refined_jiffies. If the field is not initialized manually, it will be +computed at clock-registry time as the period of the clock in question +based on the scale and freq parameters to __clocksource_update_freq_scale() +function. If either of those two parameters are zero, the +tens-of-milliseconds WATCHDOG_THRESHOLD is used as a cowardly alternative +to dividing by zero. No matter how the uncertainty_margin field is +calculated, it is bounded below by twice WATCHDOG_MAX_SKEW, that is, by 100 +microseconds. + +Note that manually initialized uncertainty_margin fields are not adjusted, +but there is a WARN_ON_ONCE() that triggers if any such field is less than +twice WATCHDOG_MAX_SKEW. This WARN_ON_ONCE() is intended to discourage +production use of the one-nanosecond uncertainty_margin values that are +used to test the clock-skew code itself. + +The actual clock-skew check uses the sum of the uncertainty_margin fields +of the two clocksource structures being compared. Integer overflow is +avoided because the largest computed value of the uncertainty_margin +fields is one billion (10^9), and double that value fits into an +unsigned int. However, if someone manually specifies (say) UINT_MAX, +they will get what they deserve. + +Note that the refined_jiffies uncertainty_margin field is initialized to +TICK_NSEC, which means that skew checks involving this clocksource will +be sufficently forgiving. In a similar vein, the clocksource_tsc_early +uncertainty_margin field is initialized to 32*NSEC_PER_MSEC, which +replicates the current behavior and allows custom setting if needed +in order to address the rare skews detected for this clocksource in +current mainline. + +Suggested-by: Thomas Gleixner +Signed-off-by: Paul E. McKenney +Signed-off-by: Thomas Gleixner +Acked-by: Feng Tang +Link: https://lore.kernel.org/r/20210527190124.440372-4-paulmck@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/tsc.c | 1 + + include/linux/clocksource.h | 3 +++ + kernel/time/clocksource.c | 48 +++++++++++++++++++++++++++++-------- + kernel/time/jiffies.c | 15 ++++++------ + 4 files changed, 50 insertions(+), 17 deletions(-) + +diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c +index f9f1b45e5ddc4..13d1a0ac8916a 100644 +--- a/arch/x86/kernel/tsc.c ++++ b/arch/x86/kernel/tsc.c +@@ -1127,6 +1127,7 @@ static int tsc_cs_enable(struct clocksource *cs) + static struct clocksource clocksource_tsc_early = { + .name = "tsc-early", + .rating = 299, ++ .uncertainty_margin = 32 * NSEC_PER_MSEC, + .read = read_tsc, + .mask = CLOCKSOURCE_MASK(64), + .flags = CLOCK_SOURCE_IS_CONTINUOUS | +diff --git a/include/linux/clocksource.h b/include/linux/clocksource.h +index 83a3ebff74560..8f87c1a6f3231 100644 +--- a/include/linux/clocksource.h ++++ b/include/linux/clocksource.h +@@ -42,6 +42,8 @@ struct module; + * @shift: Cycle to nanosecond divisor (power of two) + * @max_idle_ns: Maximum idle time permitted by the clocksource (nsecs) + * @maxadj: Maximum adjustment value to mult (~11%) ++ * @uncertainty_margin: Maximum uncertainty in nanoseconds per half second. ++ * Zero says to use default WATCHDOG_THRESHOLD. + * @archdata: Optional arch-specific data + * @max_cycles: Maximum safe cycle value which won't overflow on + * multiplication +@@ -93,6 +95,7 @@ struct clocksource { + u32 shift; + u64 max_idle_ns; + u32 maxadj; ++ u32 uncertainty_margin; + #ifdef CONFIG_ARCH_CLOCKSOURCE_DATA + struct arch_clocksource_data archdata; + #endif +diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c +index 74492f08660c4..d0803a69a2009 100644 +--- a/kernel/time/clocksource.c ++++ b/kernel/time/clocksource.c +@@ -93,6 +93,20 @@ static char override_name[CS_NAME_LEN]; + static int finished_booting; + static u64 suspend_start; + ++/* ++ * Threshold: 0.0312s, when doubled: 0.0625s. ++ * Also a default for cs->uncertainty_margin when registering clocks. ++ */ ++#define WATCHDOG_THRESHOLD (NSEC_PER_SEC >> 5) ++ ++/* ++ * Maximum permissible delay between two readouts of the watchdog ++ * clocksource surrounding a read of the clocksource being validated. ++ * This delay could be due to SMIs, NMIs, or to VCPU preemptions. Used as ++ * a lower bound for cs->uncertainty_margin values when registering clocks. ++ */ ++#define WATCHDOG_MAX_SKEW (50 * NSEC_PER_USEC) ++ + #ifdef CONFIG_CLOCKSOURCE_WATCHDOG + static void clocksource_watchdog_work(struct work_struct *work); + static void clocksource_select(void); +@@ -119,17 +133,9 @@ static int clocksource_watchdog_kthread(void *data); + static void __clocksource_change_rating(struct clocksource *cs, int rating); + + /* +- * Interval: 0.5sec Threshold: 0.0625s ++ * Interval: 0.5sec. + */ + #define WATCHDOG_INTERVAL (HZ >> 1) +-#define WATCHDOG_THRESHOLD (NSEC_PER_SEC >> 4) +- +-/* +- * Maximum permissible delay between two readouts of the watchdog +- * clocksource surrounding a read of the clocksource being validated. +- * This delay could be due to SMIs, NMIs, or to VCPU preemptions. +- */ +-#define WATCHDOG_MAX_SKEW (100 * NSEC_PER_USEC) + + static void clocksource_watchdog_work(struct work_struct *work) + { +@@ -284,6 +290,7 @@ static void clocksource_watchdog(struct timer_list *unused) + int next_cpu, reset_pending; + int64_t wd_nsec, cs_nsec; + struct clocksource *cs; ++ u32 md; + + spin_lock(&watchdog_lock); + if (!watchdog_running) +@@ -330,7 +337,8 @@ static void clocksource_watchdog(struct timer_list *unused) + continue; + + /* Check the deviation from the watchdog clocksource. */ +- if (abs(cs_nsec - wd_nsec) > WATCHDOG_THRESHOLD) { ++ md = cs->uncertainty_margin + watchdog->uncertainty_margin; ++ if (abs(cs_nsec - wd_nsec) > md) { + pr_warn("timekeeping watchdog on CPU%d: Marking clocksource '%s' as unstable because the skew is too large:\n", + smp_processor_id(), cs->name); + pr_warn(" '%s' wd_now: %llx wd_last: %llx mask: %llx\n", +@@ -985,6 +993,26 @@ void __clocksource_update_freq_scale(struct clocksource *cs, u32 scale, u32 freq + clocks_calc_mult_shift(&cs->mult, &cs->shift, freq, + NSEC_PER_SEC / scale, sec * scale); + } ++ ++ /* ++ * If the uncertainty margin is not specified, calculate it. ++ * If both scale and freq are non-zero, calculate the clock ++ * period, but bound below at 2*WATCHDOG_MAX_SKEW. However, ++ * if either of scale or freq is zero, be very conservative and ++ * take the tens-of-milliseconds WATCHDOG_THRESHOLD value for the ++ * uncertainty margin. Allow stupidly small uncertainty margins ++ * to be specified by the caller for testing purposes, but warn ++ * to discourage production use of this capability. ++ */ ++ if (scale && freq && !cs->uncertainty_margin) { ++ cs->uncertainty_margin = NSEC_PER_SEC / (scale * freq); ++ if (cs->uncertainty_margin < 2 * WATCHDOG_MAX_SKEW) ++ cs->uncertainty_margin = 2 * WATCHDOG_MAX_SKEW; ++ } else if (!cs->uncertainty_margin) { ++ cs->uncertainty_margin = WATCHDOG_THRESHOLD; ++ } ++ WARN_ON_ONCE(cs->uncertainty_margin < 2 * WATCHDOG_MAX_SKEW); ++ + /* + * Ensure clocksources that have large 'mult' values don't overflow + * when adjusted. +diff --git a/kernel/time/jiffies.c b/kernel/time/jiffies.c +index eddcf49704445..65409abcca8e1 100644 +--- a/kernel/time/jiffies.c ++++ b/kernel/time/jiffies.c +@@ -49,13 +49,14 @@ static u64 jiffies_read(struct clocksource *cs) + * for "tick-less" systems. + */ + static struct clocksource clocksource_jiffies = { +- .name = "jiffies", +- .rating = 1, /* lowest valid rating*/ +- .read = jiffies_read, +- .mask = CLOCKSOURCE_MASK(32), +- .mult = TICK_NSEC << JIFFIES_SHIFT, /* details above */ +- .shift = JIFFIES_SHIFT, +- .max_cycles = 10, ++ .name = "jiffies", ++ .rating = 1, /* lowest valid rating*/ ++ .uncertainty_margin = 32 * NSEC_PER_MSEC, ++ .read = jiffies_read, ++ .mask = CLOCKSOURCE_MASK(32), ++ .mult = TICK_NSEC << JIFFIES_SHIFT, /* details above */ ++ .shift = JIFFIES_SHIFT, ++ .max_cycles = 10, + }; + + __cacheline_aligned_in_smp DEFINE_RAW_SPINLOCK(jiffies_lock); +-- +2.34.1 + diff --git a/queue-5.10/counter-stm32-lptimer-cnt-remove-iio-counter-abi.patch b/queue-5.10/counter-stm32-lptimer-cnt-remove-iio-counter-abi.patch new file mode 100644 index 00000000000..d1a7cf14a04 --- /dev/null +++ b/queue-5.10/counter-stm32-lptimer-cnt-remove-iio-counter-abi.patch @@ -0,0 +1,484 @@ +From d003066876e6939954d6fee9632d38c09c42bd3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jan 2021 14:22:22 +0100 +Subject: counter: stm32-lptimer-cnt: remove iio counter abi + +From: Fabrice Gasnier + +[ Upstream commit 01f68f067dc39df9c9d95d759ee61517eb4b0fcf ] + +Currently, the STM32 LP Timer counter driver registers into both IIO and +counter subsystems, which is redundant. + +Remove the IIO counter ABI and IIO registration from the STM32 LP Timer +counter driver since it's been superseded by the Counter subsystem +as discussed in [1]. + +Keep only the counter subsystem related part. +Move a part of the ABI documentation into a driver comment. + +This also removes a duplicate ABI warning +$ scripts/get_abi.pl validate +... +/sys/bus/iio/devices/iio:deviceX/in_count0_preset is defined 2 times: + ./Documentation/ABI/testing/sysfs-bus-iio-timer-stm32:100 + ./Documentation/ABI/testing/sysfs-bus-iio-lptimer-stm32:0 + +[1] https://lkml.org/lkml/2021/1/19/347 + +Acked-by: William Breathitt Gray +Signed-off-by: Fabrice Gasnier +Link: https://lore.kernel.org/r/1611926542-2490-1-git-send-email-fabrice.gasnier@foss.st.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + .../ABI/testing/sysfs-bus-iio-lptimer-stm32 | 62 ---- + drivers/counter/Kconfig | 2 +- + drivers/counter/stm32-lptimer-cnt.c | 297 +++--------------- + 3 files changed, 37 insertions(+), 324 deletions(-) + delete mode 100644 Documentation/ABI/testing/sysfs-bus-iio-lptimer-stm32 + +diff --git a/Documentation/ABI/testing/sysfs-bus-iio-lptimer-stm32 b/Documentation/ABI/testing/sysfs-bus-iio-lptimer-stm32 +deleted file mode 100644 +index 73498ff666bd7..0000000000000 +--- a/Documentation/ABI/testing/sysfs-bus-iio-lptimer-stm32 ++++ /dev/null +@@ -1,62 +0,0 @@ +-What: /sys/bus/iio/devices/iio:deviceX/in_count0_preset +-KernelVersion: 4.13 +-Contact: fabrice.gasnier@st.com +-Description: +- Reading returns the current preset value. Writing sets the +- preset value. Encoder counts continuously from 0 to preset +- value, depending on direction (up/down). +- +-What: /sys/bus/iio/devices/iio:deviceX/in_count_quadrature_mode_available +-KernelVersion: 4.13 +-Contact: fabrice.gasnier@st.com +-Description: +- Reading returns the list possible quadrature modes. +- +-What: /sys/bus/iio/devices/iio:deviceX/in_count0_quadrature_mode +-KernelVersion: 4.13 +-Contact: fabrice.gasnier@st.com +-Description: +- Configure the device counter quadrature modes: +- +- - non-quadrature: +- Encoder IN1 input servers as the count input (up +- direction). +- +- - quadrature: +- Encoder IN1 and IN2 inputs are mixed to get direction +- and count. +- +-What: /sys/bus/iio/devices/iio:deviceX/in_count_polarity_available +-KernelVersion: 4.13 +-Contact: fabrice.gasnier@st.com +-Description: +- Reading returns the list possible active edges. +- +-What: /sys/bus/iio/devices/iio:deviceX/in_count0_polarity +-KernelVersion: 4.13 +-Contact: fabrice.gasnier@st.com +-Description: +- Configure the device encoder/counter active edge: +- +- - rising-edge +- - falling-edge +- - both-edges +- +- In non-quadrature mode, device counts up on active edge. +- +- In quadrature mode, encoder counting scenarios are as follows: +- +- +---------+----------+--------------------+--------------------+ +- | Active | Level on | IN1 signal | IN2 signal | +- | edge | opposite +----------+---------+----------+---------+ +- | | signal | Rising | Falling | Rising | Falling | +- +---------+----------+----------+---------+----------+---------+ +- | Rising | High -> | Down | - | Up | - | +- | edge | Low -> | Up | - | Down | - | +- +---------+----------+----------+---------+----------+---------+ +- | Falling | High -> | - | Up | - | Down | +- | edge | Low -> | - | Down | - | Up | +- +---------+----------+----------+---------+----------+---------+ +- | Both | High -> | Down | Up | Up | Down | +- | edges | Low -> | Up | Down | Down | Up | +- +---------+----------+----------+---------+----------+---------+ +diff --git a/drivers/counter/Kconfig b/drivers/counter/Kconfig +index 2de53ab0dd252..cbdf84200e278 100644 +--- a/drivers/counter/Kconfig ++++ b/drivers/counter/Kconfig +@@ -41,7 +41,7 @@ config STM32_TIMER_CNT + + config STM32_LPTIMER_CNT + tristate "STM32 LP Timer encoder counter driver" +- depends on (MFD_STM32_LPTIMER || COMPILE_TEST) && IIO ++ depends on MFD_STM32_LPTIMER || COMPILE_TEST + help + Select this option to enable STM32 Low-Power Timer quadrature encoder + and counter driver. +diff --git a/drivers/counter/stm32-lptimer-cnt.c b/drivers/counter/stm32-lptimer-cnt.c +index fd6828e2d34f5..937439635d53f 100644 +--- a/drivers/counter/stm32-lptimer-cnt.c ++++ b/drivers/counter/stm32-lptimer-cnt.c +@@ -12,8 +12,8 @@ + + #include + #include +-#include + #include ++#include + #include + #include + #include +@@ -107,249 +107,27 @@ static int stm32_lptim_setup(struct stm32_lptim_cnt *priv, int enable) + return regmap_update_bits(priv->regmap, STM32_LPTIM_CFGR, mask, val); + } + +-static int stm32_lptim_write_raw(struct iio_dev *indio_dev, +- struct iio_chan_spec const *chan, +- int val, int val2, long mask) +-{ +- struct stm32_lptim_cnt *priv = iio_priv(indio_dev); +- int ret; +- +- switch (mask) { +- case IIO_CHAN_INFO_ENABLE: +- if (val < 0 || val > 1) +- return -EINVAL; +- +- /* Check nobody uses the timer, or already disabled/enabled */ +- ret = stm32_lptim_is_enabled(priv); +- if ((ret < 0) || (!ret && !val)) +- return ret; +- if (val && ret) +- return -EBUSY; +- +- ret = stm32_lptim_setup(priv, val); +- if (ret) +- return ret; +- return stm32_lptim_set_enable_state(priv, val); +- +- default: +- return -EINVAL; +- } +-} +- +-static int stm32_lptim_read_raw(struct iio_dev *indio_dev, +- struct iio_chan_spec const *chan, +- int *val, int *val2, long mask) +-{ +- struct stm32_lptim_cnt *priv = iio_priv(indio_dev); +- u32 dat; +- int ret; +- +- switch (mask) { +- case IIO_CHAN_INFO_RAW: +- ret = regmap_read(priv->regmap, STM32_LPTIM_CNT, &dat); +- if (ret) +- return ret; +- *val = dat; +- return IIO_VAL_INT; +- +- case IIO_CHAN_INFO_ENABLE: +- ret = stm32_lptim_is_enabled(priv); +- if (ret < 0) +- return ret; +- *val = ret; +- return IIO_VAL_INT; +- +- case IIO_CHAN_INFO_SCALE: +- /* Non-quadrature mode: scale = 1 */ +- *val = 1; +- *val2 = 0; +- if (priv->quadrature_mode) { +- /* +- * Quadrature encoder mode: +- * - both edges, quarter cycle, scale is 0.25 +- * - either rising/falling edge scale is 0.5 +- */ +- if (priv->polarity > 1) +- *val2 = 2; +- else +- *val2 = 1; +- } +- return IIO_VAL_FRACTIONAL_LOG2; +- +- default: +- return -EINVAL; +- } +-} +- +-static const struct iio_info stm32_lptim_cnt_iio_info = { +- .read_raw = stm32_lptim_read_raw, +- .write_raw = stm32_lptim_write_raw, +-}; +- +-static const char *const stm32_lptim_quadrature_modes[] = { +- "non-quadrature", +- "quadrature", +-}; +- +-static int stm32_lptim_get_quadrature_mode(struct iio_dev *indio_dev, +- const struct iio_chan_spec *chan) +-{ +- struct stm32_lptim_cnt *priv = iio_priv(indio_dev); +- +- return priv->quadrature_mode; +-} +- +-static int stm32_lptim_set_quadrature_mode(struct iio_dev *indio_dev, +- const struct iio_chan_spec *chan, +- unsigned int type) +-{ +- struct stm32_lptim_cnt *priv = iio_priv(indio_dev); +- +- if (stm32_lptim_is_enabled(priv)) +- return -EBUSY; +- +- priv->quadrature_mode = type; +- +- return 0; +-} +- +-static const struct iio_enum stm32_lptim_quadrature_mode_en = { +- .items = stm32_lptim_quadrature_modes, +- .num_items = ARRAY_SIZE(stm32_lptim_quadrature_modes), +- .get = stm32_lptim_get_quadrature_mode, +- .set = stm32_lptim_set_quadrature_mode, +-}; +- +-static const char * const stm32_lptim_cnt_polarity[] = { +- "rising-edge", "falling-edge", "both-edges", +-}; +- +-static int stm32_lptim_cnt_get_polarity(struct iio_dev *indio_dev, +- const struct iio_chan_spec *chan) +-{ +- struct stm32_lptim_cnt *priv = iio_priv(indio_dev); +- +- return priv->polarity; +-} +- +-static int stm32_lptim_cnt_set_polarity(struct iio_dev *indio_dev, +- const struct iio_chan_spec *chan, +- unsigned int type) +-{ +- struct stm32_lptim_cnt *priv = iio_priv(indio_dev); +- +- if (stm32_lptim_is_enabled(priv)) +- return -EBUSY; +- +- priv->polarity = type; +- +- return 0; +-} +- +-static const struct iio_enum stm32_lptim_cnt_polarity_en = { +- .items = stm32_lptim_cnt_polarity, +- .num_items = ARRAY_SIZE(stm32_lptim_cnt_polarity), +- .get = stm32_lptim_cnt_get_polarity, +- .set = stm32_lptim_cnt_set_polarity, +-}; +- +-static ssize_t stm32_lptim_cnt_get_ceiling(struct stm32_lptim_cnt *priv, +- char *buf) +-{ +- return snprintf(buf, PAGE_SIZE, "%u\n", priv->ceiling); +-} +- +-static ssize_t stm32_lptim_cnt_set_ceiling(struct stm32_lptim_cnt *priv, +- const char *buf, size_t len) +-{ +- int ret; +- +- if (stm32_lptim_is_enabled(priv)) +- return -EBUSY; +- +- ret = kstrtouint(buf, 0, &priv->ceiling); +- if (ret) +- return ret; +- +- if (priv->ceiling > STM32_LPTIM_MAX_ARR) +- return -EINVAL; +- +- return len; +-} +- +-static ssize_t stm32_lptim_cnt_get_preset_iio(struct iio_dev *indio_dev, +- uintptr_t private, +- const struct iio_chan_spec *chan, +- char *buf) +-{ +- struct stm32_lptim_cnt *priv = iio_priv(indio_dev); +- +- return stm32_lptim_cnt_get_ceiling(priv, buf); +-} +- +-static ssize_t stm32_lptim_cnt_set_preset_iio(struct iio_dev *indio_dev, +- uintptr_t private, +- const struct iio_chan_spec *chan, +- const char *buf, size_t len) +-{ +- struct stm32_lptim_cnt *priv = iio_priv(indio_dev); +- +- return stm32_lptim_cnt_set_ceiling(priv, buf, len); +-} +- +-/* LP timer with encoder */ +-static const struct iio_chan_spec_ext_info stm32_lptim_enc_ext_info[] = { +- { +- .name = "preset", +- .shared = IIO_SEPARATE, +- .read = stm32_lptim_cnt_get_preset_iio, +- .write = stm32_lptim_cnt_set_preset_iio, +- }, +- IIO_ENUM("polarity", IIO_SEPARATE, &stm32_lptim_cnt_polarity_en), +- IIO_ENUM_AVAILABLE("polarity", &stm32_lptim_cnt_polarity_en), +- IIO_ENUM("quadrature_mode", IIO_SEPARATE, +- &stm32_lptim_quadrature_mode_en), +- IIO_ENUM_AVAILABLE("quadrature_mode", &stm32_lptim_quadrature_mode_en), +- {} +-}; +- +-static const struct iio_chan_spec stm32_lptim_enc_channels = { +- .type = IIO_COUNT, +- .channel = 0, +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW) | +- BIT(IIO_CHAN_INFO_ENABLE) | +- BIT(IIO_CHAN_INFO_SCALE), +- .ext_info = stm32_lptim_enc_ext_info, +- .indexed = 1, +-}; +- +-/* LP timer without encoder (counter only) */ +-static const struct iio_chan_spec_ext_info stm32_lptim_cnt_ext_info[] = { +- { +- .name = "preset", +- .shared = IIO_SEPARATE, +- .read = stm32_lptim_cnt_get_preset_iio, +- .write = stm32_lptim_cnt_set_preset_iio, +- }, +- IIO_ENUM("polarity", IIO_SEPARATE, &stm32_lptim_cnt_polarity_en), +- IIO_ENUM_AVAILABLE("polarity", &stm32_lptim_cnt_polarity_en), +- {} +-}; +- +-static const struct iio_chan_spec stm32_lptim_cnt_channels = { +- .type = IIO_COUNT, +- .channel = 0, +- .info_mask_separate = BIT(IIO_CHAN_INFO_RAW) | +- BIT(IIO_CHAN_INFO_ENABLE) | +- BIT(IIO_CHAN_INFO_SCALE), +- .ext_info = stm32_lptim_cnt_ext_info, +- .indexed = 1, +-}; +- + /** + * enum stm32_lptim_cnt_function - enumerates LPTimer counter & encoder modes + * @STM32_LPTIM_COUNTER_INCREASE: up count on IN1 rising, falling or both edges + * @STM32_LPTIM_ENCODER_BOTH_EDGE: count on both edges (IN1 & IN2 quadrature) ++ * ++ * In non-quadrature mode, device counts up on active edge. ++ * In quadrature mode, encoder counting scenarios are as follows: ++ * +---------+----------+--------------------+--------------------+ ++ * | Active | Level on | IN1 signal | IN2 signal | ++ * | edge | opposite +----------+---------+----------+---------+ ++ * | | signal | Rising | Falling | Rising | Falling | ++ * +---------+----------+----------+---------+----------+---------+ ++ * | Rising | High -> | Down | - | Up | - | ++ * | edge | Low -> | Up | - | Down | - | ++ * +---------+----------+----------+---------+----------+---------+ ++ * | Falling | High -> | - | Up | - | Down | ++ * | edge | Low -> | - | Down | - | Up | ++ * +---------+----------+----------+---------+----------+---------+ ++ * | Both | High -> | Down | Up | Up | Down | ++ * | edges | Low -> | Up | Down | Down | Up | ++ * +---------+----------+----------+---------+----------+---------+ + */ + enum stm32_lptim_cnt_function { + STM32_LPTIM_COUNTER_INCREASE, +@@ -484,7 +262,7 @@ static ssize_t stm32_lptim_cnt_ceiling_read(struct counter_device *counter, + { + struct stm32_lptim_cnt *const priv = counter->priv; + +- return stm32_lptim_cnt_get_ceiling(priv, buf); ++ return snprintf(buf, PAGE_SIZE, "%u\n", priv->ceiling); + } + + static ssize_t stm32_lptim_cnt_ceiling_write(struct counter_device *counter, +@@ -493,8 +271,22 @@ static ssize_t stm32_lptim_cnt_ceiling_write(struct counter_device *counter, + const char *buf, size_t len) + { + struct stm32_lptim_cnt *const priv = counter->priv; ++ unsigned int ceiling; ++ int ret; ++ ++ if (stm32_lptim_is_enabled(priv)) ++ return -EBUSY; ++ ++ ret = kstrtouint(buf, 0, &ceiling); ++ if (ret) ++ return ret; ++ ++ if (ceiling > STM32_LPTIM_MAX_ARR) ++ return -EINVAL; ++ ++ priv->ceiling = ceiling; + +- return stm32_lptim_cnt_set_ceiling(priv, buf, len); ++ return len; + } + + static const struct counter_count_ext stm32_lptim_cnt_ext[] = { +@@ -630,32 +422,19 @@ static int stm32_lptim_cnt_probe(struct platform_device *pdev) + { + struct stm32_lptimer *ddata = dev_get_drvdata(pdev->dev.parent); + struct stm32_lptim_cnt *priv; +- struct iio_dev *indio_dev; +- int ret; + + if (IS_ERR_OR_NULL(ddata)) + return -EINVAL; + +- indio_dev = devm_iio_device_alloc(&pdev->dev, sizeof(*priv)); +- if (!indio_dev) ++ priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL); ++ if (!priv) + return -ENOMEM; + +- priv = iio_priv(indio_dev); + priv->dev = &pdev->dev; + priv->regmap = ddata->regmap; + priv->clk = ddata->clk; + priv->ceiling = STM32_LPTIM_MAX_ARR; + +- /* Initialize IIO device */ +- indio_dev->name = dev_name(&pdev->dev); +- indio_dev->dev.of_node = pdev->dev.of_node; +- indio_dev->info = &stm32_lptim_cnt_iio_info; +- if (ddata->has_encoder) +- indio_dev->channels = &stm32_lptim_enc_channels; +- else +- indio_dev->channels = &stm32_lptim_cnt_channels; +- indio_dev->num_channels = 1; +- + /* Initialize Counter device */ + priv->counter.name = dev_name(&pdev->dev); + priv->counter.parent = &pdev->dev; +@@ -673,10 +452,6 @@ static int stm32_lptim_cnt_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, priv); + +- ret = devm_iio_device_register(&pdev->dev, indio_dev); +- if (ret) +- return ret; +- + return devm_counter_register(&pdev->dev, &priv->counter); + } + +-- +2.34.1 + diff --git a/queue-5.10/cpufreq-fix-initialization-of-min-and-max-frequency-.patch b/queue-5.10/cpufreq-fix-initialization-of-min-and-max-frequency-.patch new file mode 100644 index 00000000000..df964bf1902 --- /dev/null +++ b/queue-5.10/cpufreq-fix-initialization-of-min-and-max-frequency-.patch @@ -0,0 +1,54 @@ +From e593eadf8cb3cb8948a78fde741b0c63467b7348 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Dec 2021 20:32:15 +0100 +Subject: cpufreq: Fix initialization of min and max frequency QoS requests + +From: Rafael J. Wysocki + +[ Upstream commit 521223d8b3ec078f670c7c35a1a04b1b2af07966 ] + +The min and max frequency QoS requests in the cpufreq core are +initialized to whatever the current min and max frequency values are +at the init time, but if any of these values change later (for +example, cpuinfo.max_freq is updated by the driver), these initial +request values will be limiting the CPU frequency unnecessarily +unless they are changed by user space via sysfs. + +To address this, initialize min_freq_req and max_freq_req to +FREQ_QOS_MIN_DEFAULT_VALUE and FREQ_QOS_MAX_DEFAULT_VALUE, +respectively, so they don't really limit anything until user +space updates them. + +Reported-by: Srinivas Pandruvada +Tested-by: Srinivas Pandruvada +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index 8e159fb6af9cd..30dafe8fc5054 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -1400,7 +1400,7 @@ static int cpufreq_online(unsigned int cpu) + + ret = freq_qos_add_request(&policy->constraints, + policy->min_freq_req, FREQ_QOS_MIN, +- policy->min); ++ FREQ_QOS_MIN_DEFAULT_VALUE); + if (ret < 0) { + /* + * So we don't call freq_qos_remove_request() for an +@@ -1420,7 +1420,7 @@ static int cpufreq_online(unsigned int cpu) + + ret = freq_qos_add_request(&policy->constraints, + policy->max_freq_req, FREQ_QOS_MAX, +- policy->max); ++ FREQ_QOS_MAX_DEFAULT_VALUE); + if (ret < 0) { + policy->max_freq_req = NULL; + goto out_destroy_policy; +-- +2.34.1 + diff --git a/queue-5.10/crypto-jitter-consider-32-lsb-for-apt.patch b/queue-5.10/crypto-jitter-consider-32-lsb-for-apt.patch new file mode 100644 index 00000000000..33b55606122 --- /dev/null +++ b/queue-5.10/crypto-jitter-consider-32-lsb-for-apt.patch @@ -0,0 +1,57 @@ +From f6dd293acffab3f64e634192c2c7588b296ca4f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Nov 2021 15:14:20 +0100 +Subject: crypto: jitter - consider 32 LSB for APT +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stephan Müller + +[ Upstream commit 552d03a223eda3df84526ab2c1f4d82e15eaee7a ] + +The APT compares the current time stamp with a pre-set value. The +current code only considered the 4 LSB only. Yet, after reviews by +mathematicians of the user space Jitter RNG version >= 3.1.0, it was +concluded that the APT can be calculated on the 32 LSB of the time +delta. Thi change is applied to the kernel. + +This fixes a bug where an AMD EPYC fails this test as its RDTSC value +contains zeros in the LSB. The most appropriate fix would have been to +apply a GCD calculation and divide the time stamp by the GCD. Yet, this +is a significant code change that will be considered for a future +update. Note, tests showed that constantly the GCD always was 32 on +these systems, i.e. the 5 LSB were always zero (thus failing the APT +since it only considered the 4 LSB for its calculation). + +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/jitterentropy.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/crypto/jitterentropy.c b/crypto/jitterentropy.c +index 6e147c43fc186..37c4c308339e4 100644 +--- a/crypto/jitterentropy.c ++++ b/crypto/jitterentropy.c +@@ -265,7 +265,6 @@ static int jent_stuck(struct rand_data *ec, __u64 current_delta) + { + __u64 delta2 = jent_delta(ec->last_delta, current_delta); + __u64 delta3 = jent_delta(ec->last_delta2, delta2); +- unsigned int delta_masked = current_delta & JENT_APT_WORD_MASK; + + ec->last_delta = current_delta; + ec->last_delta2 = delta2; +@@ -274,7 +273,7 @@ static int jent_stuck(struct rand_data *ec, __u64 current_delta) + * Insert the result of the comparison of two back-to-back time + * deltas. + */ +- jent_apt_insert(ec, delta_masked); ++ jent_apt_insert(ec, current_delta); + + if (!current_delta || !delta2 || !delta3) { + /* RCT with a stuck bit */ +-- +2.34.1 + diff --git a/queue-5.10/crypto-qat-fix-spelling-mistake-messge-message.patch b/queue-5.10/crypto-qat-fix-spelling-mistake-messge-message.patch new file mode 100644 index 00000000000..0df2786aeed --- /dev/null +++ b/queue-5.10/crypto-qat-fix-spelling-mistake-messge-message.patch @@ -0,0 +1,59 @@ +From 8b31aca3b0df3f42c0eefe2a334f047942526dd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Feb 2021 10:28:55 +0000 +Subject: crypto: qat - fix spelling mistake: "messge" -> "message" + +From: Bhaskar Chowdhury + +[ Upstream commit f17a25cb1776c5712e950aaf326528ae652a086c ] + +Trivial fix to spelling mistake in adf_pf2vf_msg.c and adf_vf2pf_msg.c. +s/messge/message/ + +Signed-off-by: Bhaskar Chowdhury +Signed-off-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 2 +- + drivers/crypto/qat/qat_common/adf_vf2pf_msg.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +index d7ca222f0df18..e3da97286980e 100644 +--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c ++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +@@ -176,7 +176,7 @@ out: + * @msg: Message to send + * @vf_nr: VF number to which the message will be sent + * +- * Function sends a messge from the PF to a VF ++ * Function sends a message from the PF to a VF + * + * Return: 0 on success, error code otherwise. + */ +diff --git a/drivers/crypto/qat/qat_common/adf_vf2pf_msg.c b/drivers/crypto/qat/qat_common/adf_vf2pf_msg.c +index 54b738da829d8..3e25fac051b25 100644 +--- a/drivers/crypto/qat/qat_common/adf_vf2pf_msg.c ++++ b/drivers/crypto/qat/qat_common/adf_vf2pf_msg.c +@@ -8,7 +8,7 @@ + * adf_vf2pf_notify_init() - send init msg to PF + * @accel_dev: Pointer to acceleration VF device. + * +- * Function sends an init messge from the VF to a PF ++ * Function sends an init message from the VF to a PF + * + * Return: 0 on success, error code otherwise. + */ +@@ -31,7 +31,7 @@ EXPORT_SYMBOL_GPL(adf_vf2pf_notify_init); + * adf_vf2pf_notify_shutdown() - send shutdown msg to PF + * @accel_dev: Pointer to acceleration VF device. + * +- * Function sends a shutdown messge from the VF to a PF ++ * Function sends a shutdown message from the VF to a PF + * + * Return: void + */ +-- +2.34.1 + diff --git a/queue-5.10/crypto-qat-fix-undetected-pfvf-timeout-in-ack-loop.patch b/queue-5.10/crypto-qat-fix-undetected-pfvf-timeout-in-ack-loop.patch new file mode 100644 index 00000000000..8b128642a75 --- /dev/null +++ b/queue-5.10/crypto-qat-fix-undetected-pfvf-timeout-in-ack-loop.patch @@ -0,0 +1,59 @@ +From c68bab614782b59817dd2a654aeef725b5ed5bc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 14:30:35 +0000 +Subject: crypto: qat - fix undetected PFVF timeout in ACK loop + +From: Giovanni Cabiddu + +[ Upstream commit 5002200b4fedd7e90e4fbc2e5c42a4b3351df814 ] + +If the remote function did not ACK the reception of a message, the +function __adf_iov_putmsg() could detect it as a collision. + +This was due to the fact that the collision and the timeout checks after +the ACK loop were in the wrong order. The timeout must be checked at the +end of the loop, so fix by swapping the order of the two checks. + +Fixes: 9b768e8a3909 ("crypto: qat - detect PFVF collision after ACK") +Signed-off-by: Giovanni Cabiddu +Co-developed-by: Marco Chiappero +Signed-off-by: Marco Chiappero +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +index 7b34273d18937..74afafc84c716 100644 +--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c ++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +@@ -132,6 +132,12 @@ static int __adf_iov_putmsg(struct adf_accel_dev *accel_dev, u32 msg, u8 vf_nr) + val = ADF_CSR_RD(pmisc_bar_addr, pf2vf_offset); + } while ((val & int_bit) && (count++ < ADF_IOV_MSG_ACK_MAX_RETRY)); + ++ if (val & int_bit) { ++ dev_dbg(&GET_DEV(accel_dev), "ACK not received from remote\n"); ++ val &= ~int_bit; ++ ret = -EIO; ++ } ++ + if (val != msg) { + dev_dbg(&GET_DEV(accel_dev), + "Collision - PFVF CSR overwritten by remote function\n"); +@@ -139,12 +145,6 @@ static int __adf_iov_putmsg(struct adf_accel_dev *accel_dev, u32 msg, u8 vf_nr) + goto out; + } + +- if (val & int_bit) { +- dev_dbg(&GET_DEV(accel_dev), "ACK not received from remote\n"); +- val &= ~int_bit; +- ret = -EIO; +- } +- + /* Finished with the PFVF CSR; relinquish it and leave msg in CSR */ + ADF_CSR_WR(pmisc_bar_addr, pf2vf_offset, val & ~local_in_use_mask); + out: +-- +2.34.1 + diff --git a/queue-5.10/crypto-qat-make-pfvf-send-message-direction-agnostic.patch b/queue-5.10/crypto-qat-make-pfvf-send-message-direction-agnostic.patch new file mode 100644 index 00000000000..c438c176ea7 --- /dev/null +++ b/queue-5.10/crypto-qat-make-pfvf-send-message-direction-agnostic.patch @@ -0,0 +1,81 @@ +From 703bec74806041f500074c46a21f8cd46202343f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 12:44:35 +0100 +Subject: crypto: qat - make pfvf send message direction agnostic + +From: Marco Chiappero + +[ Upstream commit 6e680f94bc31d0fd0ff01123c964d895ea8040fa ] + +The functions adf_iov_putmsg() and __adf_iov_putmsg() are shared by both +PF and VF. Any logging or documentation should not refer to any specific +direction. + +Make comments and log messages direction agnostic by replacing PF2VF +with PFVF. Also fix the wording for some related comments. + +Signed-off-by: Marco Chiappero +Co-developed-by: Giovanni Cabiddu +Signed-off-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +index d1dbf6216de57..7b34273d18937 100644 +--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c ++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +@@ -111,11 +111,11 @@ static int __adf_iov_putmsg(struct adf_accel_dev *accel_dev, u32 msg, u8 vf_nr) + + mutex_lock(lock); + +- /* Check if PF2VF CSR is in use by remote function */ ++ /* Check if the PFVF CSR is in use by remote function */ + val = ADF_CSR_RD(pmisc_bar_addr, pf2vf_offset); + if ((val & remote_in_use_mask) == remote_in_use_pattern) { + dev_dbg(&GET_DEV(accel_dev), +- "PF2VF CSR in use by remote function\n"); ++ "PFVF CSR in use by remote function\n"); + ret = -EBUSY; + goto out; + } +@@ -123,7 +123,7 @@ static int __adf_iov_putmsg(struct adf_accel_dev *accel_dev, u32 msg, u8 vf_nr) + msg &= ~local_in_use_mask; + msg |= local_in_use_pattern; + +- /* Attempt to get ownership of the PF2VF CSR */ ++ /* Attempt to get ownership of the PFVF CSR */ + ADF_CSR_WR(pmisc_bar_addr, pf2vf_offset, msg | int_bit); + + /* Wait for confirmation from remote func it received the message */ +@@ -145,7 +145,7 @@ static int __adf_iov_putmsg(struct adf_accel_dev *accel_dev, u32 msg, u8 vf_nr) + ret = -EIO; + } + +- /* Finished with PF2VF CSR; relinquish it and leave msg in CSR */ ++ /* Finished with the PFVF CSR; relinquish it and leave msg in CSR */ + ADF_CSR_WR(pmisc_bar_addr, pf2vf_offset, val & ~local_in_use_mask); + out: + mutex_unlock(lock); +@@ -153,12 +153,13 @@ out: + } + + /** +- * adf_iov_putmsg() - send PF2VF message ++ * adf_iov_putmsg() - send PFVF message + * @accel_dev: Pointer to acceleration device. + * @msg: Message to send +- * @vf_nr: VF number to which the message will be sent ++ * @vf_nr: VF number to which the message will be sent if on PF, ignored ++ * otherwise + * +- * Function sends a message from the PF to a VF ++ * Function sends a message through the PFVF channel + * + * Return: 0 on success, error code otherwise. + */ +-- +2.34.1 + diff --git a/queue-5.10/crypto-qat-remove-unnecessary-collision-prevention-s.patch b/queue-5.10/crypto-qat-remove-unnecessary-collision-prevention-s.patch new file mode 100644 index 00000000000..41a1f2c4ea2 --- /dev/null +++ b/queue-5.10/crypto-qat-remove-unnecessary-collision-prevention-s.patch @@ -0,0 +1,60 @@ +From 9a1d1326e3e5935c1c2c112c257f6aef1b461343 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 12:44:31 +0100 +Subject: crypto: qat - remove unnecessary collision prevention step in PFVF + +From: Marco Chiappero + +[ Upstream commit e17f49bb244a281fe39bfdad0306a38b3a02e7bf ] + +The initial version of the PFVF protocol included an initial "carrier +sensing" to get ownership of the channel. + +Collisions can happen anyway, the extra wait and test does not prevent +collisions, it instead slows the communication down, so remove it. + +Signed-off-by: Marco Chiappero +Reviewed-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 20 +------------------ + 1 file changed, 1 insertion(+), 19 deletions(-) + +diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +index e3da97286980e..d1dbf6216de57 100644 +--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c ++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +@@ -120,28 +120,10 @@ static int __adf_iov_putmsg(struct adf_accel_dev *accel_dev, u32 msg, u8 vf_nr) + goto out; + } + +- /* Attempt to get ownership of PF2VF CSR */ + msg &= ~local_in_use_mask; + msg |= local_in_use_pattern; +- ADF_CSR_WR(pmisc_bar_addr, pf2vf_offset, msg); + +- /* Wait in case remote func also attempting to get ownership */ +- msleep(ADF_IOV_MSG_COLLISION_DETECT_DELAY); +- +- val = ADF_CSR_RD(pmisc_bar_addr, pf2vf_offset); +- if ((val & local_in_use_mask) != local_in_use_pattern) { +- dev_dbg(&GET_DEV(accel_dev), +- "PF2VF CSR in use by remote - collision detected\n"); +- ret = -EBUSY; +- goto out; +- } +- +- /* +- * This function now owns the PV2VF CSR. The IN_USE_BY pattern must +- * remain in the PF2VF CSR for all writes including ACK from remote +- * until this local function relinquishes the CSR. Send the message +- * by interrupting the remote. +- */ ++ /* Attempt to get ownership of the PF2VF CSR */ + ADF_CSR_WR(pmisc_bar_addr, pf2vf_offset, msg | int_bit); + + /* Wait for confirmation from remote func it received the message */ +-- +2.34.1 + diff --git a/queue-5.10/crypto-qce-fix-uaf-on-qce_ahash_register_one.patch b/queue-5.10/crypto-qce-fix-uaf-on-qce_ahash_register_one.patch new file mode 100644 index 00000000000..e4c78e6b159 --- /dev/null +++ b/queue-5.10/crypto-qce-fix-uaf-on-qce_ahash_register_one.patch @@ -0,0 +1,39 @@ +From f02aa368d5b8166e35a505e389cfec6e49352db9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Nov 2021 06:38:31 -0700 +Subject: crypto: qce - fix uaf on qce_ahash_register_one + +From: Chengfeng Ye + +[ Upstream commit b4cb4d31631912842eb7dce02b4350cbb7562d5e ] + +Pointer base points to sub field of tmpl, it +is dereferenced after tmpl is freed. Fix +this by accessing base before free tmpl. + +Fixes: ec8f5d8f ("crypto: qce - Qualcomm crypto engine driver") +Signed-off-by: Chengfeng Ye +Acked-by: Thara Gopinath +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qce/sha.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/qce/sha.c b/drivers/crypto/qce/sha.c +index 87be96a0b0bba..8b4e79d882af4 100644 +--- a/drivers/crypto/qce/sha.c ++++ b/drivers/crypto/qce/sha.c +@@ -533,8 +533,8 @@ static int qce_ahash_register_one(const struct qce_ahash_def *def, + + ret = crypto_register_ahash(alg); + if (ret) { +- kfree(tmpl); + dev_err(qce->dev, "%s registration failed\n", base->cra_name); ++ kfree(tmpl); + return ret; + } + +-- +2.34.1 + diff --git a/queue-5.10/crypto-qce-fix-uaf-on-qce_skcipher_register_one.patch b/queue-5.10/crypto-qce-fix-uaf-on-qce_skcipher_register_one.patch new file mode 100644 index 00000000000..120a9b960f7 --- /dev/null +++ b/queue-5.10/crypto-qce-fix-uaf-on-qce_skcipher_register_one.patch @@ -0,0 +1,39 @@ +From 7de565b78cd2ab08acef27561bcdbd3714cb5831 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Nov 2021 06:46:42 -0700 +Subject: crypto: qce - fix uaf on qce_skcipher_register_one + +From: Chengfeng Ye + +[ Upstream commit e9c195aaeed1b45c9012adbe29dedb6031e85aa8 ] + +Pointer alg points to sub field of tmpl, it +is dereferenced after tmpl is freed. Fix +this by accessing alg before free tmpl. + +Fixes: ec8f5d8f ("crypto: qce - Qualcomm crypto engine driver") +Signed-off-by: Chengfeng Ye +Acked-by: Thara Gopinath +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qce/skcipher.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/qce/skcipher.c b/drivers/crypto/qce/skcipher.c +index d8053789c8828..89c7fc3efbd71 100644 +--- a/drivers/crypto/qce/skcipher.c ++++ b/drivers/crypto/qce/skcipher.c +@@ -433,8 +433,8 @@ static int qce_skcipher_register_one(const struct qce_skcipher_def *def, + + ret = crypto_register_skcipher(alg); + if (ret) { +- kfree(tmpl); + dev_err(qce->dev, "%s registration failed\n", alg->base.cra_name); ++ kfree(tmpl); + return ret; + } + +-- +2.34.1 + diff --git a/queue-5.10/crypto-stm32-cryp-check-early-input-data.patch b/queue-5.10/crypto-stm32-cryp-check-early-input-data.patch new file mode 100644 index 00000000000..d944acb495e --- /dev/null +++ b/queue-5.10/crypto-stm32-cryp-check-early-input-data.patch @@ -0,0 +1,241 @@ +From 601d780f28c5fbc83b53e627242c153abb91375a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 08:54:57 +0100 +Subject: crypto: stm32/cryp - check early input data + +From: Nicolas Toromanoff + +[ Upstream commit 39e6e699c7fb92bdb2617b596ca4a4ea35c5d2a7 ] + +Some auto tests failed because driver wasn't returning the expected +error with some input size/iv value/tag size. +Now: + Return 0 early for empty buffer. (We don't need to start the engine for + an empty input buffer). + Accept any valid authsize for gcm(aes). + Return -EINVAL if iv for ccm(aes) is invalid. + Return -EINVAL if buffer size is a not a multiple of algorithm block size. + +Fixes: 9e054ec21ef8 ("crypto: stm32 - Support for STM32 CRYP crypto module") + +Signed-off-by: Nicolas Toromanoff +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/stm32-cryp.c | 114 +++++++++++++++++++++++++++++- + 1 file changed, 113 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c +index e2bcc4f98b0ae..fd7fb73a4d450 100644 +--- a/drivers/crypto/stm32/stm32-cryp.c ++++ b/drivers/crypto/stm32/stm32-cryp.c +@@ -799,7 +799,20 @@ static int stm32_cryp_aes_aead_setkey(struct crypto_aead *tfm, const u8 *key, + static int stm32_cryp_aes_gcm_setauthsize(struct crypto_aead *tfm, + unsigned int authsize) + { +- return authsize == AES_BLOCK_SIZE ? 0 : -EINVAL; ++ switch (authsize) { ++ case 4: ++ case 8: ++ case 12: ++ case 13: ++ case 14: ++ case 15: ++ case 16: ++ break; ++ default: ++ return -EINVAL; ++ } ++ ++ return 0; + } + + static int stm32_cryp_aes_ccm_setauthsize(struct crypto_aead *tfm, +@@ -823,31 +836,61 @@ static int stm32_cryp_aes_ccm_setauthsize(struct crypto_aead *tfm, + + static int stm32_cryp_aes_ecb_encrypt(struct skcipher_request *req) + { ++ if (req->cryptlen % AES_BLOCK_SIZE) ++ return -EINVAL; ++ ++ if (req->cryptlen == 0) ++ return 0; ++ + return stm32_cryp_crypt(req, FLG_AES | FLG_ECB | FLG_ENCRYPT); + } + + static int stm32_cryp_aes_ecb_decrypt(struct skcipher_request *req) + { ++ if (req->cryptlen % AES_BLOCK_SIZE) ++ return -EINVAL; ++ ++ if (req->cryptlen == 0) ++ return 0; ++ + return stm32_cryp_crypt(req, FLG_AES | FLG_ECB); + } + + static int stm32_cryp_aes_cbc_encrypt(struct skcipher_request *req) + { ++ if (req->cryptlen % AES_BLOCK_SIZE) ++ return -EINVAL; ++ ++ if (req->cryptlen == 0) ++ return 0; ++ + return stm32_cryp_crypt(req, FLG_AES | FLG_CBC | FLG_ENCRYPT); + } + + static int stm32_cryp_aes_cbc_decrypt(struct skcipher_request *req) + { ++ if (req->cryptlen % AES_BLOCK_SIZE) ++ return -EINVAL; ++ ++ if (req->cryptlen == 0) ++ return 0; ++ + return stm32_cryp_crypt(req, FLG_AES | FLG_CBC); + } + + static int stm32_cryp_aes_ctr_encrypt(struct skcipher_request *req) + { ++ if (req->cryptlen == 0) ++ return 0; ++ + return stm32_cryp_crypt(req, FLG_AES | FLG_CTR | FLG_ENCRYPT); + } + + static int stm32_cryp_aes_ctr_decrypt(struct skcipher_request *req) + { ++ if (req->cryptlen == 0) ++ return 0; ++ + return stm32_cryp_crypt(req, FLG_AES | FLG_CTR); + } + +@@ -861,53 +904,122 @@ static int stm32_cryp_aes_gcm_decrypt(struct aead_request *req) + return stm32_cryp_aead_crypt(req, FLG_AES | FLG_GCM); + } + ++static inline int crypto_ccm_check_iv(const u8 *iv) ++{ ++ /* 2 <= L <= 8, so 1 <= L' <= 7. */ ++ if (iv[0] < 1 || iv[0] > 7) ++ return -EINVAL; ++ ++ return 0; ++} ++ + static int stm32_cryp_aes_ccm_encrypt(struct aead_request *req) + { ++ int err; ++ ++ err = crypto_ccm_check_iv(req->iv); ++ if (err) ++ return err; ++ + return stm32_cryp_aead_crypt(req, FLG_AES | FLG_CCM | FLG_ENCRYPT); + } + + static int stm32_cryp_aes_ccm_decrypt(struct aead_request *req) + { ++ int err; ++ ++ err = crypto_ccm_check_iv(req->iv); ++ if (err) ++ return err; ++ + return stm32_cryp_aead_crypt(req, FLG_AES | FLG_CCM); + } + + static int stm32_cryp_des_ecb_encrypt(struct skcipher_request *req) + { ++ if (req->cryptlen % DES_BLOCK_SIZE) ++ return -EINVAL; ++ ++ if (req->cryptlen == 0) ++ return 0; ++ + return stm32_cryp_crypt(req, FLG_DES | FLG_ECB | FLG_ENCRYPT); + } + + static int stm32_cryp_des_ecb_decrypt(struct skcipher_request *req) + { ++ if (req->cryptlen % DES_BLOCK_SIZE) ++ return -EINVAL; ++ ++ if (req->cryptlen == 0) ++ return 0; ++ + return stm32_cryp_crypt(req, FLG_DES | FLG_ECB); + } + + static int stm32_cryp_des_cbc_encrypt(struct skcipher_request *req) + { ++ if (req->cryptlen % DES_BLOCK_SIZE) ++ return -EINVAL; ++ ++ if (req->cryptlen == 0) ++ return 0; ++ + return stm32_cryp_crypt(req, FLG_DES | FLG_CBC | FLG_ENCRYPT); + } + + static int stm32_cryp_des_cbc_decrypt(struct skcipher_request *req) + { ++ if (req->cryptlen % DES_BLOCK_SIZE) ++ return -EINVAL; ++ ++ if (req->cryptlen == 0) ++ return 0; ++ + return stm32_cryp_crypt(req, FLG_DES | FLG_CBC); + } + + static int stm32_cryp_tdes_ecb_encrypt(struct skcipher_request *req) + { ++ if (req->cryptlen % DES_BLOCK_SIZE) ++ return -EINVAL; ++ ++ if (req->cryptlen == 0) ++ return 0; ++ + return stm32_cryp_crypt(req, FLG_TDES | FLG_ECB | FLG_ENCRYPT); + } + + static int stm32_cryp_tdes_ecb_decrypt(struct skcipher_request *req) + { ++ if (req->cryptlen % DES_BLOCK_SIZE) ++ return -EINVAL; ++ ++ if (req->cryptlen == 0) ++ return 0; ++ + return stm32_cryp_crypt(req, FLG_TDES | FLG_ECB); + } + + static int stm32_cryp_tdes_cbc_encrypt(struct skcipher_request *req) + { ++ if (req->cryptlen % DES_BLOCK_SIZE) ++ return -EINVAL; ++ ++ if (req->cryptlen == 0) ++ return 0; ++ + return stm32_cryp_crypt(req, FLG_TDES | FLG_CBC | FLG_ENCRYPT); + } + + static int stm32_cryp_tdes_cbc_decrypt(struct skcipher_request *req) + { ++ if (req->cryptlen % DES_BLOCK_SIZE) ++ return -EINVAL; ++ ++ if (req->cryptlen == 0) ++ return 0; ++ + return stm32_cryp_crypt(req, FLG_TDES | FLG_CBC); + } + +-- +2.34.1 + diff --git a/queue-5.10/crypto-stm32-cryp-fix-bugs-and-crash-in-tests.patch b/queue-5.10/crypto-stm32-cryp-fix-bugs-and-crash-in-tests.patch new file mode 100644 index 00000000000..4485d1d69bb --- /dev/null +++ b/queue-5.10/crypto-stm32-cryp-fix-bugs-and-crash-in-tests.patch @@ -0,0 +1,1214 @@ +From 6c56cf1059098d52d9cbf644e121a61aa1150130 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 08:55:00 +0100 +Subject: crypto: stm32/cryp - fix bugs and crash in tests + +From: Nicolas Toromanoff + +[ Upstream commit 4b898d5cfa4d9a0ad5bc82cb5eafdc092394c6a9 ] + +Extra crypto manager auto test were crashing or failling due +to 2 reasons: +- block in a dead loop (dues to issues in cipher end process management) +- crash due to read/write unmapped memory (this crash was also reported +when using openssl afalg engine) + +Rework interrupt management, interrupts are masked as soon as they are +no more used: if input buffer is fully consumed, "Input FIFO not full" +interrupt is masked and if output buffer is full, "Output FIFO not +empty" interrupt is masked. +And crypto request finish when input *and* outpout buffer are fully +read/write. + +About the crash due to unmapped memory, using scatterwalk_copychunks() +that will map and copy each block fix the issue. +Using this api and copying full block will also fix unaligned data +access, avoid early copy of in/out buffer, and make useless the extra +alignment constraint. + +Fixes: 9e054ec21ef8 ("crypto: stm32 - Support for STM32 CRYP crypto module") + +Reported-by: Marek Vasut +Signed-off-by: Nicolas Toromanoff +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/stm32-cryp.c | 790 +++++++++--------------------- + 1 file changed, 243 insertions(+), 547 deletions(-) + +diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c +index 9943836a5c25c..cd57c5bae3ce9 100644 +--- a/drivers/crypto/stm32/stm32-cryp.c ++++ b/drivers/crypto/stm32/stm32-cryp.c +@@ -37,7 +37,6 @@ + /* Mode mask = bits [15..0] */ + #define FLG_MODE_MASK GENMASK(15, 0) + /* Bit [31..16] status */ +-#define FLG_CCM_PADDED_WA BIT(16) + + /* Registers */ + #define CRYP_CR 0x00000000 +@@ -105,8 +104,6 @@ + /* Misc */ + #define AES_BLOCK_32 (AES_BLOCK_SIZE / sizeof(u32)) + #define GCM_CTR_INIT 2 +-#define _walked_in (cryp->in_walk.offset - cryp->in_sg->offset) +-#define _walked_out (cryp->out_walk.offset - cryp->out_sg->offset) + #define CRYP_AUTOSUSPEND_DELAY 50 + + struct stm32_cryp_caps { +@@ -144,21 +141,11 @@ struct stm32_cryp { + size_t authsize; + size_t hw_blocksize; + +- size_t total_in; +- size_t total_in_save; +- size_t total_out; +- size_t total_out_save; ++ size_t payload_in; ++ size_t header_in; ++ size_t payload_out; + +- struct scatterlist *in_sg; + struct scatterlist *out_sg; +- struct scatterlist *out_sg_save; +- +- struct scatterlist in_sgl; +- struct scatterlist out_sgl; +- bool sgs_copied; +- +- int in_sg_len; +- int out_sg_len; + + struct scatter_walk in_walk; + struct scatter_walk out_walk; +@@ -262,6 +249,7 @@ static inline int stm32_cryp_wait_output(struct stm32_cryp *cryp) + } + + static int stm32_cryp_read_auth_tag(struct stm32_cryp *cryp); ++static void stm32_cryp_finish_req(struct stm32_cryp *cryp, int err); + + static struct stm32_cryp *stm32_cryp_find_dev(struct stm32_cryp_ctx *ctx) + { +@@ -283,103 +271,6 @@ static struct stm32_cryp *stm32_cryp_find_dev(struct stm32_cryp_ctx *ctx) + return cryp; + } + +-static int stm32_cryp_check_aligned(struct scatterlist *sg, size_t total, +- size_t align) +-{ +- int len = 0; +- +- if (!total) +- return 0; +- +- if (!IS_ALIGNED(total, align)) +- return -EINVAL; +- +- while (sg) { +- if (!IS_ALIGNED(sg->offset, sizeof(u32))) +- return -EINVAL; +- +- if (!IS_ALIGNED(sg->length, align)) +- return -EINVAL; +- +- len += sg->length; +- sg = sg_next(sg); +- } +- +- if (len != total) +- return -EINVAL; +- +- return 0; +-} +- +-static int stm32_cryp_check_io_aligned(struct stm32_cryp *cryp) +-{ +- int ret; +- +- ret = stm32_cryp_check_aligned(cryp->in_sg, cryp->total_in, +- cryp->hw_blocksize); +- if (ret) +- return ret; +- +- ret = stm32_cryp_check_aligned(cryp->out_sg, cryp->total_out, +- cryp->hw_blocksize); +- +- return ret; +-} +- +-static void sg_copy_buf(void *buf, struct scatterlist *sg, +- unsigned int start, unsigned int nbytes, int out) +-{ +- struct scatter_walk walk; +- +- if (!nbytes) +- return; +- +- scatterwalk_start(&walk, sg); +- scatterwalk_advance(&walk, start); +- scatterwalk_copychunks(buf, &walk, nbytes, out); +- scatterwalk_done(&walk, out, 0); +-} +- +-static int stm32_cryp_copy_sgs(struct stm32_cryp *cryp) +-{ +- void *buf_in, *buf_out; +- int pages, total_in, total_out; +- +- if (!stm32_cryp_check_io_aligned(cryp)) { +- cryp->sgs_copied = 0; +- return 0; +- } +- +- total_in = ALIGN(cryp->total_in, cryp->hw_blocksize); +- pages = total_in ? get_order(total_in) : 1; +- buf_in = (void *)__get_free_pages(GFP_ATOMIC, pages); +- +- total_out = ALIGN(cryp->total_out, cryp->hw_blocksize); +- pages = total_out ? get_order(total_out) : 1; +- buf_out = (void *)__get_free_pages(GFP_ATOMIC, pages); +- +- if (!buf_in || !buf_out) { +- dev_err(cryp->dev, "Can't allocate pages when unaligned\n"); +- cryp->sgs_copied = 0; +- return -EFAULT; +- } +- +- sg_copy_buf(buf_in, cryp->in_sg, 0, cryp->total_in, 0); +- +- sg_init_one(&cryp->in_sgl, buf_in, total_in); +- cryp->in_sg = &cryp->in_sgl; +- cryp->in_sg_len = 1; +- +- sg_init_one(&cryp->out_sgl, buf_out, total_out); +- cryp->out_sg_save = cryp->out_sg; +- cryp->out_sg = &cryp->out_sgl; +- cryp->out_sg_len = 1; +- +- cryp->sgs_copied = 1; +- +- return 0; +-} +- + static void stm32_cryp_hw_write_iv(struct stm32_cryp *cryp, __be32 *iv) + { + if (!iv) +@@ -481,16 +372,99 @@ static int stm32_cryp_gcm_init(struct stm32_cryp *cryp, u32 cfg) + + /* Wait for end of processing */ + ret = stm32_cryp_wait_enable(cryp); +- if (ret) ++ if (ret) { + dev_err(cryp->dev, "Timeout (gcm init)\n"); ++ return ret; ++ } + +- return ret; ++ /* Prepare next phase */ ++ if (cryp->areq->assoclen) { ++ cfg |= CR_PH_HEADER; ++ stm32_cryp_write(cryp, CRYP_CR, cfg); ++ } else if (stm32_cryp_get_input_text_len(cryp)) { ++ cfg |= CR_PH_PAYLOAD; ++ stm32_cryp_write(cryp, CRYP_CR, cfg); ++ } ++ ++ return 0; ++} ++ ++static void stm32_crypt_gcmccm_end_header(struct stm32_cryp *cryp) ++{ ++ u32 cfg; ++ int err; ++ ++ /* Check if whole header written */ ++ if (!cryp->header_in) { ++ /* Wait for completion */ ++ err = stm32_cryp_wait_busy(cryp); ++ if (err) { ++ dev_err(cryp->dev, "Timeout (gcm/ccm header)\n"); ++ stm32_cryp_write(cryp, CRYP_IMSCR, 0); ++ stm32_cryp_finish_req(cryp, err); ++ return; ++ } ++ ++ if (stm32_cryp_get_input_text_len(cryp)) { ++ /* Phase 3 : payload */ ++ cfg = stm32_cryp_read(cryp, CRYP_CR); ++ cfg &= ~CR_CRYPEN; ++ stm32_cryp_write(cryp, CRYP_CR, cfg); ++ ++ cfg &= ~CR_PH_MASK; ++ cfg |= CR_PH_PAYLOAD | CR_CRYPEN; ++ stm32_cryp_write(cryp, CRYP_CR, cfg); ++ } else { ++ /* ++ * Phase 4 : tag. ++ * Nothing to read, nothing to write, caller have to ++ * end request ++ */ ++ } ++ } ++} ++ ++static void stm32_cryp_write_ccm_first_header(struct stm32_cryp *cryp) ++{ ++ unsigned int i; ++ size_t written; ++ size_t len; ++ u32 alen = cryp->areq->assoclen; ++ u32 block[AES_BLOCK_32] = {0}; ++ u8 *b8 = (u8 *)block; ++ ++ if (alen <= 65280) { ++ /* Write first u32 of B1 */ ++ b8[0] = (alen >> 8) & 0xFF; ++ b8[1] = alen & 0xFF; ++ len = 2; ++ } else { ++ /* Build the two first u32 of B1 */ ++ b8[0] = 0xFF; ++ b8[1] = 0xFE; ++ b8[2] = (alen & 0xFF000000) >> 24; ++ b8[3] = (alen & 0x00FF0000) >> 16; ++ b8[4] = (alen & 0x0000FF00) >> 8; ++ b8[5] = alen & 0x000000FF; ++ len = 6; ++ } ++ ++ written = min_t(size_t, AES_BLOCK_SIZE - len, alen); ++ ++ scatterwalk_copychunks((char *)block + len, &cryp->in_walk, written, 0); ++ for (i = 0; i < AES_BLOCK_32; i++) ++ stm32_cryp_write(cryp, CRYP_DIN, block[i]); ++ ++ cryp->header_in -= written; ++ ++ stm32_crypt_gcmccm_end_header(cryp); + } + + static int stm32_cryp_ccm_init(struct stm32_cryp *cryp, u32 cfg) + { + int ret; +- u8 iv[AES_BLOCK_SIZE], b0[AES_BLOCK_SIZE]; ++ u32 iv_32[AES_BLOCK_32], b0_32[AES_BLOCK_32]; ++ u8 *iv = (u8 *)iv_32, *b0 = (u8 *)b0_32; + __be32 *bd; + u32 *d; + unsigned int i, textlen; +@@ -531,17 +505,30 @@ static int stm32_cryp_ccm_init(struct stm32_cryp *cryp, u32 cfg) + + /* Wait for end of processing */ + ret = stm32_cryp_wait_enable(cryp); +- if (ret) ++ if (ret) { + dev_err(cryp->dev, "Timeout (ccm init)\n"); ++ return ret; ++ } + +- return ret; ++ /* Prepare next phase */ ++ if (cryp->areq->assoclen) { ++ cfg |= CR_PH_HEADER | CR_CRYPEN; ++ stm32_cryp_write(cryp, CRYP_CR, cfg); ++ ++ /* Write first (special) block (may move to next phase [payload]) */ ++ stm32_cryp_write_ccm_first_header(cryp); ++ } else if (stm32_cryp_get_input_text_len(cryp)) { ++ cfg |= CR_PH_PAYLOAD; ++ stm32_cryp_write(cryp, CRYP_CR, cfg); ++ } ++ ++ return 0; + } + + static int stm32_cryp_hw_init(struct stm32_cryp *cryp) + { + int ret; + u32 cfg, hw_mode; +- + pm_runtime_resume_and_get(cryp->dev); + + /* Disable interrupt */ +@@ -605,16 +592,6 @@ static int stm32_cryp_hw_init(struct stm32_cryp *cryp) + if (ret) + return ret; + +- /* Phase 2 : header (authenticated data) */ +- if (cryp->areq->assoclen) { +- cfg |= CR_PH_HEADER; +- } else if (stm32_cryp_get_input_text_len(cryp)) { +- cfg |= CR_PH_PAYLOAD; +- stm32_cryp_write(cryp, CRYP_CR, cfg); +- } else { +- cfg |= CR_PH_INIT; +- } +- + break; + + case CR_DES_CBC: +@@ -633,8 +610,6 @@ static int stm32_cryp_hw_init(struct stm32_cryp *cryp) + + stm32_cryp_write(cryp, CRYP_CR, cfg); + +- cryp->flags &= ~FLG_CCM_PADDED_WA; +- + return 0; + } + +@@ -647,25 +622,6 @@ static void stm32_cryp_finish_req(struct stm32_cryp *cryp, int err) + if (!err && (!(is_gcm(cryp) || is_ccm(cryp) || is_ecb(cryp)))) + stm32_cryp_get_iv(cryp); + +- if (cryp->sgs_copied) { +- void *buf_in, *buf_out; +- int pages, len; +- +- buf_in = sg_virt(&cryp->in_sgl); +- buf_out = sg_virt(&cryp->out_sgl); +- +- sg_copy_buf(buf_out, cryp->out_sg_save, 0, +- cryp->total_out_save, 1); +- +- len = ALIGN(cryp->total_in_save, cryp->hw_blocksize); +- pages = len ? get_order(len) : 1; +- free_pages((unsigned long)buf_in, pages); +- +- len = ALIGN(cryp->total_out_save, cryp->hw_blocksize); +- pages = len ? get_order(len) : 1; +- free_pages((unsigned long)buf_out, pages); +- } +- + pm_runtime_mark_last_busy(cryp->dev); + pm_runtime_put_autosuspend(cryp->dev); + +@@ -1029,6 +985,7 @@ static int stm32_cryp_prepare_req(struct skcipher_request *req, + struct stm32_cryp_ctx *ctx; + struct stm32_cryp *cryp; + struct stm32_cryp_reqctx *rctx; ++ struct scatterlist *in_sg; + int ret; + + if (!req && !areq) +@@ -1054,76 +1011,55 @@ static int stm32_cryp_prepare_req(struct skcipher_request *req, + if (req) { + cryp->req = req; + cryp->areq = NULL; +- cryp->total_in = req->cryptlen; +- cryp->total_out = cryp->total_in; ++ cryp->header_in = 0; ++ cryp->payload_in = req->cryptlen; ++ cryp->payload_out = req->cryptlen; ++ cryp->authsize = 0; + } else { + /* + * Length of input and output data: + * Encryption case: +- * INPUT = AssocData || PlainText ++ * INPUT = AssocData || PlainText + * <- assoclen -> <- cryptlen -> +- * <------- total_in -----------> + * +- * OUTPUT = AssocData || CipherText || AuthTag +- * <- assoclen -> <- cryptlen -> <- authsize -> +- * <---------------- total_out -----------------> ++ * OUTPUT = AssocData || CipherText || AuthTag ++ * <- assoclen -> <-- cryptlen --> <- authsize -> + * + * Decryption case: +- * INPUT = AssocData || CipherText || AuthTag +- * <- assoclen -> <--------- cryptlen ---------> +- * <- authsize -> +- * <---------------- total_in ------------------> ++ * INPUT = AssocData || CipherTex || AuthTag ++ * <- assoclen ---> <---------- cryptlen ----------> + * +- * OUTPUT = AssocData || PlainText +- * <- assoclen -> <- crypten - authsize -> +- * <---------- total_out -----------------> ++ * OUTPUT = AssocData || PlainText ++ * <- assoclen -> <- cryptlen - authsize -> + */ + cryp->areq = areq; + cryp->req = NULL; + cryp->authsize = crypto_aead_authsize(crypto_aead_reqtfm(areq)); +- cryp->total_in = areq->assoclen + areq->cryptlen; +- if (is_encrypt(cryp)) +- /* Append auth tag to output */ +- cryp->total_out = cryp->total_in + cryp->authsize; +- else +- /* No auth tag in output */ +- cryp->total_out = cryp->total_in - cryp->authsize; ++ if (is_encrypt(cryp)) { ++ cryp->payload_in = areq->cryptlen; ++ cryp->header_in = areq->assoclen; ++ cryp->payload_out = areq->cryptlen; ++ } else { ++ cryp->payload_in = areq->cryptlen - cryp->authsize; ++ cryp->header_in = areq->assoclen; ++ cryp->payload_out = cryp->payload_in; ++ } + } + +- cryp->total_in_save = cryp->total_in; +- cryp->total_out_save = cryp->total_out; ++ in_sg = req ? req->src : areq->src; ++ scatterwalk_start(&cryp->in_walk, in_sg); + +- cryp->in_sg = req ? req->src : areq->src; + cryp->out_sg = req ? req->dst : areq->dst; +- cryp->out_sg_save = cryp->out_sg; +- +- cryp->in_sg_len = sg_nents_for_len(cryp->in_sg, cryp->total_in); +- if (cryp->in_sg_len < 0) { +- dev_err(cryp->dev, "Cannot get in_sg_len\n"); +- ret = cryp->in_sg_len; +- return ret; +- } +- +- cryp->out_sg_len = sg_nents_for_len(cryp->out_sg, cryp->total_out); +- if (cryp->out_sg_len < 0) { +- dev_err(cryp->dev, "Cannot get out_sg_len\n"); +- ret = cryp->out_sg_len; +- return ret; +- } +- +- ret = stm32_cryp_copy_sgs(cryp); +- if (ret) +- return ret; +- +- scatterwalk_start(&cryp->in_walk, cryp->in_sg); + scatterwalk_start(&cryp->out_walk, cryp->out_sg); + + if (is_gcm(cryp) || is_ccm(cryp)) { + /* In output, jump after assoc data */ +- scatterwalk_advance(&cryp->out_walk, cryp->areq->assoclen); +- cryp->total_out -= cryp->areq->assoclen; ++ scatterwalk_copychunks(NULL, &cryp->out_walk, cryp->areq->assoclen, 2); + } + ++ if (is_ctr(cryp)) ++ memset(cryp->last_ctr, 0, sizeof(cryp->last_ctr)); ++ + ret = stm32_cryp_hw_init(cryp); + return ret; + } +@@ -1171,8 +1107,7 @@ static int stm32_cryp_aead_one_req(struct crypto_engine *engine, void *areq) + if (!cryp) + return -ENODEV; + +- if (unlikely(!cryp->areq->assoclen && +- !stm32_cryp_get_input_text_len(cryp))) { ++ if (unlikely(!cryp->payload_in && !cryp->header_in)) { + /* No input data to process: get tag and finish */ + stm32_cryp_finish_req(cryp, 0); + return 0; +@@ -1181,43 +1116,10 @@ static int stm32_cryp_aead_one_req(struct crypto_engine *engine, void *areq) + return stm32_cryp_cpu_start(cryp); + } + +-static u32 *stm32_cryp_next_out(struct stm32_cryp *cryp, u32 *dst, +- unsigned int n) +-{ +- scatterwalk_advance(&cryp->out_walk, n); +- +- if (unlikely(cryp->out_sg->length == _walked_out)) { +- cryp->out_sg = sg_next(cryp->out_sg); +- if (cryp->out_sg) { +- scatterwalk_start(&cryp->out_walk, cryp->out_sg); +- return (sg_virt(cryp->out_sg) + _walked_out); +- } +- } +- +- return (u32 *)((u8 *)dst + n); +-} +- +-static u32 *stm32_cryp_next_in(struct stm32_cryp *cryp, u32 *src, +- unsigned int n) +-{ +- scatterwalk_advance(&cryp->in_walk, n); +- +- if (unlikely(cryp->in_sg->length == _walked_in)) { +- cryp->in_sg = sg_next(cryp->in_sg); +- if (cryp->in_sg) { +- scatterwalk_start(&cryp->in_walk, cryp->in_sg); +- return (sg_virt(cryp->in_sg) + _walked_in); +- } +- } +- +- return (u32 *)((u8 *)src + n); +-} +- + static int stm32_cryp_read_auth_tag(struct stm32_cryp *cryp) + { +- u32 cfg, size_bit, *dst, d32; +- u8 *d8; +- unsigned int i, j; ++ u32 cfg, size_bit; ++ unsigned int i; + int ret = 0; + + /* Update Config */ +@@ -1240,7 +1142,7 @@ static int stm32_cryp_read_auth_tag(struct stm32_cryp *cryp) + stm32_cryp_write(cryp, CRYP_DIN, size_bit); + + size_bit = is_encrypt(cryp) ? cryp->areq->cryptlen : +- cryp->areq->cryptlen - AES_BLOCK_SIZE; ++ cryp->areq->cryptlen - cryp->authsize; + size_bit *= 8; + if (cryp->caps->swap_final) + size_bit = (__force u32)cpu_to_be32(size_bit); +@@ -1249,11 +1151,9 @@ static int stm32_cryp_read_auth_tag(struct stm32_cryp *cryp) + stm32_cryp_write(cryp, CRYP_DIN, size_bit); + } else { + /* CCM: write CTR0 */ +- u8 iv[AES_BLOCK_SIZE]; +- u32 *iv32 = (u32 *)iv; +- __be32 *biv; +- +- biv = (void *)iv; ++ u32 iv32[AES_BLOCK_32]; ++ u8 *iv = (u8 *)iv32; ++ __be32 *biv = (__be32 *)iv32; + + memcpy(iv, cryp->areq->iv, AES_BLOCK_SIZE); + memset(iv + AES_BLOCK_SIZE - 1 - iv[0], 0, iv[0] + 1); +@@ -1275,39 +1175,18 @@ static int stm32_cryp_read_auth_tag(struct stm32_cryp *cryp) + } + + if (is_encrypt(cryp)) { ++ u32 out_tag[AES_BLOCK_32]; ++ + /* Get and write tag */ +- dst = sg_virt(cryp->out_sg) + _walked_out; ++ for (i = 0; i < AES_BLOCK_32; i++) ++ out_tag[i] = stm32_cryp_read(cryp, CRYP_DOUT); + +- for (i = 0; i < AES_BLOCK_32; i++) { +- if (cryp->total_out >= sizeof(u32)) { +- /* Read a full u32 */ +- *dst = stm32_cryp_read(cryp, CRYP_DOUT); +- +- dst = stm32_cryp_next_out(cryp, dst, +- sizeof(u32)); +- cryp->total_out -= sizeof(u32); +- } else if (!cryp->total_out) { +- /* Empty fifo out (data from input padding) */ +- stm32_cryp_read(cryp, CRYP_DOUT); +- } else { +- /* Read less than an u32 */ +- d32 = stm32_cryp_read(cryp, CRYP_DOUT); +- d8 = (u8 *)&d32; +- +- for (j = 0; j < cryp->total_out; j++) { +- *((u8 *)dst) = *(d8++); +- dst = stm32_cryp_next_out(cryp, dst, 1); +- } +- cryp->total_out = 0; +- } +- } ++ scatterwalk_copychunks(out_tag, &cryp->out_walk, cryp->authsize, 1); + } else { + /* Get and check tag */ + u32 in_tag[AES_BLOCK_32], out_tag[AES_BLOCK_32]; + +- scatterwalk_map_and_copy(in_tag, cryp->in_sg, +- cryp->total_in_save - cryp->authsize, +- cryp->authsize, 0); ++ scatterwalk_copychunks(in_tag, &cryp->in_walk, cryp->authsize, 0); + + for (i = 0; i < AES_BLOCK_32; i++) + out_tag[i] = stm32_cryp_read(cryp, CRYP_DOUT); +@@ -1349,92 +1228,37 @@ static void stm32_cryp_check_ctr_counter(struct stm32_cryp *cryp) + cryp->last_ctr[3] = cpu_to_be32(stm32_cryp_read(cryp, CRYP_IV1RR)); + } + +-static bool stm32_cryp_irq_read_data(struct stm32_cryp *cryp) ++static void stm32_cryp_irq_read_data(struct stm32_cryp *cryp) + { +- unsigned int i, j; +- u32 d32, *dst; +- u8 *d8; +- size_t tag_size; +- +- /* Do no read tag now (if any) */ +- if (is_encrypt(cryp) && (is_gcm(cryp) || is_ccm(cryp))) +- tag_size = cryp->authsize; +- else +- tag_size = 0; +- +- dst = sg_virt(cryp->out_sg) + _walked_out; +- +- for (i = 0; i < cryp->hw_blocksize / sizeof(u32); i++) { +- if (likely(cryp->total_out - tag_size >= sizeof(u32))) { +- /* Read a full u32 */ +- *dst = stm32_cryp_read(cryp, CRYP_DOUT); ++ unsigned int i; ++ u32 block[AES_BLOCK_32]; + +- dst = stm32_cryp_next_out(cryp, dst, sizeof(u32)); +- cryp->total_out -= sizeof(u32); +- } else if (cryp->total_out == tag_size) { +- /* Empty fifo out (data from input padding) */ +- d32 = stm32_cryp_read(cryp, CRYP_DOUT); +- } else { +- /* Read less than an u32 */ +- d32 = stm32_cryp_read(cryp, CRYP_DOUT); +- d8 = (u8 *)&d32; +- +- for (j = 0; j < cryp->total_out - tag_size; j++) { +- *((u8 *)dst) = *(d8++); +- dst = stm32_cryp_next_out(cryp, dst, 1); +- } +- cryp->total_out = tag_size; +- } +- } ++ for (i = 0; i < cryp->hw_blocksize / sizeof(u32); i++) ++ block[i] = stm32_cryp_read(cryp, CRYP_DOUT); + +- return !(cryp->total_out - tag_size) || !cryp->total_in; ++ scatterwalk_copychunks(block, &cryp->out_walk, min_t(size_t, cryp->hw_blocksize, ++ cryp->payload_out), 1); ++ cryp->payload_out -= min_t(size_t, cryp->hw_blocksize, ++ cryp->payload_out); + } + + static void stm32_cryp_irq_write_block(struct stm32_cryp *cryp) + { +- unsigned int i, j; +- u32 *src; +- u8 d8[4]; +- size_t tag_size; +- +- /* Do no write tag (if any) */ +- if (is_decrypt(cryp) && (is_gcm(cryp) || is_ccm(cryp))) +- tag_size = cryp->authsize; +- else +- tag_size = 0; +- +- src = sg_virt(cryp->in_sg) + _walked_in; ++ unsigned int i; ++ u32 block[AES_BLOCK_32] = {0}; + +- for (i = 0; i < cryp->hw_blocksize / sizeof(u32); i++) { +- if (likely(cryp->total_in - tag_size >= sizeof(u32))) { +- /* Write a full u32 */ +- stm32_cryp_write(cryp, CRYP_DIN, *src); ++ scatterwalk_copychunks(block, &cryp->in_walk, min_t(size_t, cryp->hw_blocksize, ++ cryp->payload_in), 0); ++ for (i = 0; i < cryp->hw_blocksize / sizeof(u32); i++) ++ stm32_cryp_write(cryp, CRYP_DIN, block[i]); + +- src = stm32_cryp_next_in(cryp, src, sizeof(u32)); +- cryp->total_in -= sizeof(u32); +- } else if (cryp->total_in == tag_size) { +- /* Write padding data */ +- stm32_cryp_write(cryp, CRYP_DIN, 0); +- } else { +- /* Write less than an u32 */ +- memset(d8, 0, sizeof(u32)); +- for (j = 0; j < cryp->total_in - tag_size; j++) { +- d8[j] = *((u8 *)src); +- src = stm32_cryp_next_in(cryp, src, 1); +- } +- +- stm32_cryp_write(cryp, CRYP_DIN, *(u32 *)d8); +- cryp->total_in = tag_size; +- } +- } ++ cryp->payload_in -= min_t(size_t, cryp->hw_blocksize, cryp->payload_in); + } + + static void stm32_cryp_irq_write_gcm_padded_data(struct stm32_cryp *cryp) + { + int err; +- u32 cfg, tmp[AES_BLOCK_32]; +- size_t total_in_ori = cryp->total_in; +- struct scatterlist *out_sg_ori = cryp->out_sg; ++ u32 cfg, block[AES_BLOCK_32] = {0}; + unsigned int i; + + /* 'Special workaround' procedure described in the datasheet */ +@@ -1459,18 +1283,25 @@ static void stm32_cryp_irq_write_gcm_padded_data(struct stm32_cryp *cryp) + + /* b) pad and write the last block */ + stm32_cryp_irq_write_block(cryp); +- cryp->total_in = total_in_ori; ++ /* wait end of process */ + err = stm32_cryp_wait_output(cryp); + if (err) { +- dev_err(cryp->dev, "Timeout (write gcm header)\n"); ++ dev_err(cryp->dev, "Timeout (write gcm last data)\n"); + return stm32_cryp_finish_req(cryp, err); + } + + /* c) get and store encrypted data */ +- stm32_cryp_irq_read_data(cryp); +- scatterwalk_map_and_copy(tmp, out_sg_ori, +- cryp->total_in_save - total_in_ori, +- total_in_ori, 0); ++ /* ++ * Same code as stm32_cryp_irq_read_data(), but we want to store ++ * block value ++ */ ++ for (i = 0; i < cryp->hw_blocksize / sizeof(u32); i++) ++ block[i] = stm32_cryp_read(cryp, CRYP_DOUT); ++ ++ scatterwalk_copychunks(block, &cryp->out_walk, min_t(size_t, cryp->hw_blocksize, ++ cryp->payload_out), 1); ++ cryp->payload_out -= min_t(size_t, cryp->hw_blocksize, ++ cryp->payload_out); + + /* d) change mode back to AES GCM */ + cfg &= ~CR_ALGO_MASK; +@@ -1483,19 +1314,13 @@ static void stm32_cryp_irq_write_gcm_padded_data(struct stm32_cryp *cryp) + stm32_cryp_write(cryp, CRYP_CR, cfg); + + /* f) write padded data */ +- for (i = 0; i < AES_BLOCK_32; i++) { +- if (cryp->total_in) +- stm32_cryp_write(cryp, CRYP_DIN, tmp[i]); +- else +- stm32_cryp_write(cryp, CRYP_DIN, 0); +- +- cryp->total_in -= min_t(size_t, sizeof(u32), cryp->total_in); +- } ++ for (i = 0; i < AES_BLOCK_32; i++) ++ stm32_cryp_write(cryp, CRYP_DIN, block[i]); + + /* g) Empty fifo out */ + err = stm32_cryp_wait_output(cryp); + if (err) { +- dev_err(cryp->dev, "Timeout (write gcm header)\n"); ++ dev_err(cryp->dev, "Timeout (write gcm padded data)\n"); + return stm32_cryp_finish_req(cryp, err); + } + +@@ -1508,16 +1333,14 @@ static void stm32_cryp_irq_write_gcm_padded_data(struct stm32_cryp *cryp) + + static void stm32_cryp_irq_set_npblb(struct stm32_cryp *cryp) + { +- u32 cfg, payload_bytes; ++ u32 cfg; + + /* disable ip, set NPBLB and reneable ip */ + cfg = stm32_cryp_read(cryp, CRYP_CR); + cfg &= ~CR_CRYPEN; + stm32_cryp_write(cryp, CRYP_CR, cfg); + +- payload_bytes = is_decrypt(cryp) ? cryp->total_in - cryp->authsize : +- cryp->total_in; +- cfg |= (cryp->hw_blocksize - payload_bytes) << CR_NBPBL_SHIFT; ++ cfg |= (cryp->hw_blocksize - cryp->payload_in) << CR_NBPBL_SHIFT; + cfg |= CR_CRYPEN; + stm32_cryp_write(cryp, CRYP_CR, cfg); + } +@@ -1526,13 +1349,11 @@ static void stm32_cryp_irq_write_ccm_padded_data(struct stm32_cryp *cryp) + { + int err = 0; + u32 cfg, iv1tmp; +- u32 cstmp1[AES_BLOCK_32], cstmp2[AES_BLOCK_32], tmp[AES_BLOCK_32]; +- size_t last_total_out, total_in_ori = cryp->total_in; +- struct scatterlist *out_sg_ori = cryp->out_sg; ++ u32 cstmp1[AES_BLOCK_32], cstmp2[AES_BLOCK_32]; ++ u32 block[AES_BLOCK_32] = {0}; + unsigned int i; + + /* 'Special workaround' procedure described in the datasheet */ +- cryp->flags |= FLG_CCM_PADDED_WA; + + /* a) disable ip */ + stm32_cryp_write(cryp, CRYP_IMSCR, 0); +@@ -1562,7 +1383,7 @@ static void stm32_cryp_irq_write_ccm_padded_data(struct stm32_cryp *cryp) + + /* b) pad and write the last block */ + stm32_cryp_irq_write_block(cryp); +- cryp->total_in = total_in_ori; ++ /* wait end of process */ + err = stm32_cryp_wait_output(cryp); + if (err) { + dev_err(cryp->dev, "Timeout (wite ccm padded data)\n"); +@@ -1570,13 +1391,16 @@ static void stm32_cryp_irq_write_ccm_padded_data(struct stm32_cryp *cryp) + } + + /* c) get and store decrypted data */ +- last_total_out = cryp->total_out; +- stm32_cryp_irq_read_data(cryp); ++ /* ++ * Same code as stm32_cryp_irq_read_data(), but we want to store ++ * block value ++ */ ++ for (i = 0; i < cryp->hw_blocksize / sizeof(u32); i++) ++ block[i] = stm32_cryp_read(cryp, CRYP_DOUT); + +- memset(tmp, 0, sizeof(tmp)); +- scatterwalk_map_and_copy(tmp, out_sg_ori, +- cryp->total_out_save - last_total_out, +- last_total_out, 0); ++ scatterwalk_copychunks(block, &cryp->out_walk, min_t(size_t, cryp->hw_blocksize, ++ cryp->payload_out), 1); ++ cryp->payload_out -= min_t(size_t, cryp->hw_blocksize, cryp->payload_out); + + /* d) Load again CRYP_CSGCMCCMxR */ + for (i = 0; i < ARRAY_SIZE(cstmp2); i++) +@@ -1593,10 +1417,10 @@ static void stm32_cryp_irq_write_ccm_padded_data(struct stm32_cryp *cryp) + stm32_cryp_write(cryp, CRYP_CR, cfg); + + /* g) XOR and write padded data */ +- for (i = 0; i < ARRAY_SIZE(tmp); i++) { +- tmp[i] ^= cstmp1[i]; +- tmp[i] ^= cstmp2[i]; +- stm32_cryp_write(cryp, CRYP_DIN, tmp[i]); ++ for (i = 0; i < ARRAY_SIZE(block); i++) { ++ block[i] ^= cstmp1[i]; ++ block[i] ^= cstmp2[i]; ++ stm32_cryp_write(cryp, CRYP_DIN, block[i]); + } + + /* h) wait for completion */ +@@ -1610,30 +1434,34 @@ static void stm32_cryp_irq_write_ccm_padded_data(struct stm32_cryp *cryp) + + static void stm32_cryp_irq_write_data(struct stm32_cryp *cryp) + { +- if (unlikely(!cryp->total_in)) { ++ if (unlikely(!cryp->payload_in)) { + dev_warn(cryp->dev, "No more data to process\n"); + return; + } + +- if (unlikely(cryp->total_in < AES_BLOCK_SIZE && ++ if (unlikely(cryp->payload_in < AES_BLOCK_SIZE && + (stm32_cryp_get_hw_mode(cryp) == CR_AES_GCM) && + is_encrypt(cryp))) { + /* Padding for AES GCM encryption */ +- if (cryp->caps->padding_wa) ++ if (cryp->caps->padding_wa) { + /* Special case 1 */ +- return stm32_cryp_irq_write_gcm_padded_data(cryp); ++ stm32_cryp_irq_write_gcm_padded_data(cryp); ++ return; ++ } + + /* Setting padding bytes (NBBLB) */ + stm32_cryp_irq_set_npblb(cryp); + } + +- if (unlikely((cryp->total_in - cryp->authsize < AES_BLOCK_SIZE) && ++ if (unlikely((cryp->payload_in < AES_BLOCK_SIZE) && + (stm32_cryp_get_hw_mode(cryp) == CR_AES_CCM) && + is_decrypt(cryp))) { + /* Padding for AES CCM decryption */ +- if (cryp->caps->padding_wa) ++ if (cryp->caps->padding_wa) { + /* Special case 2 */ +- return stm32_cryp_irq_write_ccm_padded_data(cryp); ++ stm32_cryp_irq_write_ccm_padded_data(cryp); ++ return; ++ } + + /* Setting padding bytes (NBBLB) */ + stm32_cryp_irq_set_npblb(cryp); +@@ -1645,192 +1473,60 @@ static void stm32_cryp_irq_write_data(struct stm32_cryp *cryp) + stm32_cryp_irq_write_block(cryp); + } + +-static void stm32_cryp_irq_write_gcm_header(struct stm32_cryp *cryp) ++static void stm32_cryp_irq_write_gcmccm_header(struct stm32_cryp *cryp) + { +- int err; +- unsigned int i, j; +- u32 cfg, *src; +- +- src = sg_virt(cryp->in_sg) + _walked_in; +- +- for (i = 0; i < AES_BLOCK_32; i++) { +- stm32_cryp_write(cryp, CRYP_DIN, *src); +- +- src = stm32_cryp_next_in(cryp, src, sizeof(u32)); +- cryp->total_in -= min_t(size_t, sizeof(u32), cryp->total_in); +- +- /* Check if whole header written */ +- if ((cryp->total_in_save - cryp->total_in) == +- cryp->areq->assoclen) { +- /* Write padding if needed */ +- for (j = i + 1; j < AES_BLOCK_32; j++) +- stm32_cryp_write(cryp, CRYP_DIN, 0); +- +- /* Wait for completion */ +- err = stm32_cryp_wait_busy(cryp); +- if (err) { +- dev_err(cryp->dev, "Timeout (gcm header)\n"); +- return stm32_cryp_finish_req(cryp, err); +- } +- +- if (stm32_cryp_get_input_text_len(cryp)) { +- /* Phase 3 : payload */ +- cfg = stm32_cryp_read(cryp, CRYP_CR); +- cfg &= ~CR_CRYPEN; +- stm32_cryp_write(cryp, CRYP_CR, cfg); +- +- cfg &= ~CR_PH_MASK; +- cfg |= CR_PH_PAYLOAD; +- cfg |= CR_CRYPEN; +- stm32_cryp_write(cryp, CRYP_CR, cfg); +- } else { +- /* Phase 4 : tag */ +- stm32_cryp_write(cryp, CRYP_IMSCR, 0); +- stm32_cryp_finish_req(cryp, 0); +- } +- +- break; +- } +- +- if (!cryp->total_in) +- break; +- } +-} ++ unsigned int i; ++ u32 block[AES_BLOCK_32] = {0}; ++ size_t written; + +-static void stm32_cryp_irq_write_ccm_header(struct stm32_cryp *cryp) +-{ +- int err; +- unsigned int i = 0, j, k; +- u32 alen, cfg, *src; +- u8 d8[4]; +- +- src = sg_virt(cryp->in_sg) + _walked_in; +- alen = cryp->areq->assoclen; +- +- if (!_walked_in) { +- if (cryp->areq->assoclen <= 65280) { +- /* Write first u32 of B1 */ +- d8[0] = (alen >> 8) & 0xFF; +- d8[1] = alen & 0xFF; +- d8[2] = *((u8 *)src); +- src = stm32_cryp_next_in(cryp, src, 1); +- d8[3] = *((u8 *)src); +- src = stm32_cryp_next_in(cryp, src, 1); +- +- stm32_cryp_write(cryp, CRYP_DIN, *(u32 *)d8); +- i++; +- +- cryp->total_in -= min_t(size_t, 2, cryp->total_in); +- } else { +- /* Build the two first u32 of B1 */ +- d8[0] = 0xFF; +- d8[1] = 0xFE; +- d8[2] = alen & 0xFF000000; +- d8[3] = alen & 0x00FF0000; +- +- stm32_cryp_write(cryp, CRYP_DIN, *(u32 *)d8); +- i++; +- +- d8[0] = alen & 0x0000FF00; +- d8[1] = alen & 0x000000FF; +- d8[2] = *((u8 *)src); +- src = stm32_cryp_next_in(cryp, src, 1); +- d8[3] = *((u8 *)src); +- src = stm32_cryp_next_in(cryp, src, 1); +- +- stm32_cryp_write(cryp, CRYP_DIN, *(u32 *)d8); +- i++; +- +- cryp->total_in -= min_t(size_t, 2, cryp->total_in); +- } +- } ++ written = min_t(size_t, AES_BLOCK_SIZE, cryp->header_in); + +- /* Write next u32 */ +- for (; i < AES_BLOCK_32; i++) { +- /* Build an u32 */ +- memset(d8, 0, sizeof(u32)); +- for (k = 0; k < sizeof(u32); k++) { +- d8[k] = *((u8 *)src); +- src = stm32_cryp_next_in(cryp, src, 1); +- +- cryp->total_in -= min_t(size_t, 1, cryp->total_in); +- if ((cryp->total_in_save - cryp->total_in) == alen) +- break; +- } ++ scatterwalk_copychunks(block, &cryp->in_walk, written, 0); ++ for (i = 0; i < AES_BLOCK_32; i++) ++ stm32_cryp_write(cryp, CRYP_DIN, block[i]); + +- stm32_cryp_write(cryp, CRYP_DIN, *(u32 *)d8); +- +- if ((cryp->total_in_save - cryp->total_in) == alen) { +- /* Write padding if needed */ +- for (j = i + 1; j < AES_BLOCK_32; j++) +- stm32_cryp_write(cryp, CRYP_DIN, 0); +- +- /* Wait for completion */ +- err = stm32_cryp_wait_busy(cryp); +- if (err) { +- dev_err(cryp->dev, "Timeout (ccm header)\n"); +- return stm32_cryp_finish_req(cryp, err); +- } +- +- if (stm32_cryp_get_input_text_len(cryp)) { +- /* Phase 3 : payload */ +- cfg = stm32_cryp_read(cryp, CRYP_CR); +- cfg &= ~CR_CRYPEN; +- stm32_cryp_write(cryp, CRYP_CR, cfg); +- +- cfg &= ~CR_PH_MASK; +- cfg |= CR_PH_PAYLOAD; +- cfg |= CR_CRYPEN; +- stm32_cryp_write(cryp, CRYP_CR, cfg); +- } else { +- /* Phase 4 : tag */ +- stm32_cryp_write(cryp, CRYP_IMSCR, 0); +- stm32_cryp_finish_req(cryp, 0); +- } ++ cryp->header_in -= written; + +- break; +- } +- } ++ stm32_crypt_gcmccm_end_header(cryp); + } + + static irqreturn_t stm32_cryp_irq_thread(int irq, void *arg) + { + struct stm32_cryp *cryp = arg; + u32 ph; ++ u32 it_mask = stm32_cryp_read(cryp, CRYP_IMSCR); + + if (cryp->irq_status & MISR_OUT) + /* Output FIFO IRQ: read data */ +- if (unlikely(stm32_cryp_irq_read_data(cryp))) { +- /* All bytes processed, finish */ +- stm32_cryp_write(cryp, CRYP_IMSCR, 0); +- stm32_cryp_finish_req(cryp, 0); +- return IRQ_HANDLED; +- } ++ stm32_cryp_irq_read_data(cryp); + + if (cryp->irq_status & MISR_IN) { +- if (is_gcm(cryp)) { +- ph = stm32_cryp_read(cryp, CRYP_CR) & CR_PH_MASK; +- if (unlikely(ph == CR_PH_HEADER)) +- /* Write Header */ +- stm32_cryp_irq_write_gcm_header(cryp); +- else +- /* Input FIFO IRQ: write data */ +- stm32_cryp_irq_write_data(cryp); +- cryp->gcm_ctr++; +- } else if (is_ccm(cryp)) { ++ if (is_gcm(cryp) || is_ccm(cryp)) { + ph = stm32_cryp_read(cryp, CRYP_CR) & CR_PH_MASK; + if (unlikely(ph == CR_PH_HEADER)) + /* Write Header */ +- stm32_cryp_irq_write_ccm_header(cryp); ++ stm32_cryp_irq_write_gcmccm_header(cryp); + else + /* Input FIFO IRQ: write data */ + stm32_cryp_irq_write_data(cryp); ++ if (is_gcm(cryp)) ++ cryp->gcm_ctr++; + } else { + /* Input FIFO IRQ: write data */ + stm32_cryp_irq_write_data(cryp); + } + } + ++ /* Mask useless interrupts */ ++ if (!cryp->payload_in && !cryp->header_in) ++ it_mask &= ~IMSCR_IN; ++ if (!cryp->payload_out) ++ it_mask &= ~IMSCR_OUT; ++ stm32_cryp_write(cryp, CRYP_IMSCR, it_mask); ++ ++ if (!cryp->payload_in && !cryp->header_in && !cryp->payload_out) ++ stm32_cryp_finish_req(cryp, 0); ++ + return IRQ_HANDLED; + } + +@@ -1851,7 +1547,7 @@ static struct skcipher_alg crypto_algs[] = { + .base.cra_flags = CRYPTO_ALG_ASYNC, + .base.cra_blocksize = AES_BLOCK_SIZE, + .base.cra_ctxsize = sizeof(struct stm32_cryp_ctx), +- .base.cra_alignmask = 0xf, ++ .base.cra_alignmask = 0, + .base.cra_module = THIS_MODULE, + + .init = stm32_cryp_init_tfm, +@@ -1868,7 +1564,7 @@ static struct skcipher_alg crypto_algs[] = { + .base.cra_flags = CRYPTO_ALG_ASYNC, + .base.cra_blocksize = AES_BLOCK_SIZE, + .base.cra_ctxsize = sizeof(struct stm32_cryp_ctx), +- .base.cra_alignmask = 0xf, ++ .base.cra_alignmask = 0, + .base.cra_module = THIS_MODULE, + + .init = stm32_cryp_init_tfm, +@@ -1886,7 +1582,7 @@ static struct skcipher_alg crypto_algs[] = { + .base.cra_flags = CRYPTO_ALG_ASYNC, + .base.cra_blocksize = 1, + .base.cra_ctxsize = sizeof(struct stm32_cryp_ctx), +- .base.cra_alignmask = 0xf, ++ .base.cra_alignmask = 0, + .base.cra_module = THIS_MODULE, + + .init = stm32_cryp_init_tfm, +@@ -1904,7 +1600,7 @@ static struct skcipher_alg crypto_algs[] = { + .base.cra_flags = CRYPTO_ALG_ASYNC, + .base.cra_blocksize = DES_BLOCK_SIZE, + .base.cra_ctxsize = sizeof(struct stm32_cryp_ctx), +- .base.cra_alignmask = 0xf, ++ .base.cra_alignmask = 0, + .base.cra_module = THIS_MODULE, + + .init = stm32_cryp_init_tfm, +@@ -1921,7 +1617,7 @@ static struct skcipher_alg crypto_algs[] = { + .base.cra_flags = CRYPTO_ALG_ASYNC, + .base.cra_blocksize = DES_BLOCK_SIZE, + .base.cra_ctxsize = sizeof(struct stm32_cryp_ctx), +- .base.cra_alignmask = 0xf, ++ .base.cra_alignmask = 0, + .base.cra_module = THIS_MODULE, + + .init = stm32_cryp_init_tfm, +@@ -1939,7 +1635,7 @@ static struct skcipher_alg crypto_algs[] = { + .base.cra_flags = CRYPTO_ALG_ASYNC, + .base.cra_blocksize = DES_BLOCK_SIZE, + .base.cra_ctxsize = sizeof(struct stm32_cryp_ctx), +- .base.cra_alignmask = 0xf, ++ .base.cra_alignmask = 0, + .base.cra_module = THIS_MODULE, + + .init = stm32_cryp_init_tfm, +@@ -1956,7 +1652,7 @@ static struct skcipher_alg crypto_algs[] = { + .base.cra_flags = CRYPTO_ALG_ASYNC, + .base.cra_blocksize = DES_BLOCK_SIZE, + .base.cra_ctxsize = sizeof(struct stm32_cryp_ctx), +- .base.cra_alignmask = 0xf, ++ .base.cra_alignmask = 0, + .base.cra_module = THIS_MODULE, + + .init = stm32_cryp_init_tfm, +@@ -1986,7 +1682,7 @@ static struct aead_alg aead_algs[] = { + .cra_flags = CRYPTO_ALG_ASYNC, + .cra_blocksize = 1, + .cra_ctxsize = sizeof(struct stm32_cryp_ctx), +- .cra_alignmask = 0xf, ++ .cra_alignmask = 0, + .cra_module = THIS_MODULE, + }, + }, +@@ -2006,7 +1702,7 @@ static struct aead_alg aead_algs[] = { + .cra_flags = CRYPTO_ALG_ASYNC, + .cra_blocksize = 1, + .cra_ctxsize = sizeof(struct stm32_cryp_ctx), +- .cra_alignmask = 0xf, ++ .cra_alignmask = 0, + .cra_module = THIS_MODULE, + }, + }, +-- +2.34.1 + diff --git a/queue-5.10/crypto-stm32-cryp-fix-ctr-counter-carry.patch b/queue-5.10/crypto-stm32-cryp-fix-ctr-counter-carry.patch new file mode 100644 index 00000000000..9088213d559 --- /dev/null +++ b/queue-5.10/crypto-stm32-cryp-fix-ctr-counter-carry.patch @@ -0,0 +1,78 @@ +From 15314dce77201662e25bf14e6d07b092bd5b6147 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 08:54:55 +0100 +Subject: crypto: stm32/cryp - fix CTR counter carry + +From: Nicolas Toromanoff + +[ Upstream commit 41c76690b0990efacd15d35cfb4e77318cd80ebb ] + +STM32 CRYP hardware doesn't manage CTR counter bigger than max U32, as +a workaround, at each block the current IV is saved, if the saved IV +lower u32 is 0xFFFFFFFF, the full IV is manually incremented, and set +in hardware. +Fixes: bbb2832620ac ("crypto: stm32 - Fix sparse warnings") + +Signed-off-by: Nicolas Toromanoff +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/stm32-cryp.c | 27 +++++++++++++-------------- + 1 file changed, 13 insertions(+), 14 deletions(-) + +diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c +index 7389a0536ff02..d13b262b36252 100644 +--- a/drivers/crypto/stm32/stm32-cryp.c ++++ b/drivers/crypto/stm32/stm32-cryp.c +@@ -163,7 +163,7 @@ struct stm32_cryp { + struct scatter_walk in_walk; + struct scatter_walk out_walk; + +- u32 last_ctr[4]; ++ __be32 last_ctr[4]; + u32 gcm_ctr; + }; + +@@ -1217,27 +1217,26 @@ static void stm32_cryp_check_ctr_counter(struct stm32_cryp *cryp) + { + u32 cr; + +- if (unlikely(cryp->last_ctr[3] == 0xFFFFFFFF)) { +- cryp->last_ctr[3] = 0; +- cryp->last_ctr[2]++; +- if (!cryp->last_ctr[2]) { +- cryp->last_ctr[1]++; +- if (!cryp->last_ctr[1]) +- cryp->last_ctr[0]++; +- } ++ if (unlikely(cryp->last_ctr[3] == cpu_to_be32(0xFFFFFFFF))) { ++ /* ++ * In this case, we need to increment manually the ctr counter, ++ * as HW doesn't handle the U32 carry. ++ */ ++ crypto_inc((u8 *)cryp->last_ctr, sizeof(cryp->last_ctr)); + + cr = stm32_cryp_read(cryp, CRYP_CR); + stm32_cryp_write(cryp, CRYP_CR, cr & ~CR_CRYPEN); + +- stm32_cryp_hw_write_iv(cryp, (__be32 *)cryp->last_ctr); ++ stm32_cryp_hw_write_iv(cryp, cryp->last_ctr); + + stm32_cryp_write(cryp, CRYP_CR, cr); + } + +- cryp->last_ctr[0] = stm32_cryp_read(cryp, CRYP_IV0LR); +- cryp->last_ctr[1] = stm32_cryp_read(cryp, CRYP_IV0RR); +- cryp->last_ctr[2] = stm32_cryp_read(cryp, CRYP_IV1LR); +- cryp->last_ctr[3] = stm32_cryp_read(cryp, CRYP_IV1RR); ++ /* The IV registers are BE */ ++ cryp->last_ctr[0] = cpu_to_be32(stm32_cryp_read(cryp, CRYP_IV0LR)); ++ cryp->last_ctr[1] = cpu_to_be32(stm32_cryp_read(cryp, CRYP_IV0RR)); ++ cryp->last_ctr[2] = cpu_to_be32(stm32_cryp_read(cryp, CRYP_IV1LR)); ++ cryp->last_ctr[3] = cpu_to_be32(stm32_cryp_read(cryp, CRYP_IV1RR)); + } + + static bool stm32_cryp_irq_read_data(struct stm32_cryp *cryp) +-- +2.34.1 + diff --git a/queue-5.10/crypto-stm32-cryp-fix-double-pm-exit.patch b/queue-5.10/crypto-stm32-cryp-fix-double-pm-exit.patch new file mode 100644 index 00000000000..176fda8300d --- /dev/null +++ b/queue-5.10/crypto-stm32-cryp-fix-double-pm-exit.patch @@ -0,0 +1,38 @@ +From a2ee4b831ba125a70e955816d8678aba6420c94e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 08:54:58 +0100 +Subject: crypto: stm32/cryp - fix double pm exit + +From: Nicolas Toromanoff + +[ Upstream commit 6c12e742785bf9333faf60bfb96575bdd763448e ] + +Delete extraneous lines in probe error handling code: pm was +disabled twice. + +Fixes: 65f9aa36ee47 ("crypto: stm32/cryp - Add power management support") + +Reported-by: Marek Vasut +Signed-off-by: Nicolas Toromanoff +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/stm32-cryp.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c +index fd7fb73a4d450..061db567908ae 100644 +--- a/drivers/crypto/stm32/stm32-cryp.c ++++ b/drivers/crypto/stm32/stm32-cryp.c +@@ -2134,8 +2134,6 @@ err_engine1: + list_del(&cryp->list); + spin_unlock(&cryp_list.lock); + +- pm_runtime_disable(dev); +- pm_runtime_put_noidle(dev); + pm_runtime_disable(dev); + pm_runtime_put_noidle(dev); + +-- +2.34.1 + diff --git a/queue-5.10/crypto-stm32-cryp-fix-lrw-chaining-mode.patch b/queue-5.10/crypto-stm32-cryp-fix-lrw-chaining-mode.patch new file mode 100644 index 00000000000..91170afc681 --- /dev/null +++ b/queue-5.10/crypto-stm32-cryp-fix-lrw-chaining-mode.patch @@ -0,0 +1,41 @@ +From b06a8a7cce1475618b97b9fc70ee5e313d16712f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 08:54:59 +0100 +Subject: crypto: stm32/cryp - fix lrw chaining mode + +From: Nicolas Toromanoff + +[ Upstream commit fa97dc2d48b476ea98199d808d3248d285987e99 ] + +This fixes the lrw autotest if lrw uses the CRYP as the AES block cipher +provider (as ecb(aes)). At end of request, CRYP should not update the IV +in case of ECB chaining mode. Indeed the ECB chaining mode never uses +the IV, but the software LRW chaining mode uses the IV field as +a counter and due to the (unexpected) update done by CRYP while the AES +block process, the counter get a wrong value when the IV overflow. + +Fixes: 5f49f18d27cd ("crypto: stm32/cryp - update to return iv_out") + +Signed-off-by: Nicolas Toromanoff +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/stm32-cryp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c +index 061db567908ae..9943836a5c25c 100644 +--- a/drivers/crypto/stm32/stm32-cryp.c ++++ b/drivers/crypto/stm32/stm32-cryp.c +@@ -644,7 +644,7 @@ static void stm32_cryp_finish_req(struct stm32_cryp *cryp, int err) + /* Phase 4 : output tag */ + err = stm32_cryp_read_auth_tag(cryp); + +- if (!err && (!(is_gcm(cryp) || is_ccm(cryp)))) ++ if (!err && (!(is_gcm(cryp) || is_ccm(cryp) || is_ecb(cryp)))) + stm32_cryp_get_iv(cryp); + + if (cryp->sgs_copied) { +-- +2.34.1 + diff --git a/queue-5.10/crypto-stm32-cryp-fix-xts-and-race-condition-in-cryp.patch b/queue-5.10/crypto-stm32-cryp-fix-xts-and-race-condition-in-cryp.patch new file mode 100644 index 00000000000..992c4f566c2 --- /dev/null +++ b/queue-5.10/crypto-stm32-cryp-fix-xts-and-race-condition-in-cryp.patch @@ -0,0 +1,42 @@ +From 443539111d13b7224127e8bb0114493ff56cdc35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 08:54:56 +0100 +Subject: crypto: stm32/cryp - fix xts and race condition in crypto_engine + requests + +From: Nicolas Toromanoff + +[ Upstream commit d703c7a994ee34b7fa89baf21631fca0aa9f17fc ] + +Don't erase key: +If key is erased before the crypto_finalize_.*_request() call, some +pending process will run with a key={ 0 }. +Moreover if the key is reset at end of request, it breaks xts chaining +mode, as for last xts block (in case input len is not a multiple of +block) a new AES request is started without calling again set_key(). + +Fixes: 9e054ec21ef8 ("crypto: stm32 - Support for STM32 CRYP crypto module") + +Signed-off-by: Nicolas Toromanoff +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/stm32-cryp.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c +index d13b262b36252..e2bcc4f98b0ae 100644 +--- a/drivers/crypto/stm32/stm32-cryp.c ++++ b/drivers/crypto/stm32/stm32-cryp.c +@@ -674,8 +674,6 @@ static void stm32_cryp_finish_req(struct stm32_cryp *cryp, int err) + else + crypto_finalize_skcipher_request(cryp->engine, cryp->req, + err); +- +- memset(cryp->ctx->key, 0, cryp->ctx->keylen); + } + + static int stm32_cryp_cpu_start(struct stm32_cryp *cryp) +-- +2.34.1 + diff --git a/queue-5.10/crypto-stm32-fix-last-sparse-warning-in-stm32_cryp_c.patch b/queue-5.10/crypto-stm32-fix-last-sparse-warning-in-stm32_cryp_c.patch new file mode 100644 index 00000000000..27f4c02df8d --- /dev/null +++ b/queue-5.10/crypto-stm32-fix-last-sparse-warning-in-stm32_cryp_c.patch @@ -0,0 +1,37 @@ +From 0ff012390b2ef55ff5fb81df5839b75cba886d50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Jan 2021 17:15:45 +1100 +Subject: crypto: stm32 - Fix last sparse warning in + stm32_cryp_check_ctr_counter + +From: Herbert Xu + +[ Upstream commit 81064c96d88180ad6995d52419e94a78968308a2 ] + +This patch changes the cast in stm32_cryp_check_ctr_counter from +u32 to __be32 to match the prototype of stm32_cryp_hw_write_iv +correctly. + +Reported-by: kernel test robot +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/stm32-cryp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c +index 7999b26a16ed0..7389a0536ff02 100644 +--- a/drivers/crypto/stm32/stm32-cryp.c ++++ b/drivers/crypto/stm32/stm32-cryp.c +@@ -1229,7 +1229,7 @@ static void stm32_cryp_check_ctr_counter(struct stm32_cryp *cryp) + cr = stm32_cryp_read(cryp, CRYP_CR); + stm32_cryp_write(cryp, CRYP_CR, cr & ~CR_CRYPEN); + +- stm32_cryp_hw_write_iv(cryp, (u32 *)cryp->last_ctr); ++ stm32_cryp_hw_write_iv(cryp, (__be32 *)cryp->last_ctr); + + stm32_cryp_write(cryp, CRYP_CR, cr); + } +-- +2.34.1 + diff --git a/queue-5.10/crypto-stm32-revert-broken-pm_runtime_resume_and_get.patch b/queue-5.10/crypto-stm32-revert-broken-pm_runtime_resume_and_get.patch new file mode 100644 index 00000000000..e3700c4d63b --- /dev/null +++ b/queue-5.10/crypto-stm32-revert-broken-pm_runtime_resume_and_get.patch @@ -0,0 +1,73 @@ +From 197d8a435b2194b163e04e14e087c67da3d56c19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 17:30:41 +1100 +Subject: crypto: stm32 - Revert broken pm_runtime_resume_and_get changes + +From: Herbert Xu + +[ Upstream commit 3d6b661330a7954d8136df98160d525eb04dcd6a ] + +We should not call pm_runtime_resume_and_get where the reference +count is expected to be incremented unconditionally. This patch +reverts these calls to the original unconditional get_sync call. + +Reported-by: Heiner Kallweit +Fixes: 747bf30fd944 ("crypto: stm32/cryp - Fix PM reference leak...") +Fixes: 1cb3ad701970 ("crypto: stm32/hash - Fix PM reference leak...") +Signed-off-by: Herbert Xu +Acked-by: Rafael J. Wysocki +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/stm32-cryp.c | 3 ++- + drivers/crypto/stm32/stm32-hash.c | 6 +++--- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c +index cd57c5bae3ce9..81eb136b6c11d 100644 +--- a/drivers/crypto/stm32/stm32-cryp.c ++++ b/drivers/crypto/stm32/stm32-cryp.c +@@ -529,7 +529,8 @@ static int stm32_cryp_hw_init(struct stm32_cryp *cryp) + { + int ret; + u32 cfg, hw_mode; +- pm_runtime_resume_and_get(cryp->dev); ++ ++ pm_runtime_get_sync(cryp->dev); + + /* Disable interrupt */ + stm32_cryp_write(cryp, CRYP_IMSCR, 0); +diff --git a/drivers/crypto/stm32/stm32-hash.c b/drivers/crypto/stm32/stm32-hash.c +index ff5362da118d8..16bb52836b28d 100644 +--- a/drivers/crypto/stm32/stm32-hash.c ++++ b/drivers/crypto/stm32/stm32-hash.c +@@ -812,7 +812,7 @@ static void stm32_hash_finish_req(struct ahash_request *req, int err) + static int stm32_hash_hw_init(struct stm32_hash_dev *hdev, + struct stm32_hash_request_ctx *rctx) + { +- pm_runtime_resume_and_get(hdev->dev); ++ pm_runtime_get_sync(hdev->dev); + + if (!(HASH_FLAGS_INIT & hdev->flags)) { + stm32_hash_write(hdev, HASH_CR, HASH_CR_INIT); +@@ -961,7 +961,7 @@ static int stm32_hash_export(struct ahash_request *req, void *out) + u32 *preg; + unsigned int i; + +- pm_runtime_resume_and_get(hdev->dev); ++ pm_runtime_get_sync(hdev->dev); + + while ((stm32_hash_read(hdev, HASH_SR) & HASH_SR_BUSY)) + cpu_relax(); +@@ -999,7 +999,7 @@ static int stm32_hash_import(struct ahash_request *req, const void *in) + + preg = rctx->hw_context; + +- pm_runtime_resume_and_get(hdev->dev); ++ pm_runtime_get_sync(hdev->dev); + + stm32_hash_write(hdev, HASH_IMR, *preg++); + stm32_hash_write(hdev, HASH_STR, *preg++); +-- +2.34.1 + diff --git a/queue-5.10/debugfs-lockdown-allow-reading-debugfs-files-that-ar.patch b/queue-5.10/debugfs-lockdown-allow-reading-debugfs-files-that-ar.patch new file mode 100644 index 00000000000..c58ea4954e6 --- /dev/null +++ b/queue-5.10/debugfs-lockdown-allow-reading-debugfs-files-that-ar.patch @@ -0,0 +1,40 @@ +From c907f2611a2e301739c1b44aa8e7aa16f0b2b09a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jan 2022 18:05:05 +0100 +Subject: debugfs: lockdown: Allow reading debugfs files that are not world + readable + +From: Michal Suchanek + +[ Upstream commit 358fcf5ddbec4e6706405847d6a666f5933a6c25 ] + +When the kernel is locked down the kernel allows reading only debugfs +files with mode 444. Mode 400 is also valid but is not allowed. + +Make the 444 into a mask. + +Fixes: 5496197f9b08 ("debugfs: Restrict debugfs when the kernel is locked down") +Signed-off-by: Michal Suchanek +Link: https://lore.kernel.org/r/20220104170505.10248-1-msuchanek@suse.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + fs/debugfs/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c +index 3aa5eb9ce498e..96059af28f508 100644 +--- a/fs/debugfs/file.c ++++ b/fs/debugfs/file.c +@@ -147,7 +147,7 @@ static int debugfs_locked_down(struct inode *inode, + struct file *filp, + const struct file_operations *real_fops) + { +- if ((inode->i_mode & 07777) == 0444 && ++ if ((inode->i_mode & 07777 & ~0444) == 0 && + !(filp->f_mode & FMODE_WRITE) && + !real_fops->unlocked_ioctl && + !real_fops->compat_ioctl && +-- +2.34.1 + diff --git a/queue-5.10/dm-btree-add-a-defensive-bounds-check-to-insert_at.patch b/queue-5.10/dm-btree-add-a-defensive-bounds-check-to-insert_at.patch new file mode 100644 index 00000000000..0e98161be42 --- /dev/null +++ b/queue-5.10/dm-btree-add-a-defensive-bounds-check-to-insert_at.patch @@ -0,0 +1,45 @@ +From 592c3f8827a2ca30bba60554dbeb891575e4f2e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 13:44:13 +0000 +Subject: dm btree: add a defensive bounds check to insert_at() + +From: Joe Thornber + +[ Upstream commit 85bca3c05b6cca31625437eedf2060e846c4bbad ] + +Corrupt metadata could trigger an out of bounds write. + +Signed-off-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/persistent-data/dm-btree.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c +index ef6e78d45d5b8..ee3e63aa864bf 100644 +--- a/drivers/md/persistent-data/dm-btree.c ++++ b/drivers/md/persistent-data/dm-btree.c +@@ -83,14 +83,16 @@ void inc_children(struct dm_transaction_manager *tm, struct btree_node *n, + } + + static int insert_at(size_t value_size, struct btree_node *node, unsigned index, +- uint64_t key, void *value) +- __dm_written_to_disk(value) ++ uint64_t key, void *value) ++ __dm_written_to_disk(value) + { + uint32_t nr_entries = le32_to_cpu(node->header.nr_entries); ++ uint32_t max_entries = le32_to_cpu(node->header.max_entries); + __le64 key_le = cpu_to_le64(key); + + if (index > nr_entries || +- index >= le32_to_cpu(node->header.max_entries)) { ++ index >= max_entries || ++ nr_entries >= max_entries) { + DMERR("too many entries in btree node for insert"); + __dm_unbless_for_disk(value); + return -ENOMEM; +-- +2.34.1 + diff --git a/queue-5.10/dm-fix-alloc_dax-error-handling-in-alloc_dev.patch b/queue-5.10/dm-fix-alloc_dax-error-handling-in-alloc_dev.patch new file mode 100644 index 00000000000..b8180a3e532 --- /dev/null +++ b/queue-5.10/dm-fix-alloc_dax-error-handling-in-alloc_dev.patch @@ -0,0 +1,40 @@ +From 3fa2203e31bd62360d4c7214b578d281bc6d49a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Nov 2021 11:21:35 +0100 +Subject: dm: fix alloc_dax error handling in alloc_dev + +From: Christoph Hellwig + +[ Upstream commit d751939235b9b7bc4af15f90a3e99288a8b844a7 ] + +Make sure ->dax_dev is NULL on error so that the cleanup path doesn't +trip over an ERR_PTR. + +Reported-by: Dan Williams +Signed-off-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20211129102203.2243509-2-hch@lst.de +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + drivers/md/dm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index 19a70f434029b..6030cba5b0382 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -1894,8 +1894,10 @@ static struct mapped_device *alloc_dev(int minor) + if (IS_ENABLED(CONFIG_DAX_DRIVER)) { + md->dax_dev = alloc_dax(md, md->disk->disk_name, + &dm_dax_ops, 0); +- if (IS_ERR(md->dax_dev)) ++ if (IS_ERR(md->dax_dev)) { ++ md->dax_dev = NULL; + goto bad; ++ } + } + + add_disk_no_queue_reg(md->disk); +-- +2.34.1 + diff --git a/queue-5.10/dm-space-map-common-add-bounds-check-to-sm_ll_lookup.patch b/queue-5.10/dm-space-map-common-add-bounds-check-to-sm_ll_lookup.patch new file mode 100644 index 00000000000..8000c9e76ba --- /dev/null +++ b/queue-5.10/dm-space-map-common-add-bounds-check-to-sm_ll_lookup.patch @@ -0,0 +1,37 @@ +From e1c8872ac937b7e4cadf90bb36db9ddb6ac650c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 13:49:53 +0000 +Subject: dm space map common: add bounds check to sm_ll_lookup_bitmap() + +From: Joe Thornber + +[ Upstream commit cba23ac158db7f3cd48a923d6861bee2eb7a2978 ] + +Corrupted metadata could warrant returning error from sm_ll_lookup_bitmap(). + +Signed-off-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/persistent-data/dm-space-map-common.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/md/persistent-data/dm-space-map-common.c b/drivers/md/persistent-data/dm-space-map-common.c +index a213bf11738fb..85853ab629717 100644 +--- a/drivers/md/persistent-data/dm-space-map-common.c ++++ b/drivers/md/persistent-data/dm-space-map-common.c +@@ -281,6 +281,11 @@ int sm_ll_lookup_bitmap(struct ll_disk *ll, dm_block_t b, uint32_t *result) + struct disk_index_entry ie_disk; + struct dm_block *blk; + ++ if (b >= ll->nr_blocks) { ++ DMERR_LIMIT("metadata block out of bounds"); ++ return -EINVAL; ++ } ++ + b = do_div(index, ll->entries_per_block); + r = ll->load_ie(ll, index, &ie_disk); + if (r < 0) +-- +2.34.1 + diff --git a/queue-5.10/dmaengine-pxa-mmp-stop-referencing-config-slave_id.patch b/queue-5.10/dmaengine-pxa-mmp-stop-referencing-config-slave_id.patch new file mode 100644 index 00000000000..3c79f3972d4 --- /dev/null +++ b/queue-5.10/dmaengine-pxa-mmp-stop-referencing-config-slave_id.patch @@ -0,0 +1,63 @@ +From d3d12a810f790b39ee133aa88cd0976a9ca7b156 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Nov 2021 23:21:58 +0100 +Subject: dmaengine: pxa/mmp: stop referencing config->slave_id + +From: Arnd Bergmann + +[ Upstream commit 134c37fa250a87a7e77c80a7c59ae16c462e46e0 ] + +The last driver referencing the slave_id on Marvell PXA and MMP platforms +was the SPI driver, but this stopped doing so a long time ago, so the +TODO from the earlier patch can no be removed. + +Fixes: b729bf34535e ("spi/pxa2xx: Don't use slave_id of dma_slave_config") +Fixes: 13b3006b8ebd ("dma: mmp_pdma: add filter function") +Signed-off-by: Arnd Bergmann +Acked-by: Mark Brown +Link: https://lore.kernel.org/r/20211122222203.4103644-7-arnd@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/mmp_pdma.c | 6 ------ + drivers/dma/pxa_dma.c | 7 ------- + 2 files changed, 13 deletions(-) + +diff --git a/drivers/dma/mmp_pdma.c b/drivers/dma/mmp_pdma.c +index b84303be8edf5..4eb63f1ad2247 100644 +--- a/drivers/dma/mmp_pdma.c ++++ b/drivers/dma/mmp_pdma.c +@@ -728,12 +728,6 @@ static int mmp_pdma_config_write(struct dma_chan *dchan, + + chan->dir = direction; + chan->dev_addr = addr; +- /* FIXME: drivers should be ported over to use the filter +- * function. Once that's done, the following two lines can +- * be removed. +- */ +- if (cfg->slave_id) +- chan->drcmr = cfg->slave_id; + + return 0; + } +diff --git a/drivers/dma/pxa_dma.c b/drivers/dma/pxa_dma.c +index 349fb312c8725..b4ef4f19f7dec 100644 +--- a/drivers/dma/pxa_dma.c ++++ b/drivers/dma/pxa_dma.c +@@ -911,13 +911,6 @@ static void pxad_get_config(struct pxad_chan *chan, + *dcmd |= PXA_DCMD_BURST16; + else if (maxburst == 32) + *dcmd |= PXA_DCMD_BURST32; +- +- /* FIXME: drivers should be ported over to use the filter +- * function. Once that's done, the following two lines can +- * be removed. +- */ +- if (chan->cfg.slave_id) +- chan->drcmr = chan->cfg.slave_id; + } + + static struct dma_async_tx_descriptor * +-- +2.34.1 + diff --git a/queue-5.10/drm-amd-display-check-top_pipe_to_program-pointer.patch b/queue-5.10/drm-amd-display-check-top_pipe_to_program-pointer.patch new file mode 100644 index 00000000000..8456060d13f --- /dev/null +++ b/queue-5.10/drm-amd-display-check-top_pipe_to_program-pointer.patch @@ -0,0 +1,47 @@ +From b370fb71a65c8d25fa253ebe935bdc1b4578804a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 16:10:19 +0800 +Subject: drm/amd/display: check top_pipe_to_program pointer + +From: Yang Li + +[ Upstream commit a689e8d1f80012f90384ebac9dcfac4201f9f77e ] + +Clang static analysis reports this error + +drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc.c:2870:7: warning: +Dereference of null pointer [clang-analyzer-core.NullDereference] + if +(top_pipe_to_program->stream_res.tg->funcs->lock_doublebuffer_enable) { + ^ + +top_pipe_to_program being NULL is caught as an error +But then it is used to report the error. + +So add a check before using it. + +Reported-by: Abaci Robot +Signed-off-by: Yang Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index 284ed1c8a35ac..93f5229c303e7 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -2436,7 +2436,8 @@ static void commit_planes_for_stream(struct dc *dc, + } + + if ((update_type != UPDATE_TYPE_FAST) && stream->update_flags.bits.dsc_changed) +- if (top_pipe_to_program->stream_res.tg->funcs->lock_doublebuffer_enable) { ++ if (top_pipe_to_program && ++ top_pipe_to_program->stream_res.tg->funcs->lock_doublebuffer_enable) { + if (should_use_dmub_lock(stream->link)) { + union dmub_hw_lock_flags hw_locks = { 0 }; + struct dmub_hw_lock_inst_flags inst_flags = { 0 }; +-- +2.34.1 + diff --git a/queue-5.10/drm-amdgpu-display-set-vblank_disable_immediate-for-.patch b/queue-5.10/drm-amdgpu-display-set-vblank_disable_immediate-for-.patch new file mode 100644 index 00000000000..198b17b2186 --- /dev/null +++ b/queue-5.10/drm-amdgpu-display-set-vblank_disable_immediate-for-.patch @@ -0,0 +1,50 @@ +From fdb351776a4b9a9459004cfd5e4623f42c342ace Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Nov 2021 10:23:25 -0500 +Subject: drm/amdgpu/display: set vblank_disable_immediate for DC + +From: Alex Deucher + +[ Upstream commit 92020e81ddbeac351ea4a19bcf01743f32b9c800 ] + +Disable vblanks immediately to save power. I think this was +missed when we merged DC support. + +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1781 +Reviewed-by: Harry Wentland +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c | 1 - + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c +index 2f70fdd6104f2..582055136cdbf 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c +@@ -267,7 +267,6 @@ int amdgpu_irq_init(struct amdgpu_device *adev) + if (!amdgpu_device_has_dc_support(adev)) { + if (!adev->enable_virtual_display) + /* Disable vblank IRQs aggressively for power-saving */ +- /* XXX: can this be enabled for DC? */ + adev_to_drm(adev)->vblank_disable_immediate = true; + + r = drm_vblank_init(adev_to_drm(adev), adev->mode_info.num_crtc); +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index a5b6f36fe1d72..6c8f141103da4 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -1069,6 +1069,9 @@ static int amdgpu_dm_init(struct amdgpu_device *adev) + adev_to_drm(adev)->mode_config.cursor_width = adev->dm.dc->caps.max_cursor_size; + adev_to_drm(adev)->mode_config.cursor_height = adev->dm.dc->caps.max_cursor_size; + ++ /* Disable vblank IRQs aggressively for power-saving */ ++ adev_to_drm(adev)->vblank_disable_immediate = true; ++ + if (drm_vblank_init(adev_to_drm(adev), adev->dm.display_indexes_num)) { + DRM_ERROR( + "amdgpu: failed to initialize sw for display support.\n"); +-- +2.34.1 + diff --git a/queue-5.10/drm-amdgpu-fix-a-null-pointer-dereference-in-amdgpu_.patch b/queue-5.10/drm-amdgpu-fix-a-null-pointer-dereference-in-amdgpu_.patch new file mode 100644 index 00000000000..3fcdb57dda4 --- /dev/null +++ b/queue-5.10/drm-amdgpu-fix-a-null-pointer-dereference-in-amdgpu_.patch @@ -0,0 +1,65 @@ +From 87d0ebe4ac6792684428e95a9c0ebd86f37b1d25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Dec 2021 00:17:36 +0800 +Subject: drm/amdgpu: Fix a NULL pointer dereference in + amdgpu_connector_lcd_native_mode() + +From: Zhou Qingyang + +[ Upstream commit b220110e4cd442156f36e1d9b4914bb9e87b0d00 ] + +In amdgpu_connector_lcd_native_mode(), the return value of +drm_mode_duplicate() is assigned to mode, and there is a dereference +of it in amdgpu_connector_lcd_native_mode(), which will lead to a NULL +pointer dereference on failure of drm_mode_duplicate(). + +Fix this bug add a check of mode. