From b48228861ed3d2110bc4ea3f11b39821958bb3ff Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 9 Jun 2022 09:40:31 -0400 Subject: [PATCH] Fixes for 5.17 Signed-off-by: Sasha Levin --- ...te-loop-found-by-xfstest-generic-676.patch | 65 + ...-fix-possible-memory-leak-in-amt_rcv.patch | 38 + ...x-return-value-of-amt_update_handler.patch | 38 + ...st2600-evb-enable-rx-delay-for-mac0-.patch | 51 + ...-jump-labels-before-setup_machine_fd.patch | 93 ++ ...l_sai-fix-fsl_sai_xdr-xfr-definition.patch | 40 + ...25-fix-ax25-session-cleanup-problems.patch | 184 +++ ...date-io_ticks-with-passthrough-reque.patch | 44 + ...t-touch-tagset-in-blk_mq_get_sq_hctx.patch | 58 + ...t_exit-fully-resilient-against-being.patch | 42 + ...nation-bvec-offsets-into-account-in-.patch | 46 + ...eue_enter-instead-of-blk_queue_enter.patch | 37 + ...use-bitmaps-for-random-flag-accesses.patch | 295 ++++ ...nc-fix-attempting-to-suspend-with-un.patch | 145 ++ ...dd-conditions-for-setting-hci_conn_f.patch | 61 + ...-probe-read-error-in-___bpf_prog_run.patch | 95 ++ ...c-fix-warnings-for-unbind-for-serial.patch | 45 + ...ers-oxnas-rps-fix-irq_of_parse_and_m.patch | 38 + ...ers-riscv-events-are-stopped-during-.patch | 40 + ...bug-replace-mutex-with-mutex_trylock.patch | 64 + ...se-fix-uaf-when-driver_attach-failed.patch | 48 + ...core-fix-deadlock-in-__device_attach.patch | 79 + ...wait_for_device_probe-deferred_probe.patch | 107 ++ ...ff-by-one-in-dm_dmub_outbox1_low_irq.patch | 37 + ...s-clear-mask-bits-to-disable-interru.patch | 81 + ...teproc-mediatek-make-l1tcm-reg-exclu.patch | 111 ++ ...not-return-the-address-of-the-freed-.patch | 54 + ...g-handling-of-namespace-in-export_sy.patch | 63 + ...dd-queue-work-sync-before-driver-rel.patch | 53 + ...fs-fix-memory-leak-in-dmi_sysfs_regi.patch | 42 + ...10-svc-fix-a-missing-check-on-list-i.patch | 60 + ...-ntfs_xattr_get_acl-and-ntfs_xattr_s.patch | 96 ++ ...-the-correct-register-address-to-do-.patch | 76 + ...c-ad7124-remove-shift-from-scan_type.patch | 36 + ...ine-tune-the-scale-calibration-value.patch | 64 + ...fix-read-big-scale-voltage-not-right.patch | 40 + ...c-fix-wait_for_completion_timeout-re.patch | 68 + ...53l0x-fix-return-value-check-of-wait.patch | 52 + ...x-memory-leak-in-jffs2_do_fill_super.patch | 68 + ...nce-count-leak-in-smb_check_perm_dac.patch | 43 + ...-for-the-null-pointer-after-calling-.patch | 47 + ...-expect-thread-termination-without-c.patch | 100 ++ .../macsec-fix-uaf-bug-for-real_dev.patch | 97 ++ ...-an-incorrect-null-check-on-list-ite.patch | 60 + ...vert-regular-spinlock-into-trylock-o.patch | 71 + ...odpost-fix-removing-numeric-suffixes.patch | 58 + ...nbd_cmd_inflight-flag-if-request-is-.patch | 80 + ...x-fix-refcount-leak-in-mv88e6xxx_mdi.patch | 44 + ..._eth_soc-out-of-bounds-read-in-mtk_h.patch | 38 + ...am65-cpsw-nuss-fix-some-refcount-lea.patch | 50 + ...eck-devm_of_phy_get-for-edefer_probe.patch | 52 + ...orrect-ece-offset-in-query-qp-output.patch | 41 + ...fix-header-rewrite-re-use-for-tupels.patch | 81 + ...n-t-use-already-freed-action-pointer.patch | 50 + ...e-softirq-in-mlx5e_activate_rq-to-av.patch | 214 +++ ...tc-nic-mode-fix-tc-chains-miss-table.patch | 151 ++ ...-netdev-features-after-changing-xdp-.patch | 44 + ...rrier-to-fix-packet-stuck-problem-fo.patch | 71 + ...barrier-to-prevent-skbuff-sticking-i.patch | 140 ++ ...r-converting-from-struct-smc_cdc_tx_.patch | 37 + ...smcrv2.ib_dev_v2-to-null-if-smc-rv2-.patch | 39 + ...pause-frame-configuration-for-physic.patch | 46 + ...af-fix-error-code-in-is_valid_offset.patch | 37 + ...xx_ss-restrict-to-mips_db1xxx-boards.patch | 48 + ...-fix-sorting-in-percent_rmt_hitm_cmp.patch | 49 + ...-topdown-events-in-a-weak-group-for-.patch | 146 ++ ...s-move-slots-event-for-the-hybrid-pl.patch | 143 ++ ...ort-sample-read-topdown-metric-group.patch | 144 ++ ...-pipe-clock-imbalance-on-power-on-fa.patch | 40 + ...nno-usb2-fix-muxed-interrupt-support.patch | 52 + ...-disallow-irq0-in-platform_get_irq-a.patch | 55 + ...upply-ab8500_fg-allocate-wq-in-probe.patch | 80 + ...288_fuel_gauge-drop-bios-version-che.patch | 39 + ...uty-calculation-in-case-period-was-c.patch | 40 + ...poe-fix-endianness-in-firmware-struc.patch | 46 + ...5-regulator-fix-invalid-allowed-mode.patch | 53 + ...proc-ignore-create-mem-entry-for-res.patch | 39 + ...ad-only-pages-should-not-be-writable.patch | 39 + ...ix-irq_of_parse_and_map-return-value.patch | 36 + ...ix-returning-0-if-irq_of_parse_and_m.patch | 37 + ...-possible-double-free-in-rpmsg_probe.patch | 50 + ...-possible-double-free-in-rpmsg_virti.patch | 40 + ...-the-unregistration-of-the-device-rp.patch | 40 + ...-error-handling-in-ftrtc010_rtc_prob.patch | 94 ++ ...-return-value-after-calling-platform.patch | 38 + ...scatterwalk_unmap-callers-in-aes-gcm.patch | 52 + ...e-sie-instruction-when-setting-cif_m.patch | 57 + ...fix-wrong-script-file-name-in-the-he.patch | 42 + ...x-potential-null-pointer-dereference.patch | 47 + ...x-selftest-after-random-urandom_read.patch | 53 + ...x-stacktrace_build_id-with-missing-k.patch | 51 + ...ed_vuart-fix-potential-null-derefere.patch | 38 + ...ek-check-ser_rs485_rts_-only-with-rs.patch | 61 + ...fix-build-error-without-config_seria.patch | 45 + ...al-digicolor-usart-don-t-allow-cs5-6.patch | 46 + ...l-meson-acquire-port-lock-in-startup.patch | 98 ++ .../serial-rda-uart-don-t-allow-cs5-6.patch | 46 + .../serial-sh-sci-don-t-allow-cs5-6.patch | 50 + ...port-actual-baud-base-rather-than-fi.patch | 66 + ...al-sifive-sanitize-csize-and-c_iflag.patch | 58 + ...nitize-csize-and-correct-parenb-for-.patch | 52 + ...-usart-correct-csize-bits-and-parity.patch | 64 + .../serial-txx9-don-t-allow-cs5-6.patch | 45 + .../serial-uartlite-fix-brkint-clearing.patch | 41 + queue-5.17/series | 137 ++ ...ing-that-all-channels-have-tx-queues.patch | 68 + ...-channel-offset-with-efx_separate_tx.patch | 70 + ...x-refcount-leak-in-rockchip_grf_init.patch | 44 + ...prevent-pm_runtime-resume-prior-to-s.patch | 58 + queue-5.17/spi-fsi-fix-spurious-timeout.patch | 61 + ...-fix-the-error-handling-path-in-anyb.patch | 39 + ...codecs-fix-type-confusion-of-list-it.patch | 44 + ...taging-r8188eu-add-check-for-kzalloc.patch | 87 + ...dd-accessors-to-read-set-tp-snd_cwnd.patch | 1447 +++++++++++++++++ ...ck-can-be-called-from-process-contex.patch | 92 ++ ...eck-attribute-length-for-bearer-name.patch | 58 + ...use-tty_port_destroy-to-destroy-port.patch | 48 + ...y-restore-eof-push-handling-behavior.patch | 123 ++ ...puart-fix-potential-bug-when-using-b.patch | 118 ++ ...ix-missing-clk_disable_unprepare-in-.patch | 37 + ...high-cpu-usage-of-ubi_bgt-by-making-.patch | 300 ++++ ...olume-fix-use-after-free-when-volume.patch | 49 + ...replace-list_for_each_entry_safe-if-.patch | 116 ++ ...x-pm_runtime_get_sync-error-checking.patch | 38 + ...issing-of_node_put-in-omap2430_probe.patch | 36 + ...rage-karma-fix-rio_karma_init-return.patch | 64 + ...-mux-check-dev_set_name-return-value.patch | 58 + ...ssing-device-lock-on-tweak-configura.patch | 49 + ...ip-fix-a-refcount-leak-in-stub_probe.patch | 49 + ...or-logic-in-vdpa_nl_cmd_dev_get_doit.patch | 56 + ...a-ifcvf-set-pci-driver-data-in-probe.patch | 47 + ...n-error-handling-path-in-vp_modern_p.patch | 37 + ...-fix-pm_runtime_get_sync-error-check.patch | 40 + ...g-rzg2l_wdt-fix-32bit-overflow-issue.patch | 47 + ...g2l_wdt-fix-bug-invalid-wait-context.patch | 134 ++ ...zg2l_wdt-fix-reset-control-imbalance.patch | 54 + ...chdog-rzg2l_wdt-fix-runtime-pm-usage.patch | 80 + ...wdt-fix-refcount-leak-in-ts4800_wdt_.patch | 49 + 138 files changed, 10639 insertions(+) create mode 100644 queue-5.17/afs-fix-infinite-loop-found-by-xfstest-generic-676.patch create mode 100644 queue-5.17/amt-fix-possible-memory-leak-in-amt_rcv.patch create mode 100644 queue-5.17/amt-fix-return-value-of-amt_update_handler.patch create mode 100644 queue-5.17/arm-dts-aspeed-ast2600-evb-enable-rx-delay-for-mac0-.patch create mode 100644 queue-5.17/arm64-initialize-jump-labels-before-setup_machine_fd.patch create mode 100644 queue-5.17/asoc-fsl_sai-fix-fsl_sai_xdr-xfr-definition.patch create mode 100644 queue-5.17/ax25-fix-ax25-session-cleanup-problems.patch create mode 100644 queue-5.17/blk-mq-do-not-update-io_ticks-with-passthrough-reque.patch create mode 100644 queue-5.17/blk-mq-don-t-touch-tagset-in-blk_mq_get_sq_hctx.patch create mode 100644 queue-5.17/block-make-bioset_exit-fully-resilient-against-being.patch create mode 100644 queue-5.17/block-take-destination-bvec-offsets-into-account-in-.patch create mode 100644 queue-5.17/block-use-bio_queue_enter-instead-of-blk_queue_enter.patch create mode 100644 queue-5.17/bluetooth-don-t-use-bitmaps-for-random-flag-accesses.patch create mode 100644 queue-5.17/bluetooth-hci_sync-fix-attempting-to-suspend-with-un.patch create mode 100644 queue-5.17/bluetooth-mgmt-add-conditions-for-setting-hci_conn_f.patch create mode 100644 queue-5.17/bpf-fix-probe-read-error-in-___bpf_prog_run.patch create mode 100644 queue-5.17/bus-ti-sysc-fix-warnings-for-unbind-for-serial.patch create mode 100644 queue-5.17/clocksource-drivers-oxnas-rps-fix-irq_of_parse_and_m.patch create mode 100644 queue-5.17/clocksource-drivers-riscv-events-are-stopped-during-.patch create mode 100644 queue-5.17/coresight-cpu-debug-replace-mutex-with-mutex_trylock.patch create mode 100644 queue-5.17/driver-base-fix-uaf-when-driver_attach-failed.patch create mode 100644 queue-5.17/driver-core-fix-deadlock-in-__device_attach.patch create mode 100644 queue-5.17/driver-core-fix-wait_for_device_probe-deferred_probe.patch create mode 100644 queue-5.17/drm-amdgpu-off-by-one-in-dm_dmub_outbox1_low_irq.patch create mode 100644 queue-5.17/drm-msm-dp-always-clear-mask-bits-to-disable-interru.patch create mode 100644 queue-5.17/dt-bindings-remoteproc-mediatek-make-l1tcm-reg-exclu.patch create mode 100644 queue-5.17/ep93xx-clock-do-not-return-the-address-of-the-freed-.patch create mode 100644 queue-5.17/export-fix-string-handling-of-namespace-in-export_sy.patch create mode 100644 queue-5.17/extcon-ptn5150-add-queue-work-sync-before-driver-rel.patch create mode 100644 queue-5.17/firmware-dmi-sysfs-fix-memory-leak-in-dmi_sysfs_regi.patch create mode 100644 queue-5.17/firmware-stratix10-svc-fix-a-missing-check-on-list-i.patch create mode 100644 queue-5.17/fs-ntfs3-restore-ntfs_xattr_get_acl-and-ntfs_xattr_s.patch create mode 100644 queue-5.17/gpio-pca953x-use-the-correct-register-address-to-do-.patch create mode 100644 queue-5.17/iio-adc-ad7124-remove-shift-from-scan_type.patch create mode 100644 queue-5.17/iio-adc-sc27xx-fine-tune-the-scale-calibration-value.patch create mode 100644 queue-5.17/iio-adc-sc27xx-fix-read-big-scale-voltage-not-right.patch create mode 100644 queue-5.17/iio-adc-stmpe-adc-fix-wait_for_completion_timeout-re.patch create mode 100644 queue-5.17/iio-proximity-vl53l0x-fix-return-value-check-of-wait.patch create mode 100644 queue-5.17/jffs2-fix-memory-leak-in-jffs2_do_fill_super.patch create mode 100644 queue-5.17/ksmbd-fix-reference-count-leak-in-smb_check_perm_dac.patch create mode 100644 queue-5.17/lkdtm-bugs-check-for-the-null-pointer-after-calling-.patch create mode 100644 queue-5.17/lkdtm-bugs-don-t-expect-thread-termination-without-c.patch create mode 100644 queue-5.17/macsec-fix-uaf-bug-for-real_dev.patch create mode 100644 queue-5.17/misc-fastrpc-fix-an-incorrect-null-check-on-list-ite.patch create mode 100644 queue-5.17/misc-pvpanic-convert-regular-spinlock-into-trylock-o.patch create mode 100644 queue-5.17/modpost-fix-removing-numeric-suffixes.patch create mode 100644 queue-5.17/nbd-don-t-clear-nbd_cmd_inflight-flag-if-request-is-.patch create mode 100644 queue-5.17/net-dsa-mv88e6xxx-fix-refcount-leak-in-mv88e6xxx_mdi.patch create mode 100644 queue-5.17/net-ethernet-mtk_eth_soc-out-of-bounds-read-in-mtk_h.patch create mode 100644 queue-5.17/net-ethernet-ti-am65-cpsw-nuss-fix-some-refcount-lea.patch create mode 100644 queue-5.17/net-lan966x-check-devm_of_phy_get-for-edefer_probe.patch create mode 100644 queue-5.17/net-mlx5-correct-ece-offset-in-query-qp-output.patch create mode 100644 queue-5.17/net-mlx5-ct-fix-header-rewrite-re-use-for-tupels.patch create mode 100644 queue-5.17/net-mlx5-don-t-use-already-freed-action-pointer.patch create mode 100644 queue-5.17/net-mlx5e-disable-softirq-in-mlx5e_activate_rq-to-av.patch create mode 100644 queue-5.17/net-mlx5e-tc-nic-mode-fix-tc-chains-miss-table.patch create mode 100644 queue-5.17/net-mlx5e-update-netdev-features-after-changing-xdp-.patch create mode 100644 queue-5.17/net-sched-add-barrier-to-fix-packet-stuck-problem-fo.patch create mode 100644 queue-5.17/net-sched-fixed-barrier-to-prevent-skbuff-sticking-i.patch create mode 100644 queue-5.17/net-smc-fixes-for-converting-from-struct-smc_cdc_tx_.patch create mode 100644 queue-5.17/net-smc-set-ini-smcrv2.ib_dev_v2-to-null-if-smc-rv2-.patch create mode 100644 queue-5.17/nfp-only-report-pause-frame-configuration-for-physic.patch create mode 100644 queue-5.17/octeontx2-af-fix-error-code-in-is_valid_offset.patch create mode 100644 queue-5.17/pcmcia-db1xxx_ss-restrict-to-mips_db1xxx-boards.patch create mode 100644 queue-5.17/perf-c2c-fix-sorting-in-percent_rmt_hitm_cmp.patch create mode 100644 queue-5.17/perf-evsel-fixes-topdown-events-in-a-weak-group-for-.patch create mode 100644 queue-5.17/perf-parse-events-move-slots-event-for-the-hybrid-pl.patch create mode 100644 queue-5.17/perf-record-support-sample-read-topdown-metric-group.patch create mode 100644 queue-5.17/phy-qcom-qmp-fix-pipe-clock-imbalance-on-power-on-fa.patch create mode 100644 queue-5.17/phy-rockchip-inno-usb2-fix-muxed-interrupt-support.patch create mode 100644 queue-5.17/platform-finally-disallow-irq0-in-platform_get_irq-a.patch create mode 100644 queue-5.17/power-supply-ab8500_fg-allocate-wq-in-probe.patch create mode 100644 queue-5.17/power-supply-axp288_fuel_gauge-drop-bios-version-che.patch create mode 100644 queue-5.17/pwm-lp3943-fix-duty-calculation-in-case-period-was-c.patch create mode 100644 queue-5.17/pwm-raspberrypi-poe-fix-endianness-in-firmware-struc.patch create mode 100644 queue-5.17/regulator-mt6315-regulator-fix-invalid-allowed-mode.patch create mode 100644 queue-5.17/remoteproc-imx_rproc-ignore-create-mem-entry-for-res.patch create mode 100644 queue-5.17/riscv-read-only-pages-should-not-be-writable.patch create mode 100644 queue-5.17/rpmsg-qcom_smd-fix-irq_of_parse_and_map-return-value.patch create mode 100644 queue-5.17/rpmsg-qcom_smd-fix-returning-0-if-irq_of_parse_and_m.patch create mode 100644 queue-5.17/rpmsg-virtio-fix-possible-double-free-in-rpmsg_probe.patch create mode 100644 queue-5.17/rpmsg-virtio-fix-possible-double-free-in-rpmsg_virti.patch create mode 100644 queue-5.17/rpmsg-virtio-fix-the-unregistration-of-the-device-rp.patch create mode 100644 queue-5.17/rtc-ftrtc010-fix-error-handling-in-ftrtc010_rtc_prob.patch create mode 100644 queue-5.17/rtc-mt6397-check-return-value-after-calling-platform.patch create mode 100644 queue-5.17/s390-crypto-fix-scatterwalk_unmap-callers-in-aes-gcm.patch create mode 100644 queue-5.17/s390-mcck-isolate-sie-instruction-when-setting-cif_m.patch create mode 100644 queue-5.17/scripts-get_abi-fix-wrong-script-file-name-in-the-he.patch create mode 100644 queue-5.17/scsi-sd-fix-potential-null-pointer-dereference.patch create mode 100644 queue-5.17/selftests-bpf-fix-selftest-after-random-urandom_read.patch create mode 100644 queue-5.17/selftests-bpf-fix-stacktrace_build_id-with-missing-k.patch create mode 100644 queue-5.17/serial-8250_aspeed_vuart-fix-potential-null-derefere.patch create mode 100644 queue-5.17/serial-8250_fintek-check-ser_rs485_rts_-only-with-rs.patch create mode 100644 queue-5.17/serial-cpm_uart-fix-build-error-without-config_seria.patch create mode 100644 queue-5.17/serial-digicolor-usart-don-t-allow-cs5-6.patch create mode 100644 queue-5.17/serial-meson-acquire-port-lock-in-startup.patch create mode 100644 queue-5.17/serial-rda-uart-don-t-allow-cs5-6.patch create mode 100644 queue-5.17/serial-sh-sci-don-t-allow-cs5-6.patch create mode 100644 queue-5.17/serial-sifive-report-actual-baud-base-rather-than-fi.patch create mode 100644 queue-5.17/serial-sifive-sanitize-csize-and-c_iflag.patch create mode 100644 queue-5.17/serial-st-asc-sanitize-csize-and-correct-parenb-for-.patch create mode 100644 queue-5.17/serial-stm32-usart-correct-csize-bits-and-parity.patch create mode 100644 queue-5.17/serial-txx9-don-t-allow-cs5-6.patch create mode 100644 queue-5.17/serial-uartlite-fix-brkint-clearing.patch create mode 100644 queue-5.17/series create mode 100644 queue-5.17/sfc-fix-considering-that-all-channels-have-tx-queues.patch create mode 100644 queue-5.17/sfc-fix-wrong-tx-channel-offset-with-efx_separate_tx.patch create mode 100644 queue-5.17/soc-rockchip-fix-refcount-leak-in-rockchip_grf_init.patch create mode 100644 queue-5.17/soundwire-intel-prevent-pm_runtime-resume-prior-to-s.patch create mode 100644 queue-5.17/spi-fsi-fix-spurious-timeout.patch create mode 100644 queue-5.17/staging-fieldbus-fix-the-error-handling-path-in-anyb.patch create mode 100644 queue-5.17/staging-greybus-codecs-fix-type-confusion-of-list-it.patch create mode 100644 queue-5.17/staging-r8188eu-add-check-for-kzalloc.patch create mode 100644 queue-5.17/tcp-add-accessors-to-read-set-tp-snd_cwnd.patch create mode 100644 queue-5.17/tcp-tcp_rtx_synack-can-be-called-from-process-contex.patch create mode 100644 queue-5.17/tipc-check-attribute-length-for-bearer-name.patch create mode 100644 queue-5.17/tty-goldfish-use-tty_port_destroy-to-destroy-port.patch create mode 100644 queue-5.17/tty-n_tty-restore-eof-push-handling-behavior.patch create mode 100644 queue-5.17/tty-serial-fsl_lpuart-fix-potential-bug-when-using-b.patch create mode 100644 queue-5.17/tty-serial-owl-fix-missing-clk_disable_unprepare-in-.patch create mode 100644 queue-5.17/ubi-fastmap-fix-high-cpu-usage-of-ubi_bgt-by-making-.patch create mode 100644 queue-5.17/ubi-ubi_create_volume-fix-use-after-free-when-volume.patch create mode 100644 queue-5.17/usb-dwc3-gadget-replace-list_for_each_entry_safe-if-.patch create mode 100644 queue-5.17/usb-dwc3-pci-fix-pm_runtime_get_sync-error-checking.patch create mode 100644 queue-5.17/usb-musb-fix-missing-of_node_put-in-omap2430_probe.patch create mode 100644 queue-5.17/usb-storage-karma-fix-rio_karma_init-return.patch create mode 100644 queue-5.17/usb-typec-mux-check-dev_set_name-return-value.patch create mode 100644 queue-5.17/usb-usbip-add-missing-device-lock-on-tweak-configura.patch create mode 100644 queue-5.17/usb-usbip-fix-a-refcount-leak-in-stub_probe.patch create mode 100644 queue-5.17/vdpa-fix-error-logic-in-vdpa_nl_cmd_dev_get_doit.patch create mode 100644 queue-5.17/vdpa-ifcvf-set-pci-driver-data-in-probe.patch create mode 100644 queue-5.17/virtio-pci-fix-an-error-handling-path-in-vp_modern_p.patch create mode 100644 queue-5.17/watchdog-rti-wdt-fix-pm_runtime_get_sync-error-check.patch create mode 100644 queue-5.17/watchdog-rzg2l_wdt-fix-32bit-overflow-issue.patch create mode 100644 queue-5.17/watchdog-rzg2l_wdt-fix-bug-invalid-wait-context.patch create mode 100644 queue-5.17/watchdog-rzg2l_wdt-fix-reset-control-imbalance.patch create mode 100644 queue-5.17/watchdog-rzg2l_wdt-fix-runtime-pm-usage.patch create mode 100644 queue-5.17/watchdog-ts4800_wdt-fix-refcount-leak-in-ts4800_wdt_.patch diff --git a/queue-5.17/afs-fix-infinite-loop-found-by-xfstest-generic-676.patch b/queue-5.17/afs-fix-infinite-loop-found-by-xfstest-generic-676.patch new file mode 100644 index 00000000000..04200b2590b --- /dev/null +++ b/queue-5.17/afs-fix-infinite-loop-found-by-xfstest-generic-676.patch @@ -0,0 +1,65 @@ +From c13463a6a6ddae8f87e98ae61cd5e2c5d44eebc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 May 2022 09:30:40 +0100 +Subject: afs: Fix infinite loop found by xfstest generic/676 + +From: David Howells + +[ Upstream commit 17eabd42560f4636648ad65ba5b20228071e2363 ] + +In AFS, a directory is handled as a file that the client downloads and +parses locally for the purposes of performing lookup and getdents +operations. The in-kernel afs filesystem has a number of functions that +do this. + +A directory file is arranged as a series of 2K blocks divided into +32-byte slots, where a directory entry occupies one or more slots, plus +each block starts with one or more metadata blocks. + +When parsing a block, if the last slots are occupied by a dirent that +occupies more than a single slot and the file position points at a slot +that's not the initial one, the logic in afs_dir_iterate_block() that +skips over it won't advance the file pointer to the end of it. This +will cause an infinite loop in getdents() as it will keep retrying that +block and failing to advance beyond the final entry. + +Fix this by advancing the file pointer if the next entry will be beyond +it when we skip a block. + +This was found by the generic/676 xfstest but can also be triggered with +something like: + + ~/xfstests-dev/src/t_readdir_3 /xfstest.test/z 4000 1 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +Tested-by: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: http://lore.kernel.org/r/165391973497.110268.2939296942213894166.stgit@warthog.procyon.org.uk/ +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/dir.