From 9ebaa027d8b63554fb3551bf9842674ee2d71490 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 17 Jul 2022 21:29:46 -0400 Subject: [PATCH] Fixes for 5.10 Signed-off-by: Sasha Levin --- ...e-the-correct-clock-source-for-cec-o.patch | 34 +++++ ...-event-generation-for-low-power-mux-.patch | 48 ++++++ ...lise-kcontrol-data-for-mux-demux-con.patch | 59 ++++++++ ...-fix-event-generation-for-out1-demux.patch | 46 ++++++ ...x-event-generation-for-rate-controls.patch | 51 +++++++ ...f-by-one-in-range-control-validation.patch | 45 ++++++ ...da-loader-clarify-the-cl_dsp_init-fl.patch | 54 +++++++ queue-5.10/asoc-wm5110-fix-dre-control.patch | 56 +++++++ ...pmac32-cpufreq-fix-refcount-leak-bug.patch | 38 +++++ ...-undefine-mask_ack-for-level-trigger.patch | 41 +++++ ...net-sfp-fix-memory-leak-in-sfp_probe.patch | 39 +++++ ...sible-refcount-leak-in-tipc_sk_creat.patch | 34 +++++ ...filter-do-not-skip-all-hooks-with-0-.patch | 104 +++++++++++++ ...t-print-header-length-mismatch-on-i2.patch | 50 ++++++ ...ion-when-disconnect-a-recovering-ctr.patch | 143 ++++++++++++++++++ ...i-phison-e16-has-bogus-namespace-ids.patch | 38 +++++ ...fail-a-request-when-sending-it-faile.patch | 45 ++++++ ...ix-potential-null-dereference-in-asp.patch | 42 +++++ ...p-wmi-ignore-sanitization-mode-event.patch | 49 ++++++ ...-can-xilinx_can-limit-canfd-brp-to-2.patch | 48 ++++++ ...i_sas-limit-max-hw-sectors-for-v3-hw.patch | 53 +++++++ queue-5.10/series | 26 ++++ ...dling-don-t-use-bug_on-for-debugging.patch | 54 +++++++ ...-ixp4xx-npe-fix-unused-match-warning.patch | 45 ++++++ ...d-missing-pm-calls-to-freeze-restore.patch | 81 ++++++++++ ...io-restore-guest-page-size-on-resume.patch | 44 ++++++ .../x86-clear-.brk-area-at-early-boot.patch | 43 ++++++ 27 files changed, 1410 insertions(+) create mode 100644 queue-5.10/arm-dts-stm32-use-the-correct-clock-source-for-cec-o.patch create mode 100644 queue-5.10/asoc-cs47l15-fix-event-generation-for-low-power-mux-.patch create mode 100644 queue-5.10/asoc-dapm-initialise-kcontrol-data-for-mux-demux-con.patch create mode 100644 queue-5.10/asoc-madera-fix-event-generation-for-out1-demux.patch create mode 100644 queue-5.10/asoc-madera-fix-event-generation-for-rate-controls.patch create mode 100644 queue-5.10/asoc-ops-fix-off-by-one-in-range-control-validation.patch create mode 100644 queue-5.10/asoc-sof-intel-hda-loader-clarify-the-cl_dsp_init-fl.patch create mode 100644 queue-5.10/asoc-wm5110-fix-dre-control.patch create mode 100644 queue-5.10/cpufreq-pmac32-cpufreq-fix-refcount-leak-bug.patch create mode 100644 queue-5.10/irqchip-or1k-pic-undefine-mask_ack-for-level-trigger.patch create mode 100644 queue-5.10/net-sfp-fix-memory-leak-in-sfp_probe.patch create mode 100644 queue-5.10/net-tipc-fix-possible-refcount-leak-in-tipc_sk_creat.patch create mode 100644 queue-5.10/netfilter-br_netfilter-do-not-skip-all-hooks-with-0-.patch create mode 100644 queue-5.10/nfc-nxp-nci-don-t-print-header-length-mismatch-on-i2.patch create mode 100644 queue-5.10/nvme-fix-regression-when-disconnect-a-recovering-ctr.patch create mode 100644 queue-5.10/nvme-pci-phison-e16-has-bogus-namespace-ids.patch create mode 100644 queue-5.10/nvme-tcp-always-fail-a-request-when-sending-it-faile.patch create mode 100644 queue-5.10/pinctrl-aspeed-fix-potential-null-dereference-in-asp.patch create mode 100644 queue-5.10/platform-x86-hp-wmi-ignore-sanitization-mode-event.patch create mode 100644 queue-5.10/revert-can-xilinx_can-limit-canfd-brp-to-2.patch create mode 100644 queue-5.10/scsi-hisi_sas-limit-max-hw-sectors-for-v3-hw.patch create mode 100644 queue-5.10/signal-handling-don-t-use-bug_on-for-debugging.patch create mode 100644 queue-5.10/soc-ixp4xx-npe-fix-unused-match-warning.patch create mode 100644 queue-5.10/virtio_mmio-add-missing-pm-calls-to-freeze-restore.patch create mode 100644 queue-5.10/virtio_mmio-restore-guest-page-size-on-resume.patch create mode 100644 queue-5.10/x86-clear-.brk-area-at-early-boot.patch diff --git a/queue-5.10/arm-dts-stm32-use-the-correct-clock-source-for-cec-o.patch b/queue-5.10/arm-dts-stm32-use-the-correct-clock-source-for-cec-o.patch new file mode 100644 index 00000000000..1874c2ce448 --- /dev/null +++ b/queue-5.10/arm-dts-stm32-use-the-correct-clock-source-for-cec-o.patch @@ -0,0 +1,34 @@ +From 8d4e2b4df2ee22555003ab8d228341780496d5d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jun 2022 11:27:13 +0200 +Subject: ARM: dts: stm32: use the correct clock source for CEC on stm32mp151 + +From: Gabriel Fernandez + +[ Upstream commit 78ece8cce1ba0c3f3e5a7c6c1b914b3794f04c44 ] + +The peripheral clock of CEC is not LSE but CEC. + +Signed-off-by: Gabriel Fernandez +Signed-off-by: Alexandre Torgue +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/stm32mp151.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/stm32mp151.dtsi b/arch/arm/boot/dts/stm32mp151.dtsi +index 7a0ef01de969..9919fc86bdc3 100644 +--- a/arch/arm/boot/dts/stm32mp151.dtsi ++++ b/arch/arm/boot/dts/stm32mp151.dtsi +@@ -543,7 +543,7 @@ + compatible = "st,stm32-cec"; + reg = <0x40016000 0x400>; + interrupts = ; +- clocks = <&rcc CEC_K>, <&clk_lse>; ++ clocks = <&rcc CEC_K>, <&rcc CEC>; + clock-names = "cec", "hdmi-cec"; + status = "disabled"; + }; +-- +2.35.1 + diff --git a/queue-5.10/asoc-cs47l15-fix-event-generation-for-low-power-mux-.patch b/queue-5.10/asoc-cs47l15-fix-event-generation-for-low-power-mux-.patch new file mode 100644 index 00000000000..e68bc88a5cc --- /dev/null +++ b/queue-5.10/asoc-cs47l15-fix-event-generation-for-low-power-mux-.patch @@ -0,0 +1,48 @@ +From c90400befa35f2817f43861ed7e132327e985b53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jun 2022 11:51:17 +0100 +Subject: ASoC: cs47l15: Fix event generation for low power mux control + +From: Charles Keepax + +[ Upstream commit 7f103af4a10f375b9b346b4d0b730f6a66b8c451 ] + +cs47l15_in1_adc_put always returns zero regardless of if the control +value was updated. This results in missing notifications to user-space +of the control change. Update the handling to return 1 when the value is +changed. + +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20220623105120.1981154-3-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs47l15.