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_DRM_AMDGPU=m show no new warnings, and +our static analyzer no longer warns about this code. + +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Signed-off-by: Zhou Qingyang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +index 0de66f59adb8a..df1f9b88a53f9 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +@@ -387,6 +387,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder) + native_mode->vdisplay != 0 && + native_mode->clock != 0) { + mode = drm_mode_duplicate(dev, native_mode); ++ if (!mode) ++ return NULL; ++ + mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER; + drm_mode_set_name(mode); + +@@ -401,6 +404,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder) + * simpler. + */ + mode = drm_cvt_mode(dev, native_mode->hdisplay, native_mode->vdisplay, 60, true, false, false); ++ if (!mode) ++ return NULL; ++ + mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER; + DRM_DEBUG_KMS("Adding cvt approximation of native panel mode %s\n", mode->name); + } +-- +2.34.1 + diff --git a/queue-5.10/drm-amdgpu-fixup-bad-vram-size-on-gmc-v8.patch b/queue-5.10/drm-amdgpu-fixup-bad-vram-size-on-gmc-v8.patch new file mode 100644 index 00000000000..fbef53c6efc --- /dev/null +++ b/queue-5.10/drm-amdgpu-fixup-bad-vram-size-on-gmc-v8.patch @@ -0,0 +1,61 @@ +From b370bb2662d211f40f0992ff9c99f64bd680f77b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Dec 2021 17:23:37 +0800 +Subject: drm/amdgpu: fixup bad vram size on gmc v8 + +From: Zongmin Zhou + +[ Upstream commit 11544d77e3974924c5a9c8a8320b996a3e9b2f8b ] + +Some boards(like RX550) seem to have garbage in the upper +16 bits of the vram size register. Check for +this and clamp the size properly. Fixes +boards reporting bogus amounts of vram. + +after add this patch,the maximum GPU VRAM size is 64GB, +otherwise only 64GB vram size will be used. + +Signed-off-by: Zongmin Zhou +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c +index 9ab65ca7df777..873bc33912e23 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c +@@ -524,10 +524,10 @@ static void gmc_v8_0_mc_program(struct amdgpu_device *adev) + static int gmc_v8_0_mc_init(struct amdgpu_device *adev) + { + int r; ++ u32 tmp; + + adev->gmc.vram_width = amdgpu_atombios_get_vram_width(adev); + if (!adev->gmc.vram_width) { +- u32 tmp; + int chansize, numchan; + + /* Get VRAM informations */ +@@ -571,8 +571,15 @@ static int gmc_v8_0_mc_init(struct amdgpu_device *adev) + adev->gmc.vram_width = numchan * chansize; + } + /* size in MB on si */ +- adev->gmc.mc_vram_size = RREG32(mmCONFIG_MEMSIZE) * 1024ULL * 1024ULL; +- adev->gmc.real_vram_size = RREG32(mmCONFIG_MEMSIZE) * 1024ULL * 1024ULL; ++ tmp = RREG32(mmCONFIG_MEMSIZE); ++ /* some boards may have garbage in the upper 16 bits */ ++ if (tmp & 0xffff0000) { ++ DRM_INFO("Probable bad vram size: 0x%08x\n", tmp); ++ if (tmp & 0xffff) ++ tmp &= 0xffff; ++ } ++ adev->gmc.mc_vram_size = tmp * 1024ULL * 1024ULL; ++ adev->gmc.real_vram_size = adev->gmc.mc_vram_size; + + if (!(adev->flags & AMD_IS_APU)) { + r = amdgpu_device_resize_fb_bar(adev); +-- +2.34.1 + diff --git a/queue-5.10/drm-bridge-display-connector-fix-an-uninitialized-po.patch b/queue-5.10/drm-bridge-display-connector-fix-an-uninitialized-po.patch new file mode 100644 index 00000000000..1c3517822bc --- /dev/null +++ b/queue-5.10/drm-bridge-display-connector-fix-an-uninitialized-po.patch @@ -0,0 +1,39 @@ +From fdbece3d8e5ae07f01ca615721c35b92007f89f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 11:08:25 +0300 +Subject: drm/bridge: display-connector: fix an uninitialized pointer in + probe() + +From: Dan Carpenter + +[ Upstream commit 189723fbe9aca18d6f7d638c59a40288030932b5 ] + +The "label" pointer is used for debug output. The code assumes that it +is either NULL or valid, but it is never set to NULL. It is either +valid or uninitialized. + +Fixes: 0c275c30176b ("drm/bridge: Add bridge driver for display connectors") +Signed-off-by: Dan Carpenter +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20211013080825.GE6010@kili +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/display-connector.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/display-connector.c b/drivers/gpu/drm/bridge/display-connector.c +index 4d278573cdb99..544a47335cac4 100644 +--- a/drivers/gpu/drm/bridge/display-connector.c ++++ b/drivers/gpu/drm/bridge/display-connector.c +@@ -104,7 +104,7 @@ static int display_connector_probe(struct platform_device *pdev) + { + struct display_connector *conn; + unsigned int type; +- const char *label; ++ const char *label = NULL; + int ret; + + conn = devm_kzalloc(&pdev->dev, sizeof(*conn), GFP_KERNEL); +-- +2.34.1 + diff --git a/queue-5.10/drm-bridge-dw-hdmi-handle-eld-when-drm_bridge_attach.patch b/queue-5.10/drm-bridge-dw-hdmi-handle-eld-when-drm_bridge_attach.patch new file mode 100644 index 00000000000..08238dec2bf --- /dev/null +++ b/queue-5.10/drm-bridge-dw-hdmi-handle-eld-when-drm_bridge_attach.patch @@ -0,0 +1,146 @@ +From c3a2d66da4f8c5984d6d539a3053c7007f9da21e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 15:59:47 +0200 +Subject: drm/bridge: dw-hdmi: handle ELD when DRM_BRIDGE_ATTACH_NO_CONNECTOR + +From: Neil Armstrong + +[ Upstream commit 3f2532d65a571ca02258b547b5b68ab2e9406fdb ] + +The current ELD handling takes the internal connector ELD buffer and +shares it to the I2S and AHB sub-driver. + +But with DRM_BRIDGE_ATTACH_NO_CONNECTOR, the connector is created +elsewhere (or not), and an eventual connector is known only +if the bridge chain up to a connector is enabled. + +The current dw-hdmi code gets the current connector from +atomic_enable() so use the already stored connector pointer and +replace the buffer pointer with a callback returning the current +connector ELD buffer. + +Since a connector is not always available, either pass an empty +ELD to the alsa HDMI driver or don't call snd_pcm_hw_constraint_eld() +in AHB driver. + +Reported-by: Martin Blumenstingl +Signed-off-by: Neil Armstrong +[narmstrong: fixed typo in commit log] +Acked-by: Jernej Skrabec +Link: https://patchwork.freedesktop.org/patch/msgid/20211029135947.3022875-1-narmstrong@baylibre.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/synopsys/dw-hdmi-ahb-audio.c | 10 +++++++--- + drivers/gpu/drm/bridge/synopsys/dw-hdmi-audio.h | 4 ++-- + drivers/gpu/drm/bridge/synopsys/dw-hdmi-i2s-audio.c | 9 ++++++++- + drivers/gpu/drm/bridge/synopsys/dw-hdmi.c | 12 ++++++++++-- + 4 files changed, 27 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-ahb-audio.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-ahb-audio.c +index d0db1acf11d73..7d2ed0ed2fe26 100644 +--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-ahb-audio.c ++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-ahb-audio.c +@@ -320,13 +320,17 @@ static int dw_hdmi_open(struct snd_pcm_substream *substream) + struct snd_pcm_runtime *runtime = substream->runtime; + struct snd_dw_hdmi *dw = substream->private_data; + void __iomem *base = dw->data.base; ++ u8 *eld; + int ret; + + runtime->hw = dw_hdmi_hw; + +- ret = snd_pcm_hw_constraint_eld(runtime, dw->data.eld); +- if (ret < 0) +- return ret; ++ eld = dw->data.get_eld(dw->data.hdmi); ++ if (eld) { ++ ret = snd_pcm_hw_constraint_eld(runtime, eld); ++ if (ret < 0) ++ return ret; ++ } + + ret = snd_pcm_limit_hw_rates(runtime); + if (ret < 0) +diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-audio.h b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-audio.h +index cb07dc0da5a70..f72d27208ebef 100644 +--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-audio.h ++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-audio.h +@@ -9,15 +9,15 @@ struct dw_hdmi_audio_data { + void __iomem *base; + int irq; + struct dw_hdmi *hdmi; +- u8 *eld; ++ u8 *(*get_eld)(struct dw_hdmi *hdmi); + }; + + struct dw_hdmi_i2s_audio_data { + struct dw_hdmi *hdmi; +- u8 *eld; + + void (*write)(struct dw_hdmi *hdmi, u8 val, int offset); + u8 (*read)(struct dw_hdmi *hdmi, int offset); ++ u8 *(*get_eld)(struct dw_hdmi *hdmi); + }; + + #endif +diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-i2s-audio.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-i2s-audio.c +index 9fef6413741dc..9682416056ed6 100644 +--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-i2s-audio.c ++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-i2s-audio.c +@@ -135,8 +135,15 @@ static int dw_hdmi_i2s_get_eld(struct device *dev, void *data, uint8_t *buf, + size_t len) + { + struct dw_hdmi_i2s_audio_data *audio = data; ++ u8 *eld; ++ ++ eld = audio->get_eld(audio->hdmi); ++ if (eld) ++ memcpy(buf, eld, min_t(size_t, MAX_ELD_BYTES, len)); ++ else ++ /* Pass en empty ELD if connector not available */ ++ memset(buf, 0, len); + +- memcpy(buf, audio->eld, min_t(size_t, MAX_ELD_BYTES, len)); + return 0; + } + +diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c +index 0c79a9ba48bb6..29c0eb4bd7546 100644 +--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c ++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c +@@ -756,6 +756,14 @@ static void hdmi_enable_audio_clk(struct dw_hdmi *hdmi, bool enable) + hdmi_writeb(hdmi, hdmi->mc_clkdis, HDMI_MC_CLKDIS); + } + ++static u8 *hdmi_audio_get_eld(struct dw_hdmi *hdmi) ++{ ++ if (!hdmi->curr_conn) ++ return NULL; ++ ++ return hdmi->curr_conn->eld; ++} ++ + static void dw_hdmi_ahb_audio_enable(struct dw_hdmi *hdmi) + { + hdmi_set_cts_n(hdmi, hdmi->audio_cts, hdmi->audio_n); +@@ -3395,7 +3403,7 @@ struct dw_hdmi *dw_hdmi_probe(struct platform_device *pdev, + audio.base = hdmi->regs; + audio.irq = irq; + audio.hdmi = hdmi; +- audio.eld = hdmi->connector.eld; ++ audio.get_eld = hdmi_audio_get_eld; + hdmi->enable_audio = dw_hdmi_ahb_audio_enable; + hdmi->disable_audio = dw_hdmi_ahb_audio_disable; + +@@ -3408,7 +3416,7 @@ struct dw_hdmi *dw_hdmi_probe(struct platform_device *pdev, + struct dw_hdmi_i2s_audio_data audio; + + audio.hdmi = hdmi; +- audio.eld = hdmi->connector.eld; ++ audio.get_eld = hdmi_audio_get_eld; + audio.write = hdmi_writeb; + audio.read = hdmi_readb; + hdmi->enable_audio = dw_hdmi_i2s_audio_enable; +-- +2.34.1 + diff --git a/queue-5.10/drm-bridge-megachips-ensure-both-bridges-are-probed-.patch b/queue-5.10/drm-bridge-megachips-ensure-both-bridges-are-probed-.patch new file mode 100644 index 00000000000..630c6d7e0e9 --- /dev/null +++ b/queue-5.10/drm-bridge-megachips-ensure-both-bridges-are-probed-.patch @@ -0,0 +1,251 @@ +From d80bd74ca56d597a0730f60ad019ffd83e25b8d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Nov 2021 10:53:02 +0000 +Subject: drm/bridge: megachips: Ensure both bridges are probed before + registration + +From: Martyn Welch + +[ Upstream commit 11632d4aa2b3f126790e81a4415d6c23103cf8bb ] + +In the configuration used by the b850v3, the STDP2690 is used to read EDID +data whilst it's the STDP4028 which can detect when monitors are connected. + +This can result in problems at boot with monitors connected when the +STDP4028 is probed first, a monitor is detected and an attempt is made to +read the EDID data before the STDP2690 has probed: + +[ 3.795721] Unable to handle kernel NULL pointer dereference at virtual address 00000018 +[ 3.803845] pgd = (ptrval) +[ 3.806581] [00000018] *pgd=00000000 +[ 3.810180] Internal error: Oops: 5 [#1] SMP ARM +[ 3.814813] Modules linked in: +[ 3.817879] CPU: 0 PID: 64 Comm: kworker/u4:1 Not tainted 5.15.0 #1 +[ 3.824161] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +[ 3.830705] Workqueue: events_unbound deferred_probe_work_func +[ 3.836565] PC is at stdp2690_get_edid+0x44/0x19c +[ 3.841286] LR is at ge_b850v3_lvds_get_modes+0x2c/0x5c +[ 3.846526] pc : [<805eae10>] lr : [<805eb138>] psr: 80000013 +[ 3.852802] sp : 81c359d0 ip : 7dbb550b fp : 81c35a1c +[ 3.858037] r10: 81c73840 r9 : 81c73894 r8 : 816d9800 +[ 3.863270] r7 : 00000000 r6 : 81c34000 r5 : 00000000 r4 : 810c35f0 +[ 3.869808] r3 : 80e3e294 r2 : 00000080 r1 : 00000cc0 r0 : 81401180 +[ 3.876349] Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +[ 3.883499] Control: 10c5387d Table: 1000404a DAC: 00000051 +[ 3.889254] Register r0 information: slab kmem_cache start 81401180 pointer offset 0 +[ 3.897034] Register r1 information: non-paged memory +[ 3.902097] Register r2 information: non-paged memory +[ 3.907160] Register r3 information: non-slab/vmalloc memory +[ 3.912832] Register r4 information: non-slab/vmalloc memory +[ 3.918503] Register r5 information: NULL pointer +[ 3.923217] Register r6 information: non-slab/vmalloc memory +[ 3.928887] Register r7 information: NULL pointer +[ 3.933601] Register r8 information: slab kmalloc-1k start 816d9800 pointer offset 0 size 1024 +[ 3.942244] Register r9 information: slab kmalloc-2k start 81c73800 pointer offset 148 size 2048 +[ 3.951058] Register r10 information: slab kmalloc-2k start 81c73800 pointer offset 64 size 2048 +[ 3.959873] Register r11 information: non-slab/vmalloc memory +[ 3.965632] Register r12 information: non-paged memory +[ 3.970781] Process kworker/u4:1 (pid: 64, stack limit = 0x(ptrval)) +[ 3.977148] Stack: (0x81c359d0 to 0x81c36000) +[ 3.981517] 59c0: 80b2b668 80b2b5bc 000002e2 0000034e +[ 3.989712] 59e0: 81c35a8c 816d98e8 81c35a14 7dbb550b 805bfcd0 810c35f0 81c73840 824addc0 +[ 3.997906] 5a00: 00001000 816d9800 81c73894 81c73840 81c35a34 81c35a20 805eb138 805eadd8 +[ 4.006099] 5a20: 810c35f0 00000045 81c35adc 81c35a38 80594188 805eb118 80d7c788 80dd1848 +[ 4.014292] 5a40: 00000000 81c35a50 80dca950 811194d3 80dca7c4 80dca944 80dca91c 816d9800 +[ 4.022485] 5a60: 81c34000 81c760a8 816d9800 80c58c98 810c35f0 816d98e8 00001000 00001000 +[ 4.030678] 5a80: 00000000 00000000 8017712c 81c60000 00000002 00000001 00000000 00000000 +[ 4.038870] 5aa0: 816d9900 816d9900 00000000 7dbb550b 805c700c 00000008 826282c8 826282c8 +[ 4.047062] 5ac0: 00001000 81e1ce40 00001000 00000002 81c35bf4 81c35ae0 805d9694 80593fc0 +[ 4.055255] 5ae0: 8017a970 80179ad8 00000179 00000000 81c35bcc 81c35b00 80177108 8017a950 +[ 4.063447] 5b00: 00000000 81c35b10 81c34000 00000000 81004fd8 81010a38 00000000 00000059 +[ 4.071639] 5b20: 816d98d4 81fbb718 00000013 826282c8 8017a940 81c35b40 81134448 00000400 +[ 4.079831] 5b40: 00000178 00000000 e063b9c1 00000000 c2000049 00000040 00000000 00000008 +[ 4.088024] 5b60: 82628300 82628380 00000000 00000000 81c34000 00000000 81fbb700 82628340 +[ 4.096216] 5b80: 826283c0 00001000 00000000 00000010 816d9800 826282c0 801766f8 00000000 +[ 4.104408] 5ba0: 00000000 81004fd8 00000049 00000000 00000000 00000001 80dcf940 80178de4 +[ 4.112601] 5bc0: 81c35c0c 7dbb550b 80178de4 81fbb700 00000010 00000010 810c35f4 81e1ce40 +[ 4.120793] 5be0: 81c40908 0000000c 81c35c64 81c35bf8 805a7f18 805d94a0 81c35c3c 816d9800 +[ 4.128985] 5c00: 00000010 81c34000 81c35c2c 81c35c18 8012fce0 805be90c 81c35c3c 81c35c28 +[ 4.137178] 5c20: 805be90c 80173210 81fbb600 81fbb6b4 81c35c5c 7dbb550b 81c35c64 81fbb700 +[ 4.145370] 5c40: 816d9800 00000010 810c35f4 81e1ce40 81c40908 0000000c 81c35c84 81c35c68 +[ 4.153565] 5c60: 805a8c78 805a7ed0 816d9800 81fbb700 00000010 00000000 81c35cac 81c35c88 +[ 4.161758] 5c80: 805a8dc4 805a8b68 816d9800 00000000 816d9800 00000000 8179f810 810c42d0 +[ 4.169950] 5ca0: 81c35ccc 81c35cb0 805e47b0 805a8d18 824aa240 81e1ea80 81c40908 81126b60 +[ 4.178144] 5cc0: 81c35d14 81c35cd0 8060db1c 805e46cc 81c35d14 81c35ce0 80dd90f8 810c4d58 +[ 4.186338] 5ce0: 80dd90dc 81fe9740 fffffffe 81fe9740 81e1ea80 00000000 810c4d6c 80c4b95c +[ 4.194531] 5d00: 80dd9a3c 815c6810 81c35d34 81c35d18 8060dc9c 8060d8fc 8246b440 815c6800 +[ 4.202724] 5d20: 815c6810 eefd8e00 81c35d44 81c35d38 8060dd80 8060dbec 81c35d6c 81c35d48 +[ 4.210918] 5d40: 805e98a4 8060dd70 00000000 815c6810 810c45b0 81126e90 81126e90 80dd9a3c +[ 4.219112] 5d60: 81c35d8c 81c35d70 80619574 805e9808 815c6810 00000000 810c45b0 81126e90 +[ 4.227305] 5d80: 81c35db4 81c35d90 806168dc 80619514 80625df0 80623c80 815c6810 810c45b0 +[ 4.235498] 5da0: 81c35e6c 815c6810 81c35dec 81c35db8 80616d04 80616800 81c35de4 81c35dc8 +[ 4.243691] 5dc0: 808382b0 80b2f444 8116e310 8116e314 81c35e6c 815c6810 00000003 80dd9a3c +[ 4.251884] 5de0: 81c35e14 81c35df0 80616ec8 80616c60 00000001 810c45b0 81c35e6c 815c6810 +[ 4.260076] 5e00: 00000001 80dd9a3c 81c35e34 81c35e18 80617338 80616e90 00000000 81c35e6c +[ 4.268269] 5e20: 80617284 81c34000 81c35e64 81c35e38 80614730 80617290 81c35e64 8171a06c +[ 4.276461] 5e40: 81e220b8 7dbb550b 815c6810 81c34000 815c6854 81126e90 81c35e9c 81c35e68 +[ 4.284654] 5e60: 8061673c 806146a8 8060f5e0 815c6810 00000001 7dbb550b 00000000 810c5080 +[ 4.292847] 5e80: 810c5320 815c6810 81126e90 00000000 81c35eac 81c35ea0 80617554 80616650 +[ 4.301040] 5ea0: 81c35ecc 81c35eb0 80615694 80617544 810c5080 810c5080 810c5094 81126e90 +[ 4.309233] 5ec0: 81c35efc 81c35ed0 80615c6c 8061560c 80615bc0 810c50c0 817eeb00 81412800 +[ 4.317425] 5ee0: 814c3000 00000000 814c300d 81119a60 81c35f3c 81c35f00 80141488 80615bcc +[ 4.325618] 5f00: 81c60000 81c34000 81c35f24 81c35f18 80143078 817eeb00 81412800 817eeb18 +[ 4.333811] 5f20: 81412818 81003d00 00000088 81412800 81c35f74 81c35f40 80141a48 80141298 +[ 4.342005] 5f40: 81c35f74 81c34000 801481ac 817efa40 817efc00 801417d8 817eeb00 00000000 +[ 4.350199] 5f60: 815a7e7c 81c34000 81c35fac 81c35f78 80149b1c 801417e4 817efc20 817efc20 +[ 4.358391] 5f80: ffffe000 817efa40 801499a8 00000000 00000000 00000000 00000000 00000000 +[ 4.366583] 5fa0: 00000000 81c35fb0 80100130 801499b4 00000000 00000000 00000000 00000000 +[ 4.374774] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 4.382966] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 +[ 4.391155] Backtrace: +[ 4.393613] [<805eadcc>] (stdp2690_get_edid) from [<805eb138>] (ge_b850v3_lvds_get_modes+0x2c/0x5c) +[ 4.402691] r10:81c73840 r9:81c73894 r8:816d9800 r7:00001000 r6:824addc0 r5:81c73840 +[ 4.410534] r4:810c35f0 +[ 4.413073] [<805eb10c>] (ge_b850v3_lvds_get_modes) from [<80594188>] (drm_helper_probe_single_connector_modes+0x1d4/0x84c) +[ 4.424240] r5:00000045 r4:810c35f0 +[ 4.427822] [<80593fb4>] (drm_helper_probe_single_connector_modes) from [<805d9694>] (drm_client_modeset_probe+0x200/0x1384) +[ 4.439074] r10:00000002 r9:00001000 r8:81e1ce40 r7:00001000 r6:826282c8 r5:826282c8 +[ 4.446917] r4:00000008 +[ 4.449455] [<805d9494>] (drm_client_modeset_probe) from [<805a7f18>] (__drm_fb_helper_initial_config_and_unlock+0x54/0x5b4) +[ 4.460713] r10:0000000c r9:81c40908 r8:81e1ce40 r7:810c35f4 r6:00000010 r5:00000010 +[ 4.468556] r4:81fbb700 +[ 4.471095] [<805a7ec4>] (__drm_fb_helper_initial_config_and_unlock) from [<805a8c78>] (drm_fbdev_client_hotplug+0x11c/0x1b0) +[ 4.482434] r10:0000000c r9:81c40908 r8:81e1ce40 r7:810c35f4 r6:00000010 r5:816d9800 +[ 4.490276] r4:81fbb700 +[ 4.492814] [<805a8b5c>] (drm_fbdev_client_hotplug) from [<805a8dc4>] (drm_fbdev_generic_setup+0xb8/0x1a4) +[ 4.502494] r7:00000000 r6:00000010 r5:81fbb700 r4:816d9800 +[ 4.508160] [<805a8d0c>] (drm_fbdev_generic_setup) from [<805e47b0>] (imx_drm_bind+0xf0/0x130) +[ 4.516805] r7:810c42d0 r6:8179f810 r5:00000000 r4:816d9800 +[ 4.522474] [<805e46c0>] (imx_drm_bind) from [<8060db1c>] (try_to_bring_up_master+0x22c/0x2f0) +[ 4.531116] r7:81126b60 r6:81c40908 r5:81e1ea80 r4:824aa240 +[ 4.536783] [<8060d8f0>] (try_to_bring_up_master) from [<8060dc9c>] (__component_add+0xbc/0x184) +[ 4.545597] r10:815c6810 r9:80dd9a3c r8:80c4b95c r7:810c4d6c r6:00000000 r5:81e1ea80 +[ 4.553440] r4:81fe9740 +[ 4.555980] [<8060dbe0>] (__component_add) from [<8060dd80>] (component_add+0x1c/0x20) +[ 4.563921] r7:eefd8e00 r6:815c6810 r5:815c6800 r4:8246b440 +[ 4.569589] [<8060dd64>] (component_add) from [<805e98a4>] (dw_hdmi_imx_probe+0xa8/0xe8) +[ 4.577702] [<805e97fc>] (dw_hdmi_imx_probe) from [<80619574>] (platform_probe+0x6c/0xc8) +[ 4.585908] r9:80dd9a3c r8:81126e90 r7:81126e90 r6:810c45b0 r5:815c6810 r4:00000000 +[ 4.593662] [<80619508>] (platform_probe) from [<806168dc>] (really_probe+0xe8/0x460) +[ 4.601524] r7:81126e90 r6:810c45b0 r5:00000000 r4:815c6810 +[ 4.607191] [<806167f4>] (really_probe) from [<80616d04>] (__driver_probe_device+0xb0/0x230) +[ 4.615658] r7:815c6810 r6:81c35e6c r5:810c45b0 r4:815c6810 +[ 4.621326] [<80616c54>] (__driver_probe_device) from [<80616ec8>] (driver_probe_device+0x44/0xe0) +[ 4.630313] r9:80dd9a3c r8:00000003 r7:815c6810 r6:81c35e6c r5:8116e314 r4:8116e310 +[ 4.638068] [<80616e84>] (driver_probe_device) from [<80617338>] (__device_attach_driver+0xb4/0x12c) +[ 4.647227] r9:80dd9a3c r8:00000001 r7:815c6810 r6:81c35e6c r5:810c45b0 r4:00000001 +[ 4.654981] [<80617284>] (__device_attach_driver) from [<80614730>] (bus_for_each_drv+0x94/0xd8) +[ 4.663794] r7:81c34000 r6:80617284 r5:81c35e6c r4:00000000 +[ 4.669461] [<8061469c>] (bus_for_each_drv) from [<8061673c>] (__device_attach+0xf8/0x190) +[ 4.677753] r7:81126e90 r6:815c6854 r5:81c34000 r4:815c6810 +[ 4.683419] [<80616644>] (__device_attach) from [<80617554>] (device_initial_probe+0x1c/0x20) +[ 4.691971] r8:00000000 r7:81126e90 r6:815c6810 r5:810c5320 r4:810c5080 +[ 4.698681] [<80617538>] (device_initial_probe) from [<80615694>] (bus_probe_device+0x94/0x9c) +[ 4.707318] [<80615600>] (bus_probe_device) from [<80615c6c>] (deferred_probe_work_func+0xac/0xf0) +[ 4.716305] r7:81126e90 r6:810c5094 r5:810c5080 r4:810c5080 +[ 4.721973] [<80615bc0>] (deferred_probe_work_func) from [<80141488>] (process_one_work+0x1fc/0x54c) +[ 4.731139] r10:81119a60 r9:814c300d r8:00000000 r7:814c3000 r6:81412800 r5:817eeb00 +[ 4.738981] r4:810c50c0 r3:80615bc0 +[ 4.742563] [<8014128c>] (process_one_work) from [<80141a48>] (worker_thread+0x270/0x570) +[ 4.750765] r10:81412800 r9:00000088 r8:81003d00 r7:81412818 r6:817eeb18 r5:81412800 +[ 4.758608] r4:817eeb00 +[ 4.761147] [<801417d8>] (worker_thread) from [<80149b1c>] (kthread+0x174/0x190) +[ 4.768574] r10:81c34000 r9:815a7e7c r8:00000000 r7:817eeb00 r6:801417d8 r5:817efc00 +[ 4.776417] r4:817efa40 +[ 4.778955] [<801499a8>] (kthread) from [<80100130>] (ret_from_fork+0x14/0x24) +[ 4.786201] Exception stack(0x81c35fb0 to 0x81c35ff8) +[ 4.791266] 5fa0: 00000000 00000000 00000000 00000000 +[ 4.799459] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 4.807651] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 +[ 4.814279] r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:801499a8 +[ 4.822120] r4:817efa40 +[ 4.824664] Code: e3a02080 e593001c e3a01d33 e3a05000 (e5979018) + +Split the registration from the STDP4028 probe routine and only perform +registration once both the STDP4028 and STDP2690 have probed. + +Signed-off-by: Martyn Welch +CC: Peter Senna Tschudin +CC: Martyn Welch +CC: Neil Armstrong +CC: Robert Foss +CC: Laurent Pinchart +CC: Jonas Karlman +CC: Jernej Skrabec +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/43552c3404e8fdf92d8bc5658fac24e9f03c2c57.1637836606.git.martyn.welch@collabora.com +Signed-off-by: Sasha Levin +--- + .../bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 40 +++++++++++++------ + 1 file changed, 28 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c +index d2808c4a6fb1c..cce98bf2a4e73 100644 +--- a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c ++++ b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c +@@ -306,19 +306,10 @@ out: + mutex_unlock(&ge_b850v3_lvds_dev_mutex); + } + +-static int stdp4028_ge_b850v3_fw_probe(struct i2c_client *stdp4028_i2c, +- const struct i2c_device_id *id) ++static int ge_b850v3_register(void) + { ++ struct i2c_client *stdp4028_i2c = ge_b850v3_lvds_ptr->stdp4028_i2c; + struct device *dev = &stdp4028_i2c->dev; +- int ret; +- +- ret = ge_b850v3_lvds_init(dev); +- +- if (ret) +- return ret; +- +- ge_b850v3_lvds_ptr->stdp4028_i2c = stdp4028_i2c; +- i2c_set_clientdata(stdp4028_i2c, ge_b850v3_lvds_ptr); + + /* drm bridge initialization */ + ge_b850v3_lvds_ptr->bridge.funcs = &ge_b850v3_lvds_funcs; +@@ -343,6 +334,27 @@ static int stdp4028_ge_b850v3_fw_probe(struct i2c_client *stdp4028_i2c, + "ge-b850v3-lvds-dp", ge_b850v3_lvds_ptr); + } + ++static int stdp4028_ge_b850v3_fw_probe(struct i2c_client *stdp4028_i2c, ++ const struct i2c_device_id *id) ++{ ++ struct device *dev = &stdp4028_i2c->dev; ++ int ret; ++ ++ ret = ge_b850v3_lvds_init(dev); ++ ++ if (ret) ++ return ret; ++ ++ ge_b850v3_lvds_ptr->stdp4028_i2c = stdp4028_i2c; ++ i2c_set_clientdata(stdp4028_i2c, ge_b850v3_lvds_ptr); ++ ++ /* Only register after both bridges are probed */ ++ if (!ge_b850v3_lvds_ptr->stdp2690_i2c) ++ return 0; ++ ++ return ge_b850v3_register(); ++} ++ + static int stdp4028_ge_b850v3_fw_remove(struct i2c_client *stdp4028_i2c) + { + ge_b850v3_lvds_remove(); +@@ -386,7 +398,11 @@ static int stdp2690_ge_b850v3_fw_probe(struct i2c_client *stdp2690_i2c, + ge_b850v3_lvds_ptr->stdp2690_i2c = stdp2690_i2c; + i2c_set_clientdata(stdp2690_i2c, ge_b850v3_lvds_ptr); + +- return 0; ++ /* Only register after both bridges are probed */ ++ if (!ge_b850v3_lvds_ptr->stdp4028_i2c) ++ return 0; ++ ++ return ge_b850v3_register(); + } + + static int stdp2690_ge_b850v3_fw_remove(struct i2c_client *stdp2690_i2c) +-- +2.34.1 + diff --git a/queue-5.10/drm-bridge-ti-sn65dsi86-set-max-register-for-regmap.patch b/queue-5.10/drm-bridge-ti-sn65dsi86-set-max-register-for-regmap.patch new file mode 100644 index 00000000000..9c8f4936720 --- /dev/null +++ b/queue-5.10/drm-bridge-ti-sn65dsi86-set-max-register-for-regmap.patch @@ -0,0 +1,40 @@ +From f8c7da2973480c21ed56518edeea208aa973dbb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Dec 2021 16:25:29 -0800 +Subject: drm/bridge: ti-sn65dsi86: Set max register for regmap + +From: Stephen Boyd + +[ Upstream commit 0b665d4af35837f0a0ae63135b84a3c187c1db3b ] + +Set the maximum register to 0xff so we can dump the registers for this +device in debugfs. + +Fixes: a095f15c00e2 ("drm/bridge: add support for sn65dsi86 bridge driver") +Cc: Rob Clark +Cc: Douglas Anderson +Cc: Laurent Pinchart +Signed-off-by: Stephen Boyd +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20211215002529.382383-1-swboyd@chromium.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ti-sn65dsi86.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +index ecdf9b01340f5..1a58481037b3f 100644 +--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c ++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +@@ -171,6 +171,7 @@ static const struct regmap_config ti_sn_bridge_regmap_config = { + .val_bits = 8, + .volatile_table = &ti_sn_bridge_volatile_table, + .cache_type = REGCACHE_NONE, ++ .max_register = 0xFF, + }; + + static void ti_sn_bridge_write_u16(struct ti_sn_bridge *pdata, +-- +2.34.1 + diff --git a/queue-5.10/drm-etnaviv-consider-completed-fence-seqno-in-hang-c.patch b/queue-5.10/drm-etnaviv-consider-completed-fence-seqno-in-hang-c.patch new file mode 100644 index 00000000000..174f924a938 --- /dev/null +++ b/queue-5.10/drm-etnaviv-consider-completed-fence-seqno-in-hang-c.patch @@ -0,0 +1,59 @@ +From 60a607b50832d0251e3d4b5c023ef586d966fe6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 01:17:28 +0100 +Subject: drm/etnaviv: consider completed fence seqno in hang check + +From: Lucas Stach + +[ Upstream commit cdd156955f946beaa5f3a00d8ccf90e5a197becc ] + +Some GPU heavy test programs manage to trigger the hangcheck quite often. +If there are no other GPU users in the system and the test program +exhibits a very regular structure in the commandstreams that are being +submitted, we can end up with two distinct submits managing to trigger +the hangcheck with the FE in a very similar address range. This leads +the hangcheck to believe that the GPU is stuck, while in reality the GPU +is already busy working on a different job. To avoid those spurious +GPU resets, also remember and consider the last completed fence seqno +in the hang check. + +Reported-by: Joerg Albert +Signed-off-by: Lucas Stach +Reviewed-by: Christian Gmeiner +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/etnaviv/etnaviv_gpu.h | 1 + + drivers/gpu/drm/etnaviv/etnaviv_sched.c | 4 +++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.h b/drivers/gpu/drm/etnaviv/etnaviv_gpu.h +index 1c75c8ed5bcea..85eddd492774d 100644 +--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.h ++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.h +@@ -130,6 +130,7 @@ struct etnaviv_gpu { + + /* hang detection */ + u32 hangcheck_dma_addr; ++ u32 hangcheck_fence; + + void __iomem *mmio; + int irq; +diff --git a/drivers/gpu/drm/etnaviv/etnaviv_sched.c b/drivers/gpu/drm/etnaviv/etnaviv_sched.c +index cd46c882269cc..026b6c0731198 100644 +--- a/drivers/gpu/drm/etnaviv/etnaviv_sched.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_sched.c +@@ -106,8 +106,10 @@ static void etnaviv_sched_timedout_job(struct drm_sched_job *sched_job) + */ + dma_addr = gpu_read(gpu, VIVS_FE_DMA_ADDRESS); + change = dma_addr - gpu->hangcheck_dma_addr; +- if (change < 0 || change > 16) { ++ if (gpu->completed_fence != gpu->hangcheck_fence || ++ change < 0 || change > 16) { + gpu->hangcheck_dma_addr = dma_addr; ++ gpu->hangcheck_fence = gpu->completed_fence; + goto out_no_timeout; + } + +-- +2.34.1 + diff --git a/queue-5.10/drm-fix-null-ptr-deref-in-drm_dev_init_release.patch b/queue-5.10/drm-fix-null-ptr-deref-in-drm_dev_init_release.patch new file mode 100644 index 00000000000..193dbfffd57 --- /dev/null +++ b/queue-5.10/drm-fix-null-ptr-deref-in-drm_dev_init_release.patch @@ -0,0 +1,86 @@ +From 8c889b389c6e2c5a0ce5aac21a10ac08a3d7d935 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 19:41:39 +0800 +Subject: drm: fix null-ptr-deref in drm_dev_init_release() + +From: Wang Hai + +[ Upstream commit acf20ed020ffa4d6cc8347e8d356509b95df3cbe ] + +I got a null-ptr-deref report: + +[drm:drm_dev_init [drm]] *ERROR* Cannot allocate anonymous inode: -12 +================================================================== +BUG: KASAN: null-ptr-deref in iput+0x3c/0x4a0 +... +Call Trace: + dump_stack_lvl+0x6c/0x8b + kasan_report.cold+0x64/0xdb + __asan_load8+0x69/0x90 + iput+0x3c/0x4a0 + drm_dev_init_release+0x39/0xb0 [drm] + drm_managed_release+0x158/0x2d0 [drm] + drm_dev_init+0x3a7/0x4c0 [drm] + __devm_drm_dev_alloc+0x55/0xd0 [drm] + mi0283qt_probe+0x8a/0x2b5 [mi0283qt] + spi_probe+0xeb/0x130 +... + entry_SYSCALL_64_after_hwframe+0x44/0xae + +If drm_fs_inode_new() fails in drm_dev_init(), dev->anon_inode will point +to PTR_ERR(...) instead of NULL. This will result in null-ptr-deref when +drm_fs_inode_free(dev->anon_inode) is called. + +drm_dev_init() + drm_fs_inode_new() // fail, dev->anon_inode = PTR_ERR(...) + drm_managed_release() + drm_dev_init_release() + drm_fs_inode_free() // access non-existent anon_inode + +Define a temp variable and assign it to dev->anon_inode if the temp +variable is not PTR_ERR. + +Fixes: 2cbf7fc6718b ("drm: Use drmm_ for drm_dev_init cleanup") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20211013114139.4042207-1-wanghai38@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_drv.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c +index cd162d406078a..006e3b896caea 100644 +--- a/drivers/gpu/drm/drm_drv.c ++++ b/drivers/gpu/drm/drm_drv.c +@@ -577,6 +577,7 @@ static int drm_dev_init(struct drm_device *dev, + struct drm_driver *driver, + struct device *parent) + { ++ struct inode *inode; + int ret; + + if (!drm_core_init_complete) { +@@ -613,13 +614,15 @@ static int drm_dev_init(struct drm_device *dev, + if (ret) + return ret; + +- dev->anon_inode = drm_fs_inode_new(); +- if (IS_ERR(dev->anon_inode)) { +- ret = PTR_ERR(dev->anon_inode); ++ inode = drm_fs_inode_new(); ++ if (IS_ERR(inode)) { ++ ret = PTR_ERR(inode); + DRM_ERROR("Cannot allocate anonymous inode: %d\n", ret); + goto err; + } + ++ dev->anon_inode = inode; ++ + if (drm_core_check_feature(dev, DRIVER_RENDER)) { + ret = drm_minor_alloc(dev, DRM_MINOR_RENDER); + if (ret) +-- +2.34.1 + diff --git a/queue-5.10/drm-lima-fix-warning-when-config_debug_sg-y-config_d.patch b/queue-5.10/drm-lima-fix-warning-when-config_debug_sg-y-config_d.patch new file mode 100644 index 00000000000..dd1661a8007 --- /dev/null +++ b/queue-5.10/drm-lima-fix-warning-when-config_debug_sg-y-config_d.patch @@ -0,0 +1,39 @@ +From d8cb401c0921edec2a234cba4624aed961dbcaf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Oct 2021 12:16:04 +0800 +Subject: drm/lima: fix warning when CONFIG_DEBUG_SG=y & CONFIG_DMA_API_DEBUG=y + +From: Qiang Yu + +[ Upstream commit 89636a06fa2ee7826a19c39c19a9bc99ab9340a9 ] + +Otherwise get following warning: + +DMA-API: lima 1c40000.gpu: mapping sg segment longer than device claims to support [len=4149248] [max=65536] + +See: https://gitlab.freedesktop.org/mesa/mesa/-/issues/5496 + +Reviewed-by: Vasily Khoruzhick +Reported-by: Roman Stratiienko +Signed-off-by: Qiang Yu +Link: https://patchwork.freedesktop.org/patch/msgid/20211031041604.187216-1-yuq825@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/lima/lima_device.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/lima/lima_device.c b/drivers/gpu/drm/lima/lima_device.c +index 65fdca366e41f..36c9905894278 100644 +--- a/drivers/gpu/drm/lima/lima_device.c ++++ b/drivers/gpu/drm/lima/lima_device.c +@@ -357,6 +357,7 @@ int lima_device_init(struct lima_device *ldev) + int err, i; + + dma_set_coherent_mask(ldev->dev, DMA_BIT_MASK(32)); ++ dma_set_max_seg_size(ldev->dev, UINT_MAX); + + err = lima_clk_init(ldev); + if (err) +-- +2.34.1 + diff --git a/queue-5.10/drm-msm-dp-displayport-driver-need-algorithm-rationa.patch b/queue-5.10/drm-msm-dp-displayport-driver-need-algorithm-rationa.patch new file mode 100644 index 00000000000..f1ed6378dc2 --- /dev/null +++ b/queue-5.10/drm-msm-dp-displayport-driver-need-algorithm-rationa.patch @@ -0,0 +1,41 @@ +From a76ceca4f664c2fa8283c725115b4fb9d81d16c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Nov 2021 15:09:49 +0800 +Subject: drm/msm/dp: displayPort driver need algorithm rational + +From: Jackie Liu + +[ Upstream commit 53d22794711ad630f40d59dd726bd260d77d585f ] + +Let's select RATIONAL with dp driver. avoid like: + +[...] +x86_64-linux-gnu-ld: drivers/gpu/drm/msm/dp/dp_catalog.o: in function `dp_catalog_ctrl_config_msa': +dp_catalog.c:(.text+0x57e): undefined reference to `rational_best_approximation' + +Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support") +Reported-by: kernelbot +Signed-off-by: Jackie Liu +Link: https://lore.kernel.org/r/20211110070950.3355597-2-liu.yun@linux.dev +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/msm/Kconfig b/drivers/gpu/drm/msm/Kconfig +index dabb4a1ccdcf7..1aad34b5ffd7f 100644 +--- a/drivers/gpu/drm/msm/Kconfig ++++ b/drivers/gpu/drm/msm/Kconfig +@@ -60,6 +60,7 @@ config DRM_MSM_HDMI_HDCP + config DRM_MSM_DP + bool "Enable DisplayPort support in MSM DRM driver" + depends on DRM_MSM ++ select RATIONAL + default y + help + Compile in support for DP driver in MSM DRM driver. DP external +-- +2.34.1 + diff --git a/queue-5.10/drm-msm-dpu-fix-safe-status-debugfs-file.patch b/queue-5.10/drm-msm-dpu-fix-safe-status-debugfs-file.patch new file mode 100644 index 00000000000..75555ee8088 --- /dev/null +++ b/queue-5.10/drm-msm-dpu-fix-safe-status-debugfs-file.patch @@ -0,0 +1,41 @@ +From 89b03de69f545723f10a7305276ceefe2a1f01f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Dec 2021 01:26:27 +0300 +Subject: drm/msm/dpu: fix safe status debugfs file + +From: Dmitry Baryshkov + +[ Upstream commit f31b0e24d31e18b4503eeaf0032baeacc0beaff6 ] + +Make safe_status debugfs fs file actually return safe status rather than +danger status data. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Link: https://lore.kernel.org/r/20211201222633.2476780-3-dmitry.baryshkov@linaro.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c +index b4a2e8eb35dd2..08e082d0443af 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c +@@ -71,8 +71,8 @@ static int _dpu_danger_signal_status(struct seq_file *s, + &status); + } else { + seq_puts(s, "\nSafe signal status:\n"); +- if (kms->hw_mdp->ops.get_danger_status) +- kms->hw_mdp->ops.get_danger_status(kms->hw_mdp, ++ if (kms->hw_mdp->ops.get_safe_status) ++ kms->hw_mdp->ops.get_safe_status(kms->hw_mdp, + &status); + } + pm_runtime_put_sync(&kms->pdev->dev); +-- +2.34.1 + diff --git a/queue-5.10/drm-nouveau-pmu-gm200-avoid-touching-pmu-outside-of-.patch b/queue-5.10/drm-nouveau-pmu-gm200-avoid-touching-pmu-outside-of-.patch new file mode 100644 index 00000000000..27df053a4cc --- /dev/null +++ b/queue-5.10/drm-nouveau-pmu-gm200-avoid-touching-pmu-outside-of-.patch @@ -0,0 +1,104 @@ +From acf0af678319db6ad5f42051f00c08e7f82a5286 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Feb 2021 19:29:52 +1000 +Subject: drm/nouveau/pmu/gm200-: avoid touching PMU outside of + DEVINIT/PREOS/ACR + +From: Ben Skeggs + +[ Upstream commit 1d2271d2fb85e54bfc9630a6c30ac0feb9ffb983 ] + +There have been reports of the WFI timing out on some boards, and a +patch was proposed to just remove it. This stuff is rather fragile, +and I believe the WFI might be needed with our FW prior to GM200. + +However, we probably should not be touching PMU during init on GPUs +where we depend on NVIDIA FW, outside of limited circumstances, so +this should be a somewhat safer change that achieves the desired +result. + +Reported-by: Diego Viola +Signed-off-by: Ben Skeggs +Reviewed-by: Karol Herbst +Signed-off-by: Karol Herbst +Link: https://gitlab.freedesktop.org/drm/nouveau/-/merge_requests/10 +Signed-off-by: Sasha Levin +--- + .../gpu/drm/nouveau/nvkm/subdev/pmu/base.c | 37 +++++++++++-------- + 1 file changed, 21 insertions(+), 16 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c +index a0fe607c9c07f..3bfc55c571b5e 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c +@@ -94,20 +94,13 @@ nvkm_pmu_fini(struct nvkm_subdev *subdev, bool suspend) + return 0; + } + +-static int ++static void + nvkm_pmu_reset(struct nvkm_pmu *pmu) + { + struct nvkm_device *device = pmu->subdev.device; + + if (!pmu->func->enabled(pmu)) +- return 0; +- +- /* Inhibit interrupts, and wait for idle. */ +- nvkm_wr32(device, 0x10a014, 0x0000ffff); +- nvkm_msec(device, 2000, +- if (!nvkm_rd32(device, 0x10a04c)) +- break; +- ); ++ return; + + /* Reset. */ + if (pmu->func->reset) +@@ -118,25 +111,37 @@ nvkm_pmu_reset(struct nvkm_pmu *pmu) + if (!(nvkm_rd32(device, 0x10a10c) & 0x00000006)) + break; + ); +- +- return 0; + } + + static int + nvkm_pmu_preinit(struct nvkm_subdev *subdev) + { + struct nvkm_pmu *pmu = nvkm_pmu(subdev); +- return nvkm_pmu_reset(pmu); ++ nvkm_pmu_reset(pmu); ++ return 0; + } + + static int + nvkm_pmu_init(struct nvkm_subdev *subdev) + { + struct nvkm_pmu *pmu = nvkm_pmu(subdev); +- int ret = nvkm_pmu_reset(pmu); +- if (ret == 0 && pmu->func->init) +- ret = pmu->func->init(pmu); +- return ret; ++ struct nvkm_device *device = pmu->subdev.device; ++ ++ if (!pmu->func->init) ++ return 0; ++ ++ if (pmu->func->enabled(pmu)) { ++ /* Inhibit interrupts, and wait for idle. */ ++ nvkm_wr32(device, 0x10a014, 0x0000ffff); ++ nvkm_msec(device, 2000, ++ if (!nvkm_rd32(device, 0x10a04c)) ++ break; ++ ); ++ ++ nvkm_pmu_reset(pmu); ++ } ++ ++ return pmu->func->init(pmu); + } + + static void * +-- +2.34.1 + diff --git a/queue-5.10/drm-panel-innolux-p079zca-delete-panel-on-attach-fai.patch b/queue-5.10/drm-panel-innolux-p079zca-delete-panel-on-attach-fai.patch new file mode 100644 index 00000000000..5496770732d --- /dev/null +++ b/queue-5.10/drm-panel-innolux-p079zca-delete-panel-on-attach-fai.patch @@ -0,0 +1,57 @@ +From 6d9f5105553a2b7d8a1f325dd64d24c3c50d535f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Sep 2021 17:33:54 -0700 +Subject: drm/panel: innolux-p079zca: Delete panel on attach() failure + +From: Brian Norris + +[ Upstream commit 32a267e9c057e1636e7afdd20599aa5741a73079 ] + +If we fail to attach (e.g., because 1 of 2 dual-DSI controllers aren't +ready), we leave a dangling drm_panel reference to freed memory. Clean +that up on failure. + +This problem exists since the driver's introduction, but is especially +relevant after refactored for dual-DSI variants. + +Fixes: 14c8f2e9f8ea ("drm/panel: add Innolux P079ZCA panel driver") +Fixes: 7ad4e4636c54 ("drm/panel: p079zca: Refactor panel driver to support multiple panels") +Signed-off-by: Brian Norris +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20210923173336.2.I9023cf8811a3abf4964ed84eb681721d8bb489d6@changeid +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-innolux-p079zca.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-innolux-p079zca.c b/drivers/gpu/drm/panel/panel-innolux-p079zca.c +index aea3162253914..f194b62e290ca 100644 +--- a/drivers/gpu/drm/panel/panel-innolux-p079zca.c ++++ b/drivers/gpu/drm/panel/panel-innolux-p079zca.c +@@ -484,6 +484,7 @@ static void innolux_panel_del(struct innolux_panel *innolux) + static int innolux_panel_probe(struct mipi_dsi_device *dsi) + { + const struct panel_desc *desc; ++ struct innolux_panel *innolux; + int err; + + desc = of_device_get_match_data(&dsi->dev); +@@ -495,7 +496,14 @@ static int innolux_panel_probe(struct mipi_dsi_device *dsi) + if (err < 0) + return err; + +- return mipi_dsi_attach(dsi); ++ err = mipi_dsi_attach(dsi); ++ if (err < 0) { ++ innolux = mipi_dsi_get_drvdata(dsi); ++ innolux_panel_del(innolux); ++ return err; ++ } ++ ++ return 0; + } + + static int innolux_panel_remove(struct mipi_dsi_device *dsi) +-- +2.34.1 + diff --git a/queue-5.10/drm-panel-kingdisplay-kd097d04-delete-panel-on-attac.patch b/queue-5.10/drm-panel-kingdisplay-kd097d04-delete-panel-on-attac.patch new file mode 100644 index 00000000000..141a65b6046 --- /dev/null +++ b/queue-5.10/drm-panel-kingdisplay-kd097d04-delete-panel-on-attac.patch @@ -0,0 +1,44 @@ +From 925237e6d02321310925477e5b0645a79f5ce3ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Sep 2021 17:33:53 -0700 +Subject: drm/panel: kingdisplay-kd097d04: Delete panel on attach() failure + +From: Brian Norris + +[ Upstream commit 5f31dbeae8a88f31c3eb4eb526ab4807c40da241 ] + +If we fail to attach (e.g., because 1 of 2 dual-DSI controllers aren't +ready), we leave a dangling drm_panel reference to freed memory. Clean +that up on failure. + +Fixes: 2a994cbed6b2 ("drm/panel: Add Kingdisplay KD097D04 panel driver") +Signed-off-by: Brian Norris +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20210923173336.1.Icb4d9dbc1817f4e826361a4f1cea7461541668f0@changeid +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c b/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c +index 86e4213e8bb13..daccb1fd5fdad 100644 +--- a/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c ++++ b/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c +@@ -406,7 +406,13 @@ static int kingdisplay_panel_probe(struct mipi_dsi_device *dsi) + if (err < 0) + return err; + +- return mipi_dsi_attach(dsi); ++ err = mipi_dsi_attach(dsi); ++ if (err < 0) { ++ kingdisplay_panel_del(kingdisplay); ++ return err; ++ } ++ ++ return 0; + } + + static int kingdisplay_panel_remove(struct mipi_dsi_device *dsi) +-- +2.34.1 + diff --git a/queue-5.10/drm-panel-orientation-quirks-add-quirk-for-the-lenov.patch b/queue-5.10/drm-panel-orientation-quirks-add-quirk-for-the-lenov.patch new file mode 100644 index 00000000000..624d13afc16 --- /dev/null +++ b/queue-5.10/drm-panel-orientation-quirks-add-quirk-for-the-lenov.patch @@ -0,0 +1,43 @@ +From d20a583e009803e78cf84c73bf0ce9653807f1c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Nov 2021 14:02:27 +0100 +Subject: drm: panel-orientation-quirks: Add quirk for the Lenovo Yoga Book + X91F/L + +From: Hans de Goede + +[ Upstream commit bc30c3b0c8a1904d83d5f0d60fb8650a334b207b ] + +The Lenovo Yoga Book X91F/L uses a panel which has been mounted +90 degrees rotated. Add a quirk for this. + +Cc: Yauhen Kharuzhy +Signed-off-by: Hans de Goede +Acked-by: Simon Ser +Tested-by: Yauhen Kharuzhy +Link: https://patchwork.freedesktop.org/patch/msgid/20211106130227.11927-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index a950d5db211c5..9d1bd8f491ad7 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -248,6 +248,12 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad D330-10IGM"), + }, + .driver_data = (void *)&lcd1200x1920_rightside_up, ++ }, { /* Lenovo Yoga Book X90F / X91F / X91L */ ++ .matches = { ++ /* Non exact match to match all versions */ ++ DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X9"), ++ }, ++ .driver_data = (void *)&lcd1200x1920_rightside_up, + }, { /* OneGX1 Pro */ + .matches = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "SYSTEM_MANUFACTURER"), +-- +2.34.1 + diff --git a/queue-5.10/drm-radeon-radeon_kms-fix-a-null-pointer-dereference.patch b/queue-5.10/drm-radeon-radeon_kms-fix-a-null-pointer-dereference.patch new file mode 100644 index 00000000000..c4511726403 --- /dev/null +++ b/queue-5.10/drm-radeon-radeon_kms-fix-a-null-pointer-dereference.patch @@ -0,0 +1,122 @@ +From 025c2af71161535fb2334d79ee0dae18e5601ab8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 23:13:10 +0800 +Subject: drm/radeon/radeon_kms: Fix a NULL pointer dereference in + radeon_driver_open_kms() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zhou Qingyang + +[ Upstream commit ab50cb9df8896b39aae65c537a30de2c79c19735 ] + +In radeon_driver_open_kms(), radeon_vm_bo_add() is assigned to +vm->ib_bo_va and passes and used in radeon_vm_bo_set_addr(). In +radeon_vm_bo_set_addr(), there is a dereference of vm->ib_bo_va, +which could lead to a NULL pointer dereference on failure of +radeon_vm_bo_add(). + +Fix this bug by adding a check of vm->ib_bo_va. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_DRM_RADEON=m show no new warnings, +and our static analyzer no longer warns about this code. + +Fixes: cc9e67e3d700 ("drm/radeon: fix VM IB handling") +Reviewed-by: Christian König +Signed-off-by: Zhou Qingyang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_kms.c | 36 ++++++++++++++++------------- + 1 file changed, 20 insertions(+), 16 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c +index 8c0a572940e82..204634b239283 100644 +--- a/drivers/gpu/drm/radeon/radeon_kms.c ++++ b/drivers/gpu/drm/radeon/radeon_kms.c +@@ -634,6 +634,8 @@ void radeon_driver_lastclose_kms(struct drm_device *dev) + int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv) + { + struct radeon_device *rdev = dev->dev_private; ++ struct radeon_fpriv *fpriv; ++ struct radeon_vm *vm; + int r; + + file_priv->driver_priv = NULL; +@@ -646,8 +648,6 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv) + + /* new gpu have virtual address space support */ + if (rdev->family >= CHIP_CAYMAN) { +- struct radeon_fpriv *fpriv; +- struct radeon_vm *vm; + + fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL); + if (unlikely(!fpriv)) { +@@ -658,35 +658,39 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv) + if (rdev->accel_working) { + vm = &fpriv->vm; + r = radeon_vm_init(rdev, vm); +- if (r) { +- kfree(fpriv); +- goto out_suspend; +- } ++ if (r) ++ goto out_fpriv; + + r = radeon_bo_reserve(rdev->ring_tmp_bo.bo, false); +- if (r) { +- radeon_vm_fini(rdev, vm); +- kfree(fpriv); +- goto out_suspend; +- } ++ if (r) ++ goto out_vm_fini; + + /* map the ib pool buffer read only into + * virtual address space */ + vm->ib_bo_va = radeon_vm_bo_add(rdev, vm, + rdev->ring_tmp_bo.bo); ++ if (!vm->ib_bo_va) { ++ r = -ENOMEM; ++ goto out_vm_fini; ++ } ++ + r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va, + RADEON_VA_IB_OFFSET, + RADEON_VM_PAGE_READABLE | + RADEON_VM_PAGE_SNOOPED); +- if (r) { +- radeon_vm_fini(rdev, vm); +- kfree(fpriv); +- goto out_suspend; +- } ++ if (r) ++ goto out_vm_fini; + } + file_priv->driver_priv = fpriv; + } + ++ if (!r) ++ goto out_suspend; ++ ++out_vm_fini: ++ radeon_vm_fini(rdev, vm); ++out_fpriv: ++ kfree(fpriv); + out_suspend: + pm_runtime_mark_last_busy(dev->dev); + pm_runtime_put_autosuspend(dev->dev); +-- +2.34.1 + diff --git a/queue-5.10/drm-rcar-du-fix-crtc-timings-when-cmm-is-used.patch b/queue-5.10/drm-rcar-du-fix-crtc-timings-when-cmm-is-used.patch new file mode 100644 index 00000000000..f360d9c73ef --- /dev/null +++ b/queue-5.10/drm-rcar-du-fix-crtc-timings-when-cmm-is-used.patch @@ -0,0 +1,82 @@ +From 3326cd7338d7eea8153c4ef16877542cbabc841f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Nov 2021 03:10:46 +0200 +Subject: drm: rcar-du: Fix CRTC timings when CMM is used + +From: Laurent Pinchart + +[ Upstream commit f0ce591dc9a97067c6e783a2eaccd22c5476144d ] + +When the CMM is enabled, an offset of 25 pixels must be subtracted from +the HDS (horizontal display start) and HDE (horizontal display end) +registers. Fix the timings calculation, and take this into account in +the mode validation. + +This fixes a visible horizontal offset in the image with VGA monitors. +HDMI monitors seem to be generally more tolerant to incorrect timings, +but may be affected too. + +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rcar-du/rcar_du_crtc.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c +index 1b9738e44909d..065604c5837de 100644 +--- a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c +@@ -215,6 +215,7 @@ static void rcar_du_crtc_set_display_timing(struct rcar_du_crtc *rcrtc) + const struct drm_display_mode *mode = &rcrtc->crtc.state->adjusted_mode; + struct rcar_du_device *rcdu = rcrtc->dev; + unsigned long mode_clock = mode->clock * 1000; ++ unsigned int hdse_offset; + u32 dsmr; + u32 escr; + +@@ -298,10 +299,15 @@ static void rcar_du_crtc_set_display_timing(struct rcar_du_crtc *rcrtc) + | DSMR_DIPM_DISP | DSMR_CSPM; + rcar_du_crtc_write(rcrtc, DSMR, dsmr); + ++ hdse_offset = 19; ++ if (rcrtc->group->cmms_mask & BIT(rcrtc->index % 2)) ++ hdse_offset += 25; ++ + /* Display timings */ +- rcar_du_crtc_write(rcrtc, HDSR, mode->htotal - mode->hsync_start - 19); ++ rcar_du_crtc_write(rcrtc, HDSR, mode->htotal - mode->hsync_start - ++ hdse_offset); + rcar_du_crtc_write(rcrtc, HDER, mode->htotal - mode->hsync_start + +- mode->hdisplay - 19); ++ mode->hdisplay - hdse_offset); + rcar_du_crtc_write(rcrtc, HSWR, mode->hsync_end - + mode->hsync_start - 1); + rcar_du_crtc_write(rcrtc, HCR, mode->htotal - 1); +@@ -831,6 +837,7 @@ rcar_du_crtc_mode_valid(struct drm_crtc *crtc, + struct rcar_du_crtc *rcrtc = to_rcar_crtc(crtc); + struct rcar_du_device *rcdu = rcrtc->dev; + bool interlaced = mode->flags & DRM_MODE_FLAG_INTERLACE; ++ unsigned int min_sync_porch; + unsigned int vbp; + + if (interlaced && !rcar_du_has(rcdu, RCAR_DU_FEATURE_INTERLACED)) +@@ -838,9 +845,14 @@ rcar_du_crtc_mode_valid(struct drm_crtc *crtc, + + /* + * The hardware requires a minimum combined horizontal sync and back +- * porch of 20 pixels and a minimum vertical back porch of 3 lines. ++ * porch of 20 pixels (when CMM isn't used) or 45 pixels (when CMM is ++ * used), and a minimum vertical back porch of 3 lines. + */ +- if (mode->htotal - mode->hsync_start < 20) ++ min_sync_porch = 20; ++ if (rcrtc->group->cmms_mask & BIT(rcrtc->index % 2)) ++ min_sync_porch += 25; ++ ++ if (mode->htotal - mode->hsync_start < min_sync_porch) + return MODE_HBLANK_NARROW; + + vbp = (mode->vtotal - mode->vsync_end) / (interlaced ? 2 : 1); +-- +2.34.1 + diff --git a/queue-5.10/drm-rockchip-dsi-disable-pll-clock-on-bind-error.patch b/queue-5.10/drm-rockchip-dsi-disable-pll-clock-on-bind-error.patch new file mode 100644 index 00000000000..9923ffe4637 --- /dev/null +++ b/queue-5.10/drm-rockchip-dsi-disable-pll-clock-on-bind-error.patch @@ -0,0 +1,64 @@ +From a55a0a28046f51a6043ef53d843323b6fbf9a5c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 14:35:52 -0700 +Subject: drm/rockchip: dsi: Disable PLL clock on bind error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Brian Norris + +[ Upstream commit 5a614570172e1c9f59035d259dd735acd4f1c01b ] + +Fix some error handling here noticed in review of other changes. + +Fixes: 2d4f7bdafd70 ("drm/rockchip: dsi: migrate to use dw-mipi-dsi bridge driver") +Signed-off-by: Brian Norris +Reported-by: Chen-Yu Tsai +Reviewed-by: Chen-Yu Tsai +Tested-by: Nícolas F. R. A. Prado +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20210928143413.v3.4.I8bb7a91ecc411d56bc155763faa15f289d7fc074@changeid +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c +index d3cea42dde436..6691e45230126 100644 +--- a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c ++++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c +@@ -923,7 +923,7 @@ static int dw_mipi_dsi_rockchip_bind(struct device *dev, + ret = clk_prepare_enable(dsi->grf_clk); + if (ret) { + DRM_DEV_ERROR(dsi->dev, "Failed to enable grf_clk: %d\n", ret); +- goto out_pm_runtime; ++ goto out_pll_clk; + } + + dw_mipi_dsi_rockchip_config(dsi); +@@ -935,17 +935,19 @@ static int dw_mipi_dsi_rockchip_bind(struct device *dev, + ret = rockchip_dsi_drm_create_encoder(dsi, drm_dev); + if (ret) { + DRM_DEV_ERROR(dev, "Failed to create drm encoder\n"); +- goto out_pm_runtime; ++ goto out_pll_clk; + } + + ret = dw_mipi_dsi_bind(dsi->dmd, &dsi->encoder); + if (ret) { + DRM_DEV_ERROR(dev, "Failed to bind: %d\n", ret); +- goto out_pm_runtime; ++ goto out_pll_clk; + } + + return 0; + ++out_pll_clk: ++ clk_disable_unprepare(dsi->pllref_clk); + out_pm_runtime: + pm_runtime_put(dsi->dev); + if (dsi->slave) +-- +2.34.1 + diff --git a/queue-5.10/drm-rockchip-dsi-fix-unbalanced-clock-on-probe-error.patch b/queue-5.10/drm-rockchip-dsi-fix-unbalanced-clock-on-probe-error.patch new file mode 100644 index 00000000000..dcb6fd964a8 --- /dev/null +++ b/queue-5.10/drm-rockchip-dsi-fix-unbalanced-clock-on-probe-error.patch @@ -0,0 +1,51 @@ +From ecc0aacaa4f053267e04664265c1b17def833dc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 14:35:51 -0700 +Subject: drm/rockchip: dsi: Fix unbalanced clock on probe error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Brian Norris + +[ Upstream commit 251888398753924059f3bb247a44153a2853137f ] + +Our probe() function never enabled this clock, so we shouldn't disable +it if we fail to probe the bridge. + +Noted by inspection. + +Fixes: 2d4f7bdafd70 ("drm/rockchip: dsi: migrate to use dw-mipi-dsi bridge driver") +Signed-off-by: Brian Norris +Reviewed-by: Chen-Yu Tsai +Tested-by: Nícolas F. R. A. Prado +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20210928143413.v3.3.Ie8ceefb51ab6065a1151869b6fcda41a467d4d2c@changeid +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c +index d0c9610ad2202..433b2f459a7d9 100644 +--- a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c ++++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c +@@ -1126,14 +1126,10 @@ static int dw_mipi_dsi_rockchip_probe(struct platform_device *pdev) + if (ret != -EPROBE_DEFER) + DRM_DEV_ERROR(dev, + "Failed to probe dw_mipi_dsi: %d\n", ret); +- goto err_clkdisable; ++ return ret; + } + + return 0; +- +-err_clkdisable: +- clk_disable_unprepare(dsi->pllref_clk); +- return ret; + } + + static int dw_mipi_dsi_rockchip_remove(struct platform_device *pdev) +-- +2.34.1 + diff --git a/queue-5.10/drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch b/queue-5.10/drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch new file mode 100644 index 00000000000..3e0442ccbd8 --- /dev/null +++ b/queue-5.10/drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch @@ -0,0 +1,156 @@ +From 0422e05fc6079a26361d71532e0b59a21130f7c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 14:35:49 -0700 +Subject: drm/rockchip: dsi: Hold pm-runtime across bind/unbind +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Brian Norris + +[ Upstream commit 514db871922f103886ad4d221cf406b4fcc5e74a ] + +In commit 43c2de1002d2 ("drm/rockchip: dsi: move all lane config except +LCDC mux to bind()"), we moved most HW configuration to bind(), but we +didn't move the runtime PM management. Therefore, depending on initial +boot state, runtime-PM workqueue delays, and other timing factors, we +may disable our power domain in between the hardware configuration +(bind()) and when we enable the display. This can cause us to lose +hardware state and fail to configure our display. For example: + + dw-mipi-dsi-rockchip ff968000.mipi: failed to write command FIFO + panel-innolux-p079zca ff960000.mipi.0: failed to write command 0 + +or: + + dw-mipi-dsi-rockchip ff968000.mipi: failed to write command FIFO + panel-kingdisplay-kd097d04 ff960000.mipi.0: failed write init cmds: -110 + +We should match the runtime PM to the lifetime of the bind()/unbind() +cycle. + +Tested on Acer Chrometab 10 (RK3399 Gru-Scarlet), with panel drivers +built either as modules or built-in. + +Side notes: it seems one is more likely to see this problem when the +panel driver is built into the kernel. I've also seen this problem +bisect down to commits that simply changed Kconfig dependencies, because +it changed the order in which driver init functions were compiled into +the kernel, and therefore the ordering and timing of built-in device +probe. + +Fixes: 43c2de1002d2 ("drm/rockchip: dsi: move all lane config except LCDC mux to bind()") +Link: https://lore.kernel.org/linux-rockchip/9aedfb528600ecf871885f7293ca4207c84d16c1.camel@gmail.com/ +Reported-by: +Cc: +Signed-off-by: Brian Norris +Tested-by: Nícolas F. R. A. Prado +Reviewed-by: Chen-Yu Tsai +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20210928143413.v3.1.Ic2904d37f30013a7f3d8476203ad3733c186827e@changeid +Signed-off-by: Sasha Levin +--- + .../gpu/drm/rockchip/dw-mipi-dsi-rockchip.c | 37 ++++++++++--------- + 1 file changed, 19 insertions(+), 18 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c +index 433b2f459a7d9..d3cea42dde436 100644 +--- a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c ++++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c +@@ -753,10 +753,6 @@ static void dw_mipi_dsi_encoder_enable(struct drm_encoder *encoder) + if (mux < 0) + return; + +- pm_runtime_get_sync(dsi->dev); +- if (dsi->slave) +- pm_runtime_get_sync(dsi->slave->dev); +- + /* + * For the RK3399, the clk of grf must be enabled before writing grf + * register. And for RK3288 or other soc, this grf_clk must be NULL, +@@ -775,20 +771,10 @@ static void dw_mipi_dsi_encoder_enable(struct drm_encoder *encoder) + clk_disable_unprepare(dsi->grf_clk); + } + +-static void dw_mipi_dsi_encoder_disable(struct drm_encoder *encoder) +-{ +- struct dw_mipi_dsi_rockchip *dsi = to_dsi(encoder); +- +- if (dsi->slave) +- pm_runtime_put(dsi->slave->dev); +- pm_runtime_put(dsi->dev); +-} +- + static const struct drm_encoder_helper_funcs + dw_mipi_dsi_encoder_helper_funcs = { + .atomic_check = dw_mipi_dsi_encoder_atomic_check, + .enable = dw_mipi_dsi_encoder_enable, +- .disable = dw_mipi_dsi_encoder_disable, + }; + + static int rockchip_dsi_drm_create_encoder(struct dw_mipi_dsi_rockchip *dsi, +@@ -918,10 +904,14 @@ static int dw_mipi_dsi_rockchip_bind(struct device *dev, + put_device(second); + } + ++ pm_runtime_get_sync(dsi->dev); ++ if (dsi->slave) ++ pm_runtime_get_sync(dsi->slave->dev); ++ + ret = clk_prepare_enable(dsi->pllref_clk); + if (ret) { + DRM_DEV_ERROR(dev, "Failed to enable pllref_clk: %d\n", ret); +- return ret; ++ goto out_pm_runtime; + } + + /* +@@ -933,7 +923,7 @@ static int dw_mipi_dsi_rockchip_bind(struct device *dev, + ret = clk_prepare_enable(dsi->grf_clk); + if (ret) { + DRM_DEV_ERROR(dsi->dev, "Failed to enable grf_clk: %d\n", ret); +- return ret; ++ goto out_pm_runtime; + } + + dw_mipi_dsi_rockchip_config(dsi); +@@ -945,16 +935,23 @@ static int dw_mipi_dsi_rockchip_bind(struct device *dev, + ret = rockchip_dsi_drm_create_encoder(dsi, drm_dev); + if (ret) { + DRM_DEV_ERROR(dev, "Failed to create drm encoder\n"); +- return ret; ++ goto out_pm_runtime; + } + + ret = dw_mipi_dsi_bind(dsi->dmd, &dsi->encoder); + if (ret) { + DRM_DEV_ERROR(dev, "Failed to bind: %d\n", ret); +- return ret; ++ goto out_pm_runtime; + } + + return 0; ++ ++out_pm_runtime: ++ pm_runtime_put(dsi->dev); ++ if (dsi->slave) ++ pm_runtime_put(dsi->slave->dev); ++ ++ return ret; + } + + static void dw_mipi_dsi_rockchip_unbind(struct device *dev, +@@ -969,6 +966,10 @@ static void dw_mipi_dsi_rockchip_unbind(struct device *dev, + dw_mipi_dsi_unbind(dsi->dmd); + + clk_disable_unprepare(dsi->pllref_clk); ++ ++ pm_runtime_put(dsi->dev); ++ if (dsi->slave) ++ pm_runtime_put(dsi->slave->dev); + } + + static const struct component_ops dw_mipi_dsi_rockchip_ops = { +-- +2.34.1 + diff --git a/queue-5.10/drm-tegra-vic-fix-dma-api-misuse.patch b/queue-5.10/drm-tegra-vic-fix-dma-api-misuse.patch new file mode 100644 index 00000000000..3b2615c6039 --- /dev/null +++ b/queue-5.10/drm-tegra-vic-fix-dma-api-misuse.patch @@ -0,0 +1,57 @@ +From 4bf23e088aaabde8eaecd2b67ec0803b0bdd2ff5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 17:54:44 +0000 +Subject: drm/tegra: vic: Fix DMA API misuse + +From: Robin Murphy + +[ Upstream commit 5566174cb10a5167d59b0793871cab7990b149b8 ] + +Upon failure, dma_alloc_coherent() returns NULL. If that does happen, +passing some uninitialised stack contents to dma_mapping_error() - which +belongs to a different API in the first place - has precious little +chance of detecting it. + +Also include the correct header, because the fragile transitive +inclusion currently providing it is going to break soon. + +Fixes: 20e7dce255e9 ("drm/tegra: Remove memory allocation from Falcon library") +CC: Thierry Reding +CC: Mikko Perttunen +CC: dri-devel@lists.freedesktop.org +Signed-off-by: Robin Murphy +Reviewed-by: Christoph Hellwig +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/vic.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/tegra/vic.c b/drivers/gpu/drm/tegra/vic.c +index b77f726303d89..ec0e4d8f0aade 100644 +--- a/drivers/gpu/drm/tegra/vic.c ++++ b/drivers/gpu/drm/tegra/vic.c +@@ -5,6 +5,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -265,10 +266,8 @@ static int vic_load_firmware(struct vic *vic) + + if (!client->group) { + virt = dma_alloc_coherent(vic->dev, size, &iova, GFP_KERNEL); +- +- err = dma_mapping_error(vic->dev, iova); +- if (err < 0) +- return err; ++ if (!virt) ++ return -ENOMEM; + } else { + virt = tegra_drm_alloc(tegra, size, &iova); + } +-- +2.34.1 + diff --git a/queue-5.10/drm-vboxvideo-fix-a-null-vs-is_err-check.patch b/queue-5.10/drm-vboxvideo-fix-a-null-vs-is_err-check.patch new file mode 100644 index 00000000000..ee4cbd5b7f1 --- /dev/null +++ b/queue-5.10/drm-vboxvideo-fix-a-null-vs-is_err-check.patch @@ -0,0 +1,40 @@ +From 8ab9d4259e625688d7106cd03c4221ae7f74895d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Nov 2021 14:12:33 +0300 +Subject: drm/vboxvideo: fix a NULL vs IS_ERR() check + +From: Dan Carpenter + +[ Upstream commit cebbb5c46d0cb0615fd0c62dea9b44273d0a9780 ] + +The devm_gen_pool_create() function never returns NULL, it returns +error pointers. + +Fixes: 4cc9b565454b ("drm/vboxvideo: Use devm_gen_pool_create") +Signed-off-by: Dan Carpenter +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/20211118111233.GA1147@kili +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vboxvideo/vbox_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/vboxvideo/vbox_main.c b/drivers/gpu/drm/vboxvideo/vbox_main.c +index d68d9bad76747..c5ea880d17b29 100644 +--- a/drivers/gpu/drm/vboxvideo/vbox_main.c ++++ b/drivers/gpu/drm/vboxvideo/vbox_main.c +@@ -123,8 +123,8 @@ int vbox_hw_init(struct vbox_private *vbox) + /* Create guest-heap mem-pool use 2^4 = 16 byte chunks */ + vbox->guest_pool = devm_gen_pool_create(vbox->ddev.dev, 4, -1, + "vboxvideo-accel"); +- if (!vbox->guest_pool) +- return -ENOMEM; ++ if (IS_ERR(vbox->guest_pool)) ++ return PTR_ERR(vbox->guest_pool); + + ret = gen_pool_add_virt(vbox->guest_pool, + (unsigned long)vbox->guest_heap, +-- +2.34.1 + diff --git a/queue-5.10/drm-vc4-hdmi-set-a-default-hsm-rate.patch b/queue-5.10/drm-vc4-hdmi-set-a-default-hsm-rate.patch new file mode 100644 index 00000000000..8484500c3bd --- /dev/null +++ b/queue-5.10/drm-vc4-hdmi-set-a-default-hsm-rate.patch @@ -0,0 +1,61 @@ +From 716b9f50a9c165af8af5d610f20ca77a0cf476ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Sep 2021 14:54:17 +0200 +Subject: drm/vc4: hdmi: Set a default HSM rate + +From: Maxime Ripard + +[ Upstream commit 3e85b81591609bb794bb00cd619b20965b5b38cd ] + +When the firmware doesn't setup the HSM rate (such as when booting +without an HDMI cable plugged in), its rate is 0 and thus any register +access results in a CPU stall, even though HSM is enabled. + +Let's enforce a minimum rate at boot to avoid this issue. + +Fixes: 4f6e3d66ac52 ("drm/vc4: Add runtime PM support to the HDMI encoder driver") +Signed-off-by: Maxime Ripard +Reviewed-by: Nicolas Saenz Julienne +Tested-by: Nicolas Saenz Julienne +Tested-by: Michael Stapelberg +Link: https://patchwork.freedesktop.org/patch/msgid/20210922125419.4125779-4-maxime@cerno.tech +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index ee293f061f0a8..5d5c4e9a86218 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -79,6 +79,7 @@ + # define VC4_HD_M_SW_RST BIT(2) + # define VC4_HD_M_ENABLE BIT(0) + ++#define HSM_MIN_CLOCK_FREQ 120000000 + #define CEC_CLOCK_FREQ 40000 + #define VC4_HSM_MID_CLOCK 149985000 + +@@ -1806,6 +1807,19 @@ static int vc4_hdmi_bind(struct device *dev, struct device *master, void *data) + vc4_hdmi->disable_wifi_frequencies = + of_property_read_bool(dev->of_node, "wifi-2.4ghz-coexistence"); + ++ /* ++ * If we boot without any cable connected to the HDMI connector, ++ * the firmware will skip the HSM initialization and leave it ++ * with a rate of 0, resulting in a bus lockup when we're ++ * accessing the registers even if it's enabled. ++ * ++ * Let's put a sensible default at runtime_resume so that we ++ * don't end up in this situation. ++ */ ++ ret = clk_set_min_rate(vc4_hdmi->hsm_clock, HSM_MIN_CLOCK_FREQ); ++ if (ret) ++ goto err_put_ddc; ++ + if (vc4_hdmi->variant->reset) + vc4_hdmi->variant->reset(vc4_hdmi); + +-- +2.34.1 + diff --git a/queue-5.10/dt-bindings-thermal-fix-definition-of-cooling-maps-c.patch b/queue-5.10/dt-bindings-thermal-fix-definition-of-cooling-maps-c.patch new file mode 100644 index 00000000000..efc5451a8f0 --- /dev/null +++ b/queue-5.10/dt-bindings-thermal-fix-definition-of-cooling-maps-c.patch @@ -0,0 +1,67 @@ +From 6d5e072ebcfd19c94eb4317f397730af0635dbea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Nov 2021 11:30:45 +0100 +Subject: dt-bindings: thermal: Fix definition of cooling-maps contribution + property +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Niklas Söderlund + +[ Upstream commit 49bcb1506f2e095262c01bda7fd1c0db524c91e2 ] + +When converting the thermal-zones bindings to yaml the definition of the +contribution property changed. The intention is the same, an integer +value expressing a ratio of a sum on how much cooling is provided by the +device to the zone. But after the conversion the integer value is +limited to the range 0 to 100 and expressed as a percentage. + +This is problematic for two reasons. + +- This do not match how the binding is used. Out of the 18 files that + make use of the property only two (ste-dbx5x0.dtsi and + ste-hrefv60plus.dtsi) sets it at a value that satisfy the binding, + 100. The remaining 16 files set the value higher and fail to validate. + +- Expressing the value as a percentage instead of a ratio of the sum is + confusing as there is nothing to enforce the sum in the zone is not + greater then 100. + +This patch restore the pre yaml conversion description and removes the +value limitation allowing the usage of the bindings to validate. + +Fixes: 1202a442a31fd2e5 ("dt-bindings: thermal: Add yaml bindings for thermal zones") +Reported-by: Kieran Bingham +Signed-off-by: Niklas Söderlund +Link: https://lore.kernel.org/r/20211109103045.1403686-1-niklas.soderlund+renesas@ragnatech.se +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/thermal/thermal-zones.yaml | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/Documentation/devicetree/bindings/thermal/thermal-zones.yaml b/Documentation/devicetree/bindings/thermal/thermal-zones.yaml +index 164f71598c595..1b3954aa71c15 100644 +--- a/Documentation/devicetree/bindings/thermal/thermal-zones.yaml ++++ b/Documentation/devicetree/bindings/thermal/thermal-zones.yaml +@@ -199,12 +199,11 @@ patternProperties: + + contribution: + $ref: /schemas/types.yaml#/definitions/uint32 +- minimum: 0 +- maximum: 100 + description: +- The percentage contribution of the cooling devices at the +- specific trip temperature referenced in this map +- to this thermal zone ++ The cooling contribution to the thermal zone of the referred ++ cooling device at the referred trip point. The contribution is ++ a ratio of the sum of all cooling contributions within a ++ thermal zone. + + required: + - trip +-- +2.34.1 + diff --git a/queue-5.10/edac-synopsys-use-the-quirk-for-version-instead-of-d.patch b/queue-5.10/edac-synopsys-use-the-quirk-for-version-instead-of-d.patch new file mode 100644 index 00000000000..175c00cb32f --- /dev/null +++ b/queue-5.10/edac-synopsys-use-the-quirk-for-version-instead-of-d.patch @@ -0,0 +1,38 @@ +From 2a228255330d00aef30144d2aa3ae4046af612b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Oct 2021 14:07:06 -0500 +Subject: EDAC/synopsys: Use the quirk for version instead of ddr version + +From: Dinh Nguyen + +[ Upstream commit bd1d6da17c296bd005bfa656952710d256e77dd3 ] + +Version 2.40a supports DDR_ECC_INTR_SUPPORT for a quirk, so use that +quirk to determine a call to setup_address_map(). + +Signed-off-by: Dinh Nguyen +Signed-off-by: Borislav Petkov +Reviewed-by: Michal Simek +Link: https://lkml.kernel.org/r/20211012190709.1504152-1-dinguyen@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/edac/synopsys_edac.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/edac/synopsys_edac.c b/drivers/edac/synopsys_edac.c +index 1a801a5d3b08b..92906b56b1a2b 100644 +--- a/drivers/edac/synopsys_edac.c ++++ b/drivers/edac/synopsys_edac.c +@@ -1351,8 +1351,7 @@ static int mc_probe(struct platform_device *pdev) + } + } + +- if (of_device_is_compatible(pdev->dev.of_node, +- "xlnx,zynqmp-ddrc-2.40a")) ++ if (priv->p_data->quirks & DDR_ECC_INTR_SUPPORT) + setup_address_map(priv); + #endif + +-- +2.34.1 + diff --git a/queue-5.10/ext4-avoid-trim-error-on-fs-with-small-groups.patch b/queue-5.10/ext4-avoid-trim-error-on-fs-with-small-groups.patch new file mode 100644 index 00000000000..e867cc27f10 --- /dev/null +++ b/queue-5.10/ext4-avoid-trim-error-on-fs-with-small-groups.patch @@ -0,0 +1,72 @@ +From 74b0b4e7cc56d7b9dc9301f2c3bd3b2c89111f85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Nov 2021 16:22:02 +0100 +Subject: ext4: avoid trim error on fs with small groups + +From: Jan Kara + +[ Upstream commit 173b6e383d2a204c9921ffc1eca3b87aa2106c33 ] + +A user reported FITRIM ioctl failing for him on ext4 on some devices +without apparent reason. After some debugging we've found out that +these devices (being LVM volumes) report rather large discard +granularity of 42MB and the filesystem had 1k blocksize and thus group +size of 8MB. Because ext4 FITRIM implementation puts discard +granularity into minlen, ext4_trim_fs() declared the trim request as +invalid. However just silently doing nothing seems to be a more +appropriate reaction to such combination of parameters since user did +not specify anything wrong. + +CC: Lukas Czerner +Fixes: 5c2ed62fd447 ("ext4: Adjust minlen with discard_granularity in the FITRIM ioctl") +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20211112152202.26614-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/ioctl.c | 2 -- + fs/ext4/mballoc.c | 8 ++++++++ + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index cb54ea6461fd8..413bf3d2f7844 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -1123,8 +1123,6 @@ resizefs_out: + sizeof(range))) + return -EFAULT; + +- range.minlen = max((unsigned int)range.minlen, +- q->limits.discard_granularity); + ret = ext4_trim_fs(sb, &range); + if (ret < 0) + return ret; +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index d7cb7d719ee58..60aef7fdd61d0 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -5815,6 +5815,7 @@ out: + */ + int ext4_trim_fs(struct super_block *sb, struct fstrim_range *range) + { ++ struct request_queue *q = bdev_get_queue(sb->s_bdev); + struct ext4_group_info *grp; + ext4_group_t group, first_group, last_group; + ext4_grpblk_t cnt = 0, first_cluster, last_cluster; +@@ -5833,6 +5834,13 @@ int ext4_trim_fs(struct super_block *sb, struct fstrim_range *range) + start >= max_blks || + range->len < sb->s_blocksize) + return -EINVAL; ++ /* No point to try to trim less than discard granularity */ ++ if (range->minlen < q->limits.discard_granularity) { ++ minlen = EXT4_NUM_B2C(EXT4_SB(sb), ++ q->limits.discard_granularity >> sb->s_blocksize_bits); ++ if (minlen > EXT4_CLUSTERS_PER_GROUP(sb)) ++ goto out; ++ } + if (end >= max_blks) + end = max_blks - 1; + if (end <= first_data_blk) +-- +2.34.1 + diff --git a/queue-5.10/floppy-add-max-size-check-for-user-space-request.patch b/queue-5.10/floppy-add-max-size-check-for-user-space-request.patch new file mode 100644 index 00000000000..c18de73f2d9 --- /dev/null +++ b/queue-5.10/floppy-add-max-size-check-for-user-space-request.patch @@ -0,0 +1,82 @@ +From 4115ad5545acba59c45d285d849d100951a6669c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Nov 2021 21:10:33 +0800 +Subject: floppy: Add max size check for user space request + +From: Xiongwei Song + +[ Upstream commit 545a32498c536ee152331cd2e7d2416aa0f20e01 ] + +We need to check the max request size that is from user space before +allocating pages. If the request size exceeds the limit, return -EINVAL. +This check can avoid the warning below from page allocator. + +WARNING: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 current_gfp_context include/linux/sched/mm.h:195 [inline] +WARNING: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 __alloc_pages+0x45d/0x500 mm/page_alloc.c:5356 +Modules linked in: +CPU: 3 PID: 16525 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 +RIP: 0010:__alloc_pages+0x45d/0x500 mm/page_alloc.c:5344 +Code: be c9 00 00 00 48 c7 c7 20 4a 97 89 c6 05 62 32 a7 0b 01 e8 74 9a 42 07 e9 6a ff ff ff 0f 0b e9 a0 fd ff ff 40 80 e5 3f eb 88 <0f> 0b e9 18 ff ff ff 4c 89 ef 44 89 e6 45 31 ed e8 1e 76 ff ff e9 +RSP: 0018:ffffc90023b87850 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 1ffff92004770f0b RCX: dffffc0000000000 +RDX: 0000000000000000 RSI: 0000000000000033 RDI: 0000000000010cc1 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001 +R10: ffffffff81bb4686 R11: 0000000000000001 R12: ffffffff902c1960 +R13: 0000000000000033 R14: 0000000000000000 R15: ffff88804cf64a30 +FS: 0000000000000000(0000) GS:ffff88802cd00000(0063) knlGS:00000000f44b4b40 +CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 +CR2: 000000002c921000 CR3: 000000004f507000 CR4: 0000000000150ee0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191 + __get_free_pages+0x8/0x40 mm/page_alloc.c:5418 + raw_cmd_copyin drivers/block/floppy.c:3113 [inline] + raw_cmd_ioctl drivers/block/floppy.c:3160 [inline] + fd_locked_ioctl+0x12e5/0x2820 drivers/block/floppy.c:3528 + fd_ioctl drivers/block/floppy.c:3555 [inline] + fd_compat_ioctl+0x891/0x1b60 drivers/block/floppy.c:3869 + compat_blkdev_ioctl+0x3b8/0x810 block/ioctl.c:662 + __do_compat_sys_ioctl+0x1c7/0x290 fs/ioctl.c:972 + do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] + __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178 + do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203 + entry_SYSENTER_compat_after_hwframe+0x4d/0x5c + +Reported-by: syzbot+23a02c7df2cf2bc93fa2@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20211116131033.27685-1-sxwjean@me.com +Signed-off-by: Xiongwei Song +Signed-off-by: Denis Efremov +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index eb4f841902aee..aaee15058d181 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -3169,6 +3169,8 @@ static void raw_cmd_free(struct floppy_raw_cmd **ptr) + } + } + ++#define MAX_LEN (1UL << MAX_ORDER << PAGE_SHIFT) ++ + static int raw_cmd_copyin(int cmd, void __user *param, + struct floppy_raw_cmd **rcmd) + { +@@ -3198,7 +3200,7 @@ loop: + ptr->resultcode = 0; + + if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) { +- if (ptr->length <= 0) ++ if (ptr->length <= 0 || ptr->length >= MAX_LEN) + return -EINVAL; + ptr->kernel_data = (char *)fd_dma_mem_alloc(ptr->length); + fallback_on_nodma_alloc(&ptr->kernel_data, ptr->length); +-- +2.34.1 + diff --git a/queue-5.10/floppy-fix-hang-in-watchdog-when-disk-is-ejected.patch b/queue-5.10/floppy-fix-hang-in-watchdog-when-disk-is-ejected.patch new file mode 100644 index 00000000000..f718dc3d946 --- /dev/null +++ b/queue-5.10/floppy-fix-hang-in-watchdog-when-disk-is-ejected.patch @@ -0,0 +1,52 @@ +From 7c1e145e06d3911cc81f0a5bb8e2fa532d353094 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Sep 2021 09:47:58 +0300 +Subject: floppy: Fix hang in watchdog when disk is ejected + +From: Tasos Sahanidis + +[ Upstream commit fb48febce7e30baed94dd791e19521abd2c3fd83 ] + +When the watchdog detects a disk change, it calls cancel_activity(), +which in turn tries to cancel the fd_timer delayed work. + +In the above scenario, fd_timer_fn is set to fd_watchdog(), meaning +it is trying to cancel its own work. +This results in a hang as cancel_delayed_work_sync() is waiting for the +watchdog (itself) to return, which never happens. + +This can be reproduced relatively consistently by attempting to read a +broken floppy, and ejecting it while IO is being attempted and retried. + +To resolve this, this patch calls cancel_delayed_work() instead, which +cancels the work without waiting for the watchdog to return and finish. + +Before this regression was introduced, the code in this section used +del_timer(), and not del_timer_sync() to delete the watchdog timer. + +Link: https://lore.kernel.org/r/399e486c-6540-db27-76aa-7a271b061f76@tasossah.com +Fixes: 070ad7e793dc ("floppy: convert to delayed work and single-thread wq") +Signed-off-by: Tasos Sahanidis +Signed-off-by: Denis Efremov +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index 7df79ae6b0a1e..eb4f841902aee 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -1015,7 +1015,7 @@ static DECLARE_DELAYED_WORK(fd_timer, fd_timer_workfn); + static void cancel_activity(void) + { + do_floppy = NULL; +- cancel_delayed_work_sync(&fd_timer); ++ cancel_delayed_work(&fd_timer); + cancel_work_sync(&floppy_work); + } + +-- +2.34.1 + diff --git a/queue-5.10/fs-dlm-don-t-call-kernel_getpeername-in-error_report.patch b/queue-5.10/fs-dlm-don-t-call-kernel_getpeername-in-error_report.patch new file mode 100644 index 00000000000..44c4111411f --- /dev/null +++ b/queue-5.10/fs-dlm-don-t-call-kernel_getpeername-in-error_report.patch @@ -0,0 +1,144 @@ +From ce986fca3d7bffb887809b71070f2e7ff2f9654f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 08:57:05 -0500 +Subject: fs: dlm: don't call kernel_getpeername() in error_report() + +From: Alexander Aring + +[ Upstream commit 4c3d90570bcc2b338f70f61f01110268e281ca3c ] + +In some cases kernel_getpeername() will held the socket lock which is +already held when the socket layer calls error_report() callback. Since +commit 9dfc685e0262 ("inet: remove races in inet{6}_getname()") this +problem becomes more likely because the socket lock will be held always. +You will see something like: + +bob9-u5 login: [ 562.316860] BUG: spinlock recursion on CPU#7, swapper/7/0 +[ 562.318562] lock: 0xffff8f2284720088, .magic: dead4ead, .owner: swapper/7/0, .owner_cpu: 7 +[ 562.319522] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 5.15.0+ #135 +[ 562.320346] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.13.0-2.module+el8.3.0+7353+9de0a3cc 04/01/2014 +[ 562.321277] Call Trace: +[ 562.321529] +[ 562.321734] dump_stack_lvl+0x33/0x42 +[ 562.322282] do_raw_spin_lock+0x8b/0xc0 +[ 562.322674] lock_sock_nested+0x1e/0x50 +[ 562.323057] inet_getname+0x39/0x110 +[ 562.323425] ? sock_def_readable+0x80/0x80 +[ 562.323838] lowcomms_error_report+0x63/0x260 [dlm] +[ 562.324338] ? wait_for_completion_interruptible_timeout+0xd2/0x120 +[ 562.324949] ? lock_timer_base+0x67/0x80 +[ 562.325330] ? do_raw_spin_unlock+0x49/0xc0 +[ 562.325735] ? _raw_spin_unlock_irqrestore+0x1e/0x40 +[ 562.326218] ? del_timer+0x54/0x80 +[ 562.326549] sk_error_report+0x12/0x70 +[ 562.326919] tcp_validate_incoming+0x3c8/0x530 +[ 562.327347] ? kvm_clock_read+0x14/0x30 +[ 562.327718] ? ktime_get+0x3b/0xa0 +[ 562.328055] tcp_rcv_established+0x121/0x660 +[ 562.328466] tcp_v4_do_rcv+0x132/0x260 +[ 562.328835] tcp_v4_rcv+0xcea/0xe20 +[ 562.329173] ip_protocol_deliver_rcu+0x35/0x1f0 +[ 562.329615] ip_local_deliver_finish+0x54/0x60 +[ 562.330050] ip_local_deliver+0xf7/0x110 +[ 562.330431] ? inet_rtm_getroute+0x211/0x840 +[ 562.330848] ? ip_protocol_deliver_rcu+0x1f0/0x1f0 +[ 562.331310] ip_rcv+0xe1/0xf0 +[ 562.331603] ? ip_local_deliver+0x110/0x110 +[ 562.332011] __netif_receive_skb_core+0x46a/0x1040 +[ 562.332476] ? inet_gro_receive+0x263/0x2e0 +[ 562.332885] __netif_receive_skb_list_core+0x13b/0x2c0 +[ 562.333383] netif_receive_skb_list_internal+0x1c8/0x2f0 +[ 562.333896] ? update_load_avg+0x7e/0x5e0 +[ 562.334285] gro_normal_list.part.149+0x19/0x40 +[ 562.334722] napi_complete_done+0x67/0x160 +[ 562.335134] virtnet_poll+0x2ad/0x408 [virtio_net] +[ 562.335644] __napi_poll+0x28/0x140 +[ 562.336012] net_rx_action+0x23d/0x300 +[ 562.336414] __do_softirq+0xf2/0x2ea +[ 562.336803] irq_exit_rcu+0xc1/0xf0 +[ 562.337173] common_interrupt+0xb9/0xd0 + +It is and was always forbidden to call kernel_getpeername() in context +of error_report(). To get rid of the problem we access the destination +address for the peer over the socket structure. While on it we fix to +print out the destination port of the inet socket. + +Fixes: 1a31833d085a ("DLM: Replace nodeid_to_addr with kernel_getpeername") +Reported-by: Bob Peterson +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/lowcomms.c | 42 ++++++++++++++++++++---------------------- + 1 file changed, 20 insertions(+), 22 deletions(-) + +diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c +index 0a8645ed4b2d6..904855fa20655 100644 +--- a/fs/dlm/lowcomms.c ++++ b/fs/dlm/lowcomms.c +@@ -471,8 +471,8 @@ int dlm_lowcomms_connect_node(int nodeid) + static void lowcomms_error_report(struct sock *sk) + { + struct connection *con; +- struct sockaddr_storage saddr; + void (*orig_report)(struct sock *) = NULL; ++ struct inet_sock *inet; + + read_lock_bh(&sk->sk_callback_lock); + con = sock2con(sk); +@@ -480,33 +480,31 @@ static void lowcomms_error_report(struct sock *sk) + goto out; + + orig_report = listen_sock.sk_error_report; +- if (kernel_getpeername(sk->sk_socket, (struct sockaddr *)&saddr) < 0) { +- printk_ratelimited(KERN_ERR "dlm: node %d: socket error " +- "sending to node %d, port %d, " +- "sk_err=%d/%d\n", dlm_our_nodeid(), +- con->nodeid, dlm_config.ci_tcp_port, +- sk->sk_err, sk->sk_err_soft); +- } else if (saddr.ss_family == AF_INET) { +- struct sockaddr_in *sin4 = (struct sockaddr_in *)&saddr; + ++ inet = inet_sk(sk); ++ switch (sk->sk_family) { ++ case AF_INET: + printk_ratelimited(KERN_ERR "dlm: node %d: socket error " +- "sending to node %d at %pI4, port %d, " ++ "sending to node %d at %pI4, dport %d, " + "sk_err=%d/%d\n", dlm_our_nodeid(), +- con->nodeid, &sin4->sin_addr.s_addr, +- dlm_config.ci_tcp_port, sk->sk_err, ++ con->nodeid, &inet->inet_daddr, ++ ntohs(inet->inet_dport), sk->sk_err, + sk->sk_err_soft); +- } else { +- struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&saddr; +- ++ break; ++ case AF_INET6: + printk_ratelimited(KERN_ERR "dlm: node %d: socket error " +- "sending to node %d at %u.%u.%u.%u, " +- "port %d, sk_err=%d/%d\n", dlm_our_nodeid(), +- con->nodeid, sin6->sin6_addr.s6_addr32[0], +- sin6->sin6_addr.s6_addr32[1], +- sin6->sin6_addr.s6_addr32[2], +- sin6->sin6_addr.s6_addr32[3], +- dlm_config.ci_tcp_port, sk->sk_err, ++ "sending to node %d at %pI6c, " ++ "dport %d, sk_err=%d/%d\n", dlm_our_nodeid(), ++ con->nodeid, &sk->sk_v6_daddr, ++ ntohs(inet->inet_dport), sk->sk_err, + sk->sk_err_soft); ++ break; ++ default: ++ printk_ratelimited(KERN_ERR "dlm: node %d: socket error " ++ "invalid socket family %d set, " ++ "sk_err=%d/%d\n", dlm_our_nodeid(), ++ sk->sk_family, sk->sk_err, sk->sk_err_soft); ++ goto out; + } + out: + read_unlock_bh(&sk->sk_callback_lock); +-- +2.34.1 + diff --git a/queue-5.10/fs-dlm-filter-user-dlm-messages-for-kernel-locks.patch b/queue-5.10/fs-dlm-filter-user-dlm-messages-for-kernel-locks.patch new file mode 100644 index 00000000000..daf6bde6e15 --- /dev/null +++ b/queue-5.10/fs-dlm-filter-user-dlm-messages-for-kernel-locks.patch @@ -0,0 +1,118 @@ +From 9f2bf4d49d99a9ff46a7778fe50d9c70202fa2dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Nov 2021 15:17:24 -0400 +Subject: fs: dlm: filter user dlm messages for kernel locks + +From: Alexander Aring + +[ Upstream commit 6c2e3bf68f3e5e5a647aa52be246d5f552d7496d ] + +This patch fixes the following crash by receiving a invalid message: + +[ 160.672220] ================================================================== +[ 160.676206] BUG: KASAN: user-memory-access in dlm_user_add_ast+0xc3/0x370 +[ 160.679659] Read of size 8 at addr 00000000deadbeef by task kworker/u32:13/319 +[ 160.681447] +[ 160.681824] CPU: 10 PID: 319 Comm: kworker/u32:13 Not tainted 5.14.0-rc2+ #399 +[ 160.683472] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.14.0-1.module+el8.6.0+12648+6ede71a5 04/01/2014 +[ 160.685574] Workqueue: dlm_recv process_recv_sockets +[ 160.686721] Call Trace: +[ 160.687310] dump_stack_lvl+0x56/0x6f +[ 160.688169] ? dlm_user_add_ast+0xc3/0x370 +[ 160.689116] kasan_report.cold.14+0x116/0x11b +[ 160.690138] ? dlm_user_add_ast+0xc3/0x370 +[ 160.690832] dlm_user_add_ast+0xc3/0x370 +[ 160.691502] _receive_unlock_reply+0x103/0x170 +[ 160.692241] _receive_message+0x11df/0x1ec0 +[ 160.692926] ? rcu_read_lock_sched_held+0xa1/0xd0 +[ 160.693700] ? rcu_read_lock_bh_held+0xb0/0xb0 +[ 160.694427] ? lock_acquire+0x175/0x400 +[ 160.695058] ? do_purge.isra.51+0x200/0x200 +[ 160.695744] ? lock_acquired+0x360/0x5d0 +[ 160.696400] ? lock_contended+0x6a0/0x6a0 +[ 160.697055] ? lock_release+0x21d/0x5e0 +[ 160.697686] ? lock_is_held_type+0xe0/0x110 +[ 160.698352] ? lock_is_held_type+0xe0/0x110 +[ 160.699026] ? ___might_sleep+0x1cc/0x1e0 +[ 160.699698] ? dlm_wait_requestqueue+0x94/0x140 +[ 160.700451] ? dlm_process_requestqueue+0x240/0x240 +[ 160.701249] ? down_write_killable+0x2b0/0x2b0 +[ 160.701988] ? do_raw_spin_unlock+0xa2/0x130 +[ 160.702690] dlm_receive_buffer+0x1a5/0x210 +[ 160.703385] dlm_process_incoming_buffer+0x726/0x9f0 +[ 160.704210] receive_from_sock+0x1c0/0x3b0 +[ 160.704886] ? dlm_tcp_shutdown+0x30/0x30 +[ 160.705561] ? lock_acquire+0x175/0x400 +[ 160.706197] ? rcu_read_lock_sched_held+0xa1/0xd0 +[ 160.706941] ? rcu_read_lock_bh_held+0xb0/0xb0 +[ 160.707681] process_recv_sockets+0x32/0x40 +[ 160.708366] process_one_work+0x55e/0xad0 +[ 160.709045] ? pwq_dec_nr_in_flight+0x110/0x110 +[ 160.709820] worker_thread+0x65/0x5e0 +[ 160.710423] ? process_one_work+0xad0/0xad0 +[ 160.711087] kthread+0x1ed/0x220 +[ 160.711628] ? set_kthread_struct+0x80/0x80 +[ 160.712314] ret_from_fork+0x22/0x30 + +The issue is that we received a DLM message for a user lock but the +destination lock is a kernel lock. Note that the address which is trying +to derefence is 00000000deadbeef, which is in a kernel lock +lkb->lkb_astparam, this field should never be derefenced by the DLM +kernel stack. In case of a user lock lkb->lkb_astparam is lkb->lkb_ua +(memory is shared by a union field). The struct lkb_ua will be handled +by the DLM kernel stack but on a kernel lock it will contain invalid +data and ends in most likely crashing the kernel. + +It can be reproduced with two cluster nodes. + +node 2: +dlm_tool join test +echo "862 fooobaar 1 2 1" > /sys/kernel/debug/dlm/test_locks +echo "862 3 1" > /sys/kernel/debug/dlm/test_waiters + +node 1: +dlm_tool join test + +python: +foo = DLM(h_cmd=3, o_nextcmd=1, h_nodeid=1, h_lockspace=0x77222027, \ + m_type=7, m_flags=0x1, m_remid=0x862, m_result=0xFFFEFFFE) +newFile = open("/sys/kernel/debug/dlm/comms/2/rawmsg", "wb") +newFile.write(bytes(foo)) + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/lock.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c +index 002123efc6b05..1e9d8999b9390 100644 +--- a/fs/dlm/lock.c ++++ b/fs/dlm/lock.c +@@ -3975,6 +3975,14 @@ static int validate_message(struct dlm_lkb *lkb, struct dlm_message *ms) + int from = ms->m_header.h_nodeid; + int error = 0; + ++ /* currently mixing of user/kernel locks are not supported */ ++ if (ms->m_flags & DLM_IFL_USER && ~lkb->lkb_flags & DLM_IFL_USER) { ++ log_error(lkb->lkb_resource->res_ls, ++ "got user dlm message for a kernel lock"); ++ error = -EINVAL; ++ goto out; ++ } ++ + switch (ms->m_type) { + case DLM_MSG_CONVERT: + case DLM_MSG_UNLOCK: +@@ -4003,6 +4011,7 @@ static int validate_message(struct dlm_lkb *lkb, struct dlm_message *ms) + error = -EINVAL; + } + ++out: + if (error) + log_error(lkb->lkb_resource->res_ls, + "ignore invalid message %d from %d %x %x %x %d", +-- +2.34.1 + diff --git a/queue-5.10/fs-dlm-fix-build-with-config_ipv6-disabled.patch b/queue-5.10/fs-dlm-fix-build-with-config_ipv6-disabled.patch new file mode 100644 index 00000000000..68b083bd2ec --- /dev/null +++ b/queue-5.10/fs-dlm-fix-build-with-config_ipv6-disabled.patch @@ -0,0 +1,49 @@ +From 80de903772b5d2dc333d800178b68892cffc1ad1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 09:20:43 -0500 +Subject: fs: dlm: fix build with CONFIG_IPV6 disabled + +From: Alexander Aring + +[ Upstream commit 1b9beda83e27a0c2cd75d1cb743c297c7b36c844 ] + +This patch will surround the AF_INET6 case in sk_error_report() of dlm +with a #if IS_ENABLED(CONFIG_IPV6). The field sk->sk_v6_daddr is not +defined when CONFIG_IPV6 is disabled. If CONFIG_IPV6 is disabled, the +socket creation with AF_INET6 should already fail because a runtime +check if AF_INET6 is registered. However if there is the possibility +that AF_INET6 is set as sk_family the sk_error_report() callback will +print then an invalid family type error. + +Reported-by: kernel test robot +Fixes: 4c3d90570bcc ("fs: dlm: don't call kernel_getpeername() in error_report()") +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/lowcomms.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c +index 904855fa20655..68b765369c928 100644 +--- a/fs/dlm/lowcomms.c ++++ b/fs/dlm/lowcomms.c +@@ -491,6 +491,7 @@ static void lowcomms_error_report(struct sock *sk) + ntohs(inet->inet_dport), sk->sk_err, + sk->sk_err_soft); + break; ++#if IS_ENABLED(CONFIG_IPV6) + case AF_INET6: + printk_ratelimited(KERN_ERR "dlm: node %d: socket error " + "sending to node %d at %pI6c, " +@@ -499,6 +500,7 @@ static void lowcomms_error_report(struct sock *sk) + ntohs(inet->inet_dport), sk->sk_err, + sk->sk_err_soft); + break; ++#endif + default: + printk_ratelimited(KERN_ERR "dlm: node %d: socket error " + "invalid socket family %d set, " +-- +2.34.1 + diff --git a/queue-5.10/fs-dlm-use-sk-sk_socket-instead-of-con-sock.patch b/queue-5.10/fs-dlm-use-sk-sk_socket-instead-of-con-sock.patch new file mode 100644 index 00000000000..268dc2d2e7f --- /dev/null +++ b/queue-5.10/fs-dlm-use-sk-sk_socket-instead-of-con-sock.patch @@ -0,0 +1,36 @@ +From 7c4744439196cc2203ff3d1588cb8b1509c98303 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 16:22:34 -0400 +Subject: fs: dlm: use sk->sk_socket instead of con->sock + +From: Alexander Aring + +[ Upstream commit feb704bd17786c8ff52a49d7759b8ee4f3a5aaac ] + +Instead of dereference "con->sock" we can get the socket structure over +"sk->sk_socket" as well. This patch will switch to this behaviour. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/lowcomms.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c +index 0c78fdfb1f6fa..0a8645ed4b2d6 100644 +--- a/fs/dlm/lowcomms.c ++++ b/fs/dlm/lowcomms.c +@@ -480,8 +480,7 @@ static void lowcomms_error_report(struct sock *sk) + goto out; + + orig_report = listen_sock.sk_error_report; +- if (con->sock == NULL || +- kernel_getpeername(con->sock, (struct sockaddr *)&saddr) < 0) { ++ if (kernel_getpeername(sk->sk_socket, (struct sockaddr *)&saddr) < 0) { + printk_ratelimited(KERN_ERR "dlm: node %d: socket error " + "sending to node %d, port %d, " + "sk_err=%d/%d\n", dlm_our_nodeid(), +-- +2.34.1 + diff --git a/queue-5.10/fsl-fman-check-for-null-pointer-after-calling-devm_i.patch b/queue-5.10/fsl-fman-check-for-null-pointer-after-calling-devm_i.patch new file mode 100644 index 00000000000..1034baf3518 --- /dev/null +++ b/queue-5.10/fsl-fman-check-for-null-pointer-after-calling-devm_i.patch @@ -0,0 +1,96 @@ +From b19efee12965861057e998cb75adbc8aa07cc665 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jan 2022 18:04:10 +0800 +Subject: fsl/fman: Check for null pointer after calling devm_ioremap + +From: Jiasheng Jiang + +[ Upstream commit d5a73ec96cc57cf67e51b12820fc2354e7ca46f8 ] + +As the possible failure of the allocation, the devm_ioremap() may return +NULL pointer. +Take tgec_initialization() as an example. +If allocation fails, the params->base_addr will be NULL pointer and will +be assigned to tgec->regs in tgec_config(). +Then it will cause the dereference of NULL pointer in set_mac_address(), +which is called by tgec_init(). +Therefore, it should be better to add the sanity check after the calling +of the devm_ioremap(). + +Fixes: 3933961682a3 ("fsl/fman: Add FMan MAC driver") +Signed-off-by: Jiasheng Jiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fman/mac.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fman/mac.c b/drivers/net/ethernet/freescale/fman/mac.c +index 901749a7a318b..6eeccc11b76ef 100644 +--- a/drivers/net/ethernet/freescale/fman/mac.c ++++ b/drivers/net/ethernet/freescale/fman/mac.c +@@ -94,14 +94,17 @@ static void mac_exception(void *handle, enum fman_mac_exceptions ex) + __func__, ex); + } + +-static void set_fman_mac_params(struct mac_device *mac_dev, +- struct fman_mac_params *params) ++static int set_fman_mac_params(struct mac_device *mac_dev, ++ struct fman_mac_params *params) + { + struct mac_priv_s *priv = mac_dev->priv; + + params->base_addr = (typeof(params->base_addr)) + devm_ioremap(priv->dev, mac_dev->res->start, + resource_size(mac_dev->res)); ++ if (!params->base_addr) ++ return -ENOMEM; ++ + memcpy(¶ms->addr, mac_dev->addr, sizeof(mac_dev->addr)); + params->max_speed = priv->max_speed; + params->phy_if = mac_dev->phy_if; +@@ -112,6 +115,8 @@ static void set_fman_mac_params(struct mac_device *mac_dev, + params->event_cb = mac_exception; + params->dev_id = mac_dev; + params->internal_phy_node = priv->internal_phy_node; ++ ++ return 0; + } + + static int tgec_initialization(struct mac_device *mac_dev) +@@ -123,7 +128,9 @@ static int tgec_initialization(struct mac_device *mac_dev) + + priv = mac_dev->priv; + +- set_fman_mac_params(mac_dev, ¶ms); ++ err = set_fman_mac_params(mac_dev, ¶ms); ++ if (err) ++ goto _return; + + mac_dev->fman_mac = tgec_config(¶ms); + if (!mac_dev->fman_mac) { +@@ -169,7 +176,9 @@ static int dtsec_initialization(struct mac_device *mac_dev) + + priv = mac_dev->priv; + +- set_fman_mac_params(mac_dev, ¶ms); ++ err = set_fman_mac_params(mac_dev, ¶ms); ++ if (err) ++ goto _return; + + mac_dev->fman_mac = dtsec_config(¶ms); + if (!mac_dev->fman_mac) { +@@ -218,7 +227,9 @@ static int memac_initialization(struct mac_device *mac_dev) + + priv = mac_dev->priv; + +- set_fman_mac_params(mac_dev, ¶ms); ++ err = set_fman_mac_params(mac_dev, ¶ms); ++ if (err) ++ goto _return; + + if (priv->max_speed == SPEED_10000) + params.phy_if = PHY_INTERFACE_MODE_XGMII; +-- +2.34.1 + diff --git a/queue-5.10/gpio-aspeed-convert-aspeed_gpio.lock-to-raw_spinlock.patch b/queue-5.10/gpio-aspeed-convert-aspeed_gpio.lock-to-raw_spinlock.patch new file mode 100644 index 00000000000..872c78bfe4c --- /dev/null +++ b/queue-5.10/gpio-aspeed-convert-aspeed_gpio.lock-to-raw_spinlock.patch @@ -0,0 +1,258 @@ +From d5d7d617d6e45f6e4829bd16c6140d93efdaad5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Dec 2021 18:10:26 +0100 +Subject: gpio: aspeed: Convert aspeed_gpio.lock to raw_spinlock + +From: Iwona Winiarska + +[ Upstream commit 61a7904b6ace99b1bde0d0e867fa3097f5c8cee2 ] + +The gpio-aspeed driver implements an irq_chip which need to be invoked +from hardirq context. Since spin_lock() can sleep with PREEMPT_RT, it is +no longer legal to invoke it while interrupts are disabled. +This also causes lockdep to complain about: +[ 0.649797] [ BUG: Invalid wait context ] +because aspeed_gpio.lock (spin_lock_t) is taken under irq_desc.lock +(raw_spinlock_t). +Let's use of raw_spinlock_t instead of spinlock_t. + +Signed-off-by: Iwona Winiarska +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-aspeed.c | 52 +++++++++++++++++++------------------- + 1 file changed, 26 insertions(+), 26 deletions(-) + +diff --git a/drivers/gpio/gpio-aspeed.c b/drivers/gpio/gpio-aspeed.c +index b966f5e28ebff..e0d5d80ec8e0f 100644 +--- a/drivers/gpio/gpio-aspeed.c ++++ b/drivers/gpio/gpio-aspeed.c +@@ -53,7 +53,7 @@ struct aspeed_gpio_config { + struct aspeed_gpio { + struct gpio_chip chip; + struct irq_chip irqc; +- spinlock_t lock; ++ raw_spinlock_t lock; + void __iomem *base; + int irq; + const struct aspeed_gpio_config *config; +@@ -413,14 +413,14 @@ static void aspeed_gpio_set(struct gpio_chip *gc, unsigned int offset, + unsigned long flags; + bool copro; + +- spin_lock_irqsave(&gpio->lock, flags); ++ raw_spin_lock_irqsave(&gpio->lock, flags); + copro = aspeed_gpio_copro_request(gpio, offset); + + __aspeed_gpio_set(gc, offset, val); + + if (copro) + aspeed_gpio_copro_release(gpio, offset); +- spin_unlock_irqrestore(&gpio->lock, flags); ++ raw_spin_unlock_irqrestore(&gpio->lock, flags); + } + + static int aspeed_gpio_dir_in(struct gpio_chip *gc, unsigned int offset) +@@ -435,7 +435,7 @@ static int aspeed_gpio_dir_in(struct gpio_chip *gc, unsigned int offset) + if (!have_input(gpio, offset)) + return -ENOTSUPP; + +- spin_lock_irqsave(&gpio->lock, flags); ++ raw_spin_lock_irqsave(&gpio->lock, flags); + + reg = ioread32(addr); + reg &= ~GPIO_BIT(offset); +@@ -445,7 +445,7 @@ static int aspeed_gpio_dir_in(struct gpio_chip *gc, unsigned int offset) + if (copro) + aspeed_gpio_copro_release(gpio, offset); + +- spin_unlock_irqrestore(&gpio->lock, flags); ++ raw_spin_unlock_irqrestore(&gpio->lock, flags); + + return 0; + } +@@ -463,7 +463,7 @@ static int aspeed_gpio_dir_out(struct gpio_chip *gc, + if (!have_output(gpio, offset)) + return -ENOTSUPP; + +- spin_lock_irqsave(&gpio->lock, flags); ++ raw_spin_lock_irqsave(&gpio->lock, flags); + + reg = ioread32(addr); + reg |= GPIO_BIT(offset); +@@ -474,7 +474,7 @@ static int aspeed_gpio_dir_out(struct gpio_chip *gc, + + if (copro) + aspeed_gpio_copro_release(gpio, offset); +- spin_unlock_irqrestore(&gpio->lock, flags); ++ raw_spin_unlock_irqrestore(&gpio->lock, flags); + + return 0; + } +@@ -492,11 +492,11 @@ static int aspeed_gpio_get_direction(struct gpio_chip *gc, unsigned int offset) + if (!have_output(gpio, offset)) + return GPIO_LINE_DIRECTION_IN; + +- spin_lock_irqsave(&gpio->lock, flags); ++ raw_spin_lock_irqsave(&gpio->lock, flags); + + val = ioread32(bank_reg(gpio, bank, reg_dir)) & GPIO_BIT(offset); + +- spin_unlock_irqrestore(&gpio->lock, flags); ++ raw_spin_unlock_irqrestore(&gpio->lock, flags); + + return val ? GPIO_LINE_DIRECTION_OUT : GPIO_LINE_DIRECTION_IN; + } +@@ -539,14 +539,14 @@ static void aspeed_gpio_irq_ack(struct irq_data *d) + + status_addr = bank_reg(gpio, bank, reg_irq_status); + +- spin_lock_irqsave(&gpio->lock, flags); ++ raw_spin_lock_irqsave(&gpio->lock, flags); + copro = aspeed_gpio_copro_request(gpio, offset); + + iowrite32(bit, status_addr); + + if (copro) + aspeed_gpio_copro_release(gpio, offset); +- spin_unlock_irqrestore(&gpio->lock, flags); ++ raw_spin_unlock_irqrestore(&gpio->lock, flags); + } + + static void aspeed_gpio_irq_set_mask(struct irq_data *d, bool set) +@@ -565,7 +565,7 @@ static void aspeed_gpio_irq_set_mask(struct irq_data *d, bool set) + + addr = bank_reg(gpio, bank, reg_irq_enable); + +- spin_lock_irqsave(&gpio->lock, flags); ++ raw_spin_lock_irqsave(&gpio->lock, flags); + copro = aspeed_gpio_copro_request(gpio, offset); + + reg = ioread32(addr); +@@ -577,7 +577,7 @@ static void aspeed_gpio_irq_set_mask(struct irq_data *d, bool set) + + if (copro) + aspeed_gpio_copro_release(gpio, offset); +- spin_unlock_irqrestore(&gpio->lock, flags); ++ raw_spin_unlock_irqrestore(&gpio->lock, flags); + } + + static void aspeed_gpio_irq_mask(struct irq_data *d) +@@ -629,7 +629,7 @@ static int aspeed_gpio_set_type(struct irq_data *d, unsigned int type) + return -EINVAL; + } + +- spin_lock_irqsave(&gpio->lock, flags); ++ raw_spin_lock_irqsave(&gpio->lock, flags); + copro = aspeed_gpio_copro_request(gpio, offset); + + addr = bank_reg(gpio, bank, reg_irq_type0); +@@ -649,7 +649,7 @@ static int aspeed_gpio_set_type(struct irq_data *d, unsigned int type) + + if (copro) + aspeed_gpio_copro_release(gpio, offset); +- spin_unlock_irqrestore(&gpio->lock, flags); ++ raw_spin_unlock_irqrestore(&gpio->lock, flags); + + irq_set_handler_locked(d, handler); + +@@ -719,7 +719,7 @@ static int aspeed_gpio_reset_tolerance(struct gpio_chip *chip, + + treg = bank_reg(gpio, to_bank(offset), reg_tolerance); + +- spin_lock_irqsave(&gpio->lock, flags); ++ raw_spin_lock_irqsave(&gpio->lock, flags); + copro = aspeed_gpio_copro_request(gpio, offset); + + val = readl(treg); +@@ -733,7 +733,7 @@ static int aspeed_gpio_reset_tolerance(struct gpio_chip *chip, + + if (copro) + aspeed_gpio_copro_release(gpio, offset); +- spin_unlock_irqrestore(&gpio->lock, flags); ++ raw_spin_unlock_irqrestore(&gpio->lock, flags); + + return 0; + } +@@ -859,7 +859,7 @@ static int enable_debounce(struct gpio_chip *chip, unsigned int offset, + return rc; + } + +- spin_lock_irqsave(&gpio->lock, flags); ++ raw_spin_lock_irqsave(&gpio->lock, flags); + + if (timer_allocation_registered(gpio, offset)) { + rc = unregister_allocated_timer(gpio, offset); +@@ -919,7 +919,7 @@ static int enable_debounce(struct gpio_chip *chip, unsigned int offset, + configure_timer(gpio, offset, i); + + out: +- spin_unlock_irqrestore(&gpio->lock, flags); ++ raw_spin_unlock_irqrestore(&gpio->lock, flags); + + return rc; + } +@@ -930,13 +930,13 @@ static int disable_debounce(struct gpio_chip *chip, unsigned int offset) + unsigned long flags; + int rc; + +- spin_lock_irqsave(&gpio->lock, flags); ++ raw_spin_lock_irqsave(&gpio->lock, flags); + + rc = unregister_allocated_timer(gpio, offset); + if (!rc) + configure_timer(gpio, offset, 0); + +- spin_unlock_irqrestore(&gpio->lock, flags); ++ raw_spin_unlock_irqrestore(&gpio->lock, flags); + + return rc; + } +@@ -1018,7 +1018,7 @@ int aspeed_gpio_copro_grab_gpio(struct gpio_desc *desc, + return -EINVAL; + bindex = offset >> 3; + +- spin_lock_irqsave(&gpio->lock, flags); ++ raw_spin_lock_irqsave(&gpio->lock, flags); + + /* Sanity check, this shouldn't happen */ + if (gpio->cf_copro_bankmap[bindex] == 0xff) { +@@ -1039,7 +1039,7 @@ int aspeed_gpio_copro_grab_gpio(struct gpio_desc *desc, + if (bit) + *bit = GPIO_OFFSET(offset); + bail: +- spin_unlock_irqrestore(&gpio->lock, flags); ++ raw_spin_unlock_irqrestore(&gpio->lock, flags); + return rc; + } + EXPORT_SYMBOL_GPL(aspeed_gpio_copro_grab_gpio); +@@ -1063,7 +1063,7 @@ int aspeed_gpio_copro_release_gpio(struct gpio_desc *desc) + return -EINVAL; + bindex = offset >> 3; + +- spin_lock_irqsave(&gpio->lock, flags); ++ raw_spin_lock_irqsave(&gpio->lock, flags); + + /* Sanity check, this shouldn't happen */ + if (gpio->cf_copro_bankmap[bindex] == 0) { +@@ -1077,7 +1077,7 @@ int aspeed_gpio_copro_release_gpio(struct gpio_desc *desc) + aspeed_gpio_change_cmd_source(gpio, bank, bindex, + GPIO_CMDSRC_ARM); + bail: +- spin_unlock_irqrestore(&gpio->lock, flags); ++ raw_spin_unlock_irqrestore(&gpio->lock, flags); + return rc; + } + EXPORT_SYMBOL_GPL(aspeed_gpio_copro_release_gpio); +@@ -1151,7 +1151,7 @@ static int __init aspeed_gpio_probe(struct platform_device *pdev) + if (IS_ERR(gpio->base)) + return PTR_ERR(gpio->base); + +- spin_lock_init(&gpio->lock); ++ raw_spin_lock_init(&gpio->lock); + + gpio_id = of_match_node(aspeed_gpio_of_table, pdev->dev.of_node); + if (!gpio_id) +-- +2.34.1 + diff --git a/queue-5.10/gpiolib-acpi-do-not-set-the-irq-type-if-the-irq-is-a.patch b/queue-5.10/gpiolib-acpi-do-not-set-the-irq-type-if-the-irq-is-a.patch new file mode 100644 index 00000000000..2450d806669 --- /dev/null +++ b/queue-5.10/gpiolib-acpi-do-not-set-the-irq-type-if-the-irq-is-a.patch @@ -0,0 +1,61 @@ +From b6e7ae40f72a24ab66958e60c64eb3687109b15e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Nov 2021 21:30:10 +0100 +Subject: gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use + +From: Hans de Goede + +[ Upstream commit bdfd6ab8fdccd8b138837efff66f4a1911496378 ] + +If the IRQ is already in use, then acpi_dev_gpio_irq_get_by() really +should not change the type underneath the current owner. + +I specifically hit an issue with this an a Chuwi Hi8 Super (CWI509) Bay +Trail tablet, when the Boot OS selection in the BIOS is set to Android. +In this case _STA for a MAX17047 ACPI I2C device wrongly returns 0xf and +the _CRS resources for this device include a GpioInt pointing to a GPIO +already in use by an _AEI handler, with a different type then specified +in the _CRS for the MAX17047 device. Leading to the acpi_dev_gpio_irq_get() +call done by the i2c-core-acpi.c code changing the type breaking the +_AEI handler. + +Now this clearly is a bug in the DSDT of this tablet (in Android mode), +but in general calling irq_set_irq_type() on an IRQ which already is +in use seems like a bad idea. + +Signed-off-by: Hans de Goede +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-acpi.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c +index 6f11714ce0239..55e4f402ec8b6 100644 +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -969,10 +969,17 @@ int acpi_dev_gpio_irq_get_by(struct acpi_device *adev, const char *name, int ind + irq_flags = acpi_dev_get_irq_type(info.triggering, + info.polarity); + +- /* Set type if specified and different than the current one */ +- if (irq_flags != IRQ_TYPE_NONE && +- irq_flags != irq_get_trigger_type(irq)) +- irq_set_irq_type(irq, irq_flags); ++ /* ++ * If the IRQ is not already in use then set type ++ * if specified and different than the current one. ++ */ ++ if (can_request_irq(irq, irq_flags)) { ++ if (irq_flags != IRQ_TYPE_NONE && ++ irq_flags != irq_get_trigger_type(irq)) ++ irq_set_irq_type(irq, irq_flags); ++ } else { ++ dev_dbg(&adev->dev, "IRQ %d already in use\n", irq); ++ } + + return irq; + } +-- +2.34.1 + diff --git a/queue-5.10/hid-apple-do-not-reset-quirks-when-the-fn-key-is-not.patch b/queue-5.10/hid-apple-do-not-reset-quirks-when-the-fn-key-is-not.patch new file mode 100644 index 00000000000..5a9b3661bf4 --- /dev/null +++ b/queue-5.10/hid-apple-do-not-reset-quirks-when-the-fn-key-is-not.patch @@ -0,0 +1,38 @@ +From a6a59e18de079f8b45a69e8b4250763c0651a6b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Nov 2021 08:29:53 +0100 +Subject: HID: apple: Do not reset quirks when the Fn key is not found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit a5fe7864d8ada170f19cc47d176bf8260ffb4263 ] + +When a keyboard without a function key is detected, instead of removing +all quirks, remove only the APPLE_HAS_FN quirk. + +Signed-off-by: José Expósito +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-apple.