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/afs/dir.c b/fs/afs/dir.c +index da9b4f8577a1..7f1cb3b73874 100644 +--- a/fs/afs/dir.c ++++ b/fs/afs/dir.c +@@ -462,8 +462,11 @@ static int afs_dir_iterate_block(struct afs_vnode *dvnode, + } + + /* skip if starts before the current position */ +- if (offset < curr) ++ if (offset < curr) { ++ if (next > curr) ++ ctx->pos = blkoff + next * sizeof(union afs_xdr_dirent); + continue; ++ } + + /* found the next entry */ + if (!dir_emit(ctx, dire->u.name, nlen, +-- +2.35.1 + diff --git a/queue-5.17/amt-fix-possible-memory-leak-in-amt_rcv.patch b/queue-5.17/amt-fix-possible-memory-leak-in-amt_rcv.patch new file mode 100644 index 00000000000..efdbe71ad6b --- /dev/null +++ b/queue-5.17/amt-fix-possible-memory-leak-in-amt_rcv.patch @@ -0,0 +1,38 @@ +From e7af4b832dd427d0ce06453ce02f44e1e519372a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 May 2022 16:17:08 +0000 +Subject: amt: fix possible memory leak in amt_rcv() + +From: Taehee Yoo + +[ Upstream commit 1a1a0e80e005cbdc2c250fc858e1d8570f4e4acb ] + +If an amt receives packets and it finds socket. +If it can't find a socket, it should free a received skb. +But it doesn't. +So, a memory leak would possibly occur. + +Fixes: cbc21dc1cfe9 ("amt: add data plane of amt interface") +Signed-off-by: Taehee Yoo +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/amt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/amt.c b/drivers/net/amt.c +index 6205282a09e5..d23eac9ce858 100644 +--- a/drivers/net/amt.c ++++ b/drivers/net/amt.c +@@ -2679,7 +2679,7 @@ static int amt_rcv(struct sock *sk, struct sk_buff *skb) + amt = rcu_dereference_sk_user_data(sk); + if (!amt) { + err = true; +- goto out; ++ goto drop; + } + + skb->dev = amt->dev; +-- +2.35.1 + diff --git a/queue-5.17/amt-fix-return-value-of-amt_update_handler.patch b/queue-5.17/amt-fix-return-value-of-amt_update_handler.patch new file mode 100644 index 00000000000..e0cb9ab95fb --- /dev/null +++ b/queue-5.17/amt-fix-return-value-of-amt_update_handler.patch @@ -0,0 +1,38 @@ +From fcf7f6ba2877578404d52125b5e3ca6485ff495c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 May 2022 16:17:07 +0000 +Subject: amt: fix return value of amt_update_handler() + +From: Taehee Yoo + +[ Upstream commit ac1dbf55981b88d64312858ea06e3e63001f085d ] + +If a relay receives an update message, it lookup a tunnel. +and if there is no tunnel for that message, it should be treated +as an error, not a success. +But amt_update_handler() returns false, which means success. + +Fixes: cbc21dc1cfe9 ("amt: add data plane of amt interface") +Signed-off-by: Taehee Yoo +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/amt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/amt.c b/drivers/net/amt.c +index fb774d568baa..6205282a09e5 100644 +--- a/drivers/net/amt.c ++++ b/drivers/net/amt.c +@@ -2423,7 +2423,7 @@ static bool amt_update_handler(struct amt_dev *amt, struct sk_buff *skb) + } + } + +- return false; ++ return true; + + report: + iph = ip_hdr(skb); +-- +2.35.1 + diff --git a/queue-5.17/arm-dts-aspeed-ast2600-evb-enable-rx-delay-for-mac0-.patch b/queue-5.17/arm-dts-aspeed-ast2600-evb-enable-rx-delay-for-mac0-.patch new file mode 100644 index 00000000000..f8355c12afd --- /dev/null +++ b/queue-5.17/arm-dts-aspeed-ast2600-evb-enable-rx-delay-for-mac0-.patch @@ -0,0 +1,51 @@ +From 6a59a1a3605d38680fd85475f570081a6405b6ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Apr 2022 06:59:06 +0000 +Subject: ARM: dts: aspeed: ast2600-evb: Enable RX delay for MAC0/MAC1 + +From: Howard Chiu + +[ Upstream commit 4d338ee40ba89e508c5d3e1b4af956af7cb5e12e ] + +Since mac0/1 and mac2/3 are physically located on different die, +they have different properties by nature, which is mac0/1 has smaller delay step. + +The property 'phy-mode' on ast2600 mac0 and mac1 is recommended to set to 'rgmii-rxid' +which enables the RX interface delay from the PHY chip. +Refer page 45 of SDK User Guide v08.00 +https://github.com/AspeedTech-BMC/openbmc/releases/download/v08.00/SDK_User_Guide_v08.00.pdf + +Fixes: 2ca5646b5c2f ("ARM: dts: aspeed: Add AST2600 and EVB") +Signed-off-by: Howard Chiu +Link: https://lore.kernel.org/r/SG2PR06MB23152A548AAE81140B57DD69E6E09@SG2PR06MB2315.apcprd06.prod.outlook.com +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/aspeed-ast2600-evb.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/aspeed-ast2600-evb.dts b/arch/arm/boot/dts/aspeed-ast2600-evb.dts +index b7eb552640cb..788448cdd6b3 100644 +--- a/arch/arm/boot/dts/aspeed-ast2600-evb.dts ++++ b/arch/arm/boot/dts/aspeed-ast2600-evb.dts +@@ -103,7 +103,7 @@ + &mac0 { + status = "okay"; + +- phy-mode = "rgmii"; ++ phy-mode = "rgmii-rxid"; + phy-handle = <ðphy0>; + + pinctrl-names = "default"; +@@ -114,7 +114,7 @@ + &mac1 { + status = "okay"; + +- phy-mode = "rgmii"; ++ phy-mode = "rgmii-rxid"; + phy-handle = <ðphy1>; + + pinctrl-names = "default"; +-- +2.35.1 + diff --git a/queue-5.17/arm64-initialize-jump-labels-before-setup_machine_fd.patch b/queue-5.17/arm64-initialize-jump-labels-before-setup_machine_fd.patch new file mode 100644 index 00000000000..be5cec495e1 --- /dev/null +++ b/queue-5.17/arm64-initialize-jump-labels-before-setup_machine_fd.patch @@ -0,0 +1,93 @@ +From 89c40524967b133c987a12594bc623b1c4af8479 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 19:21:09 -0700 +Subject: arm64: Initialize jump labels before setup_machine_fdt() + +From: Stephen Boyd + +[ Upstream commit 73e2d827a501d48dceeb5b9b267a4cd283d6b1ae ] + +A static key warning splat appears during early boot on arm64 systems +that credit randomness from devicetrees that contain an "rng-seed" +property. This is because setup_machine_fdt() is called before +jump_label_init() during setup_arch(). Let's swap the order of these two +calls so that jump labels are initialized before the devicetree is +unflattened and the rng seed is credited. + + static_key_enable_cpuslocked(): static key '0xffffffe51c6fcfc0' used before call to jump_label_init() + WARNING: CPU: 0 PID: 0 at kernel/jump_label.c:166 static_key_enable_cpuslocked+0xb0/0xb8 + Modules linked in: + CPU: 0 PID: 0 Comm: swapper Not tainted 5.18.0+ #224 44b43e377bfc84bc99bb5ab885ff694984ee09ff + pstate: 600001c9 (nZCv dAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : static_key_enable_cpuslocked+0xb0/0xb8 + lr : static_key_enable_cpuslocked+0xb0/0xb8 + sp : ffffffe51c393cf0 + x29: ffffffe51c393cf0 x28: 000000008185054c x27: 00000000f1042f10 + x26: 0000000000000000 x25: 00000000f10302b2 x24: 0000002513200000 + x23: 0000002513200000 x22: ffffffe51c1c9000 x21: fffffffdfdc00000 + x20: ffffffe51c2f0831 x19: ffffffe51c6fcfc0 x18: 00000000ffff1020 + x17: 00000000e1e2ac90 x16: 00000000000000e0 x15: ffffffe51b710708 + x14: 0000000000000066 x13: 0000000000000018 x12: 0000000000000000 + x11: 0000000000000000 x10: 00000000ffffffff x9 : 0000000000000000 + x8 : 0000000000000000 x7 : 61632065726f6665 x6 : 6220646573752027 + x5 : ffffffe51c641d25 x4 : ffffffe51c13142c x3 : ffff0a00ffffff05 + x2 : 40000000ffffe003 x1 : 00000000000001c0 x0 : 0000000000000065 + Call trace: + static_key_enable_cpuslocked+0xb0/0xb8 + static_key_enable+0x2c/0x40 + crng_set_ready+0x24/0x30 + execute_in_process_context+0x80/0x90 + _credit_init_bits+0x100/0x154 + add_bootloader_randomness+0x64/0x78 + early_init_dt_scan_chosen+0x140/0x184 + early_init_dt_scan_nodes+0x28/0x4c + early_init_dt_scan+0x40/0x44 + setup_machine_fdt+0x7c/0x120 + setup_arch+0x74/0x1d8 + start_kernel+0x84/0x44c + __primary_switched+0xc0/0xc8 + ---[ end trace 0000000000000000 ]--- + random: crng init done + Machine model: Google Lazor (rev1 - 2) with LTE + +Cc: Hsin-Yi Wang +Cc: Douglas Anderson +Cc: Ard Biesheuvel +Cc: Steven Rostedt +Cc: Jason A. Donenfeld +Cc: Dominik Brodowski +Fixes: f5bda35fba61 ("random: use static branch for crng_ready()") +Signed-off-by: Stephen Boyd +Reviewed-by: Jason A. Donenfeld +Link: https://lore.kernel.org/r/20220602022109.780348-1-swboyd@chromium.org +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/setup.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c +index f70573928f1b..505617bb6761 100644 +--- a/arch/arm64/kernel/setup.c ++++ b/arch/arm64/kernel/setup.c +@@ -314,13 +314,14 @@ void __init __no_sanitize_address setup_arch(char **cmdline_p) + early_fixmap_init(); + early_ioremap_init(); + +- setup_machine_fdt(__fdt_pointer); +- + /* + * Initialise the static keys early as they may be enabled by the +- * cpufeature code and early parameters. ++ * cpufeature code, early parameters, and DT setup. + */ + jump_label_init(); ++ ++ setup_machine_fdt(__fdt_pointer); ++ + parse_early_param(); + + /* +-- +2.35.1 + diff --git a/queue-5.17/asoc-fsl_sai-fix-fsl_sai_xdr-xfr-definition.patch b/queue-5.17/asoc-fsl_sai-fix-fsl_sai_xdr-xfr-definition.patch new file mode 100644 index 00000000000..b203596f5c5 --- /dev/null +++ b/queue-5.17/asoc-fsl_sai-fix-fsl_sai_xdr-xfr-definition.patch @@ -0,0 +1,40 @@ +From 1c73f9fb61b4686aa43125f2f1ca51a887fd6718 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 May 2022 13:44:21 +0800 +Subject: ASoC: fsl_sai: Fix FSL_SAI_xDR/xFR definition + +From: Shengjiu Wang + +[ Upstream commit e4dd748dc87cf431af7b3954963be0d9f6150217 ] + +There are multiple xDR and xFR registers, the index is +from 0 to 7. FSL_SAI_xDR and FSL_SAI_xFR is abandoned, +replace them with FSL_SAI_xDR0 and FSL_SAI_xFR0. + +Fixes: 4f7a0728b530 ("ASoC: fsl_sai: Add support for SAI new version") +Signed-off-by: Shengjiu Wang +Link: https://lore.kernel.org/r/1653284661-18964-1-git-send-email-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_sai.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/fsl/fsl_sai.h b/sound/soc/fsl/fsl_sai.h +index 9aaf231bc024..93da86009c75 100644 +--- a/sound/soc/fsl/fsl_sai.h ++++ b/sound/soc/fsl/fsl_sai.h +@@ -80,8 +80,8 @@ + #define FSL_SAI_xCR3(tx, ofs) (tx ? FSL_SAI_TCR3(ofs) : FSL_SAI_RCR3(ofs)) + #define FSL_SAI_xCR4(tx, ofs) (tx ? FSL_SAI_TCR4(ofs) : FSL_SAI_RCR4(ofs)) + #define FSL_SAI_xCR5(tx, ofs) (tx ? FSL_SAI_TCR5(ofs) : FSL_SAI_RCR5(ofs)) +-#define FSL_SAI_xDR(tx, ofs) (tx ? FSL_SAI_TDR(ofs) : FSL_SAI_RDR(ofs)) +-#define FSL_SAI_xFR(tx, ofs) (tx ? FSL_SAI_TFR(ofs) : FSL_SAI_RFR(ofs)) ++#define FSL_SAI_xDR0(tx) (tx ? FSL_SAI_TDR0 : FSL_SAI_RDR0) ++#define FSL_SAI_xFR0(tx) (tx ? FSL_SAI_TFR0 : FSL_SAI_RFR0) + #define FSL_SAI_xMR(tx) (tx ? FSL_SAI_TMR : FSL_SAI_RMR) + + /* SAI Transmit/Receive Control Register */ +-- +2.35.1 + diff --git a/queue-5.17/ax25-fix-ax25-session-cleanup-problems.patch b/queue-5.17/ax25-fix-ax25-session-cleanup-problems.patch new file mode 100644 index 00000000000..3ccf2be8ecd --- /dev/null +++ b/queue-5.17/ax25-fix-ax25-session-cleanup-problems.patch @@ -0,0 +1,184 @@ +From a60a1c6225fc7feaa4821edc5b47a2d322a2a562 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 23:21:58 +0800 +Subject: ax25: Fix ax25 session cleanup problems + +From: Duoming Zhou + +[ Upstream commit 7d8a3a477b3e25ada8dc71d22048c2ea417209a0 ] + +There are session cleanup problems in ax25_release() and +ax25_disconnect(). If we setup a session and then disconnect, +the disconnected session is still in "LISTENING" state that +is shown below. + +Active AX.25 sockets +Dest Source Device State Vr/Vs Send-Q Recv-Q +DL9SAU-4 DL9SAU-3 ??? LISTENING 000/000 0 0 +DL9SAU-3 DL9SAU-4 ??? LISTENING 000/000 0 0 + +The first reason is caused by del_timer_sync() in ax25_release(). +The timers of ax25 are used for correct session cleanup. If we use +ax25_release() to close ax25 sessions and ax25_dev is not null, +the del_timer_sync() functions in ax25_release() will execute. +As a result, the sessions could not be cleaned up correctly, +because the timers have stopped. + +In order to solve this problem, this patch adds a device_up flag +in ax25_dev in order to judge whether the device is up. If there +are sessions to be cleaned up, the del_timer_sync() in +ax25_release() will not execute. What's more, we add ax25_cb_del() +in ax25_kill_by_device(), because the timers have been stopped +and there are no functions that could delete ax25_cb if we do not +call ax25_release(). Finally, we reorder the position of +ax25_list_lock in ax25_cb_del() in order to synchronize among +different functions that call ax25_cb_del(). + +The second reason is caused by improper check in ax25_disconnect(). +The incoming ax25 sessions which ax25->sk is null will close +heartbeat timer, because the check "if(!ax25->sk || ..)" is +satisfied. As a result, the session could not be cleaned up properly. + +In order to solve this problem, this patch changes the improper +check to "if(ax25->sk && ..)" in ax25_disconnect(). + +What`s more, the ax25_disconnect() may be called twice, which is +not necessary. For example, ax25_kill_by_device() calls +ax25_disconnect() and sets ax25->state to AX25_STATE_0, but +ax25_release() calls ax25_disconnect() again. + +In order to solve this problem, this patch add a check in +ax25_release(). If the flag of ax25->sk equals to SOCK_DEAD, +the ax25_disconnect() in ax25_release() should not be executed. + +Fixes: 82e31755e55f ("ax25: Fix UAF bugs in ax25 timers") +Fixes: 8a367e74c012 ("ax25: Fix segfault after sock connection timeout") +Reported-and-tested-by: Thomas Osterried +Signed-off-by: Duoming Zhou +Link: https://lore.kernel.org/r/20220530152158.108619-1-duoming@zju.edu.cn +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/ax25.h | 1 + + net/ax25/af_ax25.c | 27 +++++++++++++++++---------- + net/ax25/ax25_dev.c | 1 + + net/ax25/ax25_subr.c | 2 +- + 4 files changed, 20 insertions(+), 11 deletions(-) + +diff --git a/include/net/ax25.h b/include/net/ax25.h +index 8221af1811df..5253692db9eb 100644 +--- a/include/net/ax25.h ++++ b/include/net/ax25.h +@@ -240,6 +240,7 @@ typedef struct ax25_dev { + ax25_dama_info dama; + #endif + refcount_t refcount; ++ bool device_up; + } ax25_dev; + + typedef struct ax25_cb { +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index 363d47f94532..289f355e1853 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -62,12 +62,12 @@ static void ax25_free_sock(struct sock *sk) + */ + static void ax25_cb_del(ax25_cb *ax25) + { ++ spin_lock_bh(&ax25_list_lock); + if (!hlist_unhashed(&ax25->ax25_node)) { +- spin_lock_bh(&ax25_list_lock); + hlist_del_init(&ax25->ax25_node); +- spin_unlock_bh(&ax25_list_lock); + ax25_cb_put(ax25); + } ++ spin_unlock_bh(&ax25_list_lock); + } + + /* +@@ -81,6 +81,7 @@ static void ax25_kill_by_device(struct net_device *dev) + + if ((ax25_dev = ax25_dev_ax25dev(dev)) == NULL) + return; ++ ax25_dev->device_up = false; + + spin_lock_bh(&ax25_list_lock); + again: +@@ -91,6 +92,7 @@ static void ax25_kill_by_device(struct net_device *dev) + spin_unlock_bh(&ax25_list_lock); + ax25_disconnect(s, ENETUNREACH); + s->ax25_dev = NULL; ++ ax25_cb_del(s); + spin_lock_bh(&ax25_list_lock); + goto again; + } +@@ -103,6 +105,7 @@ static void ax25_kill_by_device(struct net_device *dev) + dev_put_track(ax25_dev->dev, &ax25_dev->dev_tracker); + ax25_dev_put(ax25_dev); + } ++ ax25_cb_del(s); + release_sock(sk); + spin_lock_bh(&ax25_list_lock); + sock_put(sk); +@@ -995,9 +998,11 @@ static int ax25_release(struct socket *sock) + if (sk->sk_type == SOCK_SEQPACKET) { + switch (ax25->state) { + case AX25_STATE_0: +- release_sock(sk); +- ax25_disconnect(ax25, 0); +- lock_sock(sk); ++ if (!sock_flag(ax25->sk, SOCK_DEAD)) { ++ release_sock(sk); ++ ax25_disconnect(ax25, 0); ++ lock_sock(sk); ++ } + ax25_destroy_socket(ax25); + break; + +@@ -1053,11 +1058,13 @@ static int ax25_release(struct socket *sock) + ax25_destroy_socket(ax25); + } + if (ax25_dev) { +- del_timer_sync(&ax25->timer); +- del_timer_sync(&ax25->t1timer); +- del_timer_sync(&ax25->t2timer); +- del_timer_sync(&ax25->t3timer); +- del_timer_sync(&ax25->idletimer); ++ if (!ax25_dev->device_up) { ++ del_timer_sync(&ax25->timer); ++ del_timer_sync(&ax25->t1timer); ++ del_timer_sync(&ax25->t2timer); ++ del_timer_sync(&ax25->t3timer); ++ del_timer_sync(&ax25->idletimer); ++ } + dev_put_track(ax25_dev->dev, &ax25_dev->dev_tracker); + ax25_dev_put(ax25_dev); + } +diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c +index d2a244e1c260..5451be15e072 100644 +--- a/net/ax25/ax25_dev.c ++++ b/net/ax25/ax25_dev.c +@@ -62,6 +62,7 @@ void ax25_dev_device_up(struct net_device *dev) + ax25_dev->dev = dev; + dev_hold_track(dev, &ax25_dev->dev_tracker, GFP_ATOMIC); + ax25_dev->forward = NULL; ++ ax25_dev->device_up = true; + + ax25_dev->values[AX25_VALUES_IPDEFMODE] = AX25_DEF_IPDEFMODE; + ax25_dev->values[AX25_VALUES_AXDEFMODE] = AX25_DEF_AXDEFMODE; +diff --git a/net/ax25/ax25_subr.c b/net/ax25/ax25_subr.c +index 3a476e4f6cd0..9ff98f46dc6b 100644 +--- a/net/ax25/ax25_subr.c ++++ b/net/ax25/ax25_subr.c +@@ -268,7 +268,7 @@ void ax25_disconnect(ax25_cb *ax25, int reason) + del_timer_sync(&ax25->t3timer); + del_timer_sync(&ax25->idletimer); + } else { +- if (!ax25->sk || !sock_flag(ax25->sk, SOCK_DESTROY)) ++ if (ax25->sk && !sock_flag(ax25->sk, SOCK_DESTROY)) + ax25_stop_heartbeat(ax25); + ax25_stop_t1timer(ax25); + ax25_stop_t2timer(ax25); +-- +2.35.1 + diff --git a/queue-5.17/blk-mq-do-not-update-io_ticks-with-passthrough-reque.patch b/queue-5.17/blk-mq-do-not-update-io_ticks-with-passthrough-reque.patch new file mode 100644 index 00000000000..4ad00a013bf --- /dev/null +++ b/queue-5.17/blk-mq-do-not-update-io_ticks-with-passthrough-reque.patch @@ -0,0 +1,44 @@ +From 54df122ed2d27132653ffcf30926c7da6b974631 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 14:40:59 +0800 +Subject: blk-mq: do not update io_ticks with passthrough requests + +From: Haisu Wang + +[ Upstream commit b81c14ca14b631aa1abae32fb5ae75b5e9251012 ] + +Flush or passthrough requests are not accounted as normal IO in completion. +To reflect iostat for slow IO, io_ticks is updated when stat show called +based on inflight numbers. +It may cause inconsistent io_ticks calculation result. + +So do not account non-passthrough request when check inflight. + +Fixes: 86d7331299fd ("block: update io_ticks when io hang") +Signed-off-by: Haisu Wang +Reviewed-by: samuelliao +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20220530064059.1120058-1-haisuwang@tencent.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 6afe0cd128ac..f18e1c9c3f4a 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -132,7 +132,8 @@ static bool blk_mq_check_inflight(struct request *rq, void *priv, + { + struct mq_inflight *mi = priv; + +- if ((!mi->part->bd_partno || rq->part == mi->part) && ++ if (rq->part && blk_do_io_stat(rq) && ++ (!mi->part->bd_partno || rq->part == mi->part) && + blk_mq_rq_state(rq) == MQ_RQ_IN_FLIGHT) + mi->inflight[rq_data_dir(rq)]++; + +-- +2.35.1 + diff --git a/queue-5.17/blk-mq-don-t-touch-tagset-in-blk_mq_get_sq_hctx.patch b/queue-5.17/blk-mq-don-t-touch-tagset-in-blk_mq_get_sq_hctx.patch new file mode 100644 index 00000000000..0d91ff90017 --- /dev/null +++ b/queue-5.17/blk-mq-don-t-touch-tagset-in-blk_mq_get_sq_hctx.patch @@ -0,0 +1,58 @@ +From ec1f9d708294e087f10126dc482f6bc9963ece8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 May 2022 20:23:50 +0800 +Subject: blk-mq: don't touch ->tagset in blk_mq_get_sq_hctx + +From: Ming Lei + +[ Upstream commit 5d05426e2d5fd7df8afc866b78c36b37b00188b7 ] + +blk_mq_run_hw_queues() could be run when there isn't queued request and +after queue is cleaned up, at that time tagset is freed, because tagset +lifetime is covered by driver, and often freed after blk_cleanup_queue() +returns. + +So don't touch ->tagset for figuring out current default hctx by the mapping +built in request queue, so use-after-free on tagset can be avoided. Meantime +this way should be fast than retrieving mapping from tagset. + +Cc: "yukuai (C)" +Cc: Jan Kara +Fixes: b6e68ee82585 ("blk-mq: Improve performance of non-mq IO schedulers with multiple HW queues") +Signed-off-by: Ming Lei +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20220522122350.743103-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 0aa20df31e36..6afe0cd128ac 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -2114,8 +2114,7 @@ static bool blk_mq_has_sqsched(struct request_queue *q) + */ + static struct blk_mq_hw_ctx *blk_mq_get_sq_hctx(struct request_queue *q) + { +- struct blk_mq_hw_ctx *hctx; +- ++ struct blk_mq_ctx *ctx = blk_mq_get_ctx(q); + /* + * If the IO scheduler does not respect hardware queues when + * dispatching, we just don't bother with multiple HW queues and +@@ -2123,8 +2122,8 @@ static struct blk_mq_hw_ctx *blk_mq_get_sq_hctx(struct request_queue *q) + * just causes lock contention inside the scheduler and pointless cache + * bouncing. + */ +- hctx = blk_mq_map_queue_type(q, HCTX_TYPE_DEFAULT, +- raw_smp_processor_id()); ++ struct blk_mq_hw_ctx *hctx = blk_mq_map_queue(q, 0, ctx); ++ + if (!blk_mq_hctx_stopped(hctx)) + return hctx; + return NULL; +-- +2.35.1 + diff --git a/queue-5.17/block-make-bioset_exit-fully-resilient-against-being.patch b/queue-5.17/block-make-bioset_exit-fully-resilient-against-being.patch new file mode 100644 index 00000000000..5c29a4021e9 --- /dev/null +++ b/queue-5.17/block-make-bioset_exit-fully-resilient-against-being.patch @@ -0,0 +1,42 @@ +From 433219a3bbbe3066bf18ae3afd99e80b17b85caf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 May 2022 07:13:09 -0600 +Subject: block: make bioset_exit() fully resilient against being called twice + +From: Jens Axboe + +[ Upstream commit 605f7415ecfb426610195dd6c7577b30592b3369 ] + +Most of bioset_exit() is fine being called twice, as it clears the +various allocations etc when they are freed. The exception is +bio_alloc_cache_destroy(), which does not clear ->cache when it has +freed it. + +This isn't necessarily a bug, but can be if buggy users does call the +exit path more then once, or with just a memset() bioset which has +never been initialized. dm appears to be one such user. + +Fixes: be4d234d7aeb ("bio: add allocation cache abstraction") +Link: https://lore.kernel.org/linux-block/YpK7m+14A+pZKs5k@casper.infradead.org/ +Reported-by: Matthew Wilcox +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/block/bio.c b/block/bio.c +index 738fea03edbf..dc6940621d7d 100644 +--- a/block/bio.c ++++ b/block/bio.c +@@ -668,6 +668,7 @@ static void bio_alloc_cache_destroy(struct bio_set *bs) + bio_alloc_cache_prune(cache, -1U); + } + free_percpu(bs->cache); ++ bs->cache = NULL; + } + + /** +-- +2.35.1 + diff --git a/queue-5.17/block-take-destination-bvec-offsets-into-account-in-.patch b/queue-5.17/block-take-destination-bvec-offsets-into-account-in-.patch new file mode 100644 index 00000000000..7353f27e95f --- /dev/null +++ b/queue-5.17/block-take-destination-bvec-offsets-into-account-in-.patch @@ -0,0 +1,46 @@ +From 6bec3af08574d38478a1ec02e798a87eaf2db928 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 May 2022 16:39:19 +0200 +Subject: block: take destination bvec offsets into account in + bio_copy_data_iter + +From: Christoph Hellwig + +[ Upstream commit 403d50341cce6b5481a92eb481e6df60b1f49b55 ] + +Appartly bcache can copy into bios that do not just contain fresh +pages but can have offsets into the bio_vecs. Restore support for tht +in bio_copy_data_iter. + +Fixes: f8b679a070c5 ("block: rewrite bio_copy_data_iter to use bvec_kmap_local and memcpy_to_bvec") +Signed-off-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20220524143919.1155501-1-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bio.