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/cs47l15.c b/sound/soc/codecs/cs47l15.c +index 254f9d96e766..7c20642f160a 100644 +--- a/sound/soc/codecs/cs47l15.c ++++ b/sound/soc/codecs/cs47l15.c +@@ -122,6 +122,9 @@ static int cs47l15_in1_adc_put(struct snd_kcontrol *kcontrol, + snd_soc_kcontrol_component(kcontrol); + struct cs47l15 *cs47l15 = snd_soc_component_get_drvdata(component); + ++ if (!!ucontrol->value.integer.value[0] == cs47l15->in1_lp_mode) ++ return 0; ++ + switch (ucontrol->value.integer.value[0]) { + case 0: + /* Set IN1 to normal mode */ +@@ -150,7 +153,7 @@ static int cs47l15_in1_adc_put(struct snd_kcontrol *kcontrol, + break; + } + +- return 0; ++ return 1; + } + + static const struct snd_kcontrol_new cs47l15_snd_controls[] = { +-- +2.35.1 + diff --git a/queue-5.10/asoc-dapm-initialise-kcontrol-data-for-mux-demux-con.patch b/queue-5.10/asoc-dapm-initialise-kcontrol-data-for-mux-demux-con.patch new file mode 100644 index 00000000000..025da14fec2 --- /dev/null +++ b/queue-5.10/asoc-dapm-initialise-kcontrol-data-for-mux-demux-con.patch @@ -0,0 +1,59 @@ +From 1c8eea28425a1546c04651087e62921fde2a053c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jun 2022 11:51:15 +0100 +Subject: ASoC: dapm: Initialise kcontrol data for mux/demux controls + +From: Charles Keepax + +[ Upstream commit 11d7a12f7f50baa5af9090b131c9b03af59503e7 ] + +DAPM keeps a copy of the current value of mux/demux controls, +however this value is only initialised in the case of autodisable +controls. This leads to false notification events when first +modifying a DAPM kcontrol that has a non-zero default. + +Autodisable controls are left as they are, since they already +initialise the value, and there would be more work required to +support autodisable muxes where the first option isn't disabled +and/or that isn't the default. + +Technically this issue could affect mixer/switch elements as well, +although not on any of the devices I am currently running. There +is also a little more work to do to address the issue there due to +that side supporting stereo controls, so that has not been tackled +in this patch. + +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20220623105120.1981154-1-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-dapm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c +index f2f7f2dde93c..754c1f16ee83 100644 +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -62,6 +62,8 @@ struct snd_soc_dapm_widget * + snd_soc_dapm_new_control_unlocked(struct snd_soc_dapm_context *dapm, + const struct snd_soc_dapm_widget *widget); + ++static unsigned int soc_dapm_read(struct snd_soc_dapm_context *dapm, int reg); ++ + /* dapm power sequences - make this per codec in the future */ + static int dapm_up_seq[] = { + [snd_soc_dapm_pre] = 1, +@@ -442,6 +444,9 @@ static int dapm_kcontrol_data_alloc(struct snd_soc_dapm_widget *widget, + + snd_soc_dapm_add_path(widget->dapm, data->widget, + widget, NULL, NULL); ++ } else if (e->reg != SND_SOC_NOPM) { ++ data->value = soc_dapm_read(widget->dapm, e->reg) & ++ (e->mask << e->shift_l); + } + break; + default: +-- +2.35.1 + diff --git a/queue-5.10/asoc-madera-fix-event-generation-for-out1-demux.patch b/queue-5.10/asoc-madera-fix-event-generation-for-out1-demux.patch new file mode 100644 index 00000000000..fa1c951b0ca --- /dev/null +++ b/queue-5.10/asoc-madera-fix-event-generation-for-out1-demux.patch @@ -0,0 +1,46 @@ +From a485a057134d17395a3a41105491dc944e6c53f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jun 2022 11:51:18 +0100 +Subject: ASoC: madera: Fix event generation for OUT1 demux + +From: Charles Keepax + +[ Upstream commit e3cabbef3db8269207a6b8808f510137669f8deb ] + +madera_out1_demux_put returns the value of +snd_soc_dapm_mux_update_power, which returns a 1 if a path was found for +the kcontrol. This is obviously different to the expected return a 1 if +the control was updated value. This results in spurious notifications to +user-space. Update the handling to only return a 1 when the value is +changed. + +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20220623105120.1981154-4-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/madera.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/madera.c b/sound/soc/codecs/madera.c +index 680f31a6493a..a74c9b28368b 100644 +--- a/sound/soc/codecs/madera.c ++++ b/sound/soc/codecs/madera.c +@@ -618,7 +618,13 @@ int madera_out1_demux_put(struct snd_kcontrol *kcontrol, + end: + snd_soc_dapm_mutex_unlock(dapm); + +- return snd_soc_dapm_mux_update_power(dapm, kcontrol, mux, e, NULL); ++ ret = snd_soc_dapm_mux_update_power(dapm, kcontrol, mux, e, NULL); ++ if (ret < 0) { ++ dev_err(madera->dev, "Failed to update demux power state: %d\n", ret); ++ return ret; ++ } ++ ++ return change; + } + EXPORT_SYMBOL_GPL(madera_out1_demux_put); + +-- +2.35.1 + diff --git a/queue-5.10/asoc-madera-fix-event-generation-for-rate-controls.patch b/queue-5.10/asoc-madera-fix-event-generation-for-rate-controls.patch new file mode 100644 index 00000000000..7e000ce3358 --- /dev/null +++ b/queue-5.10/asoc-madera-fix-event-generation-for-rate-controls.patch @@ -0,0 +1,51 @@ +From 292a033b55965ed9a31fa08fb01360fcc7bb69d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jun 2022 11:51:19 +0100 +Subject: ASoC: madera: Fix event generation for rate controls + +From: Charles Keepax + +[ Upstream commit 980555e95f7cabdc9c80a07107622b097ba23703 ] + +madera_adsp_rate_put always returns zero regardless of if the control +value was updated. This results in missing notifications to user-space +of the control change. Update the handling to return 1 when the +value is changed. + +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20220623105120.1981154-5-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/madera.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/madera.c b/sound/soc/codecs/madera.c +index a74c9b28368b..bbab4bc1f6b5 100644 +--- a/sound/soc/codecs/madera.c ++++ b/sound/soc/codecs/madera.c +@@ -899,7 +899,7 @@ static int madera_adsp_rate_put(struct snd_kcontrol *kcontrol, + struct soc_enum *e = (struct soc_enum *)kcontrol->private_value; + const int adsp_num = e->shift_l; + const unsigned int item = ucontrol->value.enumerated.item[0]; +- int ret; ++ int ret = 0; + + if (item >= e->items) + return -EINVAL; +@@ -916,10 +916,10 @@ static int madera_adsp_rate_put(struct snd_kcontrol *kcontrol, + "Cannot change '%s' while in use by active audio paths\n", + kcontrol->id.name); + ret = -EBUSY; +- } else { ++ } else if (priv->adsp_rate_cache[adsp_num] != e->values[item]) { + /* Volatile register so defer until the codec is powered up */ + priv->adsp_rate_cache[adsp_num] = e->values[item]; +- ret = 0; ++ ret = 1; + } + + mutex_unlock(&priv->rate_lock); +-- +2.35.1 + diff --git a/queue-5.10/asoc-ops-fix-off-by-one-in-range-control-validation.patch b/queue-5.10/asoc-ops-fix-off-by-one-in-range-control-validation.patch new file mode 100644 index 00000000000..52f9d95269b --- /dev/null +++ b/queue-5.10/asoc-ops-fix-off-by-one-in-range-control-validation.patch @@ -0,0 +1,45 @@ +From f78651e847b792ccbc5c6937ca38540ee77d4ffe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Jun 2022 11:52:46 +0100 +Subject: ASoC: ops: Fix off by one in range control validation + +From: Mark Brown + +[ Upstream commit 5871321fb4558c55bf9567052b618ff0be6b975e ] + +We currently report that range controls accept a range of 0..(max-min) but +accept writes in the range 0..(max-min+1). Remove that extra +1. + +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20220604105246.4055214-1-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-ops.