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c +index 5c1d33cda863b..e5d2e7e9541b8 100644 +--- a/drivers/hid/hid-apple.c ++++ b/drivers/hid/hid-apple.c +@@ -415,7 +415,7 @@ static int apple_input_configured(struct hid_device *hdev, + + if ((asc->quirks & APPLE_HAS_FN) && !asc->fn_found) { + hid_info(hdev, "Fn key not found (Apple Wireless Keyboard clone?), disabling Fn key handling\n"); +- asc->quirks = 0; ++ asc->quirks &= ~APPLE_HAS_FN; + } + + return 0; +-- +2.34.1 + diff --git a/queue-5.10/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch b/queue-5.10/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch new file mode 100644 index 00000000000..6065fb5218f --- /dev/null +++ b/queue-5.10/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch @@ -0,0 +1,62 @@ +From c45635381d51ac131aa749868e83709cbcd8e7a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jan 2022 18:29:12 +0100 +Subject: HID: hid-uclogic-params: Invalid parameter check in + uclogic_params_init +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit f364c571a5c77e96de2d32062ff019d6b8d2e2bc ] + +The function performs a check on its input parameters, however, the +hdev parameter is used before the check. + +Initialize the stack variables after checking the input parameters to +avoid a possible NULL pointer dereference. + +Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module") +Addresses-Coverity-ID: 1443831 ("Null pointer dereference") +Signed-off-by: José Expósito +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-uclogic-params.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/hid/hid-uclogic-params.c b/drivers/hid/hid-uclogic-params.c +index dd05bed4ca53a..851ab8e24f9d7 100644 +--- a/drivers/hid/hid-uclogic-params.c ++++ b/drivers/hid/hid-uclogic-params.c +@@ -832,10 +832,10 @@ int uclogic_params_init(struct uclogic_params *params, + struct hid_device *hdev) + { + int rc; +- struct usb_device *udev = hid_to_usb_dev(hdev); +- __u8 bNumInterfaces = udev->config->desc.bNumInterfaces; +- struct usb_interface *iface = to_usb_interface(hdev->dev.parent); +- __u8 bInterfaceNumber = iface->cur_altsetting->desc.bInterfaceNumber; ++ struct usb_device *udev; ++ __u8 bNumInterfaces; ++ struct usb_interface *iface; ++ __u8 bInterfaceNumber; + bool found; + /* The resulting parameters (noop) */ + struct uclogic_params p = {0, }; +@@ -846,6 +846,11 @@ int uclogic_params_init(struct uclogic_params *params, + goto cleanup; + } + ++ udev = hid_to_usb_dev(hdev); ++ bNumInterfaces = udev->config->desc.bNumInterfaces; ++ iface = to_usb_interface(hdev->dev.parent); ++ bInterfaceNumber = iface->cur_altsetting->desc.bInterfaceNumber; ++ + /* + * Set replacement report descriptor if the original matches the + * specified size. Otherwise keep interface unchanged. +-- +2.34.1 + diff --git a/queue-5.10/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-21754 b/queue-5.10/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-21754 new file mode 100644 index 00000000000..fcf12420a7a --- /dev/null +++ b/queue-5.10/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-21754 @@ -0,0 +1,53 @@ +From 52310593bd30b65291c2ec4f25b7d0fd9204a6d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jan 2022 18:29:13 +0100 +Subject: HID: hid-uclogic-params: Invalid parameter check in + uclogic_params_get_str_desc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit 0a94131d6920916ccb6a357037c535533af08819 ] + +The function performs a check on the hdev input parameters, however, it +is used before the check. + +Initialize the udev variable after the sanity check to avoid a +possible NULL pointer dereference. + +Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module") +Addresses-Coverity-ID: 1443827 ("Null pointer dereference") +Signed-off-by: José Expósito +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-uclogic-params.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-uclogic-params.c b/drivers/hid/hid-uclogic-params.c +index 851ab8e24f9d7..a751c9a49360f 100644 +--- a/drivers/hid/hid-uclogic-params.c ++++ b/drivers/hid/hid-uclogic-params.c +@@ -65,7 +65,7 @@ static int uclogic_params_get_str_desc(__u8 **pbuf, struct hid_device *hdev, + __u8 idx, size_t len) + { + int rc; +- struct usb_device *udev = hid_to_usb_dev(hdev); ++ struct usb_device *udev; + __u8 *buf = NULL; + + /* Check arguments */ +@@ -74,6 +74,8 @@ static int uclogic_params_get_str_desc(__u8 **pbuf, struct hid_device *hdev, + goto cleanup; + } + ++ udev = hid_to_usb_dev(hdev); ++ + buf = kmalloc(len, GFP_KERNEL); + if (buf == NULL) { + rc = -ENOMEM; +-- +2.34.1 + diff --git a/queue-5.10/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-23659 b/queue-5.10/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-23659 new file mode 100644 index 00000000000..795e7c081ab --- /dev/null +++ b/queue-5.10/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-23659 @@ -0,0 +1,53 @@ +From c39be822e1fd37ac896288dfb414a4dbad0e602d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jan 2022 18:29:15 +0100 +Subject: HID: hid-uclogic-params: Invalid parameter check in + uclogic_params_frame_init_v1_buttonpad +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit aa320fdbbbb482c19100f51461bd0069753ce3d7 ] + +The function performs a check on the hdev input parameters, however, it +is used before the check. + +Initialize the udev variable after the sanity check to avoid a +possible NULL pointer dereference. + +Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module") +Addresses-Coverity-ID: 1443763 ("Null pointer dereference") +Signed-off-by: José Expósito +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-uclogic-params.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-uclogic-params.c b/drivers/hid/hid-uclogic-params.c +index df12178a80da5..38f9bbad81c17 100644 +--- a/drivers/hid/hid-uclogic-params.c ++++ b/drivers/hid/hid-uclogic-params.c +@@ -451,7 +451,7 @@ static int uclogic_params_frame_init_v1_buttonpad( + { + int rc; + bool found = false; +- struct usb_device *usb_dev = hid_to_usb_dev(hdev); ++ struct usb_device *usb_dev; + char *str_buf = NULL; + const size_t str_len = 16; + +@@ -461,6 +461,8 @@ static int uclogic_params_frame_init_v1_buttonpad( + goto cleanup; + } + ++ usb_dev = hid_to_usb_dev(hdev); ++ + /* + * Enable generic button mode + */ +-- +2.34.1 + diff --git a/queue-5.10/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-27529 b/queue-5.10/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-27529 new file mode 100644 index 00000000000..9834a6eafed --- /dev/null +++ b/queue-5.10/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-27529 @@ -0,0 +1,59 @@ +From 161972a5a80cb1d5cfafb88d223c461dc496bb96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jan 2022 18:29:14 +0100 +Subject: HID: hid-uclogic-params: Invalid parameter check in + uclogic_params_huion_init +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit ff6b548afe4d9d1ff3a0f6ef79e8cbca25d8f905 ] + +The function performs a check on its input parameters, however, the +hdev parameter is used before the check. + +Initialize the stack variables after checking the input parameters to +avoid a possible NULL pointer dereference. + +Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module") +Addresses-Coverity-ID: 1443804 ("Null pointer dereference") +Signed-off-by: José Expósito +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-uclogic-params.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/hid/hid-uclogic-params.c b/drivers/hid/hid-uclogic-params.c +index a751c9a49360f..df12178a80da5 100644 +--- a/drivers/hid/hid-uclogic-params.c ++++ b/drivers/hid/hid-uclogic-params.c +@@ -707,9 +707,9 @@ static int uclogic_params_huion_init(struct uclogic_params *params, + struct hid_device *hdev) + { + int rc; +- struct usb_device *udev = hid_to_usb_dev(hdev); +- struct usb_interface *iface = to_usb_interface(hdev->dev.parent); +- __u8 bInterfaceNumber = iface->cur_altsetting->desc.bInterfaceNumber; ++ struct usb_device *udev; ++ struct usb_interface *iface; ++ __u8 bInterfaceNumber; + bool found; + /* The resulting parameters (noop) */ + struct uclogic_params p = {0, }; +@@ -723,6 +723,10 @@ static int uclogic_params_huion_init(struct uclogic_params *params, + goto cleanup; + } + ++ udev = hid_to_usb_dev(hdev); ++ iface = to_usb_interface(hdev->dev.parent); ++ bInterfaceNumber = iface->cur_altsetting->desc.bInterfaceNumber; ++ + /* If it's not a pen interface */ + if (bInterfaceNumber != 0) { + /* TODO: Consider marking the interface invalid */ +-- +2.34.1 + diff --git a/queue-5.10/hid-quirks-allow-inverting-the-absolute-x-y-values.patch b/queue-5.10/hid-quirks-allow-inverting-the-absolute-x-y-values.patch new file mode 100644 index 00000000000..e3fd6f4f9ba --- /dev/null +++ b/queue-5.10/hid-quirks-allow-inverting-the-absolute-x-y-values.patch @@ -0,0 +1,55 @@ +From b5c962ac12a9280decf07fa02f5f1f6d91c760fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Dec 2021 22:40:43 +1000 +Subject: HID: quirks: Allow inverting the absolute X/Y values + +From: Alistair Francis + +[ Upstream commit fd8d135b2c5e88662f2729e034913f183455a667 ] + +Add a HID_QUIRK_X_INVERT/HID_QUIRK_Y_INVERT quirk that can be used +to invert the X/Y values. + +Signed-off-by: Alistair Francis +[bentiss: silence checkpatch warning] +Signed-off-by: Benjamin Tissoires +Link: https://lore.kernel.org/r/20211208124045.61815-2-alistair@alistair23.me +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-input.c | 6 ++++++ + include/linux/hid.h | 2 ++ + 2 files changed, 8 insertions(+) + +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index 580d378342c41..eb53855898c8d 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -1288,6 +1288,12 @@ void hidinput_hid_event(struct hid_device *hid, struct hid_field *field, struct + + input = field->hidinput->input; + ++ if (usage->type == EV_ABS && ++ (((*quirks & HID_QUIRK_X_INVERT) && usage->code == ABS_X) || ++ ((*quirks & HID_QUIRK_Y_INVERT) && usage->code == ABS_Y))) { ++ value = field->logical_maximum - value; ++ } ++ + if (usage->hat_min < usage->hat_max || usage->hat_dir) { + int hat_dir = usage->hat_dir; + if (!hat_dir) +diff --git a/include/linux/hid.h b/include/linux/hid.h +index fc56d53cc68bf..2ba33d708942c 100644 +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -345,6 +345,8 @@ struct hid_item { + /* BIT(9) reserved for backward compatibility, was NO_INIT_INPUT_REPORTS */ + #define HID_QUIRK_ALWAYS_POLL BIT(10) + #define HID_QUIRK_INPUT_PER_APP BIT(11) ++#define HID_QUIRK_X_INVERT BIT(12) ++#define HID_QUIRK_Y_INVERT BIT(13) + #define HID_QUIRK_SKIP_OUTPUT_REPORTS BIT(16) + #define HID_QUIRK_SKIP_OUTPUT_REPORT_ID BIT(17) + #define HID_QUIRK_NO_OUTPUT_REPORTS_ON_INTR_EP BIT(18) +-- +2.34.1 + diff --git a/queue-5.10/hsi-core-fix-return-freed-object-in-hsi_new_client.patch b/queue-5.10/hsi-core-fix-return-freed-object-in-hsi_new_client.patch new file mode 100644 index 00000000000..f7a68b5b654 --- /dev/null +++ b/queue-5.10/hsi-core-fix-return-freed-object-in-hsi_new_client.patch @@ -0,0 +1,35 @@ +From 2c6bd17e1ae3c23b8d4058715a512e3a37504d29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 06:45:07 -0700 +Subject: HSI: core: Fix return freed object in hsi_new_client + +From: Chengfeng Ye + +[ Upstream commit a1ee1c08fcd5af03187dcd41dcab12fd5b379555 ] + +cl is freed on error of calling device_register, but this +object is return later, which will cause uaf issue. Fix it +by return NULL on error. + +Signed-off-by: Chengfeng Ye +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/hsi/hsi_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hsi/hsi_core.c b/drivers/hsi/hsi_core.c +index a5f92e2889cb8..a330f58d45fc6 100644 +--- a/drivers/hsi/hsi_core.c ++++ b/drivers/hsi/hsi_core.c +@@ -102,6 +102,7 @@ struct hsi_client *hsi_new_client(struct hsi_port *port, + if (device_register(&cl->device) < 0) { + pr_err("hsi: failed to register client: %s\n", info->name); + put_device(&cl->device); ++ goto err; + } + + return cl; +-- +2.34.1 + diff --git a/queue-5.10/hwmon-mr75203-fix-wrong-power-up-delay-value.patch b/queue-5.10/hwmon-mr75203-fix-wrong-power-up-delay-value.patch new file mode 100644 index 00000000000..79dc59a7279 --- /dev/null +++ b/queue-5.10/hwmon-mr75203-fix-wrong-power-up-delay-value.patch @@ -0,0 +1,39 @@ +From f82fcd795d99f46b9394abf7d8f2e35c6f9bd807 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Dec 2021 13:22:39 +0300 +Subject: hwmon: (mr75203) fix wrong power-up delay value + +From: Arseny Demidov + +[ Upstream commit a8d6d4992ad9d92356619ac372906bd29687bb46 ] + +In the file mr75203.c we have a macro named POWER_DELAY_CYCLE_256, +the correct value should be 0x100. The register ip_tmr is expressed +in units of IP clk cycles, in accordance with the datasheet. +Typical power-up delays for Temperature Sensor are 256 cycles i.e. 0x100. + +Fixes: 9d823351a337 ("hwmon: Add hardware monitoring driver for Moortec MR75203 PVT controller") +Signed-off-by: Arseny Demidov +Link: https://lore.kernel.org/r/20211219102239.1112-1-a.demidov@yadro.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/mr75203.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/mr75203.c b/drivers/hwmon/mr75203.c +index 18da5a25e89ab..046523d47c29b 100644 +--- a/drivers/hwmon/mr75203.c ++++ b/drivers/hwmon/mr75203.c +@@ -93,7 +93,7 @@ + #define VM_CH_REQ BIT(21) + + #define IP_TMR 0x05 +-#define POWER_DELAY_CYCLE_256 0x80 ++#define POWER_DELAY_CYCLE_256 0x100 + #define POWER_DELAY_CYCLE_64 0x40 + + #define PVT_POLL_DELAY_US 20 +-- +2.34.1 + diff --git a/queue-5.10/i2c-designware-pci-fix-to-change-data-types-of-hcnt-.patch b/queue-5.10/i2c-designware-pci-fix-to-change-data-types-of-hcnt-.patch new file mode 100644 index 00000000000..78ae1579fc8 --- /dev/null +++ b/queue-5.10/i2c-designware-pci-fix-to-change-data-types-of-hcnt-.patch @@ -0,0 +1,45 @@ +From 3075f1e30d1630c4e240ac034c7a446c88074af4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Dec 2021 17:12:01 +0200 +Subject: i2c: designware-pci: Fix to change data types of hcnt and lcnt + parameters + +From: Lakshmi Sowjanya D + +[ Upstream commit d52097010078c1844348dc0e467305e5f90fd317 ] + +The data type of hcnt and lcnt in the struct dw_i2c_dev is of type u16. +It's better to have same data type in struct dw_scl_sda_cfg as well. + +Reported-by: Wolfram Sang +Signed-off-by: Lakshmi Sowjanya D +Signed-off-by: Andy Shevchenko +Signed-off-by: Jarkko Nikula +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-designware-pcidrv.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-designware-pcidrv.c b/drivers/i2c/busses/i2c-designware-pcidrv.c +index 55c83a7a24f36..56c87ade0e89d 100644 +--- a/drivers/i2c/busses/i2c-designware-pcidrv.c ++++ b/drivers/i2c/busses/i2c-designware-pcidrv.c +@@ -37,10 +37,10 @@ enum dw_pci_ctl_id_t { + }; + + struct dw_scl_sda_cfg { +- u32 ss_hcnt; +- u32 fs_hcnt; +- u32 ss_lcnt; +- u32 fs_lcnt; ++ u16 ss_hcnt; ++ u16 fs_hcnt; ++ u16 ss_lcnt; ++ u16 fs_lcnt; + u32 sda_hold; + }; + +-- +2.34.1 + diff --git a/queue-5.10/i2c-i801-don-t-silently-correct-invalid-transfer-siz.patch b/queue-5.10/i2c-i801-don-t-silently-correct-invalid-transfer-siz.patch new file mode 100644 index 00000000000..a04ace279cd --- /dev/null +++ b/queue-5.10/i2c-i801-don-t-silently-correct-invalid-transfer-siz.patch @@ -0,0 +1,63 @@ +From 6b762ff3523c9f3de12c0a34b82b418a6dcf1006 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Nov 2021 22:57:00 +0100 +Subject: i2c: i801: Don't silently correct invalid transfer size + +From: Heiner Kallweit + +[ Upstream commit effa453168a7eeb8a562ff4edc1dbf9067360a61 ] + +If an invalid block size is provided, reject it instead of silently +changing it to a supported value. Especially critical I see the case of +a write transfer with block length 0. In this case we have no guarantee +that the byte we would write is valid. When silently reducing a read to +32 bytes then we don't return an error and the caller may falsely +assume that we returned the full requested data. + +If this change should break any (broken) caller, then I think we should +fix the caller. + +Signed-off-by: Heiner Kallweit +Reviewed-by: Jean Delvare +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-i801.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c +index eab6fd6b890eb..5618c1ff34dc3 100644 +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -797,6 +797,11 @@ static int i801_block_transaction(struct i801_priv *priv, + int result = 0; + unsigned char hostc; + ++ if (read_write == I2C_SMBUS_READ && command == I2C_SMBUS_BLOCK_DATA) ++ data->block[0] = I2C_SMBUS_BLOCK_MAX; ++ else if (data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX) ++ return -EPROTO; ++ + if (command == I2C_SMBUS_I2C_BLOCK_DATA) { + if (read_write == I2C_SMBUS_WRITE) { + /* set I2C_EN bit in configuration register */ +@@ -810,16 +815,6 @@ static int i801_block_transaction(struct i801_priv *priv, + } + } + +- if (read_write == I2C_SMBUS_WRITE +- || command == I2C_SMBUS_I2C_BLOCK_DATA) { +- if (data->block[0] < 1) +- data->block[0] = 1; +- if (data->block[0] > I2C_SMBUS_BLOCK_MAX) +- data->block[0] = I2C_SMBUS_BLOCK_MAX; +- } else { +- data->block[0] = 32; /* max for SMBus block reads */ +- } +- + /* Experience has shown that the block buffer can only be used for + SMBus (not I2C) block transactions, even though the datasheet + doesn't mention this limitation. */ +-- +2.34.1 + diff --git a/queue-5.10/i2c-mpc-correct-i2c-reset-procedure.patch b/queue-5.10/i2c-mpc-correct-i2c-reset-procedure.patch new file mode 100644 index 00000000000..71109d11b66 --- /dev/null +++ b/queue-5.10/i2c-mpc-correct-i2c-reset-procedure.patch @@ -0,0 +1,70 @@ +From 92a060dced7d2d0a3faf9a94bae6d519d505cee4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2017 14:20:33 +0200 +Subject: i2c: mpc: Correct I2C reset procedure + +From: Joakim Tjernlund + +[ Upstream commit ebe82cf92cd4825c3029434cabfcd2f1780e64be ] + +Current I2C reset procedure is broken in two ways: +1) It only generate 1 START instead of 9 STARTs and STOP. +2) It leaves the bus Busy so every I2C xfer after the first + fixup calls the reset routine again, for every xfer there after. + +This fixes both errors. + +Signed-off-by: Joakim Tjernlund +Acked-by: Scott Wood +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-mpc.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-mpc.c b/drivers/i2c/busses/i2c-mpc.c +index af349661fd769..8de8296d25831 100644 +--- a/drivers/i2c/busses/i2c-mpc.c ++++ b/drivers/i2c/busses/i2c-mpc.c +@@ -105,23 +105,30 @@ static irqreturn_t mpc_i2c_isr(int irq, void *dev_id) + /* Sometimes 9th clock pulse isn't generated, and slave doesn't release + * the bus, because it wants to send ACK. + * Following sequence of enabling/disabling and sending start/stop generates +- * the 9 pulses, so it's all OK. ++ * the 9 pulses, each with a START then ending with STOP, so it's all OK. + */ + static void mpc_i2c_fixup(struct mpc_i2c *i2c) + { + int k; +- u32 delay_val = 1000000 / i2c->real_clk + 1; +- +- if (delay_val < 2) +- delay_val = 2; ++ unsigned long flags; + + for (k = 9; k; k--) { + writeccr(i2c, 0); +- writeccr(i2c, CCR_MSTA | CCR_MTX | CCR_MEN); ++ writeb(0, i2c->base + MPC_I2C_SR); /* clear any status bits */ ++ writeccr(i2c, CCR_MEN | CCR_MSTA); /* START */ ++ readb(i2c->base + MPC_I2C_DR); /* init xfer */ ++ udelay(15); /* let it hit the bus */ ++ local_irq_save(flags); /* should not be delayed further */ ++ writeccr(i2c, CCR_MEN | CCR_MSTA | CCR_RSTA); /* delay SDA */ + readb(i2c->base + MPC_I2C_DR); +- writeccr(i2c, CCR_MEN); +- udelay(delay_val << 1); ++ if (k != 1) ++ udelay(5); ++ local_irq_restore(flags); + } ++ writeccr(i2c, CCR_MEN); /* Initiate STOP */ ++ readb(i2c->base + MPC_I2C_DR); ++ udelay(15); /* Let STOP propagate */ ++ writeccr(i2c, 0); + } + + static int i2c_wait(struct mpc_i2c *i2c, unsigned timeout, int writing) +-- +2.34.1 + diff --git a/queue-5.10/iommu-amd-remove-iommu_init_ga.patch b/queue-5.10/iommu-amd-remove-iommu_init_ga.patch new file mode 100644 index 00000000000..3448fc5d7f2 --- /dev/null +++ b/queue-5.10/iommu-amd-remove-iommu_init_ga.patch @@ -0,0 +1,69 @@ +From 856e0e5df48f7215ba119899d742140409d43e99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Aug 2021 15:29:57 -0500 +Subject: iommu/amd: Remove iommu_init_ga() + +From: Suravee Suthikulpanit + +[ Upstream commit eb03f2d2f6a4da25d286613717d10add9ce9f175 ] + +Since the function has been simplified and only call iommu_init_ga_log(), +remove the function and replace with iommu_init_ga_log() instead. + +Signed-off-by: Suravee Suthikulpanit +Link: https://lore.kernel.org/r/20210820202957.187572-4-suravee.suthikulpanit@amd.com +Fixes: 8bda0cfbdc1a ("iommu/amd: Detect and initialize guest vAPIC log") +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/init.c | 17 ++++------------- + 1 file changed, 4 insertions(+), 13 deletions(-) + +diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c +index 28de889aa5164..c82f8ab4783c0 100644 +--- a/drivers/iommu/amd/init.c ++++ b/drivers/iommu/amd/init.c +@@ -830,9 +830,9 @@ static int iommu_ga_log_enable(struct amd_iommu *iommu) + return 0; + } + +-#ifdef CONFIG_IRQ_REMAP + static int iommu_init_ga_log(struct amd_iommu *iommu) + { ++#ifdef CONFIG_IRQ_REMAP + u64 entry; + + if (!AMD_IOMMU_GUEST_IR_VAPIC(amd_iommu_guest_ir)) +@@ -862,18 +862,9 @@ static int iommu_init_ga_log(struct amd_iommu *iommu) + err_out: + free_ga_log(iommu); + return -EINVAL; +-} +-#endif /* CONFIG_IRQ_REMAP */ +- +-static int iommu_init_ga(struct amd_iommu *iommu) +-{ +- int ret = 0; +- +-#ifdef CONFIG_IRQ_REMAP +- ret = iommu_init_ga_log(iommu); ++#else ++ return 0; + #endif /* CONFIG_IRQ_REMAP */ +- +- return ret; + } + + static int __init alloc_cwwb_sem(struct amd_iommu *iommu) +@@ -1860,7 +1851,7 @@ static int __init iommu_init_pci(struct amd_iommu *iommu) + if (iommu_feature(iommu, FEATURE_PPR) && alloc_ppr_log(iommu)) + return -ENOMEM; + +- ret = iommu_init_ga(iommu); ++ ret = iommu_init_ga_log(iommu); + if (ret) + return ret; + +-- +2.34.1 + diff --git a/queue-5.10/iommu-amd-restore-ga-log-tail-pointer-on-host-resume.patch b/queue-5.10/iommu-amd-restore-ga-log-tail-pointer-on-host-resume.patch new file mode 100644 index 00000000000..7f698e30f74 --- /dev/null +++ b/queue-5.10/iommu-amd-restore-ga-log-tail-pointer-on-host-resume.patch @@ -0,0 +1,95 @@ +From 286a60cf10e92eb7117ced3e906b237252ecb542 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Nov 2021 18:10:34 +0200 +Subject: iommu/amd: Restore GA log/tail pointer on host resume + +From: Maxim Levitsky + +[ Upstream commit a8d4a37d1bb93608501d0d0545f902061152669a ] + +This will give IOMMU GA log a chance to work after resume +from s3/s4. + +Fixes: 8bda0cfbdc1a6 ("iommu/amd: Detect and initialize guest vAPIC log") + +Signed-off-by: Maxim Levitsky +Link: https://lore.kernel.org/r/20211123161038.48009-2-mlevitsk@redhat.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/init.c | 31 +++++++++++++++---------------- + 1 file changed, 15 insertions(+), 16 deletions(-) + +diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c +index c82f8ab4783c0..3f31a52f7044f 100644 +--- a/drivers/iommu/amd/init.c ++++ b/drivers/iommu/amd/init.c +@@ -805,16 +805,27 @@ static int iommu_ga_log_enable(struct amd_iommu *iommu) + { + #ifdef CONFIG_IRQ_REMAP + u32 status, i; ++ u64 entry; + + if (!iommu->ga_log) + return -EINVAL; + +- status = readl(iommu->mmio_base + MMIO_STATUS_OFFSET); +- + /* Check if already running */ +- if (status & (MMIO_STATUS_GALOG_RUN_MASK)) ++ status = readl(iommu->mmio_base + MMIO_STATUS_OFFSET); ++ if (WARN_ON(status & (MMIO_STATUS_GALOG_RUN_MASK))) + return 0; + ++ entry = iommu_virt_to_phys(iommu->ga_log) | GA_LOG_SIZE_512; ++ memcpy_toio(iommu->mmio_base + MMIO_GA_LOG_BASE_OFFSET, ++ &entry, sizeof(entry)); ++ entry = (iommu_virt_to_phys(iommu->ga_log_tail) & ++ (BIT_ULL(52)-1)) & ~7ULL; ++ memcpy_toio(iommu->mmio_base + MMIO_GA_LOG_TAIL_OFFSET, ++ &entry, sizeof(entry)); ++ writel(0x00, iommu->mmio_base + MMIO_GA_HEAD_OFFSET); ++ writel(0x00, iommu->mmio_base + MMIO_GA_TAIL_OFFSET); ++ ++ + iommu_feature_enable(iommu, CONTROL_GAINT_EN); + iommu_feature_enable(iommu, CONTROL_GALOG_EN); + +@@ -824,7 +835,7 @@ static int iommu_ga_log_enable(struct amd_iommu *iommu) + break; + } + +- if (i >= LOOP_TIMEOUT) ++ if (WARN_ON(i >= LOOP_TIMEOUT)) + return -EINVAL; + #endif /* CONFIG_IRQ_REMAP */ + return 0; +@@ -833,8 +844,6 @@ static int iommu_ga_log_enable(struct amd_iommu *iommu) + static int iommu_init_ga_log(struct amd_iommu *iommu) + { + #ifdef CONFIG_IRQ_REMAP +- u64 entry; +- + if (!AMD_IOMMU_GUEST_IR_VAPIC(amd_iommu_guest_ir)) + return 0; + +@@ -848,16 +857,6 @@ static int iommu_init_ga_log(struct amd_iommu *iommu) + if (!iommu->ga_log_tail) + goto err_out; + +- entry = iommu_virt_to_phys(iommu->ga_log) | GA_LOG_SIZE_512; +- memcpy_toio(iommu->mmio_base + MMIO_GA_LOG_BASE_OFFSET, +- &entry, sizeof(entry)); +- entry = (iommu_virt_to_phys(iommu->ga_log_tail) & +- (BIT_ULL(52)-1)) & ~7ULL; +- memcpy_toio(iommu->mmio_base + MMIO_GA_LOG_TAIL_OFFSET, +- &entry, sizeof(entry)); +- writel(0x00, iommu->mmio_base + MMIO_GA_HEAD_OFFSET); +- writel(0x00, iommu->mmio_base + MMIO_GA_TAIL_OFFSET); +- + return 0; + err_out: + free_ga_log(iommu); +-- +2.34.1 + diff --git a/queue-5.10/iommu-io-pgtable-arm-fix-table-descriptor-paddr-form.patch b/queue-5.10/iommu-io-pgtable-arm-fix-table-descriptor-paddr-form.patch new file mode 100644 index 00000000000..7857070f90a --- /dev/null +++ b/queue-5.10/iommu-io-pgtable-arm-fix-table-descriptor-paddr-form.patch @@ -0,0 +1,69 @@ +From d380682f43a46298d52b7f8cd9fb4ee64cc81f29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Nov 2021 12:13:43 +0900 +Subject: iommu/io-pgtable-arm: Fix table descriptor paddr formatting + +From: Hector Martin + +[ Upstream commit 9abe2ac834851a7d0b0756e295cf7a292c45ca53 ] + +Table descriptors were being installed without properly formatting the +address using paddr_to_iopte, which does not match up with the +iopte_deref in __arm_lpae_map. This is incorrect for the LPAE pte +format, as it does not handle the high bits properly. + +This was found on Apple T6000 DARTs, which require a new pte format +(different shift); adding support for that to +paddr_to_iopte/iopte_to_paddr caused it to break badly, as even <48-bit +addresses would end up incorrect in that case. + +Fixes: 6c89928ff7a0 ("iommu/io-pgtable-arm: Support 52-bit physical address") +Acked-by: Robin Murphy +Signed-off-by: Hector Martin +Link: https://lore.kernel.org/r/20211120031343.88034-1-marcan@marcan.st +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/io-pgtable-arm.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c +index bcfbd0e44a4a0..e1cd31c0e3c19 100644 +--- a/drivers/iommu/io-pgtable-arm.c ++++ b/drivers/iommu/io-pgtable-arm.c +@@ -302,11 +302,12 @@ static int arm_lpae_init_pte(struct arm_lpae_io_pgtable *data, + static arm_lpae_iopte arm_lpae_install_table(arm_lpae_iopte *table, + arm_lpae_iopte *ptep, + arm_lpae_iopte curr, +- struct io_pgtable_cfg *cfg) ++ struct arm_lpae_io_pgtable *data) + { + arm_lpae_iopte old, new; ++ struct io_pgtable_cfg *cfg = &data->iop.cfg; + +- new = __pa(table) | ARM_LPAE_PTE_TYPE_TABLE; ++ new = paddr_to_iopte(__pa(table), data) | ARM_LPAE_PTE_TYPE_TABLE; + if (cfg->quirks & IO_PGTABLE_QUIRK_ARM_NS) + new |= ARM_LPAE_PTE_NSTABLE; + +@@ -357,7 +358,7 @@ static int __arm_lpae_map(struct arm_lpae_io_pgtable *data, unsigned long iova, + if (!cptep) + return -ENOMEM; + +- pte = arm_lpae_install_table(cptep, ptep, 0, cfg); ++ pte = arm_lpae_install_table(cptep, ptep, 0, data); + if (pte) + __arm_lpae_free_pages(cptep, tblsz, cfg); + } else if (!cfg->coherent_walk && !(pte & ARM_LPAE_PTE_SW_SYNC)) { +@@ -546,7 +547,7 @@ static size_t arm_lpae_split_blk_unmap(struct arm_lpae_io_pgtable *data, + __arm_lpae_init_pte(data, blk_paddr, pte, lvl, &tablep[i]); + } + +- pte = arm_lpae_install_table(tablep, ptep, blk_pte, cfg); ++ pte = arm_lpae_install_table(tablep, ptep, blk_pte, data); + if (pte != blk_pte) { + __arm_lpae_free_pages(tablep, tablesz, cfg); + /* +-- +2.34.1 + diff --git a/queue-5.10/iommu-iova-fix-race-between-fq-timeout-and-teardown.patch b/queue-5.10/iommu-iova-fix-race-between-fq-timeout-and-teardown.patch new file mode 100644 index 00000000000..a84927cf4c0 --- /dev/null +++ b/queue-5.10/iommu-iova-fix-race-between-fq-timeout-and-teardown.patch @@ -0,0 +1,53 @@ +From 68254eef222b9c5257b6c913f1628d6de9b1396a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Dec 2021 15:30:55 +0000 +Subject: iommu/iova: Fix race between FQ timeout and teardown + +From: Xiongfeng Wang + +[ Upstream commit d7061627d701c90e1cac1e1e60c45292f64f3470 ] + +It turns out to be possible for hotplugging out a device to reach the +stage of tearing down the device's group and default domain before the +domain's flush queue has drained naturally. At this point, it is then +possible for the timeout to expire just before the del_timer() call +in free_iova_flush_queue(), such that we then proceed to free the FQ +resources while fq_flush_timeout() is still accessing them on another +CPU. Crashes due to this have been observed in the wild while removing +NVMe devices. + +Close the race window by using del_timer_sync() to safely wait for any +active timeout handler to finish before we start to free things. We +already avoid any locking in free_iova_flush_queue() since the FQ is +supposed to be inactive anyway, so the potential deadlock scenario does +not apply. + +Fixes: 9a005a800ae8 ("iommu/iova: Add flush timer") +Reviewed-by: John Garry +Signed-off-by: Xiongfeng Wang +[ rm: rewrite commit message ] +Signed-off-by: Robin Murphy +Link: https://lore.kernel.org/r/0a365e5b07f14b7344677ad6a9a734966a8422ce.1639753638.git.robin.murphy@arm.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/iova.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c +index 30d969a4c5fde..1164d1a42cbc5 100644 +--- a/drivers/iommu/iova.c ++++ b/drivers/iommu/iova.c +@@ -64,8 +64,7 @@ static void free_iova_flush_queue(struct iova_domain *iovad) + if (!has_iova_flush_queue(iovad)) + return; + +- if (timer_pending(&iovad->fq_timer)) +- del_timer(&iovad->fq_timer); ++ del_timer_sync(&iovad->fq_timer); + + fq_destroy_all_entries(iovad); + +-- +2.34.1 + diff --git a/queue-5.10/irqchip-gic-v4-disable-redistributors-view-of-the-vp.patch b/queue-5.10/irqchip-gic-v4-disable-redistributors-view-of-the-vp.patch new file mode 100644 index 00000000000..2cdcf6d3093 --- /dev/null +++ b/queue-5.10/irqchip-gic-v4-disable-redistributors-view-of-the-vp.patch @@ -0,0 +1,63 @@ +From 9dc113ab871f29ac07f637dfa08766e19db9483c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Dec 2021 14:32:27 +0000 +Subject: irqchip/gic-v4: Disable redistributors' view of the VPE table at boot + time + +From: Marc Zyngier + +[ Upstream commit 79a7f77b9b154d572bd9d2f1eecf58c4d018d8e2 ] + +Jay Chen reported that using a kdump kernel on a GICv4.1 system +results in a RAS error being delivered when the secondary kernel +configures the ITS's view of the new VPE table. + +As it turns out, that's because each RD still has a pointer to +the previous instance of the VPE table, and that particular +implementation is very upset by seeing two bits of the HW that +should point to the same table with different values. + +To solve this, let's invalidate any reference that any RD has to +the VPE table when discovering the RDs. The ITS can then be +programmed as expected. + +Reported-by: Jay Chen +Signed-off-by: Marc Zyngier +Cc: Lorenzo Pieralisi +Link: https://lore.kernel.org/r/20211214064716.21407-1-jkchen@linux.alibaba.com +Link: https://lore.kernel.org/r/20211216144804.1578566-1-maz@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c +index 1bdb7acf445f4..04d1b3963b6ba 100644 +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -915,6 +915,22 @@ static int __gic_update_rdist_properties(struct redist_region *region, + { + u64 typer = gic_read_typer(ptr + GICR_TYPER); + ++ /* Boot-time cleanip */ ++ if ((typer & GICR_TYPER_VLPIS) && (typer & GICR_TYPER_RVPEID)) { ++ u64 val; ++ ++ /* Deactivate any present vPE */ ++ val = gicr_read_vpendbaser(ptr + SZ_128K + GICR_VPENDBASER); ++ if (val & GICR_VPENDBASER_Valid) ++ gicr_write_vpendbaser(GICR_VPENDBASER_PendingLast, ++ ptr + SZ_128K + GICR_VPENDBASER); ++ ++ /* Mark the VPE table as invalid */ ++ val = gicr_read_vpropbaser(ptr + SZ_128K + GICR_VPROPBASER); ++ val &= ~GICR_VPROPBASER_4_1_VALID; ++ gicr_write_vpropbaser(val, ptr + SZ_128K + GICR_VPROPBASER); ++ } ++ + gic_data.rdists.has_vlpis &= !!(typer & GICR_TYPER_VLPIS); + + /* RVPEID implies some form of DirectLPI, no matter what the doc says... :-/ */ +-- +2.34.1 + diff --git a/queue-5.10/iwlwifi-fix-leaks-bad-data-after-failed-firmware-loa.patch b/queue-5.10/iwlwifi-fix-leaks-bad-data-after-failed-firmware-loa.patch new file mode 100644 index 00000000000..4b7f13b7c85 --- /dev/null +++ b/queue-5.10/iwlwifi-fix-leaks-bad-data-after-failed-firmware-loa.patch @@ -0,0 +1,69 @@ +From b29a869340bc4d792df11b044acfe6886f05d258 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 11:12:42 +0200 +Subject: iwlwifi: fix leaks/bad data after failed firmware load + +From: Johannes Berg + +[ Upstream commit ab07506b0454bea606095951e19e72c282bfbb42 ] + +If firmware load fails after having loaded some parts of the +firmware, e.g. the IML image, then this would leak. For the +host command list we'd end up running into a WARN on the next +attempt to load another firmware image. + +Fix this by calling iwl_dealloc_ucode() on failures, and make +that also clear the data so we start fresh on the next round. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20211210110539.1f742f0eb58a.I1315f22f6aa632d94ae2069f85e1bca5e734dce0@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c +index be214f39f52be..4bdfd6afa7324 100644 +--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c +@@ -185,6 +185,9 @@ static void iwl_dealloc_ucode(struct iwl_drv *drv) + + for (i = 0; i < IWL_UCODE_TYPE_MAX; i++) + iwl_free_fw_img(drv, drv->fw.img + i); ++ ++ /* clear the data for the aborted load case */ ++ memset(&drv->fw, 0, sizeof(drv->fw)); + } + + static int iwl_alloc_fw_desc(struct iwl_drv *drv, struct fw_desc *desc, +@@ -1365,6 +1368,7 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context) + int i; + bool load_module = false; + bool usniffer_images = false; ++ bool failure = true; + + fw->ucode_capa.max_probe_length = IWL_DEFAULT_MAX_PROBE_LENGTH; + fw->ucode_capa.standard_phy_calibration_size = +@@ -1634,6 +1638,7 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context) + op->name, err); + #endif + } ++ failure = false; + goto free; + + try_again: +@@ -1649,6 +1654,9 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context) + complete(&drv->request_firmware_complete); + device_release_driver(drv->trans->dev); + free: ++ if (failure) ++ iwl_dealloc_ucode(drv); ++ + if (pieces) { + for (i = 0; i < ARRAY_SIZE(pieces->img); i++) + kfree(pieces->img[i].sec); +-- +2.34.1 + diff --git a/queue-5.10/iwlwifi-mvm-avoid-clearing-a-just-saved-session-prot.patch b/queue-5.10/iwlwifi-mvm-avoid-clearing-a-just-saved-session-prot.patch new file mode 100644 index 00000000000..049a01357cf --- /dev/null +++ b/queue-5.10/iwlwifi-mvm-avoid-clearing-a-just-saved-session-prot.patch @@ -0,0 +1,59 @@ +From 12a9de65817383d67461ad573024da08d1b36556 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Dec 2021 13:10:47 +0200 +Subject: iwlwifi: mvm: avoid clearing a just saved session protection id + +From: Shaul Triebitz + +[ Upstream commit 8e967c137df3b236d2075f9538cb888129425d1a ] + +When scheduling a session protection the id is saved but +then it may be cleared when calling iwl_mvm_te_clear_data +(if a previous session protection is currently active). +Fix it by saving the id after calling iwl_mvm_te_clear_data. + +Signed-off-by: Shaul Triebitz +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20211204130722.b0743a588d14.I098fef6677d0dab3ef1b6183ed206a10bab01eb2@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/time-event.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c +index a633ad5f8ca4e..3f081cdea09ca 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c +@@ -1166,15 +1166,10 @@ void iwl_mvm_schedule_session_protection(struct iwl_mvm *mvm, + cpu_to_le32(FW_CMD_ID_AND_COLOR(mvmvif->id, + mvmvif->color)), + .action = cpu_to_le32(FW_CTXT_ACTION_ADD), ++ .conf_id = cpu_to_le32(SESSION_PROTECT_CONF_ASSOC), + .duration_tu = cpu_to_le32(MSEC_TO_TU(duration)), + }; + +- /* The time_event_data.id field is reused to save session +- * protection's configuration. +- */ +- mvmvif->time_event_data.id = SESSION_PROTECT_CONF_ASSOC; +- cmd.conf_id = cpu_to_le32(mvmvif->time_event_data.id); +- + lockdep_assert_held(&mvm->mutex); + + spin_lock_bh(&mvm->time_event_lock); +@@ -1188,6 +1183,11 @@ void iwl_mvm_schedule_session_protection(struct iwl_mvm *mvm, + } + + iwl_mvm_te_clear_data(mvm, te_data); ++ /* ++ * The time_event_data.id field is reused to save session ++ * protection's configuration. ++ */ ++ te_data->id = le32_to_cpu(cmd.conf_id); + te_data->duration = le32_to_cpu(cmd.duration_tu); + spin_unlock_bh(&mvm->time_event_lock); + +-- +2.34.1 + diff --git a/queue-5.10/iwlwifi-mvm-fix-32-bit-build-in-ftm.patch b/queue-5.10/iwlwifi-mvm-fix-32-bit-build-in-ftm.patch new file mode 100644 index 00000000000..c9e2afe2fd3 --- /dev/null +++ b/queue-5.10/iwlwifi-mvm-fix-32-bit-build-in-ftm.patch @@ -0,0 +1,40 @@ +From cf17da7b9fa5227e46419156b30d41a2edc3385b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Dec 2021 11:14:18 +0200 +Subject: iwlwifi: mvm: fix 32-bit build in FTM + +From: Johannes Berg + +[ Upstream commit 8b0f92549f2c2458200935c12a2e2a6e80234cf5 ] + +On a 32-bit build, the division here needs to be done +using do_div(), otherwise the compiler will try to call +a function that doesn't exist, thus failing to build. + +Fixes: b68bd2e3143a ("iwlwifi: mvm: Add FTM initiator RTT smoothing logic") +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20211219111352.e56cbf614a4d.Ib98004ccd2c7a55fd883a8ea7eebd810f406dec6@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c +index a0ce761d0c59b..fe3d52620a897 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c +@@ -967,7 +967,8 @@ static void iwl_mvm_ftm_rtt_smoothing(struct iwl_mvm *mvm, + overshoot = IWL_MVM_FTM_INITIATOR_SMOOTH_OVERSHOOT; + alpha = IWL_MVM_FTM_INITIATOR_SMOOTH_ALPHA; + +- rtt_avg = (alpha * rtt + (100 - alpha) * resp->rtt_avg) / 100; ++ rtt_avg = alpha * rtt + (100 - alpha) * resp->rtt_avg; ++ do_div(rtt_avg, 100); + + IWL_DEBUG_INFO(mvm, + "%pM: prev rtt_avg=%lld, new rtt_avg=%lld, rtt=%lld\n", +-- +2.34.1 + diff --git a/queue-5.10/iwlwifi-mvm-fix-calculation-of-frame-length.patch b/queue-5.10/iwlwifi-mvm-fix-calculation-of-frame-length.patch new file mode 100644 index 00000000000..2683a748882 --- /dev/null +++ b/queue-5.10/iwlwifi-mvm-fix-calculation-of-frame-length.patch @@ -0,0 +1,72 @@ +From 9340e2d955f3d2fc70ae5453456bddb83158d071 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Dec 2021 12:18:16 +0200 +Subject: iwlwifi: mvm: Fix calculation of frame length + +From: Ilan Peer + +[ Upstream commit 40a0b38d7a7f91a6027287e0df54f5f547e8d27e ] + +The RADA might include in the Rx frame the MIC and CRC bytes. +These bytes should be removed for non monitor interfaces and +should not be passed to mac80211. + +Fix the Rx processing to remove the extra bytes on non monitor +cases. + +Signed-off-by: Ilan Peer +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20211219121514.098be12c801e.I1d81733d8a75b84c3b20eb6e0d14ab3405ca6a86@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 27 +++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +index 838734fec5023..86b3fb321dfdd 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +@@ -177,12 +177,39 @@ static int iwl_mvm_create_skb(struct iwl_mvm *mvm, struct sk_buff *skb, + struct iwl_rx_mpdu_desc *desc = (void *)pkt->data; + unsigned int headlen, fraglen, pad_len = 0; + unsigned int hdrlen = ieee80211_hdrlen(hdr->frame_control); ++ u8 mic_crc_len = u8_get_bits(desc->mac_flags1, ++ IWL_RX_MPDU_MFLG1_MIC_CRC_LEN_MASK) << 1; + + if (desc->mac_flags2 & IWL_RX_MPDU_MFLG2_PAD) { + len -= 2; + pad_len = 2; + } + ++ /* ++ * For non monitor interface strip the bytes the RADA might not have ++ * removed. As monitor interface cannot exist with other interfaces ++ * this removal is safe. ++ */ ++ if (mic_crc_len && !ieee80211_hw_check(mvm->hw, RX_INCLUDES_FCS)) { ++ u32 pkt_flags = le32_to_cpu(pkt->len_n_flags); ++ ++ /* ++ * If RADA was not enabled then decryption was not performed so ++ * the MIC cannot be removed. ++ */ ++ if (!(pkt_flags & FH_RSCSR_RADA_EN)) { ++ if (WARN_ON(crypt_len > mic_crc_len)) ++ return -EINVAL; ++ ++ mic_crc_len -= crypt_len; ++ } ++ ++ if (WARN_ON(mic_crc_len > len)) ++ return -EINVAL; ++ ++ len -= mic_crc_len; ++ } ++ + /* If frame is small enough to fit in skb->head, pull it completely. + * If not, only pull ieee80211_hdr (including crypto if present, and + * an additional 8 bytes for SNAP/ethertype, see below) so that +-- +2.34.1 + diff --git a/queue-5.10/iwlwifi-mvm-synchronize-with-fw-after-multicast-comm.patch b/queue-5.10/iwlwifi-mvm-synchronize-with-fw-after-multicast-comm.patch new file mode 100644 index 00000000000..a3edcb05d16 --- /dev/null +++ b/queue-5.10/iwlwifi-mvm-synchronize-with-fw-after-multicast-comm.patch @@ -0,0 +1,72 @@ +From a6444b12c763842e647119d433fca22218344bf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Dec 2021 08:35:45 +0200 +Subject: iwlwifi: mvm: synchronize with FW after multicast commands + +From: Johannes Berg + +[ Upstream commit db66abeea3aefed481391ecc564fb7b7fb31d742 ] + +If userspace installs a lot of multicast groups very quickly, then +we may run out of command queue space as we send the updates in an +asynchronous fashion (due to locking concerns), and the CPU can +create them faster than the firmware can process them. This is true +even when mac80211 has a work struct that gets scheduled. + +Fix this by synchronizing with the firmware after sending all those +commands - outside of the iteration we can send a synchronous echo +command that just has the effect of the CPU waiting for the prior +asynchronous commands to finish. This also will cause fewer of the +commands to be sent to the firmware overall, because the work will +only run once when rescheduled multiple times while it's running. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=213649 +Suggested-by: Emmanuel Grumbach +Reported-by: Maximilian Ernestus +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20211204083238.51aea5b79ea4.I88a44798efda16e9fe480fb3e94224931d311b29@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + .../net/wireless/intel/iwlwifi/mvm/mac80211.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +index 81cc85a97eb20..922a7ea0cd24e 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -1739,6 +1739,7 @@ static void iwl_mvm_recalc_multicast(struct iwl_mvm *mvm) + struct iwl_mvm_mc_iter_data iter_data = { + .mvm = mvm, + }; ++ int ret; + + lockdep_assert_held(&mvm->mutex); + +@@ -1748,6 +1749,22 @@ static void iwl_mvm_recalc_multicast(struct iwl_mvm *mvm) + ieee80211_iterate_active_interfaces_atomic( + mvm->hw, IEEE80211_IFACE_ITER_NORMAL, + iwl_mvm_mc_iface_iterator, &iter_data); ++ ++ /* ++ * Send a (synchronous) ech command so that we wait for the ++ * multiple asynchronous MCAST_FILTER_CMD commands sent by ++ * the interface iterator. Otherwise, we might get here over ++ * and over again (by userspace just sending a lot of these) ++ * and the CPU can send them faster than the firmware can ++ * process them. ++ * Note that the CPU is still faster - but with this we'll ++ * actually send fewer commands overall because the CPU will ++ * not schedule the work in mac80211 as frequently if it's ++ * still running when rescheduled (possibly multiple times). ++ */ ++ ret = iwl_mvm_send_cmd_pdu(mvm, ECHO_CMD, 0, 0, NULL); ++ if (ret) ++ IWL_ERR(mvm, "Failed to synchronize multicast groups update\n"); + } + + static u64 iwl_mvm_prepare_multicast(struct ieee80211_hw *hw, +-- +2.34.1 + diff --git a/queue-5.10/iwlwifi-mvm-test-roc-running-status-bits-before-remo.patch b/queue-5.10/iwlwifi-mvm-test-roc-running-status-bits-before-remo.patch new file mode 100644 index 00000000000..d03cc9ee578 --- /dev/null +++ b/queue-5.10/iwlwifi-mvm-test-roc-running-status-bits-before-remo.patch @@ -0,0 +1,67 @@ +From 02933929b312c0d2de641d0b26c5d3e3dc93869e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Dec 2021 12:18:15 +0200 +Subject: iwlwifi: mvm: test roc running status bits before removing the sta + +From: Nathan Errera + +[ Upstream commit 998e1aba6e5eb35370eaf30ccc1823426ec11f90 ] + +In some cases the sta is being removed twice since we do not test the +roc aux running before removing it. Start looking at the bit before +removing the sta. + +Signed-off-by: Nathan Errera +Fixes: 2c2c3647cde4 ("iwlwifi: mvm: support ADD_STA_CMD_API_S ver 12") +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20211219121514.d5376ac6bcb0.Ic5f8470ea60c072bde9d1503e5f528b65e301e20@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + .../net/wireless/intel/iwlwifi/mvm/time-event.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c +index 394598b14a173..a633ad5f8ca4e 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c +@@ -98,14 +98,13 @@ void iwl_mvm_roc_done_wk(struct work_struct *wk) + struct iwl_mvm *mvm = container_of(wk, struct iwl_mvm, roc_done_wk); + + /* +- * Clear the ROC_RUNNING /ROC_AUX_RUNNING status bit. ++ * Clear the ROC_RUNNING status bit. + * This will cause the TX path to drop offchannel transmissions. + * That would also be done by mac80211, but it is racy, in particular + * in the case that the time event actually completed in the firmware + * (which is handled in iwl_mvm_te_handle_notif). + */ + clear_bit(IWL_MVM_STATUS_ROC_RUNNING, &mvm->status); +- clear_bit(IWL_MVM_STATUS_ROC_AUX_RUNNING, &mvm->status); + + synchronize_net(); + +@@ -131,9 +130,19 @@ void iwl_mvm_roc_done_wk(struct work_struct *wk) + mvmvif = iwl_mvm_vif_from_mac80211(mvm->p2p_device_vif); + iwl_mvm_flush_sta(mvm, &mvmvif->bcast_sta, true); + } +- } else { ++ } ++ ++ /* ++ * Clear the ROC_AUX_RUNNING status bit. ++ * This will cause the TX path to drop offchannel transmissions. ++ * That would also be done by mac80211, but it is racy, in particular ++ * in the case that the time event actually completed in the firmware ++ * (which is handled in iwl_mvm_te_handle_notif). ++ */ ++ if (test_and_clear_bit(IWL_MVM_STATUS_ROC_AUX_RUNNING, &mvm->status)) { + /* do the same in case of hot spot 2.0 */ + iwl_mvm_flush_sta(mvm, &mvm->aux_sta, true); ++ + /* In newer version of this command an aux station is added only + * in cases of dedicated tx queue and need to be removed in end + * of use */ +-- +2.34.1 + diff --git a/queue-5.10/iwlwifi-mvm-use-div_s64-instead-of-do_div-in-iwl_mvm.patch b/queue-5.10/iwlwifi-mvm-use-div_s64-instead-of-do_div-in-iwl_mvm.patch new file mode 100644 index 00000000000..7b33995df88 --- /dev/null +++ b/queue-5.10/iwlwifi-mvm-use-div_s64-instead-of-do_div-in-iwl_mvm.patch @@ -0,0 +1,56 @@ +From 3938c95bd1a1b380a89cf9611cdf68199678e467 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Dec 2021 12:17:57 -0700 +Subject: iwlwifi: mvm: Use div_s64 instead of do_div in + iwl_mvm_ftm_rtt_smoothing() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nathan Chancellor + +[ Upstream commit 4ccdcc8ffd955490feec05380223db6a48961eb5 ] + +When building ARCH=arm allmodconfig: + +drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c: In function ‘iwl_mvm_ftm_rtt_smoothing’: +./include/asm-generic/div64.h:222:35: error: comparison of distinct pointer types lacks a cast [-Werror] + 222 | (void)(((typeof((n)) *)0) == ((uint64_t *)0)); \ + | ^~ +drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c:1070:9: note: in expansion of macro ‘do_div’ + 1070 | do_div(rtt_avg, 100); + | ^~~~~~ + +do_div() has to be used with an unsigned 64-bit integer dividend but +rtt_avg is a signed 64-bit integer. + +div_s64() expects a signed 64-bit integer dividend and signed 32-bit +divisor, which fits this scenario, so use that function here to fix the +warning. + +Fixes: 8b0f92549f2c ("iwlwifi: mvm: fix 32-bit build in FTM") +Signed-off-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20211227191757.2354329-1-nathan@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c +index fe3d52620a897..b1335fe3b01a2 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c +@@ -967,8 +967,7 @@ static void iwl_mvm_ftm_rtt_smoothing(struct iwl_mvm *mvm, + overshoot = IWL_MVM_FTM_INITIATOR_SMOOTH_OVERSHOOT; + alpha = IWL_MVM_FTM_INITIATOR_SMOOTH_ALPHA; + +- rtt_avg = alpha * rtt + (100 - alpha) * resp->rtt_avg; +- do_div(rtt_avg, 100); ++ rtt_avg = div_s64(alpha * rtt + (100 - alpha) * resp->rtt_avg, 100); + + IWL_DEBUG_INFO(mvm, + "%pM: prev rtt_avg=%lld, new rtt_avg=%lld, rtt=%lld\n", +-- +2.34.1 + diff --git a/queue-5.10/iwlwifi-pcie-make-sure-prph_info-is-set-when-treatin.patch b/queue-5.10/iwlwifi-pcie-make-sure-prph_info-is-set-when-treatin.patch new file mode 100644 index 00000000000..8702f79fccf --- /dev/null +++ b/queue-5.10/iwlwifi-pcie-make-sure-prph_info-is-set-when-treatin.patch @@ -0,0 +1,45 @@ +From 0fbfb20b810eacd91e06f68ed728f4ba827a8393 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Dec 2021 13:28:34 +0200 +Subject: iwlwifi: pcie: make sure prph_info is set when treating wakeup IRQ + +From: Luca Coelho + +[ Upstream commit 459fc0f2c6b0f6e280bfa0f230c100c9dfe3a199 ] + +In some rare cases when the HW is in a bad state, we may get this +interrupt when prph_info is not set yet. Then we will try to +dereference it to check the sleep_notif element, which will cause an +oops. + +Fix that by ignoring the interrupt if prph_info is not set yet. + +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20211219132536.0537aa562313.I183bb336345b9b3da196ba9e596a6f189fbcbd09@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/rx.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c +index 2c13fa8f28200..6aedf5762571d 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c +@@ -2260,7 +2260,12 @@ irqreturn_t iwl_pcie_irq_msix_handler(int irq, void *dev_id) + } + } + +- if (inta_hw & MSIX_HW_INT_CAUSES_REG_WAKEUP) { ++ /* ++ * In some rare cases when the HW is in a bad state, we may ++ * get this interrupt too early, when prph_info is still NULL. ++ * So make sure that it's not NULL to prevent crashing. ++ */ ++ if (inta_hw & MSIX_HW_INT_CAUSES_REG_WAKEUP && trans_pcie->prph_info) { + u32 sleep_notif = + le32_to_cpu(trans_pcie->prph_info->sleep_notif); + if (sleep_notif == IWL_D3_SLEEP_STATUS_SUSPEND || +-- +2.34.1 + diff --git a/queue-5.10/iwlwifi-remove-module-loading-failure-message.patch b/queue-5.10/iwlwifi-remove-module-loading-failure-message.patch new file mode 100644 index 00000000000..fc273b87f72 --- /dev/null +++ b/queue-5.10/iwlwifi-remove-module-loading-failure-message.patch @@ -0,0 +1,51 @@ +From 63042d6509a709274fafd115561defd1801cbdd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 11:12:45 +0200 +Subject: iwlwifi: remove module loading failure message + +From: Johannes Berg + +[ Upstream commit 6518f83ffa51131daaf439b66094f684da3fb0ae ] + +When CONFIG_DEBUG_TEST_DRIVER_REMOVE is set, iwlwifi crashes +when the opmode module cannot be loaded, due to completing +the completion before using drv->dev, which can then already +be freed. + +Fix this by removing the (fairly useless) message. Moving the +completion later causes a deadlock instead, so that's not an +option. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/20211210091245.289008-2-luca@coelho.fi +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c +index 4bdfd6afa7324..30c6d7b18599a 100644 +--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c +@@ -1629,15 +1629,8 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context) + * else from proceeding if the module fails to load + * or hangs loading. + */ +- if (load_module) { ++ if (load_module) + request_module("%s", op->name); +-#ifdef CONFIG_IWLWIFI_OPMODE_MODULAR +- if (err) +- IWL_ERR(drv, +- "failed to load module %s (error %d), is dynamic loading enabled?\n", +- op->name, err); +-#endif +- } + failure = false; + goto free; + +-- +2.34.1 + diff --git a/queue-5.10/jffs2-gc-deadlock-reading-a-page-that-is-used-in-jff.patch b/queue-5.10/jffs2-gc-deadlock-reading-a-page-that-is-used-in-jff.patch new file mode 100644 index 00000000000..8375117d462 --- /dev/null +++ b/queue-5.10/jffs2-gc-deadlock-reading-a-page-that-is-used-in-jff.patch @@ -0,0 +1,133 @@ +From 43f86f9bd4a9c3bc2450579a6dd2e8ff61611b24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jul 2017 16:22:38 +1200 +Subject: jffs2: GC deadlock reading a page that is used in jffs2_write_begin() + +From: Kyeong Yoo + +[ Upstream commit aa39cc675799bc92da153af9a13d6f969c348e82 ] + +GC task can deadlock in read_cache_page() because it may attempt +to release a page that is actually allocated by another task in +jffs2_write_begin(). +The reason is that in jffs2_write_begin() there is a small window +a cache page is allocated for use but not set Uptodate yet. + +This ends up with a deadlock between two tasks: +1) A task (e.g. file copy) + - jffs2_write_begin() locks a cache page + - jffs2_write_end() tries to lock "alloc_sem" from + jffs2_reserve_space() <-- STUCK +2) GC task (jffs2_gcd_mtd3) + - jffs2_garbage_collect_pass() locks "alloc_sem" + - try to lock the same cache page in read_cache_page() <-- STUCK + +So to avoid this deadlock, hold "alloc_sem" in jffs2_write_begin() +while reading data in a cache page. + +Signed-off-by: Kyeong Yoo +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/jffs2/file.c | 40 +++++++++++++++++++++++++--------------- + 1 file changed, 25 insertions(+), 15 deletions(-) + +diff --git a/fs/jffs2/file.c b/fs/jffs2/file.c +index 4fc8cd698d1a4..bd7d58d27bfc6 100644 +--- a/fs/jffs2/file.c ++++ b/fs/jffs2/file.c +@@ -136,20 +136,15 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + struct page *pg; + struct inode *inode = mapping->host; + struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode); ++ struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb); + pgoff_t index = pos >> PAGE_SHIFT; + uint32_t pageofs = index << PAGE_SHIFT; + int ret = 0; + +- pg = grab_cache_page_write_begin(mapping, index, flags); +- if (!pg) +- return -ENOMEM; +- *pagep = pg; +- + jffs2_dbg(1, "%s()\n", __func__); + + if (pageofs > inode->i_size) { + /* Make new hole frag from old EOF to new page */ +- struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb); + struct jffs2_raw_inode ri; + struct jffs2_full_dnode *fn; + uint32_t alloc_len; +@@ -160,7 +155,7 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len, + ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE); + if (ret) +- goto out_page; ++ goto out_err; + + mutex_lock(&f->sem); + memset(&ri, 0, sizeof(ri)); +@@ -190,7 +185,7 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + ret = PTR_ERR(fn); + jffs2_complete_reservation(c); + mutex_unlock(&f->sem); +- goto out_page; ++ goto out_err; + } + ret = jffs2_add_full_dnode_to_inode(c, f, fn); + if (f->metadata) { +@@ -205,13 +200,26 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + jffs2_free_full_dnode(fn); + jffs2_complete_reservation(c); + mutex_unlock(&f->sem); +- goto out_page; ++ goto out_err; + } + jffs2_complete_reservation(c); + inode->i_size = pageofs; + mutex_unlock(&f->sem); + } + ++ /* ++ * While getting a page and reading data in, lock c->alloc_sem until ++ * the page is Uptodate. Otherwise GC task may attempt to read the same ++ * page in read_cache_page(), which causes a deadlock. ++ */ ++ mutex_lock(&c->alloc_sem); ++ pg = grab_cache_page_write_begin(mapping, index, flags); ++ if (!pg) { ++ ret = -ENOMEM; ++ goto release_sem; ++ } ++ *pagep = pg; ++ + /* + * Read in the page if it wasn't already present. Cannot optimize away + * the whole page write case until jffs2_write_end can handle the +@@ -221,15 +229,17 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, + mutex_lock(&f->sem); + ret = jffs2_do_readpage_nolock(inode, pg); + mutex_unlock(&f->sem); +- if (ret) +- goto out_page; ++ if (ret) { ++ unlock_page(pg); ++ put_page(pg); ++ goto release_sem; ++ } + } + jffs2_dbg(1, "end write_begin(). pg->flags %lx\n", pg->flags); +- return ret; + +-out_page: +- unlock_page(pg); +- put_page(pg); ++release_sem: ++ mutex_unlock(&c->alloc_sem); ++out_err: + return ret; + } + +-- +2.34.1 + diff --git a/queue-5.10/kvm-ppc-book3s-suppress-failed-alloc-warning-in-h_co.patch b/queue-5.10/kvm-ppc-book3s-suppress-failed-alloc-warning-in-h_co.patch new file mode 100644 index 00000000000..e5e4c35bf40 --- /dev/null +++ b/queue-5.10/kvm-ppc-book3s-suppress-failed-alloc-warning-in-h_co.patch @@ -0,0 +1,44 @@ +From 9f3a163ff2fefa758f852fb1386d820d38d38f13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 18:45:50 +1000 +Subject: KVM: PPC: Book3S: Suppress failed alloc warning in + H_COPY_TOFROM_GUEST + +From: Alexey Kardashevskiy + +[ Upstream commit 792020907b11c6f9246c21977cab3bad985ae4b6 ] + +H_COPY_TOFROM_GUEST is an hcall for an upper level VM to access its nested +VMs memory. The userspace can trigger WARN_ON_ONCE(!(gfp & __GFP_NOWARN)) +in __alloc_pages() by constructing a tiny VM which only does +H_COPY_TOFROM_GUEST with a too big GPR9 (number of bytes to copy). + +This silences the warning by adding __GFP_NOWARN. + +Spotted by syzkaller. + +Signed-off-by: Alexey Kardashevskiy +Reviewed-by: Fabiano Rosas +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210901084550.1658699-1-aik@ozlabs.ru +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/book3s_hv_nested.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kvm/book3s_hv_nested.c b/arch/powerpc/kvm/book3s_hv_nested.c +index a5f1ae892ba68..d0b6c8c16c48a 100644 +--- a/arch/powerpc/kvm/book3s_hv_nested.c ++++ b/arch/powerpc/kvm/book3s_hv_nested.c +@@ -510,7 +510,7 @@ long kvmhv_copy_tofrom_guest_nested(struct kvm_vcpu *vcpu) + if (eaddr & (0xFFFUL << 52)) + return H_PARAMETER; + +- buf = kzalloc(n, GFP_KERNEL); ++ buf = kzalloc(n, GFP_KERNEL | __GFP_NOWARN); + if (!buf) + return H_NO_MEM; + +-- +2.34.1 + diff --git a/queue-5.10/kvm-ppc-book3s-suppress-warnings-when-allocating-too.patch b/queue-5.10/kvm-ppc-book3s-suppress-warnings-when-allocating-too.patch new file mode 100644 index 00000000000..ecd17885a39 --- /dev/null +++ b/queue-5.10/kvm-ppc-book3s-suppress-warnings-when-allocating-too.patch @@ -0,0 +1,53 @@ +From 1d1768f15a7d279d8c5f0c28a2aa1b8f77c919aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 18:45:12 +1000 +Subject: KVM: PPC: Book3S: Suppress warnings when allocating too big memory + slots + +From: Alexey Kardashevskiy + +[ Upstream commit 511d25d6b789fffcb20a3eb71899cf974a31bd9d ] + +The userspace can trigger "vmalloc size %lu allocation failure: exceeds +total pages" via the KVM_SET_USER_MEMORY_REGION ioctl. + +This silences the warning by checking the limit before calling vzalloc() +and returns ENOMEM if failed. + +This does not call underlying valloc helpers as __vmalloc_node() is only +exported when CONFIG_TEST_VMALLOC_MODULE and __vmalloc_node_range() is +not exported at all. + +Spotted by syzkaller. + +Signed-off-by: Alexey Kardashevskiy +[mpe: Use 'size' for the variable rather than 'cb'] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210901084512.1658628-1-aik@ozlabs.ru +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/book3s_hv.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index 175967a195c44..527c205d5a5f5 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -4557,8 +4557,12 @@ static int kvmppc_core_prepare_memory_region_hv(struct kvm *kvm, + unsigned long npages = mem->memory_size >> PAGE_SHIFT; + + if (change == KVM_MR_CREATE) { +- slot->arch.rmap = vzalloc(array_size(npages, +- sizeof(*slot->arch.rmap))); ++ unsigned long size = array_size(npages, sizeof(*slot->arch.rmap)); ++ ++ if ((size >> PAGE_SHIFT) > totalram_pages()) ++ return -ENOMEM; ++ ++ slot->arch.rmap = vzalloc(size); + if (!slot->arch.rmap) + return -ENOMEM; + } +-- +2.34.1 + diff --git a/queue-5.10/lib-mpi-add-the-return-value-check-of-kcalloc.patch b/queue-5.10/lib-mpi-add-the-return-value-check-of-kcalloc.patch new file mode 100644 index 00000000000..819f162289a --- /dev/null +++ b/queue-5.10/lib-mpi-add-the-return-value-check-of-kcalloc.patch @@ -0,0 +1,37 @@ +From f849b31ed821802b17064cb6a88f8bc515cef796 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Dec 2021 15:03:31 +0800 +Subject: lib/mpi: Add the return value check of kcalloc() + +From: Zizhuang Deng + +[ Upstream commit dd827abe296fe4249b2f8c9b95f72f814ea8348c ] + +Add the return value check of kcalloc() to avoid potential +NULL ptr dereference. + +Fixes: a8ea8bdd9df9 ("lib/mpi: Extend the MPI library") +Signed-off-by: Zizhuang Deng +Reviewed-by: Tianjia Zhang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + lib/mpi/mpi-mod.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/mpi/mpi-mod.c b/lib/mpi/mpi-mod.c +index 47bc59edd4ff9..54fcc01564d9d 100644 +--- a/lib/mpi/mpi-mod.c ++++ b/lib/mpi/mpi-mod.c +@@ -40,6 +40,8 @@ mpi_barrett_t mpi_barrett_init(MPI m, int copy) + + mpi_normalize(m); + ctx = kcalloc(1, sizeof(*ctx), GFP_KERNEL); ++ if (!ctx) ++ return NULL; + + if (copy) { + ctx->m = mpi_copy(m); +-- +2.34.1 + diff --git a/queue-5.10/libbpf-validate-that-.btf-and-.btf.ext-sections-cont.patch b/queue-5.10/libbpf-validate-that-.btf-and-.btf.ext-sections-cont.patch new file mode 100644 index 00000000000..f51ede2a32e --- /dev/null +++ b/queue-5.10/libbpf-validate-that-.btf-and-.btf.ext-sections-cont.patch @@ -0,0 +1,43 @@ +From 91230f9cc6744934c144a549c16afe63a5c87ff1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 10:32:11 -0700 +Subject: libbpf: Validate that .BTF and .BTF.ext sections contain data + +From: Andrii Nakryiko + +[ Upstream commit 62554d52e71797eefa3fc15b54008038837bb2d4 ] + +.BTF and .BTF.ext ELF sections should have SHT_PROGBITS type and contain +data. If they are not, ELF is invalid or corrupted, so bail out. +Otherwise this can lead to data->d_buf being NULL and SIGSEGV later on. +Reported by oss-fuzz project. + +Signed-off-by: Andrii Nakryiko +Signed-off-by: Alexei Starovoitov +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20211103173213.1376990-4-andrii@kernel.org +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index b337d6f29098b..e8ad53d31044a 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -2870,8 +2870,12 @@ static int bpf_object__elf_collect(struct bpf_object *obj) + } else if (strcmp(name, MAPS_ELF_SEC) == 0) { + obj->efile.btf_maps_shndx = idx; + } else if (strcmp(name, BTF_ELF_SEC) == 0) { ++ if (sh->sh_type != SHT_PROGBITS) ++ return -LIBBPF_ERRNO__FORMAT; + btf_data = data; + } else if (strcmp(name, BTF_EXT_ELF_SEC) == 0) { ++ if (sh->sh_type != SHT_PROGBITS) ++ return -LIBBPF_ERRNO__FORMAT; + btf_ext_data = data; + } else if (sh.sh_type == SHT_SYMTAB) { + /* already processed during the first pass above */ +-- +2.34.1 + diff --git a/queue-5.10/mac80211-allow-non-standard-vht-mcs-10-11.patch b/queue-5.10/mac80211-allow-non-standard-vht-mcs-10-11.patch new file mode 100644 index 00000000000..a8da5355e8a --- /dev/null +++ b/queue-5.10/mac80211-allow-non-standard-vht-mcs-10-11.patch @@ -0,0 +1,49 @@ +From 726d0f25297f8cbfbcc2e5fa00ed9925ee67c094 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jan 2022 09:36:21 +0800 +Subject: mac80211: allow non-standard VHT MCS-10/11 + +From: Ping-Ke Shih + +[ Upstream commit 04be6d337d37400ad5b3d5f27ca87645ee5a18a3 ] + +Some AP can possibly try non-standard VHT rate and mac80211 warns and drops +packets, and leads low TCP throughput. + + Rate marked as a VHT rate but data is invalid: MCS: 10, NSS: 2 + WARNING: CPU: 1 PID: 7817 at net/mac80211/rx.c:4856 ieee80211_rx_list+0x223/0x2f0 [mac8021 + +Since commit c27aa56a72b8 ("cfg80211: add VHT rate entries for MCS-10 and MCS-11") +has added, mac80211 adds this support as well. + +After this patch, throughput is good and iw can get the bitrate: + rx bitrate: 975.1 MBit/s VHT-MCS 10 80MHz short GI VHT-NSS 2 +or + rx bitrate: 1083.3 MBit/s VHT-MCS 11 80MHz short GI VHT-NSS 2 + +Buglink: https://bugzilla.suse.com/show_bug.cgi?id=1192891 +Reported-by: Goldwyn Rodrigues +Signed-off-by: Ping-Ke Shih +Link: https://lore.kernel.org/r/20220103013623.17052-1-pkshih@realtek.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index 6a24431b90095..d27c444a19ed1 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -4800,7 +4800,7 @@ void ieee80211_rx_list(struct ieee80211_hw *hw, struct ieee80211_sta *pubsta, + goto drop; + break; + case RX_ENC_VHT: +- if (WARN_ONCE(status->rate_idx > 9 || ++ if (WARN_ONCE(status->rate_idx > 11 || + !status->nss || + status->nss > 8, + "Rate marked as a VHT rate but data is invalid: MCS: %d, NSS: %d\n", +-- +2.34.1 + diff --git a/queue-5.10/media-aspeed-fix-mode-detect-always-time-out-at-2nd-.patch b/queue-5.10/media-aspeed-fix-mode-detect-always-time-out-at-2nd-.patch new file mode 100644 index 00000000000..ad4715c1cce --- /dev/null +++ b/queue-5.10/media-aspeed-fix-mode-detect-always-time-out-at-2nd-.patch @@ -0,0 +1,56 @@ +From ffd09cebc7aca44c49c080b80b409ec2d81abb97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 08:23:54 +0000 +Subject: media: aspeed: fix mode-detect always time out at 2nd run + +From: Jammy Huang + +[ Upstream commit 62cea52ad4bead0ae4be2cfe1142eb0aae0e9fbd ] + +aspeed_video_get_resolution() will try to do res-detect again if the +timing got in last try is invalid. But it will always time out because +VE_SEQ_CTRL_TRIG_MODE_DET is only cleared after 1st mode-detect. + +To fix the problem, just clear VE_SEQ_CTRL_TRIG_MODE_DET before setting +it in aspeed_video_enable_mode_detect(). + +Fixes: d2b4387f3bdf ("media: platform: Add Aspeed Video Engine driver") +Signed-off-by: Jammy Huang +Acked-by: Paul Menzel +Reviewed-by: Joel Stanley +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/aspeed-video.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/platform/aspeed-video.c b/drivers/media/platform/aspeed-video.c +index 7bb6babdcade0..23c41c545c536 100644 +--- a/drivers/media/platform/aspeed-video.c ++++ b/drivers/media/platform/aspeed-video.c +@@ -500,6 +500,10 @@ static void aspeed_video_enable_mode_detect(struct aspeed_video *video) + aspeed_video_update(video, VE_INTERRUPT_CTRL, 0, + VE_INTERRUPT_MODE_DETECT); + ++ /* Disable mode detect in order to re-trigger */ ++ aspeed_video_update(video, VE_SEQ_CTRL, ++ VE_SEQ_CTRL_TRIG_MODE_DET, 0); ++ + /* Trigger mode detect */ + aspeed_video_update(video, VE_SEQ_CTRL, 0, VE_SEQ_CTRL_TRIG_MODE_DET); + } +@@ -786,10 +790,6 @@ static void aspeed_video_get_resolution(struct aspeed_video *video) + return; + } + +- /* Disable mode detect in order to re-trigger */ +- aspeed_video_update(video, VE_SEQ_CTRL, +- VE_SEQ_CTRL_TRIG_MODE_DET, 0); +- + aspeed_video_check_and_set_polarity(video); + + aspeed_video_enable_mode_detect(video); +-- +2.34.1 + diff --git a/queue-5.10/media-aspeed-update-signal-status-immediately-to-ens.patch b/queue-5.10/media-aspeed-update-signal-status-immediately-to-ens.patch new file mode 100644 index 00000000000..19b6137b3cd --- /dev/null +++ b/queue-5.10/media-aspeed-update-signal-status-immediately-to-ens.patch @@ -0,0 +1,66 @@ +From f895d7c21a4439b9c924f5b1d0e7d0123f758873 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Nov 2021 03:12:27 +0000 +Subject: media: aspeed: Update signal status immediately to ensure sane hw + state + +From: Jammy Huang + +[ Upstream commit af6d1bde395cac174ee71adcd3fa43f6435c7206 ] + +If res-chg, VE_INTERRUPT_MODE_DETECT_WD irq will be raised. But +v4l2_input_status won't be updated to no-signal immediately until +aspeed_video_get_resolution() in aspeed_video_resolution_work(). + +During the period of time, aspeed_video_start_frame() could be called +because it doesn't know signal becomes unstable now. If it goes with +aspeed_video_init_regs() of aspeed_video_irq_res_change() +simultaneously, it will mess up hw state. + +To fix this problem, v4l2_input_status is updated to no-signal +immediately for VE_INTERRUPT_MODE_DETECT_WD irq. + +Fixes: d2b4387f3bdf ("media: platform: Add Aspeed Video Engine driver") +Signed-off-by: Jammy Huang +Acked-by: Paul Menzel +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/aspeed-video.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/aspeed-video.c b/drivers/media/platform/aspeed-video.c +index 23c41c545c536..debc7509c173c 100644 +--- a/drivers/media/platform/aspeed-video.c ++++ b/drivers/media/platform/aspeed-video.c +@@ -556,6 +556,8 @@ static void aspeed_video_irq_res_change(struct aspeed_video *video, ulong delay) + set_bit(VIDEO_RES_CHANGE, &video->flags); + clear_bit(VIDEO_FRAME_INPRG, &video->flags); + ++ video->v4l2_input_status = V4L2_IN_ST_NO_SIGNAL; ++ + aspeed_video_off(video); + aspeed_video_bufs_done(video, VB2_BUF_STATE_ERROR); + +@@ -1337,7 +1339,6 @@ static void aspeed_video_resolution_work(struct work_struct *work) + struct delayed_work *dwork = to_delayed_work(work); + struct aspeed_video *video = container_of(dwork, struct aspeed_video, + res_work); +- u32 input_status = video->v4l2_input_status; + + aspeed_video_on(video); + +@@ -1350,8 +1351,7 @@ static void aspeed_video_resolution_work(struct work_struct *work) + aspeed_video_get_resolution(video); + + if (video->detected_timings.width != video->active_timings.width || +- video->detected_timings.height != video->active_timings.height || +- input_status != video->v4l2_input_status) { ++ video->detected_timings.height != video->active_timings.height) { + static const struct v4l2_event ev = { + .type = V4L2_EVENT_SOURCE_CHANGE, + .u.src_change.changes = V4L2_EVENT_SRC_CH_RESOLUTION, +-- +2.34.1 + diff --git a/queue-5.10/media-atomisp-add-missing-media_device_cleanup-in-at.patch b/queue-5.10/media-atomisp-add-missing-media_device_cleanup-in-at.patch new file mode 100644 index 00000000000..e9ac18e254c --- /dev/null +++ b/queue-5.10/media-atomisp-add-missing-media_device_cleanup-in-at.patch @@ -0,0 +1,44 @@ +From 1bc49485c94a36b43aa9d7e8ca053d81b1f6ba74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 01:19:41 +0900 +Subject: media: atomisp: add missing media_device_cleanup() in + atomisp_unregister_entities() + +From: Tsuchiya Yuto + +[ Upstream commit ce3015b7212e96db426d0c36f80fd159c91155d1 ] + +After the commit 9832e155f1ed ("[media] media-device: split media +initialization and registration"), calling media_device_cleanup() +is needed it seems. However, currently it is missing for the module +unload path. + +Note that for the probe failure path, it is already added in +atomisp_register_entities(). + +This patch adds the missing call of media_device_cleanup() in +atomisp_unregister_entities(). + +Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2") +Signed-off-by: Tsuchiya Yuto +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/atomisp/pci/atomisp_v4l2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/media/atomisp/pci/atomisp_v4l2.c b/drivers/staging/media/atomisp/pci/atomisp_v4l2.c +index fa1bd99cd6f17..d35506f643609 100644 +--- a/drivers/staging/media/atomisp/pci/atomisp_v4l2.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_v4l2.c +@@ -1182,6 +1182,7 @@ static void atomisp_unregister_entities(struct atomisp_device *isp) + + v4l2_device_unregister(&isp->v4l2_dev); + media_device_unregister(&isp->media_dev); ++ media_device_cleanup(&isp->media_dev); + } + + static int atomisp_register_entities(struct atomisp_device *isp) +-- +2.34.1 + diff --git a/queue-5.10/media-atomisp-add-null-check-for-asd-obtained-from-a.patch b/queue-5.10/media-atomisp-add-null-check-for-asd-obtained-from-a.patch new file mode 100644 index 00000000000..763411c683c --- /dev/null +++ b/queue-5.10/media-atomisp-add-null-check-for-asd-obtained-from-a.patch @@ -0,0 +1,463 @@ +From f2d44b96214177eaf0e749ee4ca47aa914768c58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 01:23:34 +0900 +Subject: media: atomisp: add NULL check for asd obtained from + atomisp_video_pipe + +From: Tsuchiya Yuto + +[ Upstream commit c10bcb13462e9cf43111d17f1e08b4bb4d4401b0 ] + +This is almost a BUG report with RFC patch that just avoids kernel +oopses. Thus, prefixed with [BUG][RFC]. + +Here is the kernel log after running `v4l2-compliance -d /dev/video4` +with this patch applied: + + kern :err : [25507.580392] atomisp-isp2 0000:00:03.0: can't change power state from D3cold to D0 (config space inaccessible) + kern :warn : [25507.592343] isys dma store at addr(0xcd408) val(0) + kern :err : [25507.592995] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.593685] atomisp-isp2 0000:00:03.0: atomisp_g_input(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.593719] atomisp-isp2 0000:00:03.0: atomisp_g_parm(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.593727] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC + [omitting 42 same messages] + kern :err : [25507.593976] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.594191] atomisp-isp2 0000:00:03.0: atomisp_g_input(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.594449] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC + [omitting 43 same messages] + kern :err : [25507.594756] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.594779] atomisp-isp2 0000:00:03.0: atomisp_g_ctrl(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.594787] atomisp-isp2 0000:00:03.0: atomisp_s_ctrl(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.594803] atomisp-isp2 0000:00:03.0: atomisp_camera_g_ext_ctrls(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.594880] atomisp-isp2 0000:00:03.0: atomisp_enum_fmt_cap(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.594915] atomisp-isp2 0000:00:03.0: atomisp_g_parm(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.595058] atomisp-isp2 0000:00:03.0: atomisp_try_fmt(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.595089] atomisp-isp2 0000:00:03.0: atomisp_set_fmt(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.595124] atomisp-isp2 0000:00:03.0: atomisp_set_fmt(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.595221] atomisp-isp2 0000:00:03.0: atomisp_set_fmt(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.595241] atomisp-isp2 0000:00:03.0: atomisp_set_fmt(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.601571] atomisp-isp2 0000:00:03.0: can't change power state from D3cold to D0 (config space inaccessible) + kern :warn : [25507.607496] isys dma store at addr(0xcd408) val(0) + kern :err : [25507.608604] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.611988] atomisp-isp2 0000:00:03.0: can't change power state from D3cold to D0 (config space inaccessible) + kern :warn : [25507.617420] isys dma store at addr(0xcd408) val(0) + kern :err : [25507.618429] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.618811] atomisp-isp2 0000:00:03.0: atomisp_g_parm(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.622193] atomisp-isp2 0000:00:03.0: can't change power state from D3cold to D0 (config space inaccessible) + kern :warn : [25507.627355] isys dma store at addr(0xcd408) val(0) + kern :err : [25507.628391] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.631143] atomisp-isp2 0000:00:03.0: can't change power state from D3cold to D0 (config space inaccessible) + kern :warn : [25507.635813] isys dma store at addr(0xcd408) val(0) + kern :err : [25507.636489] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.636504] atomisp-isp2 0000:00:03.0: atomisp_s_input(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.636516] atomisp-isp2 0000:00:03.0: atomisp_set_fmt(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.639111] atomisp-isp2 0000:00:03.0: can't change power state from D3cold to D0 (config space inaccessible) + kern :warn : [25507.646152] isys dma store at addr(0xcd408) val(0) + kern :err : [25507.646831] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.646847] atomisp-isp2 0000:00:03.0: atomisp_s_input(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.650079] atomisp-isp2 0000:00:03.0: can't change power state from D3cold to D0 (config space inaccessible) + kern :warn : [25507.657476] isys dma store at addr(0xcd408) val(0) + kern :err : [25507.658741] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.658759] atomisp-isp2 0000:00:03.0: atomisp_s_input(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.658771] atomisp-isp2 0000:00:03.0: atomisp_set_fmt(): asd is NULL, device is ATOMISP ISP ACC + kern :err : [25507.660959] atomisp-isp2 0000:00:03.0: can't change power state from D3cold to D0 (config space inaccessible) + kern :warn : [25507.666665] isys dma store at addr(0xcd408) val(0) + kern :err : [25507.667397] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC + +[mchehab: fix coding style] +Signed-off-by: Tsuchiya Yuto +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../staging/media/atomisp/pci/atomisp_cmd.c | 73 +++++++++++++++ + .../staging/media/atomisp/pci/atomisp_fops.c | 6 ++ + .../staging/media/atomisp/pci/atomisp_ioctl.c | 90 +++++++++++++++++++ + 3 files changed, 169 insertions(+) + +diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c +index 21cd03f06291d..90d50a693ce57 100644 +--- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c +@@ -1715,6 +1715,12 @@ void atomisp_wdt_refresh_pipe(struct atomisp_video_pipe *pipe, + { + unsigned long next; + ++ if (!pipe->asd) { ++ dev_err(pipe->isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, pipe->vdev.name); ++ return; ++ } ++ + if (delay != ATOMISP_WDT_KEEP_CURRENT_DELAY) + pipe->wdt_duration = delay; + +@@ -1777,6 +1783,12 @@ void atomisp_wdt_refresh(struct atomisp_sub_device *asd, unsigned int delay) + /* ISP2401 */ + void atomisp_wdt_stop_pipe(struct atomisp_video_pipe *pipe, bool sync) + { ++ if (!pipe->asd) { ++ dev_err(pipe->isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, pipe->vdev.name); ++ return; ++ } ++ + if (!atomisp_is_wdt_running(pipe)) + return; + +@@ -4109,6 +4121,12 @@ void atomisp_handle_parameter_and_buffer(struct atomisp_video_pipe *pipe) + unsigned long irqflags; + bool need_to_enqueue_buffer = false; + ++ if (!asd) { ++ dev_err(pipe->isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, pipe->vdev.name); ++ return; ++ } ++ + if (atomisp_is_vf_pipe(pipe)) + return; + +@@ -4196,6 +4214,12 @@ int atomisp_set_parameters(struct video_device *vdev, + struct atomisp_css_params *css_param = &asd->params.css_param; + int ret; + ++ if (!asd) { ++ dev_err(pipe->isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + if (!asd->stream_env[ATOMISP_INPUT_STREAM_GENERAL].stream) { + dev_err(asd->isp->dev, "%s: internal error!\n", __func__); + return -EINVAL; +@@ -4856,6 +4880,12 @@ int atomisp_try_fmt(struct video_device *vdev, struct v4l2_format *f, + int source_pad = atomisp_subdev_source_pad(vdev); + int ret; + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + if (!isp->inputs[asd->input_curr].camera) + return -EINVAL; + +@@ -5202,6 +5232,12 @@ static int atomisp_set_fmt_to_isp(struct video_device *vdev, + const struct atomisp_in_fmt_conv *fc; + int ret, i; + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + v4l2_fh_init(&fh.vfh, vdev); + + isp_sink_crop = atomisp_subdev_get_rect( +@@ -5513,6 +5549,7 @@ static int atomisp_set_fmt_to_snr(struct video_device *vdev, + unsigned int dvs_env_w, unsigned int dvs_env_h) + { + struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd; ++ struct atomisp_video_pipe *pipe = atomisp_to_video_pipe(vdev); + const struct atomisp_format_bridge *format; + struct v4l2_subdev_pad_config pad_cfg; + struct v4l2_subdev_format vformat = { +@@ -5528,6 +5565,12 @@ static int atomisp_set_fmt_to_snr(struct video_device *vdev, + struct v4l2_subdev_fh fh; + int ret; + ++ if (!asd) { ++ dev_err(pipe->isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + v4l2_fh_init(&fh.vfh, vdev); + + stream_index = atomisp_source_pad_to_stream_id(asd, source_pad); +@@ -5618,6 +5661,12 @@ int atomisp_set_fmt(struct video_device *vdev, struct v4l2_format *f) + struct v4l2_subdev_fh fh; + int ret; + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + if (source_pad >= ATOMISP_SUBDEV_PADS_NUM) + return -EINVAL; + +@@ -6051,6 +6100,12 @@ int atomisp_set_fmt_file(struct video_device *vdev, struct v4l2_format *f) + struct v4l2_subdev_fh fh; + int ret; + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + v4l2_fh_init(&fh.vfh, vdev); + + dev_dbg(isp->dev, "setting fmt %ux%u 0x%x for file inject\n", +@@ -6375,6 +6430,12 @@ bool atomisp_is_vf_pipe(struct atomisp_video_pipe *pipe) + { + struct atomisp_sub_device *asd = pipe->asd; + ++ if (!asd) { ++ dev_err(pipe->isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, pipe->vdev.name); ++ return false; ++ } ++ + if (pipe == &asd->video_out_vf) + return true; + +@@ -6588,6 +6649,12 @@ static int atomisp_get_pipe_id(struct atomisp_video_pipe *pipe) + { + struct atomisp_sub_device *asd = pipe->asd; + ++ if (!asd) { ++ dev_err(pipe->isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, pipe->vdev.name); ++ return -EINVAL; ++ } ++ + if (ATOMISP_USE_YUVPP(asd)) { + return IA_CSS_PIPE_ID_YUVPP; + } else if (asd->vfpp->val == ATOMISP_VFPP_DISABLE_SCALER) { +@@ -6625,6 +6692,12 @@ int atomisp_get_invalid_frame_num(struct video_device *vdev, + struct ia_css_pipe_info p_info; + int ret; + ++ if (!asd) { ++ dev_err(pipe->isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + if (asd->isp->inputs[asd->input_curr].camera_caps-> + sensor[asd->sensor_curr].stream_num > 1) { + /* External ISP */ +diff --git a/drivers/staging/media/atomisp/pci/atomisp_fops.c b/drivers/staging/media/atomisp/pci/atomisp_fops.c +index f1e6b25978534..52d24c1ca0d64 100644 +--- a/drivers/staging/media/atomisp/pci/atomisp_fops.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_fops.c +@@ -1171,6 +1171,12 @@ static int atomisp_mmap(struct file *file, struct vm_area_struct *vma) + u32 origin_size, new_size; + int ret; + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + if (!(vma->vm_flags & (VM_WRITE | VM_READ))) + return -EACCES; + +diff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c +index 9da82855552de..35717a91cbd15 100644 +--- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c +@@ -646,6 +646,12 @@ static int atomisp_g_input(struct file *file, void *fh, unsigned int *input) + struct atomisp_device *isp = video_get_drvdata(vdev); + struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd; + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + rt_mutex_lock(&isp->mutex); + *input = asd->input_curr; + rt_mutex_unlock(&isp->mutex); +@@ -665,6 +671,12 @@ static int atomisp_s_input(struct file *file, void *fh, unsigned int input) + struct v4l2_subdev *motor; + int ret; + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + rt_mutex_lock(&isp->mutex); + if (input >= ATOM_ISP_MAX_INPUTS || input >= isp->input_cnt) { + dev_dbg(isp->dev, "input_cnt: %d\n", isp->input_cnt); +@@ -765,6 +777,12 @@ static int atomisp_enum_fmt_cap(struct file *file, void *fh, + unsigned int i, fi = 0; + int rval; + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + rt_mutex_lock(&isp->mutex); + rval = v4l2_subdev_call(isp->inputs[asd->input_curr].camera, pad, + enum_mbus_code, NULL, &code); +@@ -1027,6 +1045,12 @@ int __atomisp_reqbufs(struct file *file, void *fh, + u16 stream_id = atomisp_source_pad_to_stream_id(asd, source_pad); + int ret = 0, i = 0; + ++ if (!asd) { ++ dev_err(pipe->isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + if (req->count == 0) { + mutex_lock(&pipe->capq.vb_lock); + if (!list_empty(&pipe->capq.stream)) +@@ -1154,6 +1178,12 @@ static int atomisp_qbuf(struct file *file, void *fh, struct v4l2_buffer *buf) + u32 pgnr; + int ret = 0; + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + rt_mutex_lock(&isp->mutex); + if (isp->isp_fatal_error) { + ret = -EIO; +@@ -1389,6 +1419,12 @@ static int atomisp_dqbuf(struct file *file, void *fh, struct v4l2_buffer *buf) + struct atomisp_device *isp = video_get_drvdata(vdev); + int ret = 0; + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + rt_mutex_lock(&isp->mutex); + + if (isp->isp_fatal_error) { +@@ -1640,6 +1676,12 @@ static int atomisp_streamon(struct file *file, void *fh, + int ret = 0; + unsigned long irqflags; + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + dev_dbg(isp->dev, "Start stream on pad %d for asd%d\n", + atomisp_subdev_source_pad(vdev), asd->index); + +@@ -1901,6 +1943,12 @@ int __atomisp_streamoff(struct file *file, void *fh, enum v4l2_buf_type type) + unsigned long flags; + bool first_streamoff = false; + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + dev_dbg(isp->dev, "Stop stream on pad %d for asd%d\n", + atomisp_subdev_source_pad(vdev), asd->index); + +@@ -2150,6 +2198,12 @@ static int atomisp_g_ctrl(struct file *file, void *fh, + struct atomisp_device *isp = video_get_drvdata(vdev); + int i, ret = -EINVAL; + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + for (i = 0; i < ctrls_num; i++) { + if (ci_v4l2_controls[i].id == control->id) { + ret = 0; +@@ -2229,6 +2283,12 @@ static int atomisp_s_ctrl(struct file *file, void *fh, + struct atomisp_device *isp = video_get_drvdata(vdev); + int i, ret = -EINVAL; + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + for (i = 0; i < ctrls_num; i++) { + if (ci_v4l2_controls[i].id == control->id) { + ret = 0; +@@ -2310,6 +2370,12 @@ static int atomisp_queryctl(struct file *file, void *fh, + struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd; + struct atomisp_device *isp = video_get_drvdata(vdev); + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + switch (qc->id) { + case V4L2_CID_FOCUS_ABSOLUTE: + case V4L2_CID_FOCUS_RELATIVE: +@@ -2355,6 +2421,12 @@ static int atomisp_camera_g_ext_ctrls(struct file *file, void *fh, + int i; + int ret = 0; + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + if (!IS_ISP2401) + motor = isp->inputs[asd->input_curr].motor; + else +@@ -2466,6 +2538,12 @@ static int atomisp_camera_s_ext_ctrls(struct file *file, void *fh, + int i; + int ret = 0; + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + if (!IS_ISP2401) + motor = isp->inputs[asd->input_curr].motor; + else +@@ -2591,6 +2669,12 @@ static int atomisp_g_parm(struct file *file, void *fh, + struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd; + struct atomisp_device *isp = video_get_drvdata(vdev); + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + if (parm->type != V4L2_BUF_TYPE_VIDEO_CAPTURE) { + dev_err(isp->dev, "unsupported v4l2 buf type\n"); + return -EINVAL; +@@ -2613,6 +2697,12 @@ static int atomisp_s_parm(struct file *file, void *fh, + int rval; + int fps; + ++ if (!asd) { ++ dev_err(isp->dev, "%s(): asd is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + if (parm->type != V4L2_BUF_TYPE_VIDEO_CAPTURE) { + dev_err(isp->dev, "unsupported v4l2 buf type\n"); + return -EINVAL; +-- +2.34.1 + diff --git a/queue-5.10/media-atomisp-do-not-use-err-var-when-checking-port-.patch b/queue-5.10/media-atomisp-do-not-use-err-var-when-checking-port-.patch new file mode 100644 index 00000000000..32939b8fd64 --- /dev/null +++ b/queue-5.10/media-atomisp-do-not-use-err-var-when-checking-port-.patch @@ -0,0 +1,64 @@ +From 5d33bcbff069e18bf778c84d4c9d79f59c1b2f3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 01:19:44 +0900 +Subject: media: atomisp: do not use err var when checking port validity for + ISP2400 + +From: Tsuchiya Yuto + +[ Upstream commit 9f6b4fa2d2dfbff4b8a57eeb39b1128a6094ee20 ] + +Currently, the `port >= N_CSI_PORTS || err` checks for ISP2400 are always +evaluated as true because the err variable is set to `-EINVAL` on +declaration but the variable is never used until the evaluation. + +Looking at the diff of commit 3c0538fbad9f ("media: atomisp: get rid of +most checks for ISP2401 version"), the `port >= N_CSI_PORTS` check is +for ISP2400 and the err variable check is for ISP2401. Fix this issue +by adding ISP version test there accordingly. + +Fixes: 3c0538fbad9f ("media: atomisp: get rid of most checks for ISP2401 version") +Signed-off-by: Tsuchiya Yuto +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/atomisp/pci/sh_css_mipi.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/staging/media/atomisp/pci/sh_css_mipi.c b/drivers/staging/media/atomisp/pci/sh_css_mipi.c +index e18c0cfb4ce3a..34b71c1b7c1ec 100644 +--- a/drivers/staging/media/atomisp/pci/sh_css_mipi.c ++++ b/drivers/staging/media/atomisp/pci/sh_css_mipi.c +@@ -446,7 +446,8 @@ allocate_mipi_frames(struct ia_css_pipe *pipe, + + assert(port < N_CSI_PORTS); + +- if (port >= N_CSI_PORTS || err) { ++ if ((!IS_ISP2401 && port >= N_CSI_PORTS) || ++ (IS_ISP2401 && err)) { + ia_css_debug_dtrace(IA_CSS_DEBUG_TRACE_PRIVATE, + "allocate_mipi_frames(%p) exit: error: port is not correct (port=%d).\n", + pipe, port); +@@ -578,7 +579,8 @@ free_mipi_frames(struct ia_css_pipe *pipe) { + + assert(port < N_CSI_PORTS); + +- if (port >= N_CSI_PORTS || err) { ++ if ((!IS_ISP2401 && port >= N_CSI_PORTS) || ++ (IS_ISP2401 && err)) { + ia_css_debug_dtrace(IA_CSS_DEBUG_TRACE_PRIVATE, + "free_mipi_frames(%p, %d) exit: error: pipe port is not correct.\n", + pipe, port); +@@ -690,7 +692,8 @@ send_mipi_frames(struct ia_css_pipe *pipe) { + + assert(port < N_CSI_PORTS); + +- if (port >= N_CSI_PORTS || err) { ++ if ((!IS_ISP2401 && port >= N_CSI_PORTS) || ++ (IS_ISP2401 && err)) { + IA_CSS_ERROR("send_mipi_frames(%p) exit: invalid port specified (port=%d).\n", + pipe, port); + return err; +-- +2.34.1 + diff --git a/queue-5.10/media-atomisp-fix-enum-formats-logic.patch b/queue-5.10/media-atomisp-fix-enum-formats-logic.patch new file mode 100644 index 00000000000..6992065f540 --- /dev/null +++ b/queue-5.10/media-atomisp-fix-enum-formats-logic.patch @@ -0,0 +1,82 @@ +From 5d4a4a0ca1b0133dcb784cd8d3ae65b4ed1c6feb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 09:06:52 +0100 +Subject: media: atomisp: fix enum formats logic + +From: Mauro Carvalho Chehab + +[ Upstream commit fae46cb0531b45c789e39128f676f2bafa3a7b47 ] + +Changeset 374d62e7aa50 ("media: v4l2-subdev: Verify v4l2_subdev_call() pad config argument") +added an extra verification for a pads parameter for enum mbus +format code. + +Such change broke atomisp, because now the V4L2 core +refuses to enum MBUS formats if the state is empty. + +So, add .which field in order to select the active formats, +in order to make it work again. + +While here, improve error messages. + +Fixes: 374d62e7aa50 ("media: v4l2-subdev: Verify v4l2_subdev_call() pad config argument") +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../staging/media/atomisp/pci/atomisp_ioctl.c | 23 ++++++++++++++----- + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c +index 35717a91cbd15..830df02626634 100644 +--- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c +@@ -773,7 +773,10 @@ static int atomisp_enum_fmt_cap(struct file *file, void *fh, + struct video_device *vdev = video_devdata(file); + struct atomisp_device *isp = video_get_drvdata(vdev); + struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd; +- struct v4l2_subdev_mbus_code_enum code = { 0 }; ++ struct v4l2_subdev_mbus_code_enum code = { ++ .which = V4L2_SUBDEV_FORMAT_ACTIVE, ++ }; ++ struct v4l2_subdev *camera; + unsigned int i, fi = 0; + int rval; + +@@ -783,14 +786,20 @@ static int atomisp_enum_fmt_cap(struct file *file, void *fh, + return -EINVAL; + } + ++ camera = isp->inputs[asd->input_curr].camera; ++ if(!camera) { ++ dev_err(isp->dev, "%s(): camera is NULL, device is %s\n", ++ __func__, vdev->name); ++ return -EINVAL; ++ } ++ + rt_mutex_lock(&isp->mutex); +- rval = v4l2_subdev_call(isp->inputs[asd->input_curr].camera, pad, +- enum_mbus_code, NULL, &code); ++ ++ rval = v4l2_subdev_call(camera, pad, enum_mbus_code, NULL, &code); + if (rval == -ENOIOCTLCMD) { + dev_warn(isp->dev, +- "enum_mbus_code pad op not supported. Please fix your sensor driver!\n"); +- // rval = v4l2_subdev_call(isp->inputs[asd->input_curr].camera, +- // video, enum_mbus_fmt, 0, &code.code); ++ "enum_mbus_code pad op not supported by %s. Please fix your sensor driver!\n", ++ camera->name); + } + rt_mutex_unlock(&isp->mutex); + +@@ -820,6 +829,8 @@ static int atomisp_enum_fmt_cap(struct file *file, void *fh, + f->pixelformat = format->pixelformat; + return 0; + } ++ dev_err(isp->dev, "%s(): format for code %x not found.\n", ++ __func__, code.code); + + return -EINVAL; + } +-- +2.34.1 + diff --git a/queue-5.10/media-atomisp-fix-ifdefs-in-sh_css.c.patch b/queue-5.10/media-atomisp-fix-ifdefs-in-sh_css.c.patch new file mode 100644 index 00000000000..82417c5ed18 --- /dev/null +++ b/queue-5.10/media-atomisp-fix-ifdefs-in-sh_css.c.patch @@ -0,0 +1,137 @@ +From 30a69a770f412a18bf64f2ebd27780b719a9c85c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 01:19:47 +0900 +Subject: media: atomisp: fix ifdefs in sh_css.c + +From: Tsuchiya Yuto + +[ Upstream commit 5a1b2725558f8a3b4cbf0504f53cffae8e163034 ] + + ## `if (pipe->stream->config.mode == IA_CSS_INPUT_MODE_TPG) {` case + +The intel-aero atomisp has `#if defined(IS_ISP_2400_SYSTEM)` [1]. It is +to be defined in the following two places [2]: + + - css/hive_isp_css_common/system_global.h + - css/css_2401_csi2p_system/system_global.h + +and the former file is to be included on ISP2400 devices, too. So, it +is to be defined for both ISP2400 and ISP2401 devices. + +Because the upstreamed atomisp driver now supports only ISP2400 and +ISP2401, just remove the ISP version test again. This matches the other +upstream commits like 3c0538fbad9f ("media: atomisp: get rid of most +checks for ISP2401 version"). + +While here, moved the comment for define GP_ISEL_TPG_MODE to the +appropriate place. + +[1] https://github.com/intel-aero/linux-kernel/blob/a1b673258feb915268377275130c5c5df0eafc82/drivers/media/pci/atomisp/css/sh_css.c#L552-L558 +[2] https://github.com/intel-aero/linux-kernel/search?q=IS_ISP_2400_SYSTEM + + ## `isys_stream_descr->polling_mode` case + +This does not exist on the intel-aero atomisp. This is because it is +based on css version irci_stable_candrpv_0415_20150521_0458. + +On the other hand, the upstreamed atomisp is based on the following css +version depending on the ISP version using ifdefs: + + - ISP2400: irci_stable_candrpv_0415_20150521_0458 + - ISP2401: irci_master_20150911_0724 + +The `isys_stream_descr->polling_mode` usage was added on updating css +version to irci_master_20150701_0213 [3]. + +So, it is not a ISP version specific thing, but css version specific +thing. Because the upstreamed atomisp driver uses irci_master_20150911_0724 +for ISP2401, re-add the ISP version check for now. + +I say "for now" because ISP2401 should eventually use the same css +version with ISP2400 (i.e., irci_stable_candrpv_0415_20150521_0458) + +[3] https://raw.githubusercontent.com/intel/ProductionKernelQuilts/cht-m1stable-2016_ww31/uefi/cht-m1stable/patches/cam-0439-atomisp2-css2401-and-2401_legacy-irci_master_2015070.patch + ("atomisp2: css2401 and 2401_legacy-irci_master_20150701_0213") + Link to Intel's Android kernel patch. + + ## `coord = &me->config.internal_frame_origin_bqs_on_sctbl;` case + +it was added on commit 4f744a573db3 ("media: atomisp: make +sh_css_sp_init_pipeline() ISP version independent") for ISP2401. Because +the upstreamed atomisp for the ISP2401 part is based on +irci_master_20150911_0724, hence the difference. + +Because the upstreamed atomisp driver uses irci_master_20150911_0724 +for ISP2401, revert the test back to `if (IS_ISP2401)`. + +Fixes: 27333dadef57 ("media: atomisp: adjust some code at sh_css that could be broken") +Signed-off-by: Tsuchiya Yuto +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/atomisp/pci/sh_css.c | 27 +++++++++------------- + 1 file changed, 11 insertions(+), 16 deletions(-) + +diff --git a/drivers/staging/media/atomisp/pci/sh_css.c b/drivers/staging/media/atomisp/pci/sh_css.c +index ddee04c8248d0..54a18921fbd15 100644 +--- a/drivers/staging/media/atomisp/pci/sh_css.c ++++ b/drivers/staging/media/atomisp/pci/sh_css.c +@@ -527,6 +527,7 @@ ia_css_stream_input_format_bits_per_pixel(struct ia_css_stream *stream) + return bpp; + } + ++/* TODO: move define to proper file in tools */ + #define GP_ISEL_TPG_MODE 0x90058 + + #if !defined(ISP2401) +@@ -579,12 +580,8 @@ sh_css_config_input_network(struct ia_css_stream *stream) { + vblank_cycles = vblank_lines * (width + hblank_cycles); + sh_css_sp_configure_sync_gen(width, height, hblank_cycles, + vblank_cycles); +- if (!IS_ISP2401) { +- if (pipe->stream->config.mode == IA_CSS_INPUT_MODE_TPG) { +- /* TODO: move define to proper file in tools */ +- ia_css_device_store_uint32(GP_ISEL_TPG_MODE, 0); +- } +- } ++ if (pipe->stream->config.mode == IA_CSS_INPUT_MODE_TPG) ++ ia_css_device_store_uint32(GP_ISEL_TPG_MODE, 0); + } + ia_css_debug_dtrace(IA_CSS_DEBUG_TRACE_PRIVATE, + "sh_css_config_input_network() leave:\n"); +@@ -1019,16 +1016,14 @@ static bool sh_css_translate_stream_cfg_to_isys_stream_descr( + * ia_css_isys_stream_capture_indication() instead of + * ia_css_pipeline_sp_wait_for_isys_stream_N() as isp processing of + * capture takes longer than getting an ISYS frame +- * +- * Only 2401 relevant ?? + */ +-#if 0 // FIXME: NOT USED on Yocto Aero +- isys_stream_descr->polling_mode +- = early_polling ? INPUT_SYSTEM_POLL_ON_CAPTURE_REQUEST +- : INPUT_SYSTEM_POLL_ON_WAIT_FOR_FRAME; +- ia_css_debug_dtrace(IA_CSS_DEBUG_TRACE_PRIVATE, +- "sh_css_translate_stream_cfg_to_isys_stream_descr() leave:\n"); +-#endif ++ if (IS_ISP2401) { ++ isys_stream_descr->polling_mode ++ = early_polling ? INPUT_SYSTEM_POLL_ON_CAPTURE_REQUEST ++ : INPUT_SYSTEM_POLL_ON_WAIT_FOR_FRAME; ++ ia_css_debug_dtrace(IA_CSS_DEBUG_TRACE_PRIVATE, ++ "sh_css_translate_stream_cfg_to_isys_stream_descr() leave:\n"); ++ } + + return rc; + } +@@ -1451,7 +1446,7 @@ static void start_pipe( + + assert(me); /* all callers are in this file and call with non null argument */ + +- if (!IS_ISP2401) { ++ if (IS_ISP2401) { + coord = &me->config.internal_frame_origin_bqs_on_sctbl; + params = me->stream->isp_params_configs; + } +-- +2.34.1 + diff --git a/queue-5.10/media-atomisp-fix-inverted-error-check-for-ia_css_mi.patch b/queue-5.10/media-atomisp-fix-inverted-error-check-for-ia_css_mi.patch new file mode 100644 index 00000000000..cbd224480a7 --- /dev/null +++ b/queue-5.10/media-atomisp-fix-inverted-error-check-for-ia_css_mi.patch @@ -0,0 +1,79 @@ +From 6651b398708d223d82afaa4cf972137c90645a34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 01:19:45 +0900 +Subject: media: atomisp: fix inverted error check for + ia_css_mipi_is_source_port_valid() + +From: Tsuchiya Yuto + +[ Upstream commit d21ce8c2f7bf6d737b60c09f86db141b9e8e47f0 ] + +The function ia_css_mipi_is_source_port_valid() returns true if the port +is valid. So, we can't use the existing err variable as is. + +To fix this issue while reusing that variable, invert the return value +when assigning it to the variable. + +Fixes: 3c0538fbad9f ("media: atomisp: get rid of most checks for ISP2401 version") +Signed-off-by: Tsuchiya Yuto +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../staging/media/atomisp/pci/sh_css_mipi.c | 24 ++++++++++++------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +diff --git a/drivers/staging/media/atomisp/pci/sh_css_mipi.c b/drivers/staging/media/atomisp/pci/sh_css_mipi.c +index 34b71c1b7c1ec..651eda0469b23 100644 +--- a/drivers/staging/media/atomisp/pci/sh_css_mipi.c ++++ b/drivers/staging/media/atomisp/pci/sh_css_mipi.c +@@ -439,10 +439,12 @@ allocate_mipi_frames(struct ia_css_pipe *pipe, + return 0; /* AM TODO: Check */ + } + +- if (!IS_ISP2401) ++ if (!IS_ISP2401) { + port = (unsigned int)pipe->stream->config.source.port.port; +- else +- err = ia_css_mipi_is_source_port_valid(pipe, &port); ++ } else { ++ /* Returns true if port is valid. So, invert it */ ++ err = !ia_css_mipi_is_source_port_valid(pipe, &port); ++ } + + assert(port < N_CSI_PORTS); + +@@ -572,10 +574,12 @@ free_mipi_frames(struct ia_css_pipe *pipe) { + return err; + } + +- if (!IS_ISP2401) ++ if (!IS_ISP2401) { + port = (unsigned int)pipe->stream->config.source.port.port; +- else +- err = ia_css_mipi_is_source_port_valid(pipe, &port); ++ } else { ++ /* Returns true if port is valid. So, invert it */ ++ err = !ia_css_mipi_is_source_port_valid(pipe, &port); ++ } + + assert(port < N_CSI_PORTS); + +@@ -685,10 +689,12 @@ send_mipi_frames(struct ia_css_pipe *pipe) { + /* TODO: AM: maybe this should be returning an error. */ + } + +- if (!IS_ISP2401) ++ if (!IS_ISP2401) { + port = (unsigned int)pipe->stream->config.source.port.port; +- else +- err = ia_css_mipi_is_source_port_valid(pipe, &port); ++ } else { ++ /* Returns true if port is valid. So, invert it */ ++ err = !ia_css_mipi_is_source_port_valid(pipe, &port); ++ } + + assert(port < N_CSI_PORTS); + +-- +2.34.1 + diff --git a/queue-5.10/media-atomisp-fix-inverted-logic-in-buffers_needed.patch b/queue-5.10/media-atomisp-fix-inverted-logic-in-buffers_needed.patch new file mode 100644 index 00000000000..1bada316cab --- /dev/null +++ b/queue-5.10/media-atomisp-fix-inverted-logic-in-buffers_needed.patch @@ -0,0 +1,49 @@ +From 1577af6cb7a8fbac14336d11954038a14b58e624 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 01:19:43 +0900 +Subject: media: atomisp: fix inverted logic in buffers_needed() + +From: Tsuchiya Yuto + +[ Upstream commit e1921cd14640f0f4d1fad5eb8e448c58a536415d ] + +When config.mode is IA_CSS_INPUT_MODE_BUFFERED_SENSOR, it rather needs +buffers. Fix it by inverting the return value. + +Fixes: 3c0538fbad9f ("media: atomisp: get rid of most checks for ISP2401 version") +Signed-off-by: Tsuchiya Yuto +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/atomisp/pci/sh_css_mipi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/staging/media/atomisp/pci/sh_css_mipi.c b/drivers/staging/media/atomisp/pci/sh_css_mipi.c +index d5ae7f0b5864b..e18c0cfb4ce3a 100644 +--- a/drivers/staging/media/atomisp/pci/sh_css_mipi.c ++++ b/drivers/staging/media/atomisp/pci/sh_css_mipi.c +@@ -389,17 +389,17 @@ static bool buffers_needed(struct ia_css_pipe *pipe) + { + if (!IS_ISP2401) { + if (pipe->stream->config.mode == IA_CSS_INPUT_MODE_BUFFERED_SENSOR) +- return false; +- else + return true; ++ else ++ return false; + } + + if (pipe->stream->config.mode == IA_CSS_INPUT_MODE_BUFFERED_SENSOR || + pipe->stream->config.mode == IA_CSS_INPUT_MODE_TPG || + pipe->stream->config.mode == IA_CSS_INPUT_MODE_PRBS) +- return false; ++ return true; + +- return true; ++ return false; + } + + int +-- +2.34.1 + diff --git a/queue-5.10/media-atomisp-fix-punit_ddr_dvfs_enable-argument-for.patch b/queue-5.10/media-atomisp-fix-punit_ddr_dvfs_enable-argument-for.patch new file mode 100644 index 00000000000..dd8ca990bd1 --- /dev/null +++ b/queue-5.10/media-atomisp-fix-punit_ddr_dvfs_enable-argument-for.patch @@ -0,0 +1,89 @@ +From 2bd2f6b221bc8d708f62a016fa95ea07249cc889 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 01:19:42 +0900 +Subject: media: atomisp: fix punit_ddr_dvfs_enable() argument for mrfld_power + up case + +From: Tsuchiya Yuto + +[ Upstream commit 5bfbf65fcca7325e4d89d289b3c286e11220e386 ] + +When comparing with intel-aero atomisp [1], it looks like +punit_ddr_dvfs_enable() should take `false` as an argument on mrfld_power +up case. + +Code from the intel-aero kernel [1]: + + int atomisp_mrfld_power_down(struct atomisp_device *isp) + { + [...] + /*WA:Enable DVFS*/ + if (IS_CHT) + punit_ddr_dvfs_enable(true); + + int atomisp_mrfld_power_up(struct atomisp_device *isp) + { + [...] + /*WA for PUNIT, if DVFS enabled, ISP timeout observed*/ + if (IS_CHT) + punit_ddr_dvfs_enable(false); + +This patch fixes the inverted argument as per the intel-aero code, as +well as its comment. While here, fix space issues for comments in +atomisp_mrfld_power(). + +Note that it does not seem to be possible to unify the up/down cases for +punit_ddr_dvfs_enable(), i.e., we can't do something like the following: + + if (IS_CHT) + punit_ddr_dvfs_enable(!enable); + +because according to the intel-aero code [1], the DVFS is disabled +before "writing 0x0 to ISPSSPM0 bit[1:0]" and the DVFS is enabled after +"writing 0x3 to ISPSSPM0 bit[1:0]". + +[1] https://github.com/intel-aero/linux-kernel/blob/a1b673258feb915268377275130c5c5df0eafc82/drivers/media/pci/atomisp/atomisp_driver/atomisp_v4l2.c#L431-L514 + +Fixes: 0f441fd70b1e ("media: atomisp: simplify the power down/up code") +Signed-off-by: Tsuchiya Yuto +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/atomisp/pci/atomisp_v4l2.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/staging/media/atomisp/pci/atomisp_v4l2.c b/drivers/staging/media/atomisp/pci/atomisp_v4l2.c +index d35506f643609..687e94e8b6ce5 100644 +--- a/drivers/staging/media/atomisp/pci/atomisp_v4l2.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_v4l2.c +@@ -711,15 +711,15 @@ static int atomisp_mrfld_power(struct atomisp_device *isp, bool enable) + + dev_dbg(isp->dev, "IUNIT power-%s.