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/block/bio.c b/block/bio.c +index 342b1cf5d713..738fea03edbf 100644 +--- a/block/bio.c ++++ b/block/bio.c +@@ -1308,10 +1308,12 @@ void bio_copy_data_iter(struct bio *dst, struct bvec_iter *dst_iter, + struct bio_vec src_bv = bio_iter_iovec(src, *src_iter); + struct bio_vec dst_bv = bio_iter_iovec(dst, *dst_iter); + unsigned int bytes = min(src_bv.bv_len, dst_bv.bv_len); +- void *src_buf; ++ void *src_buf = bvec_kmap_local(&src_bv); ++ void *dst_buf = bvec_kmap_local(&dst_bv); + +- src_buf = bvec_kmap_local(&src_bv); +- memcpy_to_bvec(&dst_bv, src_buf); ++ memcpy(dst_buf, src_buf, bytes); ++ ++ kunmap_local(dst_buf); + kunmap_local(src_buf); + + bio_advance_iter_single(src, src_iter, bytes); +-- +2.35.1 + diff --git a/queue-5.17/block-use-bio_queue_enter-instead-of-blk_queue_enter.patch b/queue-5.17/block-use-bio_queue_enter-instead-of-blk_queue_enter.patch new file mode 100644 index 00000000000..547df9355e7 --- /dev/null +++ b/queue-5.17/block-use-bio_queue_enter-instead-of-blk_queue_enter.patch @@ -0,0 +1,37 @@ +From 97dbe0a754863d79ffd794aeee791f43c004bfcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 May 2022 14:43:02 +0200 +Subject: block: use bio_queue_enter instead of blk_queue_enter in bio_poll + +From: Christoph Hellwig + +[ Upstream commit ebd076bf7d5deef488ec7ebc3fdbf781eafae269 ] + +We want to have a valid live gendisk to call ->poll and not just a +request_queue, so call the right helper. + +Fixes: 3e08773c3841 ("block: switch polling to be bio based") +Signed-off-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20220523124302.526186-1-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-core.c b/block/blk-core.c +index 779b4a1f66ac..45d750eb2628 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -992,7 +992,7 @@ int bio_poll(struct bio *bio, struct io_comp_batch *iob, unsigned int flags) + if (current->plug) + blk_flush_plug(current->plug, false); + +- if (blk_queue_enter(q, BLK_MQ_REQ_NOWAIT)) ++ if (bio_queue_enter(bio)) + return 0; + if (WARN_ON_ONCE(!queue_is_mq(q))) + ret = 0; /* not yet implemented, should not happen */ +-- +2.35.1 + diff --git a/queue-5.17/bluetooth-don-t-use-bitmaps-for-random-flag-accesses.patch b/queue-5.17/bluetooth-don-t-use-bitmaps-for-random-flag-accesses.patch new file mode 100644 index 00000000000..5c5688d4afb --- /dev/null +++ b/queue-5.17/bluetooth-don-t-use-bitmaps-for-random-flag-accesses.patch @@ -0,0 +1,295 @@ +From 26e39eea4005542bd357f12dc15ab24ea2cc8b8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jun 2022 11:51:48 -0700 +Subject: bluetooth: don't use bitmaps for random flag accesses + +From: Linus Torvalds + +[ Upstream commit e1cff7002b716bd0b5f5f4afd4273c99aa8644be ] + +The bluetooth code uses our bitmap infrastructure for the two bits (!) +of connection setup flags, and in the process causes odd problems when +it converts between a bitmap and just the regular values of said bits. + +It's completely pointless to do things like bitmap_to_arr32() to convert +a bitmap into a u32. It shoudln't have been a bitmap in the first +place. The reason to use bitmaps is if you have arbitrary number of +bits you want to manage (not two!), or if you rely on the atomicity +guarantees of the bitmap setting and clearing. + +The code could use an "atomic_t" and use "atomic_or/andnot()" to set and +clear the bit values, but considering that it then copies the bitmaps +around with "bitmap_to_arr32()" and friends, there clearly cannot be a +lot of atomicity requirements. + +So just use a regular integer. + +In the process, this avoids the warnings about erroneous use of +bitmap_from_u64() which were triggered on 32-bit architectures when +conversion from a u64 would access two words (and, surprise, surprise, +only one word is needed - and indeed overkill - for a 2-bit bitmap). + +That was always problematic, but the compiler seems to notice it and +warn about the invalid pattern only after commit 0a97953fd221 ("lib: add +bitmap_{from,to}_arr64") changed the exact implementation details of +'bitmap_from_u64()', as reported by Sudip Mukherjee and Stephen Rothwell. + +Fixes: fe92ee6425a2 ("Bluetooth: hci_core: Rework hci_conn_params flags") +Link: https://lore.kernel.org/all/YpyJ9qTNHJzz0FHY@debian/ +Link: https://lore.kernel.org/all/20220606080631.0c3014f2@canb.auug.org.au/ +Link: https://lore.kernel.org/all/20220605162537.1604762-1-yury.norov@gmail.com/ +Reported-by: Stephen Rothwell +Reported-by: Sudip Mukherjee +Reviewed-by: Yury Norov +Cc: Luiz Augusto von Dentz +Cc: Marcel Holtmann +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci_core.h | 17 ++++++--------- + net/bluetooth/hci_core.c | 4 ++-- + net/bluetooth/hci_request.c | 2 +- + net/bluetooth/hci_sync.c | 6 +++--- + net/bluetooth/mgmt.c | 37 ++++++++++++-------------------- + 5 files changed, 27 insertions(+), 39 deletions(-) + +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index 4524920e4895..f397b0a3d631 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -155,21 +155,18 @@ struct bdaddr_list_with_irk { + u8 local_irk[16]; + }; + ++/* Bitmask of connection flags */ + enum hci_conn_flags { +- HCI_CONN_FLAG_REMOTE_WAKEUP, +- HCI_CONN_FLAG_DEVICE_PRIVACY, +- +- __HCI_CONN_NUM_FLAGS, ++ HCI_CONN_FLAG_REMOTE_WAKEUP = 1, ++ HCI_CONN_FLAG_DEVICE_PRIVACY = 2, + }; +- +-/* Make sure number of flags doesn't exceed sizeof(current_flags) */ +-static_assert(__HCI_CONN_NUM_FLAGS < 32); ++typedef u8 hci_conn_flags_t; + + struct bdaddr_list_with_flags { + struct list_head list; + bdaddr_t bdaddr; + u8 bdaddr_type; +- DECLARE_BITMAP(flags, __HCI_CONN_NUM_FLAGS); ++ hci_conn_flags_t flags; + }; + + struct bt_uuid { +@@ -567,7 +564,7 @@ struct hci_dev { + struct rfkill *rfkill; + + DECLARE_BITMAP(dev_flags, __HCI_NUM_FLAGS); +- DECLARE_BITMAP(conn_flags, __HCI_CONN_NUM_FLAGS); ++ hci_conn_flags_t conn_flags; + + __s8 adv_tx_power; + __u8 adv_data[HCI_MAX_EXT_AD_LENGTH]; +@@ -763,7 +760,7 @@ struct hci_conn_params { + + struct hci_conn *conn; + bool explicit_connect; +- DECLARE_BITMAP(flags, __HCI_CONN_NUM_FLAGS); ++ hci_conn_flags_t flags; + u8 privacy_mode; + }; + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 9e9713f7ddb8..f1feb9204063 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -2153,7 +2153,7 @@ int hci_bdaddr_list_add_with_flags(struct list_head *list, bdaddr_t *bdaddr, + + bacpy(&entry->bdaddr, bdaddr); + entry->bdaddr_type = type; +- bitmap_from_u64(entry->flags, flags); ++ entry->flags = flags; + + list_add(&entry->list, list); + +@@ -2633,7 +2633,7 @@ int hci_register_dev(struct hci_dev *hdev) + * callback. + */ + if (hdev->wakeup) +- set_bit(HCI_CONN_FLAG_REMOTE_WAKEUP, hdev->conn_flags); ++ hdev->conn_flags |= HCI_CONN_FLAG_REMOTE_WAKEUP; + + hci_sock_dev_event(hdev, HCI_DEV_REG); + hci_dev_hold(hdev); +diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c +index f4afe482e300..95689982eedb 100644 +--- a/net/bluetooth/hci_request.c ++++ b/net/bluetooth/hci_request.c +@@ -482,7 +482,7 @@ static int add_to_accept_list(struct hci_request *req, + + /* During suspend, only wakeable devices can be in accept list */ + if (hdev->suspended && +- !test_bit(HCI_CONN_FLAG_REMOTE_WAKEUP, params->flags)) ++ !(params->flags & HCI_CONN_FLAG_REMOTE_WAKEUP)) + return 0; + + *num_entries += 1; +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 6b8d1cd65de4..351c2390164d 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -1637,7 +1637,7 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev, + * indicates that LL Privacy has been enabled and + * HCI_OP_LE_SET_PRIVACY_MODE is supported. + */ +- if (!test_bit(HCI_CONN_FLAG_DEVICE_PRIVACY, params->flags)) ++ if (!(params->flags & HCI_CONN_FLAG_DEVICE_PRIVACY)) + return 0; + + irk = hci_find_irk_by_addr(hdev, ¶ms->addr, params->addr_type); +@@ -1666,7 +1666,7 @@ static int hci_le_add_accept_list_sync(struct hci_dev *hdev, + + /* During suspend, only wakeable devices can be in acceptlist */ + if (hdev->suspended && +- !test_bit(HCI_CONN_FLAG_REMOTE_WAKEUP, params->flags)) ++ !(params->flags & HCI_CONN_FLAG_REMOTE_WAKEUP)) + return 0; + + /* Select filter policy to accept all advertising */ +@@ -4856,7 +4856,7 @@ static int hci_update_event_filter_sync(struct hci_dev *hdev) + hci_clear_event_filter_sync(hdev); + + list_for_each_entry(b, &hdev->accept_list, list) { +- if (!test_bit(HCI_CONN_FLAG_REMOTE_WAKEUP, b->flags)) ++ if (!(b->flags & HCI_CONN_FLAG_REMOTE_WAKEUP)) + continue; + + bt_dev_dbg(hdev, "Adding event filters for %pMR", &b->bdaddr); +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 16cd2e7a10da..943cdc9ec763 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -4009,10 +4009,11 @@ static int exp_ll_privacy_feature_changed(bool enabled, struct hci_dev *hdev, + memcpy(ev.uuid, rpa_resolution_uuid, 16); + ev.flags = cpu_to_le32((enabled ? BIT(0) : 0) | BIT(1)); + ++ // Do we need to be atomic with the conn_flags? + if (enabled && privacy_mode_capable(hdev)) +- set_bit(HCI_CONN_FLAG_DEVICE_PRIVACY, hdev->conn_flags); ++ hdev->conn_flags |= HCI_CONN_FLAG_DEVICE_PRIVACY; + else +- clear_bit(HCI_CONN_FLAG_DEVICE_PRIVACY, hdev->conn_flags); ++ hdev->conn_flags &= ~HCI_CONN_FLAG_DEVICE_PRIVACY; + + return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, hdev, + &ev, sizeof(ev), +@@ -4431,8 +4432,7 @@ static int get_device_flags(struct sock *sk, struct hci_dev *hdev, void *data, + + hci_dev_lock(hdev); + +- bitmap_to_arr32(&supported_flags, hdev->conn_flags, +- __HCI_CONN_NUM_FLAGS); ++ supported_flags = hdev->conn_flags; + + memset(&rp, 0, sizeof(rp)); + +@@ -4443,8 +4443,7 @@ static int get_device_flags(struct sock *sk, struct hci_dev *hdev, void *data, + if (!br_params) + goto done; + +- bitmap_to_arr32(¤t_flags, br_params->flags, +- __HCI_CONN_NUM_FLAGS); ++ current_flags = br_params->flags; + } else { + params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr, + le_addr_type(cp->addr.type)); +@@ -4452,8 +4451,7 @@ static int get_device_flags(struct sock *sk, struct hci_dev *hdev, void *data, + if (!params) + goto done; + +- bitmap_to_arr32(¤t_flags, params->flags, +- __HCI_CONN_NUM_FLAGS); ++ current_flags = params->flags; + } + + bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr); +@@ -4498,8 +4496,8 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data, + &cp->addr.bdaddr, cp->addr.type, + __le32_to_cpu(current_flags)); + +- bitmap_to_arr32(&supported_flags, hdev->conn_flags, +- __HCI_CONN_NUM_FLAGS); ++ // We should take hci_dev_lock() early, I think.. conn_flags can change ++ supported_flags = hdev->conn_flags; + + if ((supported_flags | current_flags) != supported_flags) { + bt_dev_warn(hdev, "Bad flag given (0x%x) vs supported (0x%0x)", +@@ -4515,7 +4513,7 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data, + cp->addr.type); + + if (br_params) { +- bitmap_from_u64(br_params->flags, current_flags); ++ br_params->flags = current_flags; + status = MGMT_STATUS_SUCCESS; + } else { + bt_dev_warn(hdev, "No such BR/EDR device %pMR (0x%x)", +@@ -4525,15 +4523,11 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data, + params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr, + le_addr_type(cp->addr.type)); + if (params) { +- DECLARE_BITMAP(flags, __HCI_CONN_NUM_FLAGS); +- +- bitmap_from_u64(flags, current_flags); +- + /* Devices using RPAs can only be programmed in the + * acceptlist LL Privacy has been enable otherwise they + * cannot mark HCI_CONN_FLAG_REMOTE_WAKEUP. + */ +- if (test_bit(HCI_CONN_FLAG_REMOTE_WAKEUP, flags) && ++ if ((current_flags & HCI_CONN_FLAG_REMOTE_WAKEUP) && + !use_ll_privacy(hdev) && + hci_find_irk_by_addr(hdev, ¶ms->addr, + params->addr_type)) { +@@ -4542,14 +4536,13 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data, + goto unlock; + } + +- bitmap_from_u64(params->flags, current_flags); ++ params->flags = current_flags; + status = MGMT_STATUS_SUCCESS; + + /* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY + * has been set. + */ +- if (test_bit(HCI_CONN_FLAG_DEVICE_PRIVACY, +- params->flags)) ++ if (params->flags & HCI_CONN_FLAG_DEVICE_PRIVACY) + hci_update_passive_scan(hdev); + } else { + bt_dev_warn(hdev, "No such LE device %pMR (0x%x)", +@@ -7150,8 +7143,7 @@ static int add_device(struct sock *sk, struct hci_dev *hdev, + params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr, + addr_type); + if (params) +- bitmap_to_arr32(¤t_flags, params->flags, +- __HCI_CONN_NUM_FLAGS); ++ current_flags = params->flags; + } + + err = hci_cmd_sync_queue(hdev, add_device_sync, NULL, NULL); +@@ -7160,8 +7152,7 @@ static int add_device(struct sock *sk, struct hci_dev *hdev, + + added: + device_added(sk, hdev, &cp->addr.bdaddr, cp->addr.type, cp->action); +- bitmap_to_arr32(&supported_flags, hdev->conn_flags, +- __HCI_CONN_NUM_FLAGS); ++ supported_flags = hdev->conn_flags; + device_flags_changed(NULL, hdev, &cp->addr.bdaddr, cp->addr.type, + supported_flags, current_flags); + +-- +2.35.1 + diff --git a/queue-5.17/bluetooth-hci_sync-fix-attempting-to-suspend-with-un.patch b/queue-5.17/bluetooth-hci_sync-fix-attempting-to-suspend-with-un.patch new file mode 100644 index 00000000000..04f286ca288 --- /dev/null +++ b/queue-5.17/bluetooth-hci_sync-fix-attempting-to-suspend-with-un.patch @@ -0,0 +1,145 @@ +From 69ff5596e3b14a8f689e13dc6d5c7e7edc52f8c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 May 2022 15:31:34 -0700 +Subject: Bluetooth: hci_sync: Fix attempting to suspend with unfiltered + passive scan + +From: Luiz Augusto von Dentz + +[ Upstream commit 3b42055388c30f2761a2d9cd9af2c99611dfe457 ] + +When suspending the passive scanning _must_ have its filter_policy set +to 0x01 to use the accept list otherwise _any_ advertise report would +end up waking up the system. + +In order to fix the filter_policy the code now checks for +hdev->suspended && HCI_CONN_FLAG_REMOTE_WAKEUP +first, since the MGMT_OP_SET_DEVICE_FLAGS will reject any attempt to +set HCI_CONN_FLAG_REMOTE_WAKEUP when it cannot be programmed in the +acceptlist, so it can return success causing the proper filter_policy +to be used. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215768 +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 58 +++++++++++++++++++++++++++++----------- + 1 file changed, 43 insertions(+), 15 deletions(-) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 13600bf120b0..6b8d1cd65de4 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -1664,20 +1664,19 @@ static int hci_le_add_accept_list_sync(struct hci_dev *hdev, + struct hci_cp_le_add_to_accept_list cp; + int err; + ++ /* During suspend, only wakeable devices can be in acceptlist */ ++ if (hdev->suspended && ++ !test_bit(HCI_CONN_FLAG_REMOTE_WAKEUP, params->flags)) ++ return 0; ++ + /* Select filter policy to accept all advertising */ + if (*num_entries >= hdev->le_accept_list_size) + return -ENOSPC; + + /* Accept list can not be used with RPAs */ + if (!use_ll_privacy(hdev) && +- hci_find_irk_by_addr(hdev, ¶ms->addr, params->addr_type)) { ++ hci_find_irk_by_addr(hdev, ¶ms->addr, params->addr_type)) + return -EINVAL; +- } +- +- /* During suspend, only wakeable devices can be in acceptlist */ +- if (hdev->suspended && +- !test_bit(HCI_CONN_FLAG_REMOTE_WAKEUP, params->flags)) +- return 0; + + /* Attempt to program the device in the resolving list first to avoid + * having to rollback in case it fails since the resolving list is +@@ -4881,10 +4880,28 @@ static int hci_update_event_filter_sync(struct hci_dev *hdev) + return 0; + } + ++/* This function disables scan (BR and LE) and mark it as paused */ ++static int hci_pause_scan_sync(struct hci_dev *hdev) ++{ ++ if (hdev->scanning_paused) ++ return 0; ++ ++ /* Disable page scan if enabled */ ++ if (test_bit(HCI_PSCAN, &hdev->flags)) ++ hci_write_scan_enable_sync(hdev, SCAN_DISABLED); ++ ++ hci_scan_disable_sync(hdev); ++ ++ hdev->scanning_paused = true; ++ ++ return 0; ++} ++ + /* This function performs the HCI suspend procedures in the follow order: + * + * Pause discovery (active scanning/inquiry) + * Pause Directed Advertising/Advertising ++ * Pause Scanning (passive scanning in case discovery was not active) + * Disconnect all connections + * Set suspend_status to BT_SUSPEND_DISCONNECT if hdev cannot wakeup + * otherwise: +@@ -4910,15 +4927,11 @@ int hci_suspend_sync(struct hci_dev *hdev) + /* Pause other advertisements */ + hci_pause_advertising_sync(hdev); + +- /* Disable page scan if enabled */ +- if (test_bit(HCI_PSCAN, &hdev->flags)) +- hci_write_scan_enable_sync(hdev, SCAN_DISABLED); +- + /* Suspend monitor filters */ + hci_suspend_monitor_sync(hdev); + + /* Prevent disconnects from causing scanning to be re-enabled */ +- hdev->scanning_paused = true; ++ hci_pause_scan_sync(hdev); + + /* Soft disconnect everything (power off) */ + err = hci_disconnect_all_sync(hdev, HCI_ERROR_REMOTE_POWER_OFF); +@@ -4989,6 +5002,22 @@ static void hci_resume_monitor_sync(struct hci_dev *hdev) + } + } + ++/* This function resume scan and reset paused flag */ ++static int hci_resume_scan_sync(struct hci_dev *hdev) ++{ ++ if (!hdev->scanning_paused) ++ return 0; ++ ++ hci_update_scan_sync(hdev); ++ ++ /* Reset passive scanning to normal */ ++ hci_update_passive_scan_sync(hdev); ++ ++ hdev->scanning_paused = false; ++ ++ return 0; ++} ++ + /* This function performs the HCI suspend procedures in the follow order: + * + * Restore event mask +@@ -5011,10 +5040,9 @@ int hci_resume_sync(struct hci_dev *hdev) + + /* Clear any event filters and restore scan state */ + hci_clear_event_filter_sync(hdev); +- hci_update_scan_sync(hdev); + +- /* Reset passive scanning to normal */ +- hci_update_passive_scan_sync(hdev); ++ /* Resume scanning */ ++ hci_resume_scan_sync(hdev); + + /* Resume monitor filters */ + hci_resume_monitor_sync(hdev); +-- +2.35.1 + diff --git a/queue-5.17/bluetooth-mgmt-add-conditions-for-setting-hci_conn_f.patch b/queue-5.17/bluetooth-mgmt-add-conditions-for-setting-hci_conn_f.patch new file mode 100644 index 00000000000..1f08e38050d --- /dev/null +++ b/queue-5.17/bluetooth-mgmt-add-conditions-for-setting-hci_conn_f.patch @@ -0,0 +1,61 @@ +From 86d274db640c06ac0dc2aeb0644a678d8b777d89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 May 2022 15:31:33 -0700 +Subject: Bluetooth: MGMT: Add conditions for setting + HCI_CONN_FLAG_REMOTE_WAKEUP + +From: Luiz Augusto von Dentz + +[ Upstream commit a9a347655d224fa2841877957b34fc9d491fc2d7 ] + +HCI_CONN_FLAG_REMOTE_WAKEUP can only be set if device can be programmed +in the allowlist which in case of device using RPA requires LL Privacy +support to be enabled. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215768 +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 15eab8b968ce..16cd2e7a10da 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -4525,6 +4525,23 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data, + params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr, + le_addr_type(cp->addr.type)); + if (params) { ++ DECLARE_BITMAP(flags, __HCI_CONN_NUM_FLAGS); ++ ++ bitmap_from_u64(flags, current_flags); ++ ++ /* Devices using RPAs can only be programmed in the ++ * acceptlist LL Privacy has been enable otherwise they ++ * cannot mark HCI_CONN_FLAG_REMOTE_WAKEUP. ++ */ ++ if (test_bit(HCI_CONN_FLAG_REMOTE_WAKEUP, flags) && ++ !use_ll_privacy(hdev) && ++ hci_find_irk_by_addr(hdev, ¶ms->addr, ++ params->addr_type)) { ++ bt_dev_warn(hdev, ++ "Cannot set wakeable for RPA"); ++ goto unlock; ++ } ++ + bitmap_from_u64(params->flags, current_flags); + status = MGMT_STATUS_SUCCESS; + +@@ -4541,6 +4558,7 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data, + } + } + ++unlock: + hci_dev_unlock(hdev); + + done: +-- +2.35.1 + diff --git a/queue-5.17/bpf-fix-probe-read-error-in-___bpf_prog_run.patch b/queue-5.17/bpf-fix-probe-read-error-in-___bpf_prog_run.patch new file mode 100644 index 00000000000..e2f2ae5412c --- /dev/null +++ b/queue-5.17/bpf-fix-probe-read-error-in-___bpf_prog_run.patch @@ -0,0 +1,95 @@ +From 5789d448dfa124c6ec02e1fa4d5547528e7e957f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 May 2022 10:12:27 +0800 +Subject: bpf: Fix probe read error in ___bpf_prog_run() + +From: Menglong Dong + +[ Upstream commit caff1fa4118cec4dfd4336521ebd22a6408a1e3e ] + +I think there is something wrong with BPF_PROBE_MEM in ___bpf_prog_run() +in big-endian machine. Let's make a test and see what will happen if we +want to load a 'u16' with BPF_PROBE_MEM. + +Let's make the src value '0x0001', the value of dest register will become +0x0001000000000000, as the value will be loaded to the first 2 byte of +DST with following code: + + bpf_probe_read_kernel(&DST, SIZE, (const void *)(long) (SRC + insn->off)); + +Obviously, the value in DST is not correct. In fact, we can compare +BPF_PROBE_MEM with LDX_MEM_H: + + DST = *(SIZE *)(unsigned long) (SRC + insn->off); + +If the memory load is done by LDX_MEM_H, the value in DST will be 0x1 now. + +And I think this error results in the test case 'test_bpf_sk_storage_map' +failing: + + test_bpf_sk_storage_map:PASS:bpf_iter_bpf_sk_storage_map__open_and_load 0 nsec + test_bpf_sk_storage_map:PASS:socket 0 nsec + test_bpf_sk_storage_map:PASS:map_update 0 nsec + test_bpf_sk_storage_map:PASS:socket 0 nsec + test_bpf_sk_storage_map:PASS:map_update 0 nsec + test_bpf_sk_storage_map:PASS:socket 0 nsec + test_bpf_sk_storage_map:PASS:map_update 0 nsec + test_bpf_sk_storage_map:PASS:attach_iter 0 nsec + test_bpf_sk_storage_map:PASS:create_iter 0 nsec + test_bpf_sk_storage_map:PASS:read 0 nsec + test_bpf_sk_storage_map:FAIL:ipv6_sk_count got 0 expected 3 + $10/26 bpf_iter/bpf_sk_storage_map:FAIL + +The code of the test case is simply, it will load sk->sk_family to the +register with BPF_PROBE_MEM and check if it is AF_INET6. With this patch, +now the test case 'bpf_iter' can pass: + + $10 bpf_iter:OK + +Fixes: 2a02759ef5f8 ("bpf: Add support for BTF pointers to interpreter") +Signed-off-by: Menglong Dong +Signed-off-by: Daniel Borkmann +Reviewed-by: Jiang Biao +Reviewed-by: Hao Peng +Cc: Ilya Leoshkevich +Link: https://lore.kernel.org/bpf/20220524021228.533216-1-imagedong@tencent.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/core.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index 64c44eed8c07..10c4a2028e07 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -1671,6 +1671,11 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn) + CONT; \ + LDX_MEM_##SIZEOP: \ + DST = *(SIZE *)(unsigned long) (SRC + insn->off); \ ++ CONT; \ ++ LDX_PROBE_MEM_##SIZEOP: \ ++ bpf_probe_read_kernel(&DST, sizeof(SIZE), \ ++ (const void *)(long) (SRC + insn->off)); \ ++ DST = *((SIZE *)&DST); \ + CONT; + + LDST(B, u8) +@@ -1678,15 +1683,6 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn) + LDST(W, u32) + LDST(DW, u64) + #undef LDST +-#define LDX_PROBE(SIZEOP, SIZE) \ +- LDX_PROBE_MEM_##SIZEOP: \ +- bpf_probe_read_kernel(&DST, SIZE, (const void *)(long) (SRC + insn->off)); \ +- CONT; +- LDX_PROBE(B, 1) +- LDX_PROBE(H, 2) +- LDX_PROBE(W, 4) +- LDX_PROBE(DW, 8) +-#undef LDX_PROBE + + #define ATOMIC_ALU_OP(BOP, KOP) \ + case BOP: \ +-- +2.35.1 + diff --git a/queue-5.17/bus-ti-sysc-fix-warnings-for-unbind-for-serial.patch b/queue-5.17/bus-ti-sysc-fix-warnings-for-unbind-for-serial.patch new file mode 100644 index 00000000000..0a1ef09bfdd --- /dev/null +++ b/queue-5.17/bus-ti-sysc-fix-warnings-for-unbind-for-serial.patch @@ -0,0 +1,45 @@ +From 06989e85c4cc2e602cf8ce5307ddde96cedf5102 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 May 2022 08:30:21 +0300 +Subject: bus: ti-sysc: Fix warnings for unbind for serial + +From: Tony Lindgren + +[ Upstream commit c337125b8834f9719dfda0e40b25eaa266f1b8cf ] + +We can get "failed to disable" clock_unprepare warnings on unbind at least +for the serial console device if the unbind is done before the device has +been idled. + +As some devices are using deferred idle, we must check the status for +pending idle work to idle the device. + +Fixes: 76f0f772e469 ("bus: ti-sysc: Improve handling for no-reset-on-init and no-idle-on-init") +Cc: Romain Naour +Reviewed-by: Romain Naour +Signed-off-by: Tony Lindgren +Link: https://lore.kernel.org/r/20220512053021.61650-1-tony@atomide.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/bus/ti-sysc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c +index 7a1b1f9e4933..70d00cea9d22 100644 +--- a/drivers/bus/ti-sysc.c ++++ b/drivers/bus/ti-sysc.c +@@ -3395,7 +3395,9 @@ static int sysc_remove(struct platform_device *pdev) + struct sysc *ddata = platform_get_drvdata(pdev); + int error; + +- cancel_delayed_work_sync(&ddata->idle_work); ++ /* Device can still be enabled, see deferred idle quirk in probe */ ++ if (cancel_delayed_work_sync(&ddata->idle_work)) ++ ti_sysc_idle(&ddata->idle_work.work); + + error = pm_runtime_resume_and_get(ddata->dev); + if (error < 0) { +-- +2.35.1 + diff --git a/queue-5.17/clocksource-drivers-oxnas-rps-fix-irq_of_parse_and_m.patch b/queue-5.17/clocksource-drivers-oxnas-rps-fix-irq_of_parse_and_m.patch new file mode 100644 index 00000000000..715d1f42f2a --- /dev/null +++ b/queue-5.17/clocksource-drivers-oxnas-rps-fix-irq_of_parse_and_m.patch @@ -0,0 +1,38 @@ +From 8ad9e9516cc2dcebc36556dd931a1dd3ada0c025 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Apr 2022 12:41:01 +0200 +Subject: clocksource/drivers/oxnas-rps: Fix irq_of_parse_and_map() return + value + +From: Krzysztof Kozlowski + +[ Upstream commit 9c04a8ff03def4df3f81219ffbe1ec9b44ff5348 ] + +The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO. + +Fixes: 89355274e1f7 ("clocksource/drivers/oxnas-rps: Add Oxford Semiconductor RPS Dual Timer") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20220422104101.55754-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-oxnas-rps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clocksource/timer-oxnas-rps.c b/drivers/clocksource/timer-oxnas-rps.c +index 56c0cc32d0ac..d514b44e67dd 100644 +--- a/drivers/clocksource/timer-oxnas-rps.c ++++ b/drivers/clocksource/timer-oxnas-rps.c +@@ -236,7 +236,7 @@ static int __init oxnas_rps_timer_init(struct device_node *np) + } + + rps->irq = irq_of_parse_and_map(np, 0); +- if (rps->irq < 0) { ++ if (!rps->irq) { + ret = -EINVAL; + goto err_iomap; + } +-- +2.35.1 + diff --git a/queue-5.17/clocksource-drivers-riscv-events-are-stopped-during-.patch b/queue-5.17/clocksource-drivers-riscv-events-are-stopped-during-.patch new file mode 100644 index 00000000000..915631ecfe7 --- /dev/null +++ b/queue-5.17/clocksource-drivers-riscv-events-are-stopped-during-.patch @@ -0,0 +1,40 @@ +From 18eaec31d09776464413b3a079a9036d02e948c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 May 2022 20:21:21 -0500 +Subject: clocksource/drivers/riscv: Events are stopped during CPU suspend + +From: Samuel Holland + +[ Upstream commit 232ccac1bd9b5bfe73895f527c08623e7fa0752d ] + +Some implementations of the SBI time extension depend on hart-local +state (for example, CSRs) that are lost or hardware that is powered +down when a CPU is suspended. To be safe, the clockevents driver +cannot assume that timer IRQs will be received during CPU suspend. + +Fixes: 62b019436814 ("clocksource: new RISC-V SBI timer driver") +Signed-off-by: Samuel Holland +Reviewed-by: Anup Patel +Link: https://lore.kernel.org/r/20220509012121.40031-1-samuel@sholland.org +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-riscv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clocksource/timer-riscv.c b/drivers/clocksource/timer-riscv.c +index 1767f8bf2013..593d5a957b69 100644 +--- a/drivers/clocksource/timer-riscv.c ++++ b/drivers/clocksource/timer-riscv.c +@@ -34,7 +34,7 @@ static int riscv_clock_next_event(unsigned long delta, + static unsigned int riscv_clock_event_irq; + static DEFINE_PER_CPU(struct clock_event_device, riscv_clock_event) = { + .name = "riscv_timer_clockevent", +- .features = CLOCK_EVT_FEAT_ONESHOT, ++ .features = CLOCK_EVT_FEAT_ONESHOT | CLOCK_EVT_FEAT_C3STOP, + .rating = 100, + .set_next_event = riscv_clock_next_event, + }; +-- +2.35.1 + diff --git a/queue-5.17/coresight-cpu-debug-replace-mutex-with-mutex_trylock.patch b/queue-5.17/coresight-cpu-debug-replace-mutex-with-mutex_trylock.patch new file mode 100644 index 00000000000..fa819163505 --- /dev/null +++ b/queue-5.17/coresight-cpu-debug-replace-mutex-with-mutex_trylock.patch @@ -0,0 +1,64 @@ +From bb2d7ca2a2afd376c746933ea54ec116c848d628 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Apr 2022 19:49:03 -0300 +Subject: coresight: cpu-debug: Replace mutex with mutex_trylock on panic + notifier + +From: Guilherme G. Piccoli + +[ Upstream commit 1adff542d67a2ed1120955cb219bfff8a9c53f59 ] + +The panic notifier infrastructure executes registered callbacks when +a panic event happens - such callbacks are executed in atomic context, +with interrupts and preemption disabled in the running CPU and all other +CPUs disabled. That said, mutexes in such context are not a good idea. + +This patch replaces a regular mutex with a mutex_trylock safer approach; +given the nature of the mutex used in the driver, it should be pretty +uncommon being unable to acquire such mutex in the panic path, hence +no functional change should be observed (and if it is, that would be +likely a deadlock with the regular mutex). + +Fixes: 2227b7c74634 ("coresight: add support for CPU debug module") +Cc: Leo Yan +Cc: Mathieu Poirier +Cc: Mike Leach +Cc: Suzuki K Poulose +Signed-off-by: Guilherme G. Piccoli +Reviewed-by: Suzuki K Poulose +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20220427224924.592546-10-gpiccoli@igalia.com +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-cpu-debug.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-cpu-debug.c b/drivers/hwtracing/coresight/coresight-cpu-debug.c +index 8845ec4b4402..1874df7c6a73 100644 +--- a/drivers/hwtracing/coresight/coresight-cpu-debug.c ++++ b/drivers/hwtracing/coresight/coresight-cpu-debug.c +@@ -380,9 +380,10 @@ static int debug_notifier_call(struct notifier_block *self, + int cpu; + struct debug_drvdata *drvdata; + +- mutex_lock(&debug_lock); ++ /* Bail out if we can't acquire the mutex or the functionality is off */ ++ if (!mutex_trylock(&debug_lock)) ++ return NOTIFY_DONE; + +- /* Bail out if the functionality is disabled */ + if (!debug_enable) + goto skip_dump; + +@@ -401,7 +402,7 @@ static int debug_notifier_call(struct notifier_block *self, + + skip_dump: + mutex_unlock(&debug_lock); +- return 0; ++ return NOTIFY_DONE; + } + + static struct notifier_block debug_notifier = { +-- +2.35.1 + diff --git a/queue-5.17/driver-base-fix-uaf-when-driver_attach-failed.patch b/queue-5.17/driver-base-fix-uaf-when-driver_attach-failed.patch new file mode 100644 index 00000000000..79eea6f8e0d --- /dev/null +++ b/queue-5.17/driver-base-fix-uaf-when-driver_attach-failed.patch @@ -0,0 +1,48 @@ +From f32a800df2a5d01864f9d7586731ebe498e6cdb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 May 2022 19:24:44 +0800 +Subject: driver: base: fix UAF when driver_attach failed + +From: Schspa Shi + +[ Upstream commit 310862e574001a97ad02272bac0fd13f75f42a27 ] + +When driver_attach(drv); failed, the driver_private will be freed. +But it has been added to the bus, which caused a UAF. + +To fix it, we need to delete it from the bus when failed. + +Fixes: 190888ac01d0 ("driver core: fix possible missing of device probe") +Signed-off-by: Schspa Shi +Link: https://lore.kernel.org/r/20220513112444.45112-1-schspa@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/bus.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/bus.c b/drivers/base/bus.c +index 97936ec49bde..7ca47e5b3c1f 100644 +--- a/drivers/base/bus.c ++++ b/drivers/base/bus.c +@@ -617,7 +617,7 @@ int bus_add_driver(struct device_driver *drv) + if (drv->bus->p->drivers_autoprobe) { + error = driver_attach(drv); + if (error) +- goto out_unregister; ++ goto out_del_list; + } + module_add_driver(drv->owner, drv); + +@@ -644,6 +644,8 @@ int bus_add_driver(struct device_driver *drv) + + return 0; + ++out_del_list: ++ klist_del(&priv->knode_bus); + out_unregister: + kobject_put(&priv->kobj); + /* drv->p is freed in driver_release() */ +-- +2.35.1 + diff --git a/queue-5.17/driver-core-fix-deadlock-in-__device_attach.patch b/queue-5.17/driver-core-fix-deadlock-in-__device_attach.patch new file mode 100644 index 00000000000..229a09769f6 --- /dev/null +++ b/queue-5.17/driver-core-fix-deadlock-in-__device_attach.patch @@ -0,0 +1,79 @@ +From 68e736b0cd6d895a8791fa62c6beb8ac7120a3a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 15:45:16 +0800 +Subject: driver core: fix deadlock in __device_attach + +From: Zhang Wensheng + +[ Upstream commit b232b02bf3c205b13a26dcec08e53baddd8e59ed ] + +In __device_attach function, The lock holding logic is as follows: +... +__device_attach +device_lock(dev) // get lock dev + async_schedule_dev(__device_attach_async_helper, dev); // func + async_schedule_node + async_schedule_node_domain(func) + entry = kzalloc(sizeof(struct async_entry), GFP_ATOMIC); + /* when fail or work limit, sync to execute func, but + __device_attach_async_helper will get lock dev as + well, which will lead to A-A deadlock. */ + if (!entry || atomic_read(&entry_count) > MAX_WORK) { + func; + else + queue_work_node(node, system_unbound_wq, &entry->work) + device_unlock(dev) + +As shown above, when it is allowed to do async probes, because of +out of memory or work limit, async work is not allowed, to do +sync execute instead. it will lead to A-A deadlock because of +__device_attach_async_helper getting lock dev. + +To fix the deadlock, move the async_schedule_dev outside device_lock, +as we can see, in async_schedule_node_domain, the parameter of +queue_work_node is system_unbound_wq, so it can accept concurrent +operations. which will also not change the code logic, and will +not lead to deadlock. + +Fixes: 765230b5f084 ("driver-core: add asynchronous probing support for drivers") +Signed-off-by: Zhang Wensheng +Link: https://lore.kernel.org/r/20220518074516.1225580-1-zhangwensheng5@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/dd.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/dd.c b/drivers/base/dd.c +index 7e079fa3795b..977e94cf669e 100644 +--- a/drivers/base/dd.c ++++ b/drivers/base/dd.c +@@ -945,6 +945,7 @@ static void __device_attach_async_helper(void *_dev, async_cookie_t cookie) + static int __device_attach(struct device *dev, bool allow_async) + { + int ret = 0; ++ bool async = false; + + device_lock(dev); + if (dev->p->dead) { +@@ -983,7 +984,7 @@ static int __device_attach(struct device *dev, bool allow_async) + */ + dev_dbg(dev, "scheduling asynchronous probe\n"); + get_device(dev); +- async_schedule_dev(__device_attach_async_helper, dev); ++ async = true; + } else { + pm_request_idle(dev); + } +@@ -993,6 +994,8 @@ static int __device_attach(struct device *dev, bool allow_async) + } + out_unlock: + device_unlock(dev); ++ if (async) ++ async_schedule_dev(__device_attach_async_helper, dev); + return ret; + } + +-- +2.35.1 + diff --git a/queue-5.17/driver-core-fix-wait_for_device_probe-deferred_probe.patch b/queue-5.17/driver-core-fix-wait_for_device_probe-deferred_probe.patch new file mode 100644 index 00000000000..b906e077e8f --- /dev/null +++ b/queue-5.17/driver-core-fix-wait_for_device_probe-deferred_probe.patch @@ -0,0 +1,107 @@ +From 3c2421a00fd64d33876b160d20d1e059492c5ffb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 13:31:37 +0200 +Subject: driver core: Fix wait_for_device_probe() & deferred_probe_timeout + interaction + +From: Saravana Kannan + +[ Upstream commit 5ee76c256e928455212ab759c51d198fedbe7523 ] + +Mounting NFS rootfs was timing out when deferred_probe_timeout was +non-zero [1]. This was because ip_auto_config() initcall times out +waiting for the network interfaces to show up when +deferred_probe_timeout was non-zero. While ip_auto_config() calls +wait_for_device_probe() to make sure any currently running deferred +probe work or asynchronous probe finishes, that wasn't sufficient to +account for devices being deferred until deferred_probe_timeout. + +Commit 35a672363ab3 ("driver core: Ensure wait_for_device_probe() waits +until the deferred_probe_timeout fires") tried to fix that by making +sure wait_for_device_probe() waits for deferred_probe_timeout to expire +before returning. + +However, if wait_for_device_probe() is called from the kernel_init() +context: + +- Before deferred_probe_initcall() [2], it causes the boot process to + hang due to a deadlock. + +- After deferred_probe_initcall() [3], it blocks kernel_init() from + continuing till deferred_probe_timeout expires and beats the point of + deferred_probe_timeout that's trying to wait for userspace to load + modules. + +Neither of this is good. So revert the changes to +wait_for_device_probe(). + +[1] - https://lore.kernel.org/lkml/TYAPR01MB45443DF63B9EF29054F7C41FD8C60@TYAPR01MB4544.jpnprd01.prod.outlook.com/ +[2] - https://lore.kernel.org/lkml/YowHNo4sBjr9ijZr@dev-arch.thelio-3990X/ +[3] - https://lore.kernel.org/lkml/Yo3WvGnNk3LvLb7R@linutronix.de/ + +Fixes: 35a672363ab3 ("driver core: Ensure wait_for_device_probe() waits until the deferred_probe_timeout fires") +Cc: John Stultz +Cc: "David S. Miller" +Cc: Alexey Kuznetsov +Cc: Hideaki YOSHIFUJI +Cc: Jakub Kicinski +Cc: Rob Herring +Cc: Geert Uytterhoeven +Cc: Yoshihiro Shimoda +Cc: Robin Murphy +Cc: Andy Shevchenko +Cc: Sudeep Holla +Cc: Andy Shevchenko +Cc: Naresh Kamboju +Cc: Basil Eljuse +Cc: Ferry Toth +Cc: Arnd Bergmann +Cc: Anders Roxell +Cc: linux-pm@vger.kernel.org +Reported-by: Nathan Chancellor +Reported-by: Sebastian Andrzej Siewior +Tested-by: Geert Uytterhoeven +Acked-by: John Stultz +Signed-off-by: Saravana Kannan +Link: https://lore.kernel.org/r/20220526034609.480766-2-saravanak@google.com +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: Rafael J. Wysocki +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/base/dd.