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c +index 15bfcdbdfaa4..0f26d6c31ce5 100644 +--- a/sound/soc/soc-ops.c ++++ b/sound/soc/soc-ops.c +@@ -517,7 +517,7 @@ int snd_soc_put_volsw_range(struct snd_kcontrol *kcontrol, + return -EINVAL; + if (mc->platform_max && tmp > mc->platform_max) + return -EINVAL; +- if (tmp > mc->max - mc->min + 1) ++ if (tmp > mc->max - mc->min) + return -EINVAL; + + if (invert) +@@ -538,7 +538,7 @@ int snd_soc_put_volsw_range(struct snd_kcontrol *kcontrol, + return -EINVAL; + if (mc->platform_max && tmp > mc->platform_max) + return -EINVAL; +- if (tmp > mc->max - mc->min + 1) ++ if (tmp > mc->max - mc->min) + return -EINVAL; + + if (invert) +-- +2.35.1 + diff --git a/queue-5.10/asoc-sof-intel-hda-loader-clarify-the-cl_dsp_init-fl.patch b/queue-5.10/asoc-sof-intel-hda-loader-clarify-the-cl_dsp_init-fl.patch new file mode 100644 index 00000000000..195c846d3c7 --- /dev/null +++ b/queue-5.10/asoc-sof-intel-hda-loader-clarify-the-cl_dsp_init-fl.patch @@ -0,0 +1,54 @@ +From 03d6f62f22ddfd893913f17d22dfed5e9ce71a6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jun 2022 11:59:49 +0300 +Subject: ASoC: SOF: Intel: hda-loader: Clarify the cl_dsp_init() flow + +From: Peter Ujfalusi + +[ Upstream commit bbfef046c6613404c01aeb9e9928bebb78dd327a ] + +Update the comment for the cl_dsp_init() to clarify what is done by the +function and use the chip->init_core_mask instead of BIT(0) when +unstalling/running the init core. + +Complements: 2a68ff846164 ("ASoC: SOF: Intel: hda: Revisit IMR boot sequence") +Signed-off-by: Peter Ujfalusi +Reviewed-by: Pierre-Louis Bossart +Reviewed-by: Bard Liao +Reviewed-by: Ranjani Sridharan +Link: https://lore.kernel.org/r/20220609085949.29062-4-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/intel/hda-loader.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/sof/intel/hda-loader.c b/sound/soc/sof/intel/hda-loader.c +index 347636a80b48..4012097a9d60 100644 +--- a/sound/soc/sof/intel/hda-loader.c ++++ b/sound/soc/sof/intel/hda-loader.c +@@ -79,9 +79,9 @@ static struct hdac_ext_stream *cl_stream_prepare(struct snd_sof_dev *sdev, unsig + } + + /* +- * first boot sequence has some extra steps. core 0 waits for power +- * status on core 1, so power up core 1 also momentarily, keep it in +- * reset/stall and then turn it off ++ * first boot sequence has some extra steps. ++ * power on all host managed cores and only unstall/run the boot core to boot the ++ * DSP then turn off all non boot cores (if any) is powered on. + */ + static int cl_dsp_init(struct snd_sof_dev *sdev, int stream_tag) + { +@@ -115,7 +115,7 @@ static int cl_dsp_init(struct snd_sof_dev *sdev, int stream_tag) + ((stream_tag - 1) << 9))); + + /* step 3: unset core 0 reset state & unstall/run core 0 */ +- ret = hda_dsp_core_run(sdev, BIT(0)); ++ ret = hda_dsp_core_run(sdev, chip->init_core_mask); + if (ret < 0) { + if (hda->boot_iteration == HDA_FW_BOOT_ATTEMPTS) + dev_err(sdev->dev, +-- +2.35.1 + diff --git a/queue-5.10/asoc-wm5110-fix-dre-control.patch b/queue-5.10/asoc-wm5110-fix-dre-control.patch new file mode 100644 index 00000000000..9324a1c3d16 --- /dev/null +++ b/queue-5.10/asoc-wm5110-fix-dre-control.patch @@ -0,0 +1,56 @@ +From 5a9fc9594902c7f6d69870d631228fe5c3d742cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jun 2022 11:20:39 +0100 +Subject: ASoC: wm5110: Fix DRE control + +From: Charles Keepax + +[ Upstream commit 0bc0ae9a5938d512fd5d44f11c9c04892dcf4961 ] + +The DRE controls on wm5110 should return a value of 1 if the DRE state +is actually changed, update to fix this. + +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20220621102041.1713504-2-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm5110.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/wm5110.c b/sound/soc/codecs/wm5110.c +index 4238929b2375..d0cef982215d 100644 +--- a/sound/soc/codecs/wm5110.c ++++ b/sound/soc/codecs/wm5110.c +@@ -413,6 +413,7 @@ static int wm5110_put_dre(struct snd_kcontrol *kcontrol, + unsigned int rnew = (!!ucontrol->value.integer.value[1]) << mc->rshift; + unsigned int lold, rold; + unsigned int lena, rena; ++ bool change = false; + int ret; + + snd_soc_dapm_mutex_lock(dapm); +@@ -440,8 +441,8 @@ static int wm5110_put_dre(struct snd_kcontrol *kcontrol, + goto err; + } + +- ret = regmap_update_bits(arizona->regmap, ARIZONA_DRE_ENABLE, +- mask, lnew | rnew); ++ ret = regmap_update_bits_check(arizona->regmap, ARIZONA_DRE_ENABLE, ++ mask, lnew | rnew, &change); + if (ret) { + dev_err(arizona->dev, "Failed to set DRE: %d\n", ret); + goto err; +@@ -454,6 +455,9 @@ static int wm5110_put_dre(struct snd_kcontrol *kcontrol, + if (!rnew && rold) + wm5110_clear_pga_volume(arizona, mc->rshift); + ++ if (change) ++ ret = 1; ++ + err: + snd_soc_dapm_mutex_unlock(dapm); + +-- +2.35.1 + diff --git a/queue-5.10/cpufreq-pmac32-cpufreq-fix-refcount-leak-bug.patch b/queue-5.10/cpufreq-pmac32-cpufreq-fix-refcount-leak-bug.patch new file mode 100644 index 00000000000..3500a657945 --- /dev/null +++ b/queue-5.10/cpufreq-pmac32-cpufreq-fix-refcount-leak-bug.patch @@ -0,0 +1,38 @@ +From 92df87984e10e8b50a11850e45749c11951e288c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Jun 2022 10:25:45 +0800 +Subject: cpufreq: pmac32-cpufreq: Fix refcount leak bug + +From: Liang He + +[ Upstream commit ccd7567d4b6cf187fdfa55f003a9e461ee629e36 ] + +In pmac_cpufreq_init_MacRISC3(), we need to add corresponding +of_node_put() for the three node pointers whose refcount have +been incremented by of_find_node_by_name(). + +Signed-off-by: Liang He +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/pmac32-cpufreq.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/cpufreq/pmac32-cpufreq.c b/drivers/cpufreq/pmac32-cpufreq.c +index 73621bc11976..3704476bb83a 100644 +--- a/drivers/cpufreq/pmac32-cpufreq.c ++++ b/drivers/cpufreq/pmac32-cpufreq.c +@@ -471,6 +471,10 @@ static int pmac_cpufreq_init_MacRISC3(struct device_node *cpunode) + if (slew_done_gpio_np) + slew_done_gpio = read_gpio(slew_done_gpio_np); + ++ of_node_put(volt_gpio_np); ++ of_node_put(freq_gpio_np); ++ of_node_put(slew_done_gpio_np); ++ + /* If we use the frequency GPIOs, calculate the min/max speeds based + * on the bus frequencies + */ +-- +2.35.1 + diff --git a/queue-5.10/irqchip-or1k-pic-undefine-mask_ack-for-level-trigger.patch b/queue-5.10/irqchip-or1k-pic-undefine-mask_ack-for-level-trigger.patch new file mode 100644 index 00000000000..0437fef6e25 --- /dev/null +++ b/queue-5.10/irqchip-or1k-pic-undefine-mask_ack-for-level-trigger.patch @@ -0,0 +1,41 @@ +From 7757ff602e3907bd723924a6fb879a22c5571b1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jun 2022 08:54:26 +0900 +Subject: irqchip: or1k-pic: Undefine mask_ack for level triggered hardware + +From: Stafford Horne + +[ Upstream commit 8520501346ed8d1c4a6dfa751cb57328a9c843f1 ] + +The mask_ack operation clears the interrupt by writing to the PICSR +register. This we don't want for level triggered interrupt because +it does not actually clear the interrupt on the source hardware. + +This was causing issues in qemu with multi core setups where +interrupts would continue to fire even though they had been cleared in +PICSR. + +Just remove the mask_ack operation. + +Acked-by: Marc Zyngier +Signed-off-by: Stafford Horne +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-or1k-pic.