\n", enable ? "on" : "off"); + +- /*WA:Enable DVFS*/ ++ /* WA for P-Unit, if DVFS enabled, ISP timeout observed */ + if (IS_CHT && enable) +- punit_ddr_dvfs_enable(true); ++ punit_ddr_dvfs_enable(false); + + /* + * FIXME:WA for ECS28A, with this sleep, CTS + * android.hardware.camera2.cts.CameraDeviceTest#testCameraDeviceAbort + * PASS, no impact on other platforms +- */ ++ */ + if (IS_BYT && enable) + msleep(10); + +@@ -727,7 +727,7 @@ static int atomisp_mrfld_power(struct atomisp_device *isp, bool enable) + iosf_mbi_modify(BT_MBI_UNIT_PMC, MBI_REG_READ, MRFLD_ISPSSPM0, + val, MRFLD_ISPSSPM0_ISPSSC_MASK); + +- /*WA:Enable DVFS*/ ++ /* WA:Enable DVFS */ + if (IS_CHT && !enable) + punit_ddr_dvfs_enable(true); + +-- +2.34.1 + diff --git a/queue-5.10/media-atomisp-fix-try_fmt-logic.patch b/queue-5.10/media-atomisp-fix-try_fmt-logic.patch new file mode 100644 index 00000000000..8e8fd4820ce --- /dev/null +++ b/queue-5.10/media-atomisp-fix-try_fmt-logic.patch @@ -0,0 +1,115 @@ +From 58e70d32f2738651ea3aa0d1083e6fd0d7f6ca6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Nov 2021 11:45:27 +0000 +Subject: media: atomisp: fix try_fmt logic + +From: Mauro Carvalho Chehab + +[ Upstream commit c9e9094c4e42124af909b2f5f6ded0498e0854ac ] + +The internal try_fmt logic is not meant to provide everything +that the V4L2 API should provide. Also, it doesn't decrement +the pads that are used only internally by the driver, but aren't +part of the device's output. + +Fix it. + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../staging/media/atomisp/pci/atomisp_ioctl.c | 72 ++++++++++++++++++- + 1 file changed, 71 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c +index 830df02626634..8a0648fd7c813 100644 +--- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c +@@ -863,6 +863,72 @@ static int atomisp_g_fmt_file(struct file *file, void *fh, + return 0; + } + ++static int atomisp_adjust_fmt(struct v4l2_format *f) ++{ ++ const struct atomisp_format_bridge *format_bridge; ++ u32 padded_width; ++ ++ format_bridge = atomisp_get_format_bridge(f->fmt.pix.pixelformat); ++ ++ padded_width = f->fmt.pix.width + pad_w; ++ ++ if (format_bridge->planar) { ++ f->fmt.pix.bytesperline = padded_width; ++ f->fmt.pix.sizeimage = PAGE_ALIGN(f->fmt.pix.height * ++ DIV_ROUND_UP(format_bridge->depth * ++ padded_width, 8)); ++ } else { ++ f->fmt.pix.bytesperline = DIV_ROUND_UP(format_bridge->depth * ++ padded_width, 8); ++ f->fmt.pix.sizeimage = PAGE_ALIGN(f->fmt.pix.height * f->fmt.pix.bytesperline); ++ } ++ ++ if (f->fmt.pix.field == V4L2_FIELD_ANY) ++ f->fmt.pix.field = V4L2_FIELD_NONE; ++ ++ format_bridge = atomisp_get_format_bridge(f->fmt.pix.pixelformat); ++ if (!format_bridge) ++ return -EINVAL; ++ ++ /* Currently, raw formats are broken!!! */ ++ if (format_bridge->sh_fmt == IA_CSS_FRAME_FORMAT_RAW) { ++ f->fmt.pix.pixelformat = V4L2_PIX_FMT_YUV420; ++ ++ format_bridge = atomisp_get_format_bridge(f->fmt.pix.pixelformat); ++ if (!format_bridge) ++ return -EINVAL; ++ } ++ ++ padded_width = f->fmt.pix.width + pad_w; ++ ++ if (format_bridge->planar) { ++ f->fmt.pix.bytesperline = padded_width; ++ f->fmt.pix.sizeimage = PAGE_ALIGN(f->fmt.pix.height * ++ DIV_ROUND_UP(format_bridge->depth * ++ padded_width, 8)); ++ } else { ++ f->fmt.pix.bytesperline = DIV_ROUND_UP(format_bridge->depth * ++ padded_width, 8); ++ f->fmt.pix.sizeimage = PAGE_ALIGN(f->fmt.pix.height * f->fmt.pix.bytesperline); ++ } ++ ++ if (f->fmt.pix.field == V4L2_FIELD_ANY) ++ f->fmt.pix.field = V4L2_FIELD_NONE; ++ ++ /* ++ * FIXME: do we need to setup this differently, depending on the ++ * sensor or the pipeline? ++ */ ++ f->fmt.pix.colorspace = V4L2_COLORSPACE_REC709; ++ f->fmt.pix.ycbcr_enc = V4L2_YCBCR_ENC_709; ++ f->fmt.pix.xfer_func = V4L2_XFER_FUNC_709; ++ ++ f->fmt.pix.width -= pad_w; ++ f->fmt.pix.height -= pad_h; ++ ++ return 0; ++} ++ + /* This function looks up the closest available resolution. */ + static int atomisp_try_fmt_cap(struct file *file, void *fh, + struct v4l2_format *f) +@@ -874,7 +940,11 @@ static int atomisp_try_fmt_cap(struct file *file, void *fh, + rt_mutex_lock(&isp->mutex); + ret = atomisp_try_fmt(vdev, f, NULL); + rt_mutex_unlock(&isp->mutex); +- return ret; ++ ++ if (ret) ++ return ret; ++ ++ return atomisp_adjust_fmt(f); + } + + static int atomisp_s_fmt_cap(struct file *file, void *fh, +-- +2.34.1 + diff --git a/queue-5.10/media-atomisp-fix-uninitialized-bug-in-gmin_get_pmic.patch b/queue-5.10/media-atomisp-fix-uninitialized-bug-in-gmin_get_pmic.patch new file mode 100644 index 00000000000..88635dd6009 --- /dev/null +++ b/queue-5.10/media-atomisp-fix-uninitialized-bug-in-gmin_get_pmic.patch @@ -0,0 +1,38 @@ +From c4496a185aa0127adb10e50dab9cac17ba901ed7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Oct 2021 09:21:50 +0100 +Subject: media: atomisp: fix uninitialized bug in gmin_get_pmic_id_and_addr() + +From: Dan Carpenter + +[ Upstream commit cb4d67a998e97365afdf34965b069601da1dae60 ] + +The "power" pointer is not initialized on the else path and that would +lead to an Oops. + +Link: https://lore.kernel.org/linux-media/20211012082150.GA31086@kili +Fixes: c30f4cb2d4c7 ("media: atomisp: Refactor PMIC detection to a separate function") +Signed-off-by: Dan Carpenter +Reviewed-by: Kieran Bingham +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c +index 135994d44802c..34480ca164746 100644 +--- a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c +@@ -481,7 +481,7 @@ fail: + + static u8 gmin_get_pmic_id_and_addr(struct device *dev) + { +- struct i2c_client *power; ++ struct i2c_client *power = NULL; + static u8 pmic_i2c_addr; + + if (pmic_id) +-- +2.34.1 + diff --git a/queue-5.10/media-atomisp-handle-errors-at-sh_css_create_isp_par.patch b/queue-5.10/media-atomisp-handle-errors-at-sh_css_create_isp_par.patch new file mode 100644 index 00000000000..e2d19eae7e0 --- /dev/null +++ b/queue-5.10/media-atomisp-handle-errors-at-sh_css_create_isp_par.patch @@ -0,0 +1,53 @@ +From 6ea1bbc5deb0422c69e1b87e8dcf2b0c5029027a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Nov 2021 23:04:09 +0000 +Subject: media: atomisp: handle errors at sh_css_create_isp_params() + +From: Mauro Carvalho Chehab + +[ Upstream commit 58043dbf6d1ae9deab4f5aa1e039c70112017682 ] + +The succ var tracks memory allocation erros on this function. + +Fix it, in order to stop this W=1 Werror in clang: + +drivers/staging/media/atomisp/pci/sh_css_params.c:2430:7: error: variable 'succ' set but not used [-Werror,-Wunused-but-set-variable] + bool succ = true; + ^ + +Reviewed-by: Nathan Chancellor +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/atomisp/pci/sh_css_params.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/media/atomisp/pci/sh_css_params.c b/drivers/staging/media/atomisp/pci/sh_css_params.c +index 24fc497bd4915..8d6514c45eeb6 100644 +--- a/drivers/staging/media/atomisp/pci/sh_css_params.c ++++ b/drivers/staging/media/atomisp/pci/sh_css_params.c +@@ -2437,7 +2437,7 @@ sh_css_create_isp_params(struct ia_css_stream *stream, + unsigned int i; + struct sh_css_ddr_address_map *ddr_ptrs; + struct sh_css_ddr_address_map_size *ddr_ptrs_size; +- int err = 0; ++ int err; + size_t params_size; + struct ia_css_isp_parameters *params = + kvmalloc(sizeof(struct ia_css_isp_parameters), GFP_KERNEL); +@@ -2482,7 +2482,11 @@ sh_css_create_isp_params(struct ia_css_stream *stream, + succ &= (ddr_ptrs->macc_tbl != mmgr_NULL); + + *isp_params_out = params; +- return err; ++ ++ if (!succ) ++ return -ENOMEM; ++ ++ return 0; + } + + static bool +-- +2.34.1 + diff --git a/queue-5.10/media-atomisp-ov2680-fix-ov2680_set_fmt-clobbering-t.patch b/queue-5.10/media-atomisp-ov2680-fix-ov2680_set_fmt-clobbering-t.patch new file mode 100644 index 00000000000..383587e885a --- /dev/null +++ b/queue-5.10/media-atomisp-ov2680-fix-ov2680_set_fmt-clobbering-t.patch @@ -0,0 +1,139 @@ +From da97c3e43e264a2179283177af034499f67f29fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Nov 2021 17:15:48 +0000 +Subject: media: atomisp-ov2680: Fix ov2680_set_fmt() clobbering the exposure + +From: Hans de Goede + +[ Upstream commit 4492289c31364d28c2680b43b18883385a5d216c ] + +Now that we restore the default or last user set exposure setting on +power_up() there is no need for the registers written by ov2680_set_fmt() +to write to the exposure register. + +Not doing so fixes the exposure always being reset to the value from +the res->regs array after a set_fmt(). + +Link: https://lore.kernel.org/linux-media/20211107171549.267583-11-hdegoede@redhat.com +Signed-off-by: Hans de Goede +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/atomisp/i2c/ov2680.h | 24 ---------------------- + 1 file changed, 24 deletions(-) + +diff --git a/drivers/staging/media/atomisp/i2c/ov2680.h b/drivers/staging/media/atomisp/i2c/ov2680.h +index 49920245e0647..cafb798a71abe 100644 +--- a/drivers/staging/media/atomisp/i2c/ov2680.h ++++ b/drivers/staging/media/atomisp/i2c/ov2680.h +@@ -289,8 +289,6 @@ static struct ov2680_reg const ov2680_global_setting[] = { + */ + static struct ov2680_reg const ov2680_QCIF_30fps[] = { + {0x3086, 0x01}, +- {0x3501, 0x24}, +- {0x3502, 0x40}, + {0x370a, 0x23}, + {0x3801, 0xa0}, + {0x3802, 0x00}, +@@ -334,8 +332,6 @@ static struct ov2680_reg const ov2680_QCIF_30fps[] = { + */ + static struct ov2680_reg const ov2680_CIF_30fps[] = { + {0x3086, 0x01}, +- {0x3501, 0x24}, +- {0x3502, 0x40}, + {0x370a, 0x23}, + {0x3801, 0xa0}, + {0x3802, 0x00}, +@@ -377,8 +373,6 @@ static struct ov2680_reg const ov2680_CIF_30fps[] = { + */ + static struct ov2680_reg const ov2680_QVGA_30fps[] = { + {0x3086, 0x01}, +- {0x3501, 0x24}, +- {0x3502, 0x40}, + {0x370a, 0x23}, + {0x3801, 0xa0}, + {0x3802, 0x00}, +@@ -420,8 +414,6 @@ static struct ov2680_reg const ov2680_QVGA_30fps[] = { + */ + static struct ov2680_reg const ov2680_656x496_30fps[] = { + {0x3086, 0x01}, +- {0x3501, 0x24}, +- {0x3502, 0x40}, + {0x370a, 0x23}, + {0x3801, 0xa0}, + {0x3802, 0x00}, +@@ -463,8 +455,6 @@ static struct ov2680_reg const ov2680_656x496_30fps[] = { + */ + static struct ov2680_reg const ov2680_720x592_30fps[] = { + {0x3086, 0x01}, +- {0x3501, 0x26}, +- {0x3502, 0x40}, + {0x370a, 0x23}, + {0x3801, 0x00}, // X_ADDR_START; + {0x3802, 0x00}, +@@ -508,8 +498,6 @@ static struct ov2680_reg const ov2680_720x592_30fps[] = { + */ + static struct ov2680_reg const ov2680_800x600_30fps[] = { + {0x3086, 0x01}, +- {0x3501, 0x26}, +- {0x3502, 0x40}, + {0x370a, 0x23}, + {0x3801, 0x00}, + {0x3802, 0x00}, +@@ -551,8 +539,6 @@ static struct ov2680_reg const ov2680_800x600_30fps[] = { + */ + static struct ov2680_reg const ov2680_720p_30fps[] = { + {0x3086, 0x00}, +- {0x3501, 0x48}, +- {0x3502, 0xe0}, + {0x370a, 0x21}, + {0x3801, 0xa0}, + {0x3802, 0x00}, +@@ -594,8 +580,6 @@ static struct ov2680_reg const ov2680_720p_30fps[] = { + */ + static struct ov2680_reg const ov2680_1296x976_30fps[] = { + {0x3086, 0x00}, +- {0x3501, 0x48}, +- {0x3502, 0xe0}, + {0x370a, 0x21}, + {0x3801, 0xa0}, + {0x3802, 0x00}, +@@ -637,8 +621,6 @@ static struct ov2680_reg const ov2680_1296x976_30fps[] = { + */ + static struct ov2680_reg const ov2680_1456x1096_30fps[] = { + {0x3086, 0x00}, +- {0x3501, 0x48}, +- {0x3502, 0xe0}, + {0x370a, 0x21}, + {0x3801, 0x90}, + {0x3802, 0x00}, +@@ -682,8 +664,6 @@ static struct ov2680_reg const ov2680_1456x1096_30fps[] = { + + static struct ov2680_reg const ov2680_1616x916_30fps[] = { + {0x3086, 0x00}, +- {0x3501, 0x48}, +- {0x3502, 0xe0}, + {0x370a, 0x21}, + {0x3801, 0x00}, + {0x3802, 0x00}, +@@ -726,8 +706,6 @@ static struct ov2680_reg const ov2680_1616x916_30fps[] = { + #if 0 + static struct ov2680_reg const ov2680_1616x1082_30fps[] = { + {0x3086, 0x00}, +- {0x3501, 0x48}, +- {0x3502, 0xe0}, + {0x370a, 0x21}, + {0x3801, 0x00}, + {0x3802, 0x00}, +@@ -769,8 +747,6 @@ static struct ov2680_reg const ov2680_1616x1082_30fps[] = { + */ + static struct ov2680_reg const ov2680_1616x1216_30fps[] = { + {0x3086, 0x00}, +- {0x3501, 0x48}, +- {0x3502, 0xe0}, + {0x370a, 0x21}, + {0x3801, 0x00}, + {0x3802, 0x00}, +-- +2.34.1 + diff --git a/queue-5.10/media-atomisp-set-per-device-s-default-mode.patch b/queue-5.10/media-atomisp-set-per-device-s-default-mode.patch new file mode 100644 index 00000000000..cb30449d30f --- /dev/null +++ b/queue-5.10/media-atomisp-set-per-device-s-default-mode.patch @@ -0,0 +1,158 @@ +From d4a0dcf1f6df3d4dc5c485baf9f5259d404141fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 08:09:39 +0100 +Subject: media: atomisp: set per-device's default mode + +From: Mauro Carvalho Chehab + +[ Upstream commit 2c45e343c581091835c9047ed5298518aa133163 ] + +The atomisp driver originally used the s_parm command to +initialize the run_mode type to the driver. So, before start +setting up the streaming, s_parm should be called. + +So, even having 5 "normal" video devices, one meant to be used +for each type, the run_mode was actually selected when +s_parm is called. + +Without setting the run mode, applications that don't call +VIDIOC_SET_PARM with a custom atomisp parameters won't work, as +the pipeline won't be set: + + atomisp-isp2 0000:00:03.0: can't create streams + atomisp-isp2 0000:00:03.0: __get_frame_info 1600x1200 (padded to 0) returned -22 + +However, commit 8a7c5594c020 ("media: v4l2-ioctl: clear fields in s_parm") +broke support for it, with a good reason, as drivers shoudn't be +extending the API for their own purposes. + +So, as an step to allow generic apps to use this driver, put +the device's run_mode in preview after open. + +After this patch, using v4l2grab starts to work on preview +mode (/dev/video2): + + $ v4l2grab -f YUYV -x 1600 -y 1200 -d /dev/video2 -n 1 -u + $ feh out000.pnm + +So, let's just setup the default run_mode that each video devnode +should assume, setting it at open() time. + +Reported-by: Tsuchiya Yuto +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/atomisp/pci/atomisp_fops.c | 5 +++++ + .../staging/media/atomisp/pci/atomisp_subdev.c | 15 ++++++++++----- + .../staging/media/atomisp/pci/atomisp_subdev.h | 3 +++ + drivers/staging/media/atomisp/pci/atomisp_v4l2.c | 4 +++- + drivers/staging/media/atomisp/pci/atomisp_v4l2.h | 3 ++- + 5 files changed, 23 insertions(+), 7 deletions(-) + +diff --git a/drivers/staging/media/atomisp/pci/atomisp_fops.c b/drivers/staging/media/atomisp/pci/atomisp_fops.c +index 52d24c1ca0d64..b751df31cc24c 100644 +--- a/drivers/staging/media/atomisp/pci/atomisp_fops.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_fops.c +@@ -877,6 +877,11 @@ done: + else + pipe->users++; + rt_mutex_unlock(&isp->mutex); ++ ++ /* Ensure that a mode is set */ ++ if (asd) ++ v4l2_ctrl_s_ctrl(asd->run_mode, pipe->default_run_mode); ++ + return 0; + + css_error: +diff --git a/drivers/staging/media/atomisp/pci/atomisp_subdev.c b/drivers/staging/media/atomisp/pci/atomisp_subdev.c +index dcc2dd981ca60..628e85799274d 100644 +--- a/drivers/staging/media/atomisp/pci/atomisp_subdev.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_subdev.c +@@ -1178,23 +1178,28 @@ static int isp_subdev_init_entities(struct atomisp_sub_device *asd) + + atomisp_init_acc_pipe(asd, &asd->video_acc); + +- ret = atomisp_video_init(&asd->video_in, "MEMORY"); ++ ret = atomisp_video_init(&asd->video_in, "MEMORY", ++ ATOMISP_RUN_MODE_SDV); + if (ret < 0) + return ret; + +- ret = atomisp_video_init(&asd->video_out_capture, "CAPTURE"); ++ ret = atomisp_video_init(&asd->video_out_capture, "CAPTURE", ++ ATOMISP_RUN_MODE_STILL_CAPTURE); + if (ret < 0) + return ret; + +- ret = atomisp_video_init(&asd->video_out_vf, "VIEWFINDER"); ++ ret = atomisp_video_init(&asd->video_out_vf, "VIEWFINDER", ++ ATOMISP_RUN_MODE_CONTINUOUS_CAPTURE); + if (ret < 0) + return ret; + +- ret = atomisp_video_init(&asd->video_out_preview, "PREVIEW"); ++ ret = atomisp_video_init(&asd->video_out_preview, "PREVIEW", ++ ATOMISP_RUN_MODE_PREVIEW); + if (ret < 0) + return ret; + +- ret = atomisp_video_init(&asd->video_out_video_capture, "VIDEO"); ++ ret = atomisp_video_init(&asd->video_out_video_capture, "VIDEO", ++ ATOMISP_RUN_MODE_VIDEO); + if (ret < 0) + return ret; + +diff --git a/drivers/staging/media/atomisp/pci/atomisp_subdev.h b/drivers/staging/media/atomisp/pci/atomisp_subdev.h +index 330a77eed8aa6..12215d7406169 100644 +--- a/drivers/staging/media/atomisp/pci/atomisp_subdev.h ++++ b/drivers/staging/media/atomisp/pci/atomisp_subdev.h +@@ -81,6 +81,9 @@ struct atomisp_video_pipe { + /* the link list to store per_frame parameters */ + struct list_head per_frame_params; + ++ /* Store here the initial run mode */ ++ unsigned int default_run_mode; ++ + unsigned int buffers_in_css; + + /* irq_lock is used to protect video buffer state change operations and +diff --git a/drivers/staging/media/atomisp/pci/atomisp_v4l2.c b/drivers/staging/media/atomisp/pci/atomisp_v4l2.c +index 687e94e8b6ce5..8aeea74cfd06b 100644 +--- a/drivers/staging/media/atomisp/pci/atomisp_v4l2.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_v4l2.c +@@ -447,7 +447,8 @@ const struct atomisp_dfs_config dfs_config_cht_soc = { + .dfs_table_size = ARRAY_SIZE(dfs_rules_cht_soc), + }; + +-int atomisp_video_init(struct atomisp_video_pipe *video, const char *name) ++int atomisp_video_init(struct atomisp_video_pipe *video, const char *name, ++ unsigned int run_mode) + { + int ret; + const char *direction; +@@ -478,6 +479,7 @@ int atomisp_video_init(struct atomisp_video_pipe *video, const char *name) + "ATOMISP ISP %s %s", name, direction); + video->vdev.release = video_device_release_empty; + video_set_drvdata(&video->vdev, video->isp); ++ video->default_run_mode = run_mode; + + return 0; + } +diff --git a/drivers/staging/media/atomisp/pci/atomisp_v4l2.h b/drivers/staging/media/atomisp/pci/atomisp_v4l2.h +index 81bb356b81720..72611b8286a4a 100644 +--- a/drivers/staging/media/atomisp/pci/atomisp_v4l2.h ++++ b/drivers/staging/media/atomisp/pci/atomisp_v4l2.h +@@ -27,7 +27,8 @@ struct v4l2_device; + struct atomisp_device; + struct firmware; + +-int atomisp_video_init(struct atomisp_video_pipe *video, const char *name); ++int atomisp_video_init(struct atomisp_video_pipe *video, const char *name, ++ unsigned int run_mode); + void atomisp_acc_init(struct atomisp_acc_pipe *video, const char *name); + void atomisp_video_unregister(struct atomisp_video_pipe *video); + void atomisp_acc_unregister(struct atomisp_acc_pipe *video); +-- +2.34.1 + diff --git a/queue-5.10/media-b2c2-add-missing-check-in-flexcop_pci_isr.patch b/queue-5.10/media-b2c2-add-missing-check-in-flexcop_pci_isr.patch new file mode 100644 index 00000000000..22869ba95df --- /dev/null +++ b/queue-5.10/media-b2c2-add-missing-check-in-flexcop_pci_isr.patch @@ -0,0 +1,163 @@ +From 5b72fb817a730678c4672448a3da629ff551f9aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 May 2021 10:00:03 +0100 +Subject: media: b2c2: Add missing check in flexcop_pci_isr: + +From: Zheyu Ma + +[ Upstream commit b13203032e679674c7c518f52a7ec0801ca3a829 ] + +A out-of-bounds bug can be triggered by an interrupt, the reason for +this bug is the lack of checking of register values. + +In flexcop_pci_isr, the driver reads value from a register and uses it as +a dma address. Finally, this address will be passed to the count parameter +of find_next_packet. If this value is larger than the size of dma, the +index of buffer will be out-of-bounds. + +Fix this by adding a check after reading the value of the register. + +The following KASAN report reveals it: + +BUG: KASAN: slab-out-of-bounds in find_next_packet +drivers/media/dvb-core/dvb_demux.c:528 [inline] +BUG: KASAN: slab-out-of-bounds in _dvb_dmx_swfilter +drivers/media/dvb-core/dvb_demux.c:572 [inline] +BUG: KASAN: slab-out-of-bounds in dvb_dmx_swfilter+0x3fa/0x420 +drivers/media/dvb-core/dvb_demux.c:603 +Read of size 1 at addr ffff8880608c00a0 by task swapper/2/0 + +CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef #25 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xec/0x156 lib/dump_stack.c:118 + print_address_description+0x78/0x290 mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report+0x25b/0x380 mm/kasan/report.c:412 + __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:430 + find_next_packet drivers/media/dvb-core/dvb_demux.c:528 [inline] + _dvb_dmx_swfilter drivers/media/dvb-core/dvb_demux.c:572 [inline] + dvb_dmx_swfilter+0x3fa/0x420 drivers/media/dvb-core/dvb_demux.c:603 + flexcop_pass_dmx_data+0x2e/0x40 drivers/media/common/b2c2/flexcop.c:167 + flexcop_pci_isr+0x3d1/0x5d0 drivers/media/pci/b2c2/flexcop-pci.c:212 + __handle_irq_event_percpu+0xfb/0x770 kernel/irq/handle.c:149 + handle_irq_event_percpu+0x79/0x150 kernel/irq/handle.c:189 + handle_irq_event+0xac/0x140 kernel/irq/handle.c:206 + handle_fasteoi_irq+0x232/0x5c0 kernel/irq/chip.c:725 + generic_handle_irq_desc include/linux/irqdesc.h:155 [inline] + handle_irq+0x230/0x3a0 arch/x86/kernel/irq_64.c:87 + do_IRQ+0xa7/0x1e0 arch/x86/kernel/irq.c:247 + common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670 + +RIP: 0010:native_safe_halt+0x28/0x30 arch/x86/include/asm/irqflags.h:61 +Code: 00 00 55 be 04 00 00 00 48 c7 c7 00 62 2f 8c 48 89 e5 e8 fb 31 +e8 f8 8b 05 75 4f 8e 03 85 c0 7e 07 0f 00 2d 8a 61 66 00 fb f4 <5d> c3 +90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 +RSP: 0018:ffff88806b71fcc8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffde +RAX: 0000000000000000 RBX: ffffffff8bde44c8 RCX: ffffffff88a11285 +RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8c2f6200 +RBP: ffff88806b71fcc8 R08: fffffbfff185ec40 R09: fffffbfff185ec40 +R10: 0000000000000001 R11: fffffbfff185ec40 R12: 0000000000000002 +R13: ffffffff8be9d6e0 R14: 0000000000000000 R15: 0000000000000000 + arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline] + default_idle+0x6f/0x360 arch/x86/kernel/process.c:557 + arch_cpu_idle+0xf/0x20 arch/x86/kernel/process.c:548 + default_idle_call+0x3b/0x60 kernel/sched/idle.c:93 + cpuidle_idle_call kernel/sched/idle.c:153 [inline] + do_idle+0x2ab/0x3c0 kernel/sched/idle.c:263 + cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:369 + start_secondary+0x3b8/0x4e0 arch/x86/kernel/smpboot.c:271 + secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243 + +Allocated by task 1: + save_stack+0x43/0xd0 mm/kasan/kasan.c:448 + set_track mm/kasan/kasan.c:460 [inline] + kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:553 + kasan_slab_alloc+0x11/0x20 mm/kasan/kasan.c:490 + slab_post_alloc_hook mm/slab.h:445 [inline] + slab_alloc_node mm/slub.c:2741 [inline] + slab_alloc mm/slub.c:2749 [inline] + kmem_cache_alloc+0xeb/0x280 mm/slub.c:2754 + kmem_cache_zalloc include/linux/slab.h:699 [inline] + __kernfs_new_node+0xe2/0x6f0 fs/kernfs/dir.c:633 + kernfs_new_node+0x9a/0x120 fs/kernfs/dir.c:693 + __kernfs_create_file+0x5f/0x340 fs/kernfs/file.c:992 + sysfs_add_file_mode_ns+0x22a/0x4e0 fs/sysfs/file.c:306 + create_files fs/sysfs/group.c:63 [inline] + internal_create_group+0x34e/0xc30 fs/sysfs/group.c:147 + sysfs_create_group fs/sysfs/group.c:173 [inline] + sysfs_create_groups+0x9c/0x140 fs/sysfs/group.c:200 + driver_add_groups+0x3e/0x50 drivers/base/driver.c:129 + bus_add_driver+0x3a5/0x790 drivers/base/bus.c:684 + driver_register+0x1cd/0x410 drivers/base/driver.c:170 + __pci_register_driver+0x197/0x200 drivers/pci/pci-driver.c:1411 + cx88_audio_pci_driver_init+0x23/0x25 drivers/media/pci/cx88/cx88-alsa.c: + 1017 + do_one_initcall+0xe0/0x610 init/main.c:884 + do_initcall_level init/main.c:952 [inline] + do_initcalls init/main.c:960 [inline] + do_basic_setup init/main.c:978 [inline] + kernel_init_freeable+0x4d0/0x592 init/main.c:1145 + kernel_init+0x18/0x190 init/main.c:1062 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 + +Freed by task 0: +(stack is not available) + +The buggy address belongs to the object at ffff8880608c0000 + which belongs to the cache kernfs_node_cache of size 160 +The buggy address is located 0 bytes to the right of + 160-byte region [ffff8880608c0000, ffff8880608c00a0) +The buggy address belongs to the page: +page:ffffea0001823000 count:1 mapcount:0 mapping:ffff88806bed1e00 +index:0x0 compound_mapcount: 0 +flags: 0x100000000008100(slab|head) +raw: 0100000000008100 dead000000000100 dead000000000200 ffff88806bed1e00 +raw: 0000000000000000 0000000000240024 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8880608bff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff8880608c0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff8880608c0080: 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00 00 + ^ + ffff8880608c0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff8880608c0180: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 +================================================================== + +Link: https://lore.kernel.org/linux-media/1620723603-30912-1-git-send-email-zheyuma97@gmail.com +Reported-by: Zheyu Ma +Signed-off-by: Zheyu Ma +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/b2c2/flexcop-pci.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/pci/b2c2/flexcop-pci.c b/drivers/media/pci/b2c2/flexcop-pci.c +index a9d9520a94c6d..c9e6c7d663768 100644 +--- a/drivers/media/pci/b2c2/flexcop-pci.c ++++ b/drivers/media/pci/b2c2/flexcop-pci.c +@@ -185,6 +185,8 @@ static irqreturn_t flexcop_pci_isr(int irq, void *dev_id) + dma_addr_t cur_addr = + fc->read_ibi_reg(fc,dma1_008).dma_0x8.dma_cur_addr << 2; + u32 cur_pos = cur_addr - fc_pci->dma[0].dma_addr0; ++ if (cur_pos > fc_pci->dma[0].size * 2) ++ goto error; + + deb_irq("%u irq: %08x cur_addr: %llx: cur_pos: %08x, last_cur_pos: %08x ", + jiffies_to_usecs(jiffies - fc_pci->last_irq), +@@ -225,6 +227,7 @@ static irqreturn_t flexcop_pci_isr(int irq, void *dev_id) + ret = IRQ_NONE; + } + ++error: + spin_unlock_irqrestore(&fc_pci->irq_lock, flags); + return ret; + } +-- +2.34.1 + diff --git a/queue-5.10/media-coda-fix-coda960-jpeg-encoder-buffer-overflow.patch b/queue-5.10/media-coda-fix-coda960-jpeg-encoder-buffer-overflow.patch new file mode 100644 index 00000000000..c49b5529a04 --- /dev/null +++ b/queue-5.10/media-coda-fix-coda960-jpeg-encoder-buffer-overflow.patch @@ -0,0 +1,95 @@ +From 4b3e88c865fd959bfb1c82f1500d613b6f23498e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Nov 2021 11:41:20 +0100 +Subject: media: coda: fix CODA960 JPEG encoder buffer overflow + +From: Philipp Zabel + +[ Upstream commit 1a59cd88f55068710f6549bee548846661673780 ] + +Stop the CODA960 JPEG encoder from overflowing capture buffers. +The bitstream buffer overflow interrupt doesn't seem to be connected, +so this has to be handled via timeout instead. + +Reported-by: Martin Weber +Fixes: 96f6f62c4656 ("media: coda: jpeg: add CODA960 JPEG encoder support") +Tested-by: Martin Weber +Signed-off-by: Philipp Zabel +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/coda/coda-common.c | 8 +++++--- + drivers/media/platform/coda/coda-jpeg.c | 21 ++++++++++++++++++++- + 2 files changed, 25 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/platform/coda/coda-common.c b/drivers/media/platform/coda/coda-common.c +index 87a2c706f7477..1eed69d29149f 100644 +--- a/drivers/media/platform/coda/coda-common.c ++++ b/drivers/media/platform/coda/coda-common.c +@@ -1537,11 +1537,13 @@ static void coda_pic_run_work(struct work_struct *work) + + if (!wait_for_completion_timeout(&ctx->completion, + msecs_to_jiffies(1000))) { +- dev_err(dev->dev, "CODA PIC_RUN timeout\n"); ++ if (ctx->use_bit) { ++ dev_err(dev->dev, "CODA PIC_RUN timeout\n"); + +- ctx->hold = true; ++ ctx->hold = true; + +- coda_hw_reset(ctx); ++ coda_hw_reset(ctx); ++ } + + if (ctx->ops->run_timeout) + ctx->ops->run_timeout(ctx); +diff --git a/drivers/media/platform/coda/coda-jpeg.c b/drivers/media/platform/coda/coda-jpeg.c +index b11cfbe166dd3..a72f4655e5ad5 100644 +--- a/drivers/media/platform/coda/coda-jpeg.c ++++ b/drivers/media/platform/coda/coda-jpeg.c +@@ -1127,7 +1127,8 @@ static int coda9_jpeg_prepare_encode(struct coda_ctx *ctx) + coda_write(dev, 0, CODA9_REG_JPEG_GBU_BT_PTR); + coda_write(dev, 0, CODA9_REG_JPEG_GBU_WD_PTR); + coda_write(dev, 0, CODA9_REG_JPEG_GBU_BBSR); +- coda_write(dev, 0, CODA9_REG_JPEG_BBC_STRM_CTRL); ++ coda_write(dev, BIT(31) | ((end_addr - start_addr - header_len) / 256), ++ CODA9_REG_JPEG_BBC_STRM_CTRL); + coda_write(dev, 0, CODA9_REG_JPEG_GBU_CTRL); + coda_write(dev, 0, CODA9_REG_JPEG_GBU_FF_RPTR); + coda_write(dev, 127, CODA9_REG_JPEG_GBU_BBER); +@@ -1257,6 +1258,23 @@ static void coda9_jpeg_finish_encode(struct coda_ctx *ctx) + coda_hw_reset(ctx); + } + ++static void coda9_jpeg_encode_timeout(struct coda_ctx *ctx) ++{ ++ struct coda_dev *dev = ctx->dev; ++ u32 end_addr, wr_ptr; ++ ++ /* Handle missing BBC overflow interrupt via timeout */ ++ end_addr = coda_read(dev, CODA9_REG_JPEG_BBC_END_ADDR); ++ wr_ptr = coda_read(dev, CODA9_REG_JPEG_BBC_WR_PTR); ++ if (wr_ptr >= end_addr - 256) { ++ v4l2_err(&dev->v4l2_dev, "JPEG too large for capture buffer\n"); ++ coda9_jpeg_finish_encode(ctx); ++ return; ++ } ++ ++ coda_hw_reset(ctx); ++} ++ + static void coda9_jpeg_release(struct coda_ctx *ctx) + { + int i; +@@ -1276,6 +1294,7 @@ const struct coda_context_ops coda9_jpeg_encode_ops = { + .start_streaming = coda9_jpeg_start_encoding, + .prepare_run = coda9_jpeg_prepare_encode, + .finish_run = coda9_jpeg_finish_encode, ++ .run_timeout = coda9_jpeg_encode_timeout, + .release = coda9_jpeg_release, + }; + +-- +2.34.1 + diff --git a/queue-5.10/media-coda-imx-vdoa-handle-dma_set_coherent_mask-err.patch b/queue-5.10/media-coda-imx-vdoa-handle-dma_set_coherent_mask-err.patch new file mode 100644 index 00000000000..414df057bdc --- /dev/null +++ b/queue-5.10/media-coda-imx-vdoa-handle-dma_set_coherent_mask-err.patch @@ -0,0 +1,41 @@ +From b636ea3b832f61580551a14c499c4947908ad6c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Dec 2021 03:22:01 +0100 +Subject: media: coda/imx-vdoa: Handle dma_set_coherent_mask error codes + +From: Jiasheng Jiang + +[ Upstream commit 43f0633f89947df57fe0b5025bdd741768007708 ] + +The return value of dma_set_coherent_mask() is not always 0. +To catch the exception in case that dma is not support the mask. + +Link: https://lore.kernel.org/linux-media/20211206022201.1639460-1-jiasheng@iscas.ac.cn +Fixes: b0444f18e0b1 ("[media] coda: add i.MX6 VDOA driver") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/coda/imx-vdoa.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/coda/imx-vdoa.c b/drivers/media/platform/coda/imx-vdoa.c +index 8bc0d83718193..dd6e2e320264e 100644 +--- a/drivers/media/platform/coda/imx-vdoa.c ++++ b/drivers/media/platform/coda/imx-vdoa.c +@@ -287,7 +287,11 @@ static int vdoa_probe(struct platform_device *pdev) + struct resource *res; + int ret; + +- dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32)); ++ ret = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32)); ++ if (ret) { ++ dev_err(&pdev->dev, "DMA enable failed\n"); ++ return ret; ++ } + + vdoa = devm_kzalloc(&pdev->dev, sizeof(*vdoa), GFP_KERNEL); + if (!vdoa) +-- +2.34.1 + diff --git a/queue-5.10/media-dib8000-fix-a-memleak-in-dib8000_init.patch b/queue-5.10/media-dib8000-fix-a-memleak-in-dib8000_init.patch new file mode 100644 index 00000000000..f27c6714e8b --- /dev/null +++ b/queue-5.10/media-dib8000-fix-a-memleak-in-dib8000_init.patch @@ -0,0 +1,55 @@ +From 67f37c61409471eea5c01c67c5a2cb702404dd76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 16:38:05 +0100 +Subject: media: dib8000: Fix a memleak in dib8000_init() + +From: Zhou Qingyang + +[ Upstream commit 8dbdcc7269a83305ee9d677b75064d3530a48ee2 ] + +In dib8000_init(), the variable fe is not freed or passed out on the +failure of dib8000_identify(&state->i2c), which could lead to a memleak. + +Fix this bug by adding a kfree of fe in the error path. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_DVB_DIB8000=m show no new warnings, +and our static analyzer no longer warns about this code. + +Fixes: 77e2c0f5d471 ("V4L/DVB (12900): DiB8000: added support for DiBcom ISDB-T/ISDB-Tsb demodulator DiB8000") +Signed-off-by: Zhou Qingyang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/dib8000.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c +index bb02354a48b81..d67f2dd997d06 100644 +--- a/drivers/media/dvb-frontends/dib8000.c ++++ b/drivers/media/dvb-frontends/dib8000.c +@@ -4473,8 +4473,10 @@ static struct dvb_frontend *dib8000_init(struct i2c_adapter *i2c_adap, u8 i2c_ad + + state->timf_default = cfg->pll->timf; + +- if (dib8000_identify(&state->i2c) == 0) ++ if (dib8000_identify(&state->i2c) == 0) { ++ kfree(fe); + goto error; ++ } + + dibx000_init_i2c_master(&state->i2c_master, DIB8000, state->i2c.adap, state->i2c.addr); + +-- +2.34.1 + diff --git a/queue-5.10/media-dmxdev-fix-uaf-when-dvb_register_device-fails.patch b/queue-5.10/media-dmxdev-fix-uaf-when-dvb_register_device-fails.patch new file mode 100644 index 00000000000..3f10f1c2074 --- /dev/null +++ b/queue-5.10/media-dmxdev-fix-uaf-when-dvb_register_device-fails.patch @@ -0,0 +1,104 @@ +From 4b91b92acd75cab6ece1f64e50442a337aa47dd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 16:57:41 +0800 +Subject: media: dmxdev: fix UAF when dvb_register_device() fails + +From: Wang Hai + +[ Upstream commit ab599eb11882f834951c436cc080c3455ba32b9b ] + +I got a use-after-free report: + +dvbdev: dvb_register_device: failed to create device dvb1.dvr0 (-12) +... +================================================================== +BUG: KASAN: use-after-free in dvb_dmxdev_release+0xce/0x2f0 +... +Call Trace: + dump_stack_lvl+0x6c/0x8b + print_address_description.constprop.0+0x48/0x70 + kasan_report.cold+0x82/0xdb + __asan_load4+0x6b/0x90 + dvb_dmxdev_release+0xce/0x2f0 +... +Allocated by task 7666: + kasan_save_stack+0x23/0x50 + __kasan_kmalloc+0x83/0xa0 + kmem_cache_alloc_trace+0x22e/0x470 + dvb_register_device+0x12f/0x980 + dvb_dmxdev_init+0x1f3/0x230 +... +Freed by task 7666: + kasan_save_stack+0x23/0x50 + kasan_set_track+0x20/0x30 + kasan_set_free_info+0x24/0x40 + __kasan_slab_free+0xf2/0x130 + kfree+0xd1/0x5c0 + dvb_register_device.cold+0x1ac/0x1fa + dvb_dmxdev_init+0x1f3/0x230 +... + +When dvb_register_device() in dvb_dmxdev_init() fails, dvb_dmxdev_init() +does not return a failure, and the memory pointed to by dvbdev or +dvr_dvbdev is invalid at this point. If they are used subsequently, it +will result in UFA or null-ptr-deref. + +If dvb_register_device() in dvb_dmxdev_init() fails, fix the bug by making +dvb_dmxdev_init() return an error as well. + +Link: https://lore.kernel.org/linux-media/20211015085741.1203283-1-wanghai38@huawei.com + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dmxdev.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c +index f14a872d12687..e58cb8434dafe 100644 +--- a/drivers/media/dvb-core/dmxdev.c ++++ b/drivers/media/dvb-core/dmxdev.c +@@ -1413,7 +1413,7 @@ static const struct dvb_device dvbdev_dvr = { + }; + int dvb_dmxdev_init(struct dmxdev *dmxdev, struct dvb_adapter *dvb_adapter) + { +- int i; ++ int i, ret; + + if (dmxdev->demux->open(dmxdev->demux) < 0) + return -EUSERS; +@@ -1432,14 +1432,26 @@ int dvb_dmxdev_init(struct dmxdev *dmxdev, struct dvb_adapter *dvb_adapter) + DMXDEV_STATE_FREE); + } + +- dvb_register_device(dvb_adapter, &dmxdev->dvbdev, &dvbdev_demux, dmxdev, ++ ret = dvb_register_device(dvb_adapter, &dmxdev->dvbdev, &dvbdev_demux, dmxdev, + DVB_DEVICE_DEMUX, dmxdev->filternum); +- dvb_register_device(dvb_adapter, &dmxdev->dvr_dvbdev, &dvbdev_dvr, ++ if (ret < 0) ++ goto err_register_dvbdev; ++ ++ ret = dvb_register_device(dvb_adapter, &dmxdev->dvr_dvbdev, &dvbdev_dvr, + dmxdev, DVB_DEVICE_DVR, dmxdev->filternum); ++ if (ret < 0) ++ goto err_register_dvr_dvbdev; + + dvb_ringbuffer_init(&dmxdev->dvr_buffer, NULL, 8192); + + return 0; ++ ++err_register_dvr_dvbdev: ++ dvb_unregister_device(dmxdev->dvbdev); ++err_register_dvbdev: ++ vfree(dmxdev->filter); ++ dmxdev->filter = NULL; ++ return ret; + } + + EXPORT_SYMBOL(dvb_dmxdev_init); +-- +2.34.1 + diff --git a/queue-5.10/media-dw2102-fix-use-after-free.patch b/queue-5.10/media-dw2102-fix-use-after-free.patch new file mode 100644 index 00000000000..81998f6f169 --- /dev/null +++ b/queue-5.10/media-dw2102-fix-use-after-free.patch @@ -0,0 +1,407 @@ +From e1e34d7c6654df5b391d5ffc3eff4f68be4358e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2019 12:41:47 +0200 +Subject: media: dw2102: Fix use after free + +From: Anton Vasilyev + +[ Upstream commit 589a9f0eb799f77de2c09583bf5bad221fa5d685 ] + +dvb_usb_device_init stores parts of properties at d->props +and d->desc and uses it on dvb_usb_device_exit. +Free of properties on module probe leads to use after free. +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204597 + +The patch makes properties static instead of allocated on heap to prevent +memleak and use after free. +Also fixes s421_properties.devices initialization to have 2 element +instead of 6 copied from p7500_properties. + +[mchehab: fix function call alignments] +Link: https://lore.kernel.org/linux-media/20190822104147.4420-1-vasilyev@ispras.ru +Signed-off-by: Anton Vasilyev +Fixes: 299c7007e936 ("media: dw2102: Fix memleak on sequence of probes") +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/dw2102.c | 338 ++++++++++++++++++----------- + 1 file changed, 215 insertions(+), 123 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c +index a27a684403252..aa929db56db1f 100644 +--- a/drivers/media/usb/dvb-usb/dw2102.c ++++ b/drivers/media/usb/dvb-usb/dw2102.c +@@ -2148,46 +2148,153 @@ static struct dvb_usb_device_properties s6x0_properties = { + } + }; + +-static const struct dvb_usb_device_description d1100 = { +- "Prof 1100 USB ", +- {&dw2102_table[PROF_1100], NULL}, +- {NULL}, +-}; ++static struct dvb_usb_device_properties p1100_properties = { ++ .caps = DVB_USB_IS_AN_I2C_ADAPTER, ++ .usb_ctrl = DEVICE_SPECIFIC, ++ .size_of_priv = sizeof(struct dw2102_state), ++ .firmware = P1100_FIRMWARE, ++ .no_reconnect = 1, + +-static const struct dvb_usb_device_description d660 = { +- "TeVii S660 USB", +- {&dw2102_table[TEVII_S660], NULL}, +- {NULL}, +-}; ++ .i2c_algo = &s6x0_i2c_algo, ++ .rc.core = { ++ .rc_interval = 150, ++ .rc_codes = RC_MAP_TBS_NEC, ++ .module_name = "dw2102", ++ .allowed_protos = RC_PROTO_BIT_NEC, ++ .rc_query = prof_rc_query, ++ }, + +-static const struct dvb_usb_device_description d480_1 = { +- "TeVii S480.1 USB", +- {&dw2102_table[TEVII_S480_1], NULL}, +- {NULL}, ++ .generic_bulk_ctrl_endpoint = 0x81, ++ .num_adapters = 1, ++ .download_firmware = dw2102_load_firmware, ++ .read_mac_address = s6x0_read_mac_address, ++ .adapter = { ++ { ++ .num_frontends = 1, ++ .fe = {{ ++ .frontend_attach = stv0288_frontend_attach, ++ .stream = { ++ .type = USB_BULK, ++ .count = 8, ++ .endpoint = 0x82, ++ .u = { ++ .bulk = { ++ .buffersize = 4096, ++ } ++ } ++ }, ++ } }, ++ } ++ }, ++ .num_device_descs = 1, ++ .devices = { ++ {"Prof 1100 USB ", ++ {&dw2102_table[PROF_1100], NULL}, ++ {NULL}, ++ }, ++ } + }; + +-static const struct dvb_usb_device_description d480_2 = { +- "TeVii S480.2 USB", +- {&dw2102_table[TEVII_S480_2], NULL}, +- {NULL}, +-}; ++static struct dvb_usb_device_properties s660_properties = { ++ .caps = DVB_USB_IS_AN_I2C_ADAPTER, ++ .usb_ctrl = DEVICE_SPECIFIC, ++ .size_of_priv = sizeof(struct dw2102_state), ++ .firmware = S660_FIRMWARE, ++ .no_reconnect = 1, + +-static const struct dvb_usb_device_description d7500 = { +- "Prof 7500 USB DVB-S2", +- {&dw2102_table[PROF_7500], NULL}, +- {NULL}, +-}; ++ .i2c_algo = &s6x0_i2c_algo, ++ .rc.core = { ++ .rc_interval = 150, ++ .rc_codes = RC_MAP_TEVII_NEC, ++ .module_name = "dw2102", ++ .allowed_protos = RC_PROTO_BIT_NEC, ++ .rc_query = dw2102_rc_query, ++ }, + +-static const struct dvb_usb_device_description d421 = { +- "TeVii S421 PCI", +- {&dw2102_table[TEVII_S421], NULL}, +- {NULL}, ++ .generic_bulk_ctrl_endpoint = 0x81, ++ .num_adapters = 1, ++ .download_firmware = dw2102_load_firmware, ++ .read_mac_address = s6x0_read_mac_address, ++ .adapter = { ++ { ++ .num_frontends = 1, ++ .fe = {{ ++ .frontend_attach = ds3000_frontend_attach, ++ .stream = { ++ .type = USB_BULK, ++ .count = 8, ++ .endpoint = 0x82, ++ .u = { ++ .bulk = { ++ .buffersize = 4096, ++ } ++ } ++ }, ++ } }, ++ } ++ }, ++ .num_device_descs = 3, ++ .devices = { ++ {"TeVii S660 USB", ++ {&dw2102_table[TEVII_S660], NULL}, ++ {NULL}, ++ }, ++ {"TeVii S480.1 USB", ++ {&dw2102_table[TEVII_S480_1], NULL}, ++ {NULL}, ++ }, ++ {"TeVii S480.2 USB", ++ {&dw2102_table[TEVII_S480_2], NULL}, ++ {NULL}, ++ }, ++ } + }; + +-static const struct dvb_usb_device_description d632 = { +- "TeVii S632 USB", +- {&dw2102_table[TEVII_S632], NULL}, +- {NULL}, ++static struct dvb_usb_device_properties p7500_properties = { ++ .caps = DVB_USB_IS_AN_I2C_ADAPTER, ++ .usb_ctrl = DEVICE_SPECIFIC, ++ .size_of_priv = sizeof(struct dw2102_state), ++ .firmware = P7500_FIRMWARE, ++ .no_reconnect = 1, ++ ++ .i2c_algo = &s6x0_i2c_algo, ++ .rc.core = { ++ .rc_interval = 150, ++ .rc_codes = RC_MAP_TBS_NEC, ++ .module_name = "dw2102", ++ .allowed_protos = RC_PROTO_BIT_NEC, ++ .rc_query = prof_rc_query, ++ }, ++ ++ .generic_bulk_ctrl_endpoint = 0x81, ++ .num_adapters = 1, ++ .download_firmware = dw2102_load_firmware, ++ .read_mac_address = s6x0_read_mac_address, ++ .adapter = { ++ { ++ .num_frontends = 1, ++ .fe = {{ ++ .frontend_attach = prof_7500_frontend_attach, ++ .stream = { ++ .type = USB_BULK, ++ .count = 8, ++ .endpoint = 0x82, ++ .u = { ++ .bulk = { ++ .buffersize = 4096, ++ } ++ } ++ }, ++ } }, ++ } ++ }, ++ .num_device_descs = 1, ++ .devices = { ++ {"Prof 7500 USB DVB-S2", ++ {&dw2102_table[PROF_7500], NULL}, ++ {NULL}, ++ }, ++ } + }; + + static struct dvb_usb_device_properties su3000_properties = { +@@ -2267,6 +2374,59 @@ static struct dvb_usb_device_properties su3000_properties = { + } + }; + ++static struct dvb_usb_device_properties s421_properties = { ++ .caps = DVB_USB_IS_AN_I2C_ADAPTER, ++ .usb_ctrl = DEVICE_SPECIFIC, ++ .size_of_priv = sizeof(struct dw2102_state), ++ .power_ctrl = su3000_power_ctrl, ++ .num_adapters = 1, ++ .identify_state = su3000_identify_state, ++ .i2c_algo = &su3000_i2c_algo, ++ ++ .rc.core = { ++ .rc_interval = 150, ++ .rc_codes = RC_MAP_SU3000, ++ .module_name = "dw2102", ++ .allowed_protos = RC_PROTO_BIT_RC5, ++ .rc_query = su3000_rc_query, ++ }, ++ ++ .read_mac_address = su3000_read_mac_address, ++ ++ .generic_bulk_ctrl_endpoint = 0x01, ++ ++ .adapter = { ++ { ++ .num_frontends = 1, ++ .fe = {{ ++ .streaming_ctrl = su3000_streaming_ctrl, ++ .frontend_attach = m88rs2000_frontend_attach, ++ .stream = { ++ .type = USB_BULK, ++ .count = 8, ++ .endpoint = 0x82, ++ .u = { ++ .bulk = { ++ .buffersize = 4096, ++ } ++ } ++ } ++ } }, ++ } ++ }, ++ .num_device_descs = 2, ++ .devices = { ++ { "TeVii S421 PCI", ++ { &dw2102_table[TEVII_S421], NULL }, ++ { NULL }, ++ }, ++ { "TeVii S632 USB", ++ { &dw2102_table[TEVII_S632], NULL }, ++ { NULL }, ++ }, ++ } ++}; ++ + static struct dvb_usb_device_properties t220_properties = { + .caps = DVB_USB_IS_AN_I2C_ADAPTER, + .usb_ctrl = DEVICE_SPECIFIC, +@@ -2384,101 +2544,33 @@ static struct dvb_usb_device_properties tt_s2_4600_properties = { + static int dw2102_probe(struct usb_interface *intf, + const struct usb_device_id *id) + { +- int retval = -ENOMEM; +- struct dvb_usb_device_properties *p1100; +- struct dvb_usb_device_properties *s660; +- struct dvb_usb_device_properties *p7500; +- struct dvb_usb_device_properties *s421; +- +- p1100 = kmemdup(&s6x0_properties, +- sizeof(struct dvb_usb_device_properties), GFP_KERNEL); +- if (!p1100) +- goto err0; +- +- /* copy default structure */ +- /* fill only different fields */ +- p1100->firmware = P1100_FIRMWARE; +- p1100->devices[0] = d1100; +- p1100->rc.core.rc_query = prof_rc_query; +- p1100->rc.core.rc_codes = RC_MAP_TBS_NEC; +- p1100->adapter->fe[0].frontend_attach = stv0288_frontend_attach; +- +- s660 = kmemdup(&s6x0_properties, +- sizeof(struct dvb_usb_device_properties), GFP_KERNEL); +- if (!s660) +- goto err1; +- +- s660->firmware = S660_FIRMWARE; +- s660->num_device_descs = 3; +- s660->devices[0] = d660; +- s660->devices[1] = d480_1; +- s660->devices[2] = d480_2; +- s660->adapter->fe[0].frontend_attach = ds3000_frontend_attach; +- +- p7500 = kmemdup(&s6x0_properties, +- sizeof(struct dvb_usb_device_properties), GFP_KERNEL); +- if (!p7500) +- goto err2; +- +- p7500->firmware = P7500_FIRMWARE; +- p7500->devices[0] = d7500; +- p7500->rc.core.rc_query = prof_rc_query; +- p7500->rc.core.rc_codes = RC_MAP_TBS_NEC; +- p7500->adapter->fe[0].frontend_attach = prof_7500_frontend_attach; +- +- +- s421 = kmemdup(&su3000_properties, +- sizeof(struct dvb_usb_device_properties), GFP_KERNEL); +- if (!s421) +- goto err3; +- +- s421->num_device_descs = 2; +- s421->devices[0] = d421; +- s421->devices[1] = d632; +- s421->adapter->fe[0].frontend_attach = m88rs2000_frontend_attach; +- +- if (0 == dvb_usb_device_init(intf, &dw2102_properties, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, &dw2104_properties, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, &dw3101_properties, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, &s6x0_properties, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, p1100, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, s660, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, p7500, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, s421, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, &su3000_properties, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, &t220_properties, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, &tt_s2_4600_properties, +- THIS_MODULE, NULL, adapter_nr)) { +- +- /* clean up copied properties */ +- kfree(s421); +- kfree(p7500); +- kfree(s660); +- kfree(p1100); ++ if (!(dvb_usb_device_init(intf, &dw2102_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &dw2104_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &dw3101_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &s6x0_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &p1100_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &s660_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &p7500_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &s421_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &su3000_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &t220_properties, ++ THIS_MODULE, NULL, adapter_nr) && ++ dvb_usb_device_init(intf, &tt_s2_4600_properties, ++ THIS_MODULE, NULL, adapter_nr))) { + + return 0; + } + +- retval = -ENODEV; +- kfree(s421); +-err3: +- kfree(p7500); +-err2: +- kfree(s660); +-err1: +- kfree(p1100); +-err0: +- return retval; ++ return -ENODEV; + } + + static void dw2102_disconnect(struct usb_interface *intf) +-- +2.34.1 + diff --git a/queue-5.10/media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch b/queue-5.10/media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch new file mode 100644 index 00000000000..7c9366a469e --- /dev/null +++ b/queue-5.10/media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch @@ -0,0 +1,81 @@ +From e92328eeb043c5ac1c8289e4e8453ee3bd3fe7e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Nov 2021 09:55:39 +0000 +Subject: media: em28xx: fix memory leak in em28xx_init_dev + +From: Dongliang Mu + +[ Upstream commit 22be5a10d0b24eec9e45decd15d7e6112b25f080 ] + +In the em28xx_init_rev, if em28xx_audio_setup fails, this function fails +to deallocate the media_dev allocated in the em28xx_media_device_init. + +Fix this by adding em28xx_unregister_media_device to free media_dev. + +BTW, this patch is tested in my local syzkaller instance, and it can +prevent the memory leak from occurring again. + +CC: Pavel Skripkin +Fixes: 37ecc7b1278f ("[media] em28xx: add media controller support") +Signed-off-by: Dongliang Mu +Reported-by: syzkaller +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/em28xx/em28xx-cards.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c +index cf45cc566cbe2..87e375562dbb2 100644 +--- a/drivers/media/usb/em28xx/em28xx-cards.c ++++ b/drivers/media/usb/em28xx/em28xx-cards.c +@@ -3575,8 +3575,10 @@ static int em28xx_init_dev(struct em28xx *dev, struct usb_device *udev, + + if (dev->is_audio_only) { + retval = em28xx_audio_setup(dev); +- if (retval) +- return -ENODEV; ++ if (retval) { ++ retval = -ENODEV; ++ goto err_deinit_media; ++ } + em28xx_init_extension(dev); + + return 0; +@@ -3595,7 +3597,7 @@ static int em28xx_init_dev(struct em28xx *dev, struct usb_device *udev, + dev_err(&dev->intf->dev, + "%s: em28xx_i2c_register bus 0 - error [%d]!\n", + __func__, retval); +- return retval; ++ goto err_deinit_media; + } + + /* register i2c bus 1 */ +@@ -3611,9 +3613,7 @@ static int em28xx_init_dev(struct em28xx *dev, struct usb_device *udev, + "%s: em28xx_i2c_register bus 1 - error [%d]!\n", + __func__, retval); + +- em28xx_i2c_unregister(dev, 0); +- +- return retval; ++ goto err_unreg_i2c; + } + } + +@@ -3621,6 +3621,12 @@ static int em28xx_init_dev(struct em28xx *dev, struct usb_device *udev, + em28xx_card_setup(dev); + + return 0; ++ ++err_unreg_i2c: ++ em28xx_i2c_unregister(dev, 0); ++err_deinit_media: ++ em28xx_unregister_media_device(dev); ++ return retval; + } + + static int em28xx_duplicate_dev(struct em28xx *dev) +-- +2.34.1 + diff --git a/queue-5.10/media-hantro-fix-probe-func-error-path.patch b/queue-5.10/media-hantro-fix-probe-func-error-path.patch new file mode 100644 index 00000000000..2c82a30a6b3 --- /dev/null +++ b/queue-5.10/media-hantro-fix-probe-func-error-path.patch @@ -0,0 +1,51 @@ +From 50614cf2b1bc8fea169645291b612008a997ed5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Nov 2021 19:26:25 +0100 +Subject: media: hantro: Fix probe func error path + +From: Jernej Skrabec + +[ Upstream commit 37af43b250fda6162005d47bf7c959c70d52b107 ] + +If clocks for some reason couldn't be enabled, probe function returns +immediately, without disabling PM. This obviously leaves PM ref counters +unbalanced. + +Fix that by jumping to appropriate error path, so effects of PM functions +are reversed. + +Fixes: 775fec69008d ("media: add Rockchip VPU JPEG encoder driver") +Signed-off-by: Jernej Skrabec +Acked-by: Andrzej Pietrasiewicz +Reviewed-by: Ezequiel Garcia +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/hantro/hantro_drv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/media/hantro/hantro_drv.c b/drivers/staging/media/hantro/hantro_drv.c +index 7749ca9a8ebbf..bc97ec0a7e4af 100644 +--- a/drivers/staging/media/hantro/hantro_drv.c ++++ b/drivers/staging/media/hantro/hantro_drv.c +@@ -829,7 +829,7 @@ static int hantro_probe(struct platform_device *pdev) + ret = clk_bulk_prepare(vpu->variant->num_clocks, vpu->clocks); + if (ret) { + dev_err(&pdev->dev, "Failed to prepare clocks\n"); +- return ret; ++ goto err_pm_disable; + } + + ret = v4l2_device_register(&pdev->dev, &vpu->v4l2_dev); +@@ -885,6 +885,7 @@ err_v4l2_unreg: + v4l2_device_unregister(&vpu->v4l2_dev); + err_clk_unprepare: + clk_bulk_unprepare(vpu->variant->num_clocks, vpu->clocks); ++err_pm_disable: + pm_runtime_dont_use_autosuspend(vpu->dev); + pm_runtime_disable(vpu->dev); + return ret; +-- +2.34.1 + diff --git a/queue-5.10/media-igorplugusb-receiver-overflow-should-be-report.patch b/queue-5.10/media-igorplugusb-receiver-overflow-should-be-report.patch new file mode 100644 index 00000000000..f8654d72901 --- /dev/null +++ b/queue-5.10/media-igorplugusb-receiver-overflow-should-be-report.patch @@ -0,0 +1,39 @@ +From 9275d457facf761b3c2c684cdcd51426890d81c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 23:58:19 +0100 +Subject: media: igorplugusb: receiver overflow should be reported + +From: Sean Young + +[ Upstream commit 8fede658e7ddb605bbd68ed38067ddb0af033db4 ] + +Without this, some IR will be missing mid-stream and we might decode +something which never really occurred. + +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/rc/igorplugusb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c +index effaa5751d6c9..3e9988ee785f0 100644 +--- a/drivers/media/rc/igorplugusb.c ++++ b/drivers/media/rc/igorplugusb.c +@@ -64,9 +64,11 @@ static void igorplugusb_irdata(struct igorplugusb *ir, unsigned len) + if (start >= len) { + dev_err(ir->dev, "receive overflow invalid: %u", overflow); + } else { +- if (overflow > 0) ++ if (overflow > 0) { + dev_warn(ir->dev, "receive overflow, at least %u lost", + overflow); ++ ir_raw_event_reset(ir->rc); ++ } + + do { + rawir.duration = ir->buf_in[i] * 85; +-- +2.34.1 + diff --git a/queue-5.10/media-imx-pxp-initialize-the-spinlock-prior-to-using.patch b/queue-5.10/media-imx-pxp-initialize-the-spinlock-prior-to-using.patch new file mode 100644 index 00000000000..89aae95b8b4 --- /dev/null +++ b/queue-5.10/media-imx-pxp-initialize-the-spinlock-prior-to-using.patch @@ -0,0 +1,51 @@ +From ea1f3d1052580173bf526925ee54bde523c13cd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Oct 2021 15:10:14 +0200 +Subject: media: imx-pxp: Initialize the spinlock prior to using it + +From: Fabio Estevam + +[ Upstream commit ed2f97ad4b21072f849cf4ae6645d1f2b1d3f550 ] + +After devm_request_threaded_irq() is called there is a chance that an +interrupt may occur before the spinlock is initialized, which will trigger +a kernel oops. + +To prevent that, move the initialization of the spinlock prior to +requesting the interrupts. + +Fixes: 51abcf7fdb70 ("media: imx-pxp: add i.MX Pixel Pipeline driver") +Signed-off-by: Fabio Estevam +Reviewed-by: Philipp Zabel +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/imx-pxp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/imx-pxp.c b/drivers/media/platform/imx-pxp.c +index 08d76eb05ed1a..62356adebc39e 100644 +--- a/drivers/media/platform/imx-pxp.c ++++ b/drivers/media/platform/imx-pxp.c +@@ -1664,6 +1664,8 @@ static int pxp_probe(struct platform_device *pdev) + if (irq < 0) + return irq; + ++ spin_lock_init(&dev->irqlock); ++ + ret = devm_request_threaded_irq(&pdev->dev, irq, NULL, pxp_irq_handler, + IRQF_ONESHOT, dev_name(&pdev->dev), dev); + if (ret < 0) { +@@ -1681,8 +1683,6 @@ static int pxp_probe(struct platform_device *pdev) + goto err_clk; + } + +- spin_lock_init(&dev->irqlock); +- + ret = v4l2_device_register(&pdev->dev, &dev->v4l2_dev); + if (ret) + goto err_clk; +-- +2.34.1 + diff --git a/queue-5.10/media-m920x-don-t-use-stack-on-usb-reads.patch b/queue-5.10/media-m920x-don-t-use-stack-on-usb-reads.patch new file mode 100644 index 00000000000..9b1c0caf65f --- /dev/null +++ b/queue-5.10/media-m920x-don-t-use-stack-on-usb-reads.patch @@ -0,0 +1,59 @@ +From 3e6039cb46bc7818de26fe1a284d4ae8c32a3963 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Dec 2021 15:34:19 +0100 +Subject: media: m920x: don't use stack on USB reads + +From: Mauro Carvalho Chehab + +[ Upstream commit a2ab06d7c4d6bfd0b545a768247a70463e977e27 ] + +Using stack-allocated pointers for USB message data don't work. +This driver is almost OK with that, except for the I2C read +logic. + +Fix it by using a temporary read buffer, just like on all other +calls to m920x_read(). + +Link: https://lore.kernel.org/all/ccc99e48-de4f-045e-0fe4-61e3118e3f74@mida.se/ +Reported-by: rkardell@mida.se +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/m920x.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb/m920x.c b/drivers/media/usb/dvb-usb/m920x.c +index 4bb5b82599a79..691e05833db19 100644 +--- a/drivers/media/usb/dvb-usb/m920x.c ++++ b/drivers/media/usb/dvb-usb/m920x.c +@@ -274,6 +274,13 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu + /* Should check for ack here, if we knew how. */ + } + if (msg[i].flags & I2C_M_RD) { ++ char *read = kmalloc(1, GFP_KERNEL); ++ if (!read) { ++ ret = -ENOMEM; ++ kfree(read); ++ goto unlock; ++ } ++ + for (j = 0; j < msg[i].len; j++) { + /* Last byte of transaction? + * Send STOP, otherwise send ACK. */ +@@ -281,9 +288,12 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu + + if ((ret = m920x_read(d->udev, M9206_I2C, 0x0, + 0x20 | stop, +- &msg[i].buf[j], 1)) != 0) ++ read, 1)) != 0) + goto unlock; ++ msg[i].buf[j] = read[0]; + } ++ ++ kfree(read); + } else { + for (j = 0; j < msg[i].len; j++) { + /* Last byte of transaction? Then send STOP. */ +-- +2.34.1 + diff --git a/queue-5.10/media-msi001-fix-possible-null-ptr-deref-in-msi001_p.patch b/queue-5.10/media-msi001-fix-possible-null-ptr-deref-in-msi001_p.patch new file mode 100644 index 00000000000..46260c552a5 --- /dev/null +++ b/queue-5.10/media-msi001-fix-possible-null-ptr-deref-in-msi001_p.patch @@ -0,0 +1,58 @@ +From 18911d9d2f97deae9c04427dd1da12ec456f6b06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 13:23:48 +0200 +Subject: media: msi001: fix possible null-ptr-deref in msi001_probe() + +From: Wang Hai + +[ Upstream commit 3d5831a40d3464eea158180eb12cbd81c5edfb6a ] + +I got a null-ptr-deref report: + +BUG: kernel NULL pointer dereference, address: 0000000000000060 +... +RIP: 0010:v4l2_ctrl_auto_cluster+0x57/0x270 +... +Call Trace: + msi001_probe+0x13b/0x24b [msi001] + spi_probe+0xeb/0x130 +... + do_syscall_64+0x35/0xb0 + +In msi001_probe(), if the creation of control for bandwidth_auto +fails, there will be a null-ptr-deref issue when it is used in +v4l2_ctrl_auto_cluster(). + +Check dev->hdl.error before v4l2_ctrl_auto_cluster() to fix this bug. + +Link: https://lore.kernel.org/linux-media/20211026112348.2878040-1-wanghai38@huawei.com +Fixes: 93203dd6c7c4 ("[media] msi001: Mirics MSi001 silicon tuner driver") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/tuners/msi001.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/media/tuners/msi001.c b/drivers/media/tuners/msi001.c +index 78e6fd600d8ef..44247049a3190 100644 +--- a/drivers/media/tuners/msi001.c ++++ b/drivers/media/tuners/msi001.c +@@ -442,6 +442,13 @@ static int msi001_probe(struct spi_device *spi) + V4L2_CID_RF_TUNER_BANDWIDTH_AUTO, 0, 1, 1, 1); + dev->bandwidth = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops, + V4L2_CID_RF_TUNER_BANDWIDTH, 200000, 8000000, 1, 200000); ++ if (dev->hdl.error) { ++ ret = dev->hdl.error; ++ dev_err(&spi->dev, "Could not initialize controls\n"); ++ /* control init failed, free handler */ ++ goto err_ctrl_handler_free; ++ } ++ + v4l2_ctrl_auto_cluster(2, &dev->bandwidth_auto, 0, false); + dev->lna_gain = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops, + V4L2_CID_RF_TUNER_LNA_GAIN, 0, 1, 1, 1); +-- +2.34.1 + diff --git a/queue-5.10/media-mtk-vcodec-call-v4l2_m2m_ctx_release-first-whe.patch b/queue-5.10/media-mtk-vcodec-call-v4l2_m2m_ctx_release-first-whe.patch new file mode 100644 index 00000000000..d11b0a5a597 --- /dev/null +++ b/queue-5.10/media-mtk-vcodec-call-v4l2_m2m_ctx_release-first-whe.patch @@ -0,0 +1,86 @@ +From 4c2f517c0347431e83f5182006d9202623445688 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 14:06:30 +0100 +Subject: media: mtk-vcodec: call v4l2_m2m_ctx_release first when file is + released + +From: Dafna Hirschfeld + +[ Upstream commit 9f89c881bffbdffe4060ffaef3489a2830a6dd9c ] + +The func v4l2_m2m_ctx_release waits for currently running jobs +to finish and then stop streaming both queues and frees the buffers. +All this should be done before the call to mtk_vcodec_enc_release +which frees the encoder handler. This fixes null-pointer dereference bug: + +[ 638.028076] Mem abort info: +[ 638.030932] ESR = 0x96000004 +[ 638.033978] EC = 0x25: DABT (current EL), IL = 32 bits +[ 638.039293] SET = 0, FnV = 0 +[ 638.042338] EA = 0, S1PTW = 0 +[ 638.045474] FSC = 0x04: level 0 translation fault +[ 638.050349] Data abort info: +[ 638.053224] ISV = 0, ISS = 0x00000004 +[ 638.057055] CM = 0, WnR = 0 +[ 638.060018] user pgtable: 4k pages, 48-bit VAs, pgdp=000000012b6db000 +[ 638.066485] [00000000000001a0] pgd=0000000000000000, p4d=0000000000000000 +[ 638.073277] Internal error: Oops: 96000004 [#1] SMP +[ 638.078145] Modules linked in: rfkill mtk_vcodec_dec mtk_vcodec_enc uvcvideo mtk_mdp mtk_vcodec_common videobuf2_dma_contig v4l2_h264 cdc_ether v4l2_mem2mem videobuf2_vmalloc usbnet videobuf2_memops videobuf2_v4l2 r8152 videobuf2_common videodev cros_ec_sensors cros_ec_sensors_core industrialio_triggered_buffer kfifo_buf elan_i2c elants_i2c sbs_battery mc cros_usbpd_charger cros_ec_chardev cros_usbpd_logger crct10dif_ce mtk_vpu fuse ip_tables x_tables ipv6 +[ 638.118583] CPU: 0 PID: 212 Comm: kworker/u8:5 Not tainted 5.15.0-06427-g58a1d4dcfc74-dirty #109 +[ 638.127357] Hardware name: Google Elm (DT) +[ 638.131444] Workqueue: mtk-vcodec-enc mtk_venc_worker [mtk_vcodec_enc] +[ 638.137974] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 638.144925] pc : vp8_enc_encode+0x34/0x2b0 [mtk_vcodec_enc] +[ 638.150493] lr : venc_if_encode+0xac/0x1b0 [mtk_vcodec_enc] +[ 638.156060] sp : ffff8000124d3c40 +[ 638.159364] x29: ffff8000124d3c40 x28: 0000000000000000 x27: 0000000000000000 +[ 638.166493] x26: 0000000000000000 x25: ffff0000e7f252d0 x24: ffff8000124d3d58 +[ 638.173621] x23: ffff8000124d3d58 x22: ffff8000124d3d60 x21: 0000000000000001 +[ 638.180750] x20: ffff80001137e000 x19: 0000000000000000 x18: 0000000000000001 +[ 638.187878] x17: 000000040044ffff x16: 00400032b5503510 x15: 0000000000000000 +[ 638.195006] x14: ffff8000118536c0 x13: ffff8000ee1da000 x12: 0000000030d4d91d +[ 638.202134] x11: 0000000000000000 x10: 0000000000000980 x9 : ffff8000124d3b20 +[ 638.209262] x8 : ffff0000c18d4ea0 x7 : ffff0000c18d44c0 x6 : ffff0000c18d44c0 +[ 638.216391] x5 : ffff80000904a3b0 x4 : ffff8000124d3d58 x3 : ffff8000124d3d60 +[ 638.223519] x2 : ffff8000124d3d78 x1 : 0000000000000001 x0 : ffff80001137efb8 +[ 638.230648] Call trace: +[ 638.233084] vp8_enc_encode+0x34/0x2b0 [mtk_vcodec_enc] +[ 638.238304] venc_if_encode+0xac/0x1b0 [mtk_vcodec_enc] +[ 638.243525] mtk_venc_worker+0x110/0x250 [mtk_vcodec_enc] +[ 638.248918] process_one_work+0x1f8/0x498 +[ 638.252923] worker_thread+0x140/0x538 +[ 638.256664] kthread+0x148/0x158 +[ 638.259884] ret_from_fork+0x10/0x20 +[ 638.263455] Code: f90023f9 2a0103f5 aa0303f6 aa0403f8 (f940d277) +[ 638.269538] ---[ end trace e374fc10f8e181f5 ]--- + +[gst-master] root@debian:~/gst-build# [ 638.019193] Unable to handle kernel NULL pointer dereference at virtual address 00000000000001a0 +Fixes: 4e855a6efa547 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Encoder Driver") +Signed-off-by: Dafna Hirschfeld +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c +index 219c2c5b78efc..5f93bc670edb2 100644 +--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c ++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c +@@ -237,11 +237,11 @@ static int fops_vcodec_release(struct file *file) + mtk_v4l2_debug(1, "[%d] encoder", ctx->id); + mutex_lock(&dev->dev_mutex); + ++ v4l2_m2m_ctx_release(ctx->m2m_ctx); + mtk_vcodec_enc_release(ctx); + v4l2_fh_del(&ctx->fh); + v4l2_fh_exit(&ctx->fh); + v4l2_ctrl_handler_free(&ctx->ctrl_hdl); +- v4l2_m2m_ctx_release(ctx->m2m_ctx); + + list_del_init(&ctx->list); + kfree(ctx); +-- +2.34.1 + diff --git a/queue-5.10/media-rcar-csi2-correct-the-selection-of-hsfreqrange.patch b/queue-5.10/media-rcar-csi2-correct-the-selection-of-hsfreqrange.patch new file mode 100644 index 00000000000..e657427c432 --- /dev/null +++ b/queue-5.10/media-rcar-csi2-correct-the-selection-of-hsfreqrange.patch @@ -0,0 +1,83 @@ +From faa5b30a5098731bb77047d1d5137b54b6d4000f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Aug 2021 17:07:54 +0200 +Subject: media: rcar-csi2: Correct the selection of hsfreqrange +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Suresh Udipi + +[ Upstream commit cee44d4fbacbbdfe62697ec94e76c6e4f726c5df ] + +hsfreqrange should be chosen based on the calculated mbps which +is closer to the default bit rate and within the range as per +table[1]. But current calculation always selects first value which +is greater than or equal to the calculated mbps which may lead +to chosing a wrong range in some cases. + +For example for 360 mbps for H3/M3N +Existing logic selects +Calculated value 360Mbps : Default 400Mbps Range [368.125 -433.125 mbps] + +This hsfreqrange is out of range. + +The logic is changed to get the default value which is closest to the +calculated value [1] + +Calculated value 360Mbps : Default 350Mbps Range [320.625 -380.625 mpbs] + +[1] specs r19uh0105ej0200-r-car-3rd-generation.pdf [Table 25.9] + +Please note that According to Renesas in Table 25.9 the range for +220 default value is corrected as below + + |Range (Mbps) | Default Bit rate (Mbps) | + ----------------------------------------------- + | 197.125-244.125 | 220 | + ----------------------------------------------- + +Fixes: 769afd212b16 ("media: rcar-csi2: add Renesas R-Car MIPI CSI-2 receiver driver") +Signed-off-by: Suresh Udipi +Signed-off-by: Kazuyoshi Akiyama +Signed-off-by: Michael Rodin +Reviewed-by: Niklas Söderlund +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar-vin/rcar-csi2.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/rcar-vin/rcar-csi2.c b/drivers/media/platform/rcar-vin/rcar-csi2.c +index d2d87a204e918..6fb8efcb40444 100644 +--- a/drivers/media/platform/rcar-vin/rcar-csi2.c ++++ b/drivers/media/platform/rcar-vin/rcar-csi2.c +@@ -436,16 +436,23 @@ static int rcsi2_wait_phy_start(struct rcar_csi2 *priv, + static int rcsi2_set_phypll(struct rcar_csi2 *priv, unsigned int mbps) + { + const struct rcsi2_mbps_reg *hsfreq; ++ const struct rcsi2_mbps_reg *hsfreq_prev = NULL; + +- for (hsfreq = priv->info->hsfreqrange; hsfreq->mbps != 0; hsfreq++) ++ for (hsfreq = priv->info->hsfreqrange; hsfreq->mbps != 0; hsfreq++) { + if (hsfreq->mbps >= mbps) + break; ++ hsfreq_prev = hsfreq; ++ } + + if (!hsfreq->mbps) { + dev_err(priv->dev, "Unsupported PHY speed (%u Mbps)", mbps); + return -ERANGE; + } + ++ if (hsfreq_prev && ++ ((mbps - hsfreq_prev->mbps) <= (hsfreq->mbps - mbps))) ++ hsfreq = hsfreq_prev; ++ + rcsi2_write(priv, PHYPLL_REG, PHYPLL_HSFREQRANGE(hsfreq->reg)); + + return 0; +-- +2.34.1 + diff --git a/queue-5.10/media-rcar-vin-update-format-alignment-constraints.patch b/queue-5.10/media-rcar-vin-update-format-alignment-constraints.patch new file mode 100644 index 00000000000..849b007751d --- /dev/null +++ b/queue-5.10/media-rcar-vin-update-format-alignment-constraints.patch @@ -0,0 +1,69 @@ +From 5263b9d933cf34f4aac9e7adc6af0131cd2bad81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Nov 2021 00:02:57 +0100 +Subject: media: rcar-vin: Update format alignment constraints +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Niklas Söderlund + +[ Upstream commit da6911f330d40cfe115a37249e47643eff555e82 ] + +This change fixes two issues with the size constraints for buffers. + +- There is no width alignment constraint for RGB formats. Prior to this + change they were treated as YUV and as a result were more restricted + than needed. Add a new check to differentiate between the two. + +- The minimum width and height supported is 5x2, not 2x4, this is an + artifact from the driver's soc-camera days. Fix this incorrect + assumption. + +Signed-off-by: Niklas Söderlund +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar-vin/rcar-v4l2.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/platform/rcar-vin/rcar-v4l2.c b/drivers/media/platform/rcar-vin/rcar-v4l2.c +index 3e7a3ae2a6b97..0bbe6f9f92062 100644 +--- a/drivers/media/platform/rcar-vin/rcar-v4l2.c ++++ b/drivers/media/platform/rcar-vin/rcar-v4l2.c +@@ -175,20 +175,27 @@ static void rvin_format_align(struct rvin_dev *vin, struct v4l2_pix_format *pix) + break; + } + +- /* HW limit width to a multiple of 32 (2^5) for NV12/16 else 2 (2^1) */ ++ /* Hardware limits width alignment based on format. */ + switch (pix->pixelformat) { ++ /* Multiple of 32 (2^5) for NV12/16. */ + case V4L2_PIX_FMT_NV12: + case V4L2_PIX_FMT_NV16: + walign = 5; + break; +- default: ++ /* Multiple of 2 (2^1) for YUV. */ ++ case V4L2_PIX_FMT_YUYV: ++ case V4L2_PIX_FMT_UYVY: + walign = 1; + break; ++ /* No multiple for RGB. */ ++ default: ++ walign = 0; ++ break; + } + + /* Limit to VIN capabilities */ +- v4l_bound_align_image(&pix->width, 2, vin->info->max_width, walign, +- &pix->height, 4, vin->info->max_height, 2, 0); ++ v4l_bound_align_image(&pix->width, 5, vin->info->max_width, walign, ++ &pix->height, 2, vin->info->max_height, 0, 0); + + pix->bytesperline = rvin_format_bytesperline(vin, pix); + pix->sizeimage = rvin_format_sizeimage(pix); +-- +2.34.1 + diff --git a/queue-5.10/media-saa7146-hexium_gemini-fix-a-null-pointer-deref.patch b/queue-5.10/media-saa7146-hexium_gemini-fix-a-null-pointer-deref.patch new file mode 100644 index 00000000000..62c7da99287 --- /dev/null +++ b/queue-5.10/media-saa7146-hexium_gemini-fix-a-null-pointer-deref.patch @@ -0,0 +1,74 @@ +From f2270e4f3ac7f706838bb31f76e230a007ae61f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Dec 2021 16:40:30 +0100 +Subject: media: saa7146: hexium_gemini: Fix a NULL pointer dereference in + hexium_attach() + +From: Zhou Qingyang + +[ Upstream commit 3af86b046933ba513d08399dba0d4d8b50d607d0 ] + +In hexium_attach(dev, info), saa7146_vv_init() is called to allocate +a new memory for dev->vv_data. saa7146_vv_release() will be called on +failure of saa7146_register_device(). There is a dereference of +dev->vv_data in saa7146_vv_release(), which could lead to a NULL +pointer dereference on failure of saa7146_vv_init(). + +Fix this bug by adding a check of saa7146_vv_init(). + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_VIDEO_HEXIUM_GEMINI=m show no new warnings, +and our static analyzer no longer warns about this code. + +Link: https://lore.kernel.org/linux-media/20211203154030.111210-1-zhou1615@umn.edu +Signed-off-by: Zhou Qingyang +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/common/saa7146/saa7146_fops.c | 2 +- + drivers/media/pci/saa7146/hexium_gemini.c | 7 ++++++- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/common/saa7146/saa7146_fops.c b/drivers/media/common/saa7146/saa7146_fops.c +index d6531874faa65..8047e305f3d01 100644 +--- a/drivers/media/common/saa7146/saa7146_fops.c ++++ b/drivers/media/common/saa7146/saa7146_fops.c +@@ -523,7 +523,7 @@ int saa7146_vv_init(struct saa7146_dev* dev, struct saa7146_ext_vv *ext_vv) + ERR("out of memory. aborting.\n"); + kfree(vv); + v4l2_ctrl_handler_free(hdl); +- return -1; ++ return -ENOMEM; + } + + saa7146_video_uops.init(dev,vv); +diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c +index 2214c74bbbf15..3947701cd6c7e 100644 +--- a/drivers/media/pci/saa7146/hexium_gemini.c ++++ b/drivers/media/pci/saa7146/hexium_gemini.c +@@ -284,7 +284,12 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d + hexium_set_input(hexium, 0); + hexium->cur_input = 0; + +- saa7146_vv_init(dev, &vv_data); ++ ret = saa7146_vv_init(dev, &vv_data); ++ if (ret) { ++ i2c_del_adapter(&hexium->i2c_adapter); ++ kfree(hexium); ++ return ret; ++ } + + vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input; + vv_data.vid_ops.vidioc_g_input = vidioc_g_input; +-- +2.34.1 + diff --git a/queue-5.10/media-saa7146-hexium_orion-fix-a-null-pointer-derefe.patch b/queue-5.10/media-saa7146-hexium_orion-fix-a-null-pointer-derefe.patch new file mode 100644 index 00000000000..53fbc8e67e8 --- /dev/null +++ b/queue-5.10/media-saa7146-hexium_orion-fix-a-null-pointer-derefe.patch @@ -0,0 +1,74 @@ +From 5ed4e07f3301bd48946cc55f3b439f106ad86385 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 17:25:49 +0100 +Subject: media: saa7146: hexium_orion: Fix a NULL pointer dereference in + hexium_attach() + +From: Zhou Qingyang + +[ Upstream commit 348df8035301dd212e3cc2860efe4c86cb0d3303 ] + +In hexium_attach(dev, info), saa7146_vv_init() is called to allocate +a new memory for dev->vv_data. In hexium_detach(), saa7146_vv_release() +will be called and there is a dereference of dev->vv_data in +saa7146_vv_release(), which could lead to a NULL pointer dereference +on failure of saa7146_vv_init() according to the following logic. + +Both hexium_attach() and hexium_detach() are callback functions of +the variable 'extension', so there exists a possible call chain directly +from hexium_attach() to hexium_detach(): + +hexium_attach(dev, info) -- fail to alloc memory to dev->vv_data + | in saa7146_vv_init(). + | + | +hexium_detach() -- a dereference of dev->vv_data in saa7146_vv_release() + +Fix this bug by adding a check of saa7146_vv_init(). + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_VIDEO_HEXIUM_ORION=m show no new warnings, +and our static analyzer no longer warns about this code. + +Signed-off-by: Zhou Qingyang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/saa7146/hexium_orion.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c +index 39d14c179d229..2eb4bee16b71f 100644 +--- a/drivers/media/pci/saa7146/hexium_orion.c ++++ b/drivers/media/pci/saa7146/hexium_orion.c +@@ -355,10 +355,16 @@ static struct saa7146_ext_vv vv_data; + static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info) + { + struct hexium *hexium = (struct hexium *) dev->ext_priv; ++ int ret; + + DEB_EE("\n"); + +- saa7146_vv_init(dev, &vv_data); ++ ret = saa7146_vv_init(dev, &vv_data); ++ if (ret) { ++ pr_err("Error in saa7146_vv_init()\n"); ++ return ret; ++ } ++ + vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input; + vv_data.vid_ops.vidioc_g_input = vidioc_g_input; + vv_data.vid_ops.vidioc_s_input = vidioc_s_input; +-- +2.34.1 + diff --git a/queue-5.10/media-saa7146-mxb-fix-a-null-pointer-dereference-in-.patch b/queue-5.10/media-saa7146-mxb-fix-a-null-pointer-dereference-in-.patch new file mode 100644 index 00000000000..c4cc9d9179f --- /dev/null +++ b/queue-5.10/media-saa7146-mxb-fix-a-null-pointer-dereference-in-.patch @@ -0,0 +1,64 @@ +From d83416f5238b5c52b8cdf378783419a2e32fd710 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 17:34:44 +0100 +Subject: media: saa7146: mxb: Fix a NULL pointer dereference in mxb_attach() + +From: Zhou Qingyang + +[ Upstream commit 0407c49ebe330333478440157c640fffd986f41b ] + +In mxb_attach(dev, info), saa7146_vv_init() is called to allocate a +new memory for dev->vv_data. saa7146_vv_release() will be called on +failure of mxb_probe(dev). There is a dereference of dev->vv_data +in saa7146_vv_release(), which could lead to a NULL pointer dereference +on failure of saa7146_vv_init(). + +Fix this bug by adding a check of saa7146_vv_init(). + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_VIDEO_MXB=m show no new warnings, +and our static analyzer no longer warns about this code. + +Fixes: 03b1930efd3c ("V4L/DVB: saa7146: fix regression of the av7110/budget-av driver") +Signed-off-by: Zhou Qingyang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/saa7146/mxb.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/saa7146/mxb.c b/drivers/media/pci/saa7146/mxb.c +index 73fc901ecf3db..bf0b9b0914cd5 100644 +--- a/drivers/media/pci/saa7146/mxb.c ++++ b/drivers/media/pci/saa7146/mxb.c +@@ -683,10 +683,16 @@ static struct saa7146_ext_vv vv_data; + static int mxb_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info) + { + struct mxb *mxb; ++ int ret; + + DEB_EE("dev:%p\n", dev); + +- saa7146_vv_init(dev, &vv_data); ++ ret = saa7146_vv_init(dev, &vv_data); ++ if (ret) { ++ ERR("Error in saa7146_vv_init()"); ++ return ret; ++ } ++ + if (mxb_probe(dev)) { + saa7146_vv_release(dev); + return -1; +-- +2.34.1 + diff --git a/queue-5.10/media-si2157-fix-warm-tuner-state-detection.patch b/queue-5.10/media-si2157-fix-warm-tuner-state-detection.patch new file mode 100644 index 00000000000..d84e5bbf74c --- /dev/null +++ b/queue-5.10/media-si2157-fix-warm-tuner-state-detection.patch @@ -0,0 +1,61 @@ +From 8247642c994c48d6800e6acbe90276b66cb3595d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 22:08:43 +0100 +Subject: media: si2157: Fix "warm" tuner state detection + +From: Robert Schlabbach + +[ Upstream commit a6441ea29cb2c9314654e093a1cd8020b9b851c8 ] + +Commit e955f959ac52 ("media: si2157: Better check for running tuner in +init") completely broke the "warm" tuner detection of the si2157 driver +due to a simple endian error: The Si2157 CRYSTAL_TRIM property code is +0x0402 and needs to be transmitted LSB first. However, it was inserted +MSB first, causing the warm detection to always fail and spam the kernel +log with tuner initialization messages each time the DVB frontend +device was closed and reopened: + +[ 312.215682] si2157 16-0060: found a 'Silicon Labs Si2157-A30' +[ 312.264334] si2157 16-0060: firmware version: 3.0.5 +[ 342.248593] si2157 16-0060: found a 'Silicon Labs Si2157-A30' +[ 342.295743] si2157 16-0060: firmware version: 3.0.5 +[ 372.328574] si2157 16-0060: found a 'Silicon Labs Si2157-A30' +[ 372.385035] si2157 16-0060: firmware version: 3.0.5 + +Also, the reinitializations were observed disturb _other_ tuners on +multi-tuner cards such as the Hauppauge WinTV-QuadHD, leading to missed +or errored packets when one of the other DVB frontend devices on that +card was opened. + +Fix the order of the property code bytes to make the warm detection work +again, also reducing the tuner initialization message in the kernel log +to once per power-on, as well as fixing the interference with other +tuners. + +Link: https://lore.kernel.org/linux-media/trinity-2a86eb9d-6264-4387-95e1-ba7b79a4050f-1638392923493@3c-app-gmx-bap03 + +Fixes: e955f959ac52 ("media: si2157: Better check for running tuner in init") +Reported-by: Robert Schlabbach +Signed-off-by: Robert Schlabbach +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/tuners/si2157.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c +index fefb2625f6558..75ddf7ed1faff 100644 +--- a/drivers/media/tuners/si2157.c ++++ b/drivers/media/tuners/si2157.c +@@ -90,7 +90,7 @@ static int si2157_init(struct dvb_frontend *fe) + dev_dbg(&client->dev, "\n"); + + /* Try to get Xtal trim property, to verify tuner still running */ +- memcpy(cmd.args, "\x15\x00\x04\x02", 4); ++ memcpy(cmd.args, "\x15\x00\x02\x04", 4); + cmd.wlen = 4; + cmd.rlen = 4; + ret = si2157_cmd_execute(client, &cmd); +-- +2.34.1 + diff --git a/queue-5.10/media-si470x-i2c-fix-possible-memory-leak-in-si470x_.patch b/queue-5.10/media-si470x-i2c-fix-possible-memory-leak-in-si470x_.patch new file mode 100644 index 00000000000..6d83816983c --- /dev/null +++ b/queue-5.10/media-si470x-i2c-fix-possible-memory-leak-in-si470x_.patch @@ -0,0 +1,62 @@ +From 6c1b96bffa34718e7dd088ff9af2423eb05f0813 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 11:58:55 +0200 +Subject: media: si470x-i2c: fix possible memory leak in si470x_i2c_probe() + +From: Yang Yingliang + +[ Upstream commit ef054e345ed8c79ce1121a3599b5a2dfd78e57a0 ] + +n the 'radio->hdl.error' error handling, ctrl handler allocated by +v4l2_ctrl_new_std() does not released, and caused memory leak as +follows: + +unreferenced object 0xffff888033d54200 (size 256): + comm "i2c-si470x-19", pid 909, jiffies 4294914203 (age 8.072s) + hex dump (first 32 bytes): + e8 69 11 03 80 88 ff ff 00 46 d5 33 80 88 ff ff .i.......F.3.... + 10 42 d5 33 80 88 ff ff 10 42 d5 33 80 88 ff ff .B.3.....B.3.... + backtrace: + [<00000000086bd4ed>] __kmalloc_node+0x1eb/0x360 + [<00000000bdb68871>] kvmalloc_node+0x66/0x120 + [<00000000fac74e4c>] v4l2_ctrl_new+0x7b9/0x1c60 [videodev] + [<00000000693bf940>] v4l2_ctrl_new_std+0x19b/0x270 [videodev] + [<00000000c0cb91bc>] si470x_i2c_probe+0x2d3/0x9a0 [radio_si470x_i2c] + [<0000000056a6f01f>] i2c_device_probe+0x4d8/0xbe0 + +Fix the error handling path to avoid memory leak. + +Reported-by: Hulk Robot +Fixes: 8c081b6f9a9b ("media: radio: Critical v4l2 registration...") +Signed-off-by: Yang Yingliang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/radio/si470x/radio-si470x-i2c.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/media/radio/si470x/radio-si470x-i2c.c b/drivers/media/radio/si470x/radio-si470x-i2c.c +index a972c0705ac79..76d39e2e87706 100644 +--- a/drivers/media/radio/si470x/radio-si470x-i2c.c ++++ b/drivers/media/radio/si470x/radio-si470x-i2c.c +@@ -368,7 +368,7 @@ static int si470x_i2c_probe(struct i2c_client *client) + if (radio->hdl.error) { + retval = radio->hdl.error; + dev_err(&client->dev, "couldn't register control\n"); +- goto err_dev; ++ goto err_all; + } + + /* video device initialization */ +@@ -463,7 +463,6 @@ static int si470x_i2c_probe(struct i2c_client *client) + return 0; + err_all: + v4l2_ctrl_handler_free(&radio->hdl); +-err_dev: + v4l2_device_unregister(&radio->v4l2_dev); + err_initial: + return retval; +-- +2.34.1 + diff --git a/queue-5.10/media-staging-media-atomisp-pci-balance-braces-aroun.patch b/queue-5.10/media-staging-media-atomisp-pci-balance-braces-aroun.patch new file mode 100644 index 00000000000..e8553210615 --- /dev/null +++ b/queue-5.10/media-staging-media-atomisp-pci-balance-braces-aroun.patch @@ -0,0 +1,79 @@ +From 75a7f27abb55d932f3c8651f59a34f5402df6cc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 18:54:23 +0200 +Subject: media: staging: media: atomisp: pci: Balance braces around + conditional statements in file atomisp_cmd.c + +From: Aline Santana Cordeiro + +[ Upstream commit 0a016c35a326c6b2f558ede58ff08da7ef1da1a8 ] + +Balance braces around conditional statements. +Issue detected by checkpatch.pl. +It happens in if-else statements where one of the commands +uses braces around a block of code and the other command +does not since it has just a single line of code. + +Signed-off-by: Aline Santana Cordeiro +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../staging/media/atomisp/pci/atomisp_cmd.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c +index 592ea990d4ca4..21cd03f06291d 100644 +--- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c +@@ -1138,9 +1138,10 @@ void atomisp_buf_done(struct atomisp_sub_device *asd, int error, + asd->frame_status[vb->i] = + ATOMISP_FRAME_STATUS_OK; + } +- } else ++ } else { + asd->frame_status[vb->i] = + ATOMISP_FRAME_STATUS_OK; ++ } + } else { + asd->frame_status[vb->i] = ATOMISP_FRAME_STATUS_OK; + } +@@ -4945,9 +4946,9 @@ atomisp_try_fmt_file(struct atomisp_device *isp, struct v4l2_format *f) + + depth = get_pixel_depth(pixelformat); + +- if (field == V4L2_FIELD_ANY) ++ if (field == V4L2_FIELD_ANY) { + field = V4L2_FIELD_NONE; +- else if (field != V4L2_FIELD_NONE) { ++ } else if (field != V4L2_FIELD_NONE) { + dev_err(isp->dev, "Wrong output field\n"); + return -EINVAL; + } +@@ -6587,17 +6588,17 @@ static int atomisp_get_pipe_id(struct atomisp_video_pipe *pipe) + { + struct atomisp_sub_device *asd = pipe->asd; + +- if (ATOMISP_USE_YUVPP(asd)) ++ if (ATOMISP_USE_YUVPP(asd)) { + return IA_CSS_PIPE_ID_YUVPP; +- else if (asd->vfpp->val == ATOMISP_VFPP_DISABLE_SCALER) ++ } else if (asd->vfpp->val == ATOMISP_VFPP_DISABLE_SCALER) { + return IA_CSS_PIPE_ID_VIDEO; +- else if (asd->vfpp->val == ATOMISP_VFPP_DISABLE_LOWLAT) ++ } else if (asd->vfpp->val == ATOMISP_VFPP_DISABLE_LOWLAT) { + return IA_CSS_PIPE_ID_CAPTURE; +- else if (pipe == &asd->video_out_video_capture) ++ } else if (pipe == &asd->video_out_video_capture) { + return IA_CSS_PIPE_ID_VIDEO; +- else if (pipe == &asd->video_out_vf) ++ } else if (pipe == &asd->video_out_vf) { + return IA_CSS_PIPE_ID_CAPTURE; +- else if (pipe == &asd->video_out_preview) { ++ } else if (pipe == &asd->video_out_preview) { + if (asd->run_mode->val == ATOMISP_RUN_MODE_VIDEO) + return IA_CSS_PIPE_ID_VIDEO; + else +-- +2.34.1 + diff --git a/queue-5.10/media-uvcvideo-increase-uvc_ctrl_control_timeout-to-.patch b/queue-5.10/media-uvcvideo-increase-uvc_ctrl_control_timeout-to-.patch new file mode 100644 index 00000000000..56a2950e2e4 --- /dev/null +++ b/queue-5.10/media-uvcvideo-increase-uvc_ctrl_control_timeout-to-.patch @@ -0,0 +1,45 @@ +From 1020aab82dc0e21fe880d355a1a5c09be5114670 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Nov 2021 09:52:36 +0100 +Subject: media: uvcvideo: Increase UVC_CTRL_CONTROL_TIMEOUT to 5 seconds. + +From: James Hilliard + +[ Upstream commit c8ed7d2f614cd8b315981d116c7a2fb01829500d ] + +Some uvc devices appear to require the maximum allowed USB timeout +for GET_CUR/SET_CUR requests. + +So lets just bump the UVC control timeout to 5 seconds which is the +same as the usb ctrl get/set defaults: +USB_CTRL_GET_TIMEOUT 5000 +USB_CTRL_SET_TIMEOUT 5000 + +It fixes the following runtime warnings: + Failed to query (GET_CUR) UVC control 11 on unit 2: -110 (exp. 1). + Failed to query (SET_CUR) UVC control 3 on unit 2: -110 (exp. 2). + +Signed-off-by: James Hilliard +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvcvideo.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h +index a3dfacf069c44..c884020b28784 100644 +--- a/drivers/media/usb/uvc/uvcvideo.h ++++ b/drivers/media/usb/uvc/uvcvideo.h +@@ -183,7 +183,7 @@ + /* Maximum status buffer size in bytes of interrupt URB. */ + #define UVC_MAX_STATUS_SIZE 16 + +-#define UVC_CTRL_CONTROL_TIMEOUT 500 ++#define UVC_CTRL_CONTROL_TIMEOUT 5000 + #define UVC_CTRL_STREAMING_TIMEOUT 5000 + + /* Maximum allowed number of control mappings per device */ +-- +2.34.1 + diff --git a/queue-5.10/media-venus-avoid-calling-core_clk_setrate-concurren.patch b/queue-5.10/media-venus-avoid-calling-core_clk_setrate-concurren.patch new file mode 100644 index 00000000000..31495e0ae99 --- /dev/null +++ b/queue-5.10/media-venus-avoid-calling-core_clk_setrate-concurren.patch @@ -0,0 +1,210 @@ +From ecb95ce719a86e303f6110d7f43f6fd4f9a4ed41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Nov 2021 06:48:51 +0100 +Subject: media: venus: avoid calling core_clk_setrate() concurrently during + concurrent video sessions + +From: Mansur Alisha Shaik + +[ Upstream commit 91f2b7d269e5c885c38c7ffa261f5276bd42f907 ] + +In existing implementation, core_clk_setrate() is getting called +concurrently in concurrent video sessions. Before the previous call to +core_clk_setrate returns, new call to core_clk_setrate is invoked from +another video session running concurrently. This results in latest +calculated frequency being set (higher/lower) instead of actual frequency +required for that video session. It also results in stability crashes +mention below. These resources are specific to video core, hence keeping +under core lock would ensure that they are estimated for all running video +sessions and called once for the video core. + +Crash logs: + +[ 1.900089] WARNING: CPU: 4 PID: 1 at drivers/opp/debugfs.c:33 opp_debug_remove_one+0x2c/0x48 +[ 1.908493] Modules linked in: +[ 1.911524] CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.10.67 #35 f8edb8c30cf2dd6838495dd9ef9be47af7f5f60c +[ 1.921036] Hardware name: Qualcomm Technologies, Inc. sc7280 IDP SKU2 platform (DT) +[ 1.928673] pstate: 60800009 (nZCv daif -PAN +UAO -TCO BTYPE=--) +[ 1.934608] pc : opp_debug_remove_one+0x2c/0x48 +[ 1.939080] lr : opp_debug_remove_one+0x2c/0x48 +[ 1.943560] sp : ffffffc011d7b7f0 +[ 1.946836] pmr_save: 000000e0 +[ 1.949854] x29: ffffffc011d7b7f0 x28: ffffffc010733bbc +[ 1.955104] x27: ffffffc010733ba8 x26: ffffff8083cedd00 +[ 1.960355] x25: 0000000000000001 x24: 0000000000000000 +[ 1.965603] x23: ffffff8083cc2878 x22: ffffff8083ceb900 +[ 1.970852] x21: ffffff8083ceb910 x20: ffffff8083cc2800 +[ 1.976101] x19: ffffff8083ceb900 x18: 00000000ffff0a10 +[ 1.981352] x17: ffffff80837a5620 x16: 00000000000000ec +[ 1.986601] x15: ffffffc010519ad4 x14: 0000000000000003 +[ 1.991849] x13: 0000000000000004 x12: 0000000000000001 +[ 1.997100] x11: c0000000ffffdfff x10: 00000000ffffffff +[ 2.002348] x9 : d2627c580300dc00 x8 : d2627c580300dc00 +[ 2.007596] x7 : 0720072007200720 x6 : ffffff80802ecf00 +[ 2.012845] x5 : 0000000000190004 x4 : 0000000000000000 +[ 2.018094] x3 : ffffffc011d7b478 x2 : ffffffc011d7b480 +[ 2.023343] x1 : 00000000ffffdfff x0 : 0000000000000017 +[ 2.028594] Call trace: +[ 2.031022] opp_debug_remove_one+0x2c/0x48 +[ 2.035160] dev_pm_opp_put+0x94/0xb0 +[ 2.038780] _opp_remove_all+0x7c/0xc8 +[ 2.042486] _opp_remove_all_static+0x54/0x7c +[ 2.046796] dev_pm_opp_remove_table+0x74/0x98 +[ 2.051183] devm_pm_opp_of_table_release+0x18/0x24 +[ 2.056001] devm_action_release+0x1c/0x28 +[ 2.060053] release_nodes+0x23c/0x2b8 +[ 2.063760] devres_release_group+0xcc/0xd0 +[ 2.067900] component_bind+0xac/0x168 +[ 2.071608] component_bind_all+0x98/0x124 +[ 2.075664] msm_drm_bind+0x1e8/0x678 +[ 2.079287] try_to_bring_up_master+0x60/0x134 +[ 2.083674] component_master_add_with_match+0xd8/0x120 +[ 2.088834] msm_pdev_probe+0x20c/0x2a0 +[ 2.092629] platform_drv_probe+0x9c/0xbc +[ 2.096598] really_probe+0x11c/0x46c +[ 2.100217] driver_probe_device+0x8c/0xf0 +[ 2.104270] device_driver_attach+0x54/0x78 +[ 2.108407] __driver_attach+0x48/0x148 +[ 2.112201] bus_for_each_dev+0x88/0xd4 +[ 2.115998] driver_attach+0x2c/0x38 +[ 2.119534] bus_add_driver+0x10c/0x200 +[ 2.123330] driver_register+0x6c/0x104 +[ 2.127122] __platform_driver_register+0x4c/0x58 +[ 2.131767] msm_drm_register+0x6c/0x70 +[ 2.135560] do_one_initcall+0x64/0x23c +[ 2.139357] do_initcall_level+0xac/0x15c +[ 2.143321] do_initcalls+0x5c/0x9c +[ 2.146778] do_basic_setup+0x2c/0x38 +[ 2.150401] kernel_init_freeable+0xf8/0x15c +[ 2.154622] kernel_init+0x1c/0x11c +[ 2.158079] ret_from_fork+0x10/0x30 +[ 2.161615] ---[ end trace a2cc45a0f784b212 ]--- + +[ 2.166272] Removing OPP: 300000000 + +Signed-off-by: Mansur Alisha Shaik +Signed-off-by: Stanimir Varbanov +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../media/platform/qcom/venus/pm_helpers.c | 28 +++++++++---------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/drivers/media/platform/qcom/venus/pm_helpers.c b/drivers/media/platform/qcom/venus/pm_helpers.c +index 63095d70f8d82..710f9a2b132b0 100644 +--- a/drivers/media/platform/qcom/venus/pm_helpers.c ++++ b/drivers/media/platform/qcom/venus/pm_helpers.c +@@ -147,14 +147,12 @@ static u32 load_per_type(struct venus_core *core, u32 session_type) + struct venus_inst *inst = NULL; + u32 mbs_per_sec = 0; + +- mutex_lock(&core->lock); + list_for_each_entry(inst, &core->instances, list) { + if (inst->session_type != session_type) + continue; + + mbs_per_sec += load_per_instance(inst); + } +- mutex_unlock(&core->lock); + + return mbs_per_sec; + } +@@ -203,14 +201,12 @@ static int load_scale_bw(struct venus_core *core) + struct venus_inst *inst = NULL; + u32 mbs_per_sec, avg, peak, total_avg = 0, total_peak = 0; + +- mutex_lock(&core->lock); + list_for_each_entry(inst, &core->instances, list) { + mbs_per_sec = load_per_instance(inst); + mbs_to_bw(inst, mbs_per_sec, &avg, &peak); + total_avg += avg; + total_peak += peak; + } +- mutex_unlock(&core->lock); + + /* + * keep minimum bandwidth vote for "video-mem" path, +@@ -237,8 +233,9 @@ static int load_scale_v1(struct venus_inst *inst) + struct device *dev = core->dev; + u32 mbs_per_sec; + unsigned int i; +- int ret; ++ int ret = 0; + ++ mutex_lock(&core->lock); + mbs_per_sec = load_per_type(core, VIDC_SESSION_TYPE_ENC) + + load_per_type(core, VIDC_SESSION_TYPE_DEC); + +@@ -263,17 +260,19 @@ set_freq: + if (ret) { + dev_err(dev, "failed to set clock rate %lu (%d)\n", + freq, ret); +- return ret; ++ goto exit; + } + + ret = load_scale_bw(core); + if (ret) { + dev_err(dev, "failed to set bandwidth (%d)\n", + ret); +- return ret; ++ goto exit; + } + +- return 0; ++exit: ++ mutex_unlock(&core->lock); ++ return ret; + } + + static int core_get_v1(struct venus_core *core) +@@ -960,13 +959,13 @@ static int load_scale_v4(struct venus_inst *inst) + struct device *dev = core->dev; + unsigned long freq = 0, freq_core1 = 0, freq_core2 = 0; + unsigned long filled_len = 0; +- int i, ret; ++ int i, ret = 0; + + for (i = 0; i < inst->num_input_bufs; i++) + filled_len = max(filled_len, inst->payloads[i]); + + if (inst->session_type == VIDC_SESSION_TYPE_DEC && !filled_len) +- return 0; ++ return ret; + + freq = calculate_inst_freq(inst, filled_len); + inst->clk_data.freq = freq; +@@ -982,7 +981,6 @@ static int load_scale_v4(struct venus_inst *inst) + freq_core2 += inst->clk_data.freq; + } + } +- mutex_unlock(&core->lock); + + freq = max(freq_core1, freq_core2); + +@@ -1006,17 +1004,19 @@ set_freq: + if (ret) { + dev_err(dev, "failed to set clock rate %lu (%d)\n", + freq, ret); +- return ret; ++ goto exit; + } + + ret = load_scale_bw(core); + if (ret) { + dev_err(dev, "failed to set bandwidth (%d)\n", + ret); +- return ret; ++ goto exit; + } + +- return 0; ++exit: ++ mutex_unlock(&core->lock); ++ return ret; + } + + static const struct venus_pm_ops pm_ops_v4 = { +-- +2.34.1 + diff --git a/queue-5.10/media-venus-core-fix-a-potential-null-pointer-derefe.patch b/queue-5.10/media-venus-core-fix-a-potential-null-pointer-derefe.patch new file mode 100644 index 00000000000..c02c3da6ba8 --- /dev/null +++ b/queue-5.10/media-venus-core-fix-a-potential-null-pointer-derefe.patch @@ -0,0 +1,43 @@ +From 6e3dd734ef4e845063044db6c2b9b07c78277369 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Aug 2021 07:14:22 +0200 +Subject: media: venus: core: Fix a potential NULL pointer dereference in an + error handling path + +From: Christophe JAILLET + +[ Upstream commit e4debea9be7d5db52bc6a565a4c02c3c6560d093 ] + +The normal path of the function makes the assumption that +'pm_ops->core_power' may be NULL. +We should make the same assumption in the error handling path or a NULL +pointer dereference may occur. + +Add the missing test before calling 'pm_ops->core_power' + +Fixes: 9e8efdb57879 ("media: venus: core: vote for video-mem path") +Signed-off-by: Christophe JAILLET +Signed-off-by: Stanimir Varbanov +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/venus/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c +index bad553bf9f304..791ed1b1bbbd3 100644 +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -409,7 +409,8 @@ static __maybe_unused int venus_runtime_suspend(struct device *dev) + err_video_path: + icc_set_bw(core->cpucfg_path, kbps_to_icc(1000), 0); + err_cpucfg_path: +- pm_ops->core_power(core, POWER_ON); ++ if (pm_ops->core_power) ++ pm_ops->core_power(core, POWER_ON); + + return ret; + } +-- +2.34.1 + diff --git a/queue-5.10/media-venus-core-fix-a-resource-leak-in-the-error-ha.patch b/queue-5.10/media-venus-core-fix-a-resource-leak-in-the-error-ha.patch new file mode 100644 index 00000000000..83109e1d767 --- /dev/null +++ b/queue-5.10/media-venus-core-fix-a-resource-leak-in-the-error-ha.patch @@ -0,0 +1,61 @@ +From 144a5ea39bfef14db22e3bce9145f228266f7392 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 22:05:28 +0200 +Subject: media: venus: core: Fix a resource leak in the error handling path of + 'venus_probe()' + +From: Christophe JAILLET + +[ Upstream commit 8cc7a1b2aca067397a016cdb971a5e6ad9b640c7 ] + +A successful 'of_platform_populate()' call should be balanced by a +corresponding 'of_platform_depopulate()' call in the error handling path +of the probe, as already done in the remove function. + +A successful 'venus_firmware_init()' call should be balanced by a +corresponding 'venus_firmware_deinit()' call in the error handling path +of the probe, as already done in the remove function. + +Update the error handling path accordingly. + +Fixes: f9799fcce4bb ("media: venus: firmware: register separate platform_device for firmware loader") +Signed-off-by: Christophe JAILLET +Signed-off-by: Stanimir Varbanov +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/venus/core.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c +index 791ed1b1bbbd3..1d621f7769035 100644 +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -294,11 +294,11 @@ static int venus_probe(struct platform_device *pdev) + + ret = venus_firmware_init(core); + if (ret) +- goto err_runtime_disable; ++ goto err_of_depopulate; + + ret = venus_boot(core); + if (ret) +- goto err_runtime_disable; ++ goto err_firmware_deinit; + + ret = hfi_core_resume(core, true); + if (ret) +@@ -330,6 +330,10 @@ err_dev_unregister: + v4l2_device_unregister(&core->v4l2_dev); + err_venus_shutdown: + venus_shutdown(core); ++err_firmware_deinit: ++ venus_firmware_deinit(core); ++err_of_depopulate: ++ of_platform_depopulate(dev); + err_runtime_disable: + pm_runtime_put_noidle(dev); + pm_runtime_set_suspended(dev); +-- +2.34.1 + diff --git a/queue-5.10/media-venus-core-venc-vdec-fix-probe-dependency-erro.patch b/queue-5.10/media-venus-core-venc-vdec-fix-probe-dependency-erro.patch new file mode 100644 index 00000000000..973dccf3e70 --- /dev/null +++ b/queue-5.10/media-venus-core-venc-vdec-fix-probe-dependency-erro.patch @@ -0,0 +1,343 @@ +From ea5585c6615cf328c53a204f29d12960bdd9bdd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Feb 2021 19:11:49 +0100 +Subject: media: venus: core, venc, vdec: Fix probe dependency error + +From: Bryan O'Donoghue + +[ Upstream commit 08b1cf474b7f72750adebe0f0a35f8e9a3eb75f6 ] + +Commit aaaa93eda64b ("media] media: venus: venc: add video encoder files") +is the last in a series of three commits to add core.c vdec.c and venc.c +adding core, encoder and decoder. + +The encoder and decoder check for core drvdata as set and return -EPROBE_DEFER +if it has not been set, however both the encoder and decoder rely on +core.v4l2_dev as valid. + +core.v4l2_dev will not be valid until v4l2_device_register() has completed +in core.c's probe(). + +Normally this is never seen however, Dmitry reported the following +backtrace when compiling drivers and firmware directly into a kernel image. + +[ 5.259968] Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) +[ 5.269850] sd 0:0:0:3: [sdd] Optimal transfer size 524288 bytes +[ 5.275505] Workqueue: events deferred_probe_work_func +[ 5.275513] pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--) +[ 5.441211] usb 2-1: new SuperSpeedPlus Gen 2 USB device number 2 using xhci-hcd +[ 5.442486] pc : refcount_warn_saturate+0x140/0x148 +[ 5.493756] hub 2-1:1.0: USB hub found +[ 5.496266] lr : refcount_warn_saturate+0x140/0x148 +[ 5.500982] hub 2-1:1.0: 4 ports detected +[ 5.503440] sp : ffff80001067b730 +[ 5.503442] x29: ffff80001067b730 +[ 5.592660] usb 1-1: new high-speed USB device number 2 using xhci-hcd +[ 5.598478] x28: ffff6c6bc1c379b8 +[ 5.598480] x27: ffffa5c673852960 x26: ffffa5c673852000 +[ 5.598484] x25: ffff6c6bc1c37800 x24: 0000000000000001 +[ 5.810652] x23: 0000000000000000 x22: ffffa5c673bc7118 +[ 5.813777] hub 1-1:1.0: USB hub found +[ 5.816108] x21: ffffa5c674440000 x20: 0000000000000001 +[ 5.820846] hub 1-1:1.0: 4 ports detected +[ 5.825415] x19: ffffa5c6744f4000 x18: ffffffffffffffff +[ 5.825418] x17: 0000000000000000 x16: 0000000000000000 +[ 5.825421] x15: 00000a4810c193ba x14: 0000000000000000 +[ 5.825424] x13: 00000000000002b8 x12: 000000000000f20a +[ 5.825427] x11: 000000000000f20a x10: 0000000000000038 +[ 5.845447] usb 2-1.1: new SuperSpeed Gen 1 USB device number 3 using xhci-hcd +[ 5.845904] +[ 5.845905] x9 : 0000000000000000 x8 : ffff6c6d36fae780 +[ 5.871208] x7 : ffff6c6d36faf240 x6 : 0000000000000000 +[ 5.876664] x5 : 0000000000000004 x4 : 0000000000000085 +[ 5.882121] x3 : 0000000000000119 x2 : ffffa5c6741ef478 +[ 5.887578] x1 : 3acbb3926faf5f00 x0 : 0000000000000000 +[ 5.893036] Call trace: +[ 5.895551] refcount_warn_saturate+0x140/0x148 +[ 5.900202] __video_register_device+0x64c/0xd10 +[ 5.904944] venc_probe+0xc4/0x148 +[ 5.908444] platform_probe+0x68/0xe0 +[ 5.912210] really_probe+0x118/0x3e0 +[ 5.915977] driver_probe_device+0x5c/0xc0 +[ 5.920187] __device_attach_driver+0x98/0xb8 +[ 5.924661] bus_for_each_drv+0x68/0xd0 +[ 5.928604] __device_attach+0xec/0x148 +[ 5.932547] device_initial_probe+0x14/0x20 +[ 5.936845] bus_probe_device+0x9c/0xa8 +[ 5.940788] device_add+0x3e8/0x7c8 +[ 5.944376] of_device_add+0x4c/0x60 +[ 5.948056] of_platform_device_create_pdata+0xbc/0x140 +[ 5.953425] of_platform_bus_create+0x17c/0x3c0 +[ 5.958078] of_platform_populate+0x80/0x110 +[ 5.962463] venus_probe+0x2ec/0x4d8 +[ 5.966143] platform_probe+0x68/0xe0 +[ 5.969907] really_probe+0x118/0x3e0 +[ 5.973674] driver_probe_device+0x5c/0xc0 +[ 5.977882] __device_attach_driver+0x98/0xb8 +[ 5.982356] bus_for_each_drv+0x68/0xd0 +[ 5.986298] __device_attach+0xec/0x148 +[ 5.990242] device_initial_probe+0x14/0x20 +[ 5.994539] bus_probe_device+0x9c/0xa8 +[ 5.998481] deferred_probe_work_func+0x74/0xb0 +[ 6.003132] process_one_work+0x1e8/0x360 +[ 6.007254] worker_thread+0x208/0x478 +[ 6.011106] kthread+0x150/0x158 +[ 6.014431] ret_from_fork+0x10/0x30 +[ 6.018111] ---[ end trace f074246b1ecdb466 ]--- + +This patch fixes by + +- Only setting drvdata after v4l2_device_register() completes +- Moving v4l2_device_register() so that suspend/reume in core::probe() + stays as-is +- Changes pm_ops->core_function() to take struct venus_core not struct + device +- Minimal rework of v4l2_device_*register in probe/remove + +Reported-by: Dmitry Baryshkov +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Stanimir Varbanov +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/venus/core.c | 30 +++++++++++-------- + .../media/platform/qcom/venus/pm_helpers.c | 30 ++++++++----------- + .../media/platform/qcom/venus/pm_helpers.h | 7 +++-- + 3 files changed, 34 insertions(+), 33 deletions(-) + +diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c +index 58ddebbb84468..bad553bf9f304 100644 +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -222,7 +222,6 @@ static int venus_probe(struct platform_device *pdev) + return -ENOMEM; + + core->dev = dev; +- platform_set_drvdata(pdev, core); + + r = platform_get_resource(pdev, IORESOURCE_MEM, 0); + core->base = devm_ioremap_resource(dev, r); +@@ -252,7 +251,7 @@ static int venus_probe(struct platform_device *pdev) + return -ENODEV; + + if (core->pm_ops->core_get) { +- ret = core->pm_ops->core_get(dev); ++ ret = core->pm_ops->core_get(core); + if (ret) + return ret; + } +@@ -277,6 +276,12 @@ static int venus_probe(struct platform_device *pdev) + if (ret) + goto err_core_put; + ++ ret = v4l2_device_register(dev, &core->v4l2_dev); ++ if (ret) ++ goto err_core_deinit; ++ ++ platform_set_drvdata(pdev, core); ++ + pm_runtime_enable(dev); + + ret = pm_runtime_get_sync(dev); +@@ -311,10 +316,6 @@ static int venus_probe(struct platform_device *pdev) + if (ret) + goto err_venus_shutdown; + +- ret = v4l2_device_register(dev, &core->v4l2_dev); +- if (ret) +- goto err_core_deinit; +- + ret = pm_runtime_put_sync(dev); + if (ret) { + pm_runtime_get_noresume(dev); +@@ -327,8 +328,6 @@ static int venus_probe(struct platform_device *pdev) + + err_dev_unregister: + v4l2_device_unregister(&core->v4l2_dev); +-err_core_deinit: +- hfi_core_deinit(core, false); + err_venus_shutdown: + venus_shutdown(core); + err_runtime_disable: +@@ -336,9 +335,11 @@ err_runtime_disable: + pm_runtime_set_suspended(dev); + pm_runtime_disable(dev); + hfi_destroy(core); ++err_core_deinit: ++ hfi_core_deinit(core, false); + err_core_put: + if (core->pm_ops->core_put) +- core->pm_ops->core_put(dev); ++ core->pm_ops->core_put(core); + return ret; + } + +@@ -364,11 +365,14 @@ static int venus_remove(struct platform_device *pdev) + pm_runtime_disable(dev); + + if (pm_ops->core_put) +- pm_ops->core_put(dev); ++ pm_ops->core_put(core); ++ ++ v4l2_device_unregister(&core->v4l2_dev); + + hfi_destroy(core); + + v4l2_device_unregister(&core->v4l2_dev); ++ + mutex_destroy(&core->pm_lock); + mutex_destroy(&core->lock); + venus_dbgfs_deinit(core); +@@ -387,7 +391,7 @@ static __maybe_unused int venus_runtime_suspend(struct device *dev) + return ret; + + if (pm_ops->core_power) { +- ret = pm_ops->core_power(dev, POWER_OFF); ++ ret = pm_ops->core_power(core, POWER_OFF); + if (ret) + return ret; + } +@@ -405,7 +409,7 @@ static __maybe_unused int venus_runtime_suspend(struct device *dev) + err_video_path: + icc_set_bw(core->cpucfg_path, kbps_to_icc(1000), 0); + err_cpucfg_path: +- pm_ops->core_power(dev, POWER_ON); ++ pm_ops->core_power(core, POWER_ON); + + return ret; + } +@@ -425,7 +429,7 @@ static __maybe_unused int venus_runtime_resume(struct device *dev) + return ret; + + if (pm_ops->core_power) { +- ret = pm_ops->core_power(dev, POWER_ON); ++ ret = pm_ops->core_power(core, POWER_ON); + if (ret) + return ret; + } +diff --git a/drivers/media/platform/qcom/venus/pm_helpers.c b/drivers/media/platform/qcom/venus/pm_helpers.c +index bce9a370015fb..63095d70f8d82 100644 +--- a/drivers/media/platform/qcom/venus/pm_helpers.c ++++ b/drivers/media/platform/qcom/venus/pm_helpers.c +@@ -276,16 +276,13 @@ set_freq: + return 0; + } + +-static int core_get_v1(struct device *dev) ++static int core_get_v1(struct venus_core *core) + { +- struct venus_core *core = dev_get_drvdata(dev); +- + return core_clks_get(core); + } + +-static int core_power_v1(struct device *dev, int on) ++static int core_power_v1(struct venus_core *core, int on) + { +- struct venus_core *core = dev_get_drvdata(dev); + int ret = 0; + + if (on == POWER_ON) +@@ -752,12 +749,12 @@ static int venc_power_v4(struct device *dev, int on) + return ret; + } + +-static int vcodec_domains_get(struct device *dev) ++static int vcodec_domains_get(struct venus_core *core) + { + int ret; + struct opp_table *opp_table; + struct device **opp_virt_dev; +- struct venus_core *core = dev_get_drvdata(dev); ++ struct device *dev = core->dev; + const struct venus_resources *res = core->res; + struct device *pd; + unsigned int i; +@@ -808,9 +805,8 @@ opp_attach_err: + return ret; + } + +-static void vcodec_domains_put(struct device *dev) ++static void vcodec_domains_put(struct venus_core *core) + { +- struct venus_core *core = dev_get_drvdata(dev); + const struct venus_resources *res = core->res; + unsigned int i; + +@@ -833,9 +829,9 @@ skip_pmdomains: + dev_pm_opp_detach_genpd(core->opp_table); + } + +-static int core_get_v4(struct device *dev) ++static int core_get_v4(struct venus_core *core) + { +- struct venus_core *core = dev_get_drvdata(dev); ++ struct device *dev = core->dev; + const struct venus_resources *res = core->res; + int ret; + +@@ -874,7 +870,7 @@ static int core_get_v4(struct device *dev) + } + } + +- ret = vcodec_domains_get(dev); ++ ret = vcodec_domains_get(core); + if (ret) { + if (core->has_opp_table) + dev_pm_opp_of_remove_table(dev); +@@ -885,14 +881,14 @@ static int core_get_v4(struct device *dev) + return 0; + } + +-static void core_put_v4(struct device *dev) ++static void core_put_v4(struct venus_core *core) + { +- struct venus_core *core = dev_get_drvdata(dev); ++ struct device *dev = core->dev; + + if (legacy_binding) + return; + +- vcodec_domains_put(dev); ++ vcodec_domains_put(core); + + if (core->has_opp_table) + dev_pm_opp_of_remove_table(dev); +@@ -901,9 +897,9 @@ static void core_put_v4(struct device *dev) + + } + +-static int core_power_v4(struct device *dev, int on) ++static int core_power_v4(struct venus_core *core, int on) + { +- struct venus_core *core = dev_get_drvdata(dev); ++ struct device *dev = core->dev; + struct device *pmctrl = core->pmdomains[0]; + int ret = 0; + +diff --git a/drivers/media/platform/qcom/venus/pm_helpers.h b/drivers/media/platform/qcom/venus/pm_helpers.h +index aa2f6afa23544..a492c50c5543c 100644 +--- a/drivers/media/platform/qcom/venus/pm_helpers.h ++++ b/drivers/media/platform/qcom/venus/pm_helpers.h +@@ -4,14 +4,15 @@ + #define __VENUS_PM_HELPERS_H__ + + struct device; ++struct venus_core; + + #define POWER_ON 1 + #define POWER_OFF 0 + + struct venus_pm_ops { +- int (*core_get)(struct device *dev); +- void (*core_put)(struct device *dev); +- int (*core_power)(struct device *dev, int on); ++ int (*core_get)(struct venus_core *core); ++ void (*core_put)(struct venus_core *core); ++ int (*core_power)(struct venus_core *core, int on); + + int (*vdec_get)(struct device *dev); + void (*vdec_put)(struct device *dev); +-- +2.34.1 + diff --git a/queue-5.10/media-venus-pm_helpers-control-core-power-domain-man.patch b/queue-5.10/media-venus-pm_helpers-control-core-power-domain-man.patch new file mode 100644 index 00000000000..43c56efbeed --- /dev/null +++ b/queue-5.10/media-venus-pm_helpers-control-core-power-domain-man.patch @@ -0,0 +1,124 @@ +From f28f6e2c6f9990a5cb772a2fc8e105426c36addc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Jan 2021 08:21:30 +0100 +Subject: media: venus: pm_helpers: Control core power domain manually + +From: Stanimir Varbanov + +[ Upstream commit a76f43a490542ecb8c57176730b6eb665d716139 ] + +Presently we use device_link to control core power domain. But this +leads to issues because the genpd doesn't guarantee synchronous on/off +for supplier devices. Switch to manually control by pmruntime calls. + +Tested-by: Fritz Koenig +Signed-off-by: Stanimir Varbanov +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/venus/core.h | 2 -- + .../media/platform/qcom/venus/pm_helpers.c | 36 ++++++++++--------- + 2 files changed, 19 insertions(+), 19 deletions(-) + +diff --git a/drivers/media/platform/qcom/venus/core.h b/drivers/media/platform/qcom/venus/core.h +index 05c9fbd51f0c0..f2a0ef9ee884e 100644 +--- a/drivers/media/platform/qcom/venus/core.h ++++ b/drivers/media/platform/qcom/venus/core.h +@@ -123,7 +123,6 @@ struct venus_caps { + * @clks: an array of struct clk pointers + * @vcodec0_clks: an array of vcodec0 struct clk pointers + * @vcodec1_clks: an array of vcodec1 struct clk pointers +- * @pd_dl_venus: pmdomain device-link for venus domain + * @pmdomains: an array of pmdomains struct device pointers + * @vdev_dec: a reference to video device structure for decoder instances + * @vdev_enc: a reference to video device structure for encoder instances +@@ -161,7 +160,6 @@ struct venus_core { + struct icc_path *cpucfg_path; + struct opp_table *opp_table; + bool has_opp_table; +- struct device_link *pd_dl_venus; + struct device *pmdomains[VIDC_PMDOMAINS_NUM_MAX]; + struct device_link *opp_dl_venus; + struct device *opp_pmdomain; +diff --git a/drivers/media/platform/qcom/venus/pm_helpers.c b/drivers/media/platform/qcom/venus/pm_helpers.c +index 2946547a0df4a..bce9a370015fb 100644 +--- a/drivers/media/platform/qcom/venus/pm_helpers.c ++++ b/drivers/media/platform/qcom/venus/pm_helpers.c +@@ -773,13 +773,6 @@ static int vcodec_domains_get(struct device *dev) + core->pmdomains[i] = pd; + } + +- core->pd_dl_venus = device_link_add(dev, core->pmdomains[0], +- DL_FLAG_PM_RUNTIME | +- DL_FLAG_STATELESS | +- DL_FLAG_RPM_ACTIVE); +- if (!core->pd_dl_venus) +- return -ENODEV; +- + skip_pmdomains: + if (!core->has_opp_table) + return 0; +@@ -806,14 +799,12 @@ skip_pmdomains: + opp_dl_add_err: + dev_pm_opp_detach_genpd(core->opp_table); + opp_attach_err: +- if (core->pd_dl_venus) { +- device_link_del(core->pd_dl_venus); +- for (i = 0; i < res->vcodec_pmdomains_num; i++) { +- if (IS_ERR_OR_NULL(core->pmdomains[i])) +- continue; +- dev_pm_domain_detach(core->pmdomains[i], true); +- } ++ for (i = 0; i < res->vcodec_pmdomains_num; i++) { ++ if (IS_ERR_OR_NULL(core->pmdomains[i])) ++ continue; ++ dev_pm_domain_detach(core->pmdomains[i], true); + } ++ + return ret; + } + +@@ -826,9 +817,6 @@ static void vcodec_domains_put(struct device *dev) + if (!res->vcodec_pmdomains_num) + goto skip_pmdomains; + +- if (core->pd_dl_venus) +- device_link_del(core->pd_dl_venus); +- + for (i = 0; i < res->vcodec_pmdomains_num; i++) { + if (IS_ERR_OR_NULL(core->pmdomains[i])) + continue; +@@ -916,16 +904,30 @@ static void core_put_v4(struct device *dev) + static int core_power_v4(struct device *dev, int on) + { + struct venus_core *core = dev_get_drvdata(dev); ++ struct device *pmctrl = core->pmdomains[0]; + int ret = 0; + + if (on == POWER_ON) { ++ if (pmctrl) { ++ ret = pm_runtime_get_sync(pmctrl); ++ if (ret < 0) { ++ pm_runtime_put_noidle(pmctrl); ++ return ret; ++ } ++ } ++ + ret = core_clks_enable(core); ++ if (ret < 0 && pmctrl) ++ pm_runtime_put_sync(pmctrl); + } else { + /* Drop the performance state vote */ + if (core->opp_pmdomain) + dev_pm_opp_set_rate(dev, 0); + + core_clks_disable(core); ++ ++ if (pmctrl) ++ pm_runtime_put_sync(pmctrl); + } + + return ret; +-- +2.34.1 + diff --git a/queue-5.10/media-videobuf2-fix-the-size-printk-format.patch b/queue-5.10/media-videobuf2-fix-the-size-printk-format.patch new file mode 100644 index 00000000000..f7f92c02e5d --- /dev/null +++ b/queue-5.10/media-videobuf2-fix-the-size-printk-format.patch @@ -0,0 +1,50 @@ +From de20d675f7d824db823989c0194d297fa08cc041 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 09:43:19 +0100 +Subject: media: videobuf2: Fix the size printk format + +From: Dillon Min + +[ Upstream commit c9ee220d76775e42f35d634479c978d9350077d3 ] + +Since the type of parameter size is unsigned long, +it should printk by %lu, instead of %ld, fix it. + +Fixes: 7952be9b6ece ("media: drivers/media/common/videobuf2: rename from videobuf") +Signed-off-by: Dillon Min +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/common/videobuf2/videobuf2-dma-contig.