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/base/dd.c b/drivers/base/dd.c +index 977e94cf669e..86fd2ea35656 100644 +--- a/drivers/base/dd.c ++++ b/drivers/base/dd.c +@@ -257,7 +257,6 @@ DEFINE_SHOW_ATTRIBUTE(deferred_devs); + + int driver_deferred_probe_timeout; + EXPORT_SYMBOL_GPL(driver_deferred_probe_timeout); +-static DECLARE_WAIT_QUEUE_HEAD(probe_timeout_waitqueue); + + static int __init deferred_probe_timeout_setup(char *str) + { +@@ -312,7 +311,6 @@ static void deferred_probe_timeout_work_func(struct work_struct *work) + list_for_each_entry(p, &deferred_probe_pending_list, deferred_probe) + dev_info(p->device, "deferred probe pending\n"); + mutex_unlock(&deferred_probe_mutex); +- wake_up_all(&probe_timeout_waitqueue); + } + static DECLARE_DELAYED_WORK(deferred_probe_timeout_work, deferred_probe_timeout_work_func); + +@@ -720,9 +718,6 @@ int driver_probe_done(void) + */ + void wait_for_device_probe(void) + { +- /* wait for probe timeout */ +- wait_event(probe_timeout_waitqueue, !driver_deferred_probe_timeout); +- + /* wait for the deferred probe workqueue to finish */ + flush_work(&deferred_probe_work); + +-- +2.35.1 + diff --git a/queue-5.17/drm-amdgpu-off-by-one-in-dm_dmub_outbox1_low_irq.patch b/queue-5.17/drm-amdgpu-off-by-one-in-dm_dmub_outbox1_low_irq.patch new file mode 100644 index 00000000000..e45c3f7d080 --- /dev/null +++ b/queue-5.17/drm-amdgpu-off-by-one-in-dm_dmub_outbox1_low_irq.patch @@ -0,0 +1,37 @@ +From afe69c1502156a6d0f9aaa4caa553ff59171da4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 May 2022 10:05:48 +0300 +Subject: drm/amdgpu: Off by one in dm_dmub_outbox1_low_irq() + +From: Dan Carpenter + +[ Upstream commit a35faec3db0e13aac8ea720bc1a3503081dd5a3d ] + +The > ARRAY_SIZE() should be >= ARRAY_SIZE() to prevent an out of bounds +access. + +Fixes: e27c41d5b068 ("drm/amd/display: Support for DMUB HPD interrupt handling") +Reviewed-by: Harry Wentland +Signed-off-by: Dan Carpenter +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 24db2297857b..edb5e72aeb66 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -767,7 +767,7 @@ static void dm_dmub_outbox1_low_irq(void *interrupt_params) + + do { + dc_stat_get_dmub_notification(adev->dm.dc, ¬ify); +- if (notify.type > ARRAY_SIZE(dm->dmub_thread_offload)) { ++ if (notify.type >= ARRAY_SIZE(dm->dmub_thread_offload)) { + DRM_ERROR("DM: notify type %d invalid!", notify.type); + continue; + } +-- +2.35.1 + diff --git a/queue-5.17/drm-msm-dp-always-clear-mask-bits-to-disable-interru.patch b/queue-5.17/drm-msm-dp-always-clear-mask-bits-to-disable-interru.patch new file mode 100644 index 00000000000..44f9bb1c8ce --- /dev/null +++ b/queue-5.17/drm-msm-dp-always-clear-mask-bits-to-disable-interru.patch @@ -0,0 +1,81 @@ +From 230b04d77426bb379fac1ace7466a3feb1b5136b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 09:21:34 -0700 +Subject: drm/msm/dp: Always clear mask bits to disable interrupts at + dp_ctrl_reset_irq_ctrl() + +From: Kuogee Hsieh + +[ Upstream commit 993a2adc6e2e94a0a7b5bfc054eda90ac95f62c3 ] + +dp_catalog_ctrl_reset() will software reset DP controller. But it will +not reset programmable registers to default value. DP driver still have +to clear mask bits to interrupt status registers to disable interrupts +after software reset of controller. + +At current implementation, dp_ctrl_reset_irq_ctrl() will software reset dp +controller but did not call dp_catalog_ctrl_enable_irq(false) to clear hpd +related interrupt mask bits to disable hpd related interrupts due to it +mistakenly think hpd related interrupt mask bits will be cleared by software +reset of dp controller automatically. This mistake may cause system to crash +during suspending procedure due to unexpected irq fired and trigger event +thread to access dp controller registers with controller clocks are disabled. + +This patch fixes system crash during suspending problem by removing "enable" +flag condition checking at dp_ctrl_reset_irq_ctrl() so that hpd related +interrupt mask bits are cleared to prevent unexpected from happening. + +Changes in v2: +-- add more details commit text + +Changes in v3: +-- add synchrons_irq() +-- add atomic_t suspended + +Changes in v4: +-- correct Fixes's commit ID +-- remove synchrons_irq() + +Changes in v5: +-- revise commit text + +Changes in v6: +-- add event_lock to protect "suspended" + +Changes in v7: +-- delete "suspended" flag + +Fixes: 989ebe7bc446 ("drm/msm/dp: do not initialize phy until plugin interrupt received") +Signed-off-by: Kuogee Hsieh +Reviewed-by: Stephen Boyd +Patchwork: https://patchwork.freedesktop.org/patch/486591/ +Link: https://lore.kernel.org/r/1652804494-19650-1-git-send-email-quic_khsieh@quicinc.com +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_ctrl.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.c b/drivers/gpu/drm/msm/dp/dp_ctrl.c +index 6eb176872a17..7ae74bd05924 100644 +--- a/drivers/gpu/drm/msm/dp/dp_ctrl.c ++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.c +@@ -1373,8 +1373,13 @@ void dp_ctrl_reset_irq_ctrl(struct dp_ctrl *dp_ctrl, bool enable) + + dp_catalog_ctrl_reset(ctrl->catalog); + +- if (enable) +- dp_catalog_ctrl_enable_irq(ctrl->catalog, enable); ++ /* ++ * all dp controller programmable registers will not ++ * be reset to default value after DP_SW_RESET ++ * therefore interrupt mask bits have to be updated ++ * to enable/disable interrupts ++ */ ++ dp_catalog_ctrl_enable_irq(ctrl->catalog, enable); + } + + void dp_ctrl_phy_init(struct dp_ctrl *dp_ctrl) +-- +2.35.1 + diff --git a/queue-5.17/dt-bindings-remoteproc-mediatek-make-l1tcm-reg-exclu.patch b/queue-5.17/dt-bindings-remoteproc-mediatek-make-l1tcm-reg-exclu.patch new file mode 100644 index 00000000000..4a79c7ed9d7 --- /dev/null +++ b/queue-5.17/dt-bindings-remoteproc-mediatek-make-l1tcm-reg-exclu.patch @@ -0,0 +1,111 @@ +From 44db796833b55e4278fa6677e41933481a7d7920 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 May 2022 15:54:51 -0400 +Subject: dt-bindings: remoteproc: mediatek: Make l1tcm reg exclusive to mt819x +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit 6bbe1065121b8cd3b3e734ef8cd99f142bdab241 ] + +Commit ca23ecfdbd44 ("remoteproc/mediatek: support L1TCM") added support +for the l1tcm memory region on the MT8192 SCP, adding a new da_to_va +callback that handles l1tcm while keeping the old one for +back-compatibility with MT8183. However, since the mt8192 compatible was +missing from the dt-binding, the accompanying dt-binding commit +503c64cc42f1 ("dt-bindings: remoteproc: mediatek: add L1TCM memory region") +mistakenly added this reg as if it were for mt8183. And later +it became common to all platforms as their compatibles were added. + +Fix the dt-binding so that the l1tcm reg can be present only on the +supported platforms: mt8192 and mt8195. + +Fixes: 503c64cc42f1 ("dt-bindings: remoteproc: mediatek: add L1TCM memory region") +Signed-off-by: Nícolas F. R. A. Prado +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220511195452.871897-2-nfraprado@collabora.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + .../bindings/remoteproc/mtk,scp.yaml | 44 +++++++++++++------ + 1 file changed, 30 insertions(+), 14 deletions(-) + +diff --git a/Documentation/devicetree/bindings/remoteproc/mtk,scp.yaml b/Documentation/devicetree/bindings/remoteproc/mtk,scp.yaml +index d21a25ee96e6..8b2c0f1f8550 100644 +--- a/Documentation/devicetree/bindings/remoteproc/mtk,scp.yaml ++++ b/Documentation/devicetree/bindings/remoteproc/mtk,scp.yaml +@@ -22,11 +22,13 @@ properties: + + reg: + description: +- Should contain the address ranges for memory regions SRAM, CFG, and +- L1TCM. ++ Should contain the address ranges for memory regions SRAM, CFG, and, ++ on some platforms, L1TCM. ++ minItems: 2 + maxItems: 3 + + reg-names: ++ minItems: 2 + items: + - const: sram + - const: cfg +@@ -46,16 +48,30 @@ required: + - reg + - reg-names + +-if: +- properties: +- compatible: +- enum: +- - mediatek,mt8183-scp +- - mediatek,mt8192-scp +-then: +- required: +- - clocks +- - clock-names ++allOf: ++ - if: ++ properties: ++ compatible: ++ enum: ++ - mediatek,mt8183-scp ++ - mediatek,mt8192-scp ++ then: ++ required: ++ - clocks ++ - clock-names ++ ++ - if: ++ properties: ++ compatible: ++ enum: ++ - mediatek,mt8183-scp ++ - mediatek,mt8186-scp ++ then: ++ properties: ++ reg: ++ maxItems: 2 ++ reg-names: ++ maxItems: 2 + + additionalProperties: + type: object +@@ -75,10 +91,10 @@ additionalProperties: + + examples: + - | +- #include ++ #include + + scp@10500000 { +- compatible = "mediatek,mt8183-scp"; ++ compatible = "mediatek,mt8192-scp"; + reg = <0x10500000 0x80000>, + <0x10700000 0x8000>, + <0x10720000 0xe0000>; +-- +2.35.1 + diff --git a/queue-5.17/ep93xx-clock-do-not-return-the-address-of-the-freed-.patch b/queue-5.17/ep93xx-clock-do-not-return-the-address-of-the-freed-.patch new file mode 100644 index 00000000000..daf56abf848 --- /dev/null +++ b/queue-5.17/ep93xx-clock-do-not-return-the-address-of-the-freed-.patch @@ -0,0 +1,54 @@ +From 9eb961231e32c2a018e575075020b9c8c710730f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 15:39:46 +0800 +Subject: ep93xx: clock: Do not return the address of the freed memory + +From: Genjian Zhang + +[ Upstream commit 8a7322a3a05f75e8a4902bdf8129aecd37d54fe9 ] + +Avoid return freed memory addresses,Modified to the actual error +return value of clk_register(). + +Fixes: 9645ccc7bd7a ("ep93xx: clock: convert in-place to COMMON_CLK") +Signed-off-by: Genjian Zhang +Acked-by: Alexander Sverdlin +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/mach-ep93xx/clock.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/mach-ep93xx/clock.c b/arch/arm/mach-ep93xx/clock.c +index 28e0ae6e890e..00c2db101ce5 100644 +--- a/arch/arm/mach-ep93xx/clock.c ++++ b/arch/arm/mach-ep93xx/clock.c +@@ -345,9 +345,10 @@ static struct clk_hw *clk_hw_register_ddiv(const char *name, + psc->hw.init = &init; + + clk = clk_register(NULL, &psc->hw); +- if (IS_ERR(clk)) ++ if (IS_ERR(clk)) { + kfree(psc); +- ++ return ERR_CAST(clk); ++ } + return &psc->hw; + } + +@@ -452,9 +453,10 @@ static struct clk_hw *clk_hw_register_div(const char *name, + psc->hw.init = &init; + + clk = clk_register(NULL, &psc->hw); +- if (IS_ERR(clk)) ++ if (IS_ERR(clk)) { + kfree(psc); +- ++ return ERR_CAST(clk); ++ } + return &psc->hw; + } + +-- +2.35.1 + diff --git a/queue-5.17/export-fix-string-handling-of-namespace-in-export_sy.patch b/queue-5.17/export-fix-string-handling-of-namespace-in-export_sy.patch new file mode 100644 index 00000000000..3e392ad30c5 --- /dev/null +++ b/queue-5.17/export-fix-string-handling-of-namespace-in-export_sy.patch @@ -0,0 +1,63 @@ +From 1d8e90bd7247ae701a4bdac06298aa017f9658d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Apr 2022 11:04:42 +0200 +Subject: export: fix string handling of namespace in EXPORT_SYMBOL_NS + +From: Greg Kroah-Hartman + +[ Upstream commit d143b9db8069f0e2a0fa34484e806a55a0dd4855 ] + +Commit c3a6cf19e695 ("export: avoid code duplication in +include/linux/export.h") broke the ability for a defined string to be +used as a namespace value. Fix this up by using stringify to properly +encode the namespace name. + +Fixes: c3a6cf19e695 ("export: avoid code duplication in include/linux/export.h") +Cc: Miroslav Benes +Cc: Emil Velikov +Cc: Jessica Yu +Cc: Quentin Perret +Cc: Matthias Maennich +Reviewed-by: Masahiro Yamada +Link: https://lore.kernel.org/r/20220427090442.2105905-1-gregkh@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + include/linux/export.h | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/include/linux/export.h b/include/linux/export.h +index 27d848712b90..5910ccb66ca2 100644 +--- a/include/linux/export.h ++++ b/include/linux/export.h +@@ -2,6 +2,8 @@ + #ifndef _LINUX_EXPORT_H + #define _LINUX_EXPORT_H + ++#include ++ + /* + * Export symbols from the kernel to modules. Forked from module.h + * to reduce the amount of pointless cruft we feed to gcc when only +@@ -154,7 +156,6 @@ struct kernel_symbol { + #endif /* CONFIG_MODULES */ + + #ifdef DEFAULT_SYMBOL_NAMESPACE +-#include + #define _EXPORT_SYMBOL(sym, sec) __EXPORT_SYMBOL(sym, sec, __stringify(DEFAULT_SYMBOL_NAMESPACE)) + #else + #define _EXPORT_SYMBOL(sym, sec) __EXPORT_SYMBOL(sym, sec, "") +@@ -162,8 +163,8 @@ struct kernel_symbol { + + #define EXPORT_SYMBOL(sym) _EXPORT_SYMBOL(sym, "") + #define EXPORT_SYMBOL_GPL(sym) _EXPORT_SYMBOL(sym, "_gpl") +-#define EXPORT_SYMBOL_NS(sym, ns) __EXPORT_SYMBOL(sym, "", #ns) +-#define EXPORT_SYMBOL_NS_GPL(sym, ns) __EXPORT_SYMBOL(sym, "_gpl", #ns) ++#define EXPORT_SYMBOL_NS(sym, ns) __EXPORT_SYMBOL(sym, "", __stringify(ns)) ++#define EXPORT_SYMBOL_NS_GPL(sym, ns) __EXPORT_SYMBOL(sym, "_gpl", __stringify(ns)) + + #endif /* !__ASSEMBLY__ */ + +-- +2.35.1 + diff --git a/queue-5.17/extcon-ptn5150-add-queue-work-sync-before-driver-rel.patch b/queue-5.17/extcon-ptn5150-add-queue-work-sync-before-driver-rel.patch new file mode 100644 index 00000000000..55528e2cf61 --- /dev/null +++ b/queue-5.17/extcon-ptn5150-add-queue-work-sync-before-driver-rel.patch @@ -0,0 +1,53 @@ +From dd83e4fefce13c7bd78b5c2b71d1d4e268c35503 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Apr 2022 20:44:08 +0800 +Subject: extcon: ptn5150: Add queue work sync before driver release + +From: Li Jun + +[ Upstream commit 782cd939cbe0f569197cd1c9b0477ee213167f04 ] + +Add device managed action to sync pending queue work, otherwise +the queued work may run after the work is destroyed. + +Fixes: 4ed754de2d66 ("extcon: Add support for ptn5150 extcon driver") +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Li Jun +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/extcon/extcon-ptn5150.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/extcon/extcon-ptn5150.c b/drivers/extcon/extcon-ptn5150.c +index 5b9a3cf8df26..2a7874108df8 100644 +--- a/drivers/extcon/extcon-ptn5150.c ++++ b/drivers/extcon/extcon-ptn5150.c +@@ -194,6 +194,13 @@ static int ptn5150_init_dev_type(struct ptn5150_info *info) + return 0; + } + ++static void ptn5150_work_sync_and_put(void *data) ++{ ++ struct ptn5150_info *info = data; ++ ++ cancel_work_sync(&info->irq_work); ++} ++ + static int ptn5150_i2c_probe(struct i2c_client *i2c) + { + struct device *dev = &i2c->dev; +@@ -284,6 +291,10 @@ static int ptn5150_i2c_probe(struct i2c_client *i2c) + if (ret) + return -EINVAL; + ++ ret = devm_add_action_or_reset(dev, ptn5150_work_sync_and_put, info); ++ if (ret) ++ return ret; ++ + /* + * Update current extcon state if for example OTG connection was there + * before the probe +-- +2.35.1 + diff --git a/queue-5.17/firmware-dmi-sysfs-fix-memory-leak-in-dmi_sysfs_regi.patch b/queue-5.17/firmware-dmi-sysfs-fix-memory-leak-in-dmi_sysfs_regi.patch new file mode 100644 index 00000000000..503abcacf0b --- /dev/null +++ b/queue-5.17/firmware-dmi-sysfs-fix-memory-leak-in-dmi_sysfs_regi.patch @@ -0,0 +1,42 @@ +From 3ce6a561c59c19c283e2971ece905df544c1b8d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 May 2022 11:14:19 +0400 +Subject: firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle + +From: Miaoqian Lin + +[ Upstream commit 660ba678f9998aca6db74f2dd912fa5124f0fa31 ] + +kobject_init_and_add() takes reference even when it fails. +According to the doc of kobject_init_and_add() + + If this function returns an error, kobject_put() must be called to + properly clean up the memory associated with the object. + +Fix this issue by calling kobject_put(). + +Fixes: 948af1f0bbc8 ("firmware: Basic dmi-sysfs support") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220511071421.9769-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/firmware/dmi-sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/dmi-sysfs.c b/drivers/firmware/dmi-sysfs.c +index 3a353776bd34..66727ad3361b 100644 +--- a/drivers/firmware/dmi-sysfs.c ++++ b/drivers/firmware/dmi-sysfs.c +@@ -604,7 +604,7 @@ static void __init dmi_sysfs_register_handle(const struct dmi_header *dh, + "%d-%d", dh->type, entry->instance); + + if (*ret) { +- kfree(entry); ++ kobject_put(&entry->kobj); + return; + } + +-- +2.35.1 + diff --git a/queue-5.17/firmware-stratix10-svc-fix-a-missing-check-on-list-i.patch b/queue-5.17/firmware-stratix10-svc-fix-a-missing-check-on-list-i.patch new file mode 100644 index 00000000000..449728532ae --- /dev/null +++ b/queue-5.17/firmware-stratix10-svc-fix-a-missing-check-on-list-i.patch @@ -0,0 +1,60 @@ +From d71591da72c1f9b5b74e38af95ab9bb803945d84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Apr 2022 11:56:09 +0800 +Subject: firmware: stratix10-svc: fix a missing check on list iterator + +From: Xiaomeng Tong + +[ Upstream commit 5a0793ac66ac0e254d292f129a4d6c526f9f2aff ] + +The bug is here: + pmem->vaddr = NULL; + +The list iterator 'pmem' will point to a bogus position containing +HEAD if the list is empty or no element is found. This case must +be checked before any use of the iterator, otherwise it will +lead to a invalid memory access. + +To fix this bug, just gen_pool_free/set NULL/list_del() and return +when found, otherwise list_del HEAD and return; + +Fixes: 7ca5ce896524f ("firmware: add Intel Stratix10 service layer driver") +Signed-off-by: Xiaomeng Tong +Link: https://lore.kernel.org/r/20220414035609.2239-1-xiam0nd.tong@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/firmware/stratix10-svc.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/firmware/stratix10-svc.c b/drivers/firmware/stratix10-svc.c +index c4bf934e3553..33ab24cfd600 100644 +--- a/drivers/firmware/stratix10-svc.c ++++ b/drivers/firmware/stratix10-svc.c +@@ -941,17 +941,17 @@ EXPORT_SYMBOL_GPL(stratix10_svc_allocate_memory); + void stratix10_svc_free_memory(struct stratix10_svc_chan *chan, void *kaddr) + { + struct stratix10_svc_data_mem *pmem; +- size_t size = 0; + + list_for_each_entry(pmem, &svc_data_mem, node) + if (pmem->vaddr == kaddr) { +- size = pmem->size; +- break; ++ gen_pool_free(chan->ctrl->genpool, ++ (unsigned long)kaddr, pmem->size); ++ pmem->vaddr = NULL; ++ list_del(&pmem->node); ++ return; + } + +- gen_pool_free(chan->ctrl->genpool, (unsigned long)kaddr, size); +- pmem->vaddr = NULL; +- list_del(&pmem->node); ++ list_del(&svc_data_mem); + } + EXPORT_SYMBOL_GPL(stratix10_svc_free_memory); + +-- +2.35.1 + diff --git a/queue-5.17/fs-ntfs3-restore-ntfs_xattr_get_acl-and-ntfs_xattr_s.patch b/queue-5.17/fs-ntfs3-restore-ntfs_xattr_get_acl-and-ntfs_xattr_s.patch new file mode 100644 index 00000000000..f3320cb3a87 --- /dev/null +++ b/queue-5.17/fs-ntfs3-restore-ntfs_xattr_get_acl-and-ntfs_xattr_s.patch @@ -0,0 +1,96 @@ +From 0f4e580685afefcec7daccbbb4b5d8afab9a4c5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Oct 2021 18:15:36 +0300 +Subject: fs/ntfs3: Restore ntfs_xattr_get_acl and ntfs_xattr_set_acl functions + +From: Konstantin Komarov + +[ Upstream commit 87e21c99bad763524c953ff4d1a61ee19038ddc2 ] + +Apparently we need to maintain these functions with +ntfs_get_acl_ex and ntfs_set_acl_ex. +This commit fixes xfstest generic/099 +Fixes: 95dd8b2c1ed0 ("fs/ntfs3: Remove unnecessary functions") + +Reviewed-by: Kari Argillander +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/xattr.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 61 insertions(+) + +diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c +index 0968565ff2ca..52ef3a60cde4 100644 +--- a/fs/ntfs3/xattr.c ++++ b/fs/ntfs3/xattr.c +@@ -681,6 +681,67 @@ static int ntfs_xattr_set_acl(struct user_namespace *mnt_userns, + return err; + } + ++static int ntfs_xattr_get_acl(struct user_namespace *mnt_userns, ++ struct inode *inode, int type, void *buffer, ++ size_t size) ++{ ++ struct posix_acl *acl; ++ int err; ++ ++ if (!(inode->i_sb->s_flags & SB_POSIXACL)) { ++ ntfs_inode_warn(inode, "add mount option \"acl\" to use acl"); ++ return -EOPNOTSUPP; ++ } ++ ++ acl = ntfs_get_acl(inode, type, false); ++ if (IS_ERR(acl)) ++ return PTR_ERR(acl); ++ ++ if (!acl) ++ return -ENODATA; ++ ++ err = posix_acl_to_xattr(mnt_userns, acl, buffer, size); ++ posix_acl_release(acl); ++ ++ return err; ++} ++ ++static int ntfs_xattr_set_acl(struct user_namespace *mnt_userns, ++ struct inode *inode, int type, const void *value, ++ size_t size) ++{ ++ struct posix_acl *acl; ++ int err; ++ ++ if (!(inode->i_sb->s_flags & SB_POSIXACL)) { ++ ntfs_inode_warn(inode, "add mount option \"acl\" to use acl"); ++ return -EOPNOTSUPP; ++ } ++ ++ if (!inode_owner_or_capable(mnt_userns, inode)) ++ return -EPERM; ++ ++ if (!value) { ++ acl = NULL; ++ } else { ++ acl = posix_acl_from_xattr(mnt_userns, value, size); ++ if (IS_ERR(acl)) ++ return PTR_ERR(acl); ++ ++ if (acl) { ++ err = posix_acl_valid(mnt_userns, acl); ++ if (err) ++ goto release_and_out; ++ } ++ } ++ ++ err = ntfs_set_acl(mnt_userns, inode, acl, type); ++ ++release_and_out: ++ posix_acl_release(acl); ++ return err; ++} ++ + /* + * ntfs_init_acl - Initialize the ACLs of a new inode. + * +-- +2.35.1 + diff --git a/queue-5.17/gpio-pca953x-use-the-correct-register-address-to-do-.patch b/queue-5.17/gpio-pca953x-use-the-correct-register-address-to-do-.patch new file mode 100644 index 00000000000..2ea2f49f49d --- /dev/null +++ b/queue-5.17/gpio-pca953x-use-the-correct-register-address-to-do-.patch @@ -0,0 +1,76 @@ +From d0f225bf1f528637334aeefce427660cc9c73262 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 18:48:48 +0800 +Subject: gpio: pca953x: use the correct register address to do regcache sync + +From: Haibo Chen + +[ Upstream commit 43624eda86c98b0de726d0b6f2516ccc3ef7313f ] + +For regcache_sync_region, need to use pca953x_recalc_addr() to get +the real register address. + +Fixes: b76574300504 ("gpio: pca953x: Restore registers after suspend/resume cycle") +Signed-off-by: Haibo Chen +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-pca953x.