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/irqchip/irq-or1k-pic.c b/drivers/irqchip/irq-or1k-pic.c +index 03d2366118dd..d5f1fabc45d7 100644 +--- a/drivers/irqchip/irq-or1k-pic.c ++++ b/drivers/irqchip/irq-or1k-pic.c +@@ -66,7 +66,6 @@ static struct or1k_pic_dev or1k_pic_level = { + .name = "or1k-PIC-level", + .irq_unmask = or1k_pic_unmask, + .irq_mask = or1k_pic_mask, +- .irq_mask_ack = or1k_pic_mask_ack, + }, + .handle = handle_level_irq, + .flags = IRQ_LEVEL | IRQ_NOPROBE, +-- +2.35.1 + diff --git a/queue-5.10/net-sfp-fix-memory-leak-in-sfp_probe.patch b/queue-5.10/net-sfp-fix-memory-leak-in-sfp_probe.patch new file mode 100644 index 00000000000..15f50889a68 --- /dev/null +++ b/queue-5.10/net-sfp-fix-memory-leak-in-sfp_probe.patch @@ -0,0 +1,39 @@ +From 127037fbc68d010399291062b66f2c8e2db419dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jun 2022 15:55:50 +0800 +Subject: net: sfp: fix memory leak in sfp_probe() + +From: Jianglei Nie + +[ Upstream commit 0a18d802d65cf662644fd1d369c86d84a5630652 ] + +sfp_probe() allocates a memory chunk from sfp with sfp_alloc(). When +devm_add_action() fails, sfp is not freed, which leads to a memory leak. + +We should use devm_add_action_or_reset() instead of devm_add_action(). + +Signed-off-by: Jianglei Nie +Reviewed-by: Russell King (Oracle) +Link: https://lore.kernel.org/r/20220629075550.2152003-1-niejianglei2021@163.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/phy/sfp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c +index 96068e0d841a..dcbe278086dc 100644 +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -2427,7 +2427,7 @@ static int sfp_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, sfp); + +- err = devm_add_action(sfp->dev, sfp_cleanup, sfp); ++ err = devm_add_action_or_reset(sfp->dev, sfp_cleanup, sfp); + if (err < 0) + return err; + +-- +2.35.1 + diff --git a/queue-5.10/net-tipc-fix-possible-refcount-leak-in-tipc_sk_creat.patch b/queue-5.10/net-tipc-fix-possible-refcount-leak-in-tipc_sk_creat.patch new file mode 100644 index 00000000000..cec4c45790b --- /dev/null +++ b/queue-5.10/net-tipc-fix-possible-refcount-leak-in-tipc_sk_creat.patch @@ -0,0 +1,34 @@ +From 937aeb2734867a90914296deb7ba18a3ca18062c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jun 2022 14:34:18 +0800 +Subject: net: tipc: fix possible refcount leak in tipc_sk_create() + +From: Hangyu Hua + +[ Upstream commit 00aff3590fc0a73bddd3b743863c14e76fd35c0c ] + +Free sk in case tipc_sk_insert() fails. + +Signed-off-by: Hangyu Hua +Reviewed-by: Tung Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/socket.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index 42283dc6c5b7..38256aabf4f1 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -489,6 +489,7 @@ static int tipc_sk_create(struct net *net, struct socket *sock, + sock_init_data(sock, sk); + tipc_set_sk_state(sk, TIPC_OPEN); + if (tipc_sk_insert(tsk)) { ++ sk_free(sk); + pr_warn("Socket create failed; port number exhausted\n"); + return -EINVAL; + } +-- +2.35.1 + diff --git a/queue-5.10/netfilter-br_netfilter-do-not-skip-all-hooks-with-0-.patch b/queue-5.10/netfilter-br_netfilter-do-not-skip-all-hooks-with-0-.patch new file mode 100644 index 00000000000..c4d0408d55c --- /dev/null +++ b/queue-5.10/netfilter-br_netfilter-do-not-skip-all-hooks-with-0-.patch @@ -0,0 +1,104 @@ +From ed1ccfd04b8341c15b2187adc27a5c7dd9eb9a9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jun 2022 18:26:03 +0200 +Subject: netfilter: br_netfilter: do not skip all hooks with 0 priority + +From: Florian Westphal + +[ Upstream commit c2577862eeb0be94f151f2f1fff662b028061b00 ] + +When br_netfilter module is loaded, skbs may be diverted to the +ipv4/ipv6 hooks, just like as if we were routing. + +Unfortunately, bridge filter hooks with priority 0 may be skipped +in this case. + +Example: +1. an nftables bridge ruleset is loaded, with a prerouting + hook that has priority 0. +2. interface is added to the bridge. +3. no tcp packet is ever seen by the bridge prerouting hook. +4. flush the ruleset +5. load the bridge ruleset again. +6. tcp packets are processed as expected. + +After 1) the only registered hook is the bridge prerouting hook, but its +not called yet because the bridge hasn't been brought up yet. + +After 2), hook order is: + 0 br_nf_pre_routing // br_netfilter internal hook + 0 chain bridge f prerouting // nftables bridge ruleset + +The packet is diverted to br_nf_pre_routing. +If call-iptables is off, the nftables bridge ruleset is called as expected. + +But if its enabled, br_nf_hook_thresh() will skip it because it assumes +that all 0-priority hooks had been called previously in bridge context. + +To avoid this, check for the br_nf_pre_routing hook itself, we need to +resume directly after it, even if this hook has a priority of 0. + +Unfortunately, this still results in different packet flow. +With this fix, the eval order after in 3) is: +1. br_nf_pre_routing +2. ip(6)tables (if enabled) +3. nftables bridge + +but after 5 its the much saner: +1. nftables bridge +2. br_nf_pre_routing +3. ip(6)tables (if enabled) + +Unfortunately I don't see a solution here: +It would be possible to move br_nf_pre_routing to a higher priority +so that it will be called later in the pipeline, but this also impacts +ebtables evaluation order, and would still result in this very ordering +problem for all nftables-bridge hooks with the same priority as the +br_nf_pre_routing one. + +Searching back through the git history I don't think this has +ever behaved in any other way, hence, no fixes-tag. + +Reported-by: Radim Hrazdil +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/bridge/br_netfilter_hooks.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 68c0d0f92890..10a2c7bca719 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -1012,9 +1012,24 @@ int br_nf_hook_thresh(unsigned int hook, struct net *net, + return okfn(net, sk, skb); + + ops = nf_hook_entries_get_hook_ops(e); +- for (i = 0; i < e->num_hook_entries && +- ops[i]->priority <= NF_BR_PRI_BRNF; i++) +- ; ++ for (i = 0; i < e->num_hook_entries; i++) { ++ /* These hooks have already been called */ ++ if (ops[i]->priority < NF_BR_PRI_BRNF) ++ continue; ++ ++ /* These hooks have not been called yet, run them. */ ++ if (ops[i]->priority > NF_BR_PRI_BRNF) ++ break; ++ ++ /* take a closer look at NF_BR_PRI_BRNF. */ ++ if (ops[i]->hook == br_nf_pre_routing) { ++ /* This hook diverted the skb to this function, ++ * hooks after this have not been run yet. ++ */ ++ i++; ++ break; ++ } ++ } + + nf_hook_state_init(&state, hook, NFPROTO_BRIDGE, indev, outdev, + sk, net, okfn); +-- +2.35.1 + diff --git a/queue-5.10/nfc-nxp-nci-don-t-print-header-length-mismatch-on-i2.patch b/queue-5.10/nfc-nxp-nci-don-t-print-header-length-mismatch-on-i2.patch new file mode 100644 index 00000000000..2a79d6433c7 --- /dev/null +++ b/queue-5.10/nfc-nxp-nci-don-t-print-header-length-mismatch-on-i2.patch @@ -0,0 +1,50 @@ +From f4dd0b3810eb2ffb386d63f763570279b7b2ba0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jun 2022 19:06:43 +0200 +Subject: NFC: nxp-nci: don't print header length mismatch on i2c error + +From: Michael Walle + +[ Upstream commit 9577fc5fdc8b07b891709af6453545db405e24ad ] + +Don't print a misleading header length mismatch error if the i2c call +returns an error. Instead just return the error code without any error +message. + +Signed-off-by: Michael Walle +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/nxp-nci/i2c.