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/common/videobuf2/videobuf2-dma-contig.c b/drivers/media/common/videobuf2/videobuf2-dma-contig.c +index 2f3a5996d3fc9..fe626109ef4db 100644 +--- a/drivers/media/common/videobuf2/videobuf2-dma-contig.c ++++ b/drivers/media/common/videobuf2/videobuf2-dma-contig.c +@@ -150,7 +150,7 @@ static void *vb2_dc_alloc(struct device *dev, unsigned long attrs, + buf->cookie = dma_alloc_attrs(dev, size, &buf->dma_addr, + GFP_KERNEL | gfp_flags, buf->attrs); + if (!buf->cookie) { +- dev_err(dev, "dma_alloc_coherent of size %ld failed\n", size); ++ dev_err(dev, "dma_alloc_coherent of size %lu failed\n", size); + kfree(buf); + return ERR_PTR(-ENOMEM); + } +@@ -196,9 +196,9 @@ static int vb2_dc_mmap(void *buf_priv, struct vm_area_struct *vma) + + vma->vm_ops->open(vma); + +- pr_debug("%s: mapped dma addr 0x%08lx at 0x%08lx, size %ld\n", +- __func__, (unsigned long)buf->dma_addr, vma->vm_start, +- buf->size); ++ pr_debug("%s: mapped dma addr 0x%08lx at 0x%08lx, size %lu\n", ++ __func__, (unsigned long)buf->dma_addr, vma->vm_start, ++ buf->size); + + return 0; + } +-- +2.34.1 + diff --git a/queue-5.10/memory-renesas-rpc-if-return-error-in-case-devm_iore.patch b/queue-5.10/memory-renesas-rpc-if-return-error-in-case-devm_iore.patch new file mode 100644 index 00000000000..4eaebe38f72 --- /dev/null +++ b/queue-5.10/memory-renesas-rpc-if-return-error-in-case-devm_iore.patch @@ -0,0 +1,41 @@ +From 9e5fbaf2718b0111f74ffebe29fd3547ba2ce0c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 21:56:29 +0100 +Subject: memory: renesas-rpc-if: Return error in case devm_ioremap_resource() + fails + +From: Lad Prabhakar + +[ Upstream commit 818fdfa89baac77a8df5a2c30f4fb798cc937aa0 ] + +Make sure we return error in case devm_ioremap_resource() fails for dirmap +resource. + +Fixes: ca7d8b980b67 ("memory: add Renesas RPC-IF driver") +Signed-off-by: Lad Prabhakar +Reviewed-by: Biju Das +Reviewed-by: Wolfram Sang +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20211025205631.21151-6-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/renesas-rpc-if.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/memory/renesas-rpc-if.c b/drivers/memory/renesas-rpc-if.c +index a760ab08256ff..9019121a80f53 100644 +--- a/drivers/memory/renesas-rpc-if.c ++++ b/drivers/memory/renesas-rpc-if.c +@@ -245,7 +245,7 @@ int rpcif_sw_init(struct rpcif *rpc, struct device *dev) + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "dirmap"); + rpc->dirmap = devm_ioremap_resource(&pdev->dev, res); + if (IS_ERR(rpc->dirmap)) +- rpc->dirmap = NULL; ++ return PTR_ERR(rpc->dirmap); + rpc->size = resource_size(res); + + rpc->rstc = devm_reset_control_get_exclusive(&pdev->dev, NULL); +-- +2.34.1 + diff --git a/queue-5.10/mfd-atmel-flexcom-remove-ifdef-config_pm_sleep.patch b/queue-5.10/mfd-atmel-flexcom-remove-ifdef-config_pm_sleep.patch new file mode 100644 index 00000000000..dc0a5382e22 --- /dev/null +++ b/queue-5.10/mfd-atmel-flexcom-remove-ifdef-config_pm_sleep.patch @@ -0,0 +1,54 @@ +From fd5e7825eebee09b250a5e93ba4f414c0b5982ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 16:51:37 +0300 +Subject: mfd: atmel-flexcom: Remove #ifdef CONFIG_PM_SLEEP + +From: Claudiu Beznea + +[ Upstream commit 8c0fad75dcaa650e3f3145a2c35847bc6a65cb7f ] + +Remove compilation flag and use __maybe_unused and pm_ptr instead. + +Signed-off-by: Claudiu Beznea +Acked-by: Nicolas Ferre +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20211028135138.3481166-2-claudiu.beznea@microchip.com +Signed-off-by: Sasha Levin +--- + drivers/mfd/atmel-flexcom.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/mfd/atmel-flexcom.c b/drivers/mfd/atmel-flexcom.c +index d2f5c073fdf31..962f66dc8813e 100644 +--- a/drivers/mfd/atmel-flexcom.c ++++ b/drivers/mfd/atmel-flexcom.c +@@ -87,8 +87,7 @@ static const struct of_device_id atmel_flexcom_of_match[] = { + }; + MODULE_DEVICE_TABLE(of, atmel_flexcom_of_match); + +-#ifdef CONFIG_PM_SLEEP +-static int atmel_flexcom_resume(struct device *dev) ++static int __maybe_unused atmel_flexcom_resume(struct device *dev) + { + struct atmel_flexcom *ddata = dev_get_drvdata(dev); + int err; +@@ -105,7 +104,6 @@ static int atmel_flexcom_resume(struct device *dev) + + return 0; + } +-#endif + + static SIMPLE_DEV_PM_OPS(atmel_flexcom_pm_ops, NULL, + atmel_flexcom_resume); +@@ -114,7 +112,7 @@ static struct platform_driver atmel_flexcom_driver = { + .probe = atmel_flexcom_probe, + .driver = { + .name = "atmel_flexcom", +- .pm = &atmel_flexcom_pm_ops, ++ .pm = pm_ptr(&atmel_flexcom_pm_ops), + .of_match_table = atmel_flexcom_of_match, + }, + }; +-- +2.34.1 + diff --git a/queue-5.10/mfd-atmel-flexcom-use-.resume_noirq.patch b/queue-5.10/mfd-atmel-flexcom-use-.resume_noirq.patch new file mode 100644 index 00000000000..c6251fa9723 --- /dev/null +++ b/queue-5.10/mfd-atmel-flexcom-use-.resume_noirq.patch @@ -0,0 +1,56 @@ +From bc4d7300828f74a2dd4070e10b73802cab5919fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 16:51:38 +0300 +Subject: mfd: atmel-flexcom: Use .resume_noirq + +From: Claudiu Beznea + +[ Upstream commit 5d051cf94fd5834a1513aa77e542c49fd973988a ] + +Flexcom IP embeds 3 other IPs: usart, i2c, spi and selects the operation +mode (usart, i2c, spi) via mode register (FLEX_MR). On i2c bus there might +be connected critical devices (like PMIC) which on suspend/resume should +be suspended/resumed at the end/beginning. i2c uses +.suspend_noirq/.resume_noirq for this kind of purposes. Align flexcom +to use .resume_noirq as it should be resumed before the embedded IPs. +Otherwise the embedded devices might behave badly. + +Fixes: 7fdec11015c3 ("atmel_flexcom: Support resuming after a chip reset") +Signed-off-by: Claudiu Beznea +Tested-by: Codrin Ciubotariu +Acked-by: Nicolas Ferre +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20211028135138.3481166-3-claudiu.beznea@microchip.com +Signed-off-by: Sasha Levin +--- + drivers/mfd/atmel-flexcom.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/mfd/atmel-flexcom.c b/drivers/mfd/atmel-flexcom.c +index 962f66dc8813e..559eb4d352b68 100644 +--- a/drivers/mfd/atmel-flexcom.c ++++ b/drivers/mfd/atmel-flexcom.c +@@ -87,7 +87,7 @@ static const struct of_device_id atmel_flexcom_of_match[] = { + }; + MODULE_DEVICE_TABLE(of, atmel_flexcom_of_match); + +-static int __maybe_unused atmel_flexcom_resume(struct device *dev) ++static int __maybe_unused atmel_flexcom_resume_noirq(struct device *dev) + { + struct atmel_flexcom *ddata = dev_get_drvdata(dev); + int err; +@@ -105,8 +105,9 @@ static int __maybe_unused atmel_flexcom_resume(struct device *dev) + return 0; + } + +-static SIMPLE_DEV_PM_OPS(atmel_flexcom_pm_ops, NULL, +- atmel_flexcom_resume); ++static const struct dev_pm_ops atmel_flexcom_pm_ops = { ++ .resume_noirq = atmel_flexcom_resume_noirq, ++}; + + static struct platform_driver atmel_flexcom_driver = { + .probe = atmel_flexcom_probe, +-- +2.34.1 + diff --git a/queue-5.10/mfd-intel_soc_pmic-use-cpu-id-check-instead-of-_hrv-.patch b/queue-5.10/mfd-intel_soc_pmic-use-cpu-id-check-instead-of-_hrv-.patch new file mode 100644 index 00000000000..4e86790d9db --- /dev/null +++ b/queue-5.10/mfd-intel_soc_pmic-use-cpu-id-check-instead-of-_hrv-.patch @@ -0,0 +1,88 @@ +From df49bff43e1b151eaa6d7190dae5d7857dfafb0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Dec 2021 18:48:06 +0100 +Subject: mfd: intel_soc_pmic: Use CPU-id check instead of _HRV check to + differentiate variants + +From: Hans de Goede + +[ Upstream commit 5b78223f55a0f516a1639dbe11cd4324d4aaee20 ] + +The Intel Crystal Cove PMIC has 2 different variants, one for use with +Bay Trail (BYT) SoCs and one for use with Cherry Trail (CHT) SoCs. + +So far we have been using an ACPI _HRV check to differentiate between +the 2, but at least on the Microsoft Surface 3, which is a CHT device, +the wrong _HRV value is reported by ACPI. + +So instead switch to a CPU-ID check which prevents us from relying on +the possibly wrong ACPI _HRV value. + +Signed-off-by: Hans de Goede +Reported-by: Tsuchiya Yuto +Reviewed-by: Andy Shevchenko +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20211206174806.197772-2-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/mfd/intel_soc_pmic_core.c | 28 +++------------------------- + 1 file changed, 3 insertions(+), 25 deletions(-) + +diff --git a/drivers/mfd/intel_soc_pmic_core.c b/drivers/mfd/intel_soc_pmic_core.c +index ddd64f9e3341e..47cb7f00dfcfc 100644 +--- a/drivers/mfd/intel_soc_pmic_core.c ++++ b/drivers/mfd/intel_soc_pmic_core.c +@@ -14,15 +14,12 @@ + #include + #include + #include ++#include + #include + #include + + #include "intel_soc_pmic_core.h" + +-/* Crystal Cove PMIC shares same ACPI ID between different platforms */ +-#define BYT_CRC_HRV 2 +-#define CHT_CRC_HRV 3 +- + /* PWM consumed by the Intel GFX */ + static struct pwm_lookup crc_pwm_lookup[] = { + PWM_LOOKUP("crystal_cove_pwm", 0, "0000:00:02.0", "pwm_pmic_backlight", 0, PWM_POLARITY_NORMAL), +@@ -34,31 +31,12 @@ static int intel_soc_pmic_i2c_probe(struct i2c_client *i2c, + struct device *dev = &i2c->dev; + struct intel_soc_pmic_config *config; + struct intel_soc_pmic *pmic; +- unsigned long long hrv; +- acpi_status status; + int ret; + +- /* +- * There are 2 different Crystal Cove PMICs a Bay Trail and Cherry +- * Trail version, use _HRV to differentiate between the 2. +- */ +- status = acpi_evaluate_integer(ACPI_HANDLE(dev), "_HRV", NULL, &hrv); +- if (ACPI_FAILURE(status)) { +- dev_err(dev, "Failed to get PMIC hardware revision\n"); +- return -ENODEV; +- } +- +- switch (hrv) { +- case BYT_CRC_HRV: ++ if (soc_intel_is_byt()) + config = &intel_soc_pmic_config_byt_crc; +- break; +- case CHT_CRC_HRV: ++ else + config = &intel_soc_pmic_config_cht_crc; +- break; +- default: +- dev_warn(dev, "Unknown hardware rev %llu, assuming BYT\n", hrv); +- config = &intel_soc_pmic_config_byt_crc; +- } + + pmic = devm_kzalloc(dev, sizeof(*pmic), GFP_KERNEL); + if (!pmic) +-- +2.34.1 + diff --git a/queue-5.10/mips-add-sys_has_cpu_mips64_r5-config-for-mips-relea.patch b/queue-5.10/mips-add-sys_has_cpu_mips64_r5-config-for-mips-relea.patch new file mode 100644 index 00000000000..200fff50162 --- /dev/null +++ b/queue-5.10/mips-add-sys_has_cpu_mips64_r5-config-for-mips-relea.patch @@ -0,0 +1,52 @@ +From 4c7acae151af8fe73f36d6e8a1a7d0f8a75d7106 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Dec 2021 12:16:35 +0100 +Subject: mips: add SYS_HAS_CPU_MIPS64_R5 config for MIPS Release 5 support + +From: Lukas Bulwahn + +[ Upstream commit fd4eb90b164442cb1e9909f7845e12a0835ac699 ] + +Commit ab7c01fdc3cf ("mips: Add MIPS Release 5 support") adds the two +configs CPU_MIPS32_R5 and CPU_MIPS64_R5, which depend on the corresponding +SYS_HAS_CPU_MIPS32_R5 and SYS_HAS_CPU_MIPS64_R5, respectively. + +The config SYS_HAS_CPU_MIPS32_R5 was already introduced with commit +c5b367835cfc ("MIPS: Add support for XPA."); the config +SYS_HAS_CPU_MIPS64_R5, however, was never introduced. + +Hence, ./scripts/checkkconfigsymbols.py warns: + + SYS_HAS_CPU_MIPS64_R5 + Referencing files: arch/mips/Kconfig, arch/mips/include/asm/cpu-type.h + +Add the definition for config SYS_HAS_CPU_MIPS64_R5 under the assumption +that SYS_HAS_CPU_MIPS64_R5 follows the same pattern as the existing +SYS_HAS_CPU_MIPS32_R5 and SYS_HAS_CPU_MIPS64_R6. + +Fixes: ab7c01fdc3cf ("mips: Add MIPS Release 5 support") +Signed-off-by: Lukas Bulwahn +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/Kconfig | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig +index 23d756fe0fd6c..db8fe5d7a2377 100644 +--- a/arch/mips/Kconfig ++++ b/arch/mips/Kconfig +@@ -1985,6 +1985,10 @@ config SYS_HAS_CPU_MIPS64_R1 + config SYS_HAS_CPU_MIPS64_R2 + bool + ++config SYS_HAS_CPU_MIPS64_R5 ++ bool ++ select ARCH_HAS_SYNC_DMA_FOR_CPU if DMA_NONCOHERENT ++ + config SYS_HAS_CPU_MIPS64_R6 + bool + select ARCH_HAS_SYNC_DMA_FOR_CPU if DMA_NONCOHERENT +-- +2.34.1 + diff --git a/queue-5.10/mips-bcm63xx-add-support-for-clk_set_parent.patch b/queue-5.10/mips-bcm63xx-add-support-for-clk_set_parent.patch new file mode 100644 index 00000000000..1a02cfb1295 --- /dev/null +++ b/queue-5.10/mips-bcm63xx-add-support-for-clk_set_parent.patch @@ -0,0 +1,48 @@ +From 071e3956d2ff642df4f45fc2feb6fe6868c814b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Dec 2021 16:05:53 -0800 +Subject: mips: bcm63xx: add support for clk_set_parent() + +From: Randy Dunlap + +[ Upstream commit 6f03055d508ff4feb8db02ba3df9303a1db8d381 ] + +The MIPS BMC63XX subarch does not provide/support clk_set_parent(). +This causes build errors in a few drivers, so add a simple implementation +of that function so that callers of it will build without errors. + +Fixes these build errors: + +ERROR: modpost: "clk_set_parent" [sound/soc/jz4740/snd-soc-jz4740-i2s.ko] undefined! +ERROR: modpost: "clk_set_parent" [sound/soc/atmel/snd-soc-atmel-i2s.ko] undefined! + +Fixes: e7300d04bd08 ("MIPS: BCM63xx: Add support for the Broadcom BCM63xx family of SOCs." ) +Signed-off-by: Randy Dunlap +Reviewed-by: Jonathan Cameron +Acked-by: Florian Fainelli +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/bcm63xx/clk.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/mips/bcm63xx/clk.c b/arch/mips/bcm63xx/clk.c +index aba6e2d6a736c..dcfa0ea912fe1 100644 +--- a/arch/mips/bcm63xx/clk.c ++++ b/arch/mips/bcm63xx/clk.c +@@ -387,6 +387,12 @@ struct clk *clk_get_parent(struct clk *clk) + } + EXPORT_SYMBOL(clk_get_parent); + ++int clk_set_parent(struct clk *clk, struct clk *parent) ++{ ++ return 0; ++} ++EXPORT_SYMBOL(clk_set_parent); ++ + unsigned long clk_get_rate(struct clk *clk) + { + if (!clk) +-- +2.34.1 + diff --git a/queue-5.10/mips-fix-kconfig-reference-to-phys_addr_t_64bit.patch b/queue-5.10/mips-fix-kconfig-reference-to-phys_addr_t_64bit.patch new file mode 100644 index 00000000000..f12ae2de959 --- /dev/null +++ b/queue-5.10/mips-fix-kconfig-reference-to-phys_addr_t_64bit.patch @@ -0,0 +1,52 @@ +From 90fed17c8579983a451daf610b2920ac77481821 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Dec 2021 12:16:42 +0100 +Subject: mips: fix Kconfig reference to PHYS_ADDR_T_64BIT + +From: Lukas Bulwahn + +[ Upstream commit a670c82d9ca4f1e7385d9d6f26ff41a50fbdd944 ] + +Commit d4a451d5fc84 ("arch: remove the ARCH_PHYS_ADDR_T_64BIT config +symbol") removes config ARCH_PHYS_ADDR_T_64BIT with all instances of that +config refactored appropriately. Since then, it is recommended to use the +config PHYS_ADDR_T_64BIT instead. + +Commit 171543e75272 ("MIPS: Disallow CPU_SUPPORTS_HUGEPAGES for XPA,EVA") +introduces the expression "!(32BIT && (ARCH_PHYS_ADDR_T_64BIT || EVA))" +for config CPU_SUPPORTS_HUGEPAGES, which unintentionally refers to the +non-existing symbol ARCH_PHYS_ADDR_T_64BIT instead of the intended +PHYS_ADDR_T_64BIT. + +Fix this Kconfig reference to the intended PHYS_ADDR_T_64BIT. + +This issue was identified with the script ./scripts/checkkconfigsymbols.py. +I then reported it on the mailing list and Paul confirmed the mistake in +the linked email thread. + +Link: https://lore.kernel.org/lkml/H8IU3R.H5QVNRA077PT@crapouillou.net/ +Suggested-by: Paul Cercueil +Fixes: 171543e75272 ("MIPS: Disallow CPU_SUPPORTS_HUGEPAGES for XPA,EVA") +Signed-off-by: Lukas Bulwahn +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig +index db8fe5d7a2377..3442bdd4314cb 100644 +--- a/arch/mips/Kconfig ++++ b/arch/mips/Kconfig +@@ -2150,7 +2150,7 @@ config CPU_SUPPORTS_ADDRWINCFG + bool + config CPU_SUPPORTS_HUGEPAGES + bool +- depends on !(32BIT && (ARCH_PHYS_ADDR_T_64BIT || EVA)) ++ depends on !(32BIT && (PHYS_ADDR_T_64BIT || EVA)) + config MIPS_PGD_C0_CONTEXT + bool + default y if 64BIT && (CPU_MIPSR2 || CPU_MIPSR6) && !CPU_XLP +-- +2.34.1 + diff --git a/queue-5.10/mips-lantiq-add-support-for-clk_set_parent.patch b/queue-5.10/mips-lantiq-add-support-for-clk_set_parent.patch new file mode 100644 index 00000000000..e8786e853bd --- /dev/null +++ b/queue-5.10/mips-lantiq-add-support-for-clk_set_parent.patch @@ -0,0 +1,48 @@ +From 119e6533711786a5e0f31d3a804d4c8180660611 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Dec 2021 16:03:45 -0800 +Subject: mips: lantiq: add support for clk_set_parent() + +From: Randy Dunlap + +[ Upstream commit 76f66dfd60dc5d2f9dec22d99091fea1035c5d03 ] + +Provide a simple implementation of clk_set_parent() in the lantiq +subarch so that callers of it will build without errors. + +Fixes these build errors: + +ERROR: modpost: "clk_set_parent" [sound/soc/jz4740/snd-soc-jz4740-i2s.ko] undefined! +ERROR: modpost: "clk_set_parent" [sound/soc/atmel/snd-soc-atmel-i2s.ko] undefined! + +Fixes: 171bb2f19ed6 ("MIPS: Lantiq: Add initial support for Lantiq SoCs") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +--to=linux-mips@vger.kernel.org --cc="John Crispin " --cc="Jonathan Cameron " --cc="Russell King " --cc="Andy Shevchenko " --cc=alsa-devel@alsa-project.org --to="Thomas Bogendoerfer " +Reviewed-by: Jonathan Cameron +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/lantiq/clk.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/mips/lantiq/clk.c b/arch/mips/lantiq/clk.c +index 4916cccf378fd..7a623684d9b5e 100644 +--- a/arch/mips/lantiq/clk.c ++++ b/arch/mips/lantiq/clk.c +@@ -164,6 +164,12 @@ struct clk *clk_get_parent(struct clk *clk) + } + EXPORT_SYMBOL(clk_get_parent); + ++int clk_set_parent(struct clk *clk, struct clk *parent) ++{ ++ return 0; ++} ++EXPORT_SYMBOL(clk_set_parent); ++ + static inline u32 get_counter_resolution(void) + { + u32 res; +-- +2.34.1 + diff --git a/queue-5.10/mips-loongson64-use-three-arguments-for-slti.patch b/queue-5.10/mips-loongson64-use-three-arguments-for-slti.patch new file mode 100644 index 00000000000..2f642255509 --- /dev/null +++ b/queue-5.10/mips-loongson64-use-three-arguments-for-slti.patch @@ -0,0 +1,62 @@ +From fe1f6d20ab56ab1fdcf4f7a3ee5e547500a77704 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Dec 2021 09:56:17 -0700 +Subject: MIPS: Loongson64: Use three arguments for slti + +From: Nathan Chancellor + +[ Upstream commit f2c6c22fa83ab2577619009057b3ebcb5305bb03 ] + +LLVM's integrated assembler does not support 'slti , ': + +:16:12: error: invalid operand for instruction + slti $12, (0x6300 | 0x0008) + ^ +arch/mips/kernel/head.S:86:2: note: while in macro instantiation + kernel_entry_setup # cpu specific setup + ^ +:16:12: error: invalid operand for instruction + slti $12, (0x6300 | 0x0008) + ^ +arch/mips/kernel/head.S:150:2: note: while in macro instantiation + smp_slave_setup + ^ + +To increase compatibility with LLVM's integrated assembler, use the full +form of 'slti , , ', which matches the rest of +arch/mips/. This does not result in any change for GNU as. + +Link: https://github.com/ClangBuiltLinux/linux/issues/1526 +Reported-by: Ryutaroh Matsumoto +Signed-off-by: Nathan Chancellor +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/mach-loongson64/kernel-entry-init.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/include/asm/mach-loongson64/kernel-entry-init.h b/arch/mips/include/asm/mach-loongson64/kernel-entry-init.h +index 87a5bfbf8cfe9..28572ddfb004a 100644 +--- a/arch/mips/include/asm/mach-loongson64/kernel-entry-init.h ++++ b/arch/mips/include/asm/mach-loongson64/kernel-entry-init.h +@@ -36,7 +36,7 @@ + nop + /* Loongson-3A R2/R3 */ + andi t0, (PRID_IMP_MASK | PRID_REV_MASK) +- slti t0, (PRID_IMP_LOONGSON_64C | PRID_REV_LOONGSON3A_R2_0) ++ slti t0, t0, (PRID_IMP_LOONGSON_64C | PRID_REV_LOONGSON3A_R2_0) + bnez t0, 2f + nop + 1: +@@ -71,7 +71,7 @@ + nop + /* Loongson-3A R2/R3 */ + andi t0, (PRID_IMP_MASK | PRID_REV_MASK) +- slti t0, (PRID_IMP_LOONGSON_64C | PRID_REV_LOONGSON3A_R2_0) ++ slti t0, t0, (PRID_IMP_LOONGSON_64C | PRID_REV_LOONGSON3A_R2_0) + bnez t0, 2f + nop + 1: +-- +2.34.1 + diff --git a/queue-5.10/mips-octeon-add-put_device-after-of_find_device_by_n.patch b/queue-5.10/mips-octeon-add-put_device-after-of_find_device_by_n.patch new file mode 100644 index 00000000000..1f5ace2cf3d --- /dev/null +++ b/queue-5.10/mips-octeon-add-put_device-after-of_find_device_by_n.patch @@ -0,0 +1,67 @@ +From e8265b742a66effad998c49e206b405ffab31759 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Nov 2021 08:10:51 +0000 +Subject: MIPS: OCTEON: add put_device() after of_find_device_by_node() + +From: Ye Guojin + +[ Upstream commit 858779df1c0787d3fec827fb705708df9ebdb15b ] + +This was found by coccicheck: +./arch/mips/cavium-octeon/octeon-platform.c, 332, 1-7, ERROR missing +put_device; call of_find_device_by_node on line 324, but without a +corresponding object release within this function. +./arch/mips/cavium-octeon/octeon-platform.c, 395, 1-7, ERROR missing +put_device; call of_find_device_by_node on line 387, but without a +corresponding object release within this function. +./arch/mips/cavium-octeon/octeon-usb.c, 512, 3-9, ERROR missing +put_device; call of_find_device_by_node on line 515, but without a +corresponding object release within this function. +./arch/mips/cavium-octeon/octeon-usb.c, 543, 1-7, ERROR missing +put_device; call of_find_device_by_node on line 515, but without a +corresponding object release within this function. + +Reported-by: Zeal Robot +Signed-off-by: Ye Guojin +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/cavium-octeon/octeon-platform.c | 2 ++ + arch/mips/cavium-octeon/octeon-usb.c | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/arch/mips/cavium-octeon/octeon-platform.c b/arch/mips/cavium-octeon/octeon-platform.c +index d56e9b9d2e434..a994022e32c9f 100644 +--- a/arch/mips/cavium-octeon/octeon-platform.c ++++ b/arch/mips/cavium-octeon/octeon-platform.c +@@ -328,6 +328,7 @@ static int __init octeon_ehci_device_init(void) + + pd->dev.platform_data = &octeon_ehci_pdata; + octeon_ehci_hw_start(&pd->dev); ++ put_device(&pd->dev); + + return ret; + } +@@ -391,6 +392,7 @@ static int __init octeon_ohci_device_init(void) + + pd->dev.platform_data = &octeon_ohci_pdata; + octeon_ohci_hw_start(&pd->dev); ++ put_device(&pd->dev); + + return ret; + } +diff --git a/arch/mips/cavium-octeon/octeon-usb.c b/arch/mips/cavium-octeon/octeon-usb.c +index 950e6c6e86297..fa87e5aa1811d 100644 +--- a/arch/mips/cavium-octeon/octeon-usb.c ++++ b/arch/mips/cavium-octeon/octeon-usb.c +@@ -544,6 +544,7 @@ static int __init dwc3_octeon_device_init(void) + devm_iounmap(&pdev->dev, base); + devm_release_mem_region(&pdev->dev, res->start, + resource_size(res)); ++ put_device(&pdev->dev); + } + } while (node != NULL); + +-- +2.34.1 + diff --git a/queue-5.10/mips-octeon-fix-build-errors-using-clang.patch b/queue-5.10/mips-octeon-fix-build-errors-using-clang.patch new file mode 100644 index 00000000000..ad9ea27af46 --- /dev/null +++ b/queue-5.10/mips-octeon-fix-build-errors-using-clang.patch @@ -0,0 +1,62 @@ +From 7a6a781799bcafcb34eae19ff7aa3776f9168936 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Dec 2021 17:50:14 +0800 +Subject: MIPS: Octeon: Fix build errors using clang +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tianjia Zhang + +[ Upstream commit 95339b70677dc6f9a2d669c4716058e71b8dc1c7 ] + +A large number of the following errors is reported when compiling +with clang: + + cvmx-bootinfo.h:326:3: error: adding 'int' to a string does not append to the string [-Werror,-Wstring-plus-int] + ENUM_BRD_TYPE_CASE(CVMX_BOARD_TYPE_NULL) + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + cvmx-bootinfo.h:321:20: note: expanded from macro 'ENUM_BRD_TYPE_CASE' + case x: return(#x + 16); /* Skip CVMX_BOARD_TYPE_ */ + ~~~^~~~ + cvmx-bootinfo.h:326:3: note: use array indexing to silence this warning + cvmx-bootinfo.h:321:20: note: expanded from macro 'ENUM_BRD_TYPE_CASE' + case x: return(#x + 16); /* Skip CVMX_BOARD_TYPE_ */ + ^ + +Follow the prompts to use the address operator '&' to fix this error. + +Signed-off-by: Tianjia Zhang +Reviewed-by: Nathan Chancellor +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/octeon/cvmx-bootinfo.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/include/asm/octeon/cvmx-bootinfo.h b/arch/mips/include/asm/octeon/cvmx-bootinfo.h +index c114a7ba0badd..e77e8b7c00838 100644 +--- a/arch/mips/include/asm/octeon/cvmx-bootinfo.h ++++ b/arch/mips/include/asm/octeon/cvmx-bootinfo.h +@@ -317,7 +317,7 @@ enum cvmx_chip_types_enum { + + /* Functions to return string based on type */ + #define ENUM_BRD_TYPE_CASE(x) \ +- case x: return(#x + 16); /* Skip CVMX_BOARD_TYPE_ */ ++ case x: return (&#x[16]); /* Skip CVMX_BOARD_TYPE_ */ + static inline const char *cvmx_board_type_to_string(enum + cvmx_board_types_enum type) + { +@@ -408,7 +408,7 @@ static inline const char *cvmx_board_type_to_string(enum + } + + #define ENUM_CHIP_TYPE_CASE(x) \ +- case x: return(#x + 15); /* Skip CVMX_CHIP_TYPE */ ++ case x: return (&#x[15]); /* Skip CVMX_CHIP_TYPE */ + static inline const char *cvmx_chip_type_to_string(enum + cvmx_chip_types_enum type) + { +-- +2.34.1 + diff --git a/queue-5.10/misc-lattice-ecp3-config-fix-task-hung-when-firmware.patch b/queue-5.10/misc-lattice-ecp3-config-fix-task-hung-when-firmware.patch new file mode 100644 index 00000000000..fb9e07e09ab --- /dev/null +++ b/queue-5.10/misc-lattice-ecp3-config-fix-task-hung-when-firmware.patch @@ -0,0 +1,95 @@ +From ff3f27d687354a1fc0b26db02460e5d89ea395bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Dec 2021 12:55:22 +0000 +Subject: misc: lattice-ecp3-config: Fix task hung when firmware load failed + +From: Wei Yongjun + +[ Upstream commit fcee5ce50bdb21116711e38635e3865594af907e ] + +When firmware load failed, kernel report task hung as follows: + +INFO: task xrun:5191 blocked for more than 147 seconds. + Tainted: G W 5.16.0-rc5-next-20211220+ #11 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +task:xrun state:D stack: 0 pid: 5191 ppid: 270 flags:0x00000004 +Call Trace: + __schedule+0xc12/0x4b50 kernel/sched/core.c:4986 + schedule+0xd7/0x260 kernel/sched/core.c:6369 (discriminator 1) + schedule_timeout+0x7aa/0xa80 kernel/time/timer.c:1857 + wait_for_completion+0x181/0x290 kernel/sched/completion.c:85 + lattice_ecp3_remove+0x32/0x40 drivers/misc/lattice-ecp3-config.c:221 + spi_remove+0x72/0xb0 drivers/spi/spi.c:409 + +lattice_ecp3_remove() wait for signals from firmware loading, but when +load failed, firmware_load() does not send this signal. This cause +device remove hung. Fix it by sending signal even if load failed. + +Fixes: 781551df57c7 ("misc: Add Lattice ECP3 FPGA configuration via SPI") +Reported-by: Hulk Robot +Signed-off-by: Wei Yongjun +Link: https://lore.kernel.org/r/20211228125522.3122284-1-weiyongjun1@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/lattice-ecp3-config.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/misc/lattice-ecp3-config.c b/drivers/misc/lattice-ecp3-config.c +index 5eaf74447ca1e..556bb7d705f53 100644 +--- a/drivers/misc/lattice-ecp3-config.c ++++ b/drivers/misc/lattice-ecp3-config.c +@@ -76,12 +76,12 @@ static void firmware_load(const struct firmware *fw, void *context) + + if (fw == NULL) { + dev_err(&spi->dev, "Cannot load firmware, aborting\n"); +- return; ++ goto out; + } + + if (fw->size == 0) { + dev_err(&spi->dev, "Error: Firmware size is 0!\n"); +- return; ++ goto out; + } + + /* Fill dummy data (24 stuffing bits for commands) */ +@@ -103,7 +103,7 @@ static void firmware_load(const struct firmware *fw, void *context) + dev_err(&spi->dev, + "Error: No supported FPGA detected (JEDEC_ID=%08x)!\n", + jedec_id); +- return; ++ goto out; + } + + dev_info(&spi->dev, "FPGA %s detected\n", ecp3_dev[i].name); +@@ -116,7 +116,7 @@ static void firmware_load(const struct firmware *fw, void *context) + buffer = kzalloc(fw->size + 8, GFP_KERNEL); + if (!buffer) { + dev_err(&spi->dev, "Error: Can't allocate memory!\n"); +- return; ++ goto out; + } + + /* +@@ -155,7 +155,7 @@ static void firmware_load(const struct firmware *fw, void *context) + "Error: Timeout waiting for FPGA to clear (status=%08x)!\n", + status); + kfree(buffer); +- return; ++ goto out; + } + + dev_info(&spi->dev, "Configuring the FPGA...\n"); +@@ -181,7 +181,7 @@ static void firmware_load(const struct firmware *fw, void *context) + release_firmware(fw); + + kfree(buffer); +- ++out: + complete(&data->fw_loaded); + } + +-- +2.34.1 + diff --git a/queue-5.10/mlxsw-pci-add-shutdown-method-in-pci-driver.patch b/queue-5.10/mlxsw-pci-add-shutdown-method-in-pci-driver.patch new file mode 100644 index 00000000000..e8b6bf103d2 --- /dev/null +++ b/queue-5.10/mlxsw-pci-add-shutdown-method-in-pci-driver.patch @@ -0,0 +1,96 @@ +From e5bb7877ca9c351ed69aa0aba095202ea65d82e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Nov 2021 09:54:47 +0200 +Subject: mlxsw: pci: Add shutdown method in PCI driver + +From: Danielle Ratson + +[ Upstream commit c1020d3cf4752f61a6a413f632ea2ce2370e150d ] + +On an arm64 platform with the Spectrum ASIC, after loading and executing +a new kernel via kexec, the following trace [1] is observed. This seems +to be caused by the fact that the device is not properly shutdown before +executing the new kernel. + +Fix this by implementing a shutdown method which mirrors the remove +method, as recommended by the kexec maintainer [2][3]. + +[1] +BUG: Bad page state in process devlink pfn:22f73d +page:fffffe00089dcf40 refcount:-1 mapcount:0 mapping:0000000000000000 index:0x0 +flags: 0x2ffff00000000000() +raw: 2ffff00000000000 0000000000000000 ffffffff089d0201 0000000000000000 +raw: 0000000000000000 0000000000000000 ffffffffffffffff 0000000000000000 +page dumped because: nonzero _refcount +Modules linked in: +CPU: 1 PID: 16346 Comm: devlink Tainted: G B 5.8.0-rc6-custom-273020-gac6b365b1bf5 #44 +Hardware name: Marvell Armada 7040 TX4810M (DT) +Call trace: + dump_backtrace+0x0/0x1d0 + show_stack+0x1c/0x28 + dump_stack+0xbc/0x118 + bad_page+0xcc/0xf8 + check_free_page_bad+0x80/0x88 + __free_pages_ok+0x3f8/0x418 + __free_pages+0x38/0x60 + kmem_freepages+0x200/0x2a8 + slab_destroy+0x28/0x68 + slabs_destroy+0x60/0x90 + ___cache_free+0x1b4/0x358 + kfree+0xc0/0x1d0 + skb_free_head+0x2c/0x38 + skb_release_data+0x110/0x1a0 + skb_release_all+0x2c/0x38 + consume_skb+0x38/0x130 + __dev_kfree_skb_any+0x44/0x50 + mlxsw_pci_rdq_fini+0x8c/0xb0 + mlxsw_pci_queue_fini.isra.0+0x28/0x58 + mlxsw_pci_queue_group_fini+0x58/0x88 + mlxsw_pci_aqs_fini+0x2c/0x60 + mlxsw_pci_fini+0x34/0x50 + mlxsw_core_bus_device_unregister+0x104/0x1d0 + mlxsw_devlink_core_bus_device_reload_down+0x2c/0x48 + devlink_reload+0x44/0x158 + devlink_nl_cmd_reload+0x270/0x290 + genl_rcv_msg+0x188/0x2f0 + netlink_rcv_skb+0x5c/0x118 + genl_rcv+0x3c/0x50 + netlink_unicast+0x1bc/0x278 + netlink_sendmsg+0x194/0x390 + __sys_sendto+0xe0/0x158 + __arm64_sys_sendto+0x2c/0x38 + el0_svc_common.constprop.0+0x70/0x168 + do_el0_svc+0x28/0x88 + el0_sync_handler+0x88/0x190 + el0_sync+0x140/0x180 + +[2] +https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1195432.html + +[3] +https://patchwork.kernel.org/project/linux-scsi/patch/20170212214920.28866-1-anton@ozlabs.org/#20116693 + +Cc: Eric Biederman +Signed-off-by: Danielle Ratson +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/pci.c b/drivers/net/ethernet/mellanox/mlxsw/pci.c +index ffaeda75eec42..72d5c77bcb949 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/pci.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/pci.c +@@ -1900,6 +1900,7 @@ int mlxsw_pci_driver_register(struct pci_driver *pci_driver) + { + pci_driver->probe = mlxsw_pci_probe; + pci_driver->remove = mlxsw_pci_remove; ++ pci_driver->shutdown = mlxsw_pci_remove; + return pci_register_driver(pci_driver); + } + EXPORT_SYMBOL(mlxsw_pci_driver_register); +-- +2.34.1 + diff --git a/queue-5.10/mlxsw-pci-avoid-flow-control-for-emad-packets.patch b/queue-5.10/mlxsw-pci-avoid-flow-control-for-emad-packets.patch new file mode 100644 index 00000000000..6f7e422a4ed --- /dev/null +++ b/queue-5.10/mlxsw-pci-avoid-flow-control-for-emad-packets.patch @@ -0,0 +1,95 @@ +From 42001501f149987541770e9be81752e9c3756895 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jan 2022 12:22:27 +0200 +Subject: mlxsw: pci: Avoid flow control for EMAD packets + +From: Danielle Ratson + +[ Upstream commit d43e4271747ace01a27a49a97a397cb4219f6487 ] + +Locally generated packets ingress the device through its CPU port. When +the CPU port is congested and there are not enough credits in its +headroom buffer, packets can be dropped. + +While this might be acceptable for data packets that traverse the +network, configuration packets exchanged between the host and the device +(EMADs) should not be subjected to this flow control. + +The "sdq_lp" bit in the SDQ (Send Descriptor Queue) context allows the +host to instruct the device to treat packets sent on this queue as +"local processing" and always process them, regardless of the state of +the CPU port's headroom. + +Add the definition of this bit and set it for the dedicated SDQ reserved +for the transmission of EMAD packets. This makes the "local processing" +bit in the WQE (Work Queue Element) redundant, so clear it. + +Signed-off-by: Danielle Ratson +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/cmd.h | 12 ++++++++++++ + drivers/net/ethernet/mellanox/mlxsw/pci.c | 6 +++++- + 2 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/cmd.h b/drivers/net/ethernet/mellanox/mlxsw/cmd.h +index 5ffdfb532cb7f..91f68fb0b420a 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/cmd.h ++++ b/drivers/net/ethernet/mellanox/mlxsw/cmd.h +@@ -905,6 +905,18 @@ static inline int mlxsw_cmd_sw2hw_rdq(struct mlxsw_core *mlxsw_core, + */ + MLXSW_ITEM32(cmd_mbox, sw2hw_dq, cq, 0x00, 24, 8); + ++enum mlxsw_cmd_mbox_sw2hw_dq_sdq_lp { ++ MLXSW_CMD_MBOX_SW2HW_DQ_SDQ_LP_WQE, ++ MLXSW_CMD_MBOX_SW2HW_DQ_SDQ_LP_IGNORE_WQE, ++}; ++ ++/* cmd_mbox_sw2hw_dq_sdq_lp ++ * SDQ local Processing ++ * 0: local processing by wqe.lp ++ * 1: local processing (ignoring wqe.lp) ++ */ ++MLXSW_ITEM32(cmd_mbox, sw2hw_dq, sdq_lp, 0x00, 23, 1); ++ + /* cmd_mbox_sw2hw_dq_sdq_tclass + * SDQ: CPU Egress TClass + * RDQ: Reserved +diff --git a/drivers/net/ethernet/mellanox/mlxsw/pci.c b/drivers/net/ethernet/mellanox/mlxsw/pci.c +index 72d5c77bcb949..dbb16ce25bdf3 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/pci.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/pci.c +@@ -285,6 +285,7 @@ static int mlxsw_pci_sdq_init(struct mlxsw_pci *mlxsw_pci, char *mbox, + struct mlxsw_pci_queue *q) + { + int tclass; ++ int lp; + int i; + int err; + +@@ -292,9 +293,12 @@ static int mlxsw_pci_sdq_init(struct mlxsw_pci *mlxsw_pci, char *mbox, + q->consumer_counter = 0; + tclass = q->num == MLXSW_PCI_SDQ_EMAD_INDEX ? MLXSW_PCI_SDQ_EMAD_TC : + MLXSW_PCI_SDQ_CTL_TC; ++ lp = q->num == MLXSW_PCI_SDQ_EMAD_INDEX ? MLXSW_CMD_MBOX_SW2HW_DQ_SDQ_LP_IGNORE_WQE : ++ MLXSW_CMD_MBOX_SW2HW_DQ_SDQ_LP_WQE; + + /* Set CQ of same number of this SDQ. */ + mlxsw_cmd_mbox_sw2hw_dq_cq_set(mbox, q->num); ++ mlxsw_cmd_mbox_sw2hw_dq_sdq_lp_set(mbox, lp); + mlxsw_cmd_mbox_sw2hw_dq_sdq_tclass_set(mbox, tclass); + mlxsw_cmd_mbox_sw2hw_dq_log2_dq_sz_set(mbox, 3); /* 8 pages */ + for (i = 0; i < MLXSW_PCI_AQ_PAGES; i++) { +@@ -1599,7 +1603,7 @@ static int mlxsw_pci_skb_transmit(void *bus_priv, struct sk_buff *skb, + + wqe = elem_info->elem; + mlxsw_pci_wqe_c_set(wqe, 1); /* always report completion */ +- mlxsw_pci_wqe_lp_set(wqe, !!tx_info->is_emad); ++ mlxsw_pci_wqe_lp_set(wqe, 0); + mlxsw_pci_wqe_type_set(wqe, MLXSW_PCI_WQE_TYPE_ETHERNET); + + err = mlxsw_pci_wqe_frag_map(mlxsw_pci, wqe, 0, skb->data, +-- +2.34.1 + diff --git a/queue-5.10/mmc-core-fixup-storing-of-ocr-for-mmc_quirk_nonstd_s.patch b/queue-5.10/mmc-core-fixup-storing-of-ocr-for-mmc_quirk_nonstd_s.patch new file mode 100644 index 00000000000..89ff26b9ae2 --- /dev/null +++ b/queue-5.10/mmc-core-fixup-storing-of-ocr-for-mmc_quirk_nonstd_s.patch @@ -0,0 +1,57 @@ +From fd26e0545953837d19a41b8972ea7944065cb559 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Nov 2021 18:17:09 +0100 +Subject: mmc: core: Fixup storing of OCR for MMC_QUIRK_NONSTD_SDIO + +From: Ulf Hansson + +[ Upstream commit 8c3e5b74b9e2146f564905e50ca716591c76d4f1 ] + +The mmc core takes a specific path to support initializing of a +non-standard SDIO card. This is triggered by looking for the card-quirk, +MMC_QUIRK_NONSTD_SDIO. + +In mmc_sdio_init_card() this gets rather messy, as it causes the code to +bail out earlier, compared to the usual path. This leads to that the OCR +doesn't get saved properly in card->ocr. Fortunately, only omap_hsmmc has +been using the MMC_QUIRK_NONSTD_SDIO and is dealing with the issue, by +assigning a hardcoded value (0x80) to card->ocr from an ->init_card() ops. + +To make the behaviour consistent, let's instead rely on the core to save +the OCR in card->ocr during initialization. + +Reported-by: H. Nikolaus Schaller +Signed-off-by: Ulf Hansson +Signed-off-by: H. Nikolaus Schaller +Link: https://lore.kernel.org/r/e7936cff7fc24d187ef2680d3b4edb0ade58f293.1636564631.git.hns@goldelico.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/sdio.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/core/sdio.c b/drivers/mmc/core/sdio.c +index 1b0853a82189a..99a4ce68d82f1 100644 +--- a/drivers/mmc/core/sdio.c ++++ b/drivers/mmc/core/sdio.c +@@ -708,6 +708,8 @@ try_again: + if (host->ops->init_card) + host->ops->init_card(host, card); + ++ card->ocr = ocr_card; ++ + /* + * If the host and card support UHS-I mode request the card + * to switch to 1.8V signaling level. No 1.8v signalling if +@@ -820,7 +822,7 @@ try_again: + goto mismatch; + } + } +- card->ocr = ocr_card; ++ + mmc_fixup_device(card, sdio_fixup_methods); + + if (card->type == MMC_TYPE_SD_COMBO) { +-- +2.34.1 + diff --git a/queue-5.10/mmc-meson-mx-sdhc-add-irq-check.patch b/queue-5.10/mmc-meson-mx-sdhc-add-irq-check.patch new file mode 100644 index 00000000000..ad0a2ea18c2 --- /dev/null +++ b/queue-5.10/mmc-meson-mx-sdhc-add-irq-check.patch @@ -0,0 +1,44 @@ +From c4e5c474a29ad59da88320cbdbdedbeac035e3c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Dec 2021 23:27:16 +0300 +Subject: mmc: meson-mx-sdhc: add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit 77bed755e0f06135faccdd3948863703f9a6e640 ] + +The driver neglects to check the result of platform_get_irq()'s call and +blithely passes the negative error codes to devm_request_threaded_irq() +(which takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding +an original error code. Stop calling devm_request_threaded_irq() with the +invalid IRQ #s. + +Fixes: e4bf1b0970ef ("mmc: host: meson-mx-sdhc: new driver for the Amlogic Meson SDHC host") +Signed-off-by: Sergey Shtylyov +Reviewed-by: Martin Blumenstingl +Link: https://lore.kernel.org/r/20211217202717.10041-2-s.shtylyov@omp.ru +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/meson-mx-sdhc-mmc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/mmc/host/meson-mx-sdhc-mmc.c b/drivers/mmc/host/meson-mx-sdhc-mmc.c +index 8fdd0bbbfa21f..28aa78aa08f3f 100644 +--- a/drivers/mmc/host/meson-mx-sdhc-mmc.c ++++ b/drivers/mmc/host/meson-mx-sdhc-mmc.c +@@ -854,6 +854,11 @@ static int meson_mx_sdhc_probe(struct platform_device *pdev) + goto err_disable_pclk; + + irq = platform_get_irq(pdev, 0); ++ if (irq < 0) { ++ ret = irq; ++ goto err_disable_pclk; ++ } ++ + ret = devm_request_threaded_irq(dev, irq, meson_mx_sdhc_irq, + meson_mx_sdhc_irq_thread, IRQF_ONESHOT, + NULL, host); +-- +2.34.1 + diff --git a/queue-5.10/mmc-meson-mx-sdio-add-irq-check.patch b/queue-5.10/mmc-meson-mx-sdio-add-irq-check.patch new file mode 100644 index 00000000000..6cc140d0aa4 --- /dev/null +++ b/queue-5.10/mmc-meson-mx-sdio-add-irq-check.patch @@ -0,0 +1,44 @@ +From 37683c6373cb55ac0ffa852df001b143053b743e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Dec 2021 23:27:17 +0300 +Subject: mmc: meson-mx-sdio: add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit 8fc9a77bc64e1f23d07953439817d8402ac9706f ] + +The driver neglects to check the result of platform_get_irq()'s call and +blithely passes the negative error codes to devm_request_threaded_irq() +(which takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding +an original error code. Stop calling devm_request_threaded_irq() with the +invalid IRQ #s. + +Fixes: ed80a13bb4c4 ("mmc: meson-mx-sdio: Add a driver for the Amlogic Meson8 and Meson8b SoC") +Signed-off-by: Sergey Shtylyov +Reviewed-by: Martin Blumenstingl +Link: https://lore.kernel.org/r/20211217202717.10041-3-s.shtylyov@omp.ru +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/meson-mx-sdio.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/mmc/host/meson-mx-sdio.c b/drivers/mmc/host/meson-mx-sdio.c +index 1c5299cd0cbe1..264aae2a2b0cf 100644 +--- a/drivers/mmc/host/meson-mx-sdio.c ++++ b/drivers/mmc/host/meson-mx-sdio.c +@@ -663,6 +663,11 @@ static int meson_mx_mmc_probe(struct platform_device *pdev) + } + + irq = platform_get_irq(pdev, 0); ++ if (irq < 0) { ++ ret = irq; ++ goto error_free_mmc; ++ } ++ + ret = devm_request_threaded_irq(host->controller_dev, irq, + meson_mx_mmc_irq, + meson_mx_mmc_irq_thread, IRQF_ONESHOT, +-- +2.34.1 + diff --git a/queue-5.10/mtd-hyperbus-rpc-if-check-return-value-of-rpcif_sw_i.patch b/queue-5.10/mtd-hyperbus-rpc-if-check-return-value-of-rpcif_sw_i.patch new file mode 100644 index 00000000000..a86c1f95741 --- /dev/null +++ b/queue-5.10/mtd-hyperbus-rpc-if-check-return-value-of-rpcif_sw_i.patch @@ -0,0 +1,42 @@ +From ef94ed4f23a6474ab93c36a406fb7f54dde2161b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 21:56:28 +0100 +Subject: mtd: hyperbus: rpc-if: Check return value of rpcif_sw_init() + +From: Lad Prabhakar + +[ Upstream commit 981387ed06b96908223a607f5fba6efa42728fc2 ] + +rpcif_sw_init() can fail so make sure we check the return value +of it and on error exit rpcif_hb_probe() callback with error code. + +Fixes: 5de15b610f78 ("mtd: hyperbus: add Renesas RPC-IF driver") +Signed-off-by: Lad Prabhakar +Signed-off-by: Vignesh Raghavendra +Reviewed-by: Biju Das +Reviewed-by: Wolfram Sang +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20211025205631.21151-5-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/hyperbus/rpc-if.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mtd/hyperbus/rpc-if.c b/drivers/mtd/hyperbus/rpc-if.c +index ecb050ba95cdf..367b0d72bf622 100644 +--- a/drivers/mtd/hyperbus/rpc-if.c ++++ b/drivers/mtd/hyperbus/rpc-if.c +@@ -124,7 +124,9 @@ static int rpcif_hb_probe(struct platform_device *pdev) + if (!hyperbus) + return -ENOMEM; + +- rpcif_sw_init(&hyperbus->rpc, pdev->dev.parent); ++ error = rpcif_sw_init(&hyperbus->rpc, pdev->dev.parent); ++ if (error) ++ return error; + + platform_set_drvdata(pdev, hyperbus); + +-- +2.34.1 + diff --git a/queue-5.10/mtd-hyperbus-rpc-if-fix-bug-in-rpcif_hb_remove.patch b/queue-5.10/mtd-hyperbus-rpc-if-fix-bug-in-rpcif_hb_remove.patch new file mode 100644 index 00000000000..2a263c36842 --- /dev/null +++ b/queue-5.10/mtd-hyperbus-rpc-if-fix-bug-in-rpcif_hb_remove.patch @@ -0,0 +1,97 @@ +From 733cdd2449c1fe73520df32aef2a67153112f8d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 16:49:35 -0400 +Subject: mtd: hyperbus: rpc-if: fix bug in rpcif_hb_remove + +From: George G. Davis + +[ Upstream commit baaf965f94308301d2dc554d72a87d7432cd5ce6 ] + +The following KASAN BUG is observed when testing the rpc-if driver on +rcar-gen3: + +root@rcar-gen3:~# modprobe -r rpc-if +[ 101.930146] ================================================================== +[ 101.937408] BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x518/0x25d0 +[ 101.944240] Read of size 8 at addr ffff0004c5be2750 by task modprobe/664 +[ 101.950959] +[ 101.952466] CPU: 2 PID: 664 Comm: modprobe Not tainted 5.14.0-rc1-00342-g1a1464d7aa31 #1 +[ 101.960578] Hardware name: Renesas H3ULCB board based on r8a77951 (DT) +[ 101.967120] Call trace: +[ 101.969580] dump_backtrace+0x0/0x2c0 +[ 101.973275] show_stack+0x1c/0x30 +[ 101.976616] dump_stack_lvl+0x9c/0xd8 +[ 101.980301] print_address_description.constprop.0+0x74/0x2b8 +[ 101.986071] kasan_report+0x1f4/0x26c +[ 101.989757] __asan_load8+0x98/0xd4 +[ 101.993266] __lock_acquire+0x518/0x25d0 +[ 101.997215] lock_acquire.part.0+0x18c/0x360 +[ 102.001506] lock_acquire+0x74/0x90 +[ 102.005013] _raw_spin_lock_irq+0x98/0x130 +[ 102.009131] __pm_runtime_disable+0x30/0x210 +[ 102.013427] rpcif_hb_remove+0x5c/0x70 [rpc_if] +[ 102.018001] platform_remove+0x40/0x80 +[ 102.021771] __device_release_driver+0x234/0x350 +[ 102.026412] driver_detach+0x158/0x20c +[ 102.030179] bus_remove_driver+0xa0/0x140 +[ 102.034212] driver_unregister+0x48/0x80 +[ 102.038153] platform_driver_unregister+0x18/0x24 +[ 102.042879] rpcif_platform_driver_exit+0x1c/0x34 [rpc_if] +[ 102.048400] __arm64_sys_delete_module+0x210/0x310 +[ 102.053212] invoke_syscall+0x60/0x190 +[ 102.056986] el0_svc_common+0x12c/0x144 +[ 102.060844] do_el0_svc+0x88/0xac +[ 102.064181] el0_svc+0x24/0x3c +[ 102.067257] el0t_64_sync_handler+0x1a8/0x1b0 +[ 102.071634] el0t_64_sync+0x198/0x19c +[ 102.075315] +[ 102.076815] Allocated by task 628: +[ 102.080781] +[ 102.082280] Last potentially related work creation: +[ 102.087524] +[ 102.089022] The buggy address belongs to the object at ffff0004c5be2000 +[ 102.089022] which belongs to the cache kmalloc-2k of size 2048 +[ 102.101555] The buggy address is located 1872 bytes inside of +[ 102.101555] 2048-byte region [ffff0004c5be2000, ffff0004c5be2800) +[ 102.113486] The buggy address belongs to the page: +[ 102.118409] +[ 102.119908] Memory state around the buggy address: +[ 102.124711] ffff0004c5be2600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 102.131947] ffff0004c5be2680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 102.139181] >ffff0004c5be2700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 102.146412] ^ +[ 102.152257] ffff0004c5be2780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 102.159491] ffff0004c5be2800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 102.166723] ================================================================== + +The above bug is caused by use of the wrong pointer in the +rpcif_disable_rpm() call. Fix the bug by using the correct pointer. + +Fixes: 5de15b610f78 ("mtd: hyperbus: add Renesas RPC-IF driver") +Signed-off-by: George G. Davis +Signed-off-by: Vignesh Raghavendra +Link: https://lore.kernel.org/r/20210716204935.25859-1-george_davis@mentor.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/hyperbus/rpc-if.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/hyperbus/rpc-if.c b/drivers/mtd/hyperbus/rpc-if.c +index 367b0d72bf622..dc164c18f8429 100644 +--- a/drivers/mtd/hyperbus/rpc-if.c ++++ b/drivers/mtd/hyperbus/rpc-if.c +@@ -152,9 +152,9 @@ static int rpcif_hb_remove(struct platform_device *pdev) + { + struct rpcif_hyperbus *hyperbus = platform_get_drvdata(pdev); + int error = hyperbus_unregister_device(&hyperbus->hbdev); +- struct rpcif *rpc = dev_get_drvdata(pdev->dev.parent); + +- rpcif_disable_rpm(rpc); ++ rpcif_disable_rpm(&hyperbus->rpc); ++ + return error; + } + +-- +2.34.1 + diff --git a/queue-5.10/mwifiex-fix-possible-abba-deadlock.patch b/queue-5.10/mwifiex-fix-possible-abba-deadlock.patch new file mode 100644 index 00000000000..4d32e7e596d --- /dev/null +++ b/queue-5.10/mwifiex-fix-possible-abba-deadlock.patch @@ -0,0 +1,82 @@ +From 05983bd4e10cd8028c1048cc003c40a9179e0e77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Nov 2021 16:47:34 -0800 +Subject: mwifiex: Fix possible ABBA deadlock + +From: Brian Norris + +[ Upstream commit 1b8bb8919ef81bfc8873d223b9361f1685f2106d ] + +Quoting Jia-Ju Bai : + + mwifiex_dequeue_tx_packet() + spin_lock_bh(&priv->wmm.ra_list_spinlock); --> Line 1432 (Lock A) + mwifiex_send_addba() + spin_lock_bh(&priv->sta_list_spinlock); --> Line 608 (Lock B) + + mwifiex_process_sta_tx_pause() + spin_lock_bh(&priv->sta_list_spinlock); --> Line 398 (Lock B) + mwifiex_update_ralist_tx_pause() + spin_lock_bh(&priv->wmm.ra_list_spinlock); --> Line 941 (Lock A) + +Similar report for mwifiex_process_uap_tx_pause(). + +While the locking expectations in this driver are a bit unclear, the +Fixed commit only intended to protect the sta_ptr, so we can drop the +lock as soon as we're done with it. + +IIUC, this deadlock cannot actually happen, because command event +processing (which calls mwifiex_process_sta_tx_pause()) is +sequentialized with TX packet processing (e.g., +mwifiex_dequeue_tx_packet()) via the main loop (mwifiex_main_process()). +But it's good not to leave this potential issue lurking. + +Fixes: f0f7c2275fb9 ("mwifiex: minor cleanups w/ sta_list_spinlock in cfg80211.c") +Cc: Douglas Anderson +Reported-by: TOTE Robot +Link: https://lore.kernel.org/linux-wireless/0e495b14-efbb-e0da-37bd-af6bd677ee2c@gmail.com/ +Signed-off-by: Brian Norris +Reviewed-by: Douglas Anderson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/YaV0pllJ5p/EuUat@google.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/sta_event.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_event.c b/drivers/net/wireless/marvell/mwifiex/sta_event.c +index bc79ca4cb803c..753458628f86a 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_event.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_event.c +@@ -364,10 +364,12 @@ static void mwifiex_process_uap_tx_pause(struct mwifiex_private *priv, + sta_ptr = mwifiex_get_sta_entry(priv, tp->peermac); + if (sta_ptr && sta_ptr->tx_pause != tp->tx_pause) { + sta_ptr->tx_pause = tp->tx_pause; ++ spin_unlock_bh(&priv->sta_list_spinlock); + mwifiex_update_ralist_tx_pause(priv, tp->peermac, + tp->tx_pause); ++ } else { ++ spin_unlock_bh(&priv->sta_list_spinlock); + } +- spin_unlock_bh(&priv->sta_list_spinlock); + } + } + +@@ -399,11 +401,13 @@ static void mwifiex_process_sta_tx_pause(struct mwifiex_private *priv, + sta_ptr = mwifiex_get_sta_entry(priv, tp->peermac); + if (sta_ptr && sta_ptr->tx_pause != tp->tx_pause) { + sta_ptr->tx_pause = tp->tx_pause; ++ spin_unlock_bh(&priv->sta_list_spinlock); + mwifiex_update_ralist_tx_pause(priv, + tp->peermac, + tp->tx_pause); ++ } else { ++ spin_unlock_bh(&priv->sta_list_spinlock); + } +- spin_unlock_bh(&priv->sta_list_spinlock); + } + } + } +-- +2.34.1 + diff --git a/queue-5.10/mwifiex-fix-skb_over_panic-in-mwifiex_usb_recv.patch b/queue-5.10/mwifiex-fix-skb_over_panic-in-mwifiex_usb_recv.patch new file mode 100644 index 00000000000..92abb2a74b0 --- /dev/null +++ b/queue-5.10/mwifiex-fix-skb_over_panic-in-mwifiex_usb_recv.patch @@ -0,0 +1,68 @@ +From a7b6d40dca8517942d0e6e5694fd8dcaaa498f2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Oct 2021 22:42:50 -0400 +Subject: mwifiex: Fix skb_over_panic in mwifiex_usb_recv() + +From: Zekun Shen + +[ Upstream commit 04d80663f67ccef893061b49ec8a42ff7045ae84 ] + +Currently, with an unknown recv_type, mwifiex_usb_recv +just return -1 without restoring the skb. Next time +mwifiex_usb_rx_complete is invoked with the same skb, +calling skb_put causes skb_over_panic. + +The bug is triggerable with a compromised/malfunctioning +usb device. After applying the patch, skb_over_panic +no longer shows up with the same input. + +Attached is the panic report from fuzzing. +skbuff: skb_over_panic: text:000000003bf1b5fa + len:2048 put:4 head:00000000dd6a115b data:000000000a9445d8 + tail:0x844 end:0x840 dev: +kernel BUG at net/core/skbuff.c:109! +invalid opcode: 0000 [#1] SMP KASAN NOPTI +CPU: 0 PID: 198 Comm: in:imklog Not tainted 5.6.0 #60 +RIP: 0010:skb_panic+0x15f/0x161 +Call Trace: + + ? mwifiex_usb_rx_complete+0x26b/0xfcd [mwifiex_usb] + skb_put.cold+0x24/0x24 + mwifiex_usb_rx_complete+0x26b/0xfcd [mwifiex_usb] + __usb_hcd_giveback_urb+0x1e4/0x380 + usb_giveback_urb_bh+0x241/0x4f0 + ? __hrtimer_run_queues+0x316/0x740 + ? __usb_hcd_giveback_urb+0x380/0x380 + tasklet_action_common.isra.0+0x135/0x330 + __do_softirq+0x18c/0x634 + irq_exit+0x114/0x140 + smp_apic_timer_interrupt+0xde/0x380 + apic_timer_interrupt+0xf/0x20 + + +Reported-by: Brendan Dolan-Gavitt +Signed-off-by: Zekun Shen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/YX4CqjfRcTa6bVL+@Zekuns-MBP-16.fios-router.home +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/usb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/usb.c b/drivers/net/wireless/marvell/mwifiex/usb.c +index 9736aa0ab7fd4..8f01fcbe93961 100644 +--- a/drivers/net/wireless/marvell/mwifiex/usb.c ++++ b/drivers/net/wireless/marvell/mwifiex/usb.c +@@ -130,7 +130,8 @@ static int mwifiex_usb_recv(struct mwifiex_adapter *adapter, + default: + mwifiex_dbg(adapter, ERROR, + "unknown recv_type %#x\n", recv_type); +- return -1; ++ ret = -1; ++ goto exit_restore_skb; + } + break; + case MWIFIEX_USB_EP_DATA: +-- +2.34.1 + diff --git a/queue-5.10/net-bonding-debug-avoid-printing-debug-logs-when-bon.patch b/queue-5.10/net-bonding-debug-avoid-printing-debug-logs-when-bon.patch new file mode 100644 index 00000000000..c8eada8014f --- /dev/null +++ b/queue-5.10/net-bonding-debug-avoid-printing-debug-logs-when-bon.patch @@ -0,0 +1,71 @@ +From 8aba859d18d8f3f3d24f67ee24360c166d5a4698 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Dec 2021 11:17:09 +0530 +Subject: net: bonding: debug: avoid printing debug logs when bond is not + notifying peers + +From: Suresh Kumar + +[ Upstream commit fee32de284ac277ba434a2d59f8ce46528ff3946 ] + +Currently "bond_should_notify_peers: slave ..." messages are printed whenever +"bond_should_notify_peers" function is called. + ++++ +Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +Dec 12 12:33:26 node1 kernel: bond0: (slave enp0s25): Received LACPDU on port 1 +Dec 12 12:33:26 node1 kernel: bond0: (slave enp0s25): Rx Machine: Port=1, Last State=6, Curr State=6 +Dec 12 12:33:26 node1 kernel: bond0: (slave enp0s25): partner sync=1 +Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +... +Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +Dec 12 12:33:30 node1 kernel: bond0: (slave enp4s3): Received LACPDU on port 2 +Dec 12 12:33:30 node1 kernel: bond0: (slave enp4s3): Rx Machine: Port=2, Last State=6, Curr State=6 +Dec 12 12:33:30 node1 kernel: bond0: (slave enp4s3): partner sync=1 +Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 ++++ + +This is confusing and can also clutter up debug logs. +Print logs only when the peer notification happens. + +Signed-off-by: Suresh Kumar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 645c7cabcbe4d..e2e6a69adab4b 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1061,9 +1061,6 @@ static bool bond_should_notify_peers(struct bonding *bond) + slave = rcu_dereference(bond->curr_active_slave); + rcu_read_unlock(); + +- netdev_dbg(bond->dev, "bond_should_notify_peers: slave %s\n", +- slave ? slave->dev->name : "NULL"); +- + if (!slave || !bond->send_peer_notif || + bond->send_peer_notif % + max(1, bond->params.peer_notif_delay) != 0 || +@@ -1071,6 +1068,9 @@ static bool bond_should_notify_peers(struct bonding *bond) + test_bit(__LINK_STATE_LINKWATCH_PENDING, &slave->dev->state)) + return false; + ++ netdev_dbg(bond->dev, "bond_should_notify_peers: slave %s\n", ++ slave ? slave->dev->name : "NULL"); ++ + return true; + } + +-- +2.34.1 + diff --git a/queue-5.10/net-gemini-allow-any-rgmii-interface-mode.patch b/queue-5.10/net-gemini-allow-any-rgmii-interface-mode.patch new file mode 100644 index 00000000000..a48fab54e0c --- /dev/null +++ b/queue-5.10/net-gemini-allow-any-rgmii-interface-mode.patch @@ -0,0 +1,71 @@ +From cad96ec2e3d4d0f6dd0fd9d927d03dc9bcc110ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jan 2022 16:38:31 +0000 +Subject: net: gemini: allow any RGMII interface mode + +From: Russell King (Oracle) + +[ Upstream commit 4e4f325a0a55907b14f579e6b1a38c53755e3de2 ] + +The four RGMII interface modes take care of the required RGMII delay +configuration at the PHY and should not be limited by the network MAC +driver. Sadly, gemini was only permitting RGMII mode with no delays, +which would require the required delay to be inserted via PCB tracking +or by the MAC. + +However, there are designs that require the PHY to add the delay, which +is impossible without Gemini permitting the other three PHY interface +modes. Fix the driver to allow these. + +Signed-off-by: Russell King (Oracle) +Reviewed-by: Linus Walleij +Tested-by: Corentin Labbe +Link: https://lore.kernel.org/r/E1n4mpT-002PLd-Ha@rmk-PC.armlinux.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cortina/gemini.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c +index 8df6f081f2447..d11fcfd927c0b 100644 +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -305,21 +305,21 @@ static void gmac_speed_set(struct net_device *netdev) + switch (phydev->speed) { + case 1000: + status.bits.speed = GMAC_SPEED_1000; +- if (phydev->interface == PHY_INTERFACE_MODE_RGMII) ++ if (phy_interface_mode_is_rgmii(phydev->interface)) + status.bits.mii_rmii = GMAC_PHY_RGMII_1000; + netdev_dbg(netdev, "connect %s to RGMII @ 1Gbit\n", + phydev_name(phydev)); + break; + case 100: + status.bits.speed = GMAC_SPEED_100; +- if (phydev->interface == PHY_INTERFACE_MODE_RGMII) ++ if (phy_interface_mode_is_rgmii(phydev->interface)) + status.bits.mii_rmii = GMAC_PHY_RGMII_100_10; + netdev_dbg(netdev, "connect %s to RGMII @ 100 Mbit\n", + phydev_name(phydev)); + break; + case 10: + status.bits.speed = GMAC_SPEED_10; +- if (phydev->interface == PHY_INTERFACE_MODE_RGMII) ++ if (phy_interface_mode_is_rgmii(phydev->interface)) + status.bits.mii_rmii = GMAC_PHY_RGMII_100_10; + netdev_dbg(netdev, "connect %s to RGMII @ 10 Mbit\n", + phydev_name(phydev)); +@@ -389,6 +389,9 @@ static int gmac_setup_phy(struct net_device *netdev) + status.bits.mii_rmii = GMAC_PHY_GMII; + break; + case PHY_INTERFACE_MODE_RGMII: ++ case PHY_INTERFACE_MODE_RGMII_ID: ++ case PHY_INTERFACE_MODE_RGMII_TXID: ++ case PHY_INTERFACE_MODE_RGMII_RXID: + netdev_dbg(netdev, + "RGMII: set GMAC0 and GMAC1 to MII/RGMII mode\n"); + status.bits.mii_rmii = GMAC_PHY_RGMII_100_10; +-- +2.34.1 + diff --git a/queue-5.10/net-mcs7830-handle-usb-read-errors-properly.patch b/queue-5.10/net-mcs7830-handle-usb-read-errors-properly.patch new file mode 100644 index 00000000000..d04f20833b7 --- /dev/null +++ b/queue-5.10/net-mcs7830-handle-usb-read-errors-properly.patch @@ -0,0 +1,56 @@ +From 7961b88ac7953074ae428c3e0326af72be46a6ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jan 2022 01:57:16 +0300 +Subject: net: mcs7830: handle usb read errors properly + +From: Pavel Skripkin + +[ Upstream commit d668769eb9c52b150753f1653f7f5a0aeb8239d2 ] + +Syzbot reported uninit value in mcs7830_bind(). The problem was in +missing validation check for bytes read via usbnet_read_cmd(). + +usbnet_read_cmd() internally calls usb_control_msg(), that returns +number of bytes read. Code should validate that requested number of bytes +was actually read. + +So, this patch adds missing size validation check inside +mcs7830_get_reg() to prevent uninit value bugs + +Reported-and-tested-by: syzbot+003c0a286b9af5412510@syzkaller.appspotmail.com +Fixes: 2a36d7083438 ("USB: driver for mcs7830 (aka DeLOCK) USB ethernet adapter") +Signed-off-by: Pavel Skripkin +Reviewed-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20220106225716.7425-1-paskripkin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/mcs7830.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/mcs7830.c b/drivers/net/usb/mcs7830.c +index 09bfa6a4dfbc1..7e40e2e2f3723 100644 +--- a/drivers/net/usb/mcs7830.c ++++ b/drivers/net/usb/mcs7830.c +@@ -108,8 +108,16 @@ static const char driver_name[] = "MOSCHIP usb-ethernet driver"; + + static int mcs7830_get_reg(struct usbnet *dev, u16 index, u16 size, void *data) + { +- return usbnet_read_cmd(dev, MCS7830_RD_BREQ, MCS7830_RD_BMREQ, +- 0x0000, index, data, size); ++ int ret; ++ ++ ret = usbnet_read_cmd(dev, MCS7830_RD_BREQ, MCS7830_RD_BMREQ, ++ 0x0000, index, data, size); ++ if (ret < 0) ++ return ret; ++ else if (ret < size) ++ return -ENODATA; ++ ++ return ret; + } + + static int mcs7830_set_reg(struct usbnet *dev, u16 index, u16 size, const void *data) +-- +2.34.1 + diff --git a/queue-5.10/net-mdio-demote-probed-message-to-debug-print.patch b/queue-5.10/net-mdio-demote-probed-message-to-debug-print.patch new file mode 100644 index 00000000000..70f261b588e --- /dev/null +++ b/queue-5.10/net-mdio-demote-probed-message-to-debug-print.patch @@ -0,0 +1,40 @@ +From 35913e1c48add5d90933cb0f024df8582b6b45b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jan 2022 11:40:24 -0800 +Subject: net: mdio: Demote probed message to debug print + +From: Florian Fainelli + +[ Upstream commit 7590fc6f80ac2cbf23e6b42b668bbeded070850b ] + +On systems with large numbers of MDIO bus/muxes the message indicating +that a given MDIO bus has been successfully probed is repeated for as +many buses we have, which can eat up substantial boot time for no +reason, demote to a debug print. + +Reported-by: Maxime Bizon +Signed-off-by: Florian Fainelli +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20220103194024.2620-1-f.fainelli@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mdio_bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c +index 2645ca35103c9..c416ab1d2b008 100644 +--- a/drivers/net/phy/mdio_bus.c ++++ b/drivers/net/phy/mdio_bus.c +@@ -588,7 +588,7 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner) + mdiobus_setup_mdiodev_from_board_info(bus, mdiobus_create_device); + + bus->state = MDIOBUS_REGISTERED; +- pr_info("%s: probed\n", bus->name); ++ dev_dbg(&bus->dev, "probed\n"); + return 0; + + error: +-- +2.34.1 + diff --git a/queue-5.10/net-mlx5-set-command-entry-semaphore-up-once-got-ind.patch b/queue-5.10/net-mlx5-set-command-entry-semaphore-up-once-got-ind.patch new file mode 100644 index 00000000000..38d6105d50c --- /dev/null +++ b/queue-5.10/net-mlx5-set-command-entry-semaphore-up-once-got-ind.patch @@ -0,0 +1,72 @@ +From 65e1119397a202a42d4448990ba3d20ea0d83d42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Dec 2021 12:07:49 +0200 +Subject: net/mlx5: Set command entry semaphore up once got index free + +From: Moshe Shemesh + +[ Upstream commit 8e715cd613a1e872b9d918e912d90b399785761a ] + +Avoid a race where command work handler may fail to allocate command +entry index, by holding the command semaphore down till command entry +index is being freed. + +Fixes: 410bd754cd73 ("net/mlx5: Add retry mechanism to the command entry index allocation") +Signed-off-by: Moshe Shemesh +Reviewed-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 2e55e00888715..20e3f8cd074a1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -147,8 +147,12 @@ static void cmd_ent_put(struct mlx5_cmd_work_ent *ent) + if (!refcount_dec_and_test(&ent->refcnt)) + return; + +- if (ent->idx >= 0) +- cmd_free_index(ent->cmd, ent->idx); ++ if (ent->idx >= 0) { ++ struct mlx5_cmd *cmd = ent->cmd; ++ ++ cmd_free_index(cmd, ent->idx); ++ up(ent->page_queue ? &cmd->pages_sem : &cmd->sem); ++ } + + cmd_free_ent(ent); + } +@@ -1582,8 +1586,6 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force + vector = vec & 0xffffffff; + for (i = 0; i < (1 << cmd->log_sz); i++) { + if (test_bit(i, &vector)) { +- struct semaphore *sem; +- + ent = cmd->ent_arr[i]; + + /* if we already completed the command, ignore it */ +@@ -1606,10 +1608,6 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force + dev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) + cmd_ent_put(ent); + +- if (ent->page_queue) +- sem = &cmd->pages_sem; +- else +- sem = &cmd->sem; + ent->ts2 = ktime_get_ns(); + memcpy(ent->out->first.data, ent->lay->out, sizeof(ent->lay->out)); + dump_command(dev, ent, 0); +@@ -1663,7 +1661,6 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force + */ + complete(&ent->done); + } +- up(sem); + } + } + } +-- +2.34.1 + diff --git a/queue-5.10/net-mlx5e-don-t-block-routes-with-nexthop-objects-in.patch b/queue-5.10/net-mlx5e-don-t-block-routes-with-nexthop-objects-in.patch new file mode 100644 index 00000000000..04dcf8e9451 --- /dev/null +++ b/queue-5.10/net-mlx5e-don-t-block-routes-with-nexthop-objects-in.patch @@ -0,0 +1,48 @@ +From bf7a1c23f6a5e0d08caddfdf828e0b4bf5235131 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Dec 2021 11:20:10 +0200 +Subject: net/mlx5e: Don't block routes with nexthop objects in SW + +From: Maor Dickman + +[ Upstream commit 9e72a55a3c9d54b38a704bb7292d984574a81d9d ] + +Routes with nexthop objects is currently not supported by multipath offload +and any attempts to use it is blocked, however this also block adding SW +routes with nexthop. + +Resolve this by returning NOTIFY_DONE instead of an error which will allow such +a route to be created in SW but not offloaded. + +This fix also solve an issue which block adding such routes on different devices +due to missing check if the route FIB device is one of multipath devices. + +Fixes: 6a87afc072c3 ("mlx5: Fail attempts to use routes with nexthop objects") +Signed-off-by: Maor Dickman +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/lag_mp.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag_mp.c b/drivers/net/ethernet/mellanox/mlx5/core/lag_mp.c +index 15c3a9058e728..0f0d250bbc150 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag_mp.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag_mp.c +@@ -265,10 +265,8 @@ static int mlx5_lag_fib_event(struct notifier_block *nb, + fen_info = container_of(info, struct fib_entry_notifier_info, + info); + fi = fen_info->fi; +- if (fi->nh) { +- NL_SET_ERR_MSG_MOD(info->extack, "IPv4 route with nexthop objects is not supported"); +- return notifier_from_errno(-EINVAL); +- } ++ if (fi->nh) ++ return NOTIFY_DONE; + fib_dev = fib_info_nh(fen_info->fi, 0)->fib_nh_dev; + if (fib_dev != ldev->pf[MLX5_LAG_P1].netdev && + fib_dev != ldev->pf[MLX5_LAG_P2].netdev) { +-- +2.34.1 + diff --git a/queue-5.10/net-mlx5e-fix-page-dma-map-unmap-attributes.patch b/queue-5.10/net-mlx5e-fix-page-dma-map-unmap-attributes.patch new file mode 100644 index 00000000000..0ae5ea3f34f --- /dev/null +++ b/queue-5.10/net-mlx5e-fix-page-dma-map-unmap-attributes.patch @@ -0,0 +1,76 @@ +From 48b78aea9fd9cd57a003f7f537b0c651eb4f04c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Dec 2021 14:38:28 +0200 +Subject: net/mlx5e: Fix page DMA map/unmap attributes + +From: Aya Levin + +[ Upstream commit 0b7cfa4082fbf550595bc0e40f05614bd83bf0cd ] + +Driver initiates DMA sync, hence it may skip CPU sync. Add +DMA_ATTR_SKIP_CPU_SYNC as input attribute both to dma_map_page and +dma_unmap_page to avoid redundant sync with the CPU. +When forcing the device to work with SWIOTLB, the extra sync might cause +data corruption. The driver unmaps the whole page while the hardware +used just a part of the bounce buffer. So syncing overrides the entire +page with bounce buffer that only partially contains real data. + +Fixes: bc77b240b3c5 ("net/mlx5e: Add fragmented memory support for RX multi packet WQE") +Fixes: db05815b36cb ("net/mlx5e: Add XSK zero-copy support") +Signed-off-by: Aya Levin +Reviewed-by: Gal Pressman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/xsk/pool.c | 4 ++-- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 7 ++++--- + 2 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/pool.c b/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/pool.c +index 71e8d66fa1509..6692bc8333f73 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/pool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/pool.c +@@ -11,13 +11,13 @@ static int mlx5e_xsk_map_pool(struct mlx5e_priv *priv, + { + struct device *dev = mlx5_core_dma_dev(priv->mdev); + +- return xsk_pool_dma_map(pool, dev, 0); ++ return xsk_pool_dma_map(pool, dev, DMA_ATTR_SKIP_CPU_SYNC); + } + + static void mlx5e_xsk_unmap_pool(struct mlx5e_priv *priv, + struct xsk_buff_pool *pool) + { +- return xsk_pool_dma_unmap(pool, 0); ++ return xsk_pool_dma_unmap(pool, DMA_ATTR_SKIP_CPU_SYNC); + } + + static int mlx5e_xsk_get_pools(struct mlx5e_xsk *xsk) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index 117a593414537..d384403d73f69 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -276,8 +276,8 @@ static inline int mlx5e_page_alloc_pool(struct mlx5e_rq *rq, + if (unlikely(!dma_info->page)) + return -ENOMEM; + +- dma_info->addr = dma_map_page(rq->pdev, dma_info->page, 0, +- PAGE_SIZE, rq->buff.map_dir); ++ dma_info->addr = dma_map_page_attrs(rq->pdev, dma_info->page, 0, PAGE_SIZE, ++ rq->buff.map_dir, DMA_ATTR_SKIP_CPU_SYNC); + if (unlikely(dma_mapping_error(rq->pdev, dma_info->addr))) { + page_pool_recycle_direct(rq->page_pool, dma_info->page); + dma_info->page = NULL; +@@ -298,7 +298,8 @@ static inline int mlx5e_page_alloc(struct mlx5e_rq *rq, + + void mlx5e_page_dma_unmap(struct mlx5e_rq *rq, struct mlx5e_dma_info *dma_info) + { +- dma_unmap_page(rq->pdev, dma_info->addr, PAGE_SIZE, rq->buff.map_dir); ++ dma_unmap_page_attrs(rq->pdev, dma_info->addr, PAGE_SIZE, rq->buff.map_dir, ++ DMA_ATTR_SKIP_CPU_SYNC); + } + + void mlx5e_page_release_dynamic(struct mlx5e_rq *rq, +-- +2.34.1 + diff --git a/queue-5.10/net-phy-marvell-configure-rgmii-delays-for-88e1118.patch b/queue-5.10/net-phy-marvell-configure-rgmii-delays-for-88e1118.patch new file mode 100644 index 00000000000..7c873d83b97 --- /dev/null +++ b/queue-5.10/net-phy-marvell-configure-rgmii-delays-for-88e1118.patch @@ -0,0 +1,55 @@ +From 988d63fcbbdd897f29985ccd56fb47b5d5c42591 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jan 2022 16:38:19 +0000 +Subject: net: phy: marvell: configure RGMII delays for 88E1118 + +From: Russell King (Oracle) + +[ Upstream commit f22725c95ececb703c3f741e8f946d23705630b7 ] + +Corentin Labbe reports that the SSI 1328 does not work when allowing +the PHY to operate at gigabit speeds, but does work with the generic +PHY driver. + +This appears to be because m88e1118_config_init() writes a fixed value +to the MSCR register, claiming that this is to enable 1G speeds. +However, this always sets bits 4 and 5, enabling RGMII transmit and +receive delays. The suspicion is that the original board this was +added for required the delays to make 1G speeds work. + +Add the necessary configuration for RGMII delays for the 88E1118 to +bring this into line with the requirements for RGMII support, and thus +make the SSI 1328 work. + +Corentin Labbe has tested this on gemini-ssi1328 and gemini-ns2502. + +Reported-by: Corentin Labbe +Tested-by: Corentin Labbe +Signed-off-by: Russell King (Oracle) +Reviewed-by: Andrew Lunn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/marvell.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/phy/marvell.c b/drivers/net/phy/marvell.c +index 91616182c311f..4dda2ab19c265 100644 +--- a/drivers/net/phy/marvell.c ++++ b/drivers/net/phy/marvell.c +@@ -1090,6 +1090,12 @@ static int m88e1118_config_init(struct phy_device *phydev) + if (err < 0) + return err; + ++ if (phy_interface_is_rgmii(phydev)) { ++ err = m88e1121_config_aneg_rgmii_delays(phydev); ++ if (err < 0) ++ return err; ++ } ++ + /* Adjust LED Control */ + if (phydev->dev_flags & MARVELL_PHY_M1118_DNS323_LEDS) + err = phy_write(phydev, 0x10, 0x1100); +-- +2.34.1 + diff --git a/queue-5.10/net-phy-prefer-1000baset-over-1000basekx.patch b/queue-5.10/net-phy-prefer-1000baset-over-1000basekx.patch new file mode 100644 index 00000000000..f7419ce415a --- /dev/null +++ b/queue-5.10/net-phy-prefer-1000baset-over-1000basekx.patch @@ -0,0 +1,58 @@ +From e1da338e282a817670c805bb9af1a55067d743b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Dec 2021 11:36:30 +0000 +Subject: net: phy: prefer 1000baseT over 1000baseKX + +From: Russell King (Oracle) + +[ Upstream commit f20f94f7f52c4685c81754f489ffcc72186e8bdb ] + +The PHY settings table is supposed to be sorted by descending match +priority - in other words, earlier entries are preferred over later +entries. + +The order of 1000baseKX/Full and 1000baseT/Full is such that we +prefer 1000baseKX/Full over 1000baseT/Full, but 1000baseKX/Full is +a lot rarer than 1000baseT/Full, and thus is much less likely to +be preferred. + +This causes phylink problems - it means a fixed link specifying a +speed of 1G and full duplex gets an ethtool linkmode of 1000baseKX/Full +rather than 1000baseT/Full as would be expected - and since we offer +userspace a software emulation of a conventional copper PHY, we want +to offer copper modes in preference to anything else. However, we do +still want to allow the rarer modes as well. + +Hence, let's reorder these two modes to prefer copper. + +Tested-by: Tom Lendacky +Signed-off-by: Russell King (Oracle) +Reviewed-by: Andrew Lunn +Reported-by: Florian Fainelli +Link: https://lore.kernel.org/r/E1muvFO-00F6jY-1K@rmk-PC.armlinux.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/phy/phy-core.c b/drivers/net/phy/phy-core.c +index 8d333d3084ed3..cccb83dae673b 100644 +--- a/drivers/net/phy/phy-core.c ++++ b/drivers/net/phy/phy-core.c +@@ -161,11 +161,11 @@ static const struct phy_setting settings[] = { + PHY_SETTING( 2500, FULL, 2500baseT_Full ), + PHY_SETTING( 2500, FULL, 2500baseX_Full ), + /* 1G */ +- PHY_SETTING( 1000, FULL, 1000baseKX_Full ), + PHY_SETTING( 1000, FULL, 1000baseT_Full ), + PHY_SETTING( 1000, HALF, 1000baseT_Half ), + PHY_SETTING( 1000, FULL, 1000baseT1_Full ), + PHY_SETTING( 1000, FULL, 1000baseX_Full ), ++ PHY_SETTING( 1000, FULL, 1000baseKX_Full ), + /* 100M */ + PHY_SETTING( 100, FULL, 100baseT_Full ), + PHY_SETTING( 100, FULL, 100baseT1_Full ), +-- +2.34.1 + diff --git a/queue-5.10/net-sysfs-update-the-queue-counts-in-the-unregistrat.patch b/queue-5.10/net-sysfs-update-the-queue-counts-in-the-unregistrat.patch new file mode 100644 index 00000000000..e8611a1dad6 --- /dev/null +++ b/queue-5.10/net-sysfs-update-the-queue-counts-in-the-unregistrat.patch @@ -0,0 +1,38 @@ +From 8b074a9b03605382f966ad41350d9933f433a40a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Dec 2021 15:57:24 +0100 +Subject: net-sysfs: update the queue counts in the unregistration path + +From: Antoine Tenart + +[ Upstream commit d7dac083414eb5bb99a6d2ed53dc2c1b405224e5 ] + +When updating Rx and Tx queue kobjects, the queue count should always be +updated to match the queue kobjects count. This was not done in the net +device unregistration path, fix it. Tracking all queue count updates +will allow in a following up patch to detect illegal updates. + +Signed-off-by: Antoine Tenart +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/net-sysfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c +index af59123601055..99303897b7bb7 100644 +--- a/net/core/net-sysfs.c ++++ b/net/core/net-sysfs.c +@@ -1804,6 +1804,9 @@ static void remove_queue_kobjects(struct net_device *dev) + + net_rx_queue_update_kobjects(dev, real_rx, 0); + netdev_queue_update_kobjects(dev, real_tx, 0); ++ ++ dev->real_num_rx_queues = 0; ++ dev->real_num_tx_queues = 0; + #ifdef CONFIG_SYSFS + kset_unregister(dev->queues_kset); + #endif +-- +2.34.1 + diff --git a/queue-5.10/netfilter-bridge-add-support-for-pppoe-filtering.patch b/queue-5.10/netfilter-bridge-add-support-for-pppoe-filtering.patch new file mode 100644 index 00000000000..a074ef2b229 --- /dev/null +++ b/queue-5.10/netfilter-bridge-add-support-for-pppoe-filtering.patch @@ -0,0 +1,77 @@ +From 3b14bf98d4a4a195a4668b41be01d369ba5f4fec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Nov 2021 12:50:31 +0100 +Subject: netfilter: bridge: add support for pppoe filtering + +From: Florian Westphal + +[ Upstream commit 28b78ecffea8078d81466b2e01bb5a154509f1ba ] + +This makes 'bridge-nf-filter-pppoe-tagged' sysctl work for +bridged traffic. + +Looking at the original commit it doesn't appear this ever worked: + + static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff **pskb, +[..] + if (skb->protocol == htons(ETH_P_8021Q)) { + skb_pull(skb, VLAN_HLEN); + skb->network_header += VLAN_HLEN; ++ } else if (skb->protocol == htons(ETH_P_PPP_SES)) { ++ skb_pull(skb, PPPOE_SES_HLEN); ++ skb->network_header += PPPOE_SES_HLEN; + } + [..] + NF_HOOK(... POST_ROUTING, ...) + +... but the adjusted offsets are never restored. + +The alternative would be to rip this code out for good, +but otoh we'd have to keep this anyway for the vlan handling +(which works because vlan tag info is in the skb, not the packet + payload). + +Reported-and-tested-by: Amish Chana +Fixes: 516299d2f5b6f97 ("[NETFILTER]: bridge-nf: filter bridged IPv4/IPv6 encapsulated in pppoe traffic") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/bridge/br_netfilter_hooks.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 8edfb98ae1d58..68c0d0f928908 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -743,6 +743,9 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff + if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu) + mtu = nf_bridge->frag_max_size; + ++ nf_bridge_update_protocol(skb); ++ nf_bridge_push_encap_header(skb); ++ + if (skb_is_gso(skb) || skb->len + mtu_reserved <= mtu) { + nf_bridge_info_free(skb); + return br_dev_queue_push_xmit(net, sk, skb); +@@ -760,8 +763,6 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff + + IPCB(skb)->frag_max_size = nf_bridge->frag_max_size; + +- nf_bridge_update_protocol(skb); +- + data = this_cpu_ptr(&brnf_frag_data_storage); + + if (skb_vlan_tag_present(skb)) { +@@ -789,8 +790,6 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff + + IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size; + +- nf_bridge_update_protocol(skb); +- + data = this_cpu_ptr(&brnf_frag_data_storage); + data->encap_size = nf_bridge_encap_header_len(skb); + data->size = ETH_HLEN + data->encap_size; +-- +2.34.1 + diff --git a/queue-5.10/netfilter-ipt_clusterip-fix-refcount-leak-in-cluster.patch b/queue-5.10/netfilter-ipt_clusterip-fix-refcount-leak-in-cluster.patch new file mode 100644 index 00000000000..aab651c9b73 --- /dev/null +++ b/queue-5.10/netfilter-ipt_clusterip-fix-refcount-leak-in-cluster.patch @@ -0,0 +1,48 @@ +From 1f3af1588ef2e3bebe4ac058e26dac29eb79efb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Dec 2021 10:48:12 +0800 +Subject: netfilter: ipt_CLUSTERIP: fix refcount leak in clusterip_tg_check() + +From: Xin Xiong + +[ Upstream commit d94a69cb2cfa77294921aae9afcfb866e723a2da ] + +The issue takes place in one error path of clusterip_tg_check(). When +memcmp() returns nonzero, the function simply returns the error code, +forgetting to decrease the reference count of a clusterip_config +object, which is bumped earlier by clusterip_config_find_get(). This +may incur reference count leak. + +Fix this issue by decrementing the refcount of the object in specific +error path. + +Fixes: 06aa151ad1fc74 ("netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set") +Signed-off-by: Xin Xiong +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/ipt_CLUSTERIP.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c +index a8b980ad11d4e..1088564d4dbcb 100644 +--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c ++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c +@@ -505,8 +505,11 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par) + if (IS_ERR(config)) + return PTR_ERR(config); + } +- } else if (memcmp(&config->clustermac, &cipinfo->clustermac, ETH_ALEN)) ++ } else if (memcmp(&config->clustermac, &cipinfo->clustermac, ETH_ALEN)) { ++ clusterip_config_entry_put(config); ++ clusterip_config_put(config); + return -EINVAL; ++ } + + ret = nf_ct_netns_get(par->net, par->family); + if (ret < 0) { +-- +2.34.1 + diff --git a/queue-5.10/netfilter-nft_set_pipapo-allocate-pcpu-scratch-maps-.patch b/queue-5.10/netfilter-nft_set_pipapo-allocate-pcpu-scratch-maps-.patch new file mode 100644 index 00000000000..cefceccbb0a --- /dev/null +++ b/queue-5.10/netfilter-nft_set_pipapo-allocate-pcpu-scratch-maps-.patch @@ -0,0 +1,58 @@ +From dfba040fe8d8be45ba8fd204e6629c40636cda71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jan 2022 14:19:54 +0100 +Subject: netfilter: nft_set_pipapo: allocate pcpu scratch maps on clone + +From: Florian Westphal + +[ Upstream commit 23c54263efd7cb605e2f7af72717a2a951999217 ] + +This is needed in case a new transaction is made that doesn't insert any +new elements into an already existing set. + +Else, after second 'nft -f ruleset.txt', lookups in such a set will fail +because ->lookup() encounters raw_cpu_ptr(m->scratch) == NULL. + +For the initial rule load, insertion of elements takes care of the +allocation, but for rule reloads this isn't guaranteed: we might not +have additions to the set. + +Fixes: 3c4287f62044a90e ("nf_tables: Add set type for arbitrary concatenation of ranges") +Reported-by: etkaar +Signed-off-by: Florian Westphal +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index 2d73f265b12c9..f67c4436c5d31 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1290,6 +1290,11 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old) + if (!new->scratch_aligned) + goto out_scratch; + #endif ++ for_each_possible_cpu(i) ++ *per_cpu_ptr(new->scratch, i) = NULL; ++ ++ if (pipapo_realloc_scratch(new, old->bsize_max)) ++ goto out_scratch_realloc; + + rcu_head_init(&new->rcu); + +@@ -1334,6 +1339,9 @@ out_lt: + kvfree(dst->lt); + dst--; + } ++out_scratch_realloc: ++ for_each_possible_cpu(i) ++ kfree(*per_cpu_ptr(new->scratch, i)); + #ifdef NFT_PIPAPO_ALIGN + free_percpu(new->scratch_aligned); + #endif +-- +2.34.1 + diff --git a/queue-5.10/netrom-fix-api-breakage-in-nr_setsockopt.patch b/queue-5.10/netrom-fix-api-breakage-in-nr_setsockopt.patch new file mode 100644 index 00000000000..e6d93a8e08b --- /dev/null +++ b/queue-5.10/netrom-fix-api-breakage-in-nr_setsockopt.patch @@ -0,0 +1,78 @@ +From cbeeab4e3904d8d10939d4a8e19cd831e93b9c5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jan 2022 10:12:10 +0300 +Subject: netrom: fix api breakage in nr_setsockopt() + +From: Dan Carpenter + +[ Upstream commit dc35616e6c2907b0c0c391a205802d8880f7fd85 ] + +This needs to copy an unsigned int from user space instead of a long to +avoid breaking user space with an API change. + +I have updated all the integer overflow checks from ULONG to UINT as +well. This is a slight API change but I do not expect it to affect +anything in real life. + +Fixes: 3087a6f36ee0 ("netrom: fix copying in user data in nr_setsockopt") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netrom/af_netrom.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c +index eef0e3f2f25b0..e5c8a295e6406 100644 +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -298,7 +298,7 @@ static int nr_setsockopt(struct socket *sock, int level, int optname, + { + struct sock *sk = sock->sk; + struct nr_sock *nr = nr_sk(sk); +- unsigned long opt; ++ unsigned int opt; + + if (level != SOL_NETROM) + return -ENOPROTOOPT; +@@ -306,18 +306,18 @@ static int nr_setsockopt(struct socket *sock, int level, int optname, + if (optlen < sizeof(unsigned int)) + return -EINVAL; + +- if (copy_from_sockptr(&opt, optval, sizeof(unsigned long))) ++ if (copy_from_sockptr(&opt, optval, sizeof(opt))) + return -EFAULT; + + switch (optname) { + case NETROM_T1: +- if (opt < 1 || opt > ULONG_MAX / HZ) ++ if (opt < 1 || opt > UINT_MAX / HZ) + return -EINVAL; + nr->t1 = opt * HZ; + return 0; + + case NETROM_T2: +- if (opt < 1 || opt > ULONG_MAX / HZ) ++ if (opt < 1 || opt > UINT_MAX / HZ) + return -EINVAL; + nr->t2 = opt * HZ; + return 0; +@@ -329,13 +329,13 @@ static int nr_setsockopt(struct socket *sock, int level, int optname, + return 0; + + case NETROM_T4: +- if (opt < 1 || opt > ULONG_MAX / HZ) ++ if (opt < 1 || opt > UINT_MAX / HZ) + return -EINVAL; + nr->t4 = opt * HZ; + return 0; + + case NETROM_IDLE: +- if (opt > ULONG_MAX / (60 * HZ)) ++ if (opt > UINT_MAX / (60 * HZ)) + return -EINVAL; + nr->idle = opt * 60 * HZ; + return 0; +-- +2.34.1 + diff --git a/queue-5.10/nvmem-core-set-size-for-sysfs-bin-file.patch b/queue-5.10/nvmem-core-set-size-for-sysfs-bin-file.patch new file mode 100644 index 00000000000..e780cfbc1a0 --- /dev/null +++ b/queue-5.10/nvmem-core-set-size-for-sysfs-bin-file.patch @@ -0,0 +1,37 @@ +From 1316527d1fe91dc1c9958e2e31b76485e813752b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 13:39:09 +0000 +Subject: nvmem: core: set size for sysfs bin file + +From: Srinivas Kandagatla + +[ Upstream commit 86192251033308bb42f1e9813c962989d8ed07ec ] + +For some reason we never set the size for nvmem sysfs binary file. +Set this. + +Reported-by: Gilles BULOZ +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20211130133909.6154-1-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/nvmem/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c +index 6b170083cd248..21d89d80d0838 100644 +--- a/drivers/nvmem/core.c ++++ b/drivers/nvmem/core.c +@@ -222,6 +222,8 @@ static umode_t nvmem_bin_attr_is_visible(struct kobject *kobj, + struct device *dev = kobj_to_dev(kobj); + struct nvmem_device *nvmem = to_nvmem_device(dev); + ++ attr->size = nvmem->size; ++ + return nvmem_bin_attr_get_umode(nvmem); + } + +-- +2.34.1 + diff --git a/queue-5.10/of-base-fix-phandle-argument-length-mismatch-error-m.patch b/queue-5.10/of-base-fix-phandle-argument-length-mismatch-error-m.patch new file mode 100644 index 00000000000..05123a79232 --- /dev/null +++ b/queue-5.10/of-base-fix-phandle-argument-length-mismatch-error-m.patch @@ -0,0 +1,42 @@ +From e7adf20a96877a5ccebc2d6ac0a653798f263e69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Dec 2021 18:31:52 +0200 +Subject: of: base: Fix phandle argument length mismatch error message + +From: Baruch Siach + +[ Upstream commit 94a4950a4acff39b5847cc1fee4f65e160813493 ] + +The cell_count field of of_phandle_iterator is the number of cells we +expect in the phandle arguments list when cells_name is missing. The +error message should show the number of cells we actually see. + +Fixes: af3be70a3211 ("of: Improve of_phandle_iterator_next() error message") +Cc: Florian Fainelli +Signed-off-by: Baruch Siach +Signed-off-by: Rob Herring +Link: https://lore.kernel.org/r/96519ac55be90a63fa44afe01480c30d08535465.1640881913.git.baruch@tkos.co.il +Signed-off-by: Sasha Levin +--- + drivers/of/base.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/of/base.c b/drivers/of/base.c +index 161a23631472d..60cb9b44d4ecc 100644 +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -1328,9 +1328,9 @@ int of_phandle_iterator_next(struct of_phandle_iterator *it) + * property data length + */ + if (it->cur + count > it->list_end) { +- pr_err("%pOF: %s = %d found %d\n", ++ pr_err("%pOF: %s = %d found %td\n", + it->parent, it->cells_name, +- count, it->cell_count); ++ count, it->list_end - it->cur); + goto err; + } + } +-- +2.34.1 + diff --git a/queue-5.10/of-unittest-64-bit-dma-address-test-requires-arch-su.patch b/queue-5.10/of-unittest-64-bit-dma-address-test-requires-arch-su.patch new file mode 100644 index 00000000000..0147975c6dd --- /dev/null +++ b/queue-5.10/of-unittest-64-bit-dma-address-test-requires-arch-su.patch @@ -0,0 +1,40 @@ +From 1884a36ae8a4b06323ca7f21e33f31ca7ed5b56a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Dec 2021 16:18:52 -0600 +Subject: of: unittest: 64 bit dma address test requires arch support + +From: Frank Rowand + +[ Upstream commit 9fd4cf5d3571b27d746b8ead494a3f051485b679 ] + +If an architecture does not support 64 bit dma addresses then testing +for an expected dma address >= 0x100000000 will fail. + +Fixes: e0d072782c73 ("dma-mapping: introduce DMA range map, supplanting dma_pfn_offset") +Signed-off-by: Frank Rowand +Signed-off-by: Rob Herring +Link: https://lore.kernel.org/r/20211212221852.233295-1-frowand.list@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/of/unittest.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index a5c4c77b6f3e2..5407bbdb64395 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -941,8 +941,9 @@ static void __init of_unittest_parse_dma_ranges(void) + { + of_unittest_dma_ranges_one("/testcase-data/address-tests/device@70000000", + 0x0, 0x20000000); +- of_unittest_dma_ranges_one("/testcase-data/address-tests/bus@80000000/device@1000", +- 0x100000000, 0x20000000); ++ if (IS_ENABLED(CONFIG_ARCH_DMA_ADDR_T_64BIT)) ++ of_unittest_dma_ranges_one("/testcase-data/address-tests/bus@80000000/device@1000", ++ 0x100000000, 0x20000000); + of_unittest_dma_ranges_one("/testcase-data/address-tests/pci@90000000", + 0x80000000, 0x20000000); + } +-- +2.34.1 + diff --git a/queue-5.10/of-unittest-fix-warning-on-powerpc-frame-size-warnin.patch b/queue-5.10/of-unittest-fix-warning-on-powerpc-frame-size-warnin.patch new file mode 100644 index 00000000000..18bcb0e5cea --- /dev/null +++ b/queue-5.10/of-unittest-fix-warning-on-powerpc-frame-size-warnin.patch @@ -0,0 +1,69 @@ +From c5f032d24ec3430d7f355d9bb695ac6a9e7572a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 13:46:35 -0500 +Subject: of: unittest: fix warning on PowerPC frame size warning + +From: Jim Quinlan + +[ Upstream commit a8d61a9112ad0c9216ab45d050991e07bc4f3408 ] + +The struct device variable "dev_bogus" was triggering this warning +on a PowerPC build: + + drivers/of/unittest.c: In function 'of_unittest_dma_ranges_one.constprop': + [...] >> The frame size of 1424 bytes is larger than 1024 bytes + [-Wframe-larger-than=] + +This variable is now dynamically allocated. + +Fixes: e0d072782c734 ("dma-mapping: introduce DMA range map, supplanting dma_pfn_offset") +Reported-by: kernel test robot +Signed-off-by: Jim Quinlan +Reviewed-by: Christoph Hellwig +Reviewed-by: Frank Rowand +Reviewed-by: Florian Fainelli +Signed-off-by: Rob Herring +Link: https://lore.kernel.org/r/20211210184636.7273-2-jim2101024@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/of/unittest.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index 1d4b0b7d0cc10..a5c4c77b6f3e2 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -910,11 +910,18 @@ static void __init of_unittest_dma_ranges_one(const char *path, + if (!rc) { + phys_addr_t paddr; + dma_addr_t dma_addr; +- struct device dev_bogus; ++ struct device *dev_bogus; + +- dev_bogus.dma_range_map = map; +- paddr = dma_to_phys(&dev_bogus, expect_dma_addr); +- dma_addr = phys_to_dma(&dev_bogus, expect_paddr); ++ dev_bogus = kzalloc(sizeof(struct device), GFP_KERNEL); ++ if (!dev_bogus) { ++ unittest(0, "kzalloc() failed\n"); ++ kfree(map); ++ return; ++ } ++ ++ dev_bogus->dma_range_map = map; ++ paddr = dma_to_phys(dev_bogus, expect_dma_addr); ++ dma_addr = phys_to_dma(dev_bogus, expect_paddr); + + unittest(paddr == expect_paddr, + "of_dma_get_range: wrong phys addr %pap (expecting %llx) on node %pOF\n", +@@ -924,6 +931,7 @@ static void __init of_unittest_dma_ranges_one(const char *path, + &dma_addr, expect_dma_addr, np); + + kfree(map); ++ kfree(dev_bogus); + } + of_node_put(np); + #endif +-- +2.34.1 + diff --git a/queue-5.10/openrisc-add-clone3-abi-wrapper.patch b/queue-5.10/openrisc-add-clone3-abi-wrapper.patch new file mode 100644 index 00000000000..99b094f7a1a --- /dev/null +++ b/queue-5.10/openrisc-add-clone3-abi-wrapper.patch @@ -0,0 +1,63 @@ +From ba910ba929404ccaeaecc9a4ba36c2af127e1dec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Dec 2021 07:10:18 +0900 +Subject: openrisc: Add clone3 ABI wrapper + +From: Stafford Horne + +[ Upstream commit 433fe39f674d58bc7a3e8254a5d2ffc290b7e04e ] + +Like fork and clone the clone3 syscall needs a wrapper to save callee +saved registers, which is required by the OpenRISC ABI. This came up +after auditing code following a discussion with Rob Landley and Arnd +Bergmann [0]. + +Tested with the clone3 kselftests and there were no issues. + +[0] https://lore.kernel.org/all/41206fc7-f8ce-98aa-3718-ba3e1431e320@landley.net/T/#m9c0cdb2703813b9df4da04cf6b30de1f1aa89944 + +Fixes: 07e83dfbe16c ("openrisc: Enable the clone3 syscall") +Cc: Rob Landley +Cc: Arnd Bergmann +Signed-off-by: Stafford Horne +Signed-off-by: Sasha Levin +--- + arch/openrisc/include/asm/syscalls.h | 2 ++ + arch/openrisc/kernel/entry.S | 5 +++++ + 2 files changed, 7 insertions(+) + +diff --git a/arch/openrisc/include/asm/syscalls.h b/arch/openrisc/include/asm/syscalls.h +index 3a7eeae6f56a8..aa1c7e98722e3 100644 +--- a/arch/openrisc/include/asm/syscalls.h ++++ b/arch/openrisc/include/asm/syscalls.h +@@ -22,9 +22,11 @@ asmlinkage long sys_or1k_atomic(unsigned long type, unsigned long *v1, + + asmlinkage long __sys_clone(unsigned long clone_flags, unsigned long newsp, + void __user *parent_tid, void __user *child_tid, int tls); ++asmlinkage long __sys_clone3(struct clone_args __user *uargs, size_t size); + asmlinkage long __sys_fork(void); + + #define sys_clone __sys_clone ++#define sys_clone3 __sys_clone3 + #define sys_fork __sys_fork + + #endif /* __ASM_OPENRISC_SYSCALLS_H */ +diff --git a/arch/openrisc/kernel/entry.S b/arch/openrisc/kernel/entry.S +index 98e4f97db5159..b42d32d79b2e6 100644 +--- a/arch/openrisc/kernel/entry.S ++++ b/arch/openrisc/kernel/entry.S +@@ -1170,6 +1170,11 @@ ENTRY(__sys_clone) + l.j _fork_save_extra_regs_and_call + l.nop + ++ENTRY(__sys_clone3) ++ l.movhi r29,hi(sys_clone3) ++ l.j _fork_save_extra_regs_and_call ++ l.ori r29,r29,lo(sys_clone3) ++ + ENTRY(__sys_fork) + l.movhi r29,hi(sys_fork) + l.ori r29,r29,lo(sys_fork) +-- +2.34.1 + diff --git a/queue-5.10/parisc-avoid-calling-faulthandler_disabled-twice.patch b/queue-5.10/parisc-avoid-calling-faulthandler_disabled-twice.patch new file mode 100644 index 00000000000..390456e6553 --- /dev/null +++ b/queue-5.10/parisc-avoid-calling-faulthandler_disabled-twice.patch @@ -0,0 +1,53 @@ +From 81efcc4f0980c3405119c46f7dd0c2f6586ee820 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 16:52:26 +0000 +Subject: parisc: Avoid calling faulthandler_disabled() twice + +From: John David Anglin + +[ Upstream commit 9e9d4b460f23bab61672eae397417d03917d116c ] + +In handle_interruption(), we call faulthandler_disabled() to check whether the +fault handler is not disabled. If the fault handler is disabled, we immediately +call do_page_fault(). It then calls faulthandler_disabled(). If disabled, +do_page_fault() attempts to fixup the exception by jumping to no_context: + +no_context: + + if (!user_mode(regs) && fixup_exception(regs)) { + return; + } + + parisc_terminate("Bad Address (null pointer deref?)", regs, code, address); + +Apart from the error messages, the two blocks of code perform the same +function. + +We can avoid two calls to faulthandler_disabled() by a simple revision +to the code in handle_interruption(). + +Note: I didn't try to fix the formatting of this code block. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/traps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c +index 43f56335759a4..269b737d26299 100644 +--- a/arch/parisc/kernel/traps.c ++++ b/arch/parisc/kernel/traps.c +@@ -784,7 +784,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs) + * unless pagefault_disable() was called before. + */ + +- if (fault_space == 0 && !faulthandler_disabled()) ++ if (faulthandler_disabled() || fault_space == 0) + { + /* Clean up and return if in exception table. */ + if (fixup_exception(regs)) +-- +2.34.1 + diff --git a/queue-5.10/pci-msi-fix-pci_irq_vector-pci_irq_get_affinity.patch b/queue-5.10/pci-msi-fix-pci_irq_vector-pci_irq_get_affinity.patch new file mode 100644 index 00000000000..0cfbf8d79cf --- /dev/null +++ b/queue-5.10/pci-msi-fix-pci_irq_vector-pci_irq_get_affinity.patch @@ -0,0 +1,97 @@ +From c0842c415bdfac0c4b18e5ca8b75939338a1815e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Dec 2021 23:27:26 +0100 +Subject: PCI/MSI: Fix pci_irq_vector()/pci_irq_get_affinity() + +From: Thomas Gleixner + +[ Upstream commit 29bbc35e29d9b6347780dcacde2deb4b39344167 ] + +pci_irq_vector() and pci_irq_get_affinity() use the list position to find the +MSI-X descriptor at a given index. That's correct for the normal case where +the entry number is the same as the list position. + +But it's wrong for cases where MSI-X was allocated with an entries array +describing sparse entry numbers into the hardware message descriptor +table. That's inconsistent at best. + +Make it always check the entry number because that's what the zero base +index really means. This change won't break existing users which use a +sparse entries array for allocation because these users retrieve the Linux +interrupt number from the entries array after allocation and none of them +uses pci_irq_vector() or pci_irq_get_affinity(). + +Fixes: aff171641d18 ("PCI: Provide sensible IRQ vector alloc/free routines") +Signed-off-by: Thomas Gleixner +Tested-by: Juergen Gross +Reviewed-by: Jason Gunthorpe +Acked-by: Bjorn Helgaas +Link: https://lore.kernel.org/r/20211206210223.929792157@linutronix.de +Signed-off-by: Sasha Levin +--- + drivers/pci/msi.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/drivers/pci/msi.c b/drivers/pci/msi.c +index 57314fec2261b..3da69b26e6743 100644 +--- a/drivers/pci/msi.c ++++ b/drivers/pci/msi.c +@@ -1291,19 +1291,24 @@ EXPORT_SYMBOL(pci_free_irq_vectors); + + /** + * pci_irq_vector - return Linux IRQ number of a device vector +- * @dev: PCI device to operate on +- * @nr: device-relative interrupt vector index (0-based). ++ * @dev: PCI device to operate on ++ * @nr: Interrupt vector index (0-based) ++ * ++ * @nr has the following meanings depending on the interrupt mode: ++ * MSI-X: The index in the MSI-X vector table ++ * MSI: The index of the enabled MSI vectors ++ * INTx: Must be 0 ++ * ++ * Return: The Linux interrupt number or -EINVAl if @nr is out of range. + */ + int pci_irq_vector(struct pci_dev *dev, unsigned int nr) + { + if (dev->msix_enabled) { + struct msi_desc *entry; +- int i = 0; + + for_each_pci_msi_entry(entry, dev) { +- if (i == nr) ++ if (entry->msi_attrib.entry_nr == nr) + return entry->irq; +- i++; + } + WARN_ON_ONCE(1); + return -EINVAL; +@@ -1327,17 +1332,22 @@ EXPORT_SYMBOL(pci_irq_vector); + * pci_irq_get_affinity - return the affinity of a particular MSI vector + * @dev: PCI device to operate on + * @nr: device-relative interrupt vector index (0-based). ++ * ++ * @nr has the following meanings depending on the interrupt mode: ++ * MSI-X: The index in the MSI-X vector table ++ * MSI: The index of the enabled MSI vectors ++ * INTx: Must be 0 ++ * ++ * Return: A cpumask pointer or NULL if @nr is out of range + */ + const struct cpumask *pci_irq_get_affinity(struct pci_dev *dev, int nr) + { + if (dev->msix_enabled) { + struct msi_desc *entry; +- int i = 0; + + for_each_pci_msi_entry(entry, dev) { +- if (i == nr) ++ if (entry->msi_attrib.entry_nr == nr) + return &entry->affinity->mask; +- i++; + } + WARN_ON_ONCE(1); + return NULL; +-- +2.34.1 + diff --git a/queue-5.10/pcmcia-fix-setting-of-kthread-task-states.patch b/queue-5.10/pcmcia-fix-setting-of-kthread-task-states.patch new file mode 100644 index 00000000000..fdbf59444e5 --- /dev/null +++ b/queue-5.10/pcmcia-fix-setting-of-kthread-task-states.patch @@ -0,0 +1,55 @@ +From f3831a4727ae0c3903f52537acf26f7763459597 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Jan 2022 10:02:51 +0100 +Subject: pcmcia: fix setting of kthread task states + +From: Dominik Brodowski + +[ Upstream commit fbb3485f1f931102d8ba606f1c28123f5b48afa3 ] + +We need to set TASK_INTERRUPTIBLE before calling kthread_should_stop(). +Otherwise, kthread_stop() might see that the pccardd thread is still +in TASK_RUNNING state and fail to wake it up. + +Additionally, we only need to set the state back to TASK_RUNNING if +kthread_should_stop() breaks the loop. + +Cc: Greg Kroah-Hartman +Reported-by: Al Viro +Reviewed-by: Matthew Wilcox (Oracle) +Fixes: d3046ba809ce ("pcmcia: fix a boot time warning in pcmcia cs code") +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/cs.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/pcmcia/cs.c b/drivers/pcmcia/cs.c +index e211e2619680c..f70197154a362 100644 +--- a/drivers/pcmcia/cs.c ++++ b/drivers/pcmcia/cs.c +@@ -666,18 +666,16 @@ static int pccardd(void *__skt) + if (events || sysfs_events) + continue; + ++ set_current_state(TASK_INTERRUPTIBLE); + if (kthread_should_stop()) + break; + +- set_current_state(TASK_INTERRUPTIBLE); +- + schedule(); + +- /* make sure we are running */ +- __set_current_state(TASK_RUNNING); +- + try_to_freeze(); + } ++ /* make sure we are running before we exit */ ++ __set_current_state(TASK_RUNNING); + + /* shut down socket, if a device is still present */ + if (skt->state & SOCKET_PRESENT) { +-- +2.34.1 + diff --git a/queue-5.10/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch b/queue-5.10/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch new file mode 100644 index 00000000000..a29201a5893 --- /dev/null +++ b/queue-5.10/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch @@ -0,0 +1,56 @@ +From 74f1d5dbb2e675d1ec03b565c5f8fb492b92b746 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 00:59:23 +0800 +Subject: pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in + __nonstatic_find_io_region() + +From: Zhou Qingyang + +[ Upstream commit ca0fe0d7c35c97528bdf621fdca75f13157c27af ] + +In __nonstatic_find_io_region(), pcmcia_make_resource() is assigned to +res and used in pci_bus_alloc_resource(). There is a dereference of res +in pci_bus_alloc_resource(), which could lead to a NULL pointer +dereference on failure of pcmcia_make_resource(). + +Fix this bug by adding a check of res. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_PCCARD_NONSTATIC=y show no new warnings, +and our static analyzer no longer warns about this code. + +Fixes: 49b1153adfe1 ("pcmcia: move all pcmcia_resource_ops providers into one module") +Signed-off-by: Zhou Qingyang +[linux@dominikbrodowski.net: Fix typo in commit message] +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/rsrc_nonstatic.