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c +index 8726921a1129..33683295a0bf 100644 +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -1108,20 +1108,21 @@ static int pca953x_regcache_sync(struct device *dev) + { + struct pca953x_chip *chip = dev_get_drvdata(dev); + int ret; ++ u8 regaddr; + + /* + * The ordering between direction and output is important, + * sync these registers first and only then sync the rest. + */ +- ret = regcache_sync_region(chip->regmap, chip->regs->direction, +- chip->regs->direction + NBANK(chip)); ++ regaddr = pca953x_recalc_addr(chip, chip->regs->direction, 0); ++ ret = regcache_sync_region(chip->regmap, regaddr, regaddr + NBANK(chip)); + if (ret) { + dev_err(dev, "Failed to sync GPIO dir registers: %d\n", ret); + return ret; + } + +- ret = regcache_sync_region(chip->regmap, chip->regs->output, +- chip->regs->output + NBANK(chip)); ++ regaddr = pca953x_recalc_addr(chip, chip->regs->output, 0); ++ ret = regcache_sync_region(chip->regmap, regaddr, regaddr + NBANK(chip)); + if (ret) { + dev_err(dev, "Failed to sync GPIO out registers: %d\n", ret); + return ret; +@@ -1129,16 +1130,18 @@ static int pca953x_regcache_sync(struct device *dev) + + #ifdef CONFIG_GPIO_PCA953X_IRQ + if (chip->driver_data & PCA_PCAL) { +- ret = regcache_sync_region(chip->regmap, PCAL953X_IN_LATCH, +- PCAL953X_IN_LATCH + NBANK(chip)); ++ regaddr = pca953x_recalc_addr(chip, PCAL953X_IN_LATCH, 0); ++ ret = regcache_sync_region(chip->regmap, regaddr, ++ regaddr + NBANK(chip)); + if (ret) { + dev_err(dev, "Failed to sync INT latch registers: %d\n", + ret); + return ret; + } + +- ret = regcache_sync_region(chip->regmap, PCAL953X_INT_MASK, +- PCAL953X_INT_MASK + NBANK(chip)); ++ regaddr = pca953x_recalc_addr(chip, PCAL953X_INT_MASK, 0); ++ ret = regcache_sync_region(chip->regmap, regaddr, ++ regaddr + NBANK(chip)); + if (ret) { + dev_err(dev, "Failed to sync INT mask registers: %d\n", + ret); +-- +2.35.1 + diff --git a/queue-5.17/iio-adc-ad7124-remove-shift-from-scan_type.patch b/queue-5.17/iio-adc-ad7124-remove-shift-from-scan_type.patch new file mode 100644 index 00000000000..e4593e15780 --- /dev/null +++ b/queue-5.17/iio-adc-ad7124-remove-shift-from-scan_type.patch @@ -0,0 +1,36 @@ +From b4a99f3a2484e0307f27d2cfd58ccd53bd640bae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Mar 2022 12:50:24 +0200 +Subject: iio: adc: ad7124: Remove shift from scan_type + +From: Alexandru Tachici + +[ Upstream commit fe78ccf79b0e29fd6d8dc2e2c3b0dbeda4ce3ad8 ] + +The 24 bits data is stored in 32 bits in BE. There +is no need to shift it. This confuses user-space apps. + +Fixes: b3af341bbd966 ("iio: adc: Add ad7124 support") +Signed-off-by: Alexandru Tachici +Link: https://lore.kernel.org/r/20220322105029.86389-2-alexandru.tachici@analog.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7124.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c +index b400bbe291aa..c22d8dcaa100 100644 +--- a/drivers/iio/adc/ad7124.c ++++ b/drivers/iio/adc/ad7124.c +@@ -188,7 +188,6 @@ static const struct iio_chan_spec ad7124_channel_template = { + .sign = 'u', + .realbits = 24, + .storagebits = 32, +- .shift = 8, + .endianness = IIO_BE, + }, + }; +-- +2.35.1 + diff --git a/queue-5.17/iio-adc-sc27xx-fine-tune-the-scale-calibration-value.patch b/queue-5.17/iio-adc-sc27xx-fine-tune-the-scale-calibration-value.patch new file mode 100644 index 00000000000..49e9e8ed937 --- /dev/null +++ b/queue-5.17/iio-adc-sc27xx-fine-tune-the-scale-calibration-value.patch @@ -0,0 +1,64 @@ +From b21862a9ce8f21360a572125e158893fda5efe42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Apr 2022 22:24:54 +0800 +Subject: iio: adc: sc27xx: Fine tune the scale calibration values + +From: Cixi Geng + +[ Upstream commit 5a7a184b11c6910f47600ff5cbbee34168f701a8 ] + +Small adjustment the scale calibration value for the sc2731, +use new name sc2731_[big|small]_scale_graph_calib, and remove +the origin [big|small]_scale_graph_calib struct for unused. + +Fixes: 8ba0dbfd07a35 (iio: adc: sc27xx: Add ADC scale calibration) +Signed-off-by: Cixi Geng +Link: https://lore.kernel.org/r/20220419142458.884933-4-gengcixi@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/sc27xx_adc.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/iio/adc/sc27xx_adc.c b/drivers/iio/adc/sc27xx_adc.c +index aee076c8e2b1..cfe003cc4f0b 100644 +--- a/drivers/iio/adc/sc27xx_adc.c ++++ b/drivers/iio/adc/sc27xx_adc.c +@@ -103,14 +103,14 @@ static struct sc27xx_adc_linear_graph small_scale_graph = { + 100, 341, + }; + +-static const struct sc27xx_adc_linear_graph big_scale_graph_calib = { +- 4200, 856, +- 3600, 733, ++static const struct sc27xx_adc_linear_graph sc2731_big_scale_graph_calib = { ++ 4200, 850, ++ 3600, 728, + }; + +-static const struct sc27xx_adc_linear_graph small_scale_graph_calib = { +- 1000, 833, +- 100, 80, ++static const struct sc27xx_adc_linear_graph sc2731_small_scale_graph_calib = { ++ 1000, 838, ++ 100, 84, + }; + + static int sc27xx_adc_get_calib_data(u32 calib_data, int calib_adc) +@@ -130,11 +130,11 @@ static int sc27xx_adc_scale_calibration(struct sc27xx_adc_data *data, + size_t len; + + if (big_scale) { +- calib_graph = &big_scale_graph_calib; ++ calib_graph = &sc2731_big_scale_graph_calib; + graph = &big_scale_graph; + cell_name = "big_scale_calib"; + } else { +- calib_graph = &small_scale_graph_calib; ++ calib_graph = &sc2731_small_scale_graph_calib; + graph = &small_scale_graph; + cell_name = "small_scale_calib"; + } +-- +2.35.1 + diff --git a/queue-5.17/iio-adc-sc27xx-fix-read-big-scale-voltage-not-right.patch b/queue-5.17/iio-adc-sc27xx-fix-read-big-scale-voltage-not-right.patch new file mode 100644 index 00000000000..769cb576680 --- /dev/null +++ b/queue-5.17/iio-adc-sc27xx-fix-read-big-scale-voltage-not-right.patch @@ -0,0 +1,40 @@ +From 41547b06fa6f417a4b860fd592411db208cf1826 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Apr 2022 22:24:53 +0800 +Subject: iio: adc: sc27xx: fix read big scale voltage not right + +From: Cixi Geng + +[ Upstream commit ad930a75613282400179361e220e58b87386b8c7 ] + +Fix wrong configuration value of SC27XX_ADC_SCALE_MASK and +SC27XX_ADC_SCALE_SHIFT by spec documetation. + +Fixes: 5df362a6cf49c (iio: adc: Add Spreadtrum SC27XX PMICs ADC support) +Signed-off-by: Cixi Geng +Reviewed-by: Baolin Wang +Link: https://lore.kernel.org/r/20220419142458.884933-3-gengcixi@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/sc27xx_adc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/adc/sc27xx_adc.c b/drivers/iio/adc/sc27xx_adc.c +index 00098caf6d9e..aee076c8e2b1 100644 +--- a/drivers/iio/adc/sc27xx_adc.c ++++ b/drivers/iio/adc/sc27xx_adc.c +@@ -36,8 +36,8 @@ + + /* Bits and mask definition for SC27XX_ADC_CH_CFG register */ + #define SC27XX_ADC_CHN_ID_MASK GENMASK(4, 0) +-#define SC27XX_ADC_SCALE_MASK GENMASK(10, 8) +-#define SC27XX_ADC_SCALE_SHIFT 8 ++#define SC27XX_ADC_SCALE_MASK GENMASK(10, 9) ++#define SC27XX_ADC_SCALE_SHIFT 9 + + /* Bits definitions for SC27XX_ADC_INT_EN registers */ + #define SC27XX_ADC_IRQ_EN BIT(0) +-- +2.35.1 + diff --git a/queue-5.17/iio-adc-stmpe-adc-fix-wait_for_completion_timeout-re.patch b/queue-5.17/iio-adc-stmpe-adc-fix-wait_for_completion_timeout-re.patch new file mode 100644 index 00000000000..ce1482fccba --- /dev/null +++ b/queue-5.17/iio-adc-stmpe-adc-fix-wait_for_completion_timeout-re.patch @@ -0,0 +1,68 @@ +From 265d34ca4898a1f3533f04e7318abee5a5368a7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 06:51:45 +0000 +Subject: iio: adc: stmpe-adc: Fix wait_for_completion_timeout return value + check + +From: Miaoqian Lin + +[ Upstream commit d345b23200bcdbd2bd3582213d738c258b77718f ] + +wait_for_completion_timeout() returns unsigned long not long. +it returns 0 if timed out, and positive if completed. +The check for <= 0 is ambiguous and should be == 0 here +indicating timeout which is the only error case + +Fixes: e813dde6f833 ("iio: stmpe-adc: Use wait_for_completion_timeout") +Signed-off-by: Miaoqian Lin +Reviewed-by: Philippe Schenker +Link: https://lore.kernel.org/r/20220412065150.14486-1-linmq006@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/stmpe-adc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/iio/adc/stmpe-adc.c b/drivers/iio/adc/stmpe-adc.c +index d2d405388499..83e0ac4467ca 100644 +--- a/drivers/iio/adc/stmpe-adc.c ++++ b/drivers/iio/adc/stmpe-adc.c +@@ -61,7 +61,7 @@ struct stmpe_adc { + static int stmpe_read_voltage(struct stmpe_adc *info, + struct iio_chan_spec const *chan, int *val) + { +- long ret; ++ unsigned long ret; + + mutex_lock(&info->lock); + +@@ -79,7 +79,7 @@ static int stmpe_read_voltage(struct stmpe_adc *info, + + ret = wait_for_completion_timeout(&info->completion, STMPE_ADC_TIMEOUT); + +- if (ret <= 0) { ++ if (ret == 0) { + stmpe_reg_write(info->stmpe, STMPE_REG_ADC_INT_STA, + STMPE_ADC_CH(info->channel)); + mutex_unlock(&info->lock); +@@ -96,7 +96,7 @@ static int stmpe_read_voltage(struct stmpe_adc *info, + static int stmpe_read_temp(struct stmpe_adc *info, + struct iio_chan_spec const *chan, int *val) + { +- long ret; ++ unsigned long ret; + + mutex_lock(&info->lock); + +@@ -114,7 +114,7 @@ static int stmpe_read_temp(struct stmpe_adc *info, + + ret = wait_for_completion_timeout(&info->completion, STMPE_ADC_TIMEOUT); + +- if (ret <= 0) { ++ if (ret == 0) { + mutex_unlock(&info->lock); + return -ETIMEDOUT; + } +-- +2.35.1 + diff --git a/queue-5.17/iio-proximity-vl53l0x-fix-return-value-check-of-wait.patch b/queue-5.17/iio-proximity-vl53l0x-fix-return-value-check-of-wait.patch new file mode 100644 index 00000000000..27d940622f4 --- /dev/null +++ b/queue-5.17/iio-proximity-vl53l0x-fix-return-value-check-of-wait.patch @@ -0,0 +1,52 @@ +From 0db1aa45330f99c1268217ad0d7e49dcbe2cc686 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 06:42:09 +0000 +Subject: iio: proximity: vl53l0x: Fix return value check of + wait_for_completion_timeout + +From: Miaoqian Lin + +[ Upstream commit 50f2959113cb6756ffd73c4fedc712cf2661f711 ] + +wait_for_completion_timeout() returns unsigned long not int. +It returns 0 if timed out, and positive if completed. +The check for <= 0 is ambiguous and should be == 0 here +indicating timeout which is the only error case. + +Fixes: 3cef2e31b54b ("iio: proximity: vl53l0x: Add IRQ support") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220412064210.10734-1-linmq006@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/proximity/vl53l0x-i2c.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/iio/proximity/vl53l0x-i2c.c b/drivers/iio/proximity/vl53l0x-i2c.c +index cf38144b6f95..13a87d3e3544 100644 +--- a/drivers/iio/proximity/vl53l0x-i2c.c ++++ b/drivers/iio/proximity/vl53l0x-i2c.c +@@ -104,6 +104,7 @@ static int vl53l0x_read_proximity(struct vl53l0x_data *data, + u16 tries = 20; + u8 buffer[12]; + int ret; ++ unsigned long time_left; + + ret = i2c_smbus_write_byte_data(client, VL_REG_SYSRANGE_START, 1); + if (ret < 0) +@@ -112,10 +113,8 @@ static int vl53l0x_read_proximity(struct vl53l0x_data *data, + if (data->client->irq) { + reinit_completion(&data->completion); + +- ret = wait_for_completion_timeout(&data->completion, HZ/10); +- if (ret < 0) +- return ret; +- else if (ret == 0) ++ time_left = wait_for_completion_timeout(&data->completion, HZ/10); ++ if (time_left == 0) + return -ETIMEDOUT; + + vl53l0x_clear_irq(data); +-- +2.35.1 + diff --git a/queue-5.17/jffs2-fix-memory-leak-in-jffs2_do_fill_super.patch b/queue-5.17/jffs2-fix-memory-leak-in-jffs2_do_fill_super.patch new file mode 100644 index 00000000000..870ab10c75a --- /dev/null +++ b/queue-5.17/jffs2-fix-memory-leak-in-jffs2_do_fill_super.patch @@ -0,0 +1,68 @@ +From 728d95d29308c9e3bde713e96b111122e54ef995 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 17:38:16 +0800 +Subject: jffs2: fix memory leak in jffs2_do_fill_super + +From: Baokun Li + +[ Upstream commit c14adb1cf70a984ed081c67e9d27bc3caad9537c ] + +If jffs2_iget() or d_make_root() in jffs2_do_fill_super() returns +an error, we can observe the following kmemleak report: + +-------------------------------------------- +unreferenced object 0xffff888105a65340 (size 64): + comm "mount", pid 710, jiffies 4302851558 (age 58.239s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmem_cache_alloc_trace+0x475/0x8a0 + [] jffs2_sum_init+0x96/0x1a0 + [] jffs2_do_mount_fs+0x745/0x2120 + [] jffs2_do_fill_super+0x35c/0x810 + [] jffs2_fill_super+0x2b9/0x3b0 + [...] +unreferenced object 0xffff8881bd7f0000 (size 65536): + comm "mount", pid 710, jiffies 4302851558 (age 58.239s) + hex dump (first 32 bytes): + bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ + bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ + backtrace: + [] kmalloc_order+0xda/0x110 + [] kmalloc_order_trace+0x21/0x130 + [] __kmalloc+0x711/0x8a0 + [] jffs2_sum_init+0xd9/0x1a0 + [] jffs2_do_mount_fs+0x745/0x2120 + [] jffs2_do_fill_super+0x35c/0x810 + [] jffs2_fill_super+0x2b9/0x3b0 + [...] +-------------------------------------------- + +This is because the resources allocated in jffs2_sum_init() are not +released. Call jffs2_sum_exit() to release these resources to solve +the problem. + +Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)") +Signed-off-by: Baokun Li +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/jffs2/fs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c +index 71f03a5d36ed..f83a468b6488 100644 +--- a/fs/jffs2/fs.c ++++ b/fs/jffs2/fs.c +@@ -604,6 +604,7 @@ int jffs2_do_fill_super(struct super_block *sb, struct fs_context *fc) + jffs2_free_raw_node_refs(c); + kvfree(c->blocks); + jffs2_clear_xattr_subsystem(c); ++ jffs2_sum_exit(c); + out_inohash: + kfree(c->inocache_list); + out_wbuf: +-- +2.35.1 + diff --git a/queue-5.17/ksmbd-fix-reference-count-leak-in-smb_check_perm_dac.patch b/queue-5.17/ksmbd-fix-reference-count-leak-in-smb_check_perm_dac.patch new file mode 100644 index 00000000000..6b41c5ce7b6 --- /dev/null +++ b/queue-5.17/ksmbd-fix-reference-count-leak-in-smb_check_perm_dac.patch @@ -0,0 +1,43 @@ +From 91aef209daddf3c19b40544d87f6f389fbb48596 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Apr 2022 16:11:22 +0800 +Subject: ksmbd: fix reference count leak in smb_check_perm_dacl() + +From: Xin Xiong + +[ Upstream commit d21a580dafc69aa04f46e6099616146a536b0724 ] + +The issue happens in a specific path in smb_check_perm_dacl(). When +"id" and "uid" have the same value, the function simply jumps out of +the loop without decrementing the reference count of the object +"posix_acls", which is increased by get_acl() earlier. This may +result in memory leaks. + +Fix it by decreasing the reference count of "posix_acls" before +jumping to label "check_access_bits". + +Fixes: 777cad1604d6 ("ksmbd: remove select FS_POSIX_ACL in Kconfig") +Signed-off-by: Xin Xiong +Signed-off-by: Xin Tan +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/ksmbd/smbacl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c +index 6ecf55ea1fed..38f23bf981ac 100644 +--- a/fs/ksmbd/smbacl.c ++++ b/fs/ksmbd/smbacl.c +@@ -1261,6 +1261,7 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path, + if (!access_bits) + access_bits = + SET_MINIMUM_RIGHTS; ++ posix_acl_release(posix_acls); + goto check_access_bits; + } + } +-- +2.35.1 + diff --git a/queue-5.17/lkdtm-bugs-check-for-the-null-pointer-after-calling-.patch b/queue-5.17/lkdtm-bugs-check-for-the-null-pointer-after-calling-.patch new file mode 100644 index 00000000000..f0c1f1d0201 --- /dev/null +++ b/queue-5.17/lkdtm-bugs-check-for-the-null-pointer-after-calling-.patch @@ -0,0 +1,47 @@ +From 3ab6b7391957429e41c31f0ce21f9e4fa82175bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jan 2022 17:29:36 +0800 +Subject: lkdtm/bugs: Check for the NULL pointer after calling kmalloc + +From: Jiasheng Jiang + +[ Upstream commit 4a9800c81d2f34afb66b4b42e0330ae8298019a2 ] + +As the possible failure of the kmalloc(), the not_checked and checked +could be NULL pointer. +Therefore, it should be better to check it in order to avoid the +dereference of the NULL pointer. +Also, we need to kfree the 'not_checked' and 'checked' to avoid +the memory leak if fails. +And since it is just a test, it may directly return without error +number. + +Fixes: ae2e1aad3e48 ("drivers/misc/lkdtm/bugs.c: add arithmetic overflow and array bounds checks") +Signed-off-by: Jiasheng Jiang +Acked-by: Dan Carpenter +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20220120092936.1874264-1-jiasheng@iscas.ac.cn +Signed-off-by: Sasha Levin +--- + drivers/misc/lkdtm/bugs.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c +index f21854ac5cc2..4f2808b2ca3c 100644 +--- a/drivers/misc/lkdtm/bugs.c ++++ b/drivers/misc/lkdtm/bugs.c +@@ -327,6 +327,11 @@ void lkdtm_ARRAY_BOUNDS(void) + + not_checked = kmalloc(sizeof(*not_checked) * 2, GFP_KERNEL); + checked = kmalloc(sizeof(*checked) * 2, GFP_KERNEL); ++ if (!not_checked || !checked) { ++ kfree(not_checked); ++ kfree(checked); ++ return; ++ } + + pr_info("Array access within bounds ...\n"); + /* For both, touch all bytes in the actual member size. */ +-- +2.35.1 + diff --git a/queue-5.17/lkdtm-bugs-don-t-expect-thread-termination-without-c.patch b/queue-5.17/lkdtm-bugs-don-t-expect-thread-termination-without-c.patch new file mode 100644 index 00000000000..ab528ccf5ca --- /dev/null +++ b/queue-5.17/lkdtm-bugs-don-t-expect-thread-termination-without-c.patch @@ -0,0 +1,100 @@ +From aba7298f9d93f3d86d4bb5138e2129630dfb8499 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Apr 2022 21:13:39 +0200 +Subject: lkdtm/bugs: Don't expect thread termination without CONFIG_UBSAN_TRAP + +From: Christophe Leroy + +[ Upstream commit 8bfdbddd68249e0d8598777cca8249619ee51df0 ] + +When you don't select CONFIG_UBSAN_TRAP, you get: + + # echo ARRAY_BOUNDS > /sys/kernel/debug/provoke-crash/DIRECT +[ 102.265827] ================================================================================ +[ 102.278433] UBSAN: array-index-out-of-bounds in drivers/misc/lkdtm/bugs.c:342:16 +[ 102.287207] index 8 is out of range for type 'char [8]' +[ 102.298722] ================================================================================ +[ 102.313712] lkdtm: FAIL: survived array bounds overflow! +[ 102.318770] lkdtm: Unexpected! This kernel (5.16.0-rc1-s3k-dev-01884-g720dcf79314a ppc) was built with CONFIG_UBSAN_BOUNDS=y + +It is not correct because when CONFIG_UBSAN_TRAP is not selected +you can't expect array bounds overflow to kill the thread. + +Modify the logic so that when the kernel is built with +CONFIG_UBSAN_BOUNDS but without CONFIG_UBSAN_TRAP, you get a warning +about CONFIG_UBSAN_TRAP not been selected instead. + +This also require a fix of pr_expected_config(), otherwise the +following error is encountered. + + CC drivers/misc/lkdtm/bugs.o +drivers/misc/lkdtm/bugs.c: In function 'lkdtm_ARRAY_BOUNDS': +drivers/misc/lkdtm/bugs.c:351:2: error: 'else' without a previous 'if' + 351 | else + | ^~~~ + +Fixes: c75be56e35b2 ("lkdtm/bugs: Add ARRAY_BOUNDS to selftests") +Signed-off-by: Christophe Leroy +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/363b58690e907c677252467a94fe49444c80ea76.1649704381.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + drivers/misc/lkdtm/bugs.c | 5 ++++- + drivers/misc/lkdtm/lkdtm.h | 8 ++++---- + 2 files changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c +index 4f2808b2ca3c..8cb342c562af 100644 +--- a/drivers/misc/lkdtm/bugs.c ++++ b/drivers/misc/lkdtm/bugs.c +@@ -351,7 +351,10 @@ void lkdtm_ARRAY_BOUNDS(void) + kfree(not_checked); + kfree(checked); + pr_err("FAIL: survived array bounds overflow!