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/nfc/nxp-nci/i2c.c b/drivers/nfc/nxp-nci/i2c.c +index 3943a30053b3..f426dcdfcdd6 100644 +--- a/drivers/nfc/nxp-nci/i2c.c ++++ b/drivers/nfc/nxp-nci/i2c.c +@@ -122,7 +122,9 @@ static int nxp_nci_i2c_fw_read(struct nxp_nci_i2c_phy *phy, + skb_put_data(*skb, &header, NXP_NCI_FW_HDR_LEN); + + r = i2c_master_recv(client, skb_put(*skb, frame_len), frame_len); +- if (r != frame_len) { ++ if (r < 0) { ++ goto fw_read_exit_free_skb; ++ } else if (r != frame_len) { + nfc_err(&client->dev, + "Invalid frame length: %u (expected %zu)\n", + r, frame_len); +@@ -166,7 +168,9 @@ static int nxp_nci_i2c_nci_read(struct nxp_nci_i2c_phy *phy, + return 0; + + r = i2c_master_recv(client, skb_put(*skb, header.plen), header.plen); +- if (r != header.plen) { ++ if (r < 0) { ++ goto nci_read_exit_free_skb; ++ } else if (r != header.plen) { + nfc_err(&client->dev, + "Invalid frame payload length: %u (expected %u)\n", + r, header.plen); +-- +2.35.1 + diff --git a/queue-5.10/nvme-fix-regression-when-disconnect-a-recovering-ctr.patch b/queue-5.10/nvme-fix-regression-when-disconnect-a-recovering-ctr.patch new file mode 100644 index 00000000000..4fecd420304 --- /dev/null +++ b/queue-5.10/nvme-fix-regression-when-disconnect-a-recovering-ctr.patch @@ -0,0 +1,143 @@ +From 86a253f9221d8bc16d81b6823c86c4a610f818bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jun 2022 14:45:39 +0800 +Subject: nvme: fix regression when disconnect a recovering ctrl + +From: Ruozhu Li + +[ Upstream commit f7f70f4aa09dc43d7455c060143e86a017c30548 ] + +We encountered a problem that the disconnect command hangs. +After analyzing the log and stack, we found that the triggering +process is as follows: +CPU0 CPU1 + nvme_rdma_error_recovery_work + nvme_rdma_teardown_io_queues +nvme_do_delete_ctrl nvme_stop_queues + nvme_remove_namespaces + --clear ctrl->namespaces + nvme_start_queues + --no ns in ctrl->namespaces + nvme_ns_remove return(because ctrl is deleting) + blk_freeze_queue + blk_mq_freeze_queue_wait + --wait for ns to unquiesce to clean infligt IO, hang forever + +This problem was not found in older kernels because we will flush +err work in nvme_stop_ctrl before nvme_remove_namespaces.It does not +seem to be modified for functional reasons, the patch can be revert +to solve the problem. + +Revert commit 794a4cb3d2f7 ("nvme: remove the .stop_ctrl callout") + +Signed-off-by: Ruozhu Li +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 2 ++ + drivers/nvme/host/nvme.h | 1 + + drivers/nvme/host/rdma.c | 12 +++++++++--- + drivers/nvme/host/tcp.c | 10 +++++++--- + 4 files changed, 19 insertions(+), 6 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index af2902d70b19..ab060b4911ff 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -4460,6 +4460,8 @@ void nvme_stop_ctrl(struct nvme_ctrl *ctrl) + nvme_stop_keep_alive(ctrl); + flush_work(&ctrl->async_event_work); + cancel_work_sync(&ctrl->fw_act_work); ++ if (ctrl->ops->stop_ctrl) ++ ctrl->ops->stop_ctrl(ctrl); + } + EXPORT_SYMBOL_GPL(nvme_stop_ctrl); + +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index 8e40a6306e53..58cf9e39d613 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -478,6 +478,7 @@ struct nvme_ctrl_ops { + void (*free_ctrl)(struct nvme_ctrl *ctrl); + void (*submit_async_event)(struct nvme_ctrl *ctrl); + void (*delete_ctrl)(struct nvme_ctrl *ctrl); ++ void (*stop_ctrl)(struct nvme_ctrl *ctrl); + int (*get_address)(struct nvme_ctrl *ctrl, char *buf, int size); + }; + +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index 8eacc9bd58f5..b61924394032 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -1057,6 +1057,14 @@ static void nvme_rdma_teardown_io_queues(struct nvme_rdma_ctrl *ctrl, + } + } + ++static void nvme_rdma_stop_ctrl(struct nvme_ctrl *nctrl) ++{ ++ struct nvme_rdma_ctrl *ctrl = to_rdma_ctrl(nctrl); ++ ++ cancel_work_sync(&ctrl->err_work); ++ cancel_delayed_work_sync(&ctrl->reconnect_work); ++} ++ + static void nvme_rdma_free_ctrl(struct nvme_ctrl *nctrl) + { + struct nvme_rdma_ctrl *ctrl = to_rdma_ctrl(nctrl); +@@ -2236,9 +2244,6 @@ static const struct blk_mq_ops nvme_rdma_admin_mq_ops = { + + static void nvme_rdma_shutdown_ctrl(struct nvme_rdma_ctrl *ctrl, bool shutdown) + { +- cancel_work_sync(&ctrl->err_work); +- cancel_delayed_work_sync(&ctrl->reconnect_work); +- + nvme_rdma_teardown_io_queues(ctrl, shutdown); + blk_mq_quiesce_queue(ctrl->ctrl.admin_q); + if (shutdown) +@@ -2288,6 +2293,7 @@ static const struct nvme_ctrl_ops nvme_rdma_ctrl_ops = { + .submit_async_event = nvme_rdma_submit_async_event, + .delete_ctrl = nvme_rdma_delete_ctrl, + .get_address = nvmf_get_address, ++ .stop_ctrl = nvme_rdma_stop_ctrl, + }; + + /* +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index d5e162f2c23a..fe8c27bbc3f2 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -2135,9 +2135,6 @@ static void nvme_tcp_error_recovery_work(struct work_struct *work) + + static void nvme_tcp_teardown_ctrl(struct nvme_ctrl *ctrl, bool shutdown) + { +- cancel_work_sync(&to_tcp_ctrl(ctrl)->err_work); +- cancel_delayed_work_sync(&to_tcp_ctrl(ctrl)->connect_work); +- + nvme_tcp_teardown_io_queues(ctrl, shutdown); + blk_mq_quiesce_queue(ctrl->admin_q); + if (shutdown) +@@ -2177,6 +2174,12 @@ static void nvme_reset_ctrl_work(struct work_struct *work) + nvme_tcp_reconnect_or_remove(ctrl); + } + ++static void nvme_tcp_stop_ctrl(struct nvme_ctrl *ctrl) ++{ ++ cancel_work_sync(&to_tcp_ctrl(ctrl)->err_work); ++ cancel_delayed_work_sync(&to_tcp_ctrl(ctrl)->connect_work); ++} ++ + static void nvme_tcp_free_ctrl(struct nvme_ctrl *nctrl) + { + struct nvme_tcp_ctrl *ctrl = to_tcp_ctrl(nctrl); +@@ -2499,6 +2502,7 @@ static const struct nvme_ctrl_ops nvme_tcp_ctrl_ops = { + .submit_async_event = nvme_tcp_submit_async_event, + .delete_ctrl = nvme_tcp_delete_ctrl, + .get_address = nvmf_get_address, ++ .stop_ctrl = nvme_tcp_stop_ctrl, + }; + + static bool +-- +2.35.1 + diff --git a/queue-5.10/nvme-pci-phison-e16-has-bogus-namespace-ids.patch b/queue-5.10/nvme-pci-phison-e16-has-bogus-namespace-ids.patch new file mode 100644 index 00000000000..7c86993a302 --- /dev/null +++ b/queue-5.10/nvme-pci-phison-e16-has-bogus-namespace-ids.patch @@ -0,0 +1,38 @@ +From c800281fe0c65bfe0fea612d3bec2b944828632e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jul 2022 10:21:02 -0700 +Subject: nvme-pci: phison e16 has bogus namespace ids + +From: Keith Busch + +[ Upstream commit 73029c9b23cf1213e5f54c2b59efce08665199e7 ] + +Add the quirk. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216049 +Reported-by: Chris Egolf +Signed-off-by: Keith Busch +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 3622c5c9515f..ce129655ef0a 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3234,7 +3234,8 @@ static const struct pci_device_id nvme_id_table[] = { + NVME_QUIRK_DISABLE_WRITE_ZEROES| + NVME_QUIRK_IGNORE_DEV_SUBNQN, }, + { PCI_DEVICE(0x1987, 0x5016), /* Phison E16 */ +- .driver_data = NVME_QUIRK_IGNORE_DEV_SUBNQN, }, ++ .driver_data = NVME_QUIRK_IGNORE_DEV_SUBNQN | ++ NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x1b4b, 0x1092), /* Lexar 256 GB SSD */ + .driver_data = NVME_QUIRK_NO_NS_DESC_LIST | + NVME_QUIRK_IGNORE_DEV_SUBNQN, }, +-- +2.35.1 + diff --git a/queue-5.10/nvme-tcp-always-fail-a-request-when-sending-it-faile.patch b/queue-5.10/nvme-tcp-always-fail-a-request-when-sending-it-faile.patch new file mode 100644 index 00000000000..a3ecfb2a1c6 --- /dev/null +++ b/queue-5.10/nvme-tcp-always-fail-a-request-when-sending-it-faile.patch @@ -0,0 +1,45 @@ +From c6863feaac29d6cb800ed1a2810a23417f5f24ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Jun 2022 12:24:51 +0300 +Subject: nvme-tcp: always fail a request when sending it failed + +From: Sagi Grimberg + +[ Upstream commit 41d07df7de841bfbc32725ce21d933ad358f2844 ] + +queue stoppage and inflight requests cancellation is fully fenced from +io_work and thus failing a request from this context. Hence we don't +need to try to guess from the socket retcode if this failure is because +the queue is about to be torn down or not. + +We are perfectly safe to just fail it, the request will not be cancelled +later on. + +This solves possible very long shutdown delays when the users issues a +'nvme disconnect-all' + +Reported-by: Daniel Wagner +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/tcp.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 7e3932033707..d5e162f2c23a 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -1149,8 +1149,7 @@ static int nvme_tcp_try_send(struct nvme_tcp_queue *queue) + } else if (ret < 0) { + dev_err(queue->ctrl->ctrl.device, + "failed to send request %d\n", ret); +- if (ret != -EPIPE && ret != -ECONNRESET) +- nvme_tcp_fail_request(queue->request); ++ nvme_tcp_fail_request(queue->request); + nvme_tcp_done_send_req(queue); + } + return ret; +-- +2.35.1 + diff --git a/queue-5.10/pinctrl-aspeed-fix-potential-null-dereference-in-asp.patch b/queue-5.10/pinctrl-aspeed-fix-potential-null-dereference-in-asp.patch new file mode 100644 index 00000000000..6877ddb7250 --- /dev/null +++ b/queue-5.10/pinctrl-aspeed-fix-potential-null-dereference-in-asp.patch @@ -0,0 +1,42 @@ +From 20c6a4efeebc71e8595492e787c1c3846b525ebf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Apr 2022 10:26:59 +0800 +Subject: pinctrl: aspeed: Fix potential NULL dereference in + aspeed_pinmux_set_mux() + +From: Haowen Bai + +[ Upstream commit 84a85d3fef2e75b1fe9fc2af6f5267122555a1ed ] + +pdesc could be null but still dereference pdesc->name and it will lead to +a null pointer access. So we move a null check before dereference. + +Signed-off-by: Haowen Bai +Link: https://lore.kernel.org/r/1650508019-22554-1-git-send-email-baihaowen@meizu.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/aspeed/pinctrl-aspeed.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pinctrl/aspeed/pinctrl-aspeed.c b/drivers/pinctrl/aspeed/pinctrl-aspeed.c +index 9c65d560d48f..e792318c3894 100644 +--- a/drivers/pinctrl/aspeed/pinctrl-aspeed.c ++++ b/drivers/pinctrl/aspeed/pinctrl-aspeed.c +@@ -235,11 +235,11 @@ int aspeed_pinmux_set_mux(struct pinctrl_dev *pctldev, unsigned int function, + const struct aspeed_sig_expr **funcs; + const struct aspeed_sig_expr ***prios; + +- pr_debug("Muxing pin %s for %s\n", pdesc->name, pfunc->name); +- + if (!pdesc) + return -EINVAL; + ++ pr_debug("Muxing pin %s for %s\n", pdesc->name, pfunc->name); ++ + prios = pdesc->prios; + + if (!prios) +-- +2.35.1 + diff --git a/queue-5.10/platform-x86-hp-wmi-ignore-sanitization-mode-event.patch b/queue-5.10/platform-x86-hp-wmi-ignore-sanitization-mode-event.patch new file mode 100644 index 00000000000..30a98837d19 --- /dev/null +++ b/queue-5.10/platform-x86-hp-wmi-ignore-sanitization-mode-event.patch @@ -0,0 +1,49 @@ +From d04b6232bb93145e33e68a9f5bf50679585cc761 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jun 2022 20:37:26 +0800 +Subject: platform/x86: hp-wmi: Ignore Sanitization Mode event + +From: Kai-Heng Feng + +[ Upstream commit 9ab762a84b8094540c18a170e5ddd6488632c456 ] + +After system resume the hp-wmi driver may complain: +[ 702.620180] hp_wmi: Unknown event_id - 23 - 0x0 + +According to HP it means 'Sanitization Mode' and it's harmless to just +ignore the event. + +Cc: Jorge Lopez +Signed-off-by: Kai-Heng Feng +Link: https://lore.kernel.org/r/20220628123726.250062-1-kai.heng.feng@canonical.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/hp-wmi.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c +index e94e59283ecb..012639f6d335 100644 +--- a/drivers/platform/x86/hp-wmi.c ++++ b/drivers/platform/x86/hp-wmi.c +@@ -62,6 +62,7 @@ enum hp_wmi_event_ids { + HPWMI_BACKLIT_KB_BRIGHTNESS = 0x0D, + HPWMI_PEAKSHIFT_PERIOD = 0x0F, + HPWMI_BATTERY_CHARGE_PERIOD = 0x10, ++ HPWMI_SANITIZATION_MODE = 0x17, + }; + + struct bios_args { +@@ -629,6 +630,8 @@ static void hp_wmi_notify(u32 value, void *context) + break; + case HPWMI_BATTERY_CHARGE_PERIOD: + break; ++ case HPWMI_SANITIZATION_MODE: ++ break; + default: + pr_info("Unknown event_id - %d - 0x%x\n", event_id, event_data); + break; +-- +2.35.1 + diff --git a/queue-5.10/revert-can-xilinx_can-limit-canfd-brp-to-2.patch b/queue-5.10/revert-can-xilinx_can-limit-canfd-brp-to-2.patch new file mode 100644 index 00000000000..95de807451e --- /dev/null +++ b/queue-5.10/revert-can-xilinx_can-limit-canfd-brp-to-2.patch @@ -0,0 +1,48 @@ +From 7fe063cc12f6f6dc53f19607a5b4c6a4d86d4aeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jun 2022 13:54:32 +0530 +Subject: Revert "can: xilinx_can: Limit CANFD brp to 2" + +From: Srinivas Neeli + +[ Upstream commit c6da4590fe819dfe28a4f8037a8dc1e056542fb4 ] + +This reverts commit 05ca14fdb6fe65614e0652d03e44b02748d25af7. + +On early silicon engineering samples observed bit shrinking issue when +we use brp as 1. Hence updated brp_min as 2. As in production silicon +this issue is fixed, so reverting the patch. + +Link: https://lore.kernel.org/all/20220609082433.1191060-2-srinivas.neeli@xilinx.com +Signed-off-by: Srinivas Neeli +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/xilinx_can.