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/pcmcia/rsrc_nonstatic.c b/drivers/pcmcia/rsrc_nonstatic.c +index 3b05760e69d62..4c70e8ffe04ea 100644 +--- a/drivers/pcmcia/rsrc_nonstatic.c ++++ b/drivers/pcmcia/rsrc_nonstatic.c +@@ -690,6 +690,9 @@ static struct resource *__nonstatic_find_io_region(struct pcmcia_socket *s, + unsigned long min = base; + int ret; + ++ if (!res) ++ return NULL; ++ + data.mask = align - 1; + data.offset = base & data.mask; + data.map = &s_data->io_db; +-- +2.34.1 + diff --git a/queue-5.10/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch-3767 b/queue-5.10/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch-3767 new file mode 100644 index 00000000000..fe50d0876c3 --- /dev/null +++ b/queue-5.10/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch-3767 @@ -0,0 +1,55 @@ +From 49c385396b97a54f187b7493485c6ac6c54ba456 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 02:11:40 +0800 +Subject: pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in + nonstatic_find_mem_region() + +From: Zhou Qingyang + +[ Upstream commit 977d2e7c63c3d04d07ba340b39987742e3241554 ] + +In nonstatic_find_mem_region(), pcmcia_make_resource() is assigned to +res and used in pci_bus_alloc_resource(). There a dereference of res +in pci_bus_alloc_resource(), which could lead to a NULL pointer +dereference on failure of pcmcia_make_resource(). + +Fix this bug by adding a check of res. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_PCCARD_NONSTATIC=y show no new warnings, +and our static analyzer no longer warns about this code. + +Fixes: 49b1153adfe1 ("pcmcia: move all pcmcia_resource_ops providers into one module") +Signed-off-by: Zhou Qingyang +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/rsrc_nonstatic.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/pcmcia/rsrc_nonstatic.c b/drivers/pcmcia/rsrc_nonstatic.c +index 4c70e8ffe04ea..69a6e9a5d6d26 100644 +--- a/drivers/pcmcia/rsrc_nonstatic.c ++++ b/drivers/pcmcia/rsrc_nonstatic.c +@@ -812,6 +812,9 @@ static struct resource *nonstatic_find_mem_region(u_long base, u_long num, + unsigned long min, max; + int ret, i, j; + ++ if (!res) ++ return NULL; ++ + low = low || !(s->features & SS_CAP_PAGE_REGS); + + data.mask = align - 1; +-- +2.34.1 + diff --git a/queue-5.10/phy-mediatek-fix-missing-check-in-mtk_mipi_tx_probe.patch b/queue-5.10/phy-mediatek-fix-missing-check-in-mtk_mipi_tx_probe.patch new file mode 100644 index 00000000000..0c60d402a17 --- /dev/null +++ b/queue-5.10/phy-mediatek-fix-missing-check-in-mtk_mipi_tx_probe.patch @@ -0,0 +1,37 @@ +From f2e48127820dd45e20d31d305ee2d93ef7a8d199 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Dec 2021 08:21:03 +0000 +Subject: phy: mediatek: Fix missing check in mtk_mipi_tx_probe + +From: Miaoqian Lin + +[ Upstream commit 399c91c3f30531593e5ff6ca7b53f47092128669 ] + +The of_device_get_match_data() function may return NULL. +Add check to prevent potential null dereference. + +Signed-off-by: Miaoqian Lin +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20211224082103.7658-1-linmq006@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_mipi_tx.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/mediatek/mtk_mipi_tx.c b/drivers/gpu/drm/mediatek/mtk_mipi_tx.c +index 8cee2591e7284..ccc742dc78bd9 100644 +--- a/drivers/gpu/drm/mediatek/mtk_mipi_tx.c ++++ b/drivers/gpu/drm/mediatek/mtk_mipi_tx.c +@@ -147,6 +147,8 @@ static int mtk_mipi_tx_probe(struct platform_device *pdev) + return -ENOMEM; + + mipi_tx->driver_data = of_device_get_match_data(dev); ++ if (!mipi_tx->driver_data) ++ return -ENODEV; + + mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); + mipi_tx->regs = devm_ioremap_resource(dev, mem); +-- +2.34.1 + diff --git a/queue-5.10/phy-uniphier-usb3ss-fix-unintended-writing-zeros-to-.patch b/queue-5.10/phy-uniphier-usb3ss-fix-unintended-writing-zeros-to-.patch new file mode 100644 index 00000000000..ac1fb1c83ed --- /dev/null +++ b/queue-5.10/phy-uniphier-usb3ss-fix-unintended-writing-zeros-to-.patch @@ -0,0 +1,61 @@ +From 8ba936e8ea31d9cdb232e1d6053a4ed57cddb91c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 14:19:29 +0900 +Subject: phy: uniphier-usb3ss: fix unintended writing zeros to PHY register + +From: Ryuta NAKANISHI + +[ Upstream commit 898c7a9ec81620125f2463714a0f4dea18ad6e54 ] + +Similar to commit 4a90bbb478db ("phy: uniphier-pcie: Fix updating phy +parameters"), in function uniphier_u3ssphy_set_param(), unintentionally +write zeros to other fields when writing PHY registers. + +Fixes: 5ab43d0f8697 ("phy: socionext: add USB3 PHY driver for UniPhier SoC") +Signed-off-by: Ryuta NAKANISHI +Signed-off-by: Kunihiko Hayashi +Link: https://lore.kernel.org/r/1640150369-4134-1-git-send-email-hayashi.kunihiko@socionext.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/socionext/phy-uniphier-usb3ss.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/phy/socionext/phy-uniphier-usb3ss.c b/drivers/phy/socionext/phy-uniphier-usb3ss.c +index 6700645bcbe6b..3b5ffc16a6947 100644 +--- a/drivers/phy/socionext/phy-uniphier-usb3ss.c ++++ b/drivers/phy/socionext/phy-uniphier-usb3ss.c +@@ -22,11 +22,13 @@ + #include + + #define SSPHY_TESTI 0x0 +-#define SSPHY_TESTO 0x4 + #define TESTI_DAT_MASK GENMASK(13, 6) + #define TESTI_ADR_MASK GENMASK(5, 1) + #define TESTI_WR_EN BIT(0) + ++#define SSPHY_TESTO 0x4 ++#define TESTO_DAT_MASK GENMASK(7, 0) ++ + #define PHY_F(regno, msb, lsb) { (regno), (msb), (lsb) } + + #define CDR_CPD_TRIM PHY_F(7, 3, 0) /* RxPLL charge pump current */ +@@ -84,12 +86,12 @@ static void uniphier_u3ssphy_set_param(struct uniphier_u3ssphy_priv *priv, + val = FIELD_PREP(TESTI_DAT_MASK, 1); + val |= FIELD_PREP(TESTI_ADR_MASK, p->field.reg_no); + uniphier_u3ssphy_testio_write(priv, val); +- val = readl(priv->base + SSPHY_TESTO); ++ val = readl(priv->base + SSPHY_TESTO) & TESTO_DAT_MASK; + + /* update value */ +- val &= ~FIELD_PREP(TESTI_DAT_MASK, field_mask); ++ val &= ~field_mask; + data = field_mask & (p->value << p->field.lsb); +- val = FIELD_PREP(TESTI_DAT_MASK, data); ++ val = FIELD_PREP(TESTI_DAT_MASK, data | val); + val |= FIELD_PREP(TESTI_ADR_MASK, p->field.reg_no); + uniphier_u3ssphy_testio_write(priv, val); + uniphier_u3ssphy_testio_write(priv, val | TESTI_WR_EN); +-- +2.34.1 + diff --git a/queue-5.10/pm-avs-qcom-cpr-use-div64_ul-instead-of-do_div.patch b/queue-5.10/pm-avs-qcom-cpr-use-div64_ul-instead-of-do_div.patch new file mode 100644 index 00000000000..bb0df7a538b --- /dev/null +++ b/queue-5.10/pm-avs-qcom-cpr-use-div64_ul-instead-of-do_div.patch @@ -0,0 +1,38 @@ +From 0136610e36946d2ecb6aa2efefd30bee8ed040bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Nov 2021 01:43:11 +0000 +Subject: PM: AVS: qcom-cpr: Use div64_ul instead of do_div + +From: Changcheng Deng + +[ Upstream commit 92c550f9ffd2884bb5def52b5c0485a35e452784 ] + +do_div() does a 64-by-32 division. Here the divisor is an unsigned long +which on some platforms is 64 bit wide. So use div64_ul instead of do_div +to avoid a possible truncation. + +Reported-by: Zeal Robot +Signed-off-by: Changcheng Deng +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20211125014311.45942-1-deng.changcheng@zte.com.cn +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/cpr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/qcom/cpr.c b/drivers/soc/qcom/cpr.c +index b24cc77d1889f..6298561bc29c9 100644 +--- a/drivers/soc/qcom/cpr.c ++++ b/drivers/soc/qcom/cpr.c +@@ -1043,7 +1043,7 @@ static int cpr_interpolate(const struct corner *corner, int step_volt, + return corner->uV; + + temp = f_diff * (uV_high - uV_low); +- do_div(temp, f_high - f_low); ++ temp = div64_ul(temp, f_high - f_low); + + /* + * max_volt_scale has units of uV/MHz while freq values +-- +2.34.1 + diff --git a/queue-5.10/pm-runtime-add-safety-net-to-supplier-device-release.patch b/queue-5.10/pm-runtime-add-safety-net-to-supplier-device-release.patch new file mode 100644 index 00000000000..5c4e0a8b927 --- /dev/null +++ b/queue-5.10/pm-runtime-add-safety-net-to-supplier-device-release.patch @@ -0,0 +1,137 @@ +From 078902dbd0754664e17a69576275d08602a9e720 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 17:10:13 +0100 +Subject: PM: runtime: Add safety net to supplier device release + +From: Rafael J. Wysocki + +[ Upstream commit d1579e61192e0e686faa4208500ef4c3b529b16c ] + +Because refcount_dec_not_one() returns true if the target refcount +becomes saturated, it is generally unsafe to use its return value as +a loop termination condition, but that is what happens when a device +link's supplier device is released during runtime PM suspend +operations and on device link removal. + +To address this, introduce pm_runtime_release_supplier() to be used +in the above cases which will check the supplier device's runtime +PM usage counter in addition to the refcount_dec_not_one() return +value, so the loop can be terminated in case the rpm_active refcount +value becomes invalid, and update the code in question to use it as +appropriate. + +This change is not expected to have any visible functional impact. + +Reported-by: Peter Zijlstra +Signed-off-by: Rafael J. Wysocki +Acked-by: Greg Kroah-Hartman +Acked-by: Peter Zijlstra (Intel) +Signed-off-by: Sasha Levin +--- + drivers/base/core.c | 3 +-- + drivers/base/power/runtime.c | 41 ++++++++++++++++++++++++++---------- + include/linux/pm_runtime.h | 3 +++ + 3 files changed, 34 insertions(+), 13 deletions(-) + +diff --git a/drivers/base/core.c b/drivers/base/core.c +index 389d13616d1df..c0566aff53551 100644 +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -348,8 +348,7 @@ static void device_link_release_fn(struct work_struct *work) + /* Ensure that all references to the link object have been dropped. */ + device_link_synchronize_removal(); + +- while (refcount_dec_not_one(&link->rpm_active)) +- pm_runtime_put(link->supplier); ++ pm_runtime_release_supplier(link, true); + + put_device(link->consumer); + put_device(link->supplier); +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index bc649da4899a0..1573319404888 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -305,19 +305,40 @@ static int rpm_get_suppliers(struct device *dev) + return 0; + } + ++/** ++ * pm_runtime_release_supplier - Drop references to device link's supplier. ++ * @link: Target device link. ++ * @check_idle: Whether or not to check if the supplier device is idle. ++ * ++ * Drop all runtime PM references associated with @link to its supplier device ++ * and if @check_idle is set, check if that device is idle (and so it can be ++ * suspended). ++ */ ++void pm_runtime_release_supplier(struct device_link *link, bool check_idle) ++{ ++ struct device *supplier = link->supplier; ++ ++ /* ++ * The additional power.usage_count check is a safety net in case ++ * the rpm_active refcount becomes saturated, in which case ++ * refcount_dec_not_one() would return true forever, but it is not ++ * strictly necessary. ++ */ ++ while (refcount_dec_not_one(&link->rpm_active) && ++ atomic_read(&supplier->power.usage_count) > 0) ++ pm_runtime_put_noidle(supplier); ++ ++ if (check_idle) ++ pm_request_idle(supplier); ++} ++ + static void __rpm_put_suppliers(struct device *dev, bool try_to_suspend) + { + struct device_link *link; + + list_for_each_entry_rcu(link, &dev->links.suppliers, c_node, +- device_links_read_lock_held()) { +- +- while (refcount_dec_not_one(&link->rpm_active)) +- pm_runtime_put_noidle(link->supplier); +- +- if (try_to_suspend) +- pm_request_idle(link->supplier); +- } ++ device_links_read_lock_held()) ++ pm_runtime_release_supplier(link, try_to_suspend); + } + + static void rpm_put_suppliers(struct device *dev) +@@ -1755,9 +1776,7 @@ void pm_runtime_drop_link(struct device_link *link) + return; + + pm_runtime_drop_link_count(link->consumer); +- +- while (refcount_dec_not_one(&link->rpm_active)) +- pm_runtime_put(link->supplier); ++ pm_runtime_release_supplier(link, true); + } + + static bool pm_runtime_need_not_resume(struct device *dev) +diff --git a/include/linux/pm_runtime.h b/include/linux/pm_runtime.h +index 161acd4ede448..30091ab5de287 100644 +--- a/include/linux/pm_runtime.h ++++ b/include/linux/pm_runtime.h +@@ -58,6 +58,7 @@ extern void pm_runtime_get_suppliers(struct device *dev); + extern void pm_runtime_put_suppliers(struct device *dev); + extern void pm_runtime_new_link(struct device *dev); + extern void pm_runtime_drop_link(struct device_link *link); ++extern void pm_runtime_release_supplier(struct device_link *link, bool check_idle); + + /** + * pm_runtime_get_if_in_use - Conditionally bump up runtime PM usage counter. +@@ -279,6 +280,8 @@ static inline void pm_runtime_get_suppliers(struct device *dev) {} + static inline void pm_runtime_put_suppliers(struct device *dev) {} + static inline void pm_runtime_new_link(struct device *dev) {} + static inline void pm_runtime_drop_link(struct device_link *link) {} ++static inline void pm_runtime_release_supplier(struct device_link *link, ++ bool check_idle) {} + + #endif /* !CONFIG_PM */ + +-- +2.34.1 + diff --git a/queue-5.10/power-reset-mt6397-check-for-null-res-pointer.patch b/queue-5.10/power-reset-mt6397-check-for-null-res-pointer.patch new file mode 100644 index 00000000000..d084db2f922 --- /dev/null +++ b/queue-5.10/power-reset-mt6397-check-for-null-res-pointer.patch @@ -0,0 +1,38 @@ +From 7f54abdb702f891381e21e6b2e197f39ca7a1cb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 16:38:11 +0800 +Subject: power: reset: mt6397: Check for null res pointer + +From: Jiasheng Jiang + +[ Upstream commit 1c1348bf056dee665760a3bd1cd30b0be7554fc2 ] + +The return value of platform_get_resource() needs to be checked. +To avoid use of error pointer in case that there is no suitable +resource. + +Fixes: d28c74c10751 ("power: reset: add driver for mt6323 poweroff") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/reset/mt6323-poweroff.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/power/reset/mt6323-poweroff.c b/drivers/power/reset/mt6323-poweroff.c +index 0532803e6cbc4..d90e76fcb9383 100644 +--- a/drivers/power/reset/mt6323-poweroff.c ++++ b/drivers/power/reset/mt6323-poweroff.c +@@ -57,6 +57,9 @@ static int mt6323_pwrc_probe(struct platform_device *pdev) + return -ENOMEM; + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (!res) ++ return -EINVAL; ++ + pwrc->base = res->start; + pwrc->regmap = mt6397_chip->regmap; + pwrc->dev = &pdev->dev; +-- +2.34.1 + diff --git a/queue-5.10/powerpc-32s-fix-shift-out-of-bounds-in-kasan-init.patch b/queue-5.10/powerpc-32s-fix-shift-out-of-bounds-in-kasan-init.patch new file mode 100644 index 00000000000..2d910d30bfb --- /dev/null +++ b/queue-5.10/powerpc-32s-fix-shift-out-of-bounds-in-kasan-init.patch @@ -0,0 +1,56 @@ +From 773fc9a9949c4dc06871a87e4d7099a51304bb95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 09:42:37 +0100 +Subject: powerpc/32s: Fix shift-out-of-bounds in KASAN init + +From: Christophe Leroy + +[ Upstream commit af11dee4361b3519981fa04d014873f9d9edd6ac ] + +================================================================================ +UBSAN: shift-out-of-bounds in arch/powerpc/mm/kasan/book3s_32.c:22:23 +shift exponent -1 is negative +CPU: 0 PID: 0 Comm: swapper Not tainted 5.15.5-gentoo-PowerMacG4 #9 +Call Trace: +[c214be60] [c0ba0048] dump_stack_lvl+0x80/0xb0 (unreliable) +[c214be80] [c0b99288] ubsan_epilogue+0x10/0x5c +[c214be90] [c0b98fe0] __ubsan_handle_shift_out_of_bounds+0x94/0x138 +[c214bf00] [c1c0f010] kasan_init_region+0xd8/0x26c +[c214bf30] [c1c0ed84] kasan_init+0xc0/0x198 +[c214bf70] [c1c08024] setup_arch+0x18/0x54c +[c214bfc0] [c1c037f0] start_kernel+0x90/0x33c +[c214bff0] [00003610] 0x3610 +================================================================================ + +This happens when the directly mapped memory is a power of 2. + +Fix it by checking the shift and set the result to 0 when shift is -1 + +Fixes: 7974c4732642 ("powerpc/32s: Implement dedicated kasan_init_region()") +Reported-by: Erhard Furtner +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215169 +Link: https://lore.kernel.org/r/15cbc3439d4ad988b225e2119ec99502a5cc6ad3.1638261744.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/kasan/book3s_32.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/mm/kasan/book3s_32.c b/arch/powerpc/mm/kasan/book3s_32.c +index 202bd260a0095..35b287b0a8da4 100644 +--- a/arch/powerpc/mm/kasan/book3s_32.c ++++ b/arch/powerpc/mm/kasan/book3s_32.c +@@ -19,7 +19,8 @@ int __init kasan_init_region(void *start, size_t size) + block = memblock_alloc(k_size, k_size_base); + + if (block && k_size_base >= SZ_128K && k_start == ALIGN(k_start, k_size_base)) { +- int k_size_more = 1 << (ffs(k_size - k_size_base) - 1); ++ int shift = ffs(k_size - k_size_base); ++ int k_size_more = shift ? 1 << (shift - 1) : 0; + + setbat(-1, k_start, __pa(block), k_size_base, PAGE_KERNEL); + if (k_size_more >= SZ_128K) +-- +2.34.1 + diff --git a/queue-5.10/powerpc-40x-map-32mbytes-of-memory-at-startup.patch b/queue-5.10/powerpc-40x-map-32mbytes-of-memory-at-startup.patch new file mode 100644 index 00000000000..40b808ee4b8 --- /dev/null +++ b/queue-5.10/powerpc-40x-map-32mbytes-of-memory-at-startup.patch @@ -0,0 +1,57 @@ +From 5792f6ed10ab0efd3f95c67b823ff5c7a4158d42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 17:12:39 +0200 +Subject: powerpc/40x: Map 32Mbytes of memory at startup + +From: Christophe Leroy + +[ Upstream commit 06e7cbc29e97b4713b4ea6def04ae8501a7d1a59 ] + +As reported by Carlo, 16Mbytes is not enough with modern kernels +that tend to be a bit big, so map another 16M page at boot. + +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/89b5f974a7fa5011206682cd092e2c905530ff46.1632755552.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/head_40x.S | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/head_40x.S b/arch/powerpc/kernel/head_40x.S +index a1ae00689e0f4..aeb9bc9958749 100644 +--- a/arch/powerpc/kernel/head_40x.S ++++ b/arch/powerpc/kernel/head_40x.S +@@ -27,6 +27,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -626,7 +627,7 @@ start_here: + b . /* prevent prefetch past rfi */ + + /* Set up the initial MMU state so we can do the first level of +- * kernel initialization. This maps the first 16 MBytes of memory 1:1 ++ * kernel initialization. This maps the first 32 MBytes of memory 1:1 + * virtual to physical and more importantly sets the cache mode. + */ + initial_mmu: +@@ -663,6 +664,12 @@ initial_mmu: + tlbwe r4,r0,TLB_DATA /* Load the data portion of the entry */ + tlbwe r3,r0,TLB_TAG /* Load the tag portion of the entry */ + ++ li r0,62 /* TLB slot 62 */ ++ addis r4,r4,SZ_16M@h ++ addis r3,r3,SZ_16M@h ++ tlbwe r4,r0,TLB_DATA /* Load the data portion of the entry */ ++ tlbwe r3,r0,TLB_TAG /* Load the tag portion of the entry */ ++ + isync + + /* Establish the exception vector base +-- +2.34.1 + diff --git a/queue-5.10/powerpc-64s-convert-some-cpu_setup-and-cpu_restore-f.patch b/queue-5.10/powerpc-64s-convert-some-cpu_setup-and-cpu_restore-f.patch new file mode 100644 index 00000000000..ad890f7f206 --- /dev/null +++ b/queue-5.10/powerpc-64s-convert-some-cpu_setup-and-cpu_restore-f.patch @@ -0,0 +1,619 @@ +From 76cbfc25ae26bc70ba8a50f38fde17f5e88959ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 18:28:37 +1100 +Subject: powerpc/64s: Convert some cpu_setup() and cpu_restore() functions to + C + +From: Jordan Niethe + +[ Upstream commit 344fbab991a568dc33ad90711b489d870e18d26d ] + +The only thing keeping the cpu_setup() and cpu_restore() functions +used in the cputable entries for Power7, Power8, Power9 and Power10 in +assembly was cpu_restore() being called before there was a stack in +generic_secondary_smp_init(). Commit ("powerpc/64: Set up a kernel +stack for secondaries before cpu_restore()") means that it is now +possible to use C. + +Rewrite the functions in C so they are a little bit easier to read. +This is not changing their functionality. + +Signed-off-by: Jordan Niethe +[mpe: Tweak copyright and authorship notes] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201014072837.24539-2-jniethe5@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/cpu_setup_power.h | 12 + + arch/powerpc/kernel/cpu_setup_power.S | 252 ------------------- + arch/powerpc/kernel/cpu_setup_power.c | 271 +++++++++++++++++++++ + arch/powerpc/kernel/cputable.c | 12 +- + 4 files changed, 287 insertions(+), 260 deletions(-) + create mode 100644 arch/powerpc/include/asm/cpu_setup_power.h + delete mode 100644 arch/powerpc/kernel/cpu_setup_power.S + create mode 100644 arch/powerpc/kernel/cpu_setup_power.c + +diff --git a/arch/powerpc/include/asm/cpu_setup_power.h b/arch/powerpc/include/asm/cpu_setup_power.h +new file mode 100644 +index 0000000000000..24be9131f8032 +--- /dev/null ++++ b/arch/powerpc/include/asm/cpu_setup_power.h +@@ -0,0 +1,12 @@ ++/* SPDX-License-Identifier: GPL-2.0-or-later */ ++/* ++ * Copyright (C) 2020 IBM Corporation ++ */ ++void __setup_cpu_power7(unsigned long offset, struct cpu_spec *spec); ++void __restore_cpu_power7(void); ++void __setup_cpu_power8(unsigned long offset, struct cpu_spec *spec); ++void __restore_cpu_power8(void); ++void __setup_cpu_power9(unsigned long offset, struct cpu_spec *spec); ++void __restore_cpu_power9(void); ++void __setup_cpu_power10(unsigned long offset, struct cpu_spec *spec); ++void __restore_cpu_power10(void); +diff --git a/arch/powerpc/kernel/cpu_setup_power.S b/arch/powerpc/kernel/cpu_setup_power.S +deleted file mode 100644 +index 704e8b9501eee..0000000000000 +--- a/arch/powerpc/kernel/cpu_setup_power.S ++++ /dev/null +@@ -1,252 +0,0 @@ +-/* SPDX-License-Identifier: GPL-2.0-or-later */ +-/* +- * This file contains low level CPU setup functions. +- * Copyright (C) 2003 Benjamin Herrenschmidt (benh@kernel.crashing.org) +- */ +- +-#include +-#include +-#include +-#include +-#include +-#include +-#include +- +-/* Entry: r3 = crap, r4 = ptr to cputable entry +- * +- * Note that we can be called twice for pseudo-PVRs +- */ +-_GLOBAL(__setup_cpu_power7) +- mflr r11 +- bl __init_hvmode_206 +- mtlr r11 +- beqlr +- li r0,0 +- mtspr SPRN_LPID,r0 +- LOAD_REG_IMMEDIATE(r0, PCR_MASK) +- mtspr SPRN_PCR,r0 +- mfspr r3,SPRN_LPCR +- li r4,(LPCR_LPES1 >> LPCR_LPES_SH) +- bl __init_LPCR_ISA206 +- mtlr r11 +- blr +- +-_GLOBAL(__restore_cpu_power7) +- mflr r11 +- mfmsr r3 +- rldicl. r0,r3,4,63 +- beqlr +- li r0,0 +- mtspr SPRN_LPID,r0 +- LOAD_REG_IMMEDIATE(r0, PCR_MASK) +- mtspr SPRN_PCR,r0 +- mfspr r3,SPRN_LPCR +- li r4,(LPCR_LPES1 >> LPCR_LPES_SH) +- bl __init_LPCR_ISA206 +- mtlr r11 +- blr +- +-_GLOBAL(__setup_cpu_power8) +- mflr r11 +- bl __init_FSCR +- bl __init_PMU +- bl __init_PMU_ISA207 +- bl __init_hvmode_206 +- mtlr r11 +- beqlr +- li r0,0 +- mtspr SPRN_LPID,r0 +- LOAD_REG_IMMEDIATE(r0, PCR_MASK) +- mtspr SPRN_PCR,r0 +- mfspr r3,SPRN_LPCR +- ori r3, r3, LPCR_PECEDH +- li r4,0 /* LPES = 0 */ +- bl __init_LPCR_ISA206 +- bl __init_HFSCR +- bl __init_PMU_HV +- bl __init_PMU_HV_ISA207 +- mtlr r11 +- blr +- +-_GLOBAL(__restore_cpu_power8) +- mflr r11 +- bl __init_FSCR +- bl __init_PMU +- bl __init_PMU_ISA207 +- mfmsr r3 +- rldicl. r0,r3,4,63 +- mtlr r11 +- beqlr +- li r0,0 +- mtspr SPRN_LPID,r0 +- LOAD_REG_IMMEDIATE(r0, PCR_MASK) +- mtspr SPRN_PCR,r0 +- mfspr r3,SPRN_LPCR +- ori r3, r3, LPCR_PECEDH +- li r4,0 /* LPES = 0 */ +- bl __init_LPCR_ISA206 +- bl __init_HFSCR +- bl __init_PMU_HV +- bl __init_PMU_HV_ISA207 +- mtlr r11 +- blr +- +-_GLOBAL(__setup_cpu_power10) +- mflr r11 +- bl __init_FSCR_power10 +- bl __init_PMU +- bl __init_PMU_ISA31 +- b 1f +- +-_GLOBAL(__setup_cpu_power9) +- mflr r11 +- bl __init_FSCR_power9 +- bl __init_PMU +-1: bl __init_hvmode_206 +- mtlr r11 +- beqlr +- li r0,0 +- mtspr SPRN_PSSCR,r0 +- mtspr SPRN_LPID,r0 +- mtspr SPRN_PID,r0 +- LOAD_REG_IMMEDIATE(r0, PCR_MASK) +- mtspr SPRN_PCR,r0 +- mfspr r3,SPRN_LPCR +- LOAD_REG_IMMEDIATE(r4, LPCR_PECEDH | LPCR_PECE_HVEE | LPCR_HVICE | LPCR_HEIC) +- or r3, r3, r4 +- LOAD_REG_IMMEDIATE(r4, LPCR_UPRT | LPCR_HR) +- andc r3, r3, r4 +- li r4,0 /* LPES = 0 */ +- bl __init_LPCR_ISA300 +- bl __init_HFSCR +- bl __init_PMU_HV +- mtlr r11 +- blr +- +-_GLOBAL(__restore_cpu_power10) +- mflr r11 +- bl __init_FSCR_power10 +- bl __init_PMU +- bl __init_PMU_ISA31 +- b 1f +- +-_GLOBAL(__restore_cpu_power9) +- mflr r11 +- bl __init_FSCR_power9 +- bl __init_PMU +-1: mfmsr r3 +- rldicl. r0,r3,4,63 +- mtlr r11 +- beqlr +- li r0,0 +- mtspr SPRN_PSSCR,r0 +- mtspr SPRN_LPID,r0 +- mtspr SPRN_PID,r0 +- LOAD_REG_IMMEDIATE(r0, PCR_MASK) +- mtspr SPRN_PCR,r0 +- mfspr r3,SPRN_LPCR +- LOAD_REG_IMMEDIATE(r4, LPCR_PECEDH | LPCR_PECE_HVEE | LPCR_HVICE | LPCR_HEIC) +- or r3, r3, r4 +- LOAD_REG_IMMEDIATE(r4, LPCR_UPRT | LPCR_HR) +- andc r3, r3, r4 +- li r4,0 /* LPES = 0 */ +- bl __init_LPCR_ISA300 +- bl __init_HFSCR +- bl __init_PMU_HV +- mtlr r11 +- blr +- +-__init_hvmode_206: +- /* Disable CPU_FTR_HVMODE and exit if MSR:HV is not set */ +- mfmsr r3 +- rldicl. r0,r3,4,63 +- bnelr +- ld r5,CPU_SPEC_FEATURES(r4) +- LOAD_REG_IMMEDIATE(r6,CPU_FTR_HVMODE | CPU_FTR_P9_TM_HV_ASSIST) +- andc r5,r5,r6 +- std r5,CPU_SPEC_FEATURES(r4) +- blr +- +-__init_LPCR_ISA206: +- /* Setup a sane LPCR: +- * Called with initial LPCR in R3 and desired LPES 2-bit value in R4 +- * +- * LPES = 0b01 (HSRR0/1 used for 0x500) +- * PECE = 0b111 +- * DPFD = 4 +- * HDICE = 0 +- * VC = 0b100 (VPM0=1, VPM1=0, ISL=0) +- * VRMASD = 0b10000 (L=1, LP=00) +- * +- * Other bits untouched for now +- */ +- li r5,0x10 +- rldimi r3,r5, LPCR_VRMASD_SH, 64-LPCR_VRMASD_SH-5 +- +- /* POWER9 has no VRMASD */ +-__init_LPCR_ISA300: +- rldimi r3,r4, LPCR_LPES_SH, 64-LPCR_LPES_SH-2 +- ori r3,r3,(LPCR_PECE0|LPCR_PECE1|LPCR_PECE2) +- li r5,4 +- rldimi r3,r5, LPCR_DPFD_SH, 64-LPCR_DPFD_SH-3 +- clrrdi r3,r3,1 /* clear HDICE */ +- li r5,4 +- rldimi r3,r5, LPCR_VC_SH, 0 +- mtspr SPRN_LPCR,r3 +- isync +- blr +- +-__init_FSCR_power10: +- mfspr r3, SPRN_FSCR +- ori r3, r3, FSCR_PREFIX +- mtspr SPRN_FSCR, r3 +- // fall through +- +-__init_FSCR_power9: +- mfspr r3, SPRN_FSCR +- ori r3, r3, FSCR_SCV +- mtspr SPRN_FSCR, r3 +- // fall through +- +-__init_FSCR: +- mfspr r3,SPRN_FSCR +- ori r3,r3,FSCR_TAR|FSCR_EBB +- mtspr SPRN_FSCR,r3 +- blr +- +-__init_HFSCR: +- mfspr r3,SPRN_HFSCR +- ori r3,r3,HFSCR_TAR|HFSCR_TM|HFSCR_BHRB|HFSCR_PM|\ +- HFSCR_DSCR|HFSCR_VECVSX|HFSCR_FP|HFSCR_EBB|HFSCR_MSGP +- mtspr SPRN_HFSCR,r3 +- blr +- +-__init_PMU_HV: +- li r5,0 +- mtspr SPRN_MMCRC,r5 +- blr +- +-__init_PMU_HV_ISA207: +- li r5,0 +- mtspr SPRN_MMCRH,r5 +- blr +- +-__init_PMU: +- li r5,0 +- mtspr SPRN_MMCRA,r5 +- mtspr SPRN_MMCR0,r5 +- mtspr SPRN_MMCR1,r5 +- mtspr SPRN_MMCR2,r5 +- blr +- +-__init_PMU_ISA207: +- li r5,0 +- mtspr SPRN_MMCRS,r5 +- blr +- +-__init_PMU_ISA31: +- li r5,0 +- mtspr SPRN_MMCR3,r5 +- LOAD_REG_IMMEDIATE(r5, MMCRA_BHRB_DISABLE) +- mtspr SPRN_MMCRA,r5 +- blr +diff --git a/arch/powerpc/kernel/cpu_setup_power.c b/arch/powerpc/kernel/cpu_setup_power.c +new file mode 100644 +index 0000000000000..0c2191ee139ec +--- /dev/null ++++ b/arch/powerpc/kernel/cpu_setup_power.c +@@ -0,0 +1,271 @@ ++// SPDX-License-Identifier: GPL-2.0-or-later ++/* ++ * Copyright 2020, Jordan Niethe, IBM Corporation. ++ * ++ * This file contains low level CPU setup functions. ++ * Originally written in assembly by Benjamin Herrenschmidt & various other ++ * authors. ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++/* Disable CPU_FTR_HVMODE and return false if MSR:HV is not set */ ++static bool init_hvmode_206(struct cpu_spec *t) ++{ ++ u64 msr; ++ ++ msr = mfmsr(); ++ if (msr & MSR_HV) ++ return true; ++ ++ t->cpu_features &= ~(CPU_FTR_HVMODE | CPU_FTR_P9_TM_HV_ASSIST); ++ return false; ++} ++ ++static void init_LPCR_ISA300(u64 lpcr, u64 lpes) ++{ ++ /* POWER9 has no VRMASD */ ++ lpcr |= (lpes << LPCR_LPES_SH) & LPCR_LPES; ++ lpcr |= LPCR_PECE0|LPCR_PECE1|LPCR_PECE2; ++ lpcr |= (4ull << LPCR_DPFD_SH) & LPCR_DPFD; ++ lpcr &= ~LPCR_HDICE; /* clear HDICE */ ++ lpcr |= (4ull << LPCR_VC_SH); ++ mtspr(SPRN_LPCR, lpcr); ++ isync(); ++} ++ ++/* ++ * Setup a sane LPCR: ++ * Called with initial LPCR and desired LPES 2-bit value ++ * ++ * LPES = 0b01 (HSRR0/1 used for 0x500) ++ * PECE = 0b111 ++ * DPFD = 4 ++ * HDICE = 0 ++ * VC = 0b100 (VPM0=1, VPM1=0, ISL=0) ++ * VRMASD = 0b10000 (L=1, LP=00) ++ * ++ * Other bits untouched for now ++ */ ++static void init_LPCR_ISA206(u64 lpcr, u64 lpes) ++{ ++ lpcr |= (0x10ull << LPCR_VRMASD_SH) & LPCR_VRMASD; ++ init_LPCR_ISA300(lpcr, lpes); ++} ++ ++static void init_FSCR(void) ++{ ++ u64 fscr; ++ ++ fscr = mfspr(SPRN_FSCR); ++ fscr |= FSCR_TAR|FSCR_EBB; ++ mtspr(SPRN_FSCR, fscr); ++} ++ ++static void init_FSCR_power9(void) ++{ ++ u64 fscr; ++ ++ fscr = mfspr(SPRN_FSCR); ++ fscr |= FSCR_SCV; ++ mtspr(SPRN_FSCR, fscr); ++ init_FSCR(); ++} ++ ++static void init_FSCR_power10(void) ++{ ++ u64 fscr; ++ ++ fscr = mfspr(SPRN_FSCR); ++ fscr |= FSCR_PREFIX; ++ mtspr(SPRN_FSCR, fscr); ++ init_FSCR_power9(); ++} ++ ++static void init_HFSCR(void) ++{ ++ u64 hfscr; ++ ++ hfscr = mfspr(SPRN_HFSCR); ++ hfscr |= HFSCR_TAR|HFSCR_TM|HFSCR_BHRB|HFSCR_PM|HFSCR_DSCR|\ ++ HFSCR_VECVSX|HFSCR_FP|HFSCR_EBB|HFSCR_MSGP; ++ mtspr(SPRN_HFSCR, hfscr); ++} ++ ++static void init_PMU_HV(void) ++{ ++ mtspr(SPRN_MMCRC, 0); ++} ++ ++static void init_PMU_HV_ISA207(void) ++{ ++ mtspr(SPRN_MMCRH, 0); ++} ++ ++static void init_PMU(void) ++{ ++ mtspr(SPRN_MMCRA, 0); ++ mtspr(SPRN_MMCR0, 0); ++ mtspr(SPRN_MMCR1, 0); ++ mtspr(SPRN_MMCR2, 0); ++} ++ ++static void init_PMU_ISA207(void) ++{ ++ mtspr(SPRN_MMCRS, 0); ++} ++ ++static void init_PMU_ISA31(void) ++{ ++ mtspr(SPRN_MMCR3, 0); ++ mtspr(SPRN_MMCRA, MMCRA_BHRB_DISABLE); ++} ++ ++/* ++ * Note that we can be called twice of pseudo-PVRs. ++ * The parameter offset is not used. ++ */ ++ ++void __setup_cpu_power7(unsigned long offset, struct cpu_spec *t) ++{ ++ if (!init_hvmode_206(t)) ++ return; ++ ++ mtspr(SPRN_LPID, 0); ++ mtspr(SPRN_PCR, PCR_MASK); ++ init_LPCR_ISA206(mfspr(SPRN_LPCR), LPCR_LPES1 >> LPCR_LPES_SH); ++} ++ ++void __restore_cpu_power7(void) ++{ ++ u64 msr; ++ ++ msr = mfmsr(); ++ if (!(msr & MSR_HV)) ++ return; ++ ++ mtspr(SPRN_LPID, 0); ++ mtspr(SPRN_PCR, PCR_MASK); ++ init_LPCR_ISA206(mfspr(SPRN_LPCR), LPCR_LPES1 >> LPCR_LPES_SH); ++} ++ ++void __setup_cpu_power8(unsigned long offset, struct cpu_spec *t) ++{ ++ init_FSCR(); ++ init_PMU(); ++ init_PMU_ISA207(); ++ ++ if (!init_hvmode_206(t)) ++ return; ++ ++ mtspr(SPRN_LPID, 0); ++ mtspr(SPRN_PCR, PCR_MASK); ++ init_LPCR_ISA206(mfspr(SPRN_LPCR) | LPCR_PECEDH, 0); /* LPES = 0 */ ++ init_HFSCR(); ++ init_PMU_HV(); ++ init_PMU_HV_ISA207(); ++} ++ ++void __restore_cpu_power8(void) ++{ ++ u64 msr; ++ ++ init_FSCR(); ++ init_PMU(); ++ init_PMU_ISA207(); ++ ++ msr = mfmsr(); ++ if (!(msr & MSR_HV)) ++ return; ++ ++ mtspr(SPRN_LPID, 0); ++ mtspr(SPRN_PCR, PCR_MASK); ++ init_LPCR_ISA206(mfspr(SPRN_LPCR) | LPCR_PECEDH, 0); /* LPES = 0 */ ++ init_HFSCR(); ++ init_PMU_HV(); ++ init_PMU_HV_ISA207(); ++} ++ ++void __setup_cpu_power9(unsigned long offset, struct cpu_spec *t) ++{ ++ init_FSCR_power9(); ++ init_PMU(); ++ ++ if (!init_hvmode_206(t)) ++ return; ++ ++ mtspr(SPRN_PSSCR, 0); ++ mtspr(SPRN_LPID, 0); ++ mtspr(SPRN_PID, 0); ++ mtspr(SPRN_PCR, PCR_MASK); ++ init_LPCR_ISA300((mfspr(SPRN_LPCR) | LPCR_PECEDH | LPCR_PECE_HVEE |\ ++ LPCR_HVICE | LPCR_HEIC) & ~(LPCR_UPRT | LPCR_HR), 0); ++ init_HFSCR(); ++ init_PMU_HV(); ++} ++ ++void __restore_cpu_power9(void) ++{ ++ u64 msr; ++ ++ init_FSCR_power9(); ++ init_PMU(); ++ ++ msr = mfmsr(); ++ if (!(msr & MSR_HV)) ++ return; ++ ++ mtspr(SPRN_PSSCR, 0); ++ mtspr(SPRN_LPID, 0); ++ mtspr(SPRN_PID, 0); ++ mtspr(SPRN_PCR, PCR_MASK); ++ init_LPCR_ISA300((mfspr(SPRN_LPCR) | LPCR_PECEDH | LPCR_PECE_HVEE |\ ++ LPCR_HVICE | LPCR_HEIC) & ~(LPCR_UPRT | LPCR_HR), 0); ++ init_HFSCR(); ++ init_PMU_HV(); ++} ++ ++void __setup_cpu_power10(unsigned long offset, struct cpu_spec *t) ++{ ++ init_FSCR_power10(); ++ init_PMU(); ++ init_PMU_ISA31(); ++ ++ if (!init_hvmode_206(t)) ++ return; ++ ++ mtspr(SPRN_PSSCR, 0); ++ mtspr(SPRN_LPID, 0); ++ mtspr(SPRN_PID, 0); ++ mtspr(SPRN_PCR, PCR_MASK); ++ init_LPCR_ISA300((mfspr(SPRN_LPCR) | LPCR_PECEDH | LPCR_PECE_HVEE |\ ++ LPCR_HVICE | LPCR_HEIC) & ~(LPCR_UPRT | LPCR_HR), 0); ++ init_HFSCR(); ++ init_PMU_HV(); ++} ++ ++void __restore_cpu_power10(void) ++{ ++ u64 msr; ++ ++ init_FSCR_power10(); ++ init_PMU(); ++ init_PMU_ISA31(); ++ ++ msr = mfmsr(); ++ if (!(msr & MSR_HV)) ++ return; ++ ++ mtspr(SPRN_PSSCR, 0); ++ mtspr(SPRN_LPID, 0); ++ mtspr(SPRN_PID, 0); ++ mtspr(SPRN_PCR, PCR_MASK); ++ init_LPCR_ISA300((mfspr(SPRN_LPCR) | LPCR_PECEDH | LPCR_PECE_HVEE |\ ++ LPCR_HVICE | LPCR_HEIC) & ~(LPCR_UPRT | LPCR_HR), 0); ++ init_HFSCR(); ++ init_PMU_HV(); ++} +diff --git a/arch/powerpc/kernel/cputable.c b/arch/powerpc/kernel/cputable.c +index 29de58d4dfb76..8fdb40ee86d11 100644 +--- a/arch/powerpc/kernel/cputable.c ++++ b/arch/powerpc/kernel/cputable.c +@@ -60,19 +60,15 @@ extern void __setup_cpu_7410(unsigned long offset, struct cpu_spec* spec); + extern void __setup_cpu_745x(unsigned long offset, struct cpu_spec* spec); + #endif /* CONFIG_PPC32 */ + #ifdef CONFIG_PPC64 ++#include + extern void __setup_cpu_ppc970(unsigned long offset, struct cpu_spec* spec); + extern void __setup_cpu_ppc970MP(unsigned long offset, struct cpu_spec* spec); + extern void __setup_cpu_pa6t(unsigned long offset, struct cpu_spec* spec); + extern void __restore_cpu_pa6t(void); + extern void __restore_cpu_ppc970(void); +-extern void __setup_cpu_power7(unsigned long offset, struct cpu_spec* spec); +-extern void __restore_cpu_power7(void); +-extern void __setup_cpu_power8(unsigned long offset, struct cpu_spec* spec); +-extern void __restore_cpu_power8(void); +-extern void __setup_cpu_power9(unsigned long offset, struct cpu_spec* spec); +-extern void __restore_cpu_power9(void); +-extern void __setup_cpu_power10(unsigned long offset, struct cpu_spec* spec); +-extern void __restore_cpu_power10(void); ++extern long __machine_check_early_realmode_p7(struct pt_regs *regs); ++extern long __machine_check_early_realmode_p8(struct pt_regs *regs); ++extern long __machine_check_early_realmode_p9(struct pt_regs *regs); + #endif /* CONFIG_PPC64 */ + #if defined(CONFIG_E500) + extern void __setup_cpu_e5500(unsigned long offset, struct cpu_spec* spec); +-- +2.34.1 + diff --git a/queue-5.10/powerpc-6xx-add-missing-of_node_put.patch b/queue-5.10/powerpc-6xx-add-missing-of_node_put.patch new file mode 100644 index 00000000000..fa961614b85 --- /dev/null +++ b/queue-5.10/powerpc-6xx-add-missing-of_node_put.patch @@ -0,0 +1,64 @@ +From f9b89b4626fe2ee2bb5bd076cc471fcb9b2aacb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Nov 2015 20:33:19 +0000 +Subject: powerpc/6xx: add missing of_node_put + +From: Julia Lawall + +[ Upstream commit f6e82647ff71d427d4148964b71f239fba9d7937 ] + +for_each_compatible_node performs an of_node_get on each iteration, so +a break out of the loop requires an of_node_put. + +A simplified version of the semantic patch that fixes this problem is as +follows (http://coccinelle.lip6.fr): + +// +@@ +expression e; +local idexpression n; +@@ + +@@ +local idexpression n; +expression e; +@@ + + for_each_compatible_node(n,...) { + ... +( + of_node_put(n); +| + e = n +| ++ of_node_put(n); +? break; +) + ... + } +... when != n +// + +Signed-off-by: Julia Lawall +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1448051604-25256-2-git-send-email-Julia.Lawall@lip6.fr +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/embedded6xx/hlwd-pic.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c +index a1b7f79a8a152..de10c13de15c6 100644 +--- a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c ++++ b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c +@@ -215,6 +215,7 @@ void hlwd_pic_probe(void) + irq_set_chained_handler(cascade_virq, + hlwd_pic_irq_cascade); + hlwd_irq_host = host; ++ of_node_put(np); + break; + } + } +-- +2.34.1 + diff --git a/queue-5.10/powerpc-btext-add-missing-of_node_put.patch b/queue-5.10/powerpc-btext-add-missing-of_node_put.patch new file mode 100644 index 00000000000..0f2ab3030e7 --- /dev/null +++ b/queue-5.10/powerpc-btext-add-missing-of_node_put.patch @@ -0,0 +1,63 @@ +From f4502ac7092b28a471ed795c9fabaf48e4de0f3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Nov 2015 20:33:23 +0000 +Subject: powerpc/btext: add missing of_node_put + +From: Julia Lawall + +[ Upstream commit a1d2b210ffa52d60acabbf7b6af3ef7e1e69cda0 ] + +for_each_node_by_type performs an of_node_get on each iteration, so +a break out of the loop requires an of_node_put. + +A simplified version of the semantic patch that fixes this problem is as +follows (http://coccinelle.lip6.fr): + +// +@@ +local idexpression n; +expression e; +@@ + + for_each_node_by_type(n,...) { + ... +( + of_node_put(n); +| + e = n +| ++ of_node_put(n); +? break; +) + ... + } +... when != n +// + +Signed-off-by: Julia Lawall +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1448051604-25256-6-git-send-email-Julia.Lawall@lip6.fr +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/btext.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/btext.c b/arch/powerpc/kernel/btext.c +index 803c2a45b22ac..1cffb5e7c38d6 100644 +--- a/arch/powerpc/kernel/btext.c ++++ b/arch/powerpc/kernel/btext.c +@@ -241,8 +241,10 @@ int __init btext_find_display(int allow_nonstdout) + rc = btext_initialize(np); + printk("result: %d\n", rc); + } +- if (rc == 0) ++ if (rc == 0) { ++ of_node_put(np); + break; ++ } + } + return rc; + } +-- +2.34.1 + diff --git a/queue-5.10/powerpc-cell-add-missing-of_node_put.patch b/queue-5.10/powerpc-cell-add-missing-of_node_put.patch new file mode 100644 index 00000000000..a3400029eba --- /dev/null +++ b/queue-5.10/powerpc-cell-add-missing-of_node_put.patch @@ -0,0 +1,57 @@ +From 9445fdd2296721c2249b979a1464101a21daa845 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Nov 2015 21:33:24 +0100 +Subject: powerpc/cell: add missing of_node_put + +From: Julia Lawall + +[ Upstream commit a841fd009e51c8c0a8f07c942e9ab6bb48da8858 ] + +for_each_node_by_name performs an of_node_get on each iteration, so +a break out of the loop requires an of_node_put. + +A simplified version of the semantic patch that fixes this problem is as +follows (http://coccinelle.lip6.fr): + +// +@@ +expression e,e1; +local idexpression n; +@@ + + for_each_node_by_name(n, e1) { + ... when != of_node_put(n) + when != e = n +( + return n; +| ++ of_node_put(n); +? return ...; +) + ... + } +// + +Signed-off-by: Julia Lawall +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1448051604-25256-7-git-send-email-Julia.Lawall@lip6.fr +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/cell/iommu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/cell/iommu.c b/arch/powerpc/platforms/cell/iommu.c +index 2124831cf57c0..d04079b34d7c2 100644 +--- a/arch/powerpc/platforms/cell/iommu.c ++++ b/arch/powerpc/platforms/cell/iommu.c +@@ -976,6 +976,7 @@ static int __init cell_iommu_fixed_mapping_init(void) + if (hbase < dbase || (hend > (dbase + dsize))) { + pr_debug("iommu: hash window doesn't fit in" + "real DMA window\n"); ++ of_node_put(np); + return -1; + } + } +-- +2.34.1 + diff --git a/queue-5.10/powerpc-fadump-fix-inaccurate-cpu-state-info-in-vmco.patch b/queue-5.10/powerpc-fadump-fix-inaccurate-cpu-state-info-in-vmco.patch new file mode 100644 index 00000000000..e2ee7970dcf --- /dev/null +++ b/queue-5.10/powerpc-fadump-fix-inaccurate-cpu-state-info-in-vmco.patch @@ -0,0 +1,133 @@ +From 6a54e26255abea95b912303a3748dfc62e669bb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Dec 2021 16:07:19 +0530 +Subject: powerpc/fadump: Fix inaccurate CPU state info in vmcore generated + with panic + +From: Hari Bathini + +[ Upstream commit 06e629c25daa519be620a8c17359ae8fc7a2e903 ] + +In panic path, fadump is triggered via a panic notifier function. +Before calling panic notifier functions, smp_send_stop() gets called, +which stops all CPUs except the panic'ing CPU. Commit 8389b37dffdc +("powerpc: stop_this_cpu: remove the cpu from the online map.") and +again commit bab26238bbd4 ("powerpc: Offline CPU in stop_this_cpu()") +started marking CPUs as offline while stopping them. So, if a kernel +has either of the above commits, vmcore captured with fadump via panic +path would not process register data for all CPUs except the panic'ing +CPU. Sample output of crash-utility with such vmcore: + + # crash vmlinux vmcore + ... + KERNEL: vmlinux + DUMPFILE: vmcore [PARTIAL DUMP] + CPUS: 1 + DATE: Wed Nov 10 09:56:34 EST 2021 + UPTIME: 00:00:42 + LOAD AVERAGE: 2.27, 0.69, 0.24 + TASKS: 183 + NODENAME: XXXXXXXXX + RELEASE: 5.15.0+ + VERSION: #974 SMP Wed Nov 10 04:18:19 CST 2021 + MACHINE: ppc64le (2500 Mhz) + MEMORY: 8 GB + PANIC: "Kernel panic - not syncing: sysrq triggered crash" + PID: 3394 + COMMAND: "bash" + TASK: c0000000150a5f80 [THREAD_INFO: c0000000150a5f80] + CPU: 1 + STATE: TASK_RUNNING (PANIC) + + crash> p -x __cpu_online_mask + __cpu_online_mask = $1 = { + bits = {0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0} + } + crash> + crash> + crash> p -x __cpu_active_mask + __cpu_active_mask = $2 = { + bits = {0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0} + } + crash> + +While this has been the case since fadump was introduced, the issue +was not identified for two probable reasons: + + - In general, the bulk of the vmcores analyzed were from crash + due to exception. + + - The above did change since commit 8341f2f222d7 ("sysrq: Use + panic() to force a crash") started using panic() instead of + deferencing NULL pointer to force a kernel crash. But then + commit de6e5d38417e ("powerpc: smp_send_stop do not offline + stopped CPUs") stopped marking CPUs as offline till kernel + commit bab26238bbd4 ("powerpc: Offline CPU in stop_this_cpu()") + reverted that change. + +To ensure post processing register data of all other CPUs happens +as intended, let panic() function take the crash friendly path (read +crash_smp_send_stop()) with the help of crash_kexec_post_notifiers +option. Also, as register data for all CPUs is captured by f/w, skip +IPI callbacks here for fadump, to avoid any complications in finding +the right backtraces. + +Signed-off-by: Hari Bathini +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211207103719.91117-2-hbathini@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/fadump.c | 8 ++++++++ + arch/powerpc/kernel/smp.c | 10 ++++++++++ + 2 files changed, 18 insertions(+) + +diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c +index eddf362caedce..c3bb800dc4352 100644 +--- a/arch/powerpc/kernel/fadump.c ++++ b/arch/powerpc/kernel/fadump.c +@@ -1641,6 +1641,14 @@ int __init setup_fadump(void) + else if (fw_dump.reserve_dump_area_size) + fw_dump.ops->fadump_init_mem_struct(&fw_dump); + ++ /* ++ * In case of panic, fadump is triggered via ppc_panic_event() ++ * panic notifier. Setting crash_kexec_post_notifiers to 'true' ++ * lets panic() function take crash friendly path before panic ++ * notifiers are invoked. ++ */ ++ crash_kexec_post_notifiers = true; ++ + return 1; + } + subsys_initcall(setup_fadump); +diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c +index d993f28107afa..cf99f57aed822 100644 +--- a/arch/powerpc/kernel/smp.c ++++ b/arch/powerpc/kernel/smp.c +@@ -60,6 +60,7 @@ + #include + #include + #include ++#include + + #ifdef DEBUG + #include +@@ -612,6 +613,15 @@ void crash_smp_send_stop(void) + { + static bool stopped = false; + ++ /* ++ * In case of fadump, register data for all CPUs is captured by f/w ++ * on ibm,os-term rtas call. Skip IPI callbacks to other CPUs before ++ * this rtas call to avoid tricky post processing of those CPUs' ++ * backtraces. ++ */ ++ if (should_fadump_crash()) ++ return; ++ + if (stopped) + return; + +-- +2.34.1 + diff --git a/queue-5.10/powerpc-handle-kdump-appropriately-with-crash_kexec_.patch b/queue-5.10/powerpc-handle-kdump-appropriately-with-crash_kexec_.patch new file mode 100644 index 00000000000..4e58a2870d1 --- /dev/null +++ b/queue-5.10/powerpc-handle-kdump-appropriately-with-crash_kexec_.patch @@ -0,0 +1,76 @@ +From 490dc93a850d8bcc0b253d1dd6e680a28f533fc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Dec 2021 16:07:18 +0530 +Subject: powerpc: handle kdump appropriately with crash_kexec_post_notifiers + option + +From: Hari Bathini + +[ Upstream commit 219572d2fc4135b5ce65c735d881787d48b10e71 ] + +Kdump can be triggered after panic_notifers since commit f06e5153f4ae2 +("kernel/panic.c: add "crash_kexec_post_notifiers" option for kdump +after panic_notifers") introduced crash_kexec_post_notifiers option. +But using this option would mean smp_send_stop(), that marks all other +CPUs as offline, gets called before kdump is triggered. As a result, +kdump routines fail to save other CPUs' registers. To fix this, kdump +friendly crash_smp_send_stop() function was introduced with kernel +commit 0ee59413c967 ("x86/panic: replace smp_send_stop() with kdump +friendly version in panic path"). Override this kdump friendly weak +function to handle crash_kexec_post_notifiers option appropriately +on powerpc. + +Reported-by: kernel test robot +Signed-off-by: Hari Bathini +[Fixed signature of crash_stop_this_cpu() - reported by lkp@intel.com] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211207103719.91117-1-hbathini@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/smp.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c +index 50aeef08aa470..d993f28107afa 100644 +--- a/arch/powerpc/kernel/smp.c ++++ b/arch/powerpc/kernel/smp.c +@@ -594,6 +594,36 @@ void crash_send_ipi(void (*crash_ipi_callback)(struct pt_regs *)) + } + #endif + ++#ifdef CONFIG_NMI_IPI ++static void crash_stop_this_cpu(struct pt_regs *regs) ++#else ++static void crash_stop_this_cpu(void *dummy) ++#endif ++{ ++ /* ++ * Just busy wait here and avoid marking CPU as offline to ensure ++ * register data is captured appropriately. ++ */ ++ while (1) ++ cpu_relax(); ++} ++ ++void crash_smp_send_stop(void) ++{ ++ static bool stopped = false; ++ ++ if (stopped) ++ return; ++ ++ stopped = true; ++ ++#ifdef CONFIG_NMI_IPI ++ smp_send_nmi_ipi(NMI_IPI_ALL_OTHERS, crash_stop_this_cpu, 1000000); ++#else ++ smp_call_function(crash_stop_this_cpu, NULL, 0); ++#endif /* CONFIG_NMI_IPI */ ++} ++ + #ifdef CONFIG_NMI_IPI + static void nmi_stop_this_cpu(struct pt_regs *regs) + { +-- +2.34.1 + diff --git a/queue-5.10/powerpc-irq-add-helper-to-set-regs-softe.patch b/queue-5.10/powerpc-irq-add-helper-to-set-regs-softe.patch new file mode 100644 index 00000000000..6ec43dc0fbd --- /dev/null +++ b/queue-5.10/powerpc-irq-add-helper-to-set-regs-softe.patch @@ -0,0 +1,68 @@ +From 4fa378f9c59cb97e3c4d83a813efc21d0da088b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Feb 2021 15:10:24 +0000 +Subject: powerpc/irq: Add helper to set regs->softe + +From: Christophe Leroy + +[ Upstream commit fb5608fd117a8b48752d2b5a7e70847c1ed33d33 ] + +regs->softe doesn't exist on PPC32. + +Add irq_soft_mask_regs_set_state() helper to set regs->softe. +This helper will void on PPC32. + +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/5f37d1177a751fdbca79df461d283850ca3a34a2.1612796617.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/hw_irq.h | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/include/asm/hw_irq.h b/arch/powerpc/include/asm/hw_irq.h +index 0363734ff56e0..da94cab528dd4 100644 +--- a/arch/powerpc/include/asm/hw_irq.h ++++ b/arch/powerpc/include/asm/hw_irq.h +@@ -38,6 +38,8 @@ + #define PACA_IRQ_MUST_HARD_MASK (PACA_IRQ_EE) + #endif + ++#endif /* CONFIG_PPC64 */ ++ + /* + * flags for paca->irq_soft_mask + */ +@@ -46,8 +48,6 @@ + #define IRQS_PMI_DISABLED 2 + #define IRQS_ALL_DISABLED (IRQS_DISABLED | IRQS_PMI_DISABLED) + +-#endif /* CONFIG_PPC64 */ +- + #ifndef __ASSEMBLY__ + + extern void replay_system_reset(void); +@@ -296,6 +296,10 @@ extern void irq_set_pending_from_srr1(unsigned long srr1); + + extern void force_external_irq_replay(void); + ++static inline void irq_soft_mask_regs_set_state(struct pt_regs *regs, unsigned long val) ++{ ++ regs->softe = val; ++} + #else /* CONFIG_PPC64 */ + + static inline unsigned long arch_local_save_flags(void) +@@ -364,6 +368,9 @@ static inline bool arch_irq_disabled_regs(struct pt_regs *regs) + + static inline void may_hard_irq_enable(void) { } + ++static inline void irq_soft_mask_regs_set_state(struct pt_regs *regs, unsigned long val) ++{ ++} + #endif /* CONFIG_PPC64 */ + + #define ARCH_IRQ_INIT_FLAGS IRQ_NOREQUEST +-- +2.34.1 + diff --git a/queue-5.10/powerpc-perf-fix-pmu-callbacks-to-clear-pending-pmi-.patch b/queue-5.10/powerpc-perf-fix-pmu-callbacks-to-clear-pending-pmi-.patch new file mode 100644 index 00000000000..d50450b213b --- /dev/null +++ b/queue-5.10/powerpc-perf-fix-pmu-callbacks-to-clear-pending-pmi-.patch @@ -0,0 +1,275 @@ +From 7c5ee22c1af4b72226e6548c9926381bae461ff1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 01:48:29 -0400 +Subject: powerpc/perf: Fix PMU callbacks to clear pending PMI before resetting + an overflown PMC + +From: Athira Rajeev + +[ Upstream commit 2c9ac51b850d84ee496b0a5d832ce66d411ae552 ] + +Running perf fuzzer showed below in dmesg logs: + "Can't find PMC that caused IRQ" + +This means a PMU exception happened, but none of the PMC's (Performance +Monitor Counter) were found to be overflown. There are some corner cases +that clears the PMCs after PMI gets masked. In such cases, the perf +interrupt handler will not find the active PMC values that had caused +the overflow and thus leads to this message while replaying. + +Case 1: PMU Interrupt happens during replay of other interrupts and +counter values gets cleared by PMU callbacks before replay: + +During replay of interrupts like timer, __do_irq() and doorbell +exception, we conditionally enable interrupts via may_hard_irq_enable(). +This could potentially create a window to generate a PMI. Since irq soft +mask is set to ALL_DISABLED, the PMI will get masked here. We could get +IPIs run before perf interrupt is replayed and the PMU events could +be deleted or stopped. This will change the PMU SPR values and resets +the counters. Snippet of ftrace log showing PMU callbacks invoked in +__do_irq(): + + -0 [051] dns. 132025441306354: __do_irq <-call_do_irq + -0 [051] dns. 132025441306430: irq_enter <-__do_irq + -0 [051] dns. 132025441306503: irq_enter_rcu <-__do_irq + -0 [051] dnH. 132025441306599: xive_get_irq <-__do_irq + <<>> + -0 [051] dnH. 132025441307770: generic_smp_call_function_single_interrupt <-smp_ipi_demux_relaxed + -0 [051] dnH. 132025441307839: flush_smp_call_function_queue <-smp_ipi_demux_relaxed + -0 [051] dnH. 132025441308057: _raw_spin_lock <-event_function + -0 [051] dnH. 132025441308206: power_pmu_disable <-perf_pmu_disable + -0 [051] dnH. 132025441308337: power_pmu_del <-event_sched_out + -0 [051] dnH. 132025441308407: power_pmu_read <-power_pmu_del + -0 [051] dnH. 132025441308477: read_pmc <-power_pmu_read + -0 [051] dnH. 132025441308590: isa207_disable_pmc <-power_pmu_del + -0 [051] dnH. 132025441308663: write_pmc <-power_pmu_del + -0 [051] dnH. 132025441308787: power_pmu_event_idx <-perf_event_update_userpage + -0 [051] dnH. 132025441308859: rcu_read_unlock_strict <-perf_event_update_userpage + -0 [051] dnH. 132025441308975: power_pmu_enable <-perf_pmu_enable + <<>> + -0 [051] dnH. 132025441311108: irq_exit <-__do_irq + -0 [051] dns. 132025441311319: performance_monitor_exception <-replay_soft_interrupts + +Case 2: PMI's masked during local_* operations, example local_add(). If +the local_add() operation happens within a local_irq_save(), replay of +PMI will be during local_irq_restore(). Similar to case 1, this could +also create a window before replay where PMU events gets deleted or +stopped. + +Fix it by updating the PMU callback function power_pmu_disable() to +check for pending perf interrupt. If there is an overflown PMC and +pending perf interrupt indicated in paca, clear the PMI bit in paca to +drop that sample. Clearing of PMI bit is done in power_pmu_disable() +since disable is invoked before any event gets deleted/stopped. With +this fix, if there are more than one event running in the PMU, there is +a chance that we clear the PMI bit for the event which is not getting +deleted/stopped. The other events may still remain active. Hence to make +sure we don't drop valid sample in such cases, another check is added in +power_pmu_enable. This checks if there is an overflown PMC found among +the active events and if so enable back the PMI bit. Two new helper +functions are introduced to clear/set the PMI, ie +clear_pmi_irq_pending() and set_pmi_irq_pending(). Helper function +pmi_irq_pending() is introduced to give a warning if there is pending +PMI bit in paca, but no PMC is overflown. + +Also there are corner cases which result in performance monitor +interrupts being triggered during power_pmu_disable(). This happens +since PMXE bit is not cleared along with disabling of other MMCR0 bits +in the pmu_disable. Such PMI's could leave the PMU running and could +trigger PMI again which will set MMCR0 PMAO bit. This could lead to +spurious interrupts in some corner cases. Example, a timer after +power_pmu_del() which will re-enable interrupts and triggers a PMI again +since PMAO bit is still set. But fails to find valid overflow since PMC +was cleared in power_pmu_del(). Fix that by disabling PMXE along with +disabling of other MMCR0 bits in power_pmu_disable(). + +We can't just replay PMI any time. Hence this approach is preferred +rather than replaying PMI before resetting overflown PMC. Patch also +documents core-book3s on a race condition which can trigger these PMC +messages during idle path in PowerNV. + +Fixes: f442d004806e ("powerpc/64s: Add support to mask perf interrupts and replay them") +Reported-by: Nageswara R Sastry +Suggested-by: Nicholas Piggin +Suggested-by: Madhavan Srinivasan +Signed-off-by: Athira Rajeev +Tested-by: Nageswara R Sastry +Reviewed-by: Nicholas Piggin +[mpe: Make pmi_irq_pending() return bool, reflow/reword some comments] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1626846509-1350-2-git-send-email-atrajeev@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/hw_irq.h | 40 +++++++++++++++++++++ + arch/powerpc/perf/core-book3s.c | 58 ++++++++++++++++++++++++++++++- + 2 files changed, 97 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/include/asm/hw_irq.h b/arch/powerpc/include/asm/hw_irq.h +index da94cab528dd4..0f2acbb966740 100644 +--- a/arch/powerpc/include/asm/hw_irq.h ++++ b/arch/powerpc/include/asm/hw_irq.h +@@ -175,6 +175,42 @@ static inline bool arch_irqs_disabled(void) + return arch_irqs_disabled_flags(arch_local_save_flags()); + } + ++static inline void set_pmi_irq_pending(void) ++{ ++ /* ++ * Invoked from PMU callback functions to set PMI bit in the paca. ++ * This has to be called with irq's disabled (via hard_irq_disable()). ++ */ ++ if (IS_ENABLED(CONFIG_PPC_IRQ_SOFT_MASK_DEBUG)) ++ WARN_ON_ONCE(mfmsr() & MSR_EE); ++ ++ get_paca()->irq_happened |= PACA_IRQ_PMI; ++} ++ ++static inline void clear_pmi_irq_pending(void) ++{ ++ /* ++ * Invoked from PMU callback functions to clear the pending PMI bit ++ * in the paca. ++ */ ++ if (IS_ENABLED(CONFIG_PPC_IRQ_SOFT_MASK_DEBUG)) ++ WARN_ON_ONCE(mfmsr() & MSR_EE); ++ ++ get_paca()->irq_happened &= ~PACA_IRQ_PMI; ++} ++ ++static inline bool pmi_irq_pending(void) ++{ ++ /* ++ * Invoked from PMU callback functions to check if there is a pending ++ * PMI bit in the paca. ++ */ ++ if (get_paca()->irq_happened & PACA_IRQ_PMI) ++ return true; ++ ++ return false; ++} ++ + #ifdef CONFIG_PPC_BOOK3S + /* + * To support disabling and enabling of irq with PMI, set of +@@ -368,6 +404,10 @@ static inline bool arch_irq_disabled_regs(struct pt_regs *regs) + + static inline void may_hard_irq_enable(void) { } + ++static inline void clear_pmi_irq_pending(void) { } ++static inline void set_pmi_irq_pending(void) { } ++static inline bool pmi_irq_pending(void) { return false; } ++ + static inline void irq_soft_mask_regs_set_state(struct pt_regs *regs, unsigned long val) + { + } +diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c +index b5cac8ddcf5bc..bd34e062bd290 100644 +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -805,6 +805,19 @@ static void write_pmc(int idx, unsigned long val) + } + } + ++static int any_pmc_overflown(struct cpu_hw_events *cpuhw) ++{ ++ int i, idx; ++ ++ for (i = 0; i < cpuhw->n_events; i++) { ++ idx = cpuhw->event[i]->hw.idx; ++ if ((idx) && ((int)read_pmc(idx) < 0)) ++ return idx; ++ } ++ ++ return 0; ++} ++ + /* Called from sysrq_handle_showregs() */ + void perf_event_print_debug(void) + { +@@ -1228,11 +1241,13 @@ static void power_pmu_disable(struct pmu *pmu) + + /* + * Set the 'freeze counters' bit, clear EBE/BHRBA/PMCC/PMAO/FC56 ++ * Also clear PMXE to disable PMI's getting triggered in some ++ * corner cases during PMU disable. + */ + val = mmcr0 = mfspr(SPRN_MMCR0); + val |= MMCR0_FC; + val &= ~(MMCR0_EBE | MMCR0_BHRBA | MMCR0_PMCC | MMCR0_PMAO | +- MMCR0_FC56); ++ MMCR0_PMXE | MMCR0_FC56); + /* Set mmcr0 PMCCEXT for p10 */ + if (ppmu->flags & PPMU_ARCH_31) + val |= MMCR0_PMCCEXT; +@@ -1246,6 +1261,23 @@ static void power_pmu_disable(struct pmu *pmu) + mb(); + isync(); + ++ /* ++ * Some corner cases could clear the PMU counter overflow ++ * while a masked PMI is pending. One such case is when ++ * a PMI happens during interrupt replay and perf counter ++ * values are cleared by PMU callbacks before replay. ++ * ++ * If any PMC corresponding to the active PMU events are ++ * overflown, disable the interrupt by clearing the paca ++ * bit for PMI since we are disabling the PMU now. ++ * Otherwise provide a warning if there is PMI pending, but ++ * no counter is found overflown. ++ */ ++ if (any_pmc_overflown(cpuhw)) ++ clear_pmi_irq_pending(); ++ else ++ WARN_ON(pmi_irq_pending()); ++ + val = mmcra = cpuhw->mmcr.mmcra; + + /* +@@ -1337,6 +1369,15 @@ static void power_pmu_enable(struct pmu *pmu) + * (possibly updated for removal of events). + */ + if (!cpuhw->n_added) { ++ /* ++ * If there is any active event with an overflown PMC ++ * value, set back PACA_IRQ_PMI which would have been ++ * cleared in power_pmu_disable(). ++ */ ++ hard_irq_disable(); ++ if (any_pmc_overflown(cpuhw)) ++ set_pmi_irq_pending(); ++ + mtspr(SPRN_MMCRA, cpuhw->mmcr.mmcra & ~MMCRA_SAMPLE_ENABLE); + mtspr(SPRN_MMCR1, cpuhw->mmcr.mmcr1); + if (ppmu->flags & PPMU_ARCH_31) +@@ -2274,6 +2315,14 @@ static void __perf_event_interrupt(struct pt_regs *regs) + break; + } + } ++ ++ /* ++ * Clear PACA_IRQ_PMI in case it was set by ++ * set_pmi_irq_pending() when PMU was enabled ++ * after accounting for interrupts. ++ */ ++ clear_pmi_irq_pending(); ++ + if (!active) + /* reset non active counters that have overflowed */ + write_pmc(i + 1, 0); +@@ -2293,6 +2342,13 @@ static void __perf_event_interrupt(struct pt_regs *regs) + } + } + } ++ ++ /* ++ * During system wide profling or while specific CPU is monitored for an ++ * event, some corner cases could cause PMC to overflow in idle path. This ++ * will trigger a PMI after waking up from idle. Since counter values are _not_ ++ * saved/restored in idle path, can lead to below "Can't find PMC" message. ++ */ + if (unlikely(!found) && !arch_irq_disabled_regs(regs)) + printk_ratelimited(KERN_WARNING "Can't find PMC that caused IRQ\n"); + +-- +2.34.1 + diff --git a/queue-5.10/powerpc-perf-mmcr0-control-for-pmu-registers-under-p.patch b/queue-5.10/powerpc-perf-mmcr0-control-for-pmu-registers-under-p.patch new file mode 100644 index 00000000000..7f75d9727bc --- /dev/null +++ b/queue-5.10/powerpc-perf-mmcr0-control-for-pmu-registers-under-p.patch @@ -0,0 +1,114 @@ +From b6b2371eacbafd99bde0651e4acdea824f2a3387 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Nov 2020 11:54:44 -0500 +Subject: powerpc/perf: MMCR0 control for PMU registers under PMCC=00 + +From: Athira Rajeev + +[ Upstream commit 91668ab7db4bcfae332e561df1de2401f3f18553 ] + +PowerISA v3.1 introduces new control bit (PMCCEXT) for restricting +access to group B PMU registers in problem state when +MMCR0 PMCC=0b00. In problem state and when MMCR0 PMCC=0b00, +setting the Monitor Mode Control Register bit 54 (MMCR0 PMCCEXT), +will restrict read permission on Group B Performance Monitor +Registers (SIER, SIAR, SDAR and MMCR1). When this bit is set to zero, +group B registers will be readable. In other platforms (like power9), +the older behaviour is retained where group B PMU SPRs are readable. + +Patch adds support for MMCR0 PMCCEXT bit in power10 by enabling +this bit during boot and during the PMU event enable/disable callback +functions. + +Signed-off-by: Athira Rajeev +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1606409684-1589-8-git-send-email-atrajeev@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/reg.h | 1 + + arch/powerpc/kernel/cpu_setup_power.c | 1 + + arch/powerpc/kernel/dt_cpu_ftrs.c | 1 + + arch/powerpc/perf/core-book3s.c | 4 ++++ + arch/powerpc/perf/isa207-common.c | 8 ++++++++ + 5 files changed, 15 insertions(+) + +diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h +index f4b98903064f5..6afb14b6bbc26 100644 +--- a/arch/powerpc/include/asm/reg.h ++++ b/arch/powerpc/include/asm/reg.h +@@ -865,6 +865,7 @@ + #define MMCR0_BHRBA 0x00200000UL /* BHRB Access allowed in userspace */ + #define MMCR0_EBE 0x00100000UL /* Event based branch enable */ + #define MMCR0_PMCC 0x000c0000UL /* PMC control */ ++#define MMCR0_PMCCEXT ASM_CONST(0x00000200) /* PMCCEXT control */ + #define MMCR0_PMCC_U6 0x00080000UL /* PMC1-6 are R/W by user (PR) */ + #define MMCR0_PMC1CE 0x00008000UL /* PMC1 count enable*/ + #define MMCR0_PMCjCE ASM_CONST(0x00004000) /* PMCj count enable*/ +diff --git a/arch/powerpc/kernel/cpu_setup_power.c b/arch/powerpc/kernel/cpu_setup_power.c +index 0c2191ee139ec..3cca88ee96d71 100644 +--- a/arch/powerpc/kernel/cpu_setup_power.c ++++ b/arch/powerpc/kernel/cpu_setup_power.c +@@ -123,6 +123,7 @@ static void init_PMU_ISA31(void) + { + mtspr(SPRN_MMCR3, 0); + mtspr(SPRN_MMCRA, MMCRA_BHRB_DISABLE); ++ mtspr(SPRN_MMCR0, MMCR0_PMCCEXT); + } + + /* +diff --git a/arch/powerpc/kernel/dt_cpu_ftrs.c b/arch/powerpc/kernel/dt_cpu_ftrs.c +index 1098863e17ee8..9d079659b24d3 100644 +--- a/arch/powerpc/kernel/dt_cpu_ftrs.c ++++ b/arch/powerpc/kernel/dt_cpu_ftrs.c +@@ -454,6 +454,7 @@ static void init_pmu_power10(void) + + mtspr(SPRN_MMCR3, 0); + mtspr(SPRN_MMCRA, MMCRA_BHRB_DISABLE); ++ mtspr(SPRN_MMCR0, MMCR0_PMCCEXT); + } + + static int __init feat_enable_pmu_power10(struct dt_cpu_feature *f) +diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c +index 91452313489f1..7bda7499d0401 100644 +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -95,6 +95,7 @@ static unsigned int freeze_events_kernel = MMCR0_FCS; + #define SPRN_SIER3 0 + #define MMCRA_SAMPLE_ENABLE 0 + #define MMCRA_BHRB_DISABLE 0 ++#define MMCR0_PMCCEXT 0 + + static inline unsigned long perf_ip_adjust(struct pt_regs *regs) + { +@@ -1245,6 +1246,9 @@ static void power_pmu_disable(struct pmu *pmu) + val |= MMCR0_FC; + val &= ~(MMCR0_EBE | MMCR0_BHRBA | MMCR0_PMCC | MMCR0_PMAO | + MMCR0_FC56); ++ /* Set mmcr0 PMCCEXT for p10 */ ++ if (ppmu->flags & PPMU_ARCH_31) ++ val |= MMCR0_PMCCEXT; + + /* + * The barrier is to make sure the mtspr has been +diff --git a/arch/powerpc/perf/isa207-common.c b/arch/powerpc/perf/isa207-common.c +index 5e8eedda45d39..58448f0e47213 100644 +--- a/arch/powerpc/perf/isa207-common.c ++++ b/arch/powerpc/perf/isa207-common.c +@@ -561,6 +561,14 @@ int isa207_compute_mmcr(u64 event[], int n_ev, + if (!(pmc_inuse & 0x60)) + mmcr->mmcr0 |= MMCR0_FC56; + ++ /* ++ * Set mmcr0 (PMCCEXT) for p10 which ++ * will restrict access to group B registers ++ * when MMCR0 PMCC=0b00. ++ */ ++ if (cpu_has_feature(CPU_FTR_ARCH_31)) ++ mmcr->mmcr0 |= MMCR0_PMCCEXT; ++ + mmcr->mmcr1 = mmcr1; + mmcr->mmcra = mmcra; + mmcr->mmcr2 = mmcr2; +-- +2.34.1 + diff --git a/queue-5.10/powerpc-perf-move-perf-irq-nmi-handling-details-into.patch b/queue-5.10/powerpc-perf-move-perf-irq-nmi-handling-details-into.patch new file mode 100644 index 00000000000..a32573b89cf --- /dev/null +++ b/queue-5.10/powerpc-perf-move-perf-irq-nmi-handling-details-into.patch @@ -0,0 +1,202 @@ +From d053a07ac93fa9d1b5af63a43d04f73bc5afe2a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Jan 2021 23:08:29 +1000 +Subject: powerpc/perf: move perf irq/nmi handling details into traps.c + +From: Nicholas Piggin + +[ Upstream commit 156b5371a9c2482a9ad23ec82d1a4f89a3ab430d ] + +This is required in order to allow more significant differences between +NMI type interrupt handlers and regular asynchronous handlers. + +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210130130852.2952424-20-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/traps.c | 31 +++++++++++++++++++++++++++- + arch/powerpc/perf/core-book3s.c | 35 ++------------------------------ + arch/powerpc/perf/core-fsl-emb.c | 25 ----------------------- + 3 files changed, 32 insertions(+), 59 deletions(-) + +diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c +index 77dffea3d5373..069d451240fa4 100644 +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -1922,11 +1922,40 @@ void vsx_unavailable_tm(struct pt_regs *regs) + } + #endif /* CONFIG_PPC_TRANSACTIONAL_MEM */ + +-void performance_monitor_exception(struct pt_regs *regs) ++static void performance_monitor_exception_nmi(struct pt_regs *regs) ++{ ++ nmi_enter(); ++ ++ __this_cpu_inc(irq_stat.pmu_irqs); ++ ++ perf_irq(regs); ++ ++ nmi_exit(); ++} ++ ++static void performance_monitor_exception_async(struct pt_regs *regs) + { ++ irq_enter(); ++ + __this_cpu_inc(irq_stat.pmu_irqs); + + perf_irq(regs); ++ ++ irq_exit(); ++} ++ ++void performance_monitor_exception(struct pt_regs *regs) ++{ ++ /* ++ * On 64-bit, if perf interrupts hit in a local_irq_disable ++ * (soft-masked) region, we consider them as NMIs. This is required to ++ * prevent hash faults on user addresses when reading callchains (and ++ * looks better from an irq tracing perspective). ++ */ ++ if (IS_ENABLED(CONFIG_PPC64) && unlikely(arch_irq_disabled_regs(regs))) ++ performance_monitor_exception_nmi(regs); ++ else ++ performance_monitor_exception_async(regs); + } + + #ifdef CONFIG_PPC_ADV_DEBUG_REGS +diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c +index 7bda7499d0401..b5cac8ddcf5bc 100644 +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -110,10 +110,6 @@ static inline void perf_read_regs(struct pt_regs *regs) + { + regs->result = 0; + } +-static inline int perf_intr_is_nmi(struct pt_regs *regs) +-{ +- return 0; +-} + + static inline int siar_valid(struct pt_regs *regs) + { +@@ -332,15 +328,6 @@ static inline void perf_read_regs(struct pt_regs *regs) + regs->result = use_siar; + } + +-/* +- * If interrupts were soft-disabled when a PMU interrupt occurs, treat +- * it as an NMI. +- */ +-static inline int perf_intr_is_nmi(struct pt_regs *regs) +-{ +- return (regs->softe & IRQS_DISABLED); +-} +- + /* + * On processors like P7+ that have the SIAR-Valid bit, marked instructions + * must be sampled only if the SIAR-valid bit is set. +@@ -2254,7 +2241,6 @@ static void __perf_event_interrupt(struct pt_regs *regs) + struct perf_event *event; + unsigned long val[8]; + int found, active; +- int nmi; + + if (cpuhw->n_limited) + freeze_limited_counters(cpuhw, mfspr(SPRN_PMC5), +@@ -2262,18 +2248,6 @@ static void __perf_event_interrupt(struct pt_regs *regs) + + perf_read_regs(regs); + +- /* +- * If perf interrupts hit in a local_irq_disable (soft-masked) region, +- * we consider them as NMIs. This is required to prevent hash faults on +- * user addresses when reading callchains. See the NMI test in +- * do_hash_page. +- */ +- nmi = perf_intr_is_nmi(regs); +- if (nmi) +- nmi_enter(); +- else +- irq_enter(); +- + /* Read all the PMCs since we'll need them a bunch of times */ + for (i = 0; i < ppmu->n_counter; ++i) + val[i] = read_pmc(i + 1); +@@ -2319,8 +2293,8 @@ static void __perf_event_interrupt(struct pt_regs *regs) + } + } + } +- if (!found && !nmi && printk_ratelimit()) +- printk(KERN_WARNING "Can't find PMC that caused IRQ\n"); ++ if (unlikely(!found) && !arch_irq_disabled_regs(regs)) ++ printk_ratelimited(KERN_WARNING "Can't find PMC that caused IRQ\n"); + + /* + * Reset MMCR0 to its normal value. This will set PMXE and +@@ -2330,11 +2304,6 @@ static void __perf_event_interrupt(struct pt_regs *regs) + * we get back out of this interrupt. + */ + write_mmcr0(cpuhw, cpuhw->mmcr.mmcr0); +- +- if (nmi) +- nmi_exit(); +- else +- irq_exit(); + } + + static void perf_event_interrupt(struct pt_regs *regs) +diff --git a/arch/powerpc/perf/core-fsl-emb.c b/arch/powerpc/perf/core-fsl-emb.c +index e0e7e276bfd25..ee721f420a7ba 100644 +--- a/arch/powerpc/perf/core-fsl-emb.c ++++ b/arch/powerpc/perf/core-fsl-emb.c +@@ -31,19 +31,6 @@ static atomic_t num_events; + /* Used to avoid races in calling reserve/release_pmc_hardware */ + static DEFINE_MUTEX(pmc_reserve_mutex); + +-/* +- * If interrupts were soft-disabled when a PMU interrupt occurs, treat +- * it as an NMI. +- */ +-static inline int perf_intr_is_nmi(struct pt_regs *regs) +-{ +-#ifdef __powerpc64__ +- return (regs->softe & IRQS_DISABLED); +-#else +- return 0; +-#endif +-} +- + static void perf_event_interrupt(struct pt_regs *regs); + + /* +@@ -659,13 +646,6 @@ static void perf_event_interrupt(struct pt_regs *regs) + struct perf_event *event; + unsigned long val; + int found = 0; +- int nmi; +- +- nmi = perf_intr_is_nmi(regs); +- if (nmi) +- nmi_enter(); +- else +- irq_enter(); + + for (i = 0; i < ppmu->n_counter; ++i) { + event = cpuhw->event[i]; +@@ -690,11 +670,6 @@ static void perf_event_interrupt(struct pt_regs *regs) + mtmsr(mfmsr() | MSR_PMM); + mtpmr(PMRN_PMGC0, PMGC0_PMIE | PMGC0_FCECE); + isync(); +- +- if (nmi) +- nmi_exit(); +- else +- irq_exit(); + } + + void hw_perf_event_setup(int cpu) +-- +2.34.1 + diff --git a/queue-5.10/powerpc-powermac-add-additional-missing-lockdep_regi.patch b/queue-5.10/powerpc-powermac-add-additional-missing-lockdep_regi.patch new file mode 100644 index 00000000000..5c0f0fea42e --- /dev/null +++ b/queue-5.10/powerpc-powermac-add-additional-missing-lockdep_regi.patch @@ -0,0 +1,53 @@ +From af92d4c3fac871674a503c4bcd5fc0f5ca7ffa17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Dec 2021 17:36:52 +0000 +Subject: powerpc/powermac: Add additional missing lockdep_register_key() + +From: Christophe Leroy + +[ Upstream commit b149d5d45ac9171ed699a256f026c8ebef901112 ] + +Commit df1f679d19ed ("powerpc/powermac: Add missing +lockdep_register_key()") fixed a problem that was causing a WARNING. + +There are two other places in the same file with the same problem +originating from commit 9e607f72748d ("i2c_powermac: shut up lockdep +warning"). + +Add missing lockdep_register_key() + +Fixes: 9e607f72748d ("i2c_powermac: shut up lockdep warning") +Reported-by: Erhard Furtner +Signed-off-by: Christophe Leroy +Depends-on: df1f679d19ed ("powerpc/powermac: Add missing lockdep_register_key()") +Signed-off-by: Michael Ellerman +Link: https://bugzilla.kernel.org/show_bug.cgi?id=200055 +Link: https://lore.kernel.org/r/2c7e421874e21b2fb87813d768cf662f630c2ad4.1638984999.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powermac/low_i2c.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/platforms/powermac/low_i2c.c b/arch/powerpc/platforms/powermac/low_i2c.c +index f77a59b5c2e1a..09bfe4b8f25aa 100644 +--- a/arch/powerpc/platforms/powermac/low_i2c.c ++++ b/arch/powerpc/platforms/powermac/low_i2c.c +@@ -810,6 +810,7 @@ static void __init pmu_i2c_probe(void) + bus->hostdata = bus + 1; + bus->xfer = pmu_i2c_xfer; + mutex_init(&bus->mutex); ++ lockdep_register_key(&bus->lock_key); + lockdep_set_class(&bus->mutex, &bus->lock_key); + bus->flags = pmac_i2c_multibus; + list_add(&bus->link, &pmac_i2c_busses); +@@ -933,6 +934,7 @@ static void __init smu_i2c_probe(void) + bus->hostdata = bus + 1; + bus->xfer = smu_i2c_xfer; + mutex_init(&bus->mutex); ++ lockdep_register_key(&bus->lock_key); + lockdep_set_class(&bus->mutex, &bus->lock_key); + bus->flags = 0; + list_add(&bus->link, &pmac_i2c_busses); +-- +2.34.1 + diff --git a/queue-5.10/powerpc-powermac-add-missing-lockdep_register_key.patch b/queue-5.10/powerpc-powermac-add-missing-lockdep_register_key.patch new file mode 100644 index 00000000000..84f3d4b888c --- /dev/null +++ b/queue-5.10/powerpc-powermac-add-missing-lockdep_register_key.patch @@ -0,0 +1,61 @@ +From aaa7254a14ae31f02e72f8fd0ea9f0586dfcad47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 10:32:42 +0100 +Subject: powerpc/powermac: Add missing lockdep_register_key() + +From: Christophe Leroy + +[ Upstream commit df1f679d19edb9eeb67cc2f96b29375f21991945 ] + +KeyWest i2c @0xf8001003 irq 42 /uni-n@f8000000/i2c@f8001000 +BUG: key c2d00cbc has not been registered! +------------[ cut here ]------------ +DEBUG_LOCKS_WARN_ON(1) +WARNING: CPU: 0 PID: 1 at kernel/locking/lockdep.c:4801 lockdep_init_map_type+0x4c0/0xb4c +Modules linked in: +CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.5-gentoo-PowerMacG4 #9 +NIP: c01a9428 LR: c01a9428 CTR: 00000000 +REGS: e1033cf0 TRAP: 0700 Not tainted (5.15.5-gentoo-PowerMacG4) +MSR: 00029032 CR: 24002002 XER: 00000000 + +GPR00: c01a9428 e1033db0 c2d1cf20 00000016 00000004 00000001 c01c0630 e1033a73 +GPR08: 00000000 00000000 00000000 e1033db0 24002004 00000000 f8729377 00000003 +GPR16: c1829a9c 00000000 18305357 c1416fc0 c1416f80 c006ac60 c2d00ca8 c1416f00 +GPR24: 00000000 c21586f0 c2160000 00000000 c2d00cbc c2170000 c216e1a0 c2160000 +NIP [c01a9428] lockdep_init_map_type+0x4c0/0xb4c +LR [c01a9428] lockdep_init_map_type+0x4c0/0xb4c +Call Trace: +[e1033db0] [c01a9428] lockdep_init_map_type+0x4c0/0xb4c (unreliable) +[e1033df0] [c1c177b8] kw_i2c_add+0x334/0x424 +[e1033e20] [c1c18294] pmac_i2c_init+0x9ec/0xa9c +[e1033e80] [c1c1a790] smp_core99_probe+0xbc/0x35c +[e1033eb0] [c1c03cb0] kernel_init_freeable+0x190/0x5a4 +[e1033f10] [c000946c] kernel_init+0x28/0x154 +[e1033f30] [c0035148] ret_from_kernel_thread+0x14/0x1c + +Add missing lockdep_register_key() + +Reported-by: Erhard Furtner +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/69e4f55565bb45ebb0843977801b245af0c666fe.1638264741.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powermac/low_i2c.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/powermac/low_i2c.c b/arch/powerpc/platforms/powermac/low_i2c.c +index 09bfe4b8f25aa..df89d916236d9 100644 +--- a/arch/powerpc/platforms/powermac/low_i2c.c ++++ b/arch/powerpc/platforms/powermac/low_i2c.c +@@ -582,6 +582,7 @@ static void __init kw_i2c_add(struct pmac_i2c_host_kw *host, + bus->close = kw_i2c_close; + bus->xfer = kw_i2c_xfer; + mutex_init(&bus->mutex); ++ lockdep_register_key(&bus->lock_key); + lockdep_set_class(&bus->mutex, &bus->lock_key); + if (controller == busnode) + bus->flags = pmac_i2c_multibus; +-- +2.34.1 + diff --git a/queue-5.10/powerpc-powernv-add-missing-of_node_put.patch b/queue-5.10/powerpc-powernv-add-missing-of_node_put.patch new file mode 100644 index 00000000000..6c16c49a48f --- /dev/null +++ b/queue-5.10/powerpc-powernv-add-missing-of_node_put.patch @@ -0,0 +1,59 @@ +From 80bc823ab9b27b42e6706071e8523213d8cb60ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Nov 2015 20:33:21 +0000 +Subject: powerpc/powernv: add missing of_node_put + +From: Julia Lawall + +[ Upstream commit 7d405a939ca960162eb30c1475759cb2fdf38f8c ] + +for_each_compatible_node performs an of_node_get on each iteration, so +a break out of the loop requires an of_node_put. + +A simplified version of the semantic patch that fixes this problem is as +follows (http://coccinelle.lip6.fr): + +// +@@ +local idexpression n; +expression e; +@@ + + for_each_compatible_node(n,...) { + ... +( + of_node_put(n); +| + e = n +| ++ of_node_put(n); +? break; +) + ... + } +... when != n +// + +Signed-off-by: Julia Lawall +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1448051604-25256-4-git-send-email-Julia.Lawall@lip6.fr +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/opal-lpc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/powernv/opal-lpc.c b/arch/powerpc/platforms/powernv/opal-lpc.c +index 608569082ba0b..123a0e799b7bd 100644 +--- a/arch/powerpc/platforms/powernv/opal-lpc.c ++++ b/arch/powerpc/platforms/powernv/opal-lpc.c +@@ -396,6 +396,7 @@ void __init opal_lpc_init(void) + if (!of_get_property(np, "primary", NULL)) + continue; + opal_lpc_chip_id = of_get_ibm_chip_id(np); ++ of_node_put(np); + break; + } + if (opal_lpc_chip_id < 0) +-- +2.34.1 + diff --git a/queue-5.10/powerpc-prom_init-fix-improper-check-of-prom_getprop.patch b/queue-5.10/powerpc-prom_init-fix-improper-check-of-prom_getprop.patch new file mode 100644 index 00000000000..73b5c47d11b --- /dev/null +++ b/queue-5.10/powerpc-prom_init-fix-improper-check-of-prom_getprop.patch @@ -0,0 +1,37 @@ +From 9bbe01f8cbb0ca0a6b94d4e37655e9ceb8b26c9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Nov 2021 17:12:18 +0800 +Subject: powerpc/prom_init: Fix improper check of prom_getprop() + +From: Peiwei Hu + +[ Upstream commit 869fb7e5aecbc163003f93f36dcc26d0554319f6 ] + +prom_getprop() can return PROM_ERROR. Binary operator can not identify +it. + +Fixes: 94d2dde738a5 ("[POWERPC] Efika: prune fixups and make them more carefull") +Signed-off-by: Peiwei Hu +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/tencent_BA28CC6897B7C95A92EB8C580B5D18589105@qq.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/prom_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c +index 7e337c570ea6b..9e71c0739f08d 100644 +--- a/arch/powerpc/kernel/prom_init.c ++++ b/arch/powerpc/kernel/prom_init.c +@@ -2956,7 +2956,7 @@ static void __init fixup_device_tree_efika_add_phy(void) + + /* Check if the phy-handle property exists - bail if it does */ + rv = prom_getprop(node, "phy-handle", prop, sizeof(prop)); +- if (!rv) ++ if (rv <= 0) + return; + + /* +-- +2.34.1 + diff --git a/queue-5.10/powerpc-smp-move-setup_profiling_timer-under-config_.patch b/queue-5.10/powerpc-smp-move-setup_profiling_timer-under-config_.patch new file mode 100644 index 00000000000..e151f086b47 --- /dev/null +++ b/queue-5.10/powerpc-smp-move-setup_profiling_timer-under-config_.patch @@ -0,0 +1,44 @@ +From 2175063d0649f4edb0209c4626b3d06970478273 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Nov 2021 20:32:53 +1100 +Subject: powerpc/smp: Move setup_profiling_timer() under CONFIG_PROFILING +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael Ellerman + +[ Upstream commit a4ac0d249a5db80e79d573db9e4ad29354b643a8 ] + +setup_profiling_timer() is only needed when CONFIG_PROFILING is enabled. + +Fixes the following W=1 warning when CONFIG_PROFILING=n: + linux/arch/powerpc/kernel/smp.c:1638:5: error: no previous prototype for ‘setup_profiling_timer’ + +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211124093254.1054750-5-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/smp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c +index 452cbf98bfd71..50aeef08aa470 100644 +--- a/arch/powerpc/kernel/smp.c ++++ b/arch/powerpc/kernel/smp.c +@@ -1488,10 +1488,12 @@ void start_secondary(void *unused) + BUG(); + } + ++#ifdef CONFIG_PROFILING + int setup_profiling_timer(unsigned int multiplier) + { + return 0; + } ++#endif + + static void fixup_topology(void) + { +-- +2.34.1 + diff --git a/queue-5.10/powerpc-watchdog-fix-missed-watchdog-reset-due-to-me.patch b/queue-5.10/powerpc-watchdog-fix-missed-watchdog-reset-due-to-me.patch new file mode 100644 index 00000000000..031eaea2bf2 --- /dev/null +++ b/queue-5.10/powerpc-watchdog-fix-missed-watchdog-reset-due-to-me.patch @@ -0,0 +1,111 @@ +From f24870e48724e4a934e228a4327a3e8e8d50e292 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Nov 2021 12:50:53 +1000 +Subject: powerpc/watchdog: Fix missed watchdog reset due to memory ordering + race + +From: Nicholas Piggin + +[ Upstream commit 5dad4ba68a2483fc80d70b9dc90bbe16e1f27263 ] + +It is possible for all CPUs to miss the pending cpumask becoming clear, +and then nobody resetting it, which will cause the lockup detector to +stop working. It will eventually expire, but watchdog_smp_panic will +avoid doing anything if the pending mask is clear and it will never be +reset. + +Order the cpumask clear vs the subsequent test to close this race. + +Add an extra check for an empty pending mask when the watchdog fires and +finds its bit still clear, to try to catch any other possible races or +bugs here and keep the watchdog working. The extra test in +arch_touch_nmi_watchdog is required to prevent the new warning from +firing off. + +Signed-off-by: Nicholas Piggin +Reviewed-by: Laurent Dufour +Debugged-by: Laurent Dufour +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211110025056.2084347-2-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/watchdog.c | 41 +++++++++++++++++++++++++++++++++- + 1 file changed, 40 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/watchdog.c b/arch/powerpc/kernel/watchdog.c +index af3c15a1d41eb..75b2a6c4db5a5 100644 +--- a/arch/powerpc/kernel/watchdog.c ++++ b/arch/powerpc/kernel/watchdog.c +@@ -132,6 +132,10 @@ static void set_cpumask_stuck(const struct cpumask *cpumask, u64 tb) + { + cpumask_or(&wd_smp_cpus_stuck, &wd_smp_cpus_stuck, cpumask); + cpumask_andnot(&wd_smp_cpus_pending, &wd_smp_cpus_pending, cpumask); ++ /* ++ * See wd_smp_clear_cpu_pending() ++ */ ++ smp_mb(); + if (cpumask_empty(&wd_smp_cpus_pending)) { + wd_smp_last_reset_tb = tb; + cpumask_andnot(&wd_smp_cpus_pending, +@@ -217,13 +221,44 @@ static void wd_smp_clear_cpu_pending(int cpu, u64 tb) + + cpumask_clear_cpu(cpu, &wd_smp_cpus_stuck); + wd_smp_unlock(&flags); ++ } else { ++ /* ++ * The last CPU to clear pending should have reset the ++ * watchdog so we generally should not find it empty ++ * here if our CPU was clear. However it could happen ++ * due to a rare race with another CPU taking the ++ * last CPU out of the mask concurrently. ++ * ++ * We can't add a warning for it. But just in case ++ * there is a problem with the watchdog that is causing ++ * the mask to not be reset, try to kick it along here. ++ */ ++ if (unlikely(cpumask_empty(&wd_smp_cpus_pending))) ++ goto none_pending; + } + return; + } ++ + cpumask_clear_cpu(cpu, &wd_smp_cpus_pending); ++ ++ /* ++ * Order the store to clear pending with the load(s) to check all ++ * words in the pending mask to check they are all empty. This orders ++ * with the same barrier on another CPU. This prevents two CPUs ++ * clearing the last 2 pending bits, but neither seeing the other's ++ * store when checking if the mask is empty, and missing an empty ++ * mask, which ends with a false positive. ++ */ ++ smp_mb(); + if (cpumask_empty(&wd_smp_cpus_pending)) { + unsigned long flags; + ++none_pending: ++ /* ++ * Double check under lock because more than one CPU could see ++ * a clear mask with the lockless check after clearing their ++ * pending bits. ++ */ + wd_smp_lock(&flags); + if (cpumask_empty(&wd_smp_cpus_pending)) { + wd_smp_last_reset_tb = tb; +@@ -314,8 +349,12 @@ void arch_touch_nmi_watchdog(void) + { + unsigned long ticks = tb_ticks_per_usec * wd_timer_period_ms * 1000; + int cpu = smp_processor_id(); +- u64 tb = get_tb(); ++ u64 tb; + ++ if (!cpumask_test_cpu(cpu, &watchdog_cpumask)) ++ return; ++ ++ tb = get_tb(); + if (tb - per_cpu(wd_timer_tb, cpu) >= ticks) { + per_cpu(wd_timer_tb, cpu) = tb; + wd_smp_clear_cpu_pending(cpu, tb); +-- +2.34.1 + diff --git a/queue-5.10/powerpc-xive-add-missing-null-check-after-calling-km.patch b/queue-5.10/powerpc-xive-add-missing-null-check-after-calling-km.patch new file mode 100644 index 00000000000..3bc99ffe210 --- /dev/null +++ b/queue-5.10/powerpc-xive-add-missing-null-check-after-calling-km.patch @@ -0,0 +1,44 @@ +From 328b49f0e76ef267ff75583e08fcb59c8df83560 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Dec 2021 20:54:02 +0700 +Subject: powerpc/xive: Add missing null check after calling kmalloc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ammar Faizi + +[ Upstream commit 18dbfcdedc802f9500b2c29794f22a31d27639c0 ] + +Commit 930914b7d528fc ("powerpc/xive: Add a debugfs file to dump +internal XIVE state") forgot to add a null check. + +Add it. + +Fixes: 930914b7d528fc6b0249bffc00564100bcf6ef75 ("powerpc/xive: Add a debugfs file to dump internal XIVE state") +Signed-off-by: Ammar Faizi +Reviewed-by: Cédric Le Goater +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211226135314.251221-1-ammar.faizi@intel.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/xive/spapr.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/powerpc/sysdev/xive/spapr.c b/arch/powerpc/sysdev/xive/spapr.c +index 1e3674d7ea7bc..b57eeaff7bb33 100644 +--- a/arch/powerpc/sysdev/xive/spapr.c ++++ b/arch/powerpc/sysdev/xive/spapr.c +@@ -658,6 +658,9 @@ static int xive_spapr_debug_show(struct seq_file *m, void *private) + struct xive_irq_bitmap *xibm; + char *buf = kmalloc(PAGE_SIZE, GFP_KERNEL); + ++ if (!buf) ++ return -ENOMEM; ++ + list_for_each_entry(xibm, &xive_irq_bitmaps, list) { + memset(buf, 0, PAGE_SIZE); + bitmap_print_to_pagebuf(true, buf, xibm->bitmap, xibm->count); +-- +2.34.1 + diff --git a/queue-5.10/ppp-ensure-minimum-packet-size-in-ppp_write.patch b/queue-5.10/ppp-ensure-minimum-packet-size-in-ppp_write.patch new file mode 100644 index 00000000000..e1ad16339d0 --- /dev/null +++ b/queue-5.10/ppp-ensure-minimum-packet-size-in-ppp_write.patch @@ -0,0 +1,104 @@ +From 377cdf4cdc96783a372627c36eebf8edf6813e8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jan 2022 03:48:42 -0800 +Subject: ppp: ensure minimum packet size in ppp_write() + +From: Eric Dumazet + +[ Upstream commit 44073187990d5629804ce0627525f6ea5cfef171 ] + +It seems pretty clear ppp layer assumed user space +would always be kind to provide enough data +in their write() to a ppp device. + +This patch makes sure user provides at least +2 bytes. + +It adds PPP_PROTO_LEN macro that could replace +in net-next many occurrences of hard-coded 2 value. + +I replaced only one occurrence to ease backports +to stable kernels. + +The bug manifests in the following report: + +BUG: KMSAN: uninit-value in ppp_send_frame+0x28d/0x27c0 drivers/net/ppp/ppp_generic.c:1740 + ppp_send_frame+0x28d/0x27c0 drivers/net/ppp/ppp_generic.c:1740 + __ppp_xmit_process+0x23e/0x4b0 drivers/net/ppp/ppp_generic.c:1640 + ppp_xmit_process+0x1fe/0x480 drivers/net/ppp/ppp_generic.c:1661 + ppp_write+0x5cb/0x5e0 drivers/net/ppp/ppp_generic.c:513 + do_iter_write+0xb0c/0x1500 fs/read_write.c:853 + vfs_writev fs/read_write.c:924 [inline] + do_writev+0x645/0xe00 fs/read_write.c:967 + __do_sys_writev fs/read_write.c:1040 [inline] + __se_sys_writev fs/read_write.c:1037 [inline] + __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Uninit was created at: + slab_post_alloc_hook mm/slab.h:524 [inline] + slab_alloc_node mm/slub.c:3251 [inline] + __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 + kmalloc_reserve net/core/skbuff.c:354 [inline] + __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 + alloc_skb include/linux/skbuff.h:1126 [inline] + ppp_write+0x11d/0x5e0 drivers/net/ppp/ppp_generic.c:501 + do_iter_write+0xb0c/0x1500 fs/read_write.c:853 + vfs_writev fs/read_write.c:924 [inline] + do_writev+0x645/0xe00 fs/read_write.c:967 + __do_sys_writev fs/read_write.c:1040 [inline] + __se_sys_writev fs/read_write.c:1037 [inline] + __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Cc: Paul Mackerras +Cc: linux-ppp@vger.kernel.org +Reported-by: syzbot +Acked-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_generic.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index 33b2e0fb68bbb..2b9815ec4a622 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -69,6 +69,8 @@ + #define MPHDRLEN 6 /* multilink protocol header length */ + #define MPHDRLEN_SSN 4 /* ditto with short sequence numbers */ + ++#define PPP_PROTO_LEN 2 ++ + /* + * An instance of /dev/ppp can be associated with either a ppp + * interface unit or a ppp channel. In both cases, file->private_data +@@ -496,6 +498,9 @@ static ssize_t ppp_write(struct file *file, const char __user *buf, + + if (!pf) + return -ENXIO; ++ /* All PPP packets should start with the 2-byte protocol */ ++ if (count < PPP_PROTO_LEN) ++ return -EINVAL; + ret = -ENOMEM; + skb = alloc_skb(count + pf->hdrlen, GFP_KERNEL); + if (!skb) +@@ -1632,7 +1637,7 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb) + } + + ++ppp->stats64.tx_packets; +- ppp->stats64.tx_bytes += skb->len - 2; ++ ppp->stats64.tx_bytes += skb->len - PPP_PROTO_LEN; + + switch (proto) { + case PPP_IP: +-- +2.34.1 + diff --git a/queue-5.10/random-do-not-throw-away-excess-input-to-crng_fast_l.patch b/queue-5.10/random-do-not-throw-away-excess-input-to-crng_fast_l.patch new file mode 100644 index 00000000000..a67707f6dc4 --- /dev/null +++ b/queue-5.10/random-do-not-throw-away-excess-input-to-crng_fast_l.patch @@ -0,0 +1,95 @@ +From b341f2f2815be9fda1983e50d90b4e640e3ba27e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Dec 2021 22:10:05 +0100 +Subject: random: do not throw away excess input to crng_fast_load + +From: Jason A. Donenfeld + +[ Upstream commit 73c7733f122e8d0107f88655a12011f68f69e74b ] + +When crng_fast_load() is called by add_hwgenerator_randomness(), we +currently will advance to crng_init==1 once we've acquired 64 bytes, and +then throw away the rest of the buffer. Usually, that is not a problem: +When add_hwgenerator_randomness() gets called via EFI or DT during +setup_arch(), there won't be any IRQ randomness. Therefore, the 64 bytes +passed by EFI exactly matches what is needed to advance to crng_init==1. +Usually, DT seems to pass 64 bytes as well -- with one notable exception +being kexec, which hands over 128 bytes of entropy to the kexec'd kernel. +In that case, we'll advance to crng_init==1 once 64 of those bytes are +consumed by crng_fast_load(), but won't continue onward feeding in bytes +to progress to crng_init==2. This commit fixes the issue by feeding +any leftover bytes into the next phase in add_hwgenerator_randomness(). + +[linux@dominikbrodowski.net: rewrite commit message] +Signed-off-by: Dominik Brodowski +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Sasha Levin +--- + drivers/char/random.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/drivers/char/random.c b/drivers/char/random.c +index 8c94380e7a463..5444206f35e22 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -922,12 +922,14 @@ static struct crng_state *select_crng(void) + + /* + * crng_fast_load() can be called by code in the interrupt service +- * path. So we can't afford to dilly-dally. ++ * path. So we can't afford to dilly-dally. Returns the number of ++ * bytes processed from cp. + */ +-static int crng_fast_load(const char *cp, size_t len) ++static size_t crng_fast_load(const char *cp, size_t len) + { + unsigned long flags; + char *p; ++ size_t ret = 0; + + if (!spin_trylock_irqsave(&primary_crng.lock, flags)) + return 0; +@@ -938,7 +940,7 @@ static int crng_fast_load(const char *cp, size_t len) + p = (unsigned char *) &primary_crng.state[4]; + while (len > 0 && crng_init_cnt < CRNG_INIT_CNT_THRESH) { + p[crng_init_cnt % CHACHA_KEY_SIZE] ^= *cp; +- cp++; crng_init_cnt++; len--; ++ cp++; crng_init_cnt++; len--; ret++; + } + spin_unlock_irqrestore(&primary_crng.lock, flags); + if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) { +@@ -946,7 +948,7 @@ static int crng_fast_load(const char *cp, size_t len) + crng_init = 1; + pr_notice("fast init done\n"); + } +- return 1; ++ return ret; + } + + /* +@@ -1299,7 +1301,7 @@ void add_interrupt_randomness(int irq, int irq_flags) + if (unlikely(crng_init == 0)) { + if ((fast_pool->count >= 64) && + crng_fast_load((char *) fast_pool->pool, +- sizeof(fast_pool->pool))) { ++ sizeof(fast_pool->pool)) > 0) { + fast_pool->count = 0; + fast_pool->last = now; + } +@@ -2319,8 +2321,11 @@ void add_hwgenerator_randomness(const char *buffer, size_t count, + struct entropy_store *poolp = &input_pool; + + if (unlikely(crng_init == 0)) { +- crng_fast_load(buffer, count); +- return; ++ size_t ret = crng_fast_load(buffer, count); ++ count -= ret; ++ buffer += ret; ++ if (!count || crng_init == 0) ++ return; + } + + /* Suspend writing if we're above the trickle threshold. +-- +2.34.1 + diff --git a/queue-5.10/rcu-exp-mark-current-cpu-as-exp-qs-in-ipi-loop-secon.patch b/queue-5.10/rcu-exp-mark-current-cpu-as-exp-qs-in-ipi-loop-secon.patch new file mode 100644 index 00000000000..738662174ec --- /dev/null +++ b/queue-5.10/rcu-exp-mark-current-cpu-as-exp-qs-in-ipi-loop-secon.patch @@ -0,0 +1,61 @@ +From 2ba05abae7159607d45cae08c02e69b1f41557bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 17:21:08 +0100 +Subject: rcu/exp: Mark current CPU as exp-QS in IPI loop second pass + +From: Frederic Weisbecker + +[ Upstream commit 81f6d49cce2d2fe507e3fddcc4a6db021d9c2e7b ] + +Expedited RCU grace periods invoke sync_rcu_exp_select_node_cpus(), which +takes two passes over the leaf rcu_node structure's CPUs. The first +pass gathers up the current CPU and CPUs that are in dynticks idle mode. +The workqueue will report a quiescent state on their behalf later. +The second pass sends IPIs to the rest of the CPUs, but excludes the +current CPU, incorrectly assuming it has been included in the first +pass's list of CPUs. + +Unfortunately the current CPU may have changed between the first and +second pass, due to the fact that the various rcu_node structures' +->lock fields have been dropped, thus momentarily enabling preemption. +This means that if the second pass's CPU was not on the first pass's +list, it will be ignored completely. There will be no IPI sent to +it, and there will be no reporting of quiescent states on its behalf. +Unfortunately, the expedited grace period will nevertheless be waiting +for that CPU to report a quiescent state, but with that CPU having no +reason to believe that such a report is needed. + +The result will be an expedited grace period stall. + +Fix this by no longer excluding the current CPU from consideration during +the second pass. + +Fixes: b9ad4d6ed18e ("rcu: Avoid self-IPI in sync_rcu_exp_select_node_cpus()") +Reviewed-by: Neeraj Upadhyay +Signed-off-by: Frederic Weisbecker +Cc: Uladzislau Rezki +Cc: Neeraj Upadhyay +Cc: Boqun Feng +Cc: Josh Triplett +Cc: Joel Fernandes +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_exp.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/rcu/tree_exp.h b/kernel/rcu/tree_exp.h +index 0ffe185c1f46a..0dc16345e668c 100644 +--- a/kernel/rcu/tree_exp.h ++++ b/kernel/rcu/tree_exp.h +@@ -387,6 +387,7 @@ retry_ipi: + continue; + } + if (get_cpu() == cpu) { ++ mask_ofl_test |= mask; + put_cpu(); + continue; + } +-- +2.34.1 + diff --git a/queue-5.10/rdma-bnxt_re-scan-the-whole-bitmap-when-checking-if-.patch b/queue-5.10/rdma-bnxt_re-scan-the-whole-bitmap-when-checking-if-.patch new file mode 100644 index 00000000000..4c891f55f9b --- /dev/null +++ b/queue-5.10/rdma-bnxt_re-scan-the-whole-bitmap-when-checking-if-.patch @@ -0,0 +1,70 @@ +From ade77300ae8a413b9eeb18d0ef39b9af347d287c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Nov 2021 09:59:04 +0100 +Subject: RDMA/bnxt_re: Scan the whole bitmap when checking if "disabling RCFW + with pending cmd-bit" + +From: Christophe JAILLET + +[ Upstream commit a917dfb66c0a1fa1caacf3d71edcafcab48e6ff0 ] + +The 'cmdq->cmdq_bitmap' bitmap is 'rcfw->cmdq_depth' bits long. The size +stored in 'cmdq->bmap_size' is the size of the bitmap in bytes. + +Remove this erroneous 'bmap_size' and use 'rcfw->cmdq_depth' directly in +'bnxt_qplib_disable_rcfw_channel()'. Otherwise some error messages may be +missing. + +Other uses of 'cmdq_bitmap' already take into account 'rcfw->cmdq_depth' +directly. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Link: https://lore.kernel.org/r/47ed717c3070a1d0f53e7b4c768a4fd11caf365d.1636707421.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Christophe JAILLET +Acked-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 6 ++---- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 1 - + 2 files changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +index 441eb421e5e59..5759027914b01 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +@@ -614,8 +614,6 @@ int bnxt_qplib_alloc_rcfw_channel(struct bnxt_qplib_res *res, + if (!cmdq->cmdq_bitmap) + goto fail; + +- cmdq->bmap_size = bmap_size; +- + /* Allocate one extra to hold the QP1 entries */ + rcfw->qp_tbl_size = qp_tbl_sz + 1; + rcfw->qp_tbl = kcalloc(rcfw->qp_tbl_size, sizeof(struct bnxt_qplib_qp_node), +@@ -663,8 +661,8 @@ void bnxt_qplib_disable_rcfw_channel(struct bnxt_qplib_rcfw *rcfw) + iounmap(cmdq->cmdq_mbox.reg.bar_reg); + iounmap(creq->creq_db.reg.bar_reg); + +- indx = find_first_bit(cmdq->cmdq_bitmap, cmdq->bmap_size); +- if (indx != cmdq->bmap_size) ++ indx = find_first_bit(cmdq->cmdq_bitmap, rcfw->cmdq_depth); ++ if (indx != rcfw->cmdq_depth) + dev_err(&rcfw->pdev->dev, + "disabling RCFW with pending cmd-bit %lx\n", indx); + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h +index 5f2f0a5a3560f..6953f4e53dd20 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h +@@ -150,7 +150,6 @@ struct bnxt_qplib_cmdq_ctx { + wait_queue_head_t waitq; + unsigned long flags; + unsigned long *cmdq_bitmap; +- u32 bmap_size; + u32 seq_num; + }; + +-- +2.34.1 + diff --git a/queue-5.10/rdma-cma-let-cma_resolve_ib_dev-continue-search-even.patch b/queue-5.10/rdma-cma-let-cma_resolve_ib_dev-continue-search-even.patch new file mode 100644 index 00000000000..851e40b09b9 --- /dev/null +++ b/queue-5.10/rdma-cma-let-cma_resolve_ib_dev-continue-search-even.patch @@ -0,0 +1,66 @@ +From a1937d6ff94dc1f5491941565d91eebc27335e76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Dec 2021 15:16:07 +0200 +Subject: RDMA/cma: Let cma_resolve_ib_dev() continue search even after empty + entry + +From: Avihai Horon + +[ Upstream commit 20679094a0161c94faf77e373fa3f7428a8e14bd ] + +Currently, when cma_resolve_ib_dev() searches for a matching GID it will +stop searching after encountering the first empty GID table entry. This +behavior is wrong since neither IB nor RoCE spec enforce tightly packed +GID tables. + +For example, when the matching valid GID entry exists at index N, and if a +GID entry is empty at index N-1, cma_resolve_ib_dev() will fail to find +the matching valid entry. + +Fix it by making cma_resolve_ib_dev() continue searching even after +encountering missing entries. + +Fixes: f17df3b0dede ("RDMA/cma: Add support for AF_IB to rdma_resolve_addr()") +Link: https://lore.kernel.org/r/b7346307e3bb396c43d67d924348c6c496493991.1639055490.git.leonro@nvidia.com +Signed-off-by: Avihai Horon +Reviewed-by: Mark Zhang +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 8e54184566f7f..4d4ba09f6cf93 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -775,6 +775,7 @@ static int cma_resolve_ib_dev(struct rdma_id_private *id_priv) + unsigned int p; + u16 pkey, index; + enum ib_port_state port_state; ++ int ret; + int i; + + cma_dev = NULL; +@@ -793,9 +794,14 @@ static int cma_resolve_ib_dev(struct rdma_id_private *id_priv) + + if (ib_get_cached_port_state(cur_dev->device, p, &port_state)) + continue; +- for (i = 0; !rdma_query_gid(cur_dev->device, +- p, i, &gid); +- i++) { ++ ++ for (i = 0; i < cur_dev->device->port_data[p].immutable.gid_tbl_len; ++ ++i) { ++ ret = rdma_query_gid(cur_dev->device, p, i, ++ &gid); ++ if (ret) ++ continue; ++ + if (!memcmp(&gid, dgid, sizeof(gid))) { + cma_dev = cur_dev; + sgid = gid; +-- +2.34.1 + diff --git a/queue-5.10/rdma-core-let-ib_find_gid-continue-search-even-after.patch b/queue-5.10/rdma-core-let-ib_find_gid-continue-search-even-after.patch new file mode 100644 index 00000000000..e7fd84480e0 --- /dev/null +++ b/queue-5.10/rdma-core-let-ib_find_gid-continue-search-even-after.patch @@ -0,0 +1,47 @@ +From 63113f100317de372c0a283602c095c0d8251b8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Dec 2021 15:16:06 +0200 +Subject: RDMA/core: Let ib_find_gid() continue search even after empty entry + +From: Avihai Horon + +[ Upstream commit 483d805191a23191f8294bbf9b4e94836f5d92e4 ] + +Currently, ib_find_gid() will stop searching after encountering the first +empty GID table entry. This behavior is wrong since neither IB nor RoCE +spec enforce tightly packed GID tables. + +For example, when a valid GID entry exists at index N, and if a GID entry +is empty at index N-1, ib_find_gid() will fail to find the valid entry. + +Fix it by making ib_find_gid() continue searching even after encountering +missing entries. + +Fixes: 5eb620c81ce3 ("IB/core: Add helpers for uncached GID and P_Key searches") +Link: https://lore.kernel.org/r/e55d331b96cecfc2cf19803d16e7109ea966882d.1639055490.git.leonro@nvidia.com +Signed-off-by: Avihai Horon +Reviewed-by: Mark Zhang +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/device.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c +index 76b9c436edcd2..aa526c5ca0cf3 100644 +--- a/drivers/infiniband/core/device.c ++++ b/drivers/infiniband/core/device.c +@@ -2411,7 +2411,8 @@ int ib_find_gid(struct ib_device *device, union ib_gid *gid, + ++i) { + ret = rdma_query_gid(device, port, i, &tmp_gid); + if (ret) +- return ret; ++ continue; ++ + if (!memcmp(&tmp_gid, gid, sizeof *gid)) { + *port_num = port; + if (index) +-- +2.34.1 + diff --git a/queue-5.10/rdma-cxgb4-set-queue-pair-state-when-being-queried.patch b/queue-5.10/rdma-cxgb4-set-queue-pair-state-when-being-queried.patch new file mode 100644 index 00000000000..1e92dc56540 --- /dev/null +++ b/queue-5.10/rdma-cxgb4-set-queue-pair-state-when-being-queried.patch @@ -0,0 +1,37 @@ +From e2f9b255881b7eea93db0623bd594d3afbb8ef2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 17:25:30 +0200 +Subject: RDMA/cxgb4: Set queue pair state when being queried + +From: Kamal Heib + +[ Upstream commit e375b9c92985e409c4bb95dd43d34915ea7f5e28 ] + +The API for ib_query_qp requires the driver to set cur_qp_state on return, +add the missing set. + +Fixes: 67bbc05512d8 ("RDMA/cxgb4: Add query_qp support") +Link: https://lore.kernel.org/r/20211220152530.60399-1-kamalheib1@gmail.com +Signed-off-by: Kamal Heib +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/qp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c +index 861e19fdfeb46..12e5461581cb4 100644 +--- a/drivers/infiniband/hw/cxgb4/qp.c ++++ b/drivers/infiniband/hw/cxgb4/qp.c +@@ -2469,6 +2469,7 @@ int c4iw_ib_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, + memset(attr, 0, sizeof(*attr)); + memset(init_attr, 0, sizeof(*init_attr)); + attr->qp_state = to_ib_qp_state(qhp->attr.state); ++ attr->cur_qp_state = to_ib_qp_state(qhp->attr.state); + init_attr->cap.max_send_wr = qhp->attr.sq_num_entries; + init_attr->cap.max_recv_wr = qhp->attr.rq_num_entries; + init_attr->cap.max_send_sge = qhp->attr.sq_max_sges; +-- +2.34.1 + diff --git a/queue-5.10/rdma-hns-validate-the-pkey-index.patch b/queue-5.10/rdma-hns-validate-the-pkey-index.patch new file mode 100644 index 00000000000..707b2b61690 --- /dev/null +++ b/queue-5.10/rdma-hns-validate-the-pkey-index.patch @@ -0,0 +1,37 @@ +From 455500cc4736125abaf0350c7c3a4ad694b9c9c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 16:59:54 +0200 +Subject: RDMA/hns: Validate the pkey index + +From: Kamal Heib + +[ Upstream commit 2a67fcfa0db6b4075515bd23497750849b88850f ] + +Before query pkey, make sure that the queried index is valid. + +Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") +Link: https://lore.kernel.org/r/20211117145954.123893-1-kamalheib1@gmail.com +Signed-off-by: Kamal Heib +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c +index ba65823a5c0bb..c0249e4874a96 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_main.c ++++ b/drivers/infiniband/hw/hns/hns_roce_main.c +@@ -279,6 +279,9 @@ static enum rdma_link_layer hns_roce_get_link_layer(struct ib_device *device, + static int hns_roce_query_pkey(struct ib_device *ib_dev, u8 port, u16 index, + u16 *pkey) + { ++ if (index > 0) ++ return -EINVAL; ++ + *pkey = PKEY_ID; + + return 0; +-- +2.34.1 + diff --git a/queue-5.10/rdma-qedr-fix-reporting-max_-send-recv-_wr-attrs.patch b/queue-5.10/rdma-qedr-fix-reporting-max_-send-recv-_wr-attrs.patch new file mode 100644 index 00000000000..4241614e6e8 --- /dev/null +++ b/queue-5.10/rdma-qedr-fix-reporting-max_-send-recv-_wr-attrs.patch @@ -0,0 +1,49 @@ +From 449a580ba6b069519406e7addc41d413ef33778b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Dec 2021 22:13:14 +0200 +Subject: RDMA/qedr: Fix reporting max_{send/recv}_wr attrs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kamal Heib + +[ Upstream commit b1a4da64bfc189510e08df1ccb1c589e667dc7a3 ] + +Fix the wrongly reported max_send_wr and max_recv_wr attributes for user +QP by making sure to save their valuse on QP creation, so when query QP is +called the attributes will be reported correctly. + +Fixes: cecbcddf6461 ("qedr: Add support for QP verbs") +Link: https://lore.kernel.org/r/20211206201314.124947-1-kamalheib1@gmail.com +Signed-off-by: Kamal Heib +Acked-by: Michal Kalderon  +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/verbs.