\n"); +- pr_expected_config(CONFIG_UBSAN_BOUNDS); ++ if (IS_ENABLED(CONFIG_UBSAN_BOUNDS)) ++ pr_expected_config(CONFIG_UBSAN_TRAP); ++ else ++ pr_expected_config(CONFIG_UBSAN_BOUNDS); + } + + void lkdtm_CORRUPT_LIST_ADD(void) +diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h +index d6137c70ebbe..cc76ebcca4c7 100644 +--- a/drivers/misc/lkdtm/lkdtm.h ++++ b/drivers/misc/lkdtm/lkdtm.h +@@ -9,19 +9,19 @@ + extern char *lkdtm_kernel_info; + + #define pr_expected_config(kconfig) \ +-{ \ ++do { \ + if (IS_ENABLED(kconfig)) \ + pr_err("Unexpected! This %s was built with " #kconfig "=y\n", \ + lkdtm_kernel_info); \ + else \ + pr_warn("This is probably expected, since this %s was built *without* " #kconfig "=y\n", \ + lkdtm_kernel_info); \ +-} ++} while (0) + + #ifndef MODULE + int lkdtm_check_bool_cmdline(const char *param); + #define pr_expected_config_param(kconfig, param) \ +-{ \ ++do { \ + if (IS_ENABLED(kconfig)) { \ + switch (lkdtm_check_bool_cmdline(param)) { \ + case 0: \ +@@ -52,7 +52,7 @@ int lkdtm_check_bool_cmdline(const char *param); + break; \ + } \ + } \ +-} ++} while (0) + #else + #define pr_expected_config_param(kconfig, param) pr_expected_config(kconfig) + #endif +-- +2.35.1 + diff --git a/queue-5.17/macsec-fix-uaf-bug-for-real_dev.patch b/queue-5.17/macsec-fix-uaf-bug-for-real_dev.patch new file mode 100644 index 00000000000..3ce588431db --- /dev/null +++ b/queue-5.17/macsec-fix-uaf-bug-for-real_dev.patch @@ -0,0 +1,97 @@ +From 4c8d1f522a63bcf2e07a37c2e4973e7da6820771 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 May 2022 15:45:00 +0800 +Subject: macsec: fix UAF bug for real_dev + +From: Ziyang Xuan + +[ Upstream commit 196a888ca6571deb344468e1d7138e3273206335 ] + +Create a new macsec device but not get reference to real_dev. That can +not ensure that real_dev is freed after macsec. That will trigger the +UAF bug for real_dev as following: + +================================================================== +BUG: KASAN: use-after-free in macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662 +Call Trace: + ... + macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662 + dev_get_iflink+0x73/0xe0 net/core/dev.c:637 + default_operstate net/core/link_watch.c:42 [inline] + rfc2863_policy+0x233/0x2d0 net/core/link_watch.c:54 + linkwatch_do_dev+0x2a/0x150 net/core/link_watch.c:161 + +Allocated by task 22209: + ... + alloc_netdev_mqs+0x98/0x1100 net/core/dev.c:10549 + rtnl_create_link+0x9d7/0xc00 net/core/rtnetlink.c:3235 + veth_newlink+0x20e/0xa90 drivers/net/veth.c:1748 + +Freed by task 8: + ... + kfree+0xd6/0x4d0 mm/slub.c:4552 + kvfree+0x42/0x50 mm/util.c:615 + device_release+0x9f/0x240 drivers/base/core.c:2229 + kobject_cleanup lib/kobject.c:673 [inline] + kobject_release lib/kobject.c:704 [inline] + kref_put include/linux/kref.h:65 [inline] + kobject_put+0x1c8/0x540 lib/kobject.c:721 + netdev_run_todo+0x72e/0x10b0 net/core/dev.c:10327 + +After commit faab39f63c1f ("net: allow out-of-order netdev unregistration") +and commit e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev"), we +can add dev_hold_track() in macsec_dev_init() and dev_put_track() in +macsec_free_netdev() to fix the problem. + +Fixes: 2bce1ebed17d ("macsec: fix refcnt leak in module exit routine") +Reported-by: syzbot+d0e94b65ac259c29ce7a@syzkaller.appspotmail.com +Signed-off-by: Ziyang Xuan +Link: https://lore.kernel.org/r/20220531074500.1272846-1-william.xuanziyang@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index 3d0874331763..b901acca098b 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -99,6 +99,7 @@ struct pcpu_secy_stats { + * struct macsec_dev - private data + * @secy: SecY config + * @real_dev: pointer to underlying netdevice ++ * @dev_tracker: refcount tracker for @real_dev reference + * @stats: MACsec device stats + * @secys: linked list of SecY's on the underlying device + * @gro_cells: pointer to the Generic Receive Offload cell +@@ -107,6 +108,7 @@ struct pcpu_secy_stats { + struct macsec_dev { + struct macsec_secy secy; + struct net_device *real_dev; ++ netdevice_tracker dev_tracker; + struct pcpu_secy_stats __percpu *stats; + struct list_head secys; + struct gro_cells gro_cells; +@@ -3459,6 +3461,9 @@ static int macsec_dev_init(struct net_device *dev) + if (is_zero_ether_addr(dev->broadcast)) + memcpy(dev->broadcast, real_dev->broadcast, dev->addr_len); + ++ /* Get macsec's reference to real_dev */ ++ dev_hold_track(real_dev, &macsec->dev_tracker, GFP_KERNEL); ++ + return 0; + } + +@@ -3704,6 +3709,8 @@ static void macsec_free_netdev(struct net_device *dev) + free_percpu(macsec->stats); + free_percpu(macsec->secy.tx_sc.stats); + ++ /* Get rid of the macsec's reference to real_dev */ ++ dev_put_track(macsec->real_dev, &macsec->dev_tracker); + } + + static void macsec_setup(struct net_device *dev) +-- +2.35.1 + diff --git a/queue-5.17/misc-fastrpc-fix-an-incorrect-null-check-on-list-ite.patch b/queue-5.17/misc-fastrpc-fix-an-incorrect-null-check-on-list-ite.patch new file mode 100644 index 00000000000..e1ccf3f25d0 --- /dev/null +++ b/queue-5.17/misc-fastrpc-fix-an-incorrect-null-check-on-list-ite.patch @@ -0,0 +1,60 @@ +From a4d82c76f9893a123726082d2c371be61be7036f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Mar 2022 14:22:02 +0800 +Subject: misc: fastrpc: fix an incorrect NULL check on list iterator + +From: Xiaomeng Tong + +[ Upstream commit 5ac11fe03a0a83042d1a040dbce4fa2fb5521e23 ] + +The bug is here: + if (!buf) { + +The list iterator value 'buf' will *always* be set and non-NULL +by list_for_each_entry(), so it is incorrect to assume that the +iterator value will be NULL if the list is empty (in this case, the +check 'if (!buf) {' will always be false and never exit expectly). + +To fix the bug, use a new variable 'iter' as the list iterator, +while use the original variable 'buf' as a dedicated pointer to +point to the found element. + +Fixes: 2419e55e532de ("misc: fastrpc: add mmap/unmap support") +Signed-off-by: Xiaomeng Tong +Link: https://lore.kernel.org/r/20220327062202.5720-1-xiam0nd.tong@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/fastrpc.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c +index aa1682b94a23..45aaf54a7560 100644 +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -1353,17 +1353,18 @@ static int fastrpc_req_munmap_impl(struct fastrpc_user *fl, + struct fastrpc_req_munmap *req) + { + struct fastrpc_invoke_args args[1] = { [0] = { 0 } }; +- struct fastrpc_buf *buf, *b; ++ struct fastrpc_buf *buf = NULL, *iter, *b; + struct fastrpc_munmap_req_msg req_msg; + struct device *dev = fl->sctx->dev; + int err; + u32 sc; + + spin_lock(&fl->lock); +- list_for_each_entry_safe(buf, b, &fl->mmaps, node) { +- if ((buf->raddr == req->vaddrout) && (buf->size == req->size)) ++ list_for_each_entry_safe(iter, b, &fl->mmaps, node) { ++ if ((iter->raddr == req->vaddrout) && (iter->size == req->size)) { ++ buf = iter; + break; +- buf = NULL; ++ } + } + spin_unlock(&fl->lock); + +-- +2.35.1 + diff --git a/queue-5.17/misc-pvpanic-convert-regular-spinlock-into-trylock-o.patch b/queue-5.17/misc-pvpanic-convert-regular-spinlock-into-trylock-o.patch new file mode 100644 index 00000000000..d87567ff525 --- /dev/null +++ b/queue-5.17/misc-pvpanic-convert-regular-spinlock-into-trylock-o.patch @@ -0,0 +1,71 @@ +From 84356915e79d7f86693c95caa228601becf5b498 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Apr 2022 19:48:59 -0300 +Subject: misc/pvpanic: Convert regular spinlock into trylock on panic path + +From: Guilherme G. Piccoli + +[ Upstream commit e918c10265ef2bc82ce8a6fed6d8123d09ec1db3 ] + +The pvpanic driver relies on panic notifiers to execute a callback +on panic event. Such function is executed in atomic context - the +panic function disables local IRQs, preemption and all other CPUs +that aren't running the panic code. + +With that said, it's dangerous to use regular spinlocks in such path, +as introduced by commit b3c0f8774668 ("misc/pvpanic: probe multiple instances"). +This patch fixes that by replacing regular spinlocks with the trylock +safer approach. + +It also fixes an old comment (about a long gone framebuffer code) and +the notifier priority - we should execute hypervisor notifiers early, +deferring this way the panic action to the hypervisor, as expected by +the users that are setting up pvpanic. + +Fixes: b3c0f8774668 ("misc/pvpanic: probe multiple instances") +Cc: Christophe JAILLET +Cc: Mihai Carabas +Cc: Shile Zhang +Cc: Wang ShaoBo +Cc: zhenwei pi +Signed-off-by: Guilherme G. Piccoli +Link: https://lore.kernel.org/r/20220427224924.592546-6-gpiccoli@igalia.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/pvpanic/pvpanic.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/misc/pvpanic/pvpanic.c b/drivers/misc/pvpanic/pvpanic.c +index 4b8f1c7d726d..049a12006348 100644 +--- a/drivers/misc/pvpanic/pvpanic.c ++++ b/drivers/misc/pvpanic/pvpanic.c +@@ -34,7 +34,9 @@ pvpanic_send_event(unsigned int event) + { + struct pvpanic_instance *pi_cur; + +- spin_lock(&pvpanic_lock); ++ if (!spin_trylock(&pvpanic_lock)) ++ return; ++ + list_for_each_entry(pi_cur, &pvpanic_list, list) { + if (event & pi_cur->capability & pi_cur->events) + iowrite8(event, pi_cur->base); +@@ -55,9 +57,13 @@ pvpanic_panic_notify(struct notifier_block *nb, unsigned long code, void *unused + return NOTIFY_DONE; + } + ++/* ++ * Call our notifier very early on panic, deferring the ++ * action taken to the hypervisor. ++ */ + static struct notifier_block pvpanic_panic_nb = { + .notifier_call = pvpanic_panic_notify, +- .priority = 1, /* let this called before broken drm_fb_helper() */ ++ .priority = INT_MAX, + }; + + static void pvpanic_remove(void *param) +-- +2.35.1 + diff --git a/queue-5.17/modpost-fix-removing-numeric-suffixes.patch b/queue-5.17/modpost-fix-removing-numeric-suffixes.patch new file mode 100644 index 00000000000..ece390bce45 --- /dev/null +++ b/queue-5.17/modpost-fix-removing-numeric-suffixes.patch @@ -0,0 +1,58 @@ +From ab4a8ec9bbfb4ae4ac4c98ebedb98650b796b57f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 May 2022 17:27:18 +0200 +Subject: modpost: fix removing numeric suffixes + +From: Alexander Lobakin + +[ Upstream commit b5beffa20d83c4e15306c991ffd00de0d8628338 ] + +With the `-z unique-symbol` linker flag or any similar mechanism, +it is possible to trigger the following: + +ERROR: modpost: "param_set_uint.0" [vmlinux] is a static EXPORT_SYMBOL + +The reason is that for now the condition from remove_dot(): + +if (m && (s[n + m] == '.' || s[n + m] == 0)) + +which was designed to test if it's a dot or a '\0' after the suffix +is never satisfied. +This is due to that `s[n + m]` always points to the last digit of a +numeric suffix, not on the symbol next to it (from a custom debug +print added to modpost): + +param_set_uint.0, s[n + m] is '0', s[n + m + 1] is '\0' + +So it's off-by-one and was like that since 2014. + +Fix this for the sake of any potential upcoming features, but don't +bother stable-backporting, as it's well hidden -- apart from that +LD flag, it can be triggered only with GCC LTO which never landed +upstream. + +Fixes: fcd38ed0ff26 ("scripts: modpost: fix compilation warning") +Signed-off-by: Alexander Lobakin +Reviewed-by: Petr Mladek +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index e04ae56931e2..3b098e26938e 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1986,7 +1986,7 @@ static char *remove_dot(char *s) + + if (n && s[n]) { + size_t m = strspn(s + n + 1, "0123456789"); +- if (m && (s[n + m] == '.' || s[n + m] == 0)) ++ if (m && (s[n + m + 1] == '.' || s[n + m + 1] == 0)) + s[n] = 0; + + /* strip trailing .lto */ +-- +2.35.1 + diff --git a/queue-5.17/nbd-don-t-clear-nbd_cmd_inflight-flag-if-request-is-.patch b/queue-5.17/nbd-don-t-clear-nbd_cmd_inflight-flag-if-request-is-.patch new file mode 100644 index 00000000000..b3cd5a43aa1 --- /dev/null +++ b/queue-5.17/nbd-don-t-clear-nbd_cmd_inflight-flag-if-request-is-.patch @@ -0,0 +1,80 @@ +From 3af62a9c0dde4e4e44265d2529044e349f965939 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 May 2022 15:37:46 +0800 +Subject: nbd: don't clear 'NBD_CMD_INFLIGHT' flag if request is not completed + +From: Yu Kuai + +[ Upstream commit 2895f1831e911ca87d4efdf43e35eb72a0c7e66e ] + +Otherwise io will hung because request will only be completed if the +cmd has the flag 'NBD_CMD_INFLIGHT'. + +Fixes: 07175cb1baf4 ("nbd: make sure request completion won't concurrent") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20220521073749.3146892-4-yukuai3@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 284557041336..ed678037ba6d 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -404,13 +404,14 @@ static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req, + if (!mutex_trylock(&cmd->lock)) + return BLK_EH_RESET_TIMER; + +- if (!__test_and_clear_bit(NBD_CMD_INFLIGHT, &cmd->flags)) { ++ if (!test_bit(NBD_CMD_INFLIGHT, &cmd->flags)) { + mutex_unlock(&cmd->lock); + return BLK_EH_DONE; + } + + if (!refcount_inc_not_zero(&nbd->config_refs)) { + cmd->status = BLK_STS_TIMEOUT; ++ __clear_bit(NBD_CMD_INFLIGHT, &cmd->flags); + mutex_unlock(&cmd->lock); + goto done; + } +@@ -479,6 +480,7 @@ static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req, + dev_err_ratelimited(nbd_to_dev(nbd), "Connection timed out\n"); + set_bit(NBD_RT_TIMEDOUT, &config->runtime_flags); + cmd->status = BLK_STS_IOERR; ++ __clear_bit(NBD_CMD_INFLIGHT, &cmd->flags); + mutex_unlock(&cmd->lock); + sock_shutdown(nbd); + nbd_config_put(nbd); +@@ -746,7 +748,7 @@ static struct nbd_cmd *nbd_handle_reply(struct nbd_device *nbd, int index, + cmd = blk_mq_rq_to_pdu(req); + + mutex_lock(&cmd->lock); +- if (!__test_and_clear_bit(NBD_CMD_INFLIGHT, &cmd->flags)) { ++ if (!test_bit(NBD_CMD_INFLIGHT, &cmd->flags)) { + dev_err(disk_to_dev(nbd->disk), "Suspicious reply %d (status %u flags %lu)", + tag, cmd->status, cmd->flags); + ret = -ENOENT; +@@ -855,8 +857,16 @@ static void recv_work(struct work_struct *work) + } + + rq = blk_mq_rq_from_pdu(cmd); +- if (likely(!blk_should_fake_timeout(rq->q))) +- blk_mq_complete_request(rq); ++ if (likely(!blk_should_fake_timeout(rq->q))) { ++ bool complete; ++ ++ mutex_lock(&cmd->lock); ++ complete = __test_and_clear_bit(NBD_CMD_INFLIGHT, ++ &cmd->flags); ++ mutex_unlock(&cmd->lock); ++ if (complete) ++ blk_mq_complete_request(rq); ++ } + percpu_ref_put(&q->q_usage_counter); + } + +-- +2.35.1 + diff --git a/queue-5.17/net-dsa-mv88e6xxx-fix-refcount-leak-in-mv88e6xxx_mdi.patch b/queue-5.17/net-dsa-mv88e6xxx-fix-refcount-leak-in-mv88e6xxx_mdi.patch new file mode 100644 index 00000000000..91a6edf62a6 --- /dev/null +++ b/queue-5.17/net-dsa-mv88e6xxx-fix-refcount-leak-in-mv88e6xxx_mdi.patch @@ -0,0 +1,44 @@ +From 43b2b8b92caf6c0d65c5a703c227ca0de2eaf780 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 May 2022 18:52:08 +0400 +Subject: net: dsa: mv88e6xxx: Fix refcount leak in mv88e6xxx_mdios_register +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Miaoqian Lin + +[ Upstream commit 02ded5a173619b11728b8bf75a3fd995a2c1ff28 ] + +of_get_child_by_name() returns a node pointer with refcount +incremented, we should use of_node_put() on it when done. + +mv88e6xxx_mdio_register() pass the device node to of_mdiobus_register(). +We don't need the device node after it. + +Add missing of_node_put() to avoid refcount leak. + +Fixes: a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO busses") +Signed-off-by: Miaoqian Lin +Reviewed-by: Marek Behún +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index cf7754dddad7..283ae376f469 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -3482,6 +3482,7 @@ static int mv88e6xxx_mdios_register(struct mv88e6xxx_chip *chip, + */ + child = of_get_child_by_name(np, "mdio"); + err = mv88e6xxx_mdio_register(chip, child, false); ++ of_node_put(child); + if (err) + return err; + +-- +2.35.1 + diff --git a/queue-5.17/net-ethernet-mtk_eth_soc-out-of-bounds-read-in-mtk_h.patch b/queue-5.17/net-ethernet-mtk_eth_soc-out-of-bounds-read-in-mtk_h.patch new file mode 100644 index 00000000000..64af996ad15 --- /dev/null +++ b/queue-5.17/net-ethernet-mtk_eth_soc-out-of-bounds-read-in-mtk_h.patch @@ -0,0 +1,38 @@ +From 54895b3ef716cac92b6433edcbcbb705f2b08a87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 May 2022 11:02:42 +0300 +Subject: net: ethernet: mtk_eth_soc: out of bounds read in + mtk_hwlro_get_fdir_entry() + +From: Dan Carpenter + +[ Upstream commit e7e7104e2d5ddf3806a28695670f21bef471f1e1 ] + +The "fsp->location" variable comes from user via ethtool_get_rxnfc(). +Check that it is valid to prevent an out of bounds read. + +Fixes: 7aab747e5563 ("net: ethernet: mediatek: add ethtool functions to configure RX flows of HW LRO") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index f02d07ec5ccb..a50090e62c8f 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -1949,6 +1949,9 @@ static int mtk_hwlro_get_fdir_entry(struct net_device *dev, + struct ethtool_rx_flow_spec *fsp = + (struct ethtool_rx_flow_spec *)&cmd->fs; + ++ if (fsp->location >= ARRAY_SIZE(mac->hwlro_ip)) ++ return -EINVAL; ++ + /* only tcp dst ipv4 is meaningful, others are meaningless */ + fsp->flow_type = TCP_V4_FLOW; + fsp->h_u.tcp_ip4_spec.ip4dst = ntohl(mac->hwlro_ip[fsp->location]); +-- +2.35.1 + diff --git a/queue-5.17/net-ethernet-ti-am65-cpsw-nuss-fix-some-refcount-lea.patch b/queue-5.17/net-ethernet-ti-am65-cpsw-nuss-fix-some-refcount-lea.patch new file mode 100644 index 00000000000..4afca8f4b9e --- /dev/null +++ b/queue-5.17/net-ethernet-ti-am65-cpsw-nuss-fix-some-refcount-lea.patch @@ -0,0 +1,50 @@ +From 1163331311b6d9e0c1e34a907dcde3319089251b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 May 2022 12:52:08 +0400 +Subject: net: ethernet: ti: am65-cpsw-nuss: Fix some refcount leaks + +From: Miaoqian Lin + +[ Upstream commit 5dd89d2fc438457811cbbec07999ce0d80051ff5 ] + +of_get_child_by_name() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +am65_cpsw_init_cpts() and am65_cpsw_nuss_probe() don't release +the refcount in error case. +Add missing of_node_put() to avoid refcount leak. + +Fixes: b1f66a5bee07 ("net: ethernet: ti: am65-cpsw-nuss: enable packet timestamping support") +Fixes: 93a76530316a ("net: ethernet: ti: introduce am65x/j721e gigabit eth subsystem driver") +Signed-off-by: Miaoqian Lin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +index 8251d7eb001b..eda91336c9f6 100644 +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +@@ -1802,6 +1802,7 @@ static int am65_cpsw_init_cpts(struct am65_cpsw_common *common) + if (IS_ERR(cpts)) { + int ret = PTR_ERR(cpts); + ++ of_node_put(node); + if (ret == -EOPNOTSUPP) { + dev_info(dev, "cpts disabled\n"); + return 0; +@@ -2669,9 +2670,9 @@ static int am65_cpsw_nuss_probe(struct platform_device *pdev) + if (!node) + return -ENOENT; + common->port_num = of_get_child_count(node); ++ of_node_put(node); + if (common->port_num < 1 || common->port_num > AM65_CPSW_MAX_PORTS) + return -ENOENT; +- of_node_put(node); + + common->rx_flow_id_base = -1; + init_completion(&common->tdown_complete); +-- +2.35.1 + diff --git a/queue-5.17/net-lan966x-check-devm_of_phy_get-for-edefer_probe.patch b/queue-5.17/net-lan966x-check-devm_of_phy_get-for-edefer_probe.patch new file mode 100644 index 00000000000..e30c711ed32 --- /dev/null +++ b/queue-5.17/net-lan966x-check-devm_of_phy_get-for-edefer_probe.patch @@ -0,0 +1,52 @@ +From b2ed537cef3406cec44e5f521014c95b7e4fb2ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 May 2022 01:12:39 +0200 +Subject: net: lan966x: check devm_of_phy_get() for -EDEFER_PROBE + +From: Michael Walle + +[ Upstream commit b58cdd4388b1d8f5bee9f5a3897a7e780d1eaa48 ] + +At the moment, if devm_of_phy_get() returns an error the serdes +simply isn't set. While it is bad to ignore an error in general, there +is a particular bug that network isn't working if the serdes driver is +compiled as a module. In that case, devm_of_phy_get() returns +-EDEFER_PROBE and the error is silently ignored. + +The serdes is optional, it is not there if the port is using RGMII, in +which case devm_of_phy_get() returns -ENODEV. Rearrange the error +handling so that -ENODEV will be handled but other error codes will +abort the probing. + +Fixes: d28d6d2e37d1 ("net: lan966x: add port module support") +Signed-off-by: Michael Walle +Link: https://lore.kernel.org/r/20220525231239.1307298-1-michael@walle.cc +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/lan966x/lan966x_main.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c +index fee148bbf13e..b0cb3b65cd5b 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c +@@ -948,8 +948,13 @@ static int lan966x_probe(struct platform_device *pdev) + lan966x->ports[p]->fwnode = fwnode_handle_get(portnp); + + serdes = devm_of_phy_get(lan966x->dev, to_of_node(portnp), NULL); +- if (!IS_ERR(serdes)) +- lan966x->ports[p]->serdes = serdes; ++ if (PTR_ERR(serdes) == -ENODEV) ++ serdes = NULL; ++ if (IS_ERR(serdes)) { ++ err = PTR_ERR(serdes); ++ goto cleanup_ports; ++ } ++ lan966x->ports[p]->serdes = serdes; + + lan966x_port_init(lan966x->ports[p]); + } +-- +2.35.1 + diff --git a/queue-5.17/net-mlx5-correct-ece-offset-in-query-qp-output.patch b/queue-5.17/net-mlx5-correct-ece-offset-in-query-qp-output.patch new file mode 100644 index 00000000000..dc1174bc868 --- /dev/null +++ b/queue-5.17/net-mlx5-correct-ece-offset-in-query-qp-output.patch @@ -0,0 +1,41 @@ +From 0c61290257af1f6d72c90d68ec6c062dedadcae6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Apr 2022 21:28:14 +0800 +Subject: net/mlx5: correct ECE offset in query qp output + +From: Changcheng Liu + +[ Upstream commit 3fc2a9e89b3508a5cc0c324f26d7b4740ba8c456 ] + +ECE field should be after opt_param_mask in query qp output. + +Fixes: 6b646a7e4af6 ("net/mlx5: Add ability to read and write ECE options") +Signed-off-by: Changcheng Liu +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + include/linux/mlx5/mlx5_ifc.h | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h +index 49a48d7709ac..4cd54277d5d9 100644 +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -5175,12 +5175,11 @@ struct mlx5_ifc_query_qp_out_bits { + + u8 syndrome[0x20]; + +- u8 reserved_at_40[0x20]; +- u8 ece[0x20]; ++ u8 reserved_at_40[0x40]; + + u8 opt_param_mask[0x20]; + +- u8 reserved_at_a0[0x20]; ++ u8 ece[0x20]; + + struct mlx5_ifc_qpc_bits qpc; + +-- +2.35.1 + diff --git a/queue-5.17/net-mlx5-ct-fix-header-rewrite-re-use-for-tupels.patch b/queue-5.17/net-mlx5-ct-fix-header-rewrite-re-use-for-tupels.patch new file mode 100644 index 00000000000..fab2d06d4ff --- /dev/null +++ b/queue-5.17/net-mlx5-ct-fix-header-rewrite-re-use-for-tupels.patch @@ -0,0 +1,81 @@ +From 9db45824d64256786382696ac1f62168c8bf8f33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 May 2022 19:12:21 +0300 +Subject: net/mlx5: CT: Fix header-rewrite re-use for tupels + +From: Paul Blakey + +[ Upstream commit 1f2856cde64baa78475e6d3c601fb7b7f693a161 ] + +Tuple entries that don't have nat configured for them +which are added to the ct nat table will always create +a new modify header, as we don't check for possible +re-use on them. The same for tuples that have nat configured +for them but are added to ct table. + +Fix the above by only avoiding wasteful re-use lookup +for actually natted entries in ct nat table. + +Fixes: 7fac5c2eced3 ("net/mlx5: CT: Avoid reusing modify header context for natted entries") +Signed-off-by: Paul Blakey +Reviewed-by: Ariel Levkovich +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../ethernet/mellanox/mlx5/core/en/tc_ct.