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c +index 1c42417810fc..1a3fba352cad 100644 +--- a/drivers/net/can/xilinx_can.c ++++ b/drivers/net/can/xilinx_can.c +@@ -259,7 +259,7 @@ static const struct can_bittiming_const xcan_bittiming_const_canfd2 = { + .tseg2_min = 1, + .tseg2_max = 128, + .sjw_max = 128, +- .brp_min = 2, ++ .brp_min = 1, + .brp_max = 256, + .brp_inc = 1, + }; +@@ -272,7 +272,7 @@ static const struct can_bittiming_const xcan_data_bittiming_const_canfd2 = { + .tseg2_min = 1, + .tseg2_max = 16, + .sjw_max = 16, +- .brp_min = 2, ++ .brp_min = 1, + .brp_max = 256, + .brp_inc = 1, + }; +-- +2.35.1 + diff --git a/queue-5.10/scsi-hisi_sas-limit-max-hw-sectors-for-v3-hw.patch b/queue-5.10/scsi-hisi_sas-limit-max-hw-sectors-for-v3-hw.patch new file mode 100644 index 00000000000..64e2f49036d --- /dev/null +++ b/queue-5.10/scsi-hisi_sas-limit-max-hw-sectors-for-v3-hw.patch @@ -0,0 +1,53 @@ +From a751e82c26bdf79bf02aa94bb3ac810b3092ab10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jun 2022 20:41:59 +0800 +Subject: scsi: hisi_sas: Limit max hw sectors for v3 HW + +From: John Garry + +[ Upstream commit fce54ed027577517df1e74b7d54dc2b1bd536887 ] + +If the controller is behind an IOMMU then the IOMMU IOVA caching range can +affect performance, as discussed in [0]. + +Limit the max HW sectors to not exceed this limit. We need to hardcode the +value until a proper DMA mapping API is available. + +[0] https://lore.kernel.org/linux-iommu/20210129092120.1482-1-thunder.leizhen@huawei.com/ + +Link: https://lore.kernel.org/r/1655988119-223714-1-git-send-email-john.garry@huawei.com +Signed-off-by: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +index cd41dc061d87..dfe7e6370d84 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +@@ -2738,6 +2738,7 @@ static int slave_configure_v3_hw(struct scsi_device *sdev) + struct hisi_hba *hisi_hba = shost_priv(shost); + struct device *dev = hisi_hba->dev; + int ret = sas_slave_configure(sdev); ++ unsigned int max_sectors; + + if (ret) + return ret; +@@ -2755,6 +2756,12 @@ static int slave_configure_v3_hw(struct scsi_device *sdev) + } + } + ++ /* Set according to IOMMU IOVA caching limit */ ++ max_sectors = min_t(size_t, queue_max_hw_sectors(sdev->request_queue), ++ (PAGE_SIZE * 32) >> SECTOR_SHIFT); ++ ++ blk_queue_max_hw_sectors(sdev->request_queue, max_sectors); ++ + return 0; + } + +-- +2.35.1 + diff --git a/queue-5.10/series b/queue-5.10/series index 9b63b134613..faa534acc22 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -74,3 +74,29 @@ net-atlantic-remove-aq_nic_deinit-when-resume.patch kvm-x86-fully-initialize-struct-kvm_lapic_irq-in-kvm.patch net-tls-check-for-errors-in-tls_device_init.patch mm-sysctl-fix-missing-numa_stat-when-config_hugetlb_.patch +virtio_mmio-add-missing-pm-calls-to-freeze-restore.patch +virtio_mmio-restore-guest-page-size-on-resume.patch +netfilter-br_netfilter-do-not-skip-all-hooks-with-0-.patch +scsi-hisi_sas-limit-max-hw-sectors-for-v3-hw.patch +cpufreq-pmac32-cpufreq-fix-refcount-leak-bug.patch +platform-x86-hp-wmi-ignore-sanitization-mode-event.patch +net-tipc-fix-possible-refcount-leak-in-tipc_sk_creat.patch +nfc-nxp-nci-don-t-print-header-length-mismatch-on-i2.patch +nvme-tcp-always-fail-a-request-when-sending-it-faile.patch +nvme-fix-regression-when-disconnect-a-recovering-ctr.patch +net-sfp-fix-memory-leak-in-sfp_probe.patch +asoc-ops-fix-off-by-one-in-range-control-validation.patch +pinctrl-aspeed-fix-potential-null-dereference-in-asp.patch +asoc-sof-intel-hda-loader-clarify-the-cl_dsp_init-fl.patch +asoc-wm5110-fix-dre-control.patch +asoc-dapm-initialise-kcontrol-data-for-mux-demux-con.patch +asoc-cs47l15-fix-event-generation-for-low-power-mux-.patch +asoc-madera-fix-event-generation-for-out1-demux.patch +asoc-madera-fix-event-generation-for-rate-controls.patch +irqchip-or1k-pic-undefine-mask_ack-for-level-trigger.patch +x86-clear-.brk-area-at-early-boot.patch +soc-ixp4xx-npe-fix-unused-match-warning.patch +arm-dts-stm32-use-the-correct-clock-source-for-cec-o.patch +revert-can-xilinx_can-limit-canfd-brp-to-2.patch +nvme-pci-phison-e16-has-bogus-namespace-ids.patch +signal-handling-don-t-use-bug_on-for-debugging.patch diff --git a/queue-5.10/signal-handling-don-t-use-bug_on-for-debugging.patch b/queue-5.10/signal-handling-don-t-use-bug_on-for-debugging.patch new file mode 100644 index 00000000000..a4be04664b1 --- /dev/null +++ b/queue-5.10/signal-handling-don-t-use-bug_on-for-debugging.patch @@ -0,0 +1,54 @@ +From 734cd4edcd6ebbc015ddfcaab9d0e6958fe278cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Jul 2022 12:20:59 -0700 +Subject: signal handling: don't use BUG_ON() for debugging + +From: Linus Torvalds + +[ Upstream commit a382f8fee42ca10c9bfce0d2352d4153f931f5dc ] + +These are indeed "should not happen" situations, but it turns out recent +changes made the 'task_is_stopped_or_trace()' case trigger (fix for that +exists, is pending more testing), and the BUG_ON() makes it +unnecessarily hard to actually debug for no good reason. + +It's been that way for a long time, but let's make it clear: BUG_ON() is +not good for debugging, and should never be used in situations where you +could just say "this shouldn't happen, but we can continue". + +Use WARN_ON_ONCE() instead to make sure it gets logged, and then just +continue running. Instead of making the system basically unusuable +because you crashed the machine while potentially holding some very core +locks (eg this function is commonly called while holding 'tasklist_lock' +for writing). + +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/signal.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/kernel/signal.c b/kernel/signal.c +index 6bb2df4f6109..d05f783d5a5e 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -1912,12 +1912,12 @@ bool do_notify_parent(struct task_struct *tsk, int sig) + bool autoreap = false; + u64 utime, stime; + +- BUG_ON(sig == -1); ++ WARN_ON_ONCE(sig == -1); + +- /* do_notify_parent_cldstop should have been called instead. */ +- BUG_ON(task_is_stopped_or_traced(tsk)); ++ /* do_notify_parent_cldstop should have been called instead. */ ++ WARN_ON_ONCE(task_is_stopped_or_traced(tsk)); + +- BUG_ON(!tsk->ptrace && ++ WARN_ON_ONCE(!tsk->ptrace && + (tsk->group_leader != tsk || !thread_group_empty(tsk))); + + /* Wake up all pidfd waiters */ +-- +2.35.1 + diff --git a/queue-5.10/soc-ixp4xx-npe-fix-unused-match-warning.patch b/queue-5.10/soc-ixp4xx-npe-fix-unused-match-warning.patch new file mode 100644 index 00000000000..58266e0ea85 --- /dev/null +++ b/queue-5.10/soc-ixp4xx-npe-fix-unused-match-warning.patch @@ -0,0 +1,45 @@ +From fecc6d603e259aab9d022aad22cc4dedbe20e4cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Jun 2022 09:43:15 +0200 +Subject: soc: ixp4xx/npe: Fix unused match warning + +From: Linus Walleij + +[ Upstream commit 620f83b8326ce9706b1118334f0257ae028ce045 ] + +The kernel test robot found this inconsistency: + + drivers/soc/ixp4xx/ixp4xx-npe.c:737:34: warning: + 'ixp4xx_npe_of_match' defined but