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c +index 16d5283651894..eeb87f31cd252 100644 +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -1918,6 +1918,7 @@ static int qedr_create_user_qp(struct qedr_dev *dev, + /* db offset was calculated in copy_qp_uresp, now set in the user q */ + if (qedr_qp_has_sq(qp)) { + qp->usq.db_addr = ctx->dpi_addr + uresp.sq_db_offset; ++ qp->sq.max_wr = attrs->cap.max_send_wr; + rc = qedr_db_recovery_add(dev, qp->usq.db_addr, + &qp->usq.db_rec_data->db_data, + DB_REC_WIDTH_32B, +@@ -1928,6 +1929,7 @@ static int qedr_create_user_qp(struct qedr_dev *dev, + + if (qedr_qp_has_rq(qp)) { + qp->urq.db_addr = ctx->dpi_addr + uresp.rq_db_offset; ++ qp->rq.max_wr = attrs->cap.max_recv_wr; + rc = qedr_db_recovery_add(dev, qp->urq.db_addr, + &qp->urq.db_rec_data->db_data, + DB_REC_WIDTH_32B, +-- +2.34.1 + diff --git a/queue-5.10/regmap-call-regmap_debugfs_exit-prior-to-_init.patch b/queue-5.10/regmap-call-regmap_debugfs_exit-prior-to-_init.patch new file mode 100644 index 00000000000..58c74550b5e --- /dev/null +++ b/queue-5.10/regmap-call-regmap_debugfs_exit-prior-to-_init.patch @@ -0,0 +1,61 @@ +From 28a5520b44ef173aa8c3cb3aa2140e493ba030f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jan 2022 13:33:07 -0300 +Subject: regmap: Call regmap_debugfs_exit() prior to _init() + +From: Fabio Estevam + +[ Upstream commit 530792efa6cb86f5612ff093333fec735793b582 ] + +Since commit cffa4b2122f5 ("regmap: debugfs: Fix a memory leak when +calling regmap_attach_dev"), the following debugfs error is seen +on i.MX boards: + +debugfs: Directory 'dummy-iomuxc-gpr@20e0000' with parent 'regmap' already present! + +In the attempt to fix the memory leak, the above commit added a NULL check +for map->debugfs_name. For the first debufs entry, map->debugfs_name is NULL +and then the new name is allocated via kasprintf(). + +For the second debugfs entry, map->debugfs_name() is no longer NULL, so +it will keep using the old entry name and the duplicate name error is seen. + +Quoting Mark Brown: + +"That means that if the device gets freed we'll end up with the old debugfs +file hanging around pointing at nothing. +... +To be more explicit this means we need a call to regmap_debugfs_exit() +which will clean up all the existing debugfs stuff before we loose +references to it." + +Call regmap_debugfs_exit() prior to regmap_debugfs_init() to fix +the problem. + +Tested on i.MX6Q and i.MX6SX boards. + +Fixes: cffa4b2122f5 ("regmap: debugfs: Fix a memory leak when calling regmap_attach_dev") +Suggested-by: Mark Brown +Signed-off-by: Fabio Estevam +Link: https://lore.kernel.org/r/20220107163307.335404-1-festevam@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index 456a1787e18d0..55a30afc14a00 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -620,6 +620,7 @@ int regmap_attach_dev(struct device *dev, struct regmap *map, + if (ret) + return ret; + ++ regmap_debugfs_exit(map); + regmap_debugfs_init(map); + + /* Add a devres resource for dev_get_regmap() */ +-- +2.34.1 + diff --git a/queue-5.10/regulator-qcom_smd-align-probe-function-with-rpmh-re.patch b/queue-5.10/regulator-qcom_smd-align-probe-function-with-rpmh-re.patch new file mode 100644 index 00000000000..8d69f0857f0 --- /dev/null +++ b/queue-5.10/regulator-qcom_smd-align-probe-function-with-rpmh-re.patch @@ -0,0 +1,171 @@ +From 957becdd89bf5f06b7a36900301f9e017772b4b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Dec 2021 03:34:42 +0100 +Subject: regulator: qcom_smd: Align probe function with rpmh-regulator + +From: Konrad Dybcio + +[ Upstream commit 14e2976fbabdacb01335d7f91eeebbc89c67ddb1 ] + +The RPMh regulator driver is much newer and gets more attention, which in +consequence makes it do a few things better. Update qcom_smd-regulator's +probe function to mimic what rpmh-regulator does to address a couple of +issues: + +- Probe defer now works correctly, before it used to, well, + kinda just die.. This fixes reliable probing on (at least) PM8994, + because Linux apparently cannot deal with supply map dependencies yet.. + +- Regulator data is now matched more sanely: regulator data is matched + against each individual regulator node name and throwing an -EINVAL if + data is missing, instead of just assuming everything is fine and + iterating over all subsequent array members. + +- status = "disabled" will now work for disabling individual regulators in + DT. Previously it didn't seem to do much if anything at all. + +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20211230023442.1123424-1-konrad.dybcio@somainline.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/qcom_smd-regulator.c | 100 +++++++++++++++++-------- + 1 file changed, 70 insertions(+), 30 deletions(-) + +diff --git a/drivers/regulator/qcom_smd-regulator.c b/drivers/regulator/qcom_smd-regulator.c +index bb944ee5fe3b1..03e146e98abd5 100644 +--- a/drivers/regulator/qcom_smd-regulator.c ++++ b/drivers/regulator/qcom_smd-regulator.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + + struct qcom_rpm_reg { +@@ -1107,52 +1108,91 @@ static const struct of_device_id rpm_of_match[] = { + }; + MODULE_DEVICE_TABLE(of, rpm_of_match); + +-static int rpm_reg_probe(struct platform_device *pdev) ++/** ++ * rpm_regulator_init_vreg() - initialize all attributes of a qcom_smd-regulator ++ * @vreg: Pointer to the individual qcom_smd-regulator resource ++ * @dev: Pointer to the top level qcom_smd-regulator PMIC device ++ * @node: Pointer to the individual qcom_smd-regulator resource ++ * device node ++ * @rpm: Pointer to the rpm bus node ++ * @pmic_rpm_data: Pointer to a null-terminated array of qcom_smd-regulator ++ * resources defined for the top level PMIC device ++ * ++ * Return: 0 on success, errno on failure ++ */ ++static int rpm_regulator_init_vreg(struct qcom_rpm_reg *vreg, struct device *dev, ++ struct device_node *node, struct qcom_smd_rpm *rpm, ++ const struct rpm_regulator_data *pmic_rpm_data) + { +- const struct rpm_regulator_data *reg; +- const struct of_device_id *match; +- struct regulator_config config = { }; ++ struct regulator_config config = {}; ++ const struct rpm_regulator_data *rpm_data; + struct regulator_dev *rdev; ++ int ret; ++ ++ for (rpm_data = pmic_rpm_data; rpm_data->name; rpm_data++) ++ if (of_node_name_eq(node, rpm_data->name)) ++ break; ++ ++ if (!rpm_data->name) { ++ dev_err(dev, "Unknown regulator %pOFn\n", node); ++ return -EINVAL; ++ } ++ ++ vreg->dev = dev; ++ vreg->rpm = rpm; ++ vreg->type = rpm_data->type; ++ vreg->id = rpm_data->id; ++ ++ memcpy(&vreg->desc, rpm_data->desc, sizeof(vreg->desc)); ++ vreg->desc.name = rpm_data->name; ++ vreg->desc.supply_name = rpm_data->supply; ++ vreg->desc.owner = THIS_MODULE; ++ vreg->desc.type = REGULATOR_VOLTAGE; ++ vreg->desc.of_match = rpm_data->name; ++ ++ config.dev = dev; ++ config.of_node = node; ++ config.driver_data = vreg; ++ ++ rdev = devm_regulator_register(dev, &vreg->desc, &config); ++ if (IS_ERR(rdev)) { ++ ret = PTR_ERR(rdev); ++ dev_err(dev, "%pOFn: devm_regulator_register() failed, ret=%d\n", node, ret); ++ return ret; ++ } ++ ++ return 0; ++} ++ ++static int rpm_reg_probe(struct platform_device *pdev) ++{ ++ struct device *dev = &pdev->dev; ++ const struct rpm_regulator_data *vreg_data; ++ struct device_node *node; + struct qcom_rpm_reg *vreg; + struct qcom_smd_rpm *rpm; ++ int ret; + + rpm = dev_get_drvdata(pdev->dev.parent); + if (!rpm) { +- dev_err(&pdev->dev, "unable to retrieve handle to rpm\n"); ++ dev_err(&pdev->dev, "Unable to retrieve handle to rpm\n"); + return -ENODEV; + } + +- match = of_match_device(rpm_of_match, &pdev->dev); +- if (!match) { +- dev_err(&pdev->dev, "failed to match device\n"); ++ vreg_data = of_device_get_match_data(dev); ++ if (!vreg_data) + return -ENODEV; +- } + +- for (reg = match->data; reg->name; reg++) { ++ for_each_available_child_of_node(dev->of_node, node) { + vreg = devm_kzalloc(&pdev->dev, sizeof(*vreg), GFP_KERNEL); + if (!vreg) + return -ENOMEM; + +- vreg->dev = &pdev->dev; +- vreg->type = reg->type; +- vreg->id = reg->id; +- vreg->rpm = rpm; +- +- memcpy(&vreg->desc, reg->desc, sizeof(vreg->desc)); +- +- vreg->desc.id = -1; +- vreg->desc.owner = THIS_MODULE; +- vreg->desc.type = REGULATOR_VOLTAGE; +- vreg->desc.name = reg->name; +- vreg->desc.supply_name = reg->supply; +- vreg->desc.of_match = reg->name; +- +- config.dev = &pdev->dev; +- config.driver_data = vreg; +- rdev = devm_regulator_register(&pdev->dev, &vreg->desc, &config); +- if (IS_ERR(rdev)) { +- dev_err(&pdev->dev, "failed to register %s\n", reg->name); +- return PTR_ERR(rdev); ++ ret = rpm_regulator_init_vreg(vreg, dev, node, rpm, vreg_data); ++ ++ if (ret < 0) { ++ of_node_put(node); ++ return ret; + } + } + +-- +2.34.1 + diff --git a/queue-5.10/revert-net-mlx5e-block-offload-of-outer-header-csum-.patch b/queue-5.10/revert-net-mlx5e-block-offload-of-outer-header-csum-.patch new file mode 100644 index 00000000000..aef79c874f6 --- /dev/null +++ b/queue-5.10/revert-net-mlx5e-block-offload-of-outer-header-csum-.patch @@ -0,0 +1,51 @@ +From c86bf103546d53832234acd2a567e30c821d996b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Oct 2021 11:47:41 +0300 +Subject: Revert "net/mlx5e: Block offload of outer header csum for UDP + tunnels" + +From: Aya Levin + +[ Upstream commit 64050cdad0983ad8060e33c3f4b5aee2366bcebd ] + +This reverts commit 6d6727dddc7f93fcc155cb8d0c49c29ae0e71122. + +Although the NIC doesn't support offload of outer header CSUM, using +gso_partial_features allows offloading the tunnel's segmentation. The +driver relies on the stack CSUM calculation of the outer header. For +this, NETIF_F_GSO_UDP_TUNNEL_CSUM must be a member of the device's +features. + +Fixes: 6d6727dddc7f ("net/mlx5e: Block offload of outer header csum for UDP tunnels") +Signed-off-by: Aya Levin +Reviewed-by: Gal Pressman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 2f6c3a5813ed1..16e98ac47624c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -5024,9 +5024,13 @@ static void mlx5e_build_nic_netdev(struct net_device *netdev) + } + + if (mlx5_vxlan_allowed(mdev->vxlan) || mlx5_geneve_tx_allowed(mdev)) { +- netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL; +- netdev->hw_enc_features |= NETIF_F_GSO_UDP_TUNNEL; +- netdev->vlan_features |= NETIF_F_GSO_UDP_TUNNEL; ++ netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL | ++ NETIF_F_GSO_UDP_TUNNEL_CSUM; ++ netdev->hw_enc_features |= NETIF_F_GSO_UDP_TUNNEL | ++ NETIF_F_GSO_UDP_TUNNEL_CSUM; ++ netdev->gso_partial_features = NETIF_F_GSO_UDP_TUNNEL_CSUM; ++ netdev->vlan_features |= NETIF_F_GSO_UDP_TUNNEL | ++ NETIF_F_GSO_UDP_TUNNEL_CSUM; + } + + if (mlx5e_tunnel_proto_supported(mdev, IPPROTO_GRE)) { +-- +2.34.1 + diff --git a/queue-5.10/rocker-fix-a-sleeping-in-atomic-bug.patch b/queue-5.10/rocker-fix-a-sleeping-in-atomic-bug.patch new file mode 100644 index 00000000000..aaef76f5a8f --- /dev/null +++ b/queue-5.10/rocker-fix-a-sleeping-in-atomic-bug.patch @@ -0,0 +1,38 @@ +From 54c5ab0f498f16f3318e667ae215eabb30ac1601 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jan 2022 14:57:54 +0300 +Subject: rocker: fix a sleeping in atomic bug + +From: Dan Carpenter + +[ Upstream commit 43d012123122cc69feacab55b71369f386c19566 ] + +This code is holding the &ofdpa->flow_tbl_lock spinlock so it is not +allowed to sleep. That means we have to pass the OFDPA_OP_FLAG_NOWAIT +flag to ofdpa_flow_tbl_del(). + +Fixes: 936bd486564a ("rocker: use FIB notifications instead of switchdev calls") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/rocker/rocker_ofdpa.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/rocker/rocker_ofdpa.c b/drivers/net/ethernet/rocker/rocker_ofdpa.c +index 7072b249c8bd6..8157666209798 100644 +--- a/drivers/net/ethernet/rocker/rocker_ofdpa.c ++++ b/drivers/net/ethernet/rocker/rocker_ofdpa.c +@@ -2795,7 +2795,8 @@ static void ofdpa_fib4_abort(struct rocker *rocker) + if (!ofdpa_port) + continue; + nh->fib_nh_flags &= ~RTNH_F_OFFLOAD; +- ofdpa_flow_tbl_del(ofdpa_port, OFDPA_OP_FLAG_REMOVE, ++ ofdpa_flow_tbl_del(ofdpa_port, ++ OFDPA_OP_FLAG_REMOVE | OFDPA_OP_FLAG_NOWAIT, + flow_entry); + } + spin_unlock_irqrestore(&ofdpa->flow_tbl_lock, flags); +-- +2.34.1 + diff --git a/queue-5.10/rsi-fix-out-of-bounds-read-in-rsi_read_pkt.patch b/queue-5.10/rsi-fix-out-of-bounds-read-in-rsi_read_pkt.patch new file mode 100644 index 00000000000..1247894ff89 --- /dev/null +++ b/queue-5.10/rsi-fix-out-of-bounds-read-in-rsi_read_pkt.patch @@ -0,0 +1,108 @@ +From 818f912030853d5813f0b2b0e5635b99583b10af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 16:19:23 -0400 +Subject: rsi: Fix out-of-bounds read in rsi_read_pkt() + +From: Zekun Shen + +[ Upstream commit f1cb3476e48b60c450ec3a1d7da0805bffc6e43a ] + +rsi_get_* functions rely on an offset variable from usb +input. The size of usb input is RSI_MAX_RX_USB_PKT_SIZE(3000), +while 2-byte offset can be up to 0xFFFF. Thus a large offset +can cause out-of-bounds read. + +The patch adds a bound checking condition when rcv_pkt_len is 0, +indicating it's USB. It's unclear whether this is triggerable +from other type of bus. The following check might help in that case. +offset > rcv_pkt_len - FRAME_DESC_SZ + +The bug is trigerrable with conpromised/malfunctioning USB devices. +I tested the patch with the crashing input and got no more bug report. + +Attached is the KASAN report from fuzzing. + +BUG: KASAN: slab-out-of-bounds in rsi_read_pkt+0x42e/0x500 [rsi_91x] +Read of size 2 at addr ffff888019439fdb by task RX-Thread/227 + +CPU: 0 PID: 227 Comm: RX-Thread Not tainted 5.6.0 #66 +Call Trace: + dump_stack+0x76/0xa0 + print_address_description.constprop.0+0x16/0x200 + ? rsi_read_pkt+0x42e/0x500 [rsi_91x] + ? rsi_read_pkt+0x42e/0x500 [rsi_91x] + __kasan_report.cold+0x37/0x7c + ? rsi_read_pkt+0x42e/0x500 [rsi_91x] + kasan_report+0xe/0x20 + rsi_read_pkt+0x42e/0x500 [rsi_91x] + rsi_usb_rx_thread+0x1b1/0x2fc [rsi_usb] + ? rsi_probe+0x16a0/0x16a0 [rsi_usb] + ? _raw_spin_lock_irqsave+0x7b/0xd0 + ? _raw_spin_trylock_bh+0x120/0x120 + ? __wake_up_common+0x10b/0x520 + ? rsi_probe+0x16a0/0x16a0 [rsi_usb] + kthread+0x2b5/0x3b0 + ? kthread_create_on_node+0xd0/0xd0 + ret_from_fork+0x22/0x40 + +Reported-by: Brendan Dolan-Gavitt +Signed-off-by: Zekun Shen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/YXxXS4wgu2OsmlVv@10-18-43-117.dynapool.wireless.nyu.edu +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/rsi/rsi_91x_main.c | 4 ++++ + drivers/net/wireless/rsi/rsi_91x_usb.c | 1 - + drivers/net/wireless/rsi/rsi_usb.h | 2 ++ + 3 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/rsi/rsi_91x_main.c b/drivers/net/wireless/rsi/rsi_91x_main.c +index 8c638cfeac52f..fe8aed58ac088 100644 +--- a/drivers/net/wireless/rsi/rsi_91x_main.c ++++ b/drivers/net/wireless/rsi/rsi_91x_main.c +@@ -23,6 +23,7 @@ + #include "rsi_common.h" + #include "rsi_coex.h" + #include "rsi_hal.h" ++#include "rsi_usb.h" + + u32 rsi_zone_enabled = /* INFO_ZONE | + INIT_ZONE | +@@ -168,6 +169,9 @@ int rsi_read_pkt(struct rsi_common *common, u8 *rx_pkt, s32 rcv_pkt_len) + frame_desc = &rx_pkt[index]; + actual_length = *(u16 *)&frame_desc[0]; + offset = *(u16 *)&frame_desc[2]; ++ if (!rcv_pkt_len && offset > ++ RSI_MAX_RX_USB_PKT_SIZE - FRAME_DESC_SZ) ++ goto fail; + + queueno = rsi_get_queueno(frame_desc, offset); + length = rsi_get_length(frame_desc, offset); +diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c +index 7f34148c7dfe5..11388a1469621 100644 +--- a/drivers/net/wireless/rsi/rsi_91x_usb.c ++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c +@@ -328,7 +328,6 @@ static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num, gfp_t mem_flags) + struct sk_buff *skb; + u8 dword_align_bytes = 0; + +-#define RSI_MAX_RX_USB_PKT_SIZE 3000 + skb = dev_alloc_skb(RSI_MAX_RX_USB_PKT_SIZE); + if (!skb) + return -ENOMEM; +diff --git a/drivers/net/wireless/rsi/rsi_usb.h b/drivers/net/wireless/rsi/rsi_usb.h +index 8702f434b5699..ad88f8c70a351 100644 +--- a/drivers/net/wireless/rsi/rsi_usb.h ++++ b/drivers/net/wireless/rsi/rsi_usb.h +@@ -44,6 +44,8 @@ + #define RSI_USB_BUF_SIZE 4096 + #define RSI_USB_CTRL_BUF_SIZE 0x04 + ++#define RSI_MAX_RX_USB_PKT_SIZE 3000 ++ + struct rx_usb_ctrl_block { + u8 *data; + struct urb *rx_urb; +-- +2.34.1 + diff --git a/queue-5.10/rsi-fix-use-after-free-in-rsi_rx_done_handler.patch b/queue-5.10/rsi-fix-use-after-free-in-rsi_rx_done_handler.patch new file mode 100644 index 00000000000..300cd7e8883 --- /dev/null +++ b/queue-5.10/rsi-fix-use-after-free-in-rsi_rx_done_handler.patch @@ -0,0 +1,88 @@ +From 66dc65f97712394b15b55add3d9a6b3f24229598 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 15:49:03 -0400 +Subject: rsi: Fix use-after-free in rsi_rx_done_handler() + +From: Zekun Shen + +[ Upstream commit b07e3c6ebc0c20c772c0f54042e430acec2945c3 ] + +When freeing rx_cb->rx_skb, the pointer is not set to NULL, +a later rsi_rx_done_handler call will try to read the freed +address. +This bug will very likley lead to double free, although +detected early as use-after-free bug. + +The bug is triggerable with a compromised/malfunctional usb +device. After applying the patch, the same input no longer +triggers the use-after-free. + +Attached is the kasan report from fuzzing. + +BUG: KASAN: use-after-free in rsi_rx_done_handler+0x354/0x430 [rsi_usb] +Read of size 4 at addr ffff8880188e5930 by task modprobe/231 +Call Trace: + + dump_stack+0x76/0xa0 + print_address_description.constprop.0+0x16/0x200 + ? rsi_rx_done_handler+0x354/0x430 [rsi_usb] + ? rsi_rx_done_handler+0x354/0x430 [rsi_usb] + __kasan_report.cold+0x37/0x7c + ? dma_direct_unmap_page+0x90/0x110 + ? rsi_rx_done_handler+0x354/0x430 [rsi_usb] + kasan_report+0xe/0x20 + rsi_rx_done_handler+0x354/0x430 [rsi_usb] + __usb_hcd_giveback_urb+0x1e4/0x380 + usb_giveback_urb_bh+0x241/0x4f0 + ? __usb_hcd_giveback_urb+0x380/0x380 + ? apic_timer_interrupt+0xa/0x20 + tasklet_action_common.isra.0+0x135/0x330 + __do_softirq+0x18c/0x634 + ? handle_irq_event+0xcd/0x157 + ? handle_edge_irq+0x1eb/0x7b0 + irq_exit+0x114/0x140 + do_IRQ+0x91/0x1e0 + common_interrupt+0xf/0xf + + +Reported-by: Brendan Dolan-Gavitt +Signed-off-by: Zekun Shen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/YXxQL/vIiYcZUu/j@10-18-43-117.dynapool.wireless.nyu.edu +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/rsi/rsi_91x_usb.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c +index d881df9ebd0c3..7f34148c7dfe5 100644 +--- a/drivers/net/wireless/rsi/rsi_91x_usb.c ++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c +@@ -269,8 +269,12 @@ static void rsi_rx_done_handler(struct urb *urb) + struct rsi_91x_usbdev *dev = (struct rsi_91x_usbdev *)rx_cb->data; + int status = -EINVAL; + ++ if (!rx_cb->rx_skb) ++ return; ++ + if (urb->status) { + dev_kfree_skb(rx_cb->rx_skb); ++ rx_cb->rx_skb = NULL; + return; + } + +@@ -294,8 +298,10 @@ out: + if (rsi_rx_urb_submit(dev->priv, rx_cb->ep_num, GFP_ATOMIC)) + rsi_dbg(ERR_ZONE, "%s: Failed in urb submission", __func__); + +- if (status) ++ if (status) { + dev_kfree_skb(rx_cb->rx_skb); ++ rx_cb->rx_skb = NULL; ++ } + } + + static void rsi_rx_urb_kill(struct rsi_hw *adapter, u8 ep_num) +-- +2.34.1 + diff --git a/queue-5.10/rtw88-8822c-update-rx-settings-to-prevent-potential-.patch b/queue-5.10/rtw88-8822c-update-rx-settings-to-prevent-potential-.patch new file mode 100644 index 00000000000..76ae12f23e2 --- /dev/null +++ b/queue-5.10/rtw88-8822c-update-rx-settings-to-prevent-potential-.patch @@ -0,0 +1,79 @@ +From b553475b90d4449052a3a625f53aa07b1fa5604d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Dec 2021 09:27:08 +0800 +Subject: rtw88: 8822c: update rx settings to prevent potential hw deadlock + +From: Po-Hao Huang + +[ Upstream commit c1afb26727d9e507d3e17a9890e7aaf7fc85cd55 ] + +These settings enables mac to detect and recover when rx fifo +circuit deadlock occurs. Previous version missed this, so we fix it. + +Signed-off-by: Po-Hao Huang +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211217012708.8623-1-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/main.c | 2 +- + drivers/net/wireless/realtek/rtw88/rtw8821c.h | 2 +- + drivers/net/wireless/realtek/rtw88/rtw8822b.c | 2 +- + drivers/net/wireless/realtek/rtw88/rtw8822c.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c +index 565efd8806247..2ef1416899f03 100644 +--- a/drivers/net/wireless/realtek/rtw88/main.c ++++ b/drivers/net/wireless/realtek/rtw88/main.c +@@ -1652,7 +1652,7 @@ int rtw_core_init(struct rtw_dev *rtwdev) + + /* default rx filter setting */ + rtwdev->hal.rcr = BIT_APP_FCS | BIT_APP_MIC | BIT_APP_ICV | +- BIT_HTC_LOC_CTRL | BIT_APP_PHYSTS | ++ BIT_PKTCTL_DLEN | BIT_HTC_LOC_CTRL | BIT_APP_PHYSTS | + BIT_AB | BIT_AM | BIT_APM; + + ret = rtw_load_firmware(rtwdev, RTW_NORMAL_FW); +diff --git a/drivers/net/wireless/realtek/rtw88/rtw8821c.h b/drivers/net/wireless/realtek/rtw88/rtw8821c.h +index bd01e82b6bcd0..8d1e8ff71d7ef 100644 +--- a/drivers/net/wireless/realtek/rtw88/rtw8821c.h ++++ b/drivers/net/wireless/realtek/rtw88/rtw8821c.h +@@ -131,7 +131,7 @@ _rtw_write32s_mask(struct rtw_dev *rtwdev, u32 addr, u32 mask, u32 data) + #define WLAN_TX_FUNC_CFG2 0x30 + #define WLAN_MAC_OPT_NORM_FUNC1 0x98 + #define WLAN_MAC_OPT_LB_FUNC1 0x80 +-#define WLAN_MAC_OPT_FUNC2 0x30810041 ++#define WLAN_MAC_OPT_FUNC2 0xb0810041 + + #define WLAN_SIFS_CFG (WLAN_SIFS_CCK_CONT_TX | \ + (WLAN_SIFS_OFDM_CONT_TX << BIT_SHIFT_SIFS_OFDM_CTX) | \ +diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822b.c b/drivers/net/wireless/realtek/rtw88/rtw8822b.c +index 22d0dd640ac94..dbfd67c3f598c 100644 +--- a/drivers/net/wireless/realtek/rtw88/rtw8822b.c ++++ b/drivers/net/wireless/realtek/rtw88/rtw8822b.c +@@ -204,7 +204,7 @@ static void rtw8822b_phy_set_param(struct rtw_dev *rtwdev) + #define WLAN_TX_FUNC_CFG2 0x30 + #define WLAN_MAC_OPT_NORM_FUNC1 0x98 + #define WLAN_MAC_OPT_LB_FUNC1 0x80 +-#define WLAN_MAC_OPT_FUNC2 0x30810041 ++#define WLAN_MAC_OPT_FUNC2 0xb0810041 + + #define WLAN_SIFS_CFG (WLAN_SIFS_CCK_CONT_TX | \ + (WLAN_SIFS_OFDM_CONT_TX << BIT_SHIFT_SIFS_OFDM_CTX) | \ +diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822c.c b/drivers/net/wireless/realtek/rtw88/rtw8822c.c +index 79ad6232dce83..cee586335552d 100644 +--- a/drivers/net/wireless/realtek/rtw88/rtw8822c.c ++++ b/drivers/net/wireless/realtek/rtw88/rtw8822c.c +@@ -1248,7 +1248,7 @@ static void rtw8822c_phy_set_param(struct rtw_dev *rtwdev) + #define WLAN_TX_FUNC_CFG2 0x30 + #define WLAN_MAC_OPT_NORM_FUNC1 0x98 + #define WLAN_MAC_OPT_LB_FUNC1 0x80 +-#define WLAN_MAC_OPT_FUNC2 0x30810041 ++#define WLAN_MAC_OPT_FUNC2 0xb0810041 + #define WLAN_MAC_INT_MIG_CFG 0x33330000 + + #define WLAN_SIFS_CFG (WLAN_SIFS_CCK_CONT_TX | \ +-- +2.34.1 + diff --git a/queue-5.10/sched-fair-fix-detection-of-per-cpu-kthreads-waking-.patch b/queue-5.10/sched-fair-fix-detection-of-per-cpu-kthreads-waking-.patch new file mode 100644 index 00000000000..8b009555b49 --- /dev/null +++ b/queue-5.10/sched-fair-fix-detection-of-per-cpu-kthreads-waking-.patch @@ -0,0 +1,48 @@ +From adb9079b9888f546a46e8a6da2dacf68dd11e722 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 14:34:50 +0000 +Subject: sched/fair: Fix detection of per-CPU kthreads waking a task + +From: Vincent Donnefort + +[ Upstream commit 8b4e74ccb582797f6f0b0a50372ebd9fd2372a27 ] + +select_idle_sibling() has a special case for tasks woken up by a per-CPU +kthread, where the selected CPU is the previous one. However, the current +condition for this exit path is incomplete. A task can wake up from an +interrupt context (e.g. hrtimer), while a per-CPU kthread is running. A +such scenario would spuriously trigger the special case described above. +Also, a recent change made the idle task like a regular per-CPU kthread, +hence making that situation more likely to happen +(is_per_cpu_kthread(swapper) being true now). + +Checking for task context makes sure select_idle_sibling() will not +interpret a wake up from any other context as a wake up by a per-CPU +kthread. + +Fixes: 52262ee567ad ("sched/fair: Allow a per-CPU kthread waking a task to stack on the same CPU, to fix XFS performance regression") +Signed-off-by: Vincent Donnefort +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Vincent Guittot +Reviewed-by: Valentin Schneider +Link: https://lore.kernel.org/r/20211201143450.479472-1-vincent.donnefort@arm.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index c004e3b89c324..a7589552be5fc 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -6284,6 +6284,7 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target) + * pattern is IO completions. + */ + if (is_per_cpu_kthread(current) && ++ in_task() && + prev == smp_processor_id() && + this_rq()->nr_running <= 1) { + return prev; +-- +2.34.1 + diff --git a/queue-5.10/sched-fair-fix-per-cpu-kthread-and-wakee-stacking-fo.patch b/queue-5.10/sched-fair-fix-per-cpu-kthread-and-wakee-stacking-fo.patch new file mode 100644 index 00000000000..a90c2989271 --- /dev/null +++ b/queue-5.10/sched-fair-fix-per-cpu-kthread-and-wakee-stacking-fo.patch @@ -0,0 +1,47 @@ +From 40879173edb8271d33a23ba1a5ad2b58dda49542 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Nov 2021 17:31:15 +0000 +Subject: sched/fair: Fix per-CPU kthread and wakee stacking for asym CPU + capacity + +From: Vincent Donnefort + +[ Upstream commit 014ba44e8184e1acf93e0cbb7089ee847802f8f0 ] + +select_idle_sibling() has a special case for tasks woken up by a per-CPU +kthread where the selected CPU is the previous one. For asymmetric CPU +capacity systems, the assumption was that the wakee couldn't have a +bigger utilization during task placement than it used to have during the +last activation. That was not considering uclamp.min which can completely +change between two task activations and as a consequence mandates the +fitness criterion asym_fits_capacity(), even for the exit path described +above. + +Fixes: b4c9c9f15649 ("sched/fair: Prefer prev cpu in asymmetric wakeup path") +Signed-off-by: Vincent Donnefort +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Valentin Schneider +Reviewed-by: Dietmar Eggemann +Link: https://lkml.kernel.org/r/20211129173115.4006346-1-vincent.donnefort@arm.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index a7589552be5fc..2a33cb5a10e59 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -6286,7 +6286,8 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target) + if (is_per_cpu_kthread(current) && + in_task() && + prev == smp_processor_id() && +- this_rq()->nr_running <= 1) { ++ this_rq()->nr_running <= 1 && ++ asym_fits_capacity(task_util, prev)) { + return prev; + } + +-- +2.34.1 + diff --git a/queue-5.10/sched-rt-try-to-restart-rt-period-timer-when-rt-runt.patch b/queue-5.10/sched-rt-try-to-restart-rt-period-timer-when-rt-runt.patch new file mode 100644 index 00000000000..71776926d53 --- /dev/null +++ b/queue-5.10/sched-rt-try-to-restart-rt-period-timer-when-rt-runt.patch @@ -0,0 +1,99 @@ +From 94fe380749ab2dc000f5e9a146f1f21cef2b014d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Dec 2021 03:36:18 +0000 +Subject: sched/rt: Try to restart rt period timer when rt runtime exceeded + +From: Li Hua + +[ Upstream commit 9b58e976b3b391c0cf02e038d53dd0478ed3013c ] + +When rt_runtime is modified from -1 to a valid control value, it may +cause the task to be throttled all the time. Operations like the following +will trigger the bug. E.g: + + 1. echo -1 > /proc/sys/kernel/sched_rt_runtime_us + 2. Run a FIFO task named A that executes while(1) + 3. echo 950000 > /proc/sys/kernel/sched_rt_runtime_us + +When rt_runtime is -1, The rt period timer will not be activated when task +A enqueued. And then the task will be throttled after setting rt_runtime to +950,000. The task will always be throttled because the rt period timer is +not activated. + +Fixes: d0b27fa77854 ("sched: rt-group: synchonised bandwidth period") +Reported-by: Hulk Robot +Signed-off-by: Li Hua +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20211203033618.11895-1-hucool.lihua@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/sched/rt.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c +index b5cf418e2e3fe..41b14d9242039 100644 +--- a/kernel/sched/rt.c ++++ b/kernel/sched/rt.c +@@ -52,11 +52,8 @@ void init_rt_bandwidth(struct rt_bandwidth *rt_b, u64 period, u64 runtime) + rt_b->rt_period_timer.function = sched_rt_period_timer; + } + +-static void start_rt_bandwidth(struct rt_bandwidth *rt_b) ++static inline void do_start_rt_bandwidth(struct rt_bandwidth *rt_b) + { +- if (!rt_bandwidth_enabled() || rt_b->rt_runtime == RUNTIME_INF) +- return; +- + raw_spin_lock(&rt_b->rt_runtime_lock); + if (!rt_b->rt_period_active) { + rt_b->rt_period_active = 1; +@@ -75,6 +72,14 @@ static void start_rt_bandwidth(struct rt_bandwidth *rt_b) + raw_spin_unlock(&rt_b->rt_runtime_lock); + } + ++static void start_rt_bandwidth(struct rt_bandwidth *rt_b) ++{ ++ if (!rt_bandwidth_enabled() || rt_b->rt_runtime == RUNTIME_INF) ++ return; ++ ++ do_start_rt_bandwidth(rt_b); ++} ++ + void init_rt_rq(struct rt_rq *rt_rq) + { + struct rt_prio_array *array; +@@ -1022,13 +1027,17 @@ static void update_curr_rt(struct rq *rq) + + for_each_sched_rt_entity(rt_se) { + struct rt_rq *rt_rq = rt_rq_of_se(rt_se); ++ int exceeded; + + if (sched_rt_runtime(rt_rq) != RUNTIME_INF) { + raw_spin_lock(&rt_rq->rt_runtime_lock); + rt_rq->rt_time += delta_exec; +- if (sched_rt_runtime_exceeded(rt_rq)) ++ exceeded = sched_rt_runtime_exceeded(rt_rq); ++ if (exceeded) + resched_curr(rq); + raw_spin_unlock(&rt_rq->rt_runtime_lock); ++ if (exceeded) ++ do_start_rt_bandwidth(sched_rt_bandwidth(rt_rq)); + } + } + } +@@ -2727,8 +2736,12 @@ static int sched_rt_global_validate(void) + + static void sched_rt_do_global(void) + { ++ unsigned long flags; ++ ++ raw_spin_lock_irqsave(&def_rt_bandwidth.rt_runtime_lock, flags); + def_rt_bandwidth.rt_runtime = global_rt_runtime(); + def_rt_bandwidth.rt_period = ns_to_ktime(global_rt_period()); ++ raw_spin_unlock_irqrestore(&def_rt_bandwidth.rt_runtime_lock, flags); + } + + int sched_rt_handler(struct ctl_table *table, int write, void *buffer, +-- +2.34.1 + diff --git a/queue-5.10/scripts-sphinx-pre-install-fix-ctex-support-on-debia.patch b/queue-5.10/scripts-sphinx-pre-install-fix-ctex-support-on-debia.patch new file mode 100644 index 00000000000..3260d6b388b --- /dev/null +++ b/queue-5.10/scripts-sphinx-pre-install-fix-ctex-support-on-debia.patch @@ -0,0 +1,39 @@ +From e2cccc176c7878f4cc0c617f4c47fc698e0fa56b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jan 2022 01:41:02 +0100 +Subject: scripts: sphinx-pre-install: Fix ctex support on Debian + +From: Mauro Carvalho Chehab + +[ Upstream commit 87d6576ddf8ac25f36597bc93ca17f6628289c16 ] + +The name of the package with ctexhook.sty is different on +Debian/Ubuntu. + +Reported-by: Akira Yokosawa +Signed-off-by: Mauro Carvalho Chehab +Tested-by: Akira Yokosawa +Link: https://lore.kernel.org/r/63882425609a2820fac78f5e94620abeb7ed5f6f.1641429634.git.mchehab@kernel.org +Signed-off-by: Jonathan Corbet +Signed-off-by: Sasha Levin +--- + scripts/sphinx-pre-install | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/sphinx-pre-install b/scripts/sphinx-pre-install +index 828a8615a9181..b32a20782c851 100755 +--- a/scripts/sphinx-pre-install ++++ b/scripts/sphinx-pre-install +@@ -370,6 +370,9 @@ sub give_debian_hints() + ); + + if ($pdf) { ++ check_missing_file(["/usr/share/texlive/texmf-dist/tex/latex/ctex/ctexhook.sty"], ++ "texlive-lang-chinese", 2); ++ + check_missing_file(["/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf"], + "fonts-dejavu", 2); + +-- +2.34.1 + diff --git a/queue-5.10/scsi-block-pm-always-set-request-queue-runtime-activ.patch b/queue-5.10/scsi-block-pm-always-set-request-queue-runtime-activ.patch new file mode 100644 index 00000000000..690bdfb4623 --- /dev/null +++ b/queue-5.10/scsi-block-pm-always-set-request-queue-runtime-activ.patch @@ -0,0 +1,121 @@ +From 2888132eea0481495c347c0f06a7879ad6e55143 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 19:21:26 +0800 +Subject: scsi: block: pm: Always set request queue runtime active in + blk_post_runtime_resume() + +From: Alan Stern + +[ Upstream commit 6e1fcab00a23f7fe9f4fe9704905a790efa1eeab ] + +John Garry reported a deadlock that occurs when trying to access a +runtime-suspended SATA device. For obscure reasons, the rescan procedure +causes the link to be hard-reset, which disconnects the device. + +The rescan tries to carry out a runtime resume when accessing the device. +scsi_rescan_device() holds the SCSI device lock and won't release it until +it can put commands onto the device's block queue. This can't happen until +the queue is successfully runtime-resumed or the device is unregistered. +But the runtime resume fails because the device is disconnected, and +__scsi_remove_device() can't do the unregistration because it can't get the +device lock. + +The best way to resolve this deadlock appears to be to allow the block +queue to start running again even after an unsuccessful runtime resume. +The idea is that the driver or the SCSI error handler will need to be able +to use the queue to resolve the runtime resume failure. + +This patch removes the err argument to blk_post_runtime_resume() and makes +the routine act as though the resume was successful always. This fixes the +deadlock. + +Link: https://lore.kernel.org/r/1639999298-244569-4-git-send-email-chenxiang66@hisilicon.com +Fixes: e27829dc92e5 ("scsi: serialize ->rescan against ->remove") +Reported-and-tested-by: John Garry +Reviewed-by: Bart Van Assche +Signed-off-by: Alan Stern +Signed-off-by: Xiang Chen +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + block/blk-pm.c | 22 +++++++--------------- + drivers/scsi/scsi_pm.c | 2 +- + include/linux/blk-pm.h | 2 +- + 3 files changed, 9 insertions(+), 17 deletions(-) + +diff --git a/block/blk-pm.c b/block/blk-pm.c +index 17bd020268d42..2dad62cc15727 100644 +--- a/block/blk-pm.c ++++ b/block/blk-pm.c +@@ -163,27 +163,19 @@ EXPORT_SYMBOL(blk_pre_runtime_resume); + /** + * blk_post_runtime_resume - Post runtime resume processing + * @q: the queue of the device +- * @err: return value of the device's runtime_resume function + * + * Description: +- * Update the queue's runtime status according to the return value of the +- * device's runtime_resume function. If the resume was successful, call +- * blk_set_runtime_active() to do the real work of restarting the queue. ++ * For historical reasons, this routine merely calls blk_set_runtime_active() ++ * to do the real work of restarting the queue. It does this regardless of ++ * whether the device's runtime-resume succeeded; even if it failed the ++ * driver or error handler will need to communicate with the device. + * + * This function should be called near the end of the device's + * runtime_resume callback. + */ +-void blk_post_runtime_resume(struct request_queue *q, int err) ++void blk_post_runtime_resume(struct request_queue *q) + { +- if (!q->dev) +- return; +- if (!err) { +- blk_set_runtime_active(q); +- } else { +- spin_lock_irq(&q->queue_lock); +- q->rpm_status = RPM_SUSPENDED; +- spin_unlock_irq(&q->queue_lock); +- } ++ blk_set_runtime_active(q); + } + EXPORT_SYMBOL(blk_post_runtime_resume); + +@@ -201,7 +193,7 @@ EXPORT_SYMBOL(blk_post_runtime_resume); + * runtime PM status and re-enable peeking requests from the queue. It + * should be called before first request is added to the queue. + * +- * This function is also called by blk_post_runtime_resume() for successful ++ * This function is also called by blk_post_runtime_resume() for + * runtime resumes. It does everything necessary to restart the queue. + */ + void blk_set_runtime_active(struct request_queue *q) +diff --git a/drivers/scsi/scsi_pm.c b/drivers/scsi/scsi_pm.c +index 3717eea37ecb3..e91a0a5bc7a3e 100644 +--- a/drivers/scsi/scsi_pm.c ++++ b/drivers/scsi/scsi_pm.c +@@ -262,7 +262,7 @@ static int sdev_runtime_resume(struct device *dev) + blk_pre_runtime_resume(sdev->request_queue); + if (pm && pm->runtime_resume) + err = pm->runtime_resume(dev); +- blk_post_runtime_resume(sdev->request_queue, err); ++ blk_post_runtime_resume(sdev->request_queue); + + return err; + } +diff --git a/include/linux/blk-pm.h b/include/linux/blk-pm.h +index b80c65aba2493..2580e05a8ab67 100644 +--- a/include/linux/blk-pm.h ++++ b/include/linux/blk-pm.h +@@ -14,7 +14,7 @@ extern void blk_pm_runtime_init(struct request_queue *q, struct device *dev); + extern int blk_pre_runtime_suspend(struct request_queue *q); + extern void blk_post_runtime_suspend(struct request_queue *q, int err); + extern void blk_pre_runtime_resume(struct request_queue *q); +-extern void blk_post_runtime_resume(struct request_queue *q, int err); ++extern void blk_post_runtime_resume(struct request_queue *q); + extern void blk_set_runtime_active(struct request_queue *q); + #else + static inline void blk_pm_runtime_init(struct request_queue *q, +-- +2.34.1 + diff --git a/queue-5.10/scsi-lpfc-trigger-sli4-firmware-dump-before-doing-dr.patch b/queue-5.10/scsi-lpfc-trigger-sli4-firmware-dump-before-doing-dr.patch new file mode 100644 index 00000000000..38b6a26b09a --- /dev/null +++ b/queue-5.10/scsi-lpfc-trigger-sli4-firmware-dump-before-doing-dr.patch @@ -0,0 +1,188 @@ +From c6984154492eab8c4fdfead5f3ff6c9a82cae8fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Dec 2021 16:26:40 -0800 +Subject: scsi: lpfc: Trigger SLI4 firmware dump before doing driver cleanup + +From: James Smart + +[ Upstream commit 7dd2e2a923173d637c272e483966be8e96a72b64 ] + +Extraneous teardown routines are present in the firmware dump path causing +altered states in firmware captures. + +When a firmware dump is requested via sysfs, trigger the dump immediately +without tearing down structures and changing adapter state. + +The driver shall rely on pre-existing firmware error state clean up +handlers to restore the adapter. + +Link: https://lore.kernel.org/r/20211204002644.116455-6-jsmart2021@gmail.com +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc.h | 2 +- + drivers/scsi/lpfc/lpfc_attr.c | 62 ++++++++++++++++++++------------ + drivers/scsi/lpfc/lpfc_hbadisc.c | 8 ++++- + drivers/scsi/lpfc/lpfc_sli.c | 6 ---- + 4 files changed, 48 insertions(+), 30 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h +index 93e507677bdcb..0273bf3918ff3 100644 +--- a/drivers/scsi/lpfc/lpfc.h ++++ b/drivers/scsi/lpfc/lpfc.h +@@ -763,7 +763,6 @@ struct lpfc_hba { + #define HBA_DEVLOSS_TMO 0x2000 /* HBA in devloss timeout */ + #define HBA_RRQ_ACTIVE 0x4000 /* process the rrq active list */ + #define HBA_IOQ_FLUSH 0x8000 /* FCP/NVME I/O queues being flushed */ +-#define HBA_FW_DUMP_OP 0x10000 /* Skips fn reset before FW dump */ + #define HBA_RECOVERABLE_UE 0x20000 /* Firmware supports recoverable UE */ + #define HBA_FORCED_LINK_SPEED 0x40000 /* + * Firmware supports Forced Link Speed +@@ -772,6 +771,7 @@ struct lpfc_hba { + #define HBA_FLOGI_ISSUED 0x100000 /* FLOGI was issued */ + #define HBA_DEFER_FLOGI 0x800000 /* Defer FLOGI till read_sparm cmpl */ + ++ struct completion *fw_dump_cmpl; /* cmpl event tracker for fw_dump */ + uint32_t fcp_ring_in_use; /* When polling test if intr-hndlr active*/ + struct lpfc_dmabuf slim2p; + +diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c +index 2c59a5bf35390..727b7ba4d8f82 100644 +--- a/drivers/scsi/lpfc/lpfc_attr.c ++++ b/drivers/scsi/lpfc/lpfc_attr.c +@@ -1536,25 +1536,25 @@ lpfc_sli4_pdev_reg_request(struct lpfc_hba *phba, uint32_t opcode) + before_fc_flag = phba->pport->fc_flag; + sriov_nr_virtfn = phba->cfg_sriov_nr_virtfn; + +- /* Disable SR-IOV virtual functions if enabled */ +- if (phba->cfg_sriov_nr_virtfn) { +- pci_disable_sriov(pdev); +- phba->cfg_sriov_nr_virtfn = 0; +- } ++ if (opcode == LPFC_FW_DUMP) { ++ init_completion(&online_compl); ++ phba->fw_dump_cmpl = &online_compl; ++ } else { ++ /* Disable SR-IOV virtual functions if enabled */ ++ if (phba->cfg_sriov_nr_virtfn) { ++ pci_disable_sriov(pdev); ++ phba->cfg_sriov_nr_virtfn = 0; ++ } + +- if (opcode == LPFC_FW_DUMP) +- phba->hba_flag |= HBA_FW_DUMP_OP; ++ status = lpfc_do_offline(phba, LPFC_EVT_OFFLINE); + +- status = lpfc_do_offline(phba, LPFC_EVT_OFFLINE); ++ if (status != 0) ++ return status; + +- if (status != 0) { +- phba->hba_flag &= ~HBA_FW_DUMP_OP; +- return status; ++ /* wait for the device to be quiesced before firmware reset */ ++ msleep(100); + } + +- /* wait for the device to be quiesced before firmware reset */ +- msleep(100); +- + reg_val = readl(phba->sli4_hba.conf_regs_memmap_p + + LPFC_CTL_PDEV_CTL_OFFSET); + +@@ -1583,24 +1583,42 @@ lpfc_sli4_pdev_reg_request(struct lpfc_hba *phba, uint32_t opcode) + lpfc_printf_log(phba, KERN_ERR, LOG_SLI, + "3153 Fail to perform the requested " + "access: x%x\n", reg_val); ++ if (phba->fw_dump_cmpl) ++ phba->fw_dump_cmpl = NULL; + return rc; + } + + /* keep the original port state */ +- if (before_fc_flag & FC_OFFLINE_MODE) +- goto out; +- +- init_completion(&online_compl); +- job_posted = lpfc_workq_post_event(phba, &status, &online_compl, +- LPFC_EVT_ONLINE); +- if (!job_posted) ++ if (before_fc_flag & FC_OFFLINE_MODE) { ++ if (phba->fw_dump_cmpl) ++ phba->fw_dump_cmpl = NULL; + goto out; ++ } + +- wait_for_completion(&online_compl); ++ /* Firmware dump will trigger an HA_ERATT event, and ++ * lpfc_handle_eratt_s4 routine already handles bringing the port back ++ * online. ++ */ ++ if (opcode == LPFC_FW_DUMP) { ++ wait_for_completion(phba->fw_dump_cmpl); ++ } else { ++ init_completion(&online_compl); ++ job_posted = lpfc_workq_post_event(phba, &status, &online_compl, ++ LPFC_EVT_ONLINE); ++ if (!job_posted) ++ goto out; + ++ wait_for_completion(&online_compl); ++ } + out: + /* in any case, restore the virtual functions enabled as before */ + if (sriov_nr_virtfn) { ++ /* If fw_dump was performed, first disable to clean up */ ++ if (opcode == LPFC_FW_DUMP) { ++ pci_disable_sriov(pdev); ++ phba->cfg_sriov_nr_virtfn = 0; ++ } ++ + sriov_err = + lpfc_sli_probe_sriov_nr_virtfn(phba, sriov_nr_virtfn); + if (!sriov_err) +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index f4a672e549716..68ff233f936e5 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -635,10 +635,16 @@ lpfc_work_done(struct lpfc_hba *phba) + if (phba->pci_dev_grp == LPFC_PCI_DEV_OC) + lpfc_sli4_post_async_mbox(phba); + +- if (ha_copy & HA_ERATT) ++ if (ha_copy & HA_ERATT) { + /* Handle the error attention event */ + lpfc_handle_eratt(phba); + ++ if (phba->fw_dump_cmpl) { ++ complete(phba->fw_dump_cmpl); ++ phba->fw_dump_cmpl = NULL; ++ } ++ } ++ + if (ha_copy & HA_MBATT) + lpfc_sli_handle_mb_event(phba); + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 06a23718a7c7f..1a9522baba484 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -4629,12 +4629,6 @@ lpfc_sli4_brdreset(struct lpfc_hba *phba) + phba->fcf.fcf_flag = 0; + spin_unlock_irq(&phba->hbalock); + +- /* SLI4 INTF 2: if FW dump is being taken skip INIT_PORT */ +- if (phba->hba_flag & HBA_FW_DUMP_OP) { +- phba->hba_flag &= ~HBA_FW_DUMP_OP; +- return rc; +- } +- + /* Now physically reset the device */ + lpfc_printf_log(phba, KERN_INFO, LOG_INIT, + "0389 Performing PCI function reset!\n"); +-- +2.34.1 + diff --git a/queue-5.10/scsi-pm80xx-update-warn_on-check-in-pm8001_mpi_build.patch b/queue-5.10/scsi-pm80xx-update-warn_on-check-in-pm8001_mpi_build.patch new file mode 100644 index 00000000000..9461c333b7f --- /dev/null +++ b/queue-5.10/scsi-pm80xx-update-warn_on-check-in-pm8001_mpi_build.patch @@ -0,0 +1,42 @@ +From c110ec2d111d25f057e05578cb8159be050d8688 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Nov 2021 16:28:24 -0700 +Subject: scsi: pm80xx: Update WARN_ON check in pm8001_mpi_build_cmd() + +From: Igor Pylypiv + +[ Upstream commit 606c54ae975ad3af540b505b46b55a687501711f ] + +Starting from commit 05c6c029a44d ("scsi: pm80xx: Increase number of +supported queues") driver initializes only max_q_num queues. Do not use an +invalid queue if the WARN_ON condition is true. + +Link: https://lore.kernel.org/r/20211101232825.2350233-4-ipylypiv@google.com +Fixes: 7640e1eb8c5d ("scsi: pm80xx: Make mpi_build_cmd locking consistent") +Reviewed-by: Vishakha Channapattan +Acked-by: Jack Wang +Signed-off-by: Igor Pylypiv +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/pm8001/pm8001_hwi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/pm8001/pm8001_hwi.c b/drivers/scsi/pm8001/pm8001_hwi.c +index 5d751628a6340..9b318958d78cc 100644 +--- a/drivers/scsi/pm8001/pm8001_hwi.c ++++ b/drivers/scsi/pm8001/pm8001_hwi.c +@@ -1323,7 +1323,9 @@ int pm8001_mpi_build_cmd(struct pm8001_hba_info *pm8001_ha, + int q_index = circularQ - pm8001_ha->inbnd_q_tbl; + int rv = -1; + +- WARN_ON(q_index >= PM8001_MAX_INB_NUM); ++ if (WARN_ON(q_index >= pm8001_ha->max_q_num)) ++ return -EINVAL; ++ + spin_lock_irqsave(&circularQ->iq_lock, flags); + rv = pm8001_mpi_msg_free_get(circularQ, pm8001_ha->iomb_size, + &pMessage); +-- +2.34.1 + diff --git a/queue-5.10/scsi-sr-don-t-use-gfp_dma.patch b/queue-5.10/scsi-sr-don-t-use-gfp_dma.patch new file mode 100644 index 00000000000..ee965732595 --- /dev/null +++ b/queue-5.10/scsi-sr-don-t-use-gfp_dma.patch @@ -0,0 +1,61 @@ +From e9b8da82565723b9b1570c4a7dd42cbf90491c94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 10:08:42 +0100 +Subject: scsi: sr: Don't use GFP_DMA + +From: Christoph Hellwig + +[ Upstream commit d94d94969a4ba07a43d62429c60372320519c391 ] + +The allocated buffers are used as a command payload, for which the block +layer and/or DMA API do the proper bounce buffering if needed. + +Link: https://lore.kernel.org/r/20211222090842.920724-1-hch@lst.de +Reported-by: Baoquan He +Reviewed-by: Baoquan He +Signed-off-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/sr.c | 2 +- + drivers/scsi/sr_vendor.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c +index 4cb4ab9c6137e..464418413ced0 100644 +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -917,7 +917,7 @@ static void get_capabilities(struct scsi_cd *cd) + + + /* allocate transfer buffer */ +- buffer = kmalloc(512, GFP_KERNEL | GFP_DMA); ++ buffer = kmalloc(512, GFP_KERNEL); + if (!buffer) { + sr_printk(KERN_ERR, cd, "out of memory.\n"); + return; +diff --git a/drivers/scsi/sr_vendor.c b/drivers/scsi/sr_vendor.c +index 1f988a1b9166f..a61635326ae0a 100644 +--- a/drivers/scsi/sr_vendor.c ++++ b/drivers/scsi/sr_vendor.c +@@ -131,7 +131,7 @@ int sr_set_blocklength(Scsi_CD *cd, int blocklength) + if (cd->vendor == VENDOR_TOSHIBA) + density = (blocklength > 2048) ? 0x81 : 0x83; + +- buffer = kmalloc(512, GFP_KERNEL | GFP_DMA); ++ buffer = kmalloc(512, GFP_KERNEL); + if (!buffer) + return -ENOMEM; + +@@ -179,7 +179,7 @@ int sr_cd_check(struct cdrom_device_info *cdi) + if (cd->cdi.mask & CDC_MULTI_SESSION) + return 0; + +- buffer = kmalloc(512, GFP_KERNEL | GFP_DMA); ++ buffer = kmalloc(512, GFP_KERNEL); + if (!buffer) + return -ENOMEM; + +-- +2.34.1 + diff --git a/queue-5.10/scsi-ufs-fix-race-conditions-related-to-driver-data.patch b/queue-5.10/scsi-ufs-fix-race-conditions-related-to-driver-data.patch new file mode 100644 index 00000000000..24dd3c355cc --- /dev/null +++ b/queue-5.10/scsi-ufs-fix-race-conditions-related-to-driver-data.patch @@ -0,0 +1,87 @@ +From 503686a287c37bb4406c77dd067d4971d6cfb33f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Dec 2021 15:19:39 -0800 +Subject: scsi: ufs: Fix race conditions related to driver data + +From: Bart Van Assche + +[ Upstream commit 21ad0e49085deb22c094f91f9da57319a97188e4 ] + +The driver data pointer must be set before any callbacks are registered +that use that pointer. Hence move the initialization of that pointer from +after the ufshcd_init() call to inside ufshcd_init(). + +Link: https://lore.kernel.org/r/20211203231950.193369-7-bvanassche@acm.org +Fixes: 3b1d05807a9a ("[SCSI] ufs: Segregate PCI Specific Code") +Reported-by: Alexey Dobriyan +Tested-by: Bean Huo +Reviewed-by: Bean Huo +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/tc-dwc-g210-pci.c | 1 - + drivers/scsi/ufs/ufshcd-pci.c | 2 -- + drivers/scsi/ufs/ufshcd-pltfrm.c | 2 -- + drivers/scsi/ufs/ufshcd.c | 7 +++++++ + 4 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/scsi/ufs/tc-dwc-g210-pci.c b/drivers/scsi/ufs/tc-dwc-g210-pci.c +index 67a6a61154b71..4e471484539d2 100644 +--- a/drivers/scsi/ufs/tc-dwc-g210-pci.c ++++ b/drivers/scsi/ufs/tc-dwc-g210-pci.c +@@ -135,7 +135,6 @@ tc_dwc_g210_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + return err; + } + +- pci_set_drvdata(pdev, hba); + pm_runtime_put_noidle(&pdev->dev); + pm_runtime_allow(&pdev->dev); + +diff --git a/drivers/scsi/ufs/ufshcd-pci.c b/drivers/scsi/ufs/ufshcd-pci.c +index fadd566025b86..4bf8ec88676ee 100644 +--- a/drivers/scsi/ufs/ufshcd-pci.c ++++ b/drivers/scsi/ufs/ufshcd-pci.c +@@ -347,8 +347,6 @@ ufshcd_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + return err; + } + +- pci_set_drvdata(pdev, hba); +- + hba->vops = (struct ufs_hba_variant_ops *)id->driver_data; + + err = ufshcd_init(hba, mmio_base, pdev->irq); +diff --git a/drivers/scsi/ufs/ufshcd-pltfrm.c b/drivers/scsi/ufs/ufshcd-pltfrm.c +index 8c92d1bde64be..e49505534d498 100644 +--- a/drivers/scsi/ufs/ufshcd-pltfrm.c ++++ b/drivers/scsi/ufs/ufshcd-pltfrm.c +@@ -412,8 +412,6 @@ int ufshcd_pltfrm_init(struct platform_device *pdev, + goto dealloc_host; + } + +- platform_set_drvdata(pdev, hba); +- + pm_runtime_set_active(&pdev->dev); + pm_runtime_enable(&pdev->dev); + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index e3a9a02cadf5a..bf302776340ce 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -9085,6 +9085,13 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq) + struct device *dev = hba->dev; + char eh_wq_name[sizeof("ufs_eh_wq_00")]; + ++ /* ++ * dev_set_drvdata() must be called before any callbacks are registered ++ * that use dev_get_drvdata() (frequency scaling, clock scaling, hwmon, ++ * sysfs). ++ */ ++ dev_set_drvdata(dev, hba); ++ + if (!mmio_base) { + dev_err(hba->dev, + "Invalid memory reference for mmio_base is NULL\n"); +-- +2.34.1 + diff --git a/queue-5.10/selftests-bpf-fix-bpf_object-leak-in-skb_ctx-selftes.patch b/queue-5.10/selftests-bpf-fix-bpf_object-leak-in-skb_ctx-selftes.patch new file mode 100644 index 00000000000..115fe47c834 --- /dev/null +++ b/queue-5.10/selftests-bpf-fix-bpf_object-leak-in-skb_ctx-selftes.patch @@ -0,0 +1,36 @@ +From d013369a55bd5f479ed6bac947ca9eab1de94279 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Nov 2021 08:55:21 -0800 +Subject: selftests/bpf: Fix bpf_object leak in skb_ctx selftest + +From: Andrii Nakryiko + +[ Upstream commit 8c7a95520184b6677ca6075e12df9c208d57d088 ] + +skb_ctx selftest didn't close bpf_object implicitly allocated by +bpf_prog_test_load() helper. Fix the problem by explicitly calling +bpf_object__close() at the end of the test. + +Signed-off-by: Andrii Nakryiko +Signed-off-by: Alexei Starovoitov +Reviewed-by: Hengqi Chen +Link: https://lore.kernel.org/bpf/20211107165521.9240-10-andrii@kernel.org +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/skb_ctx.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/skb_ctx.c b/tools/testing/selftests/bpf/prog_tests/skb_ctx.c +index fafeddaad6a99..23915be6172d6 100644 +--- a/tools/testing/selftests/bpf/prog_tests/skb_ctx.c ++++ b/tools/testing/selftests/bpf/prog_tests/skb_ctx.c +@@ -105,4 +105,6 @@ void test_skb_ctx(void) + "ctx_out_mark", + "skb->mark == %u, expected %d\n", + skb.mark, 10); ++ ++ bpf_object__close(obj); + } +-- +2.34.1 + diff --git a/queue-5.10/selftests-clone3-clone3-add-case-clone3_args_no_test.patch b/queue-5.10/selftests-clone3-clone3-add-case-clone3_args_no_test.patch new file mode 100644 index 00000000000..81074892ca6 --- /dev/null +++ b/queue-5.10/selftests-clone3-clone3-add-case-clone3_args_no_test.patch @@ -0,0 +1,47 @@ +From 35fb5d2819f553531d5c86ba5747a980e4da8185 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 21:13:50 +0100 +Subject: selftests: clone3: clone3: add case CLONE3_ARGS_NO_TEST + +From: Anders Roxell + +[ Upstream commit a531b0c23c0fc68ad758cc31a74cf612a4dafeb0 ] + +Building selftests/clone3 with clang warns about enumeration not handled +in switch case: + +clone3.c:54:10: warning: enumeration value 'CLONE3_ARGS_NO_TEST' not handled in switch [-Wswitch] + switch (test_mode) { + ^ + +Add the missing switch case with a comment. + +Fixes: 17a810699c18 ("selftests: add tests for clone3()") +Signed-off-by: Anders Roxell +Acked-by: Christian Brauner +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/clone3/clone3.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/tools/testing/selftests/clone3/clone3.c b/tools/testing/selftests/clone3/clone3.c +index 42be3b9258301..076cf4325f783 100644 +--- a/tools/testing/selftests/clone3/clone3.c ++++ b/tools/testing/selftests/clone3/clone3.c +@@ -52,6 +52,12 @@ static int call_clone3(uint64_t flags, size_t size, enum test_mode test_mode) + size = sizeof(struct __clone_args); + + switch (test_mode) { ++ case CLONE3_ARGS_NO_TEST: ++ /* ++ * Uses default 'flags' and 'SIGCHLD' ++ * assignment. ++ */ ++ break; + case CLONE3_ARGS_ALL_0: + args.flags = 0; + args.exit_signal = 0; +-- +2.34.1 + diff --git a/queue-5.10/selftests-ftrace-make-kprobe-profile-testcase-descri.patch b/queue-5.10/selftests-ftrace-make-kprobe-profile-testcase-descri.patch new file mode 100644 index 00000000000..37963970c6c --- /dev/null +++ b/queue-5.10/selftests-ftrace-make-kprobe-profile-testcase-descri.patch @@ -0,0 +1,41 @@ +From 81eeea659f68a91852e030484714cfad48d3833c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 13:25:46 +0100 +Subject: selftests/ftrace: make kprobe profile testcase description unique + +From: Heiko Carstens + +[ Upstream commit e5992f373c6eed6d09e5858e9623df1259b3ce30 ] + +Commit 32f6e5da83c7 ("selftests/ftrace: Add kprobe profile testcase") +added a new kprobes testcase, but has a description which does not +describe what the test case is doing and is duplicating the description +of another test case. + +Therefore change the test case description, so it is unique and then +allows easily to tell which test case actually passed or failed. + +Reported-by: Alexander Egorenkov +Signed-off-by: Heiko Carstens +Acked-by: Masami Hiramatsu +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/ftrace/test.d/kprobe/profile.tc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/profile.tc b/tools/testing/selftests/ftrace/test.d/kprobe/profile.tc +index 98166fa3eb91c..34fb89b0c61fa 100644 +--- a/tools/testing/selftests/ftrace/test.d/kprobe/profile.tc ++++ b/tools/testing/selftests/ftrace/test.d/kprobe/profile.tc +@@ -1,6 +1,6 @@ + #!/bin/sh + # SPDX-License-Identifier: GPL-2.0 +-# description: Kprobe dynamic event - adding and removing ++# description: Kprobe profile + # requires: kprobe_events + + ! grep -q 'myevent' kprobe_profile +-- +2.34.1 + diff --git a/queue-5.10/selftests-harness-avoid-false-negatives-if-test-has-.patch b/queue-5.10/selftests-harness-avoid-false-negatives-if-test-has-.patch new file mode 100644 index 00000000000..fca60e0afbb --- /dev/null +++ b/queue-5.10/selftests-harness-avoid-false-negatives-if-test-has-.patch @@ -0,0 +1,40 @@ +From 31aafa56833b765508baeba82815c7f6eebe7f8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Nov 2021 14:39:16 -0800 +Subject: selftests: harness: avoid false negatives if test has no ASSERTs + +From: Jakub Kicinski + +[ Upstream commit 3abedf4646fdc0036fcb8ebbc3b600667167fafe ] + +Test can fail either immediately when ASSERT() failed or at the +end if one or more EXPECT() was not met. The exact return code +is decided based on the number of successful ASSERT()s. + +If test has no ASSERT()s, however, the return code will be 0, +as if the test did not fail. Start counting ASSERT()s from 1. + +Fixes: 369130b63178 ("selftests: Enhance kselftest_harness.h to print which assert failed") +Signed-off-by: Jakub Kicinski +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kselftest_harness.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h +index edce85420d193..5ecb9718e1616 100644 +--- a/tools/testing/selftests/kselftest_harness.h ++++ b/tools/testing/selftests/kselftest_harness.h +@@ -965,7 +965,7 @@ void __run_test(struct __fixture_metadata *f, + t->passed = 1; + t->skip = 0; + t->trigger = 0; +- t->step = 0; ++ t->step = 1; + t->no_print = 0; + memset(t->results->reason, 0, sizeof(t->results->reason)); + +-- +2.34.1 + diff --git a/queue-5.10/selftests-powerpc-spectre_v2-return-skip-code-when-m.patch b/queue-5.10/selftests-powerpc-spectre_v2-return-skip-code-when-m.patch new file mode 100644 index 00000000000..e10fe52aa81 --- /dev/null +++ b/queue-5.10/selftests-powerpc-spectre_v2-return-skip-code-when-m.patch @@ -0,0 +1,43 @@ +From 7bb91a0933f384f5c4a1ace3d0d5d54e64badf6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Dec 2021 10:05:57 -0300 +Subject: selftests/powerpc/spectre_v2: Return skip code when miss_percent is + high + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit 3c42e9542050d49610077e083c7c3f5fd5e26820 ] + +A mis-match between reported and actual mitigation is not restricted to the +Vulnerable case. The guest might also report the mitigation as "Software +count cache flush" and the host will still mitigate with branch cache +disabled. + +So, instead of skipping depending on the detected mitigation, simply skip +whenever the detected miss_percent is the expected one for a fully +mitigated system, that is, above 95%. + +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211207130557.40566-1-cascardo@canonical.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/powerpc/security/spectre_v2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/powerpc/security/spectre_v2.c b/tools/testing/selftests/powerpc/security/spectre_v2.c +index adc2b7294e5fd..83647b8277e7d 100644 +--- a/tools/testing/selftests/powerpc/security/spectre_v2.c ++++ b/tools/testing/selftests/powerpc/security/spectre_v2.c +@@ -193,7 +193,7 @@ int spectre_v2_test(void) + * We are not vulnerable and reporting otherwise, so + * missing such a mismatch is safe. + */ +- if (state == VULNERABLE) ++ if (miss_percent > 95) + return 4; + + return 1; +-- +2.34.1 + diff --git a/queue-5.10/selinux-fix-potential-memleak-in-selinux_add_opt.patch b/queue-5.10/selinux-fix-potential-memleak-in-selinux_add_opt.patch new file mode 100644 index 00000000000..6406aad6ee5 --- /dev/null +++ b/queue-5.10/selinux-fix-potential-memleak-in-selinux_add_opt.patch @@ -0,0 +1,63 @@ +From 37be341613d2f7ad7d3ae329b5722e37ffeccfdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 04:03:58 -0800 +Subject: selinux: fix potential memleak in selinux_add_opt() + +From: Bernard Zhao + +[ Upstream commit 2e08df3c7c4e4e74e3dd5104c100f0bf6288aaa8 ] + +This patch try to fix potential memleak in error branch. + +Fixes: ba6418623385 ("selinux: new helper - selinux_add_opt()") +Signed-off-by: Bernard Zhao +[PM: tweak the subject line, add Fixes tag] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/selinux/hooks.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index ff2191ae53528..86159b32921cc 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -947,18 +947,22 @@ out: + static int selinux_add_opt(int token, const char *s, void **mnt_opts) + { + struct selinux_mnt_opts *opts = *mnt_opts; ++ bool is_alloc_opts = false; + + if (token == Opt_seclabel) /* eaten and completely ignored */ + return 0; + ++ if (!s) ++ return -ENOMEM; ++ + if (!opts) { + opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL); + if (!opts) + return -ENOMEM; + *mnt_opts = opts; ++ is_alloc_opts = true; + } +- if (!s) +- return -ENOMEM; ++ + switch (token) { + case Opt_context: + if (opts->context || opts->defcontext) +@@ -983,6 +987,10 @@ static int selinux_add_opt(int token, const char *s, void **mnt_opts) + } + return 0; + Einval: ++ if (is_alloc_opts) { ++ kfree(opts); ++ *mnt_opts = NULL; ++ } + pr_warn(SEL_MOUNT_FAIL_MSG); + return -EINVAL; + } +-- +2.34.1 + diff --git a/queue-5.10/serial-amba-pl011-do-not-request-memory-region-twice.patch b/queue-5.10/serial-amba-pl011-do-not-request-memory-region-twice.patch new file mode 100644 index 00000000000..59c2318e0e6 --- /dev/null +++ b/queue-5.10/serial-amba-pl011-do-not-request-memory-region-twice.patch @@ -0,0 +1,106 @@ +From 9f87516231f64a5359b320de04b58ae211fbc8f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Nov 2021 18:42:38 +0100 +Subject: serial: amba-pl011: do not request memory region twice +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lino Sanfilippo + +[ Upstream commit d1180405c7b5c7a1c6bde79d5fc24fe931430737 ] + +With commit 3873e2d7f63a ("drivers: PL011: refactor pl011_probe()") the +function devm_ioremap() called from pl011_setup_port() was replaced with +devm_ioremap_resource(). Since this function not only remaps but also +requests the ports io memory region it now collides with the .config_port() +callback which requests the same region at uart port registration. + +Since devm_ioremap_resource() already claims the memory successfully, the +request in .config_port() fails. + +Later at uart port deregistration the attempt to release the unclaimed +memory also fails. The failure results in a “Trying to free nonexistent +resource" warning. + +Fix these issues by removing the callbacks that implement the redundant +memory allocation/release. Also make sure that changing the drivers io +memory base address via TIOCSSERIAL is not allowed any more. + +Fixes: 3873e2d7f63a ("drivers: PL011: refactor pl011_probe()") +Signed-off-by: Lino Sanfilippo +Link: https://lore.kernel.org/r/20211129174238.8333-1-LinoSanfilippo@gmx.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/amba-pl011.c | 27 +++------------------------ + 1 file changed, 3 insertions(+), 24 deletions(-) + +diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c +index b3cddcdcbdad0..61183e7ff0097 100644 +--- a/drivers/tty/serial/amba-pl011.c ++++ b/drivers/tty/serial/amba-pl011.c +@@ -2083,32 +2083,13 @@ static const char *pl011_type(struct uart_port *port) + return uap->port.type == PORT_AMBA ? uap->type : NULL; + } + +-/* +- * Release the memory region(s) being used by 'port' +- */ +-static void pl011_release_port(struct uart_port *port) +-{ +- release_mem_region(port->mapbase, SZ_4K); +-} +- +-/* +- * Request the memory region(s) being used by 'port' +- */ +-static int pl011_request_port(struct uart_port *port) +-{ +- return request_mem_region(port->mapbase, SZ_4K, "uart-pl011") +- != NULL ? 0 : -EBUSY; +-} +- + /* + * Configure/autoconfigure the port. + */ + static void pl011_config_port(struct uart_port *port, int flags) + { +- if (flags & UART_CONFIG_TYPE) { ++ if (flags & UART_CONFIG_TYPE) + port->type = PORT_AMBA; +- pl011_request_port(port); +- } + } + + /* +@@ -2123,6 +2104,8 @@ static int pl011_verify_port(struct uart_port *port, struct serial_struct *ser) + ret = -EINVAL; + if (ser->baud_base < 9600) + ret = -EINVAL; ++ if (port->mapbase != (unsigned long) ser->iomem_base) ++ ret = -EINVAL; + return ret; + } + +@@ -2140,8 +2123,6 @@ static const struct uart_ops amba_pl011_pops = { + .flush_buffer = pl011_dma_flush_buffer, + .set_termios = pl011_set_termios, + .type = pl011_type, +- .release_port = pl011_release_port, +- .request_port = pl011_request_port, + .config_port = pl011_config_port, + .verify_port = pl011_verify_port, + #ifdef CONFIG_CONSOLE_POLL +@@ -2171,8 +2152,6 @@ static const struct uart_ops sbsa_uart_pops = { + .shutdown = sbsa_uart_shutdown, + .set_termios = sbsa_uart_set_termios, + .type = pl011_type, +- .release_port = pl011_release_port, +- .request_port = pl011_request_port, + .config_port = pl011_config_port, + .verify_port = pl011_verify_port, + #ifdef CONFIG_CONSOLE_POLL +-- +2.34.1 + diff --git a/queue-5.10/serial-core-keep-mctrl-register-state-and-cached-cop.patch b/queue-5.10/serial-core-keep-mctrl-register-state-and-cached-cop.patch new file mode 100644 index 00000000000..ec24210509c --- /dev/null +++ b/queue-5.10/serial-core-keep-mctrl-register-state-and-cached-cop.patch @@ -0,0 +1,53 @@ +From 148db6a691bf78d59ab2018e28749a0dac00a495 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Jan 2022 18:52:44 +0100 +Subject: serial: core: Keep mctrl register state and cached copy in sync + +From: Lukas Wunner + +[ Upstream commit 93a770b7e16772530196674ffc79bb13fa927dc6 ] + +struct uart_port contains a cached copy of the Modem Control signals. +It is used to skip register writes in uart_update_mctrl() if the new +signal state equals the old signal state. It also avoids a register +read to obtain the current state of output signals. + +When a uart_port is registered, uart_configure_port() changes signal +state but neglects to keep the cached copy in sync. That may cause +a subsequent register write to be incorrectly skipped. Fix it before +it trips somebody up. + +This behavior has been present ever since the serial core was introduced +in 2002: +https://git.kernel.org/history/history/c/33c0d1b0c3eb + +So far it was never an issue because the cached copy is initialized to 0 +by kzalloc() and when uart_configure_port() is executed, at most DTR has +been set by uart_set_options() or sunsu_console_setup(). Therefore, +a stable designation seems unnecessary. + +Signed-off-by: Lukas Wunner +Link: https://lore.kernel.org/r/bceeaba030b028ed810272d55d5fc6f3656ddddb.1641129752.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/serial_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c +index 046bedca7b8f5..55108db5b64bf 100644 +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -2414,7 +2414,8 @@ uart_configure_port(struct uart_driver *drv, struct uart_state *state, + * We probably don't need a spinlock around this, but + */ + spin_lock_irqsave(&port->lock, flags); +- port->ops->set_mctrl(port, port->mctrl & TIOCM_DTR); ++ port->mctrl &= TIOCM_DTR; ++ port->ops->set_mctrl(port, port->mctrl); + spin_unlock_irqrestore(&port->lock, flags); + + /* +-- +2.34.1 + diff --git a/queue-5.10/serial-pl010-drop-cr-register-reset-on-set_termios.patch b/queue-5.10/serial-pl010-drop-cr-register-reset-on-set_termios.patch new file mode 100644 index 00000000000..7dc9c21007b --- /dev/null +++ b/queue-5.10/serial-pl010-drop-cr-register-reset-on-set_termios.patch @@ -0,0 +1,58 @@ +From 85e46a962b2c31cd85c3eb3fcf895ab6c12e8ecd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Jan 2022 18:42:44 +0100 +Subject: serial: pl010: Drop CR register reset on set_termios + +From: Lukas Wunner + +[ Upstream commit 08a0c6dff91c965e39905cf200d22db989203ccb ] + +pl010_set_termios() briefly resets the CR register to zero. + +Where does this register write come from? + +The PL010 driver's IRQ handler ambauart_int() originally modified the CR +register without holding the port spinlock. ambauart_set_termios() also +modified that register. To prevent concurrent read-modify-writes by the +IRQ handler and to prevent transmission while changing baudrate, +ambauart_set_termios() had to disable interrupts. That is achieved by +writing zero to the CR register. + +However in 2004 the PL010 driver was amended to acquire the port +spinlock in the IRQ handler, obviating the need to disable interrupts in +->set_termios(): +https://git.kernel.org/history/history/c/157c0342e591 + +That rendered the CR register write obsolete. Drop it. + +Cc: Russell King +Signed-off-by: Lukas Wunner +Link: https://lore.kernel.org/r/fcaff16e5b1abb4cc3da5a2879ac13f278b99ed0.1641128728.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/amba-pl010.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/tty/serial/amba-pl010.c b/drivers/tty/serial/amba-pl010.c +index 3284f34e9dfe1..75d61e038a775 100644 +--- a/drivers/tty/serial/amba-pl010.c ++++ b/drivers/tty/serial/amba-pl010.c +@@ -448,14 +448,11 @@ pl010_set_termios(struct uart_port *port, struct ktermios *termios, + if ((termios->c_cflag & CREAD) == 0) + uap->port.ignore_status_mask |= UART_DUMMY_RSR_RX; + +- /* first, disable everything */ + old_cr = readb(uap->port.membase + UART010_CR) & ~UART010_CR_MSIE; + + if (UART_ENABLE_MS(port, termios->c_cflag)) + old_cr |= UART010_CR_MSIE; + +- writel(0, uap->port.membase + UART010_CR); +- + /* Set baud rate */ + quot -= 1; + writel((quot & 0xf00) >> 8, uap->port.membase + UART010_LCRM); +-- +2.34.1 + diff --git a/queue-5.10/series b/queue-5.10/series index 06b96d9d3af..acc3c44a41b 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -3,3 +3,402 @@ hid-uhid-fix-worker-destroying-device-without-any-protection.patch hid-wacom-reset-expected-and-received-contact-counts-at-the-same-time.patch hid-wacom-ignore-the-confidence-flag-when-a-touch-is-removed.patch hid-wacom-avoid-using-stale-array-indicies-to-read-contact-count.patch +bluetooth-l2cap-fix-not-initializing-sk_peer_pid.patch +drm-bridge-display-connector-fix-an-uninitialized-po.patch +drm-fix-null-ptr-deref-in-drm_dev_init_release.patch +drm-panel-kingdisplay-kd097d04-delete-panel-on-attac.patch +drm-panel-innolux-p079zca-delete-panel-on-attach-fai.patch +drm-rockchip-dsi-fix-unbalanced-clock-on-probe-error.patch +drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch +drm-rockchip-dsi-disable-pll-clock-on-bind-error.patch +bluetooth-cmtp-fix-possible-panic-when-cmtp_init_soc.patch +clk-bcm-2835-pick-the-closest-clock-rate.patch +clk-bcm-2835-remove-rounding-up-the-dividers.patch +drm-vc4-hdmi-set-a-default-hsm-rate.patch +wcn36xx-ensure-pairing-of-init_scan-finish_scan-and-.patch +wcn36xx-indicate-beacon-not-connection-loss-on-misse.patch +wcn36xx-fix-dma-channel-enable-disable-cycle.patch +wcn36xx-release-dma-channel-descriptor-allocations.patch +wcn36xx-put-dxe-block-into-reset-before-freeing-memo.patch +wcn36xx-populate-band-before-determining-rate-on-rx.patch +wcn36xx-fix-rx-bd-rate-mapping-for-5ghz-legacy-rates.patch +ath11k-send-ppdu_stats_cfg-with-proper-pdev-mask-to-.patch +mtd-hyperbus-rpc-if-check-return-value-of-rpcif_sw_i.patch +media-videobuf2-fix-the-size-printk-format.patch +media-atomisp-add-missing-media_device_cleanup-in-at.patch +media-atomisp-fix-punit_ddr_dvfs_enable-argument-for.patch +media-atomisp-fix-inverted-logic-in-buffers_needed.patch +media-atomisp-do-not-use-err-var-when-checking-port-.patch +media-atomisp-fix-inverted-error-check-for-ia_css_mi.patch +media-atomisp-fix-ifdefs-in-sh_css.c.patch +media-staging-media-atomisp-pci-balance-braces-aroun.patch +media-atomisp-add-null-check-for-asd-obtained-from-a.patch +media-atomisp-fix-enum-formats-logic.patch +media-atomisp-fix-uninitialized-bug-in-gmin_get_pmic.patch +media-aspeed-fix-mode-detect-always-time-out-at-2nd-.patch +media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch +media-aspeed-update-signal-status-immediately-to-ens.patch +arm64-dts-amlogic-meson-g12-fix-gpu-operating-point-.patch +arm64-dts-amlogic-fix-spi-nor-flash-node-name-for-od.patch +arm64-dts-meson-gxbb-wetek-fix-hdmi-in-early-boot.patch +arm64-dts-meson-gxbb-wetek-fix-missing-gpio-binding.patch +fs-dlm-use-sk-sk_socket-instead-of-con-sock.patch +fs-dlm-don-t-call-kernel_getpeername-in-error_report.patch +memory-renesas-rpc-if-return-error-in-case-devm_iore.patch +bluetooth-stop-proccessing-malicious-adv-data.patch +ath11k-fix-etsi-regd-with-weather-radar-overlap.patch +ath11k-clear-the-keys-properly-via-disable_key.patch +ath11k-reset-rsn-wpa-present-state-for-open-bss.patch +tee-fix-put-order-in-teedev_close_context.patch +fs-dlm-fix-build-with-config_ipv6-disabled.patch +drm-vboxvideo-fix-a-null-vs-is_err-check.patch +arm64-dts-renesas-cat875-add-rx-tx-delays.patch +media-dmxdev-fix-uaf-when-dvb_register_device-fails.patch +crypto-qce-fix-uaf-on-qce_ahash_register_one.patch +crypto-qce-fix-uaf-on-qce_skcipher_register_one.patch +mtd-hyperbus-rpc-if-fix-bug-in-rpcif_hb_remove.patch +arm-dts-stm32-fix-dtbs_check-warning-on-ili9341-dts-.patch +crypto-qat-fix-spelling-mistake-messge-message.patch +crypto-qat-remove-unnecessary-collision-prevention-s.patch +crypto-qat-make-pfvf-send-message-direction-agnostic.patch +crypto-qat-fix-undetected-pfvf-timeout-in-ack-loop.patch +ath11k-use-host-ce-parameters-for-ce-interrupts-conf.patch +arm64-dts-ti-k3-j721e-correct-cache-sets-info.patch +tty-serial-atmel-check-return-code-of-dmaengine_subm.patch +tty-serial-atmel-call-dma_async_issue_pending.patch +mfd-atmel-flexcom-remove-ifdef-config_pm_sleep.patch +mfd-atmel-flexcom-use-.resume_noirq.patch +media-rcar-csi2-correct-the-selection-of-hsfreqrange.patch +media-imx-pxp-initialize-the-spinlock-prior-to-using.patch +media-si470x-i2c-fix-possible-memory-leak-in-si470x_.patch +media-mtk-vcodec-call-v4l2_m2m_ctx_release-first-whe.patch +media-coda-fix-coda960-jpeg-encoder-buffer-overflow.patch +media-venus-pm_helpers-control-core-power-domain-man.patch +media-venus-core-venc-vdec-fix-probe-dependency-erro.patch +media-venus-core-fix-a-potential-null-pointer-derefe.patch +media-venus-core-fix-a-resource-leak-in-the-error-ha.patch +thermal-drivers-imx-implement-runtime-pm-support.patch +netfilter-bridge-add-support-for-pppoe-filtering.patch +arm64-dts-qcom-msm8916-fix-mmc-controller-aliases.patch +cgroup-trace-event-cgroup-id-fields-should-be-u64.patch +acpi-ec-rework-flushing-of-ec-work-while-suspended-t.patch +thermal-drivers-imx8mm-enable-adc-when-enabling-moni.patch +drm-amdgpu-fix-a-null-pointer-dereference-in-amdgpu_.patch +drm-radeon-radeon_kms-fix-a-null-pointer-dereference.patch +arm64-dts-ti-k3-j7200-fix-the-l2-cache-sets.patch +arm64-dts-ti-k3-j721e-fix-the-l2-cache-sets.patch +arm64-dts-ti-k3-j7200-correct-the-d-cache-sets-info.patch +tty-serial-uartlite-allow-64-bit-address.patch +serial-amba-pl011-do-not-request-memory-region-twice.patch +floppy-fix-hang-in-watchdog-when-disk-is-ejected.patch +staging-rtl8192e-return-error-code-from-rtllib_softm.patch +staging-rtl8192e-rtllib_module-fix-error-handle-case.patch +bluetooth-btmtksdio-fix-resume-failure.patch +sched-fair-fix-detection-of-per-cpu-kthreads-waking-.patch +sched-fair-fix-per-cpu-kthread-and-wakee-stacking-fo.patch +bpf-adjust-btf-log-size-limit.patch +bpf-disallow-bpf_log_kernel-log-level-for-bpf-bpf_bt.patch +bpf-remove-config-check-to-enable-bpf-support-for-br.patch +arm64-lib-annotate-clear-copy-_page-as-position-inde.patch +arm64-clear_page-shouldn-t-use-dc-zva-when-dczid_el0.patch +media-dib8000-fix-a-memleak-in-dib8000_init.patch +media-saa7146-mxb-fix-a-null-pointer-dereference-in-.patch +media-si2157-fix-warm-tuner-state-detection.patch +wireless-iwlwifi-fix-a-double-free-in-iwl_txq_dyn_al.patch +sched-rt-try-to-restart-rt-period-timer-when-rt-runt.patch +drm-msm-dp-displayport-driver-need-algorithm-rationa.patch +rcu-exp-mark-current-cpu-as-exp-qs-in-ipi-loop-secon.patch +mwifiex-fix-possible-abba-deadlock.patch +xfrm-fix-a-small-bug-in-xfrm_sa_len.patch +x86-uaccess-move-variable-into-switch-case-statement.patch +selftests-clone3-clone3-add-case-clone3_args_no_test.patch +selftests-harness-avoid-false-negatives-if-test-has-.patch +crypto-stm32-fix-last-sparse-warning-in-stm32_cryp_c.patch +crypto-stm32-cryp-fix-ctr-counter-carry.patch +crypto-stm32-cryp-fix-xts-and-race-condition-in-cryp.patch +crypto-stm32-cryp-check-early-input-data.patch +crypto-stm32-cryp-fix-double-pm-exit.patch +crypto-stm32-cryp-fix-lrw-chaining-mode.patch +crypto-stm32-cryp-fix-bugs-and-crash-in-tests.patch +crypto-stm32-revert-broken-pm_runtime_resume_and_get.patch +ath11k-fix-deleting-uninitialized-kernel-timer-durin.patch +arm-dts-gemini-nas4220-b-fis-index-block-with-128-ki.patch +media-dw2102-fix-use-after-free.patch +media-msi001-fix-possible-null-ptr-deref-in-msi001_p.patch +media-coda-imx-vdoa-handle-dma_set_coherent_mask-err.patch +ath11k-fix-a-null-pointer-dereference-in-ath11k_mac_.patch +arm64-dts-qcom-c630-fix-soundcard-setup.patch +arm64-dts-qcom-ipq6018-fix-gpio-ranges-property.patch +drm-msm-dpu-fix-safe-status-debugfs-file.patch +drm-bridge-ti-sn65dsi86-set-max-register-for-regmap.patch +drm-tegra-vic-fix-dma-api-misuse.patch +media-hantro-fix-probe-func-error-path.patch +xfrm-interface-with-if_id-0-should-return-error.patch +xfrm-state-and-policy-should-fail-if-xfrma_if_id-0.patch +arm-9159-1-decompressor-avoid-unpredictable-nop-enco.patch +usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch +arm64-dts-marvell-cn9130-add-gpio-and-spi-aliases.patch +arm64-dts-marvell-cn9130-enable-cp0-gpio-controllers.patch +arm-dts-armada-38x-add-generic-compatible-to-uart-no.patch +iwlwifi-mvm-fix-32-bit-build-in-ftm.patch +iwlwifi-mvm-test-roc-running-status-bits-before-remo.patch +mmc-meson-mx-sdhc-add-irq-check.patch +mmc-meson-mx-sdio-add-irq-check.patch +selinux-fix-potential-memleak-in-selinux_add_opt.patch +um-fix-ndelay-udelay-defines.patch +um-virtio_uml-fix-time-travel-external-time-propagat.patch +bluetooth-l2cap-fix-using-wrong-mode.patch +bpftool-enable-line-buffering-for-stdout.patch +backlight-qcom-wled-validate-enabled-string-indices-.patch +backlight-qcom-wled-pass-number-of-elements-to-read-.patch +backlight-qcom-wled-fix-off-by-one-maximum-with-defa.patch +backlight-qcom-wled-override-default-length-with-qco.patch +backlight-qcom-wled-use-cpu_to_le16-macro-to-perform.patch +backlight-qcom-wled-respect-enabled-strings-in-set_b.patch +software-node-fix-wrong-node-passed-to-find-nargs_pr.patch +bluetooth-hci_qca-stop-ibs-timer-during-bt-off.patch +x86-boot-compressed-move-clang_flags-to-beginning-of.patch +hwmon-mr75203-fix-wrong-power-up-delay-value.patch +x86-mce-inject-avoid-out-of-bounds-write-when-settin.patch +acpi-scan-create-platform-device-for-bcm4752-and-lnv.patch +pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch +pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch-3767 +power-reset-mt6397-check-for-null-res-pointer.patch +netfilter-ipt_clusterip-fix-refcount-leak-in-cluster.patch +bpf-don-t-promote-bogus-looking-registers-after-null.patch +bpf-fix-so_rcvbuf-so_sndbuf-handling-in-_bpf_setsock.patch +netfilter-nft_set_pipapo-allocate-pcpu-scratch-maps-.patch +ppp-ensure-minimum-packet-size-in-ppp_write.patch +rocker-fix-a-sleeping-in-atomic-bug.patch +staging-greybus-audio-check-null-pointer.patch +fsl-fman-check-for-null-pointer-after-calling-devm_i.patch +bluetooth-hci_bcm-check-for-error-irq.patch +bluetooth-hci_qca-fix-null-vs-is_err_or_null-check-i.patch +usb-dwc3-qcom-fix-null-vs-is_err-checking-in-dwc3_qc.patch +hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch +hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-21754 +hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-27529 +hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-23659 +debugfs-lockdown-allow-reading-debugfs-files-that-ar.patch +net-mlx5e-fix-page-dma-map-unmap-attributes.patch +net-mlx5e-don-t-block-routes-with-nexthop-objects-in.patch +revert-net-mlx5e-block-offload-of-outer-header-csum-.patch +net-mlx5-set-command-entry-semaphore-up-once-got-ind.patch +lib-mpi-add-the-return-value-check-of-kcalloc.patch +bluetooth-l2cap-uninitialized-variables-in-l2cap_soc.patch +spi-spi-meson-spifc-add-missing-pm_runtime_disable-i.patch +ax25-uninitialized-variable-in-ax25_setsockopt.patch +netrom-fix-api-breakage-in-nr_setsockopt.patch +regmap-call-regmap_debugfs_exit-prior-to-_init.patch +can-mcp251xfd-add-missing-newline-to-printed-strings.patch +tpm-add-request_locality-before-write-tpm_int_enable.patch +tpm_tis-fix-an-error-handling-path-in-tpm_tis_core_i.patch +can-softing-softing_startstop-fix-set-but-not-used-v.patch +can-xilinx_can-xcan_probe-check-for-error-irq.patch +pcmcia-fix-setting-of-kthread-task-states.patch +iwlwifi-mvm-use-div_s64-instead-of-do_div-in-iwl_mvm.patch +net-mcs7830-handle-usb-read-errors-properly.patch +ext4-avoid-trim-error-on-fs-with-small-groups.patch +alsa-jack-add-missing-rwsem-around-snd_ctl_remove-ca.patch +alsa-pcm-add-missing-rwsem-around-snd_ctl_remove-cal.patch +alsa-hda-add-missing-rwsem-around-snd_ctl_remove-cal.patch +rdma-bnxt_re-scan-the-whole-bitmap-when-checking-if-.patch +rdma-hns-validate-the-pkey-index.patch +scsi-pm80xx-update-warn_on-check-in-pm8001_mpi_build.patch +clk-imx8mn-fix-imx8mn_clko1_sels.patch +powerpc-prom_init-fix-improper-check-of-prom_getprop.patch +asoc-uniphier-drop-selecting-non-existing-snd_soc_un.patch +dt-bindings-thermal-fix-definition-of-cooling-maps-c.patch +powerpc-64s-convert-some-cpu_setup-and-cpu_restore-f.patch +powerpc-perf-mmcr0-control-for-pmu-registers-under-p.patch +powerpc-perf-move-perf-irq-nmi-handling-details-into.patch +powerpc-irq-add-helper-to-set-regs-softe.patch +powerpc-perf-fix-pmu-callbacks-to-clear-pending-pmi-.patch +powerpc-32s-fix-shift-out-of-bounds-in-kasan-init.patch +clocksource-reduce-clocksource-skew-threshold.patch +clocksource-avoid-accidental-unstable-marking-of-clo.patch +alsa-oss-fix-compile-error-when-oss_debug-is-enabled.patch +alsa-usb-audio-drop-superfluous-0-in-presonus-studio.patch +char-mwave-adjust-io-port-register-size.patch +binder-fix-handling-of-error-during-copy.patch +openrisc-add-clone3-abi-wrapper.patch +uio-uio_dmem_genirq-catch-the-exception.patch +iommu-io-pgtable-arm-fix-table-descriptor-paddr-form.patch +scsi-ufs-fix-race-conditions-related-to-driver-data.patch +rdma-qedr-fix-reporting-max_-send-recv-_wr-attrs.patch +pci-msi-fix-pci_irq_vector-pci_irq_get_affinity.patch +powerpc-powermac-add-additional-missing-lockdep_regi.patch +rdma-core-let-ib_find_gid-continue-search-even-after.patch +rdma-cma-let-cma_resolve_ib_dev-continue-search-even.patch +asoc-rt5663-handle-device_property_read_u32_array-er.patch +of-unittest-fix-warning-on-powerpc-frame-size-warnin.patch +of-unittest-64-bit-dma-address-test-requires-arch-su.patch +clk-stm32-fix-ltdc-s-clock-turn-off-by-clk_disable_u.patch +mips-add-sys_has_cpu_mips64_r5-config-for-mips-relea.patch +mips-fix-kconfig-reference-to-phys_addr_t_64bit.patch +dmaengine-pxa-mmp-stop-referencing-config-slave_id.patch +iommu-amd-remove-iommu_init_ga.patch +iommu-amd-restore-ga-log-tail-pointer-on-host-resume.patch +asoc-intel-catpt-test-dmaengine_submit-result-before.patch +iommu-iova-fix-race-between-fq-timeout-and-teardown.patch +scsi-block-pm-always-set-request-queue-runtime-activ.patch +phy-uniphier-usb3ss-fix-unintended-writing-zeros-to-.patch +asoc-mediatek-check-for-error-clk-pointer.patch +asoc-samsung-idma-check-of-ioremap-return-value.patch +misc-lattice-ecp3-config-fix-task-hung-when-firmware.patch +counter-stm32-lptimer-cnt-remove-iio-counter-abi.patch +arm64-tegra-fix-tegra194-hda-clock-reset-names-order.patch +arm64-tegra-remove-non-existent-tegra194-reset.patch +mips-lantiq-add-support-for-clk_set_parent.patch +mips-bcm63xx-add-support-for-clk_set_parent.patch +powerpc-xive-add-missing-null-check-after-calling-km.patch +asoc-fsl_mqs-fix-module_alias.patch +rdma-cxgb4-set-queue-pair-state-when-being-queried.patch +asoc-fsl_asrc-refine-the-check-of-available-clock-di.patch +clk-bm1880-remove-kfrees-on-static-allocations.patch +of-base-fix-phandle-argument-length-mismatch-error-m.patch +arm-dts-omap3-n900-fix-lp5523-for-multi-color.patch +bluetooth-fix-debugfs-entry-leak-in-hci_register_dev.patch +fs-dlm-filter-user-dlm-messages-for-kernel-locks.patch +libbpf-validate-that-.btf-and-.btf.ext-sections-cont.patch +drm-lima-fix-warning-when-config_debug_sg-y-config_d.patch +selftests-bpf-fix-bpf_object-leak-in-skb_ctx-selftes.patch +ar5523-fix-null-ptr-deref-with-unexpected-wdcmsg_tar.patch +drm-bridge-dw-hdmi-handle-eld-when-drm_bridge_attach.patch +drm-nouveau-pmu-gm200-avoid-touching-pmu-outside-of-.patch +media-atomisp-fix-try_fmt-logic.patch +media-atomisp-set-per-device-s-default-mode.patch +media-atomisp-ov2680-fix-ov2680_set_fmt-clobbering-t.patch +arm-shmobile-rcar-gen2-add-missing-of_node_put.patch +batman-adv-allow-netlink-usage-in-unprivileged-conta.patch +media-atomisp-handle-errors-at-sh_css_create_isp_par.patch +ath11k-fix-crash-caused-by-uninitialized-tx-ring.patch +usb-gadget-f_fs-use-stream_open-for-endpoint-files.patch +drm-panel-orientation-quirks-add-quirk-for-the-lenov.patch +hid-apple-do-not-reset-quirks-when-the-fn-key-is-not.patch +media-b2c2-add-missing-check-in-flexcop_pci_isr.patch +edac-synopsys-use-the-quirk-for-version-instead-of-d.patch +arm-imx-rename-debug_imx21_imx27_uart-to-debug_imx27.patch +drm-amd-display-check-top_pipe_to_program-pointer.patch +drm-amdgpu-display-set-vblank_disable_immediate-for-.patch +soc-ti-pruss-fix-referenced-node-in-error-message.patch +mlxsw-pci-add-shutdown-method-in-pci-driver.patch +drm-bridge-megachips-ensure-both-bridges-are-probed-.patch +tty-serial-imx-disable-ucr4_oren-in-.stop_rx-instead.patch +gpiolib-acpi-do-not-set-the-irq-type-if-the-irq-is-a.patch +hsi-core-fix-return-freed-object-in-hsi_new_client.patch +crypto-jitter-consider-32-lsb-for-apt.patch +mwifiex-fix-skb_over_panic-in-mwifiex_usb_recv.patch +rsi-fix-use-after-free-in-rsi_rx_done_handler.patch +rsi-fix-out-of-bounds-read-in-rsi_read_pkt.patch +ath11k-avoid-null-ptr-access-during-mgmt-tx-cleanup.patch +media-venus-avoid-calling-core_clk_setrate-concurren.patch +acpi-x86-drop-pwm2-device-on-lenovo-yoga-book-from-a.patch +acpi-change-acpi_device_always_present-into-acpi_dev.patch +acpi-x86-allow-specifying-acpi_device_override_statu.patch +acpi-x86-add-not-present-quirk-for-the-pci0.sdhb.brc.patch +arm64-dts-ti-j7200-main-fix-dtbs_check-serdes_ln_ctr.patch +usb-uhci-add-aspeed-ast2600-uhci-support.patch +floppy-add-max-size-check-for-user-space-request.patch +x86-mm-flush-global-tlb-when-switching-to-trampoline.patch +drm-rcar-du-fix-crtc-timings-when-cmm-is-used.patch +media-uvcvideo-increase-uvc_ctrl_control_timeout-to-.patch +media-rcar-vin-update-format-alignment-constraints.patch +media-saa7146-hexium_orion-fix-a-null-pointer-derefe.patch +media-m920x-don-t-use-stack-on-usb-reads.patch +thunderbolt-runtime-pm-activate-both-ends-of-the-dev.patch +iwlwifi-mvm-synchronize-with-fw-after-multicast-comm.patch +iwlwifi-mvm-avoid-clearing-a-just-saved-session-prot.patch +ath11k-avoid-deadlock-by-change-ieee80211_queue_work.patch +ath10k-fix-tx-hanging.patch +net-sysfs-update-the-queue-counts-in-the-unregistrat.patch +net-phy-prefer-1000baset-over-1000basekx.patch +gpio-aspeed-convert-aspeed_gpio.lock-to-raw_spinlock.patch +selftests-ftrace-make-kprobe-profile-testcase-descri.patch +ath11k-avoid-false-deadlock-warning-reported-by-lock.patch +x86-mce-allow-instrumentation-during-task-work-queue.patch +x86-mce-mark-mce_panic-noinstr.patch +x86-mce-mark-mce_end-noinstr.patch +x86-mce-mark-mce_read_aux-noinstr.patch +net-bonding-debug-avoid-printing-debug-logs-when-bon.patch +bpf-do-not-warn-in-bpf_warn_invalid_xdp_action.patch +hid-quirks-allow-inverting-the-absolute-x-y-values.patch +media-igorplugusb-receiver-overflow-should-be-report.patch +media-saa7146-hexium_gemini-fix-a-null-pointer-deref.patch +mmc-core-fixup-storing-of-ocr-for-mmc_quirk_nonstd_s.patch +audit-ensure-userspace-is-penalized-the-same-as-the-.patch +arm64-dts-ls1028a-qds-move-rtc-node-to-the-correct-i.patch +arm64-tegra-adjust-length-of-ccplex-cluster-mmio-reg.patch +pm-runtime-add-safety-net-to-supplier-device-release.patch +cpufreq-fix-initialization-of-min-and-max-frequency-.patch +usb-hub-add-delay-for-superspeed-hub-resume-to-let-l.patch +ath9k-fix-out-of-bound-memcpy-in-ath9k_hif_usb_rx_st.patch +rtw88-8822c-update-rx-settings-to-prevent-potential-.patch +pm-avs-qcom-cpr-use-div64_ul-instead-of-do_div.patch +iwlwifi-fix-leaks-bad-data-after-failed-firmware-loa.patch +iwlwifi-remove-module-loading-failure-message.patch +iwlwifi-mvm-fix-calculation-of-frame-length.patch +iwlwifi-pcie-make-sure-prph_info-is-set-when-treatin.patch +um-registers-rename-function-names-to-avoid-conflict.patch +ath11k-fix-napi-related-hang.patch +bluetooth-vhci-set-hci_quirk_valid_le_states.patch +xfrm-rate-limit-sa-mapping-change-message-to-user-sp.patch +drm-etnaviv-consider-completed-fence-seqno-in-hang-c.patch +jffs2-gc-deadlock-reading-a-page-that-is-used-in-jff.patch +acpica-actypes.h-expand-the-acpi_access_-definitions.patch +acpica-utilities-avoid-deleting-the-same-object-twic.patch +acpica-executer-fix-the-refclass_refof-case-in-acpi_.patch +acpica-fix-wrong-interpretation-of-pcc-address.patch +acpica-hardware-do-not-flush-cpu-cache-when-entering.patch +drm-amdgpu-fixup-bad-vram-size-on-gmc-v8.patch +mfd-intel_soc_pmic-use-cpu-id-check-instead-of-_hrv-.patch +amdgpu-pm-make-sysfs-pm-attributes-as-read-only-for-.patch +acpi-battery-add-the-thinkpad-not-charging-quirk.patch +btrfs-remove-bug_on-in-find_parent_nodes.patch +btrfs-remove-bug_on-eie-in-find_parent_nodes.patch +net-mdio-demote-probed-message-to-debug-print.patch +mac80211-allow-non-standard-vht-mcs-10-11.patch +dm-btree-add-a-defensive-bounds-check-to-insert_at.patch +dm-space-map-common-add-bounds-check-to-sm_ll_lookup.patch +mlxsw-pci-avoid-flow-control-for-emad-packets.patch +net-phy-marvell-configure-rgmii-delays-for-88e1118.patch +net-gemini-allow-any-rgmii-interface-mode.patch +regulator-qcom_smd-align-probe-function-with-rpmh-re.patch +serial-pl010-drop-cr-register-reset-on-set_termios.patch +serial-core-keep-mctrl-register-state-and-cached-cop.patch +random-do-not-throw-away-excess-input-to-crng_fast_l.patch +parisc-avoid-calling-faulthandler_disabled-twice.patch +scripts-sphinx-pre-install-fix-ctex-support-on-debia.patch +x86-kbuild-enable-config_kallsyms_all-y-in-the-defco.patch +alsa-usb-audio-fix-db-level-of-bose-revolve-soundlin.patch +powerpc-6xx-add-missing-of_node_put.patch +powerpc-powernv-add-missing-of_node_put.patch +powerpc-cell-add-missing-of_node_put.patch +powerpc-btext-add-missing-of_node_put.patch +powerpc-watchdog-fix-missed-watchdog-reset-due-to-me.patch +i2c-i801-don-t-silently-correct-invalid-transfer-siz.patch +powerpc-smp-move-setup_profiling_timer-under-config_.patch +i2c-mpc-correct-i2c-reset-procedure.patch +clk-meson-gxbb-fix-the-sdm_en-bit-for-mpll0-on-gxbb.patch +powerpc-powermac-add-missing-lockdep_register_key.patch +kvm-ppc-book3s-suppress-warnings-when-allocating-too.patch +kvm-ppc-book3s-suppress-failed-alloc-warning-in-h_co.patch +w1-misuse-of-get_user-put_user-reported-by-sparse.patch +nvmem-core-set-size-for-sysfs-bin-file.patch +dm-fix-alloc_dax-error-handling-in-alloc_dev.patch +scsi-lpfc-trigger-sli4-firmware-dump-before-doing-dr.patch +alsa-seq-set-upper-limit-of-processed-events.patch +mips-loongson64-use-three-arguments-for-slti.patch +powerpc-40x-map-32mbytes-of-memory-at-startup.patch +selftests-powerpc-spectre_v2-return-skip-code-when-m.patch +powerpc-handle-kdump-appropriately-with-crash_kexec_.patch +powerpc-fadump-fix-inaccurate-cpu-state-info-in-vmco.patch +udf-fix-error-handling-in-udf_new_inode.patch +mips-octeon-add-put_device-after-of_find_device_by_n.patch +irqchip-gic-v4-disable-redistributors-view-of-the-vp.patch +i2c-designware-pci-fix-to-change-data-types-of-hcnt-.patch +mips-octeon-fix-build-errors-using-clang.patch +scsi-sr-don-t-use-gfp_dma.patch +asoc-mediatek-mt8173-fix-device_node-leak.patch +asoc-mediatek-mt8183-fix-device_node-leak.patch +phy-mediatek-fix-missing-check-in-mtk_mipi_tx_probe.patch diff --git a/queue-5.10/soc-ti-pruss-fix-referenced-node-in-error-message.patch b/queue-5.10/soc-ti-pruss-fix-referenced-node-in-error-message.patch new file mode 100644 index 00000000000..bccad89cf83 --- /dev/null +++ b/queue-5.10/soc-ti-pruss-fix-referenced-node-in-error-message.patch @@ -0,0 +1,36 @@ +From 1cfb9a29f513612b0d1b4f5627610e181b194b05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 20:08:28 +0200 +Subject: soc: ti: pruss: fix referenced node in error message + +From: Jan Kiszka + +[ Upstream commit 8aa35e0bb5eaa42bac415ad0847985daa7b4890c ] + +So far, "(null)" is reported for the node that is missing clocks. + +Signed-off-by: Jan Kiszka +Acked-by: Suman Anna +Signed-off-by: Nishanth Menon +Link: https://lore.kernel.org/r/d6e24953-ea89-fd1c-6e16-7a0142118054@siemens.com +Signed-off-by: Sasha Levin +--- + drivers/soc/ti/pruss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/ti/pruss.c b/drivers/soc/ti/pruss.c +index cc0b4ad7a3d34..30695172a508f 100644 +--- a/drivers/soc/ti/pruss.c ++++ b/drivers/soc/ti/pruss.c +@@ -131,7 +131,7 @@ static int pruss_clk_init(struct pruss *pruss, struct device_node *cfg_node) + + clks_np = of_get_child_by_name(cfg_node, "clocks"); + if (!clks_np) { +- dev_err(dev, "%pOF is missing its 'clocks' node\n", clks_np); ++ dev_err(dev, "%pOF is missing its 'clocks' node\n", cfg_node); + return -ENODEV; + } + +-- +2.34.1 + diff --git a/queue-5.10/software-node-fix-wrong-node-passed-to-find-nargs_pr.patch b/queue-5.10/software-node-fix-wrong-node-passed-to-find-nargs_pr.patch new file mode 100644 index 00000000000..485e70ac888 --- /dev/null +++ b/queue-5.10/software-node-fix-wrong-node-passed-to-find-nargs_pr.patch @@ -0,0 +1,43 @@ +From f90a590e3a838bbb77def3fb08d0a544609a39c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 22:05:33 +0100 +Subject: software node: fix wrong node passed to find nargs_prop +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Clément Léger + +[ Upstream commit c5fc5ba8b6b7bebc05e45036a33405b4c5036c2f ] + +nargs_prop refers to a property located in the reference that is found +within the nargs property. Use the correct reference node in call to +property_entry_read_int_array() to retrieve the correct nargs value. + +Fixes: b06184acf751 ("software node: Add software_node_get_reference_args()") +Signed-off-by: Clément Léger +Reviewed-by: Sakari Ailus +Reviewed-by: Daniel Scally +Acked-by: Heikki Krogerus +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/base/swnode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c +index 206bd4d7d7e23..d2fb3eb5816c3 100644 +--- a/drivers/base/swnode.c ++++ b/drivers/base/swnode.c +@@ -519,7 +519,7 @@ software_node_get_reference_args(const struct fwnode_handle *fwnode, + return -ENOENT; + + if (nargs_prop) { +- error = property_entry_read_int_array(swnode->node->properties, ++ error = property_entry_read_int_array(ref->node->properties, + nargs_prop, sizeof(u32), + &nargs_prop_val, 1); + if (error) +-- +2.34.1 + diff --git a/queue-5.10/spi-spi-meson-spifc-add-missing-pm_runtime_disable-i.patch b/queue-5.10/spi-spi-meson-spifc-add-missing-pm_runtime_disable-i.patch new file mode 100644 index 00000000000..41459ec363e --- /dev/null +++ b/queue-5.10/spi-spi-meson-spifc-add-missing-pm_runtime_disable-i.patch @@ -0,0 +1,38 @@ +From aaeefb8b54c44a2e97e3f51e87321d96aba18fde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jan 2022 07:54:24 +0000 +Subject: spi: spi-meson-spifc: Add missing pm_runtime_disable() in + meson_spifc_probe + +From: Miaoqian Lin + +[ Upstream commit 69c1b87516e327a60b39f96b778fe683259408bf ] + +If the probe fails, we should use pm_runtime_disable() to balance +pm_runtime_enable(). +Add missing pm_runtime_disable() for meson_spifc_probe. + +Fixes: c3e4bc5434d2 ("spi: meson: Add support for Amlogic Meson SPIFC") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220107075424.7774-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-meson-spifc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi-meson-spifc.c b/drivers/spi/spi-meson-spifc.c +index 8eca6f24cb799..c8ed7815c4ba6 100644 +--- a/drivers/spi/spi-meson-spifc.c ++++ b/drivers/spi/spi-meson-spifc.c +@@ -349,6 +349,7 @@ static int meson_spifc_probe(struct platform_device *pdev) + return 0; + out_clk: + clk_disable_unprepare(spifc->clk); ++ pm_runtime_disable(spifc->dev); + out_err: + spi_master_put(master); + return ret; +-- +2.34.1 + diff --git a/queue-5.10/staging-greybus-audio-check-null-pointer.patch b/queue-5.10/staging-greybus-audio-check-null-pointer.patch new file mode 100644 index 00000000000..89e720b1350 --- /dev/null +++ b/queue-5.10/staging-greybus-audio-check-null-pointer.patch @@ -0,0 +1,91 @@ +From c0fb0b037ec1c5eeb809dca8c63de4be0febce45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jan 2022 23:06:28 +0800 +Subject: staging: greybus: audio: Check null pointer + +From: Jiasheng Jiang + +[ Upstream commit 2e81948177d769106754085c3e03534e6cc1f623 ] + +As the possible alloc failure of devm_kcalloc(), it could return null +pointer. +Therefore, 'strings' should be checked and return NULL if alloc fails to +prevent the dereference of the NULL pointer. +Also, the caller should also deal with the return value of the +gb_generate_enum_strings() and return -ENOMEM if returns NULL. +Moreover, because the memory allocated with devm_kzalloc() will be +freed automatically when the last reference to the device is dropped, +the 'gbe' in gbaudio_tplg_create_enum_kctl() and +gbaudio_tplg_create_enum_ctl() do not need to free manually. +But the 'control' in gbaudio_tplg_create_widget() and +gbaudio_tplg_process_kcontrols() has a specially error handle to +cleanup. +So it should be better to cleanup 'control' when fails. + +Fixes: e65579e335da ("greybus: audio: topology: Enable enumerated control support") +Reviewed-by: Alex Elder +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20220104150628.1987906-1-jiasheng@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/greybus/audio_topology.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/staging/greybus/audio_topology.c b/drivers/staging/greybus/audio_topology.c +index 2bb8e7b60e8d5..e1579f356af5c 100644 +--- a/drivers/staging/greybus/audio_topology.c ++++ b/drivers/staging/greybus/audio_topology.c +@@ -147,6 +147,9 @@ static const char **gb_generate_enum_strings(struct gbaudio_module_info *gb, + + items = le32_to_cpu(gbenum->items); + strings = devm_kcalloc(gb->dev, items, sizeof(char *), GFP_KERNEL); ++ if (!strings) ++ return NULL; ++ + data = gbenum->names; + + for (i = 0; i < items; i++) { +@@ -655,6 +658,8 @@ static int gbaudio_tplg_create_enum_kctl(struct gbaudio_module_info *gb, + /* since count=1, and reg is dummy */ + gbe->items = le32_to_cpu(gb_enum->items); + gbe->texts = gb_generate_enum_strings(gb, gb_enum); ++ if (!gbe->texts) ++ return -ENOMEM; + + /* debug enum info */ + dev_dbg(gb->dev, "Max:%d, name_length:%d\n", gbe->items, +@@ -862,6 +867,8 @@ static int gbaudio_tplg_create_enum_ctl(struct gbaudio_module_info *gb, + /* since count=1, and reg is dummy */ + gbe->items = le32_to_cpu(gb_enum->items); + gbe->texts = gb_generate_enum_strings(gb, gb_enum); ++ if (!gbe->texts) ++ return -ENOMEM; + + /* debug enum info */ + dev_dbg(gb->dev, "Max:%d, name_length:%d\n", gbe->items, +@@ -1072,6 +1079,10 @@ static int gbaudio_tplg_create_widget(struct gbaudio_module_info *module, + csize += le16_to_cpu(gbenum->names_length); + control->texts = (const char * const *) + gb_generate_enum_strings(module, gbenum); ++ if (!control->texts) { ++ ret = -ENOMEM; ++ goto error; ++ } + control->items = le32_to_cpu(gbenum->items); + } else { + csize = sizeof(struct gb_audio_control); +@@ -1181,6 +1192,10 @@ static int gbaudio_tplg_process_kcontrols(struct gbaudio_module_info *module, + csize += le16_to_cpu(gbenum->names_length); + control->texts = (const char * const *) + gb_generate_enum_strings(module, gbenum); ++ if (!control->texts) { ++ ret = -ENOMEM; ++ goto error; ++ } + control->items = le32_to_cpu(gbenum->items); + } else { + csize = sizeof(struct gb_audio_control); +-- +2.34.1 + diff --git a/queue-5.10/staging-rtl8192e-return-error-code-from-rtllib_softm.patch b/queue-5.10/staging-rtl8192e-return-error-code-from-rtllib_softm.patch new file mode 100644 index 00000000000..d7fa7142f95 --- /dev/null +++ b/queue-5.10/staging-rtl8192e-return-error-code-from-rtllib_softm.patch @@ -0,0 +1,71 @@ +From 66f23eb1575360c593be118f8162bd3b40b11d62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Dec 2021 11:07:02 +0800 +Subject: staging: rtl8192e: return error code from rtllib_softmac_init() + +From: Yang Yingliang + +[ Upstream commit 68bf78ff59a0891eb1239948e94ce10f73a9dd30 ] + +If it fails to allocate 'dot11d_info', rtllib_softmac_init() +should return error code. And remove unneccessary error message. + +Fixes: 94a799425eee ("From: wlanfae ") +Reviewed-by: Dan Carpenter +Reviewed-by: Pavel Skripkin +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20211202030704.2425621-2-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192e/rtllib.h | 2 +- + drivers/staging/rtl8192e/rtllib_softmac.c | 6 ++++-- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/staging/rtl8192e/rtllib.h b/drivers/staging/rtl8192e/rtllib.h +index 4cabaf21c1ca0..367db4acc7852 100644 +--- a/drivers/staging/rtl8192e/rtllib.h ++++ b/drivers/staging/rtl8192e/rtllib.h +@@ -1982,7 +1982,7 @@ void rtllib_softmac_xmit(struct rtllib_txb *txb, struct rtllib_device *ieee); + void rtllib_stop_send_beacons(struct rtllib_device *ieee); + void notify_wx_assoc_event(struct rtllib_device *ieee); + void rtllib_start_ibss(struct rtllib_device *ieee); +-void rtllib_softmac_init(struct rtllib_device *ieee); ++int rtllib_softmac_init(struct rtllib_device *ieee); + void rtllib_softmac_free(struct rtllib_device *ieee); + void rtllib_disassociate(struct rtllib_device *ieee); + void rtllib_stop_scan(struct rtllib_device *ieee); +diff --git a/drivers/staging/rtl8192e/rtllib_softmac.c b/drivers/staging/rtl8192e/rtllib_softmac.c +index 2c752ba5a802a..e8e72f79ca007 100644 +--- a/drivers/staging/rtl8192e/rtllib_softmac.c ++++ b/drivers/staging/rtl8192e/rtllib_softmac.c +@@ -2953,7 +2953,7 @@ void rtllib_start_protocol(struct rtllib_device *ieee) + } + } + +-void rtllib_softmac_init(struct rtllib_device *ieee) ++int rtllib_softmac_init(struct rtllib_device *ieee) + { + int i; + +@@ -2964,7 +2964,8 @@ void rtllib_softmac_init(struct rtllib_device *ieee) + ieee->seq_ctrl[i] = 0; + ieee->dot11d_info = kzalloc(sizeof(struct rt_dot11d_info), GFP_ATOMIC); + if (!ieee->dot11d_info) +- netdev_err(ieee->dev, "Can't alloc memory for DOT11D\n"); ++ return -ENOMEM; ++ + ieee->LinkDetectInfo.SlotIndex = 0; + ieee->LinkDetectInfo.SlotNum = 2; + ieee->LinkDetectInfo.NumRecvBcnInPeriod = 0; +@@ -3030,6 +3031,7 @@ void rtllib_softmac_init(struct rtllib_device *ieee) + + tasklet_setup(&ieee->ps_task, rtllib_sta_ps); + ++ return 0; + } + + void rtllib_softmac_free(struct rtllib_device *ieee) +-- +2.34.1 + diff --git a/queue-5.10/staging-rtl8192e-rtllib_module-fix-error-handle-case.patch b/queue-5.10/staging-rtl8192e-rtllib_module-fix-error-handle-case.patch new file mode 100644 index 00000000000..80e6b4dc42d --- /dev/null +++ b/queue-5.10/staging-rtl8192e-rtllib_module-fix-error-handle-case.patch @@ -0,0 +1,72 @@ +From 2649c46bc651f9cda1361bd9629878462f9925e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Dec 2021 11:07:03 +0800 +Subject: staging: rtl8192e: rtllib_module: fix error handle case in + alloc_rtllib() + +From: Yang Yingliang + +[ Upstream commit e730cd57ac2dfe94bca0f14a3be8e1b21de41a9c ] + +Some variables are leaked in the error handling in alloc_rtllib(), free +the variables in the error path. + +Fixes: 94a799425eee ("From: wlanfae ") +Reviewed-by: Dan Carpenter +Reviewed-by: Pavel Skripkin +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20211202030704.2425621-3-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192e/rtllib_module.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/staging/rtl8192e/rtllib_module.c b/drivers/staging/rtl8192e/rtllib_module.c +index 64d9feee1f392..f00ac94b2639b 100644 +--- a/drivers/staging/rtl8192e/rtllib_module.c ++++ b/drivers/staging/rtl8192e/rtllib_module.c +@@ -88,7 +88,7 @@ struct net_device *alloc_rtllib(int sizeof_priv) + err = rtllib_networks_allocate(ieee); + if (err) { + pr_err("Unable to allocate beacon storage: %d\n", err); +- goto failed; ++ goto free_netdev; + } + rtllib_networks_initialize(ieee); + +@@ -121,11 +121,13 @@ struct net_device *alloc_rtllib(int sizeof_priv) + ieee->hwsec_active = 0; + + memset(ieee->swcamtable, 0, sizeof(struct sw_cam_table) * 32); +- rtllib_softmac_init(ieee); ++ err = rtllib_softmac_init(ieee); ++ if (err) ++ goto free_crypt_info; + + ieee->pHTInfo = kzalloc(sizeof(struct rt_hi_throughput), GFP_KERNEL); + if (!ieee->pHTInfo) +- return NULL; ++ goto free_softmac; + + HTUpdateDefaultSetting(ieee); + HTInitializeHTInfo(ieee); +@@ -141,8 +143,14 @@ struct net_device *alloc_rtllib(int sizeof_priv) + + return dev; + +- failed: ++free_softmac: ++ rtllib_softmac_free(ieee); ++free_crypt_info: ++ lib80211_crypt_info_free(&ieee->crypt_info); ++ rtllib_networks_free(ieee); ++free_netdev: + free_netdev(dev); ++ + return NULL; + } + EXPORT_SYMBOL(alloc_rtllib); +-- +2.34.1 + diff --git a/queue-5.10/tee-fix-put-order-in-teedev_close_context.patch b/queue-5.10/tee-fix-put-order-in-teedev_close_context.patch new file mode 100644 index 00000000000..5d1869ac2f1 --- /dev/null +++ b/queue-5.10/tee-fix-put-order-in-teedev_close_context.patch @@ -0,0 +1,41 @@ +From 1bc155d52e36c194bbf36fce405b14696ba15158 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jun 2021 22:23:50 +0200 +Subject: tee: fix put order in teedev_close_context() + +From: Jens Wiklander + +[ Upstream commit f18397ab3ae23e8e43bba9986e66af6d4497f2ad ] + +Prior to this patch was teedev_close_context() calling tee_device_put() +before teedev_ctx_put() leading to teedev_ctx_release() accessing +ctx->teedev just after the reference counter was decreased on the +teedev. Fix this by calling teedev_ctx_put() before tee_device_put(). + +Fixes: 217e0250cccb ("tee: use reference counting for tee_context") +Reviewed-by: Sumit Garg +Signed-off-by: Jens Wiklander +Signed-off-by: Sasha Levin +--- + drivers/tee/tee_core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c +index 6ade4a5c48407..dfc239c64ce3c 100644 +--- a/drivers/tee/tee_core.c ++++ b/drivers/tee/tee_core.c +@@ -98,8 +98,10 @@ void teedev_ctx_put(struct tee_context *ctx) + + static void teedev_close_context(struct tee_context *ctx) + { +- tee_device_put(ctx->teedev); ++ struct tee_device *teedev = ctx->teedev; ++ + teedev_ctx_put(ctx); ++ tee_device_put(teedev); + } + + static int tee_open(struct inode *inode, struct file *filp) +-- +2.34.1 + diff --git a/queue-5.10/thermal-drivers-imx-implement-runtime-pm-support.patch b/queue-5.10/thermal-drivers-imx-implement-runtime-pm-support.patch new file mode 100644 index 00000000000..0899404977a --- /dev/null +++ b/queue-5.10/thermal-drivers-imx-implement-runtime-pm-support.patch @@ -0,0 +1,308 @@ +From a14e8334b6e37c9a595dd1b1c930a6ff1a1fb51d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 11:34:26 +0100 +Subject: thermal/drivers/imx: Implement runtime PM support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Oleksij Rempel + +[ Upstream commit 4cf2ddf16e175ee18c5c29865c32da7d6269cf44 ] + +Starting with commit d92ed2c9d3ff ("thermal: imx: Use driver's local +data to decide whether to run a measurement") this driver stared using +irq_enabled flag to make decision to power on/off the thermal +core. This triggered a regression, where after reaching critical +temperature, alarm IRQ handler set irq_enabled to false, disabled +thermal core and was not able read temperature and disable cooling +sequence. + +In case the cooling device is "CPU/GPU freq", the system will run with +reduce performance until next reboot. + +To solve this issue, we need to move all parts implementing hand made +runtime power management and let it handle actual runtime PM framework. + +Fixes: d92ed2c9d3ff ("thermal: imx: Use driver's local data to decide whether to run a measurement") +Signed-off-by: Oleksij Rempel +Tested-by: Petr BeneÅ¡ +Link: https://lore.kernel.org/r/20211117103426.81813-1-o.rempel@pengutronix.de +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/thermal/imx_thermal.c | 145 +++++++++++++++++++++------------- + 1 file changed, 91 insertions(+), 54 deletions(-) + +diff --git a/drivers/thermal/imx_thermal.c b/drivers/thermal/imx_thermal.c +index 2c7473d86a59b..16663373b6829 100644 +--- a/drivers/thermal/imx_thermal.c ++++ b/drivers/thermal/imx_thermal.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + #define REG_SET 0x4 + #define REG_CLR 0x8 +@@ -194,6 +195,7 @@ static struct thermal_soc_data thermal_imx7d_data = { + }; + + struct imx_thermal_data { ++ struct device *dev; + struct cpufreq_policy *policy; + struct thermal_zone_device *tz; + struct thermal_cooling_device *cdev; +@@ -252,44 +254,15 @@ static int imx_get_temp(struct thermal_zone_device *tz, int *temp) + const struct thermal_soc_data *soc_data = data->socdata; + struct regmap *map = data->tempmon; + unsigned int n_meas; +- bool wait, run_measurement; + u32 val; ++ int ret; + +- run_measurement = !data->irq_enabled; +- if (!run_measurement) { +- /* Check if a measurement is currently in progress */ +- regmap_read(map, soc_data->temp_data, &val); +- wait = !