not used [-Wunused-const-variable=] + 737 | static const struct of_device_id ixp4xx_npe_of_match[] = { + +This is because the match is enclosed in the of_match_ptr() +which compiles into NULL when OF is disabled and this +is unnecessary. + +Fix it by dropping of_match_ptr() around the match. + +Signed-off-by: Linus Walleij +Link: https://lore.kernel.org/r/20220626074315.61209-1-linus.walleij@linaro.org' +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + drivers/soc/ixp4xx/ixp4xx-npe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/ixp4xx/ixp4xx-npe.c b/drivers/soc/ixp4xx/ixp4xx-npe.c +index 6065aaab6740..8482a4892b83 100644 +--- a/drivers/soc/ixp4xx/ixp4xx-npe.c ++++ b/drivers/soc/ixp4xx/ixp4xx-npe.c +@@ -735,7 +735,7 @@ static const struct of_device_id ixp4xx_npe_of_match[] = { + static struct platform_driver ixp4xx_npe_driver = { + .driver = { + .name = "ixp4xx-npe", +- .of_match_table = of_match_ptr(ixp4xx_npe_of_match), ++ .of_match_table = ixp4xx_npe_of_match, + }, + .probe = ixp4xx_npe_probe, + .remove = ixp4xx_npe_remove, +-- +2.35.1 + diff --git a/queue-5.10/virtio_mmio-add-missing-pm-calls-to-freeze-restore.patch b/queue-5.10/virtio_mmio-add-missing-pm-calls-to-freeze-restore.patch new file mode 100644 index 00000000000..e7184f8d610 --- /dev/null +++ b/queue-5.10/virtio_mmio-add-missing-pm-calls-to-freeze-restore.patch @@ -0,0 +1,81 @@ +From cb07c94ea8bc4fc4e6e23c9df122c1fb9ded5e57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jun 2022 13:06:20 +0200 +Subject: virtio_mmio: Add missing PM calls to freeze/restore + +From: Stephan Gerhold + +[ Upstream commit ed7ac37fde33ccd84e4bd2b9363c191f925364c7 ] + +Most virtio drivers provide freeze/restore callbacks to finish up +device usage before suspend and to reinitialize the virtio device after +resume. However, these callbacks are currently only called when using +virtio_pci. virtio_mmio does not have any PM ops defined. + +This causes problems for example after suspend to disk (hibernation), +since the virtio devices might lose their state after the VMM is +restarted. Calling virtio_device_freeze()/restore() ensures that +the virtio devices are re-initialized correctly. + +Fix this by implementing the dev_pm_ops for virtio_mmio, +similar to virtio_pci_common. + +Signed-off-by: Stephan Gerhold +Message-Id: <20220621110621.3638025-2-stephan.gerhold@kernkonzept.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/virtio/virtio_mmio.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c +index 5c970e6f664c..7dec1418bf7c 100644 +--- a/drivers/virtio/virtio_mmio.c ++++ b/drivers/virtio/virtio_mmio.c +@@ -62,6 +62,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -543,6 +544,25 @@ static const struct virtio_config_ops virtio_mmio_config_ops = { + .get_shm_region = vm_get_shm_region, + }; + ++#ifdef CONFIG_PM_SLEEP ++static int virtio_mmio_freeze(struct device *dev) ++{ ++ struct virtio_mmio_device *vm_dev = dev_get_drvdata(dev); ++ ++ return virtio_device_freeze(&vm_dev->vdev); ++} ++ ++static int virtio_mmio_restore(struct device *dev) ++{ ++ struct virtio_mmio_device *vm_dev = dev_get_drvdata(dev); ++ ++ return virtio_device_restore(&vm_dev->vdev); ++} ++ ++static const struct dev_pm_ops virtio_mmio_pm_ops = { ++ SET_SYSTEM_SLEEP_PM_OPS(virtio_mmio_freeze, virtio_mmio_restore) ++}; ++#endif + + static void virtio_mmio_release_dev(struct device *_d) + { +@@ -787,6 +807,9 @@ static struct platform_driver virtio_mmio_driver = { + .name = "virtio-mmio", + .of_match_table = virtio_mmio_match, + .acpi_match_table = ACPI_PTR(virtio_mmio_acpi_match), ++#ifdef CONFIG_PM_SLEEP ++ .pm = &virtio_mmio_pm_ops, ++#endif + }, + }; + +-- +2.35.1 + diff --git a/queue-5.10/virtio_mmio-restore-guest-page-size-on-resume.patch b/queue-5.10/virtio_mmio-restore-guest-page-size-on-resume.patch new file mode 100644 index 00000000000..5f74ebb1cbd --- /dev/null +++ b/queue-5.10/virtio_mmio-restore-guest-page-size-on-resume.patch @@ -0,0 +1,44 @@ +From 3c3a8536d07897c37c6d7f798262a050c9ca663c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jun 2022 13:06:21 +0200 +Subject: virtio_mmio: Restore guest page size on resume + +From: Stephan Gerhold + +[ Upstream commit e0c2ce8217955537dd5434baeba061f209797119 ] + +Virtio devices might lose their state when the VMM is restarted +after a suspend to disk (hibernation) cycle. This means that the +guest page size register must be restored for the virtio_mmio legacy +interface, since otherwise the virtio queues are not functional. + +This is particularly problematic for QEMU that currently still defaults +to using the legacy interface for virtio_mmio. Write the guest page +size register again in virtio_mmio_restore() to make legacy virtio_mmio +devices work correctly after hibernation. + +Signed-off-by: Stephan Gerhold +Message-Id: <20220621110621.3638025-3-stephan.gerhold@kernkonzept.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/virtio/virtio_mmio.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c +index 7dec1418bf7c..e8ef0c66e558 100644 +--- a/drivers/virtio/virtio_mmio.c ++++ b/drivers/virtio/virtio_mmio.c +@@ -556,6 +556,9 @@ static int virtio_mmio_restore(struct device *dev) + { + struct virtio_mmio_device *vm_dev = dev_get_drvdata(dev); + ++ if (vm_dev->version == 1) ++ writel(PAGE_SIZE, vm_dev->base + VIRTIO_MMIO_GUEST_PAGE_SIZE); ++ + return virtio_device_restore(&vm_dev->vdev); + } + +-- +2.35.1 + diff --git a/queue-5.10/x86-clear-.brk-area-at-early-boot.patch b/queue-5.10/x86-clear-.brk-area-at-early-boot.patch new file mode 100644 index 00000000000..305f7b23cd2 --- /dev/null +++ b/queue-5.10/x86-clear-.brk-area-at-early-boot.patch @@ -0,0 +1,43 @@ +From 34bc88081fd241260073352f576dfba9427bbfc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jun 2022 09:14:40 +0200 +Subject: x86: Clear .brk area at early boot + +From: Juergen Gross + +[ Upstream commit 38fa5479b41376dc9d7f57e71c83514285a25ca0 ] + +The .brk section has the same properties as .bss: it is an alloc-only +section and should be cleared before being used. + +Not doing so is especially a problem for Xen PV guests, as the +hypervisor will validate page tables (check for writable page tables +and hypervisor private bits) before accepting them to be used. + +Make sure .brk is initially zero by letting clear_bss() clear the brk +area, too. + +Signed-off-by: Juergen Gross +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/r/20220630071441.28576-3-jgross@suse.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/head64.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c +index 05e117137b45..efe13ab366f4 100644 +--- a/arch/x86/kernel/head64.c ++++ b/arch/x86/kernel/head64.c +@@ -419,6 +419,8 @@ static void __init clear_bss(void) + { + memset(__bss_start, 0, + (unsigned long) __bss_stop - (unsigned long) __bss_start); ++ memset(__brk_base, 0, ++ (unsigned long) __brk_limit - (unsigned long) __brk_base); + } + + static unsigned long get_cmd_line_ptr(void) +-- +2.35.1 + -- 2.47.3