(val & soc_data->temp_valid_mask); +- } else { +- /* +- * Every time we measure the temperature, we will power on the +- * temperature sensor, enable measurements, take a reading, +- * disable measurements, power off the temperature sensor. +- */ +- regmap_write(map, soc_data->sensor_ctrl + REG_CLR, +- soc_data->power_down_mask); +- regmap_write(map, soc_data->sensor_ctrl + REG_SET, +- soc_data->measure_temp_mask); +- +- wait = true; +- } +- +- /* +- * According to the temp sensor designers, it may require up to ~17us +- * to complete a measurement. +- */ +- if (wait) +- usleep_range(20, 50); ++ ret = pm_runtime_resume_and_get(data->dev); ++ if (ret < 0) ++ return ret; + + regmap_read(map, soc_data->temp_data, &val); + +- if (run_measurement) { +- regmap_write(map, soc_data->sensor_ctrl + REG_CLR, +- soc_data->measure_temp_mask); +- regmap_write(map, soc_data->sensor_ctrl + REG_SET, +- soc_data->power_down_mask); +- } +- + if ((val & soc_data->temp_valid_mask) == 0) { + dev_dbg(&tz->device, "temp measurement never finished\n"); + return -EAGAIN; +@@ -328,6 +301,8 @@ static int imx_get_temp(struct thermal_zone_device *tz, int *temp) + enable_irq(data->irq); + } + ++ pm_runtime_put(data->dev); ++ + return 0; + } + +@@ -335,24 +310,16 @@ static int imx_change_mode(struct thermal_zone_device *tz, + enum thermal_device_mode mode) + { + struct imx_thermal_data *data = tz->devdata; +- struct regmap *map = data->tempmon; +- const struct thermal_soc_data *soc_data = data->socdata; + + if (mode == THERMAL_DEVICE_ENABLED) { +- regmap_write(map, soc_data->sensor_ctrl + REG_CLR, +- soc_data->power_down_mask); +- regmap_write(map, soc_data->sensor_ctrl + REG_SET, +- soc_data->measure_temp_mask); ++ pm_runtime_get(data->dev); + + if (!data->irq_enabled) { + data->irq_enabled = true; + enable_irq(data->irq); + } + } else { +- regmap_write(map, soc_data->sensor_ctrl + REG_CLR, +- soc_data->measure_temp_mask); +- regmap_write(map, soc_data->sensor_ctrl + REG_SET, +- soc_data->power_down_mask); ++ pm_runtime_put(data->dev); + + if (data->irq_enabled) { + disable_irq(data->irq); +@@ -393,6 +360,11 @@ static int imx_set_trip_temp(struct thermal_zone_device *tz, int trip, + int temp) + { + struct imx_thermal_data *data = tz->devdata; ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(data->dev); ++ if (ret < 0) ++ return ret; + + /* do not allow changing critical threshold */ + if (trip == IMX_TRIP_CRITICAL) +@@ -406,6 +378,8 @@ static int imx_set_trip_temp(struct thermal_zone_device *tz, int trip, + + imx_set_alarm_temp(data, temp); + ++ pm_runtime_put(data->dev); ++ + return 0; + } + +@@ -681,6 +655,8 @@ static int imx_thermal_probe(struct platform_device *pdev) + if (!data) + return -ENOMEM; + ++ data->dev = &pdev->dev; ++ + map = syscon_regmap_lookup_by_phandle(pdev->dev.of_node, "fsl,tempmon"); + if (IS_ERR(map)) { + ret = PTR_ERR(map); +@@ -800,6 +776,16 @@ static int imx_thermal_probe(struct platform_device *pdev) + data->socdata->power_down_mask); + regmap_write(map, data->socdata->sensor_ctrl + REG_SET, + data->socdata->measure_temp_mask); ++ /* After power up, we need a delay before first access can be done. */ ++ usleep_range(20, 50); ++ ++ /* the core was configured and enabled just before */ ++ pm_runtime_set_active(&pdev->dev); ++ pm_runtime_enable(data->dev); ++ ++ ret = pm_runtime_resume_and_get(data->dev); ++ if (ret < 0) ++ goto disable_runtime_pm; + + data->irq_enabled = true; + ret = thermal_zone_device_enable(data->tz); +@@ -814,10 +800,15 @@ static int imx_thermal_probe(struct platform_device *pdev) + goto thermal_zone_unregister; + } + ++ pm_runtime_put(data->dev); ++ + return 0; + + thermal_zone_unregister: + thermal_zone_device_unregister(data->tz); ++disable_runtime_pm: ++ pm_runtime_put_noidle(data->dev); ++ pm_runtime_disable(data->dev); + clk_disable: + clk_disable_unprepare(data->thermal_clk); + legacy_cleanup: +@@ -829,13 +820,9 @@ legacy_cleanup: + static int imx_thermal_remove(struct platform_device *pdev) + { + struct imx_thermal_data *data = platform_get_drvdata(pdev); +- struct regmap *map = data->tempmon; + +- /* Disable measurements */ +- regmap_write(map, data->socdata->sensor_ctrl + REG_SET, +- data->socdata->power_down_mask); +- if (!IS_ERR(data->thermal_clk)) +- clk_disable_unprepare(data->thermal_clk); ++ pm_runtime_put_noidle(data->dev); ++ pm_runtime_disable(data->dev); + + thermal_zone_device_unregister(data->tz); + imx_thermal_unregister_legacy_cooling(data); +@@ -858,29 +845,79 @@ static int __maybe_unused imx_thermal_suspend(struct device *dev) + ret = thermal_zone_device_disable(data->tz); + if (ret) + return ret; ++ ++ return pm_runtime_force_suspend(data->dev); ++} ++ ++static int __maybe_unused imx_thermal_resume(struct device *dev) ++{ ++ struct imx_thermal_data *data = dev_get_drvdata(dev); ++ int ret; ++ ++ ret = pm_runtime_force_resume(data->dev); ++ if (ret) ++ return ret; ++ /* Enabled thermal sensor after resume */ ++ return thermal_zone_device_enable(data->tz); ++} ++ ++static int __maybe_unused imx_thermal_runtime_suspend(struct device *dev) ++{ ++ struct imx_thermal_data *data = dev_get_drvdata(dev); ++ const struct thermal_soc_data *socdata = data->socdata; ++ struct regmap *map = data->tempmon; ++ int ret; ++ ++ ret = regmap_write(map, socdata->sensor_ctrl + REG_CLR, ++ socdata->measure_temp_mask); ++ if (ret) ++ return ret; ++ ++ ret = regmap_write(map, socdata->sensor_ctrl + REG_SET, ++ socdata->power_down_mask); ++ if (ret) ++ return ret; ++ + clk_disable_unprepare(data->thermal_clk); + + return 0; + } + +-static int __maybe_unused imx_thermal_resume(struct device *dev) ++static int __maybe_unused imx_thermal_runtime_resume(struct device *dev) + { + struct imx_thermal_data *data = dev_get_drvdata(dev); ++ const struct thermal_soc_data *socdata = data->socdata; ++ struct regmap *map = data->tempmon; + int ret; + + ret = clk_prepare_enable(data->thermal_clk); + if (ret) + return ret; +- /* Enabled thermal sensor after resume */ +- ret = thermal_zone_device_enable(data->tz); ++ ++ ret = regmap_write(map, socdata->sensor_ctrl + REG_CLR, ++ socdata->power_down_mask); ++ if (ret) ++ return ret; ++ ++ ret = regmap_write(map, socdata->sensor_ctrl + REG_SET, ++ socdata->measure_temp_mask); + if (ret) + return ret; + ++ /* ++ * According to the temp sensor designers, it may require up to ~17us ++ * to complete a measurement. ++ */ ++ usleep_range(20, 50); ++ + return 0; + } + +-static SIMPLE_DEV_PM_OPS(imx_thermal_pm_ops, +- imx_thermal_suspend, imx_thermal_resume); ++static const struct dev_pm_ops imx_thermal_pm_ops = { ++ SET_SYSTEM_SLEEP_PM_OPS(imx_thermal_suspend, imx_thermal_resume) ++ SET_RUNTIME_PM_OPS(imx_thermal_runtime_suspend, ++ imx_thermal_runtime_resume, NULL) ++}; + + static struct platform_driver imx_thermal = { + .driver = { +-- +2.34.1 + diff --git a/queue-5.10/thermal-drivers-imx8mm-enable-adc-when-enabling-moni.patch b/queue-5.10/thermal-drivers-imx8mm-enable-adc-when-enabling-moni.patch new file mode 100644 index 00000000000..71faac1e74e --- /dev/null +++ b/queue-5.10/thermal-drivers-imx8mm-enable-adc-when-enabling-moni.patch @@ -0,0 +1,53 @@ +From 38b6849e4f6b1483fec88353bbf007db9cd2b4c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Nov 2021 12:42:25 +0100 +Subject: thermal/drivers/imx8mm: Enable ADC when enabling monitor + +From: Paul Gerber + +[ Upstream commit 3de89d8842a2b5d3dd22ebf97dd561ae0a330948 ] + +The i.MX 8MP has a ADC_PD bit in the TMU_TER register that controls the +operating mode of the ADC: +* 0 means normal operating mode +* 1 means power down mode + +When enabling/disabling the TMU, the ADC operating mode must be set +accordingly. + +i.MX 8M Mini & Nano are lacking this bit. + +Signed-off-by: Paul Gerber +Signed-off-by: Alexander Stein +Fixes: 2b8f1f0337c5 ("thermal: imx8mm: Add i.MX8MP support") +Link: https://lore.kernel.org/r/20211122114225.196280-1-alexander.stein@ew.tq-group.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/thermal/imx8mm_thermal.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/thermal/imx8mm_thermal.c b/drivers/thermal/imx8mm_thermal.c +index a1e4f9bb4cb01..0f4cabd2a8c62 100644 +--- a/drivers/thermal/imx8mm_thermal.c ++++ b/drivers/thermal/imx8mm_thermal.c +@@ -21,6 +21,7 @@ + #define TPS 0x4 + #define TRITSR 0x20 /* TMU immediate temp */ + ++#define TER_ADC_PD BIT(30) + #define TER_EN BIT(31) + #define TRITSR_TEMP0_VAL_MASK 0xff + #define TRITSR_TEMP1_VAL_MASK 0xff0000 +@@ -113,6 +114,8 @@ static void imx8mm_tmu_enable(struct imx8mm_tmu *tmu, bool enable) + + val = readl_relaxed(tmu->base + TER); + val = enable ? (val | TER_EN) : (val & ~TER_EN); ++ if (tmu->socdata->version == TMU_VER2) ++ val = enable ? (val & ~TER_ADC_PD) : (val | TER_ADC_PD); + writel_relaxed(val, tmu->base + TER); + } + +-- +2.34.1 + diff --git a/queue-5.10/thunderbolt-runtime-pm-activate-both-ends-of-the-dev.patch b/queue-5.10/thunderbolt-runtime-pm-activate-both-ends-of-the-dev.patch new file mode 100644 index 00000000000..6425f797c0e --- /dev/null +++ b/queue-5.10/thunderbolt-runtime-pm-activate-both-ends-of-the-dev.patch @@ -0,0 +1,74 @@ +From 44bcbab341c0ad15567c75d76e267dd3c70dbd7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Nov 2021 16:07:11 +0200 +Subject: thunderbolt: Runtime PM activate both ends of the device link + +From: Mika Westerberg + +[ Upstream commit f3380cac0c0b3a6f49ab161e2a057c363962f48d ] + +If protocol tunnels are already up when the driver is loaded, for +instance if the boot firmware implements connection manager of its own, +runtime PM reference count of the consumer devices behind the tunnel +might have been increased already before the device link is created but +the supplier device runtime PM reference count is not. This leads to a +situation where the supplier (the Thunderbolt driver) can runtime +suspend even if it should not because the corresponding protocol tunnel +needs to be up causing the devices to be removed from the corresponding +native bus. + +Prevent this from happening by making both sides of the link runtime PM +active briefly. The pm_runtime_put() for the consumer (PCIe +root/downstream port, xHCI) then allows it to runtime suspend again but +keeps the supplier runtime resumed the whole time it is runtime active. + +Signed-off-by: Mika Westerberg +Reviewed-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thunderbolt/acpi.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/thunderbolt/acpi.c b/drivers/thunderbolt/acpi.c +index b5442f979b4d0..6355fdf7d71a3 100644 +--- a/drivers/thunderbolt/acpi.c ++++ b/drivers/thunderbolt/acpi.c +@@ -7,6 +7,7 @@ + */ + + #include ++#include + + #include "tb.h" + +@@ -74,8 +75,18 @@ static acpi_status tb_acpi_add_link(acpi_handle handle, u32 level, void *data, + pci_pcie_type(pdev) == PCI_EXP_TYPE_DOWNSTREAM))) { + const struct device_link *link; + ++ /* ++ * Make them both active first to make sure the NHI does ++ * not runtime suspend before the consumer. The ++ * pm_runtime_put() below then allows the consumer to ++ * runtime suspend again (which then allows NHI runtime ++ * suspend too now that the device link is established). ++ */ ++ pm_runtime_get_sync(&pdev->dev); ++ + link = device_link_add(&pdev->dev, &nhi->pdev->dev, + DL_FLAG_AUTOREMOVE_SUPPLIER | ++ DL_FLAG_RPM_ACTIVE | + DL_FLAG_PM_RUNTIME); + if (link) { + dev_dbg(&nhi->pdev->dev, "created link from %s\n", +@@ -84,6 +95,8 @@ static acpi_status tb_acpi_add_link(acpi_handle handle, u32 level, void *data, + dev_warn(&nhi->pdev->dev, "device link creation from %s failed\n", + dev_name(&pdev->dev)); + } ++ ++ pm_runtime_put(&pdev->dev); + } + + out_put: +-- +2.34.1 + diff --git a/queue-5.10/tpm-add-request_locality-before-write-tpm_int_enable.patch b/queue-5.10/tpm-add-request_locality-before-write-tpm_int_enable.patch new file mode 100644 index 00000000000..d2f23793b8a --- /dev/null +++ b/queue-5.10/tpm-add-request_locality-before-write-tpm_int_enable.patch @@ -0,0 +1,44 @@ +From 169afce9242e33f899c0551e2f28363c6d6c4bdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 06:25:56 +0000 +Subject: tpm: add request_locality before write TPM_INT_ENABLE + +From: Chen Jun + +[ Upstream commit 0ef333f5ba7f24f5d8478425c163d3097f1c7afd ] + +Locality is not appropriately requested before writing the int mask. +Add the missing boilerplate. + +Fixes: e6aef069b6e9 ("tpm_tis: convert to using locality callbacks") +Signed-off-by: Chen Jun +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/tpm_tis_core.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c +index b2659a4c40168..e2df1098a812f 100644 +--- a/drivers/char/tpm/tpm_tis_core.c ++++ b/drivers/char/tpm/tpm_tis_core.c +@@ -994,7 +994,15 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq, + intmask |= TPM_INTF_CMD_READY_INT | TPM_INTF_LOCALITY_CHANGE_INT | + TPM_INTF_DATA_AVAIL_INT | TPM_INTF_STS_VALID_INT; + intmask &= ~TPM_GLOBAL_INT_ENABLE; ++ ++ rc = request_locality(chip, 0); ++ if (rc < 0) { ++ rc = -ENODEV; ++ goto out_err; ++ } ++ + tpm_tis_write32(priv, TPM_INT_ENABLE(priv->locality), intmask); ++ release_locality(chip, 0); + + rc = tpm_chip_start(chip); + if (rc) +-- +2.34.1 + diff --git a/queue-5.10/tpm_tis-fix-an-error-handling-path-in-tpm_tis_core_i.patch b/queue-5.10/tpm_tis-fix-an-error-handling-path-in-tpm_tis_core_i.patch new file mode 100644 index 00000000000..a66bdf5c1b0 --- /dev/null +++ b/queue-5.10/tpm_tis-fix-an-error-handling-path-in-tpm_tis_core_i.patch @@ -0,0 +1,44 @@ +From b54bee1bcecfe4664e3023888f7afe32a6379bc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Nov 2021 17:42:04 +0100 +Subject: tpm_tis: Fix an error handling path in 'tpm_tis_core_init()' + +From: Christophe Jaillet + +[ Upstream commit e96d52822f5ac0a25de78f95cd23421bcbc93584 ] + +Commit 79ca6f74dae0 ("tpm: fix Atmel TPM crash caused by too frequent +queries") has moved some code around without updating the error handling +path. + +This is now pointless to 'goto out_err' when neither 'clk_enable()' nor +'ioremap()' have been called yet. + +Make a direct return instead to avoid undoing things that have not been +done. + +Fixes: 79ca6f74dae0 ("tpm: fix Atmel TPM crash caused by too frequent queries") +Signed-off-by: Christophe Jaillet +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/tpm_tis_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c +index e2df1098a812f..36d1ad8f479d7 100644 +--- a/drivers/char/tpm/tpm_tis_core.c ++++ b/drivers/char/tpm/tpm_tis_core.c +@@ -952,7 +952,7 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq, + + rc = tpm_tis_read32(priv, TPM_DID_VID(0), &vendor); + if (rc < 0) +- goto out_err; ++ return rc; + + priv->manufacturer_id = vendor; + +-- +2.34.1 + diff --git a/queue-5.10/tty-serial-atmel-call-dma_async_issue_pending.patch b/queue-5.10/tty-serial-atmel-call-dma_async_issue_pending.patch new file mode 100644 index 00000000000..50f2ec3be16 --- /dev/null +++ b/queue-5.10/tty-serial-atmel-call-dma_async_issue_pending.patch @@ -0,0 +1,50 @@ +From 548e4475862472723ed980acd25331c4de21552f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Nov 2021 11:00:18 +0200 +Subject: tty: serial: atmel: Call dma_async_issue_pending() + +From: Tudor Ambarus + +[ Upstream commit 4f4b9b5895614eb2e2b5f4cab7858f44bd113e1b ] + +The driver wrongly assummed that tx_submit() will start the transfer, +which is not the case, now that the at_xdmac driver is fixed. tx_submit +is supposed to push the current transaction descriptor to a pending queue, +waiting for issue_pending to be called. issue_pending must start the +transfer, not tx_submit. + +Fixes: 34df42f59a60 ("serial: at91: add rx dma support") +Fixes: 08f738be88bb ("serial: at91: add tx dma support") +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20211125090028.786832-4-tudor.ambarus@microchip.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/atmel_serial.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c +index 396fe8c51f93b..602065bfc9bb8 100644 +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -1009,6 +1009,8 @@ static void atmel_tx_dma(struct uart_port *port) + atmel_port->cookie_tx); + return; + } ++ ++ dma_async_issue_pending(chan); + } + + if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS) +@@ -1275,6 +1277,8 @@ static int atmel_prepare_rx_dma(struct uart_port *port) + goto chan_err; + } + ++ dma_async_issue_pending(atmel_port->chan_rx); ++ + return 0; + + chan_err: +-- +2.34.1 + diff --git a/queue-5.10/tty-serial-atmel-check-return-code-of-dmaengine_subm.patch b/queue-5.10/tty-serial-atmel-check-return-code-of-dmaengine_subm.patch new file mode 100644 index 00000000000..3faf55e3dd8 --- /dev/null +++ b/queue-5.10/tty-serial-atmel-check-return-code-of-dmaengine_subm.patch @@ -0,0 +1,59 @@ +From 02f00b225708eb6a31c7d8b413acf17a9a287218 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Nov 2021 11:00:17 +0200 +Subject: tty: serial: atmel: Check return code of dmaengine_submit() + +From: Tudor Ambarus + +[ Upstream commit 1e67bd2b8cb90b66e89562598e9c2046246832d3 ] + +The tx_submit() method of struct dma_async_tx_descriptor is entitled +to do sanity checks and return errors if encountered. It's not the +case for the DMA controller drivers that this client is using +(at_h/xdmac), because they currently don't do sanity checks and always +return a positive cookie at tx_submit() method. In case the controller +drivers will implement sanity checks and return errors, print a message +so that the client will be informed that something went wrong at +tx_submit() level. + +Fixes: 08f738be88bb ("serial: at91: add tx dma support") +Signed-off-by: Tudor Ambarus +Acked-by: Richard Genoud +Link: https://lore.kernel.org/r/20211125090028.786832-3-tudor.ambarus@microchip.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/atmel_serial.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c +index a24e5c2b30bc9..396fe8c51f93b 100644 +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -1004,6 +1004,11 @@ static void atmel_tx_dma(struct uart_port *port) + desc->callback = atmel_complete_tx_dma; + desc->callback_param = atmel_port; + atmel_port->cookie_tx = dmaengine_submit(desc); ++ if (dma_submit_error(atmel_port->cookie_tx)) { ++ dev_err(port->dev, "dma_submit_error %d\n", ++ atmel_port->cookie_tx); ++ return; ++ } + } + + if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS) +@@ -1264,6 +1269,11 @@ static int atmel_prepare_rx_dma(struct uart_port *port) + desc->callback_param = port; + atmel_port->desc_rx = desc; + atmel_port->cookie_rx = dmaengine_submit(desc); ++ if (dma_submit_error(atmel_port->cookie_rx)) { ++ dev_err(port->dev, "dma_submit_error %d\n", ++ atmel_port->cookie_rx); ++ goto chan_err; ++ } + + return 0; + +-- +2.34.1 + diff --git a/queue-5.10/tty-serial-imx-disable-ucr4_oren-in-.stop_rx-instead.patch b/queue-5.10/tty-serial-imx-disable-ucr4_oren-in-.stop_rx-instead.patch new file mode 100644 index 00000000000..d06c06ddeb6 --- /dev/null +++ b/queue-5.10/tty-serial-imx-disable-ucr4_oren-in-.stop_rx-instead.patch @@ -0,0 +1,70 @@ +From dc9847055abf5093fe687a27bb53a5139f32c3c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Nov 2021 10:03:49 +0800 +Subject: tty: serial: imx: disable UCR4_OREN in .stop_rx() instead of + .shutdown() + +From: Fugang Duan + +[ Upstream commit 028e083832b06fdeeb290e1e57dc1f6702c4c215 ] + +The UCR4_OREN should be disabled before disabling the uart receiver in +.stop_rx() instead of in the .shutdown(). + +Otherwise, if we have the overrun error during the receiver disable +process, the overrun interrupt will keep trigging until we disable the +OREN interrupt in the .shutdown(), because the ORE status can only be +cleared when read the rx FIFO or reset the controller. Although the +called time between the receiver disable and OREN disable in .shutdown() +is very short, there is still the risk of endless interrupt during this +short period of time. So here change to disable OREN before the receiver +been disabled in .stop_rx(). + +Signed-off-by: Fugang Duan +Signed-off-by: Sherry Sun +Link: https://lore.kernel.org/r/20211125020349.4980-1-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/imx.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c +index 28cc328ddb6eb..93cd8ad57f385 100644 +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -508,18 +508,21 @@ static void imx_uart_stop_tx(struct uart_port *port) + static void imx_uart_stop_rx(struct uart_port *port) + { + struct imx_port *sport = (struct imx_port *)port; +- u32 ucr1, ucr2; ++ u32 ucr1, ucr2, ucr4; + + ucr1 = imx_uart_readl(sport, UCR1); + ucr2 = imx_uart_readl(sport, UCR2); ++ ucr4 = imx_uart_readl(sport, UCR4); + + if (sport->dma_is_enabled) { + ucr1 &= ~(UCR1_RXDMAEN | UCR1_ATDMAEN); + } else { + ucr1 &= ~UCR1_RRDYEN; + ucr2 &= ~UCR2_ATEN; ++ ucr4 &= ~UCR4_OREN; + } + imx_uart_writel(sport, ucr1, UCR1); ++ imx_uart_writel(sport, ucr4, UCR4); + + ucr2 &= ~UCR2_RXEN; + imx_uart_writel(sport, ucr2, UCR2); +@@ -1576,7 +1579,7 @@ static void imx_uart_shutdown(struct uart_port *port) + imx_uart_writel(sport, ucr1, UCR1); + + ucr4 = imx_uart_readl(sport, UCR4); +- ucr4 &= ~(UCR4_OREN | UCR4_TCEN); ++ ucr4 &= ~UCR4_TCEN; + imx_uart_writel(sport, ucr4, UCR4); + + spin_unlock_irqrestore(&sport->port.lock, flags); +-- +2.34.1 + diff --git a/queue-5.10/tty-serial-uartlite-allow-64-bit-address.patch b/queue-5.10/tty-serial-uartlite-allow-64-bit-address.patch new file mode 100644 index 00000000000..9b80211a373 --- /dev/null +++ b/queue-5.10/tty-serial-uartlite-allow-64-bit-address.patch @@ -0,0 +1,39 @@ +From 79780c4ced6c59304d0f437b990f1db6e8d7c92d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Nov 2021 12:23:02 -0800 +Subject: tty: serial: uartlite: allow 64 bit address + +From: Lizhi Hou + +[ Upstream commit 3672fb65155530b5eea6225685c75329b6debec3 ] + +The base address of uartlite registers could be 64 bit address which is from +device resource. When ulite_probe() calls ulite_assign(), this 64 bit +address is casted to 32-bit. The fix is to replace "u32" type with +"phys_addr_t" type for the base address in ulite_assign() argument list. + +Fixes: 8fa7b6100693 ("[POWERPC] Uartlite: Separate the bus binding from the driver proper") +Signed-off-by: Lizhi Hou +Link: https://lore.kernel.org/r/20211129202302.1319033-1-lizhi.hou@xilinx.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/uartlite.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/uartlite.c b/drivers/tty/serial/uartlite.c +index 7081ab322b402..48923cd8c07d1 100644 +--- a/drivers/tty/serial/uartlite.c ++++ b/drivers/tty/serial/uartlite.c +@@ -615,7 +615,7 @@ static struct uart_driver ulite_uart_driver = { + * + * Returns: 0 on success, <0 otherwise + */ +-static int ulite_assign(struct device *dev, int id, u32 base, int irq, ++static int ulite_assign(struct device *dev, int id, phys_addr_t base, int irq, + struct uartlite_data *pdata) + { + struct uart_port *port; +-- +2.34.1 + diff --git a/queue-5.10/udf-fix-error-handling-in-udf_new_inode.patch b/queue-5.10/udf-fix-error-handling-in-udf_new_inode.patch new file mode 100644 index 00000000000..ddc0e376424 --- /dev/null +++ b/queue-5.10/udf-fix-error-handling-in-udf_new_inode.patch @@ -0,0 +1,45 @@ +From 5fc57f0d8fb7247674c26f3a75c1cb947a1996cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Dec 2021 11:04:29 +0100 +Subject: udf: Fix error handling in udf_new_inode() + +From: Jan Kara + +[ Upstream commit f05f2429eec60851b98bdde213de31dab697c01b ] + +When memory allocation of iinfo or block allocation fails, already +allocated struct udf_inode_info gets freed with iput() and +udf_evict_inode() may look at inode fields which are not properly +initialized. Fix it by marking inode bad before dropping reference to it +in udf_new_inode(). + +Reported-by: syzbot+9ca499bb57a2b9e4c652@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/ialloc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/udf/ialloc.c b/fs/udf/ialloc.c +index 84ed23edebfd3..87a77bf70ee19 100644 +--- a/fs/udf/ialloc.c ++++ b/fs/udf/ialloc.c +@@ -77,6 +77,7 @@ struct inode *udf_new_inode(struct inode *dir, umode_t mode) + GFP_KERNEL); + } + if (!iinfo->i_data) { ++ make_bad_inode(inode); + iput(inode); + return ERR_PTR(-ENOMEM); + } +@@ -86,6 +87,7 @@ struct inode *udf_new_inode(struct inode *dir, umode_t mode) + dinfo->i_location.partitionReferenceNum, + start, &err); + if (err) { ++ make_bad_inode(inode); + iput(inode); + return ERR_PTR(err); + } +-- +2.34.1 + diff --git a/queue-5.10/uio-uio_dmem_genirq-catch-the-exception.patch b/queue-5.10/uio-uio_dmem_genirq-catch-the-exception.patch new file mode 100644 index 00000000000..ea2d67f5675 --- /dev/null +++ b/queue-5.10/uio-uio_dmem_genirq-catch-the-exception.patch @@ -0,0 +1,41 @@ +From 3c4953875e1494b16e79c3e8147494b4dee925ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Dec 2021 08:03:26 +0800 +Subject: uio: uio_dmem_genirq: Catch the Exception + +From: Jiasheng Jiang + +[ Upstream commit eec91694f927d1026974444eb6a3adccd4f1cbc2 ] + +The return value of dma_set_coherent_mask() is not always 0. +To catch the exception in case that dma is not support the mask. + +Fixes: 0a0c3b5a24bd ("Add new uio device for dynamic memory allocation") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20211204000326.1592687-1-jiasheng@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/uio/uio_dmem_genirq.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/uio/uio_dmem_genirq.c b/drivers/uio/uio_dmem_genirq.c +index ec7f66f4555a6..bf39a424ea77d 100644 +--- a/drivers/uio/uio_dmem_genirq.c ++++ b/drivers/uio/uio_dmem_genirq.c +@@ -183,7 +183,11 @@ static int uio_dmem_genirq_probe(struct platform_device *pdev) + goto bad0; + } + +- dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32)); ++ ret = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32)); ++ if (ret) { ++ dev_err(&pdev->dev, "DMA enable failed\n"); ++ return ret; ++ } + + priv->uioinfo = uioinfo; + spin_lock_init(&priv->lock); +-- +2.34.1 + diff --git a/queue-5.10/um-fix-ndelay-udelay-defines.patch b/queue-5.10/um-fix-ndelay-udelay-defines.patch new file mode 100644 index 00000000000..6983c45ba99 --- /dev/null +++ b/queue-5.10/um-fix-ndelay-udelay-defines.patch @@ -0,0 +1,46 @@ +From 709dc93a495ab7a3432f7b18d0536f9fb1b5bc45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Aug 2021 09:27:53 +0200 +Subject: um: fix ndelay/udelay defines + +From: Johannes Berg + +[ Upstream commit 5f8539e2ff962e25b57742ca7106456403abbc94 ] + +Many places in the kernel use 'udelay' as an identifier, and +are broken with the current "#define udelay um_udelay". Fix +this by adding an argument to the macro, and do the same to +'ndelay' as well, just in case. + +Fixes: 0bc8fb4dda2b ("um: Implement ndelay/udelay in time-travel mode") +Reported-by: kernel test robot +Signed-off-by: Johannes Berg +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/include/asm/delay.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/um/include/asm/delay.h b/arch/um/include/asm/delay.h +index 56fc2b8f2dd01..e79b2ab6f40c8 100644 +--- a/arch/um/include/asm/delay.h ++++ b/arch/um/include/asm/delay.h +@@ -14,7 +14,7 @@ static inline void um_ndelay(unsigned long nsecs) + ndelay(nsecs); + } + #undef ndelay +-#define ndelay um_ndelay ++#define ndelay(n) um_ndelay(n) + + static inline void um_udelay(unsigned long usecs) + { +@@ -26,5 +26,5 @@ static inline void um_udelay(unsigned long usecs) + udelay(usecs); + } + #undef udelay +-#define udelay um_udelay ++#define udelay(n) um_udelay(n) + #endif /* __UM_DELAY_H */ +-- +2.34.1 + diff --git a/queue-5.10/um-registers-rename-function-names-to-avoid-conflict.patch b/queue-5.10/um-registers-rename-function-names-to-avoid-conflict.patch new file mode 100644 index 00000000000..c13069d57e8 --- /dev/null +++ b/queue-5.10/um-registers-rename-function-names-to-avoid-conflict.patch @@ -0,0 +1,104 @@ +From 12cc608219b0866557e12c33551fa0139a93550b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Sep 2021 23:12:52 -0700 +Subject: um: registers: Rename function names to avoid conflicts and build + problems + +From: Randy Dunlap + +[ Upstream commit 077b7320942b64b0da182aefd83c374462a65535 ] + +The function names init_registers() and restore_registers() are used +in several net/ethernet/ and gpu/drm/ drivers for other purposes (not +calls to UML functions), so rename them. + +This fixes multiple build errors. + +Signed-off-by: Randy Dunlap +Cc: Jeff Dike +Cc: Richard Weinberger +Cc: Anton Ivanov +Cc: linux-um@lists.infradead.org +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/include/shared/registers.h | 4 ++-- + arch/um/os-Linux/registers.c | 4 ++-- + arch/um/os-Linux/start_up.c | 2 +- + arch/x86/um/syscalls_64.c | 3 ++- + 4 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/arch/um/include/shared/registers.h b/arch/um/include/shared/registers.h +index 0c50fa6e8a55b..fbb709a222839 100644 +--- a/arch/um/include/shared/registers.h ++++ b/arch/um/include/shared/registers.h +@@ -16,8 +16,8 @@ extern int restore_fp_registers(int pid, unsigned long *fp_regs); + extern int save_fpx_registers(int pid, unsigned long *fp_regs); + extern int restore_fpx_registers(int pid, unsigned long *fp_regs); + extern int save_registers(int pid, struct uml_pt_regs *regs); +-extern int restore_registers(int pid, struct uml_pt_regs *regs); +-extern int init_registers(int pid); ++extern int restore_pid_registers(int pid, struct uml_pt_regs *regs); ++extern int init_pid_registers(int pid); + extern void get_safe_registers(unsigned long *regs, unsigned long *fp_regs); + extern unsigned long get_thread_reg(int reg, jmp_buf *buf); + extern int get_fp_registers(int pid, unsigned long *regs); +diff --git a/arch/um/os-Linux/registers.c b/arch/um/os-Linux/registers.c +index 2d9270508e156..b123955be7acc 100644 +--- a/arch/um/os-Linux/registers.c ++++ b/arch/um/os-Linux/registers.c +@@ -21,7 +21,7 @@ int save_registers(int pid, struct uml_pt_regs *regs) + return 0; + } + +-int restore_registers(int pid, struct uml_pt_regs *regs) ++int restore_pid_registers(int pid, struct uml_pt_regs *regs) + { + int err; + +@@ -36,7 +36,7 @@ int restore_registers(int pid, struct uml_pt_regs *regs) + static unsigned long exec_regs[MAX_REG_NR]; + static unsigned long exec_fp_regs[FP_SIZE]; + +-int init_registers(int pid) ++int init_pid_registers(int pid) + { + int err; + +diff --git a/arch/um/os-Linux/start_up.c b/arch/um/os-Linux/start_up.c +index f79dc338279e6..b28373a2b8d2d 100644 +--- a/arch/um/os-Linux/start_up.c ++++ b/arch/um/os-Linux/start_up.c +@@ -336,7 +336,7 @@ void __init os_early_checks(void) + check_tmpexec(); + + pid = start_ptraced_child(); +- if (init_registers(pid)) ++ if (init_pid_registers(pid)) + fatal("Failed to initialize default registers"); + stop_ptraced_child(pid, 1, 1); + } +diff --git a/arch/x86/um/syscalls_64.c b/arch/x86/um/syscalls_64.c +index 58f51667e2e4b..8249685b40960 100644 +--- a/arch/x86/um/syscalls_64.c ++++ b/arch/x86/um/syscalls_64.c +@@ -11,6 +11,7 @@ + #include + #include /* XXX This should get the constants from libc */ + #include ++#include + + long arch_prctl(struct task_struct *task, int option, + unsigned long __user *arg2) +@@ -35,7 +36,7 @@ long arch_prctl(struct task_struct *task, int option, + switch (option) { + case ARCH_SET_FS: + case ARCH_SET_GS: +- ret = restore_registers(pid, ¤t->thread.regs.regs); ++ ret = restore_pid_registers(pid, ¤t->thread.regs.regs); + if (ret) + return ret; + break; +-- +2.34.1 + diff --git a/queue-5.10/um-virtio_uml-fix-time-travel-external-time-propagat.patch b/queue-5.10/um-virtio_uml-fix-time-travel-external-time-propagat.patch new file mode 100644 index 00000000000..e9e34a5a4a9 --- /dev/null +++ b/queue-5.10/um-virtio_uml-fix-time-travel-external-time-propagat.patch @@ -0,0 +1,59 @@ +From 3c1930d99de9452b85b59c64b23a096f1a7ebb48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 13:09:22 +0200 +Subject: um: virtio_uml: Fix time-travel external time propagation + +From: Johannes Berg + +[ Upstream commit 85e73968a040c642fd38f6cba5b73b61f5d0f052 ] + +When creating an external event, the current time needs to +be propagated to other participants of a simulation. This +is done in the places here where we kick a virtq etc. + +However, it must be done for _all_ external events, and +that includes making the initial socket connection and +later closing it. Call time_travel_propagate_time() to do +this before making or closing the socket connection. + +Apparently, at least for the initial connection creation, +due to the remote side in my use cases using microseconds +(rather than nanoseconds), this wasn't a problem yet; only +started failing between 5.14-rc1 and 5.15-rc1 (didn't test +others much), or possibly depending on the configuration, +where more delays happen before the virtio devices are +initialized. + +Fixes: 88ce64249233 ("um: Implement time-travel=ext") +Signed-off-by: Johannes Berg +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/drivers/virtio_uml.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/um/drivers/virtio_uml.c b/arch/um/drivers/virtio_uml.c +index d11b3d41c3785..d5d768188b3ba 100644 +--- a/arch/um/drivers/virtio_uml.c ++++ b/arch/um/drivers/virtio_uml.c +@@ -1076,6 +1076,8 @@ static void virtio_uml_release_dev(struct device *d) + container_of(d, struct virtio_device, dev); + struct virtio_uml_device *vu_dev = to_virtio_uml_device(vdev); + ++ time_travel_propagate_time(); ++ + /* might not have been opened due to not negotiating the feature */ + if (vu_dev->req_fd >= 0) { + um_free_irq(VIRTIO_IRQ, vu_dev); +@@ -1109,6 +1111,8 @@ static int virtio_uml_probe(struct platform_device *pdev) + vu_dev->pdev = pdev; + vu_dev->req_fd = -1; + ++ time_travel_propagate_time(); ++ + do { + rc = os_connect_socket(pdata->socket_path); + } while (rc == -EINTR); +-- +2.34.1 + diff --git a/queue-5.10/usb-dwc3-qcom-fix-null-vs-is_err-checking-in-dwc3_qc.patch b/queue-5.10/usb-dwc3-qcom-fix-null-vs-is_err-checking-in-dwc3_qc.patch new file mode 100644 index 00000000000..2512836d20c --- /dev/null +++ b/queue-5.10/usb-dwc3-qcom-fix-null-vs-is_err-checking-in-dwc3_qc.patch @@ -0,0 +1,44 @@ +From 3e758893dab50b378dc357347785766ecd290bcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 11:18:23 +0000 +Subject: usb: dwc3: qcom: Fix NULL vs IS_ERR checking in dwc3_qcom_probe + +From: Miaoqian Lin + +[ Upstream commit b52fe2dbb3e655eb1483000adfab68a219549e13 ] + +Since the acpi_create_platform_device() function may return error +pointers, dwc3_qcom_create_urs_usb_platdev() function may return error +pointers too. Using IS_ERR_OR_NULL() to check the return value to fix this. + +Fixes: c25c210f590e ("usb: dwc3: qcom: add URS Host support for sdm845 ACPI boot") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20211222111823.22887-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-qcom.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c +index 2a29e2f681fe6..504f8af4d0f80 100644 +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -764,9 +764,12 @@ static int dwc3_qcom_probe(struct platform_device *pdev) + + if (qcom->acpi_pdata->is_urs) { + qcom->urs_usb = dwc3_qcom_create_urs_usb_platdev(dev); +- if (!qcom->urs_usb) { ++ if (IS_ERR_OR_NULL(qcom->urs_usb)) { + dev_err(dev, "failed to create URS USB platdev\n"); +- return -ENODEV; ++ if (!qcom->urs_usb) ++ return -ENODEV; ++ else ++ return PTR_ERR(qcom->urs_usb); + } + } + } +-- +2.34.1 + diff --git a/queue-5.10/usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch b/queue-5.10/usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch new file mode 100644 index 00000000000..7f1496b485f --- /dev/null +++ b/queue-5.10/usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch @@ -0,0 +1,52 @@ +From 7a5445eba1dffa3400ce931efbf84160f27dd194 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Dec 2021 16:34:28 +0800 +Subject: usb: ftdi-elan: fix memory leak on device disconnect + +From: Wei Yongjun + +[ Upstream commit 1646566b5e0c556f779180a8514e521ac735de1e ] + +'ftdi' is alloced when probe device, but not free on device disconnect, +this cause a memory leak as follows: + +unreferenced object 0xffff88800d584000 (size 8400): + comm "kworker/0:2", pid 3809, jiffies 4295453055 (age 13.784s) + hex dump (first 32 bytes): + 00 40 58 0d 80 88 ff ff 00 40 58 0d 80 88 ff ff .@X......@X..... + 00 00 00 00 00 00 00 00 00 00 00 00 ad 4e ad de .............N.. + backtrace: + [<000000000d47f947>] kmalloc_order_trace+0x19/0x110 mm/slab_common.c:960 + [<000000008548ac68>] ftdi_elan_probe+0x8c/0x880 drivers/usb/misc/ftdi-elan.c:2647 + [<000000007f73e422>] usb_probe_interface+0x31b/0x800 drivers/usb/core/driver.c:396 + [<00000000fe8d07fc>] really_probe+0x299/0xc30 drivers/base/dd.c:517 + [<0000000005da7d32>] __driver_probe_device+0x357/0x500 drivers/base/dd.c:751 + [<000000003c2c9579>] driver_probe_device+0x4e/0x140 drivers/base/dd.c:781 + +Fix it by freeing 'ftdi' after nobody use it. + +Fixes: a5c66e4b2418 ("USB: ftdi-elan: client driver for ELAN Uxxx adapters") +Reported-by: Hulk Robot +Signed-off-by: Wei Yongjun +Link: https://lore.kernel.org/r/20211217083428.2441-1-weiyongjun1@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/misc/ftdi-elan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/misc/ftdi-elan.c b/drivers/usb/misc/ftdi-elan.c +index 8a3d9c0c8d8bc..157b31d354ac2 100644 +--- a/drivers/usb/misc/ftdi-elan.c ++++ b/drivers/usb/misc/ftdi-elan.c +@@ -202,6 +202,7 @@ static void ftdi_elan_delete(struct kref *kref) + mutex_unlock(&ftdi_module_lock); + kfree(ftdi->bulk_in_buffer); + ftdi->bulk_in_buffer = NULL; ++ kfree(ftdi); + } + + static void ftdi_elan_put_kref(struct usb_ftdi *ftdi) +-- +2.34.1 + diff --git a/queue-5.10/usb-gadget-f_fs-use-stream_open-for-endpoint-files.patch b/queue-5.10/usb-gadget-f_fs-use-stream_open-for-endpoint-files.patch new file mode 100644 index 00000000000..f061c281e13 --- /dev/null +++ b/queue-5.10/usb-gadget-f_fs-use-stream_open-for-endpoint-files.patch @@ -0,0 +1,65 @@ +From e87c347f0afdb62642b1a0d244ba7f6971a724be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Nov 2021 15:54:40 +0530 +Subject: usb: gadget: f_fs: Use stream_open() for endpoint files + +From: Pavankumar Kondeti + +[ Upstream commit c76ef96fc00eb398c8fc836b0eb2f82bcc619dc7 ] + +Function fs endpoint file operations are synchronized via an interruptible +mutex wait. However we see threads that do ep file operations concurrently +are getting blocked for the mutex lock in __fdget_pos(). This is an +uninterruptible wait and we see hung task warnings and kernel panic +if hung_task_panic systcl is enabled if host does not send/receive +the data for long time. + +The reason for threads getting blocked in __fdget_pos() is due to +the file position protection introduced by the commit 9c225f2655e3 +("vfs: atomic f_pos accesses as per POSIX"). Since function fs +endpoint files does not have the notion of the file position, switch +to the stream mode. This will bypass the file position mutex and +threads will be blocked in interruptible state for the function fs +mutex. + +It should not affects user space as we are only changing the task state +changes the task state from UNINTERRUPTIBLE to INTERRUPTIBLE while waiting +for the USB transfers to be finished. However there is a slight change to +the O_NONBLOCK behavior. Earlier threads that are using O_NONBLOCK are also +getting blocked inside fdget_pos(). Now they reach to function fs and error +code is returned. The non blocking behavior is actually honoured now. + +Reviewed-by: John Keeping +Signed-off-by: Pavankumar Kondeti +Link: https://lore.kernel.org/r/1636712682-1226-1-git-send-email-quic_pkondeti@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_fs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index cbb7947f366f9..d8652321e15e9 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -614,7 +614,7 @@ static int ffs_ep0_open(struct inode *inode, struct file *file) + file->private_data = ffs; + ffs_data_opened(ffs); + +- return 0; ++ return stream_open(inode, file); + } + + static int ffs_ep0_release(struct inode *inode, struct file *file) +@@ -1152,7 +1152,7 @@ ffs_epfile_open(struct inode *inode, struct file *file) + file->private_data = epfile; + ffs_data_opened(epfile->ffs); + +- return 0; ++ return stream_open(inode, file); + } + + static int ffs_aio_cancel(struct kiocb *kiocb) +-- +2.34.1 + diff --git a/queue-5.10/usb-hub-add-delay-for-superspeed-hub-resume-to-let-l.patch b/queue-5.10/usb-hub-add-delay-for-superspeed-hub-resume-to-let-l.patch new file mode 100644 index 00000000000..de4b696b09d --- /dev/null +++ b/queue-5.10/usb-hub-add-delay-for-superspeed-hub-resume-to-let-l.patch @@ -0,0 +1,97 @@ +From d5b73299f61c2c5e0a6b1d8252ed7614eadfef8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Dec 2021 20:01:06 +0800 +Subject: usb: hub: Add delay for SuperSpeed hub resume to let links transit to + U0 + +From: Kai-Heng Feng + +[ Upstream commit 00558586382891540c59c9febc671062425a6e47 ] + +When a new USB device gets plugged to nested hubs, the affected hub, +which connects to usb 2-1.4-port2, doesn't report there's any change, +hence the nested hubs go back to runtime suspend like nothing happened: +[ 281.032951] usb usb2: usb wakeup-resume +[ 281.032959] usb usb2: usb auto-resume +[ 281.032974] hub 2-0:1.0: hub_resume +[ 281.033011] usb usb2-port1: status 0263 change 0000 +[ 281.033077] hub 2-0:1.0: state 7 ports 4 chg 0000 evt 0000 +[ 281.049797] usb 2-1: usb wakeup-resume +[ 281.069800] usb 2-1: Waited 0ms for CONNECT +[ 281.069810] usb 2-1: finish resume +[ 281.070026] hub 2-1:1.0: hub_resume +[ 281.070250] usb 2-1-port4: status 0203 change 0000 +[ 281.070272] usb usb2-port1: resume, status 0 +[ 281.070282] hub 2-1:1.0: state 7 ports 4 chg 0010 evt 0000 +[ 281.089813] usb 2-1.4: usb wakeup-resume +[ 281.109792] usb 2-1.4: Waited 0ms for CONNECT +[ 281.109801] usb 2-1.4: finish resume +[ 281.109991] hub 2-1.4:1.0: hub_resume +[ 281.110147] usb 2-1.4-port2: status 0263 change 0000 +[ 281.110234] usb 2-1-port4: resume, status 0 +[ 281.110239] usb 2-1-port4: status 0203, change 0000, 10.0 Gb/s +[ 281.110266] hub 2-1.4:1.0: state 7 ports 4 chg 0000 evt 0000 +[ 281.110426] hub 2-1.4:1.0: hub_suspend +[ 281.110565] usb 2-1.4: usb auto-suspend, wakeup 1 +[ 281.130998] hub 2-1:1.0: hub_suspend +[ 281.137788] usb 2-1: usb auto-suspend, wakeup 1 +[ 281.142935] hub 2-0:1.0: state 7 ports 4 chg 0000 evt 0000 +[ 281.177828] usb 2-1: usb wakeup-resume +[ 281.197839] usb 2-1: Waited 0ms for CONNECT +[ 281.197850] usb 2-1: finish resume +[ 281.197984] hub 2-1:1.0: hub_resume +[ 281.198203] usb 2-1-port4: status 0203 change 0000 +[ 281.198228] usb usb2-port1: resume, status 0 +[ 281.198237] hub 2-1:1.0: state 7 ports 4 chg 0010 evt 0000 +[ 281.217835] usb 2-1.4: usb wakeup-resume +[ 281.237834] usb 2-1.4: Waited 0ms for CONNECT +[ 281.237845] usb 2-1.4: finish resume +[ 281.237990] hub 2-1.4:1.0: hub_resume +[ 281.238067] usb 2-1.4-port2: status 0263 change 0000 +[ 281.238148] usb 2-1-port4: resume, status 0 +[ 281.238152] usb 2-1-port4: status 0203, change 0000, 10.0 Gb/s +[ 281.238166] hub 2-1.4:1.0: state 7 ports 4 chg 0000 evt 0000 +[ 281.238385] hub 2-1.4:1.0: hub_suspend +[ 281.238523] usb 2-1.4: usb auto-suspend, wakeup 1 +[ 281.258076] hub 2-1:1.0: hub_suspend +[ 281.265744] usb 2-1: usb auto-suspend, wakeup 1 +[ 281.285976] hub 2-0:1.0: hub_suspend +[ 281.285988] usb usb2: bus auto-suspend, wakeup 1 + +USB 3.2 spec, 9.2.5.4 "Changing Function Suspend State" says that "If +the link is in a non-U0 state, then the device must transition the link +to U0 prior to sending the remote wake message", but the hub only +transits the link to U0 after signaling remote wakeup. + +So be more forgiving and use a 20ms delay to let the link transit to U0 +for remote wakeup. + +Suggested-by: Alan Stern +Acked-by: Alan Stern +Signed-off-by: Kai-Heng Feng +Link: https://lore.kernel.org/r/20211215120108.336597-1-kai.heng.feng@canonical.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/hub.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index af15dbe6bb141..18ee3914b4686 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1109,7 +1109,10 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + } else { + hub_power_on(hub, true); + } +- } ++ /* Give some time on remote wakeup to let links to transit to U0 */ ++ } else if (hub_is_superspeed(hub->hdev)) ++ msleep(20); ++ + init2: + + /* +-- +2.34.1 + diff --git a/queue-5.10/usb-uhci-add-aspeed-ast2600-uhci-support.patch b/queue-5.10/usb-uhci-add-aspeed-ast2600-uhci-support.patch new file mode 100644 index 00000000000..9dd3a9aa78e --- /dev/null +++ b/queue-5.10/usb-uhci-add-aspeed-ast2600-uhci-support.patch @@ -0,0 +1,36 @@ +From d1d885fe19ed3fd4338006adbe0b2e2f9cdc114d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Nov 2021 18:00:21 +0800 +Subject: usb: uhci: add aspeed ast2600 uhci support + +From: Neal Liu + +[ Upstream commit 554abfe2eadec97d12c71d4a69da1518478f69eb ] + +Enable ast2600 uhci quirks. + +Signed-off-by: Neal Liu +Link: https://lore.kernel.org/r/20211126100021.2331024-1-neal_liu@aspeedtech.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/uhci-platform.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/uhci-platform.c b/drivers/usb/host/uhci-platform.c +index 70dbd95c3f063..be9e9db7cad10 100644 +--- a/drivers/usb/host/uhci-platform.c ++++ b/drivers/usb/host/uhci-platform.c +@@ -113,7 +113,8 @@ static int uhci_hcd_platform_probe(struct platform_device *pdev) + num_ports); + } + if (of_device_is_compatible(np, "aspeed,ast2400-uhci") || +- of_device_is_compatible(np, "aspeed,ast2500-uhci")) { ++ of_device_is_compatible(np, "aspeed,ast2500-uhci") || ++ of_device_is_compatible(np, "aspeed,ast2600-uhci")) { + uhci->is_aspeed = 1; + dev_info(&pdev->dev, + "Enabled Aspeed implementation workarounds\n"); +-- +2.34.1 + diff --git a/queue-5.10/w1-misuse-of-get_user-put_user-reported-by-sparse.patch b/queue-5.10/w1-misuse-of-get_user-put_user-reported-by-sparse.patch new file mode 100644 index 00000000000..5f11f32bf34 --- /dev/null +++ b/queue-5.10/w1-misuse-of-get_user-put_user-reported-by-sparse.patch @@ -0,0 +1,86 @@ +From edb57874a9ec1244b10685eafd6ddc1570a208d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Nov 2021 18:06:46 +0100 +Subject: w1: Misuse of get_user()/put_user() reported by sparse + +From: Christophe Leroy + +[ Upstream commit 33dc3e3e99e626ce51f462d883b05856c6c30b1d ] + +sparse warnings: (new ones prefixed by >>) +>> drivers/w1/slaves/w1_ds28e04.c:342:13: sparse: sparse: incorrect type in initializer (different address spaces) @@ expected char [noderef] __user *_pu_addr @@ got char *buf @@ + drivers/w1/slaves/w1_ds28e04.c:342:13: sparse: expected char [noderef] __user *_pu_addr + drivers/w1/slaves/w1_ds28e04.c:342:13: sparse: got char *buf +>> drivers/w1/slaves/w1_ds28e04.c:356:13: sparse: sparse: incorrect type in initializer (different address spaces) @@ expected char const [noderef] __user *_gu_addr @@ got char const *buf @@ + drivers/w1/slaves/w1_ds28e04.c:356:13: sparse: expected char const [noderef] __user *_gu_addr + drivers/w1/slaves/w1_ds28e04.c:356:13: sparse: got char const *buf + +The buffer buf is a failsafe buffer in kernel space, it's not user +memory hence doesn't deserve the use of get_user() or put_user(). + +Access 'buf' content directly. + +Link: https://lore.kernel.org/lkml/202111190526.K5vb7NWC-lkp@intel.com/T/ +Reported-by: kernel test robot +Signed-off-by: Christophe Leroy +Link: https://lore.kernel.org/r/d14ed8d71ad4372e6839ae427f91441d3ba0e94d.1637946316.git.christophe.leroy@csgroup.eu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/w1/slaves/w1_ds28e04.c | 26 ++++++-------------------- + 1 file changed, 6 insertions(+), 20 deletions(-) + +diff --git a/drivers/w1/slaves/w1_ds28e04.c b/drivers/w1/slaves/w1_ds28e04.c +index e4f336111edc6..6cef6e2edb892 100644 +--- a/drivers/w1/slaves/w1_ds28e04.c ++++ b/drivers/w1/slaves/w1_ds28e04.c +@@ -32,7 +32,7 @@ static int w1_strong_pullup = 1; + module_param_named(strong_pullup, w1_strong_pullup, int, 0); + + /* enable/disable CRC checking on DS28E04-100 memory accesses */ +-static char w1_enable_crccheck = 1; ++static bool w1_enable_crccheck = true; + + #define W1_EEPROM_SIZE 512 + #define W1_PAGE_COUNT 16 +@@ -339,32 +339,18 @@ static BIN_ATTR_RW(pio, 1); + static ssize_t crccheck_show(struct device *dev, struct device_attribute *attr, + char *buf) + { +- if (put_user(w1_enable_crccheck + 0x30, buf)) +- return -EFAULT; +- +- return sizeof(w1_enable_crccheck); ++ return sysfs_emit(buf, "%d\n", w1_enable_crccheck); + } + + static ssize_t crccheck_store(struct device *dev, struct device_attribute *attr, + const char *buf, size_t count) + { +- char val; +- +- if (count != 1 || !buf) +- return -EINVAL; ++ int err = kstrtobool(buf, &w1_enable_crccheck); + +- if (get_user(val, buf)) +- return -EFAULT; ++ if (err) ++ return err; + +- /* convert to decimal */ +- val = val - 0x30; +- if (val != 0 && val != 1) +- return -EINVAL; +- +- /* set the new value */ +- w1_enable_crccheck = val; +- +- return sizeof(w1_enable_crccheck); ++ return count; + } + + static DEVICE_ATTR_RW(crccheck); +-- +2.34.1 + diff --git a/queue-5.10/wcn36xx-ensure-pairing-of-init_scan-finish_scan-and-.patch b/queue-5.10/wcn36xx-ensure-pairing-of-init_scan-finish_scan-and-.patch new file mode 100644 index 00000000000..db208ce1542 --- /dev/null +++ b/queue-5.10/wcn36xx-ensure-pairing-of-init_scan-finish_scan-and-.patch @@ -0,0 +1,201 @@ +From fccf3ecb2638c60291797d91e537f2a9fbd8158e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Oct 2021 10:03:05 -0700 +Subject: wcn36xx: ensure pairing of init_scan/finish_scan and + start_scan/end_scan + +From: Benjamin Li + +[ Upstream commit 8f1ba8b0ee2679f0b3d22d2a5c1bc70c436fd872 ] + +An SMD capture from the downstream prima driver on WCN3680B shows the +following command sequence for connected scans: + +- init_scan_req + - start_scan_req, channel 1 + - end_scan_req, channel 1 + - start_scan_req, channel 2 + - ... + - end_scan_req, channel 3 +- finish_scan_req +- init_scan_req + - start_scan_req, channel 4 + - ... + - end_scan_req, channel 6 +- finish_scan_req +- ... + - end_scan_req, channel 165 +- finish_scan_req + +Upstream currently never calls wcn36xx_smd_end_scan, and in some cases[1] +still sends finish_scan_req twice in a row or before init_scan_req. A +typical connected scan looks like this: + +- init_scan_req + - start_scan_req, channel 1 +- finish_scan_req +- init_scan_req + - start_scan_req, channel 2 +- ... + - start_scan_req, channel 165 +- finish_scan_req +- finish_scan_req + +This patch cleans up scanning so that init/finish and start/end are always +paired together and correctly nested. + +- init_scan_req + - start_scan_req, channel 1 + - end_scan_req, channel 1 +- finish_scan_req +- init_scan_req + - start_scan_req, channel 2 + - end_scan_req, channel 2 +- ... + - start_scan_req, channel 165 + - end_scan_req, channel 165 +- finish_scan_req + +Note that upstream will not do batching of 3 active-probe scans before +returning to the operating channel, and this patch does not change that. +To match downstream in this aspect, adjust IEEE80211_PROBE_DELAY and/or +the 125ms max off-channel time in ieee80211_scan_state_decision. + +[1]: commit d195d7aac09b ("wcn36xx: Ensure finish scan is not requested +before start scan") addressed one case of finish_scan_req being sent +without a preceding init_scan_req (the case of the operating channel +coinciding with the first scan channel); two other cases are: +1) if SW scan is started and aborted immediately, without scanning any + channels, we send a finish_scan_req without ever sending init_scan_req, + and +2) as SW scan logic always returns us to the operating channel before + calling wcn36xx_sw_scan_complete, finish_scan_req is always sent twice + at the end of a SW scan + +Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") +Signed-off-by: Benjamin Li +Tested-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211027170306.555535-4-benl@squareup.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/main.c | 34 +++++++++++++++++----- + drivers/net/wireless/ath/wcn36xx/smd.c | 4 +++ + drivers/net/wireless/ath/wcn36xx/wcn36xx.h | 1 + + 3 files changed, 32 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c +index 629ddfd74da1a..9aaf6f7473333 100644 +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -397,6 +397,7 @@ static void wcn36xx_change_opchannel(struct wcn36xx *wcn, int ch) + static int wcn36xx_config(struct ieee80211_hw *hw, u32 changed) + { + struct wcn36xx *wcn = hw->priv; ++ int ret; + + wcn36xx_dbg(WCN36XX_DBG_MAC, "mac config changed 0x%08x\n", changed); + +@@ -412,17 +413,31 @@ static int wcn36xx_config(struct ieee80211_hw *hw, u32 changed) + * want to receive/transmit regular data packets, then + * simply stop the scan session and exit PS mode. + */ +- wcn36xx_smd_finish_scan(wcn, HAL_SYS_MODE_SCAN, +- wcn->sw_scan_vif); +- wcn->sw_scan_channel = 0; ++ if (wcn->sw_scan_channel) ++ wcn36xx_smd_end_scan(wcn, wcn->sw_scan_channel); ++ if (wcn->sw_scan_init) { ++ wcn36xx_smd_finish_scan(wcn, HAL_SYS_MODE_SCAN, ++ wcn->sw_scan_vif); ++ } + } else if (wcn->sw_scan) { + /* A scan is ongoing, do not change the operating + * channel, but start a scan session on the channel. + */ +- wcn36xx_smd_init_scan(wcn, HAL_SYS_MODE_SCAN, +- wcn->sw_scan_vif); ++ if (wcn->sw_scan_channel) ++ wcn36xx_smd_end_scan(wcn, wcn->sw_scan_channel); ++ if (!wcn->sw_scan_init) { ++ /* This can fail if we are unable to notify the ++ * operating channel. ++ */ ++ ret = wcn36xx_smd_init_scan(wcn, ++ HAL_SYS_MODE_SCAN, ++ wcn->sw_scan_vif); ++ if (ret) { ++ mutex_unlock(&wcn->conf_mutex); ++ return -EIO; ++ } ++ } + wcn36xx_smd_start_scan(wcn, ch); +- wcn->sw_scan_channel = ch; + } else { + wcn36xx_change_opchannel(wcn, ch); + } +@@ -709,7 +724,12 @@ static void wcn36xx_sw_scan_complete(struct ieee80211_hw *hw, + struct wcn36xx *wcn = hw->priv; + + /* ensure that any scan session is finished */ +- wcn36xx_smd_finish_scan(wcn, HAL_SYS_MODE_SCAN, wcn->sw_scan_vif); ++ if (wcn->sw_scan_channel) ++ wcn36xx_smd_end_scan(wcn, wcn->sw_scan_channel); ++ if (wcn->sw_scan_init) { ++ wcn36xx_smd_finish_scan(wcn, HAL_SYS_MODE_SCAN, ++ wcn->sw_scan_vif); ++ } + wcn->sw_scan = false; + wcn->sw_scan_opchannel = 0; + } +diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c +index 3793907ace92e..ad312e17f7a3c 100644 +--- a/drivers/net/wireless/ath/wcn36xx/smd.c ++++ b/drivers/net/wireless/ath/wcn36xx/smd.c +@@ -730,6 +730,7 @@ int wcn36xx_smd_init_scan(struct wcn36xx *wcn, enum wcn36xx_hal_sys_mode mode, + wcn36xx_err("hal_init_scan response failed err=%d\n", ret); + goto out; + } ++ wcn->sw_scan_init = true; + out: + mutex_unlock(&wcn->hal_mutex); + return ret; +@@ -760,6 +761,7 @@ int wcn36xx_smd_start_scan(struct wcn36xx *wcn, u8 scan_channel) + wcn36xx_err("hal_start_scan response failed err=%d\n", ret); + goto out; + } ++ wcn->sw_scan_channel = scan_channel; + out: + mutex_unlock(&wcn->hal_mutex); + return ret; +@@ -790,6 +792,7 @@ int wcn36xx_smd_end_scan(struct wcn36xx *wcn, u8 scan_channel) + wcn36xx_err("hal_end_scan response failed err=%d\n", ret); + goto out; + } ++ wcn->sw_scan_channel = 0; + out: + mutex_unlock(&wcn->hal_mutex); + return ret; +@@ -831,6 +834,7 @@ int wcn36xx_smd_finish_scan(struct wcn36xx *wcn, + wcn36xx_err("hal_finish_scan response failed err=%d\n", ret); + goto out; + } ++ wcn->sw_scan_init = false; + out: + mutex_unlock(&wcn->hal_mutex); + return ret; +diff --git a/drivers/net/wireless/ath/wcn36xx/wcn36xx.h b/drivers/net/wireless/ath/wcn36xx/wcn36xx.h +index 9b4dee2fc6483..5c40d0bdee245 100644 +--- a/drivers/net/wireless/ath/wcn36xx/wcn36xx.h ++++ b/drivers/net/wireless/ath/wcn36xx/wcn36xx.h +@@ -231,6 +231,7 @@ struct wcn36xx { + struct cfg80211_scan_request *scan_req; + bool sw_scan; + u8 sw_scan_opchannel; ++ bool sw_scan_init; + u8 sw_scan_channel; + struct ieee80211_vif *sw_scan_vif; + struct mutex scan_lock; +-- +2.34.1 + diff --git a/queue-5.10/wcn36xx-fix-dma-channel-enable-disable-cycle.patch b/queue-5.10/wcn36xx-fix-dma-channel-enable-disable-cycle.patch new file mode 100644 index 00000000000..b21435460a8 --- /dev/null +++ b/queue-5.10/wcn36xx-fix-dma-channel-enable-disable-cycle.patch @@ -0,0 +1,125 @@ +From 5edc1570dc3eec7b5d7f1bcc2354835cdb7c5961 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 12:21:50 +0000 +Subject: wcn36xx: Fix DMA channel enable/disable cycle + +From: Bryan O'Donoghue + +[ Upstream commit 89dcb1da611d9b3ff0728502d58372fdaae9ebff ] + +Right now we have a broken sequence where we enable DMA channel interrupts +which can be left enabled and never disabled if we hit an error path. + +Worse still when we unload the driver, the DMA channel interrupt bits are +left intact. About the only saving grace here is that we do remember to +disable the wcnss interrupt when unload the driver. + +Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211105122152.1580542-2-bryan.odonoghue@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/dxe.c | 38 ++++++++++++++++++-------- + 1 file changed, 27 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/dxe.c b/drivers/net/wireless/ath/wcn36xx/dxe.c +index cf4eb0fb28151..0909d0c423cbb 100644 +--- a/drivers/net/wireless/ath/wcn36xx/dxe.c ++++ b/drivers/net/wireless/ath/wcn36xx/dxe.c +@@ -272,6 +272,21 @@ static int wcn36xx_dxe_enable_ch_int(struct wcn36xx *wcn, u16 wcn_ch) + return 0; + } + ++static void wcn36xx_dxe_disable_ch_int(struct wcn36xx *wcn, u16 wcn_ch) ++{ ++ int reg_data = 0; ++ ++ wcn36xx_dxe_read_register(wcn, ++ WCN36XX_DXE_INT_MASK_REG, ++ ®_data); ++ ++ reg_data &= ~wcn_ch; ++ ++ wcn36xx_dxe_write_register(wcn, ++ WCN36XX_DXE_INT_MASK_REG, ++ (int)reg_data); ++} ++ + static int wcn36xx_dxe_fill_skb(struct device *dev, + struct wcn36xx_dxe_ctl *ctl, + gfp_t gfp) +@@ -869,7 +884,6 @@ int wcn36xx_dxe_init(struct wcn36xx *wcn) + WCN36XX_DXE_WQ_TX_L); + + wcn36xx_dxe_read_register(wcn, WCN36XX_DXE_REG_CH_EN, ®_data); +- wcn36xx_dxe_enable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_TX_L); + + /***************************************/ + /* Init descriptors for TX HIGH channel */ +@@ -893,9 +907,6 @@ int wcn36xx_dxe_init(struct wcn36xx *wcn) + + wcn36xx_dxe_read_register(wcn, WCN36XX_DXE_REG_CH_EN, ®_data); + +- /* Enable channel interrupts */ +- wcn36xx_dxe_enable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_TX_H); +- + /***************************************/ + /* Init descriptors for RX LOW channel */ + /***************************************/ +@@ -905,7 +916,6 @@ int wcn36xx_dxe_init(struct wcn36xx *wcn) + goto out_err_rxl_ch; + } + +- + /* For RX we need to preallocated buffers */ + wcn36xx_dxe_ch_alloc_skb(wcn, &wcn->dxe_rx_l_ch); + +@@ -928,9 +938,6 @@ int wcn36xx_dxe_init(struct wcn36xx *wcn) + WCN36XX_DXE_REG_CTL_RX_L, + WCN36XX_DXE_CH_DEFAULT_CTL_RX_L); + +- /* Enable channel interrupts */ +- wcn36xx_dxe_enable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_RX_L); +- + /***************************************/ + /* Init descriptors for RX HIGH channel */ + /***************************************/ +@@ -962,15 +969,18 @@ int wcn36xx_dxe_init(struct wcn36xx *wcn) + WCN36XX_DXE_REG_CTL_RX_H, + WCN36XX_DXE_CH_DEFAULT_CTL_RX_H); + +- /* Enable channel interrupts */ +- wcn36xx_dxe_enable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_RX_H); +- + ret = wcn36xx_dxe_request_irqs(wcn); + if (ret < 0) + goto out_err_irq; + + timer_setup(&wcn->tx_ack_timer, wcn36xx_dxe_tx_timer, 0); + ++ /* Enable channel interrupts */ ++ wcn36xx_dxe_enable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_TX_L); ++ wcn36xx_dxe_enable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_TX_H); ++ wcn36xx_dxe_enable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_RX_L); ++ wcn36xx_dxe_enable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_RX_H); ++ + return 0; + + out_err_irq: +@@ -987,6 +997,12 @@ out_err_txh_ch: + + void wcn36xx_dxe_deinit(struct wcn36xx *wcn) + { ++ /* Disable channel interrupts */ ++ wcn36xx_dxe_disable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_RX_H); ++ wcn36xx_dxe_disable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_RX_L); ++ wcn36xx_dxe_disable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_TX_H); ++ wcn36xx_dxe_disable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_TX_L); ++ + free_irq(wcn->tx_irq, wcn); + free_irq(wcn->rx_irq, wcn); + del_timer(&wcn->tx_ack_timer); +-- +2.34.1 + diff --git a/queue-5.10/wcn36xx-fix-rx-bd-rate-mapping-for-5ghz-legacy-rates.patch b/queue-5.10/wcn36xx-fix-rx-bd-rate-mapping-for-5ghz-legacy-rates.patch new file mode 100644 index 00000000000..228e5afb1e0 --- /dev/null +++ b/queue-5.10/wcn36xx-fix-rx-bd-rate-mapping-for-5ghz-legacy-rates.patch @@ -0,0 +1,52 @@ +From fac6d17e7d9d29bbf5f6dc0f83ee4c08c4c9cc1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 18:05:48 -0700 +Subject: wcn36xx: fix RX BD rate mapping for 5GHz legacy rates + +From: Benjamin Li + +[ Upstream commit cfdf6b19e750f7de8ae71a26932f63b52e3bf74c ] + +The linear mapping between the BD rate field and the driver's 5GHz +legacy rates table (wcn_5ghz_rates) does not only apply for the latter +four rates -- it applies to all eight rates. + +Fixes: 6ea131acea98 ("wcn36xx: Fix warning due to bad rate_idx") +Signed-off-by: Benjamin Li +Tested-by: Loic Poulain +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211104010548.1107405-3-benl@squareup.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/txrx.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/txrx.c b/drivers/net/wireless/ath/wcn36xx/txrx.c +index f76de106570d2..f33e7228a1010 100644 +--- a/drivers/net/wireless/ath/wcn36xx/txrx.c ++++ b/drivers/net/wireless/ath/wcn36xx/txrx.c +@@ -237,7 +237,6 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb) + const struct wcn36xx_rate *rate; + struct ieee80211_hdr *hdr; + struct wcn36xx_rx_bd *bd; +- struct ieee80211_supported_band *sband; + u16 fc, sn; + + /* +@@ -295,12 +294,11 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb) + status.enc_flags = rate->encoding_flags; + status.bw = rate->bw; + status.rate_idx = rate->mcs_or_legacy_index; +- sband = wcn->hw->wiphy->bands[status.band]; + status.nss = 1; + + if (status.band == NL80211_BAND_5GHZ && + status.encoding == RX_ENC_LEGACY && +- status.rate_idx >= sband->n_bitrates) { ++ status.rate_idx >= 4) { + /* no dsss rates in 5Ghz rates table */ + status.rate_idx -= 4; + } +-- +2.34.1 + diff --git a/queue-5.10/wcn36xx-indicate-beacon-not-connection-loss-on-misse.patch b/queue-5.10/wcn36xx-indicate-beacon-not-connection-loss-on-misse.patch new file mode 100644 index 00000000000..05e43f26d4a --- /dev/null +++ b/queue-5.10/wcn36xx-indicate-beacon-not-connection-loss-on-misse.patch @@ -0,0 +1,51 @@ +From 2ed34ad5451c45c67a418ad5bf503216c32f0d0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 00:25:29 +0100 +Subject: wcn36xx: Indicate beacon not connection loss on MISSED_BEACON_IND + +From: Bryan O'Donoghue + +[ Upstream commit 588b45c88ae130fe373a8c50edaf54735c3f4fe3 ] + +Firmware can trigger a missed beacon indication, this is not the same as a +lost signal. + +Flag to Linux the missed beacon and let the WiFi stack decide for itself if +the link is up or down by sending its own probe to determine this. + +We should only be signalling the link is lost when the firmware indicates + +Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211027232529.657764-1-bryan.odonoghue@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/smd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c +index ad312e17f7a3c..7f00cb6f5e16b 100644 +--- a/drivers/net/wireless/ath/wcn36xx/smd.c ++++ b/drivers/net/wireless/ath/wcn36xx/smd.c +@@ -2607,7 +2607,7 @@ static int wcn36xx_smd_missed_beacon_ind(struct wcn36xx *wcn, + wcn36xx_dbg(WCN36XX_DBG_HAL, "beacon missed bss_index %d\n", + tmp->bss_index); + vif = wcn36xx_priv_to_vif(tmp); +- ieee80211_connection_loss(vif); ++ ieee80211_beacon_loss(vif); + } + return 0; + } +@@ -2622,7 +2622,7 @@ static int wcn36xx_smd_missed_beacon_ind(struct wcn36xx *wcn, + wcn36xx_dbg(WCN36XX_DBG_HAL, "beacon missed bss_index %d\n", + rsp->bss_index); + vif = wcn36xx_priv_to_vif(tmp); +- ieee80211_connection_loss(vif); ++ ieee80211_beacon_loss(vif); + return 0; + } + } +-- +2.34.1 + diff --git a/queue-5.10/wcn36xx-populate-band-before-determining-rate-on-rx.patch b/queue-5.10/wcn36xx-populate-band-before-determining-rate-on-rx.patch new file mode 100644 index 00000000000..6813f3a3927 --- /dev/null +++ b/queue-5.10/wcn36xx-populate-band-before-determining-rate-on-rx.patch @@ -0,0 +1,126 @@ +From 51e2fd149048434e8942882eee415c1cc0d84fa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 18:05:47 -0700 +Subject: wcn36xx: populate band before determining rate on RX + +From: Benjamin Li + +[ Upstream commit c9c5608fafe4dae975c9644c7d14c51ad3b0ed73 ] + +status.band is used in determination of status.rate -- for 5GHz on legacy +rates there is a linear shift between the BD descriptor's rate field and +the wcn36xx driver's rate table (wcn_5ghz_rates). + +We have a special clause to populate status.band for hardware scan offload +frames. However, this block occurs after status.rate is already populated. +Correctly handle this dependency by moving the band block before the rate +block. + +This patch addresses kernel warnings & missing scan results for 5GHz APs +that send their beacons/probe responses at the higher four legacy rates +(24-54 Mbps), when using hardware scan offload: + + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 0 at net/mac80211/rx.c:4532 ieee80211_rx_napi+0x744/0x8d8 + Modules linked in: wcn36xx [...] + CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 4.19.107-g73909fa #1 + Hardware name: Square, Inc. T2 (all variants) (DT) + Call trace: + dump_backtrace+0x0/0x148 + show_stack+0x14/0x1c + dump_stack+0xb8/0xf0 + __warn+0x2ac/0x2d8 + warn_slowpath_null+0x44/0x54 + ieee80211_rx_napi+0x744/0x8d8 + ieee80211_tasklet_handler+0xa4/0xe0 + tasklet_action_common+0xe0/0x118 + tasklet_action+0x20/0x28 + __do_softirq+0x108/0x1ec + irq_exit+0xd4/0xd8 + __handle_domain_irq+0x84/0xbc + gic_handle_irq+0x4c/0xb8 + el1_irq+0xe8/0x190 + lpm_cpuidle_enter+0x220/0x260 + cpuidle_enter_state+0x114/0x1c0 + cpuidle_enter+0x34/0x48 + do_idle+0x150/0x268 + cpu_startup_entry+0x20/0x24 + rest_init+0xd4/0xe0 + start_kernel+0x398/0x430 + ---[ end trace ae28cb759352b403 ]--- + +Fixes: 8a27ca394782 ("wcn36xx: Correct band/freq reporting on RX") +Signed-off-by: Benjamin Li +Tested-by: Loic Poulain +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211104010548.1107405-2-benl@squareup.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/txrx.c | 37 +++++++++++++------------ + 1 file changed, 19 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/txrx.c b/drivers/net/wireless/ath/wcn36xx/txrx.c +index bbd7194c82e27..f76de106570d2 100644 +--- a/drivers/net/wireless/ath/wcn36xx/txrx.c ++++ b/drivers/net/wireless/ath/wcn36xx/txrx.c +@@ -259,8 +259,6 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb) + fc = __le16_to_cpu(hdr->frame_control); + sn = IEEE80211_SEQ_TO_SN(__le16_to_cpu(hdr->seq_ctrl)); + +- status.freq = WCN36XX_CENTER_FREQ(wcn); +- status.band = WCN36XX_BAND(wcn); + status.mactime = 10; + status.signal = -get_rssi0(bd); + status.antenna = 1; +@@ -272,6 +270,25 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb) + + wcn36xx_dbg(WCN36XX_DBG_RX, "status.flags=%x\n", status.flag); + ++ if (bd->scan_learn) { ++ /* If packet originate from hardware scanning, extract the ++ * band/channel from bd descriptor. ++ */ ++ u8 hwch = (bd->reserved0 << 4) + bd->rx_ch; ++ ++ if (bd->rf_band != 1 && hwch <= sizeof(ab_rx_ch_map) && hwch >= 1) { ++ status.band = NL80211_BAND_5GHZ; ++ status.freq = ieee80211_channel_to_frequency(ab_rx_ch_map[hwch - 1], ++ status.band); ++ } else { ++ status.band = NL80211_BAND_2GHZ; ++ status.freq = ieee80211_channel_to_frequency(hwch, status.band); ++ } ++ } else { ++ status.band = WCN36XX_BAND(wcn); ++ status.freq = WCN36XX_CENTER_FREQ(wcn); ++ } ++ + if (bd->rate_id < ARRAY_SIZE(wcn36xx_rate_table)) { + rate = &wcn36xx_rate_table[bd->rate_id]; + status.encoding = rate->encoding; +@@ -298,22 +315,6 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb) + ieee80211_is_probe_resp(hdr->frame_control)) + status.boottime_ns = ktime_get_boottime_ns(); + +- if (bd->scan_learn) { +- /* If packet originates from hardware scanning, extract the +- * band/channel from bd descriptor. +- */ +- u8 hwch = (bd->reserved0 << 4) + bd->rx_ch; +- +- if (bd->rf_band != 1 && hwch <= sizeof(ab_rx_ch_map) && hwch >= 1) { +- status.band = NL80211_BAND_5GHZ; +- status.freq = ieee80211_channel_to_frequency(ab_rx_ch_map[hwch - 1], +- status.band); +- } else { +- status.band = NL80211_BAND_2GHZ; +- status.freq = ieee80211_channel_to_frequency(hwch, status.band); +- } +- } +- + memcpy(IEEE80211_SKB_RXCB(skb), &status, sizeof(status)); + + if (ieee80211_is_beacon(hdr->frame_control)) { +-- +2.34.1 + diff --git a/queue-5.10/wcn36xx-put-dxe-block-into-reset-before-freeing-memo.patch b/queue-5.10/wcn36xx-put-dxe-block-into-reset-before-freeing-memo.patch new file mode 100644 index 00000000000..1ecf56d7ba8 --- /dev/null +++ b/queue-5.10/wcn36xx-put-dxe-block-into-reset-before-freeing-memo.patch @@ -0,0 +1,49 @@ +From 9cc8eb9f30c9b683079f253f442d743e056003dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 12:21:52 +0000 +Subject: wcn36xx: Put DXE block into reset before freeing memory + +From: Bryan O'Donoghue + +[ Upstream commit ed04ea76e69e7194f7489cebe23a32a68f39218d ] + +When deiniting the DXE hardware we should reset the block to ensure there +is no spurious DMA write transaction from the downstream WCNSS to upstream +MSM at a skbuff address we will have released. + +Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211105122152.1580542-4-bryan.odonoghue@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/dxe.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/wireless/ath/wcn36xx/dxe.c b/drivers/net/wireless/ath/wcn36xx/dxe.c +index b117d8a0f446f..6c62ffc799a2b 100644 +--- a/drivers/net/wireless/ath/wcn36xx/dxe.c ++++ b/drivers/net/wireless/ath/wcn36xx/dxe.c +@@ -997,6 +997,8 @@ out_err_txh_ch: + + void wcn36xx_dxe_deinit(struct wcn36xx *wcn) + { ++ int reg_data = 0; ++ + /* Disable channel interrupts */ + wcn36xx_dxe_disable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_RX_H); + wcn36xx_dxe_disable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_RX_L); +@@ -1012,6 +1014,10 @@ void wcn36xx_dxe_deinit(struct wcn36xx *wcn) + wcn->tx_ack_skb = NULL; + } + ++ /* Put the DXE block into reset before freeing memory */ ++ reg_data = WCN36XX_DXE_REG_RESET; ++ wcn36xx_dxe_write_register(wcn, WCN36XX_DXE_REG_CSR_RESET, reg_data); ++ + wcn36xx_dxe_ch_free_skbs(wcn, &wcn->dxe_rx_l_ch); + wcn36xx_dxe_ch_free_skbs(wcn, &wcn->dxe_rx_h_ch); + +-- +2.34.1 + diff --git a/queue-5.10/wcn36xx-release-dma-channel-descriptor-allocations.patch b/queue-5.10/wcn36xx-release-dma-channel-descriptor-allocations.patch new file mode 100644 index 00000000000..3e0fe9626f8 --- /dev/null +++ b/queue-5.10/wcn36xx-release-dma-channel-descriptor-allocations.patch @@ -0,0 +1,38 @@ +From d91742e39ba8130dad00d385a533165a3f118b22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 12:21:51 +0000 +Subject: wcn36xx: Release DMA channel descriptor allocations + +From: Bryan O'Donoghue + +[ Upstream commit 3652096e5263ad67604b0323f71d133485f410e5 ] + +When unloading the driver we are not releasing the DMA descriptors which we +previously allocated. + +Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211105122152.1580542-3-bryan.odonoghue@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/dxe.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/ath/wcn36xx/dxe.c b/drivers/net/wireless/ath/wcn36xx/dxe.c +index 0909d0c423cbb..b117d8a0f446f 100644 +--- a/drivers/net/wireless/ath/wcn36xx/dxe.c ++++ b/drivers/net/wireless/ath/wcn36xx/dxe.c +@@ -1014,4 +1014,9 @@ void wcn36xx_dxe_deinit(struct wcn36xx *wcn) + + wcn36xx_dxe_ch_free_skbs(wcn, &wcn->dxe_rx_l_ch); + wcn36xx_dxe_ch_free_skbs(wcn, &wcn->dxe_rx_h_ch); ++ ++ wcn36xx_dxe_deinit_descs(wcn->dev, &wcn->dxe_tx_l_ch); ++ wcn36xx_dxe_deinit_descs(wcn->dev, &wcn->dxe_tx_h_ch); ++ wcn36xx_dxe_deinit_descs(wcn->dev, &wcn->dxe_rx_l_ch); ++ wcn36xx_dxe_deinit_descs(wcn->dev, &wcn->dxe_rx_h_ch); + } +-- +2.34.1 + diff --git a/queue-5.10/wireless-iwlwifi-fix-a-double-free-in-iwl_txq_dyn_al.patch b/queue-5.10/wireless-iwlwifi-fix-a-double-free-in-iwl_txq_dyn_al.patch new file mode 100644 index 00000000000..c6d46bdd755 --- /dev/null +++ b/queue-5.10/wireless-iwlwifi-fix-a-double-free-in-iwl_txq_dyn_al.patch @@ -0,0 +1,43 @@ +From c0744e957d5cd16703cc2d621dcc31f741da7fcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Apr 2021 22:47:55 -0700 +Subject: wireless: iwlwifi: Fix a double free in iwl_txq_dyn_alloc_dma + +From: Lv Yunlong + +[ Upstream commit f973795a8d19cbf3d03807704eb7c6ff65788d5a ] + +In iwl_txq_dyn_alloc_dma, txq->tfds is freed at first time by: +iwl_txq_alloc()->goto err_free_tfds->dma_free_coherent(). But +it forgot to set txq->tfds to NULL. + +Then the txq->tfds is freed again in iwl_txq_dyn_alloc_dma by: +goto error->iwl_txq_gen2_free_memory()->dma_free_coherent(). + +My patch sets txq->tfds to NULL after the first free to avoid the +double free. + +Fixes: 0cd1ad2d7fd41 ("iwlwifi: move all bus-independent TX functions to common code") +Signed-off-by: Lv Yunlong +Link: https://lore.kernel.org/r/20210403054755.4781-1-lyl2019@mail.ustc.edu.cn +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/queue/tx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/queue/tx.c b/drivers/net/wireless/intel/iwlwifi/queue/tx.c +index 9181221a2434d..0136df00ff6a6 100644 +--- a/drivers/net/wireless/intel/iwlwifi/queue/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/queue/tx.c +@@ -1148,6 +1148,7 @@ int iwl_txq_alloc(struct iwl_trans *trans, struct iwl_txq *txq, int slots_num, + return 0; + err_free_tfds: + dma_free_coherent(trans->dev, tfd_sz, txq->tfds, txq->dma_addr); ++ txq->tfds = NULL; + error: + if (txq->entries && cmd_queue) + for (i = 0; i < slots_num; i++) +-- +2.34.1 + diff --git a/queue-5.10/x86-boot-compressed-move-clang_flags-to-beginning-of.patch b/queue-5.10/x86-boot-compressed-move-clang_flags-to-beginning-of.patch new file mode 100644 index 00000000000..e1dea06b9dd --- /dev/null +++ b/queue-5.10/x86-boot-compressed-move-clang_flags-to-beginning-of.patch @@ -0,0 +1,69 @@ +From e905f4991c1b0fc6fbd259a99c49b9a5454bd7e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 09:30:41 -0700 +Subject: x86/boot/compressed: Move CLANG_FLAGS to beginning of KBUILD_CFLAGS + +From: Nathan Chancellor + +[ Upstream commit 5fe392ff9d1f7254a1fbb3f72d9893088e4d23eb ] + +When cross compiling i386_defconfig on an arm64 host with clang, there +are a few instances of '-Waddress-of-packed-member' and +'-Wgnu-variable-sized-type-not-at-end' in arch/x86/boot/compressed/, +which should both be disabled with the cc-disable-warning calls in that +directory's Makefile, which indicates that cc-disable-warning is failing +at the point of testing these flags. + +The cc-disable-warning calls fail because at the point that the flags +are tested, KBUILD_CFLAGS has '-march=i386' without $(CLANG_FLAGS), +which has the '--target=' flag to tell clang what architecture it is +targeting. Without the '--target=' flag, the host architecture (arm64) +is used and i386 is not a valid value for '-march=' in that case. This +error can be seen by adding some logging to try-run: + + clang-14: error: the clang compiler does not support '-march=i386' + +Invoking the compiler has to succeed prior to calling cc-option or +cc-disable-warning in order to accurately test whether or not the flag +is supported; if it doesn't, the requested flag can never be added to +the compiler flags. Move $(CLANG_FLAGS) to the beginning of KBUILD_FLAGS +so that any new flags that might be added in the future can be +accurately tested. + +Fixes: d5cbd80e302d ("x86/boot: Add $(CLANG_FLAGS) to compressed KBUILD_CFLAGS") +Signed-off-by: Nathan Chancellor +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/r/20211222163040.1961481-1-nathan@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/boot/compressed/Makefile | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile +index 6004047d25fdd..bf91e0a36d77f 100644 +--- a/arch/x86/boot/compressed/Makefile ++++ b/arch/x86/boot/compressed/Makefile +@@ -28,7 +28,11 @@ KCOV_INSTRUMENT := n + targets := vmlinux vmlinux.bin vmlinux.bin.gz vmlinux.bin.bz2 vmlinux.bin.lzma \ + vmlinux.bin.xz vmlinux.bin.lzo vmlinux.bin.lz4 vmlinux.bin.zst + +-KBUILD_CFLAGS := -m$(BITS) -O2 ++# CLANG_FLAGS must come before any cc-disable-warning or cc-option calls in ++# case of cross compiling, as it has the '--target=' flag, which is needed to ++# avoid errors with '-march=i386', and future flags may depend on the target to ++# be valid. ++KBUILD_CFLAGS := -m$(BITS) -O2 $(CLANG_FLAGS) + KBUILD_CFLAGS += -fno-strict-aliasing -fPIE + KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING + cflags-$(CONFIG_X86_32) := -march=i386 +@@ -46,7 +50,6 @@ KBUILD_CFLAGS += -D__DISABLE_EXPORTS + # Disable relocation relaxation in case the link is not PIE. + KBUILD_CFLAGS += $(call as-option,-Wa$(comma)-mrelax-relocations=no) + KBUILD_CFLAGS += -include $(srctree)/include/linux/hidden.h +-KBUILD_CFLAGS += $(CLANG_FLAGS) + + # sev-es.c indirectly inludes inat-table.h which is generated during + # compilation and stored in $(objtree). Add the directory to the includes so +-- +2.34.1 + diff --git a/queue-5.10/x86-kbuild-enable-config_kallsyms_all-y-in-the-defco.patch b/queue-5.10/x86-kbuild-enable-config_kallsyms_all-y-in-the-defco.patch new file mode 100644 index 00000000000..f0f889e022c --- /dev/null +++ b/queue-5.10/x86-kbuild-enable-config_kallsyms_all-y-in-the-defco.patch @@ -0,0 +1,45 @@ +From b3d5790b7f3ae85ce03dce06fbeeeef427ee82f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jan 2022 01:35:58 +0100 +Subject: x86/kbuild: Enable CONFIG_KALLSYMS_ALL=y in the defconfigs + +From: Ingo Molnar + +[ Upstream commit b6aa86cff44cf099299d3a5e66348cb709cd7964 ] + +Most distro kernels have this option enabled, to improve debug output. + +Lockdep also selects it. + +Enable this in the defconfig kernel as well, to make it more +representative of what people are using on x86. + +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/YdTn7gssoMVDMgMw@gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/configs/i386_defconfig | 1 + + arch/x86/configs/x86_64_defconfig | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig +index 78210793d357c..38d7acb9610cc 100644 +--- a/arch/x86/configs/i386_defconfig ++++ b/arch/x86/configs/i386_defconfig +@@ -264,3 +264,4 @@ CONFIG_BLK_DEV_IO_TRACE=y + CONFIG_PROVIDE_OHCI1394_DMA_INIT=y + CONFIG_EARLY_PRINTK_DBGP=y + CONFIG_DEBUG_BOOT_PARAMS=y ++CONFIG_KALLSYMS_ALL=y +diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig +index 9936528e19393..c6e587a9a6f85 100644 +--- a/arch/x86/configs/x86_64_defconfig ++++ b/arch/x86/configs/x86_64_defconfig +@@ -260,3 +260,4 @@ CONFIG_BLK_DEV_IO_TRACE=y + CONFIG_PROVIDE_OHCI1394_DMA_INIT=y + CONFIG_EARLY_PRINTK_DBGP=y + CONFIG_DEBUG_BOOT_PARAMS=y ++CONFIG_KALLSYMS_ALL=y +-- +2.34.1 + diff --git a/queue-5.10/x86-mce-allow-instrumentation-during-task-work-queue.patch b/queue-5.10/x86-mce-allow-instrumentation-during-task-work-queue.patch new file mode 100644 index 00000000000..3851bbdc736 --- /dev/null +++ b/queue-5.10/x86-mce-allow-instrumentation-during-task-work-queue.patch @@ -0,0 +1,52 @@ +From f5132c876536b269c9ba7b3b2e184b3d032e9f48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 09:07:19 +0200 +Subject: x86/mce: Allow instrumentation during task work queueing + +From: Borislav Petkov + +[ Upstream commit 4fbce464db81a42f9a57ee242d6150ec7f996415 ] + +Fixes + + vmlinux.o: warning: objtool: do_machine_check()+0xdb1: call to queue_task_work() leaves .noinstr.text section + +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/r/20211208111343.8130-6-bp@alien8.de +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mce/core.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c +index 14b34963eb1f7..34fffffaf8730 100644 +--- a/arch/x86/kernel/cpu/mce/core.c ++++ b/arch/x86/kernel/cpu/mce/core.c +@@ -1443,6 +1443,14 @@ noinstr void do_machine_check(struct pt_regs *regs) + if (worst != MCE_AR_SEVERITY && !kill_it) + goto out; + ++ /* ++ * Enable instrumentation around the external facilities like ++ * task_work_add() (via queue_task_work()), fixup_exception() etc. ++ * For now, that is. Fixing this properly would need a lot more involved ++ * reorganization. ++ */ ++ instrumentation_begin(); ++ + /* Fault was in user mode and we need to take some action */ + if ((m.cs & 3) == 3) { + /* If this triggers there is no way to recover. Die hard. */ +@@ -1468,6 +1476,9 @@ noinstr void do_machine_check(struct pt_regs *regs) + if (m.kflags & MCE_IN_KERNEL_COPYIN) + queue_task_work(&m, msg, kill_it); + } ++ ++ instrumentation_end(); ++ + out: + mce_wrmsrl(MSR_IA32_MCG_STATUS, 0); + } +-- +2.34.1 + diff --git a/queue-5.10/x86-mce-inject-avoid-out-of-bounds-write-when-settin.patch b/queue-5.10/x86-mce-inject-avoid-out-of-bounds-write-when-settin.patch new file mode 100644 index 00000000000..9c35640f335 --- /dev/null +++ b/queue-5.10/x86-mce-inject-avoid-out-of-bounds-write-when-settin.patch @@ -0,0 +1,55 @@ +From bb7054182b599f5c035e3a7895109ca8eff1605e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Dec 2021 22:02:49 +0100 +Subject: x86/mce/inject: Avoid out-of-bounds write when setting flags + +From: Zhang Zixun + +[ Upstream commit de768416b203ac84e02a757b782a32efb388476f ] + +A contrived zero-length write, for example, by using write(2): + + ... + ret = write(fd, str, 0); + ... + +to the "flags" file causes: + + BUG: KASAN: stack-out-of-bounds in flags_write + Write of size 1 at addr ffff888019be7ddf by task writefile/3787 + + CPU: 4 PID: 3787 Comm: writefile Not tainted 5.16.0-rc7+ #12 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 + +due to accessing buf one char before its start. + +Prevent such out-of-bounds access. + + [ bp: Productize into a proper patch. Link below is the next best + thing because the original mail didn't get archived on lore. ] + +Fixes: 0451d14d0561 ("EDAC, mce_amd_inj: Modify flags attribute to use string arguments") +Signed-off-by: Zhang Zixun +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/linux-edac/YcnePfF1OOqoQwrX@zn.tnic/ +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mce/inject.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/mce/inject.c b/arch/x86/kernel/cpu/mce/inject.c +index 3a44346f22766..e7808309d4710 100644 +--- a/arch/x86/kernel/cpu/mce/inject.c ++++ b/arch/x86/kernel/cpu/mce/inject.c +@@ -347,7 +347,7 @@ static ssize_t flags_write(struct file *filp, const char __user *ubuf, + char buf[MAX_FLAG_OPT_SIZE], *__buf; + int err; + +- if (cnt > MAX_FLAG_OPT_SIZE) ++ if (!cnt || cnt > MAX_FLAG_OPT_SIZE) + return -EINVAL; + + if (copy_from_user(&buf, ubuf, cnt)) +-- +2.34.1 + diff --git a/queue-5.10/x86-mce-mark-mce_end-noinstr.patch b/queue-5.10/x86-mce-mark-mce_end-noinstr.patch new file mode 100644 index 00000000000..2eeab81f3b5 --- /dev/null +++ b/queue-5.10/x86-mce-mark-mce_end-noinstr.patch @@ -0,0 +1,66 @@ +From 21effeac6c232f260c1a54bcdedc676bc5825e43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Nov 2021 16:43:33 +0100 +Subject: x86/mce: Mark mce_end() noinstr + +From: Borislav Petkov + +[ Upstream commit b4813539d37fa31fed62cdfab7bd2dd8929c5b2e ] + +It is called by the #MC handler which is noinstr. + +Fixes + + vmlinux.o: warning: objtool: do_machine_check()+0xbd6: call to memset() leaves .noinstr.text section + +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/r/20211208111343.8130-9-bp@alien8.de +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mce/core.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c +index 64d8a96a2bf1e..2a608f0819765 100644 +--- a/arch/x86/kernel/cpu/mce/core.c ++++ b/arch/x86/kernel/cpu/mce/core.c +@@ -1070,10 +1070,13 @@ static int mce_start(int *no_way_out) + * Synchronize between CPUs after main scanning loop. + * This invokes the bulk of the Monarch processing. + */ +-static int mce_end(int order) ++static noinstr int mce_end(int order) + { +- int ret = -1; + u64 timeout = (u64)mca_cfg.monarch_timeout * NSEC_PER_USEC; ++ int ret = -1; ++ ++ /* Allow instrumentation around external facilities. */ ++ instrumentation_begin(); + + if (!timeout) + goto reset; +@@ -1117,7 +1120,8 @@ static int mce_end(int order) + /* + * Don't reset anything. That's done by the Monarch. + */ +- return 0; ++ ret = 0; ++ goto out; + } + + /* +@@ -1132,6 +1136,10 @@ reset: + * Let others run again. + */ + atomic_set(&mce_executing, 0); ++ ++out: ++ instrumentation_end(); ++ + return ret; + } + +-- +2.34.1 + diff --git a/queue-5.10/x86-mce-mark-mce_panic-noinstr.patch b/queue-5.10/x86-mce-mark-mce_panic-noinstr.patch new file mode 100644 index 00000000000..13f228f28a3 --- /dev/null +++ b/queue-5.10/x86-mce-mark-mce_panic-noinstr.patch @@ -0,0 +1,69 @@ +From 26fd4c4293fdaa19bc0936c7dbef365b175d0fba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Nov 2021 13:39:35 +0100 +Subject: x86/mce: Mark mce_panic() noinstr + +From: Borislav Petkov + +[ Upstream commit 3c7ce80a818fa7950be123cac80cd078e5ac1013 ] + +And allow instrumentation inside it because it does calls to other +facilities which will not be tagged noinstr. + +Fixes + + vmlinux.o: warning: objtool: do_machine_check()+0xc73: call to mce_panic() leaves .noinstr.text section + +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/r/20211208111343.8130-8-bp@alien8.de +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mce/core.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c +index 34fffffaf8730..64d8a96a2bf1e 100644 +--- a/arch/x86/kernel/cpu/mce/core.c ++++ b/arch/x86/kernel/cpu/mce/core.c +@@ -295,11 +295,17 @@ static void wait_for_panic(void) + panic("Panicing machine check CPU died"); + } + +-static void mce_panic(const char *msg, struct mce *final, char *exp) ++static noinstr void mce_panic(const char *msg, struct mce *final, char *exp) + { +- int apei_err = 0; + struct llist_node *pending; + struct mce_evt_llist *l; ++ int apei_err = 0; ++ ++ /* ++ * Allow instrumentation around external facilities usage. Not that it ++ * matters a whole lot since the machine is going to panic anyway. ++ */ ++ instrumentation_begin(); + + if (!fake_panic) { + /* +@@ -314,7 +320,7 @@ static void mce_panic(const char *msg, struct mce *final, char *exp) + } else { + /* Don't log too much for fake panic */ + if (atomic_inc_return(&mce_fake_panicked) > 1) +- return; ++ goto out; + } + pending = mce_gen_pool_prepare_records(); + /* First print corrected ones that are still unlogged */ +@@ -352,6 +358,9 @@ static void mce_panic(const char *msg, struct mce *final, char *exp) + panic(msg); + } else + pr_emerg(HW_ERR "Fake kernel panic: %s\n", msg); ++ ++out: ++ instrumentation_end(); + } + + /* Support code for software error injection */ +-- +2.34.1 + diff --git a/queue-5.10/x86-mce-mark-mce_read_aux-noinstr.patch b/queue-5.10/x86-mce-mark-mce_read_aux-noinstr.patch new file mode 100644 index 00000000000..80f7c1d50c3 --- /dev/null +++ b/queue-5.10/x86-mce-mark-mce_read_aux-noinstr.patch @@ -0,0 +1,36 @@ +From d2ceec0c47a2edf67d5ee18d446bcecf3b9eea61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Nov 2021 11:14:48 +0100 +Subject: x86/mce: Mark mce_read_aux() noinstr + +From: Borislav Petkov + +[ Upstream commit db6c996d6ce45dfb44891f0824a65ecec216f47a ] + +Fixes + + vmlinux.o: warning: objtool: do_machine_check()+0x681: call to mce_read_aux() leaves .noinstr.text section + +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/r/20211208111343.8130-10-bp@alien8.de +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mce/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c +index 2a608f0819765..5cf1a024408bf 100644 +--- a/arch/x86/kernel/cpu/mce/core.c ++++ b/arch/x86/kernel/cpu/mce/core.c +@@ -691,7 +691,7 @@ static struct notifier_block mce_default_nb = { + /* + * Read ADDR and MISC registers. + */ +-static void mce_read_aux(struct mce *m, int i) ++static noinstr void mce_read_aux(struct mce *m, int i) + { + if (m->status & MCI_STATUS_MISCV) + m->misc = mce_rdmsrl(msr_ops.misc(i)); +-- +2.34.1 + diff --git a/queue-5.10/x86-mm-flush-global-tlb-when-switching-to-trampoline.patch b/queue-5.10/x86-mm-flush-global-tlb-when-switching-to-trampoline.patch new file mode 100644 index 00000000000..0ec5fed19af --- /dev/null +++ b/queue-5.10/x86-mm-flush-global-tlb-when-switching-to-trampoline.patch @@ -0,0 +1,103 @@ +From f9e310f06f7b3db8cc249ac5c6f90ce783e7a57a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Dec 2021 16:32:25 +0100 +Subject: x86/mm: Flush global TLB when switching to trampoline page-table + +From: Joerg Roedel + +[ Upstream commit 71d5049b053876afbde6c3273250b76935494ab2 ] + +Move the switching code into a function so that it can be re-used and +add a global TLB flush. This makes sure that usage of memory which is +not mapped in the trampoline page-table is reliably caught. + +Also move the clearing of CR4.PCIDE before the CR3 switch because the +cr4_clear_bits() function will access data not mapped into the +trampoline page-table. + +Signed-off-by: Joerg Roedel +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/r/20211202153226.22946-4-joro@8bytes.org +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/realmode.h | 1 + + arch/x86/kernel/reboot.c | 12 ++---------- + arch/x86/realmode/init.c | 26 ++++++++++++++++++++++++++ + 3 files changed, 29 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/include/asm/realmode.h b/arch/x86/include/asm/realmode.h +index 5db5d083c8732..331474b150f16 100644 +--- a/arch/x86/include/asm/realmode.h ++++ b/arch/x86/include/asm/realmode.h +@@ -89,6 +89,7 @@ static inline void set_real_mode_mem(phys_addr_t mem) + } + + void reserve_real_mode(void); ++void load_trampoline_pgtable(void); + + #endif /* __ASSEMBLY__ */ + +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c +index 798a6f73f8946..df3514835b356 100644 +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -113,17 +113,9 @@ void __noreturn machine_real_restart(unsigned int type) + spin_unlock(&rtc_lock); + + /* +- * Switch back to the initial page table. ++ * Switch to the trampoline page table. + */ +-#ifdef CONFIG_X86_32 +- load_cr3(initial_page_table); +-#else +- write_cr3(real_mode_header->trampoline_pgd); +- +- /* Exiting long mode will fail if CR4.PCIDE is set. */ +- if (boot_cpu_has(X86_FEATURE_PCID)) +- cr4_clear_bits(X86_CR4_PCIDE); +-#endif ++ load_trampoline_pgtable(); + + /* Jump to the identity-mapped low memory code */ + #ifdef CONFIG_X86_32 +diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c +index 3313bffbecd4d..1a702c6a226ec 100644 +--- a/arch/x86/realmode/init.c ++++ b/arch/x86/realmode/init.c +@@ -17,6 +17,32 @@ u32 *trampoline_cr4_features; + /* Hold the pgd entry used on booting additional CPUs */ + pgd_t trampoline_pgd_entry; + ++void load_trampoline_pgtable(void) ++{ ++#ifdef CONFIG_X86_32 ++ load_cr3(initial_page_table); ++#else ++ /* ++ * This function is called before exiting to real-mode and that will ++ * fail with CR4.PCIDE still set. ++ */ ++ if (boot_cpu_has(X86_FEATURE_PCID)) ++ cr4_clear_bits(X86_CR4_PCIDE); ++ ++ write_cr3(real_mode_header->trampoline_pgd); ++#endif ++ ++ /* ++ * The CR3 write above will not flush global TLB entries. ++ * Stale, global entries from previous page tables may still be ++ * present. Flush those stale entries. ++ * ++ * This ensures that memory accessed while running with ++ * trampoline_pgd is *actually* mapped into trampoline_pgd. ++ */ ++ __flush_tlb_all(); ++} ++ + void __init reserve_real_mode(void) + { + phys_addr_t mem; +-- +2.34.1 + diff --git a/queue-5.10/x86-uaccess-move-variable-into-switch-case-statement.patch b/queue-5.10/x86-uaccess-move-variable-into-switch-case-statement.patch new file mode 100644 index 00000000000..914bd61eea0 --- /dev/null +++ b/queue-5.10/x86-uaccess-move-variable-into-switch-case-statement.patch @@ -0,0 +1,49 @@ +From 51f41da6fc8c4072c599d7390bd75ec54222f04a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Dec 2021 20:34:56 -0800 +Subject: x86/uaccess: Move variable into switch case statement + +From: Kees Cook + +[ Upstream commit 61646ca83d3889696f2772edaff122dd96a2935e ] + +When building with automatic stack variable initialization, GCC 12 +complains about variables defined outside of switch case statements. +Move the variable into the case that uses it, which silences the warning: + +./arch/x86/include/asm/uaccess.h:317:23: warning: statement will never be executed [-Wswitch-unreachable] + 317 | unsigned char x_u8__; \ + | ^~~~~~ + +Fixes: 865c50e1d279 ("x86/uaccess: utilize CONFIG_CC_HAS_ASM_GOTO_OUTPUT") +Signed-off-by: Kees Cook +Signed-off-by: Dave Hansen +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20211209043456.1377875-1-keescook@chromium.org +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/uaccess.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h +index 5c95d242f38d7..bb1430283c726 100644 +--- a/arch/x86/include/asm/uaccess.h ++++ b/arch/x86/include/asm/uaccess.h +@@ -314,11 +314,12 @@ do { \ + do { \ + __chk_user_ptr(ptr); \ + switch (size) { \ +- unsigned char x_u8__; \ +- case 1: \ ++ case 1: { \ ++ unsigned char x_u8__; \ + __get_user_asm(x_u8__, ptr, "b", "=q", label); \ + (x) = x_u8__; \ + break; \ ++ } \ + case 2: \ + __get_user_asm(x, ptr, "w", "=r", label); \ + break; \ +-- +2.34.1 + diff --git a/queue-5.10/xfrm-fix-a-small-bug-in-xfrm_sa_len.patch b/queue-5.10/xfrm-fix-a-small-bug-in-xfrm_sa_len.patch new file mode 100644 index 00000000000..24bca10c6ab --- /dev/null +++ b/queue-5.10/xfrm-fix-a-small-bug-in-xfrm_sa_len.patch @@ -0,0 +1,38 @@ +From d93114d0d266538539fc5c21735b0d2ef17691a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Dec 2021 12:20:19 -0800 +Subject: xfrm: fix a small bug in xfrm_sa_len() + +From: Eric Dumazet + +[ Upstream commit 7770a39d7c63faec6c4f33666d49a8cb664d0482 ] + +copy_user_offload() will actually push a struct struct xfrm_user_offload, +which is different than (struct xfrm_state *)->xso +(struct xfrm_state_offload) + +Fixes: d77e38e612a01 ("xfrm: Add an IPsec hardware offloading API") +Signed-off-by: Eric Dumazet +Cc: Steffen Klassert +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 6f97665b632ed..97f7ebf5324e7 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -2898,7 +2898,7 @@ static inline unsigned int xfrm_sa_len(struct xfrm_state *x) + if (x->props.extra_flags) + l += nla_total_size(sizeof(x->props.extra_flags)); + if (x->xso.dev) +- l += nla_total_size(sizeof(x->xso)); ++ l += nla_total_size(sizeof(struct xfrm_user_offload)); + if (x->props.smark.v | x->props.smark.m) { + l += nla_total_size(sizeof(x->props.smark.v)); + l += nla_total_size(sizeof(x->props.smark.m)); +-- +2.34.1 + diff --git a/queue-5.10/xfrm-interface-with-if_id-0-should-return-error.patch b/queue-5.10/xfrm-interface-with-if_id-0-should-return-error.patch new file mode 100644 index 00000000000..976b6f6e83a --- /dev/null +++ b/queue-5.10/xfrm-interface-with-if_id-0-should-return-error.patch @@ -0,0 +1,69 @@ +From bed62f4821d831f2787dbfec8526c7085a278ad7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Dec 2021 11:34:30 +0100 +Subject: xfrm: interface with if_id 0 should return error + +From: Antony Antony + +[ Upstream commit 8dce43919566f06e865f7e8949f5c10d8c2493f5 ] + +xfrm interface if_id = 0 would cause xfrm policy lookup errors since +Commit 9f8550e4bd9d. + +Now explicitly fail to create an xfrm interface when if_id = 0 + +With this commit: + ip link add ipsec0 type xfrm dev lo if_id 0 + Error: if_id must be non zero. + +v1->v2 change: + - add Fixes: tag + +Fixes: 9f8550e4bd9d ("xfrm: fix disable_xfrm sysctl when used on xfrm interfaces") +Signed-off-by: Antony Antony +Reviewed-by: Eyal Birger +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_interface.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c +index e9ce23343f5ca..e1fae61a5bb90 100644 +--- a/net/xfrm/xfrm_interface.c ++++ b/net/xfrm/xfrm_interface.c +@@ -643,11 +643,16 @@ static int xfrmi_newlink(struct net *src_net, struct net_device *dev, + struct netlink_ext_ack *extack) + { + struct net *net = dev_net(dev); +- struct xfrm_if_parms p; ++ struct xfrm_if_parms p = {}; + struct xfrm_if *xi; + int err; + + xfrmi_netlink_parms(data, &p); ++ if (!p.if_id) { ++ NL_SET_ERR_MSG(extack, "if_id must be non zero"); ++ return -EINVAL; ++ } ++ + xi = xfrmi_locate(net, &p); + if (xi) + return -EEXIST; +@@ -672,7 +677,12 @@ static int xfrmi_changelink(struct net_device *dev, struct nlattr *tb[], + { + struct xfrm_if *xi = netdev_priv(dev); + struct net *net = xi->net; +- struct xfrm_if_parms p; ++ struct xfrm_if_parms p = {}; ++ ++ if (!p.if_id) { ++ NL_SET_ERR_MSG(extack, "if_id must be non zero"); ++ return -EINVAL; ++ } + + xfrmi_netlink_parms(data, &p); + xi = xfrmi_locate(net, &p); +-- +2.34.1 + diff --git a/queue-5.10/xfrm-rate-limit-sa-mapping-change-message-to-user-sp.patch b/queue-5.10/xfrm-rate-limit-sa-mapping-change-message-to-user-sp.patch new file mode 100644 index 00000000000..a5c6c85bbda --- /dev/null +++ b/queue-5.10/xfrm-rate-limit-sa-mapping-change-message-to-user-sp.patch @@ -0,0 +1,211 @@ +From da223c6e4cd1541c50b6584913638e9bf3a68e4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 14:11:18 +0100 +Subject: xfrm: rate limit SA mapping change message to user space + +From: Antony Antony + +[ Upstream commit 4e484b3e969b52effd95c17f7a86f39208b2ccf4 ] + +Kernel generates mapping change message, XFRM_MSG_MAPPING, +when a source port chage is detected on a input state with UDP +encapsulation set. Kernel generates a message for each IPsec packet +with new source port. For a high speed flow per packet mapping change +message can be excessive, and can overload the user space listener. + +Introduce rate limiting for XFRM_MSG_MAPPING message to the user space. + +The rate limiting is configurable via netlink, when adding a new SA or +updating it. Use the new attribute XFRMA_MTIMER_THRESH in seconds. + +v1->v2 change: + update xfrm_sa_len() + +v2->v3 changes: + use u32 insted unsigned long to reduce size of struct xfrm_state + fix xfrm_ompat size Reported-by: kernel test robot + accept XFRM_MSG_MAPPING only when XFRMA_ENCAP is present + +Co-developed-by: Thomas Egerer +Signed-off-by: Thomas Egerer +Signed-off-by: Antony Antony +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + include/net/xfrm.h | 5 +++++ + include/uapi/linux/xfrm.h | 1 + + net/xfrm/xfrm_compat.c | 6 ++++-- + net/xfrm/xfrm_state.c | 23 ++++++++++++++++++++++- + net/xfrm/xfrm_user.c | 18 +++++++++++++++++- + 5 files changed, 49 insertions(+), 4 deletions(-) + +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index 6232a5f048bde..337d29875e518 100644 +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -193,6 +193,11 @@ struct xfrm_state { + struct xfrm_algo_aead *aead; + const char *geniv; + ++ /* mapping change rate limiting */ ++ __be16 new_mapping_sport; ++ u32 new_mapping; /* seconds */ ++ u32 mapping_maxage; /* seconds for input SA */ ++ + /* Data for encapsulator */ + struct xfrm_encap_tmpl *encap; + struct sock __rcu *encap_sk; +diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h +index ffc6a5391bb7b..2290c98b47cf8 100644 +--- a/include/uapi/linux/xfrm.h ++++ b/include/uapi/linux/xfrm.h +@@ -308,6 +308,7 @@ enum xfrm_attr_type_t { + XFRMA_SET_MARK, /* __u32 */ + XFRMA_SET_MARK_MASK, /* __u32 */ + XFRMA_IF_ID, /* __u32 */ ++ XFRMA_MTIMER_THRESH, /* __u32 in seconds for input SA */ + __XFRMA_MAX + + #define XFRMA_OUTPUT_MARK XFRMA_SET_MARK /* Compatibility */ +diff --git a/net/xfrm/xfrm_compat.c b/net/xfrm/xfrm_compat.c +index 2bf2693901631..a0f62fa02e06e 100644 +--- a/net/xfrm/xfrm_compat.c ++++ b/net/xfrm/xfrm_compat.c +@@ -127,6 +127,7 @@ static const struct nla_policy compat_policy[XFRMA_MAX+1] = { + [XFRMA_SET_MARK] = { .type = NLA_U32 }, + [XFRMA_SET_MARK_MASK] = { .type = NLA_U32 }, + [XFRMA_IF_ID] = { .type = NLA_U32 }, ++ [XFRMA_MTIMER_THRESH] = { .type = NLA_U32 }, + }; + + static struct nlmsghdr *xfrm_nlmsg_put_compat(struct sk_buff *skb, +@@ -274,9 +275,10 @@ static int xfrm_xlate64_attr(struct sk_buff *dst, const struct nlattr *src) + case XFRMA_SET_MARK: + case XFRMA_SET_MARK_MASK: + case XFRMA_IF_ID: ++ case XFRMA_MTIMER_THRESH: + return xfrm_nla_cpy(dst, src, nla_len(src)); + default: +- BUILD_BUG_ON(XFRMA_MAX != XFRMA_IF_ID); ++ BUILD_BUG_ON(XFRMA_MAX != XFRMA_MTIMER_THRESH); + pr_warn_once("unsupported nla_type %d\n", src->nla_type); + return -EOPNOTSUPP; + } +@@ -431,7 +433,7 @@ static int xfrm_xlate32_attr(void *dst, const struct nlattr *nla, + int err; + + if (type > XFRMA_MAX) { +- BUILD_BUG_ON(XFRMA_MAX != XFRMA_IF_ID); ++ BUILD_BUG_ON(XFRMA_MAX != XFRMA_MTIMER_THRESH); + NL_SET_ERR_MSG(extack, "Bad attribute"); + return -EOPNOTSUPP; + } +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index c158e70e8ae10..65e2805fa113a 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1557,6 +1557,9 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, + x->km.seq = orig->km.seq; + x->replay = orig->replay; + x->preplay = orig->preplay; ++ x->mapping_maxage = orig->mapping_maxage; ++ x->new_mapping = 0; ++ x->new_mapping_sport = 0; + + return x; + +@@ -2208,7 +2211,7 @@ int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol) + } + EXPORT_SYMBOL(km_query); + +-int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport) ++static int __km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport) + { + int err = -EINVAL; + struct xfrm_mgr *km; +@@ -2223,6 +2226,24 @@ int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport) + rcu_read_unlock(); + return err; + } ++ ++int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport) ++{ ++ int ret = 0; ++ ++ if (x->mapping_maxage) { ++ if ((jiffies / HZ - x->new_mapping) > x->mapping_maxage || ++ x->new_mapping_sport != sport) { ++ x->new_mapping_sport = sport; ++ x->new_mapping = jiffies / HZ; ++ ret = __km_new_mapping(x, ipaddr, sport); ++ } ++ } else { ++ ret = __km_new_mapping(x, ipaddr, sport); ++ } ++ ++ return ret; ++} + EXPORT_SYMBOL(km_new_mapping); + + void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid) +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index ddf1b3a5f7c1f..d0fdfbf4c5f72 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -282,6 +282,10 @@ static int verify_newsa_info(struct xfrm_usersa_info *p, + + err = 0; + ++ if (attrs[XFRMA_MTIMER_THRESH]) ++ if (!attrs[XFRMA_ENCAP]) ++ err = -EINVAL; ++ + out: + return err; + } +@@ -521,6 +525,7 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs, + struct nlattr *lt = attrs[XFRMA_LTIME_VAL]; + struct nlattr *et = attrs[XFRMA_ETIMER_THRESH]; + struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; ++ struct nlattr *mt = attrs[XFRMA_MTIMER_THRESH]; + + if (re) { + struct xfrm_replay_state_esn *replay_esn; +@@ -552,6 +557,9 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs, + + if (rt) + x->replay_maxdiff = nla_get_u32(rt); ++ ++ if (mt) ++ x->mapping_maxage = nla_get_u32(mt); + } + + static void xfrm_smark_init(struct nlattr **attrs, struct xfrm_mark *m) +@@ -969,8 +977,13 @@ static int copy_to_user_state_extra(struct xfrm_state *x, + if (ret) + goto out; + } +- if (x->security) ++ if (x->security) { + ret = copy_sec_ctx(x->security, skb); ++ if (ret) ++ goto out; ++ } ++ if (x->mapping_maxage) ++ ret = nla_put_u32(skb, XFRMA_MTIMER_THRESH, x->mapping_maxage); + out: + return ret; + } +@@ -2924,6 +2937,9 @@ static inline unsigned int xfrm_sa_len(struct xfrm_state *x) + /* Must count x->lastused as it may become non-zero behind our back. */ + l += nla_total_size_64bit(sizeof(u64)); + ++ if (x->mapping_maxage) ++ l += nla_total_size(sizeof(x->mapping_maxage)); ++ + return l; + } + +-- +2.34.1 + diff --git a/queue-5.10/xfrm-state-and-policy-should-fail-if-xfrma_if_id-0.patch b/queue-5.10/xfrm-state-and-policy-should-fail-if-xfrma_if_id-0.patch new file mode 100644 index 00000000000..cc0f827712c --- /dev/null +++ b/queue-5.10/xfrm-state-and-policy-should-fail-if-xfrma_if_id-0.patch @@ -0,0 +1,84 @@ +From f62664531c7f8f7e99ca405ba22f3766a906d40b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Dec 2021 11:35:00 +0100 +Subject: xfrm: state and policy should fail if XFRMA_IF_ID 0 + +From: Antony Antony + +[ Upstream commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 ] + +xfrm ineterface does not allow xfrm if_id = 0 +fail to create or update xfrm state and policy. + +With this commit: + ip xfrm policy add src 192.0.2.1 dst 192.0.2.2 dir out if_id 0 + RTNETLINK answers: Invalid argument + + ip xfrm state add src 192.0.2.1 dst 192.0.2.2 proto esp spi 1 \ + reqid 1 mode tunnel aead 'rfc4106(gcm(aes))' \ + 0x1111111111111111111111111111111111111111 96 if_id 0 + RTNETLINK answers: Invalid argument + +v1->v2 change: + - add Fixes: tag + +Fixes: 9f8550e4bd9d ("xfrm: fix disable_xfrm sysctl when used on xfrm interfaces") +Signed-off-by: Antony Antony +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 97f7ebf5324e7..ddf1b3a5f7c1f 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -621,8 +621,13 @@ static struct xfrm_state *xfrm_state_construct(struct net *net, + + xfrm_smark_init(attrs, &x->props.smark); + +- if (attrs[XFRMA_IF_ID]) ++ if (attrs[XFRMA_IF_ID]) { + x->if_id = nla_get_u32(attrs[XFRMA_IF_ID]); ++ if (!x->if_id) { ++ err = -EINVAL; ++ goto error; ++ } ++ } + + err = __xfrm_init_state(x, false, attrs[XFRMA_OFFLOAD_DEV]); + if (err) +@@ -1353,8 +1358,13 @@ static int xfrm_alloc_userspi(struct sk_buff *skb, struct nlmsghdr *nlh, + + mark = xfrm_mark_get(attrs, &m); + +- if (attrs[XFRMA_IF_ID]) ++ if (attrs[XFRMA_IF_ID]) { + if_id = nla_get_u32(attrs[XFRMA_IF_ID]); ++ if (!if_id) { ++ err = -EINVAL; ++ goto out_noput; ++ } ++ } + + if (p->info.seq) { + x = xfrm_find_acq_byseq(net, mark, p->info.seq); +@@ -1667,8 +1677,13 @@ static struct xfrm_policy *xfrm_policy_construct(struct net *net, struct xfrm_us + + xfrm_mark_get(attrs, &xp->mark); + +- if (attrs[XFRMA_IF_ID]) ++ if (attrs[XFRMA_IF_ID]) { + xp->if_id = nla_get_u32(attrs[XFRMA_IF_ID]); ++ if (!xp->if_id) { ++ err = -EINVAL; ++ goto error; ++ } ++ } + + return xp; + error: +-- +2.34.1 + -- 2.47.2