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c +index 9028e9958c72..cf9d48d934ef 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c +@@ -692,7 +692,7 @@ mlx5_tc_ct_entry_create_mod_hdr(struct mlx5_tc_ct_priv *ct_priv, + struct mlx5_flow_attr *attr, + struct flow_rule *flow_rule, + struct mlx5e_mod_hdr_handle **mh, +- u8 zone_restore_id, bool nat) ++ u8 zone_restore_id, bool nat_table, bool has_nat) + { + DECLARE_MOD_HDR_ACTS_ACTIONS(actions_arr, MLX5_CT_MIN_MOD_ACTS); + DECLARE_MOD_HDR_ACTS(mod_acts, actions_arr); +@@ -708,11 +708,12 @@ mlx5_tc_ct_entry_create_mod_hdr(struct mlx5_tc_ct_priv *ct_priv, + &attr->ct_attr.ct_labels_id); + if (err) + return -EOPNOTSUPP; +- if (nat) { +- err = mlx5_tc_ct_entry_create_nat(ct_priv, flow_rule, +- &mod_acts); +- if (err) +- goto err_mapping; ++ if (nat_table) { ++ if (has_nat) { ++ err = mlx5_tc_ct_entry_create_nat(ct_priv, flow_rule, &mod_acts); ++ if (err) ++ goto err_mapping; ++ } + + ct_state |= MLX5_CT_STATE_NAT_BIT; + } +@@ -727,7 +728,7 @@ mlx5_tc_ct_entry_create_mod_hdr(struct mlx5_tc_ct_priv *ct_priv, + if (err) + goto err_mapping; + +- if (nat) { ++ if (nat_table && has_nat) { + attr->modify_hdr = mlx5_modify_header_alloc(ct_priv->dev, ct_priv->ns_type, + mod_acts.num_actions, + mod_acts.actions); +@@ -795,7 +796,9 @@ mlx5_tc_ct_entry_add_rule(struct mlx5_tc_ct_priv *ct_priv, + + err = mlx5_tc_ct_entry_create_mod_hdr(ct_priv, attr, flow_rule, + &zone_rule->mh, +- zone_restore_id, nat); ++ zone_restore_id, ++ nat, ++ mlx5_tc_ct_entry_has_nat(entry)); + if (err) { + ct_dbg("Failed to create ct entry mod hdr"); + goto err_mod_hdr; +-- +2.35.1 + diff --git a/queue-5.17/net-mlx5-don-t-use-already-freed-action-pointer.patch b/queue-5.17/net-mlx5-don-t-use-already-freed-action-pointer.patch new file mode 100644 index 00000000000..17c44d44023 --- /dev/null +++ b/queue-5.17/net-mlx5-don-t-use-already-freed-action-pointer.patch @@ -0,0 +1,50 @@ +From f5f0644add6c646b335af41205821f49d0fa6ce1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 May 2022 15:59:27 +0300 +Subject: net/mlx5: Don't use already freed action pointer + +From: Leon Romanovsky + +[ Upstream commit 80b2bd737d0e833e6a2b77e482e5a714a79c86a4 ] + +The call to mlx5dr_action_destroy() releases "action" memory. That +pointer is set to miss_action later and generates the following smatch +error: + + drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c:53 set_miss_action() + warn: 'action' was already freed. + +Make sure that the pointer is always valid by setting NULL after destroy. + +Fixes: 6a48faeeca10 ("net/mlx5: Add direct rule fs_cmd implementation") +Reported-by: Dan Carpenter +Signed-off-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c +index 05393fe11132..caeaa3c29353 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c +@@ -44,11 +44,10 @@ static int set_miss_action(struct mlx5_flow_root_namespace *ns, + err = mlx5dr_table_set_miss_action(ft->fs_dr_table.dr_table, action); + if (err && action) { + err = mlx5dr_action_destroy(action); +- if (err) { +- action = NULL; +- mlx5_core_err(ns->dev, "Failed to destroy action (%d)\n", +- err); +- } ++ if (err) ++ mlx5_core_err(ns->dev, ++ "Failed to destroy action (%d)\n", err); ++ action = NULL; + } + ft->fs_dr_table.miss_action = action; + if (old_miss_action) { +-- +2.35.1 + diff --git a/queue-5.17/net-mlx5e-disable-softirq-in-mlx5e_activate_rq-to-av.patch b/queue-5.17/net-mlx5e-disable-softirq-in-mlx5e_activate_rq-to-av.patch new file mode 100644 index 00000000000..bdbcab6c4db --- /dev/null +++ b/queue-5.17/net-mlx5e-disable-softirq-in-mlx5e_activate_rq-to-av.patch @@ -0,0 +1,214 @@ +From 74020f8b1c4f61d4eaab31cd7c5f2165dc6f6122 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Apr 2022 16:19:15 +0300 +Subject: net/mlx5e: Disable softirq in mlx5e_activate_rq to avoid race + condition + +From: Maxim Mikityanskiy + +[ Upstream commit 2e642afb61b24401a7ec819d27ddcd69c7c29784 ] + +When the driver activates the channels, it assumes NAPI isn't running +yet. mlx5e_activate_rq posts a NOP WQE to ICOSQ to trigger a hardware +interrupt and start NAPI, which will run mlx5e_alloc_rx_mpwqe and post +UMR WQEs to ICOSQ to be able to receive packets with striding RQ. + +Unfortunately, a race condition is possible if NAPI is triggered by +something else (for example, TX) at a bad timing, before +mlx5e_activate_rq finishes. In this case, mlx5e_alloc_rx_mpwqe may post +UMR WQEs to ICOSQ, and with the bad timing, the wqe_info of the first +UMR may be overwritten by the wqe_info of the NOP posted by +mlx5e_activate_rq. + +The consequence is that icosq->db.wqe_info[0].num_wqebbs will be changed +from MLX5E_UMR_WQEBBS to 1, disrupting the integrity of the array-based +linked list in wqe_info[]. mlx5e_poll_ico_cq will hang in an infinite +loop after processing wqe_info[0], because after the corruption, the +next item to be processed will be wqe_info[1], which is filled with +zeros, and `sqcc += wi->num_wqebbs` will never move further. + +This commit fixes this race condition by using async_icosq to post the +NOP and trigger the interrupt. async_icosq is always protected with a +spinlock, eliminating the race condition. + +Fixes: bc77b240b3c5 ("net/mlx5e: Add fragmented memory support for RX multi packet WQE") +Signed-off-by: Maxim Mikityanskiy +Reported-by: Karsten Nielsen +Reviewed-by: Tariq Toukan +Reviewed-by: Gal Pressman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en.h | 4 ++++ + .../net/ethernet/mellanox/mlx5/core/en/ptp.c | 1 + + .../mellanox/mlx5/core/en/reporter_rx.c | 6 +++++ + .../net/ethernet/mellanox/mlx5/core/en/trap.c | 1 + + .../ethernet/mellanox/mlx5/core/en/xsk/pool.c | 1 + + .../mellanox/mlx5/core/en/xsk/setup.c | 5 +--- + .../net/ethernet/mellanox/mlx5/core/en_main.c | 24 +++++++++++++------ + 7 files changed, 31 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h +index 5ccd6c634274..4c8c8e4c1ef3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -730,6 +730,7 @@ struct mlx5e_rq { + u8 wq_type; + u32 rqn; + struct mlx5_core_dev *mdev; ++ struct mlx5e_channel *channel; + u32 umr_mkey; + struct mlx5e_dma_info wqe_overflow; + +@@ -1044,6 +1045,9 @@ void mlx5e_close_cq(struct mlx5e_cq *cq); + int mlx5e_open_locked(struct net_device *netdev); + int mlx5e_close_locked(struct net_device *netdev); + ++void mlx5e_trigger_napi_icosq(struct mlx5e_channel *c); ++void mlx5e_trigger_napi_sched(struct napi_struct *napi); ++ + int mlx5e_open_channels(struct mlx5e_priv *priv, + struct mlx5e_channels *chs); + void mlx5e_close_channels(struct mlx5e_channels *chs); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c b/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c +index 82baafd3c00c..fdb82f2b0130 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c +@@ -737,6 +737,7 @@ void mlx5e_ptp_activate_channel(struct mlx5e_ptp *c) + if (test_bit(MLX5E_PTP_STATE_RX, c->state)) { + mlx5e_ptp_rx_set_fs(c->priv); + mlx5e_activate_rq(&c->rq); ++ mlx5e_trigger_napi_sched(&c->napi); + } + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_rx.c +index 2684e9da9f41..fc366e66d0b0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_rx.c +@@ -123,6 +123,8 @@ static int mlx5e_rx_reporter_err_icosq_cqe_recover(void *ctx) + xskrq->stats->recover++; + } + ++ mlx5e_trigger_napi_icosq(icosq->channel); ++ + mutex_unlock(&icosq->channel->icosq_recovery_lock); + + return 0; +@@ -166,6 +168,10 @@ static int mlx5e_rx_reporter_err_rq_cqe_recover(void *ctx) + clear_bit(MLX5E_RQ_STATE_RECOVERING, &rq->state); + mlx5e_activate_rq(rq); + rq->stats->recover++; ++ if (rq->channel) ++ mlx5e_trigger_napi_icosq(rq->channel); ++ else ++ mlx5e_trigger_napi_sched(rq->cq.napi); + return 0; + out: + clear_bit(MLX5E_RQ_STATE_RECOVERING, &rq->state); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/trap.c b/drivers/net/ethernet/mellanox/mlx5/core/en/trap.c +index a55b066746cb..6dd36e3cf425 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/trap.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/trap.c +@@ -172,6 +172,7 @@ static void mlx5e_activate_trap(struct mlx5e_trap *trap) + { + napi_enable(&trap->napi); + mlx5e_activate_rq(&trap->rq); ++ mlx5e_trigger_napi_sched(&trap->napi); + } + + void mlx5e_deactivate_trap(struct mlx5e_priv *priv) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/pool.c b/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/pool.c +index 279cd8f4e79f..2c520394aa1d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/pool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/pool.c +@@ -117,6 +117,7 @@ static int mlx5e_xsk_enable_locked(struct mlx5e_priv *priv, + goto err_remove_pool; + + mlx5e_activate_xsk(c); ++ mlx5e_trigger_napi_icosq(c); + + /* Don't wait for WQEs, because the newer xdpsock sample doesn't provide + * any Fill Ring entries at the setup stage. +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c b/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c +index 25eac9e20342..5a2cd15e245d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c +@@ -64,6 +64,7 @@ static int mlx5e_init_xsk_rq(struct mlx5e_channel *c, + rq->clock = &mdev->clock; + rq->icosq = &c->icosq; + rq->ix = c->ix; ++ rq->channel = c; + rq->mdev = mdev; + rq->hw_mtu = MLX5E_SW2HW_MTU(params, params->sw_mtu); + rq->xdpsq = &c->rq_xdpsq; +@@ -179,10 +180,6 @@ void mlx5e_activate_xsk(struct mlx5e_channel *c) + mlx5e_reporter_icosq_resume_recovery(c); + + /* TX queue is created active. */ +- +- spin_lock_bh(&c->async_icosq_lock); +- mlx5e_trigger_irq(&c->async_icosq); +- spin_unlock_bh(&c->async_icosq_lock); + } + + void mlx5e_deactivate_xsk(struct mlx5e_channel *c) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 531fffe1abe3..9730bd96d0de 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -477,6 +477,7 @@ static int mlx5e_init_rxq_rq(struct mlx5e_channel *c, struct mlx5e_params *param + rq->clock = &mdev->clock; + rq->icosq = &c->icosq; + rq->ix = c->ix; ++ rq->channel = c; + rq->mdev = mdev; + rq->hw_mtu = MLX5E_SW2HW_MTU(params, params->sw_mtu); + rq->xdpsq = &c->rq_xdpsq; +@@ -1070,13 +1071,6 @@ int mlx5e_open_rq(struct mlx5e_params *params, struct mlx5e_rq_param *param, + void mlx5e_activate_rq(struct mlx5e_rq *rq) + { + set_bit(MLX5E_RQ_STATE_ENABLED, &rq->state); +- if (rq->icosq) { +- mlx5e_trigger_irq(rq->icosq); +- } else { +- local_bh_disable(); +- napi_schedule(rq->cq.napi); +- local_bh_enable(); +- } + } + + void mlx5e_deactivate_rq(struct mlx5e_rq *rq) +@@ -2218,6 +2212,20 @@ static int mlx5e_channel_stats_alloc(struct mlx5e_priv *priv, int ix, int cpu) + return 0; + } + ++void mlx5e_trigger_napi_icosq(struct mlx5e_channel *c) ++{ ++ spin_lock_bh(&c->async_icosq_lock); ++ mlx5e_trigger_irq(&c->async_icosq); ++ spin_unlock_bh(&c->async_icosq_lock); ++} ++ ++void mlx5e_trigger_napi_sched(struct napi_struct *napi) ++{ ++ local_bh_disable(); ++ napi_schedule(napi); ++ local_bh_enable(); ++} ++ + static int mlx5e_open_channel(struct mlx5e_priv *priv, int ix, + struct mlx5e_params *params, + struct mlx5e_channel_param *cparam, +@@ -2299,6 +2307,8 @@ static void mlx5e_activate_channel(struct mlx5e_channel *c) + + if (test_bit(MLX5E_CHANNEL_STATE_XSK, c->state)) + mlx5e_activate_xsk(c); ++ ++ mlx5e_trigger_napi_icosq(c); + } + + static void mlx5e_deactivate_channel(struct mlx5e_channel *c) +-- +2.35.1 + diff --git a/queue-5.17/net-mlx5e-tc-nic-mode-fix-tc-chains-miss-table.patch b/queue-5.17/net-mlx5e-tc-nic-mode-fix-tc-chains-miss-table.patch new file mode 100644 index 00000000000..dd804829925 --- /dev/null +++ b/queue-5.17/net-mlx5e-tc-nic-mode-fix-tc-chains-miss-table.patch @@ -0,0 +1,151 @@ +From bd50e8f34642b727a3f8d62f015b8623847b4977 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 May 2022 10:51:30 +0300 +Subject: net/mlx5e: TC NIC mode, fix tc chains miss table + +From: Maor Dickman + +[ Upstream commit 66cb64e292d21588bdb831f08a7ec0ff04d6380d ] + +The cited commit changed promisc table to be created on demand with the +highest priority in the NIC table replacing the vlan table, this caused +tc NIC tables miss flow to skip the prmoisc table because it use vlan +table as miss table. + +OVS offload in NIC mode use promisc by default so any unicast packet +which will be handled by tc NIC tables miss flow will skip the promisc +rule and will be dropped. + +Fix this by adding new empty table in new tc level with low priority and +point the nic tc chain miss to it, the new table is managed so it will +point to vlan table if promisc is disabled and to promisc table if enabled. + +Fixes: 1c46d7409f30 ("net/mlx5e: Optimize promiscuous mode") +Signed-off-by: Maor Dickman +Reviewed-by: Paul Blakey +Reviewed-by: Ariel Levkovich +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en/fs.h | 2 + + .../net/ethernet/mellanox/mlx5/core/en_tc.c | 38 ++++++++++++++++++- + .../net/ethernet/mellanox/mlx5/core/fs_core.c | 2 +- + 3 files changed, 39 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h b/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h +index 678ffbb48a25..e3e8c1c3ff24 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h +@@ -12,6 +12,7 @@ struct mlx5e_post_act; + enum { + MLX5E_TC_FT_LEVEL = 0, + MLX5E_TC_TTC_FT_LEVEL, ++ MLX5E_TC_MISS_LEVEL, + }; + + struct mlx5e_tc_table { +@@ -20,6 +21,7 @@ struct mlx5e_tc_table { + */ + struct mutex t_lock; + struct mlx5_flow_table *t; ++ struct mlx5_flow_table *miss_t; + struct mlx5_fs_chains *chains; + struct mlx5e_post_act *post_act; + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index e0f45cef97c3..deff6698f395 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -4284,6 +4284,33 @@ static int mlx5e_tc_nic_get_ft_size(struct mlx5_core_dev *dev) + return tc_tbl_size; + } + ++static int mlx5e_tc_nic_create_miss_table(struct mlx5e_priv *priv) ++{ ++ struct mlx5_flow_table **ft = &priv->fs.tc.miss_t; ++ struct mlx5_flow_table_attr ft_attr = {}; ++ struct mlx5_flow_namespace *ns; ++ int err = 0; ++ ++ ft_attr.max_fte = 1; ++ ft_attr.autogroup.max_num_groups = 1; ++ ft_attr.level = MLX5E_TC_MISS_LEVEL; ++ ft_attr.prio = 0; ++ ns = mlx5_get_flow_namespace(priv->mdev, MLX5_FLOW_NAMESPACE_KERNEL); ++ ++ *ft = mlx5_create_auto_grouped_flow_table(ns, &ft_attr); ++ if (IS_ERR(*ft)) { ++ err = PTR_ERR(*ft); ++ netdev_err(priv->netdev, "failed to create tc nic miss table err=%d\n", err); ++ } ++ ++ return err; ++} ++ ++static void mlx5e_tc_nic_destroy_miss_table(struct mlx5e_priv *priv) ++{ ++ mlx5_destroy_flow_table(priv->fs.tc.miss_t); ++} ++ + int mlx5e_tc_nic_init(struct mlx5e_priv *priv) + { + struct mlx5e_tc_table *tc = &priv->fs.tc; +@@ -4316,19 +4343,23 @@ int mlx5e_tc_nic_init(struct mlx5e_priv *priv) + } + tc->mapping = chains_mapping; + ++ err = mlx5e_tc_nic_create_miss_table(priv); ++ if (err) ++ goto err_chains; ++ + if (MLX5_CAP_FLOWTABLE_NIC_RX(priv->mdev, ignore_flow_level)) + attr.flags = MLX5_CHAINS_AND_PRIOS_SUPPORTED | + MLX5_CHAINS_IGNORE_FLOW_LEVEL_SUPPORTED; + attr.ns = MLX5_FLOW_NAMESPACE_KERNEL; + attr.max_ft_sz = mlx5e_tc_nic_get_ft_size(dev); + attr.max_grp_num = MLX5E_TC_TABLE_NUM_GROUPS; +- attr.default_ft = mlx5e_vlan_get_flowtable(priv->fs.vlan); ++ attr.default_ft = priv->fs.tc.miss_t; + attr.mapping = chains_mapping; + + tc->chains = mlx5_chains_create(dev, &attr); + if (IS_ERR(tc->chains)) { + err = PTR_ERR(tc->chains); +- goto err_chains; ++ goto err_miss; + } + + tc->post_act = mlx5e_tc_post_act_init(priv, tc->chains, MLX5_FLOW_NAMESPACE_KERNEL); +@@ -4351,6 +4382,8 @@ int mlx5e_tc_nic_init(struct mlx5e_priv *priv) + mlx5_tc_ct_clean(tc->ct); + mlx5e_tc_post_act_destroy(tc->post_act); + mlx5_chains_destroy(tc->chains); ++err_miss: ++ mlx5e_tc_nic_destroy_miss_table(priv); + err_chains: + mapping_destroy(chains_mapping); + err_mapping: +@@ -4391,6 +4424,7 @@ void mlx5e_tc_nic_cleanup(struct mlx5e_priv *priv) + mlx5e_tc_post_act_destroy(tc->post_act); + mapping_destroy(tc->mapping); + mlx5_chains_destroy(tc->chains); ++ mlx5e_tc_nic_destroy_miss_table(priv); + } + + int mlx5e_tc_esw_init(struct rhashtable *tc_ht) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index 298c614c631b..bd52b0b4eefa 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -116,7 +116,7 @@ + #define KERNEL_MIN_LEVEL (KERNEL_NIC_PRIO_NUM_LEVELS + 1) + + #define KERNEL_NIC_TC_NUM_PRIOS 1 +-#define KERNEL_NIC_TC_NUM_LEVELS 2 ++#define KERNEL_NIC_TC_NUM_LEVELS 3 + + #define ANCHOR_NUM_LEVELS 1 + #define ANCHOR_NUM_PRIOS 1 +-- +2.35.1 + diff --git a/queue-5.17/net-mlx5e-update-netdev-features-after-changing-xdp-.patch b/queue-5.17/net-mlx5e-update-netdev-features-after-changing-xdp-.patch new file mode 100644 index 00000000000..40cfd3fe00d --- /dev/null +++ b/queue-5.17/net-mlx5e-update-netdev-features-after-changing-xdp-.patch @@ -0,0 +1,44 @@ +From 11feff50988879d366a4b07b565324c4c6a087a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 May 2022 15:39:13 +0300 +Subject: net/mlx5e: Update netdev features after changing XDP state + +From: Maxim Mikityanskiy + +[ Upstream commit f6279f113ad593971999c877eb69dc3d36a75894 ] + +Some features (LRO, HW GRO) conflict with XDP. If there is an attempt to +enable such features while XDP is active, they will be set to `off +[requested on]`. In order to activate these features after XDP is turned +off, the driver needs to call netdev_update_features(). This commit adds +this missing call after XDP state changes. + +Fixes: cf6e34c8c22f ("net/mlx5e: Properly block LRO when XDP is enabled") +Fixes: b0617e7b3500 ("net/mlx5e: Properly block HW GRO when XDP is enabled") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 9730bd96d0de..352b5c8ae24e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -4531,6 +4531,11 @@ static int mlx5e_xdp_set(struct net_device *netdev, struct bpf_prog *prog) + + unlock: + mutex_unlock(&priv->state_lock); ++ ++ /* Need to fix some features. */ ++ if (!err) ++ netdev_update_features(netdev); ++ + return err; + } + +-- +2.35.1 + diff --git a/queue-5.17/net-sched-add-barrier-to-fix-packet-stuck-problem-fo.patch b/queue-5.17/net-sched-add-barrier-to-fix-packet-stuck-problem-fo.patch new file mode 100644 index 00000000000..16ebd120e11 --- /dev/null +++ b/queue-5.17/net-sched-add-barrier-to-fix-packet-stuck-problem-fo.patch @@ -0,0 +1,71 @@ +From 2ceb06405ad2ef638f6dae95762f7f7861227457 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 May 2022 18:16:28 +0800 +Subject: net: sched: add barrier to fix packet stuck problem for lockless + qdisc + +From: Guoju Fang + +[ Upstream commit 2e8728c955ce0624b958eee6e030a37aca3a5d86 ] + +In qdisc_run_end(), the spin_unlock() only has store-release semantic, +which guarantees all earlier memory access are visible before it. But +the subsequent test_bit() has no barrier semantics so may be reordered +ahead of the spin_unlock(). The store-load reordering may cause a packet +stuck problem. + +The concurrent operations can be described as below, + CPU 0 | CPU 1 + qdisc_run_end() | qdisc_run_begin() + . | . + ----> /* may be reorderd here */ | . +| . | . +| spin_unlock() | set_bit() +| . | smp_mb__after_atomic() + ---- test_bit() | spin_trylock() + . | . + +Consider the following sequence of events: + CPU 0 reorder test_bit() ahead and see MISSED = 0 + CPU 1 calls set_bit() + CPU 1 calls spin_trylock() and return fail + CPU 0 executes spin_unlock() + +At the end of the sequence, CPU 0 calls spin_unlock() and does nothing +because it see MISSED = 0. The skb on CPU 1 has beed enqueued but no one +take it, until the next cpu pushing to the qdisc (if ever ...) will +notice and dequeue it. + +This patch fix this by adding one explicit barrier. As spin_unlock() and +test_bit() ordering is a store-load ordering, a full memory barrier +smp_mb() is needed here. + +Fixes: a90c57f2cedd ("net: sched: fix packet stuck problem for lockless qdisc") +Signed-off-by: Guoju Fang +Link: https://lore.kernel.org/r/20220528101628.120193-1-gjfang@linux.alibaba.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sch_generic.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index 4fe0892dde1a..6764fc265745 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -209,6 +209,12 @@ static inline void qdisc_run_end(struct Qdisc *qdisc) + if (qdisc->flags & TCQ_F_NOLOCK) { + spin_unlock(&qdisc->seqlock); + ++ /* spin_unlock() only has store-release semantic. The unlock ++ * and test_bit() ordering is a store-load ordering, so a full ++ * memory barrier is needed here. ++ */ ++ smp_mb(); ++ + if (unlikely(test_bit(__QDISC_STATE_MISSED, + &qdisc->state))) + __netif_schedule(qdisc); +-- +2.35.1 + diff --git a/queue-5.17/net-sched-fixed-barrier-to-prevent-skbuff-sticking-i.patch b/queue-5.17/net-sched-fixed-barrier-to-prevent-skbuff-sticking-i.patch new file mode 100644 index 00000000000..66db5318ff8 --- /dev/null +++ b/queue-5.17/net-sched-fixed-barrier-to-prevent-skbuff-sticking-i.patch @@ -0,0 +1,140 @@ +From 596018e8ee338aa8817e556f31686a0600e8e9ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 May 2022 17:17:46 -0700 +Subject: net: sched: fixed barrier to prevent skbuff sticking in qdisc backlog + +From: Vincent Ray + +[ Upstream commit a54ce3703613e41fe1d98060b62ec09a3984dc28 ] + +In qdisc_run_begin(), smp_mb__before_atomic() used before test_bit() +does not provide any ordering guarantee as test_bit() is not an atomic +operation. This, added to the fact that the spin_trylock() call at +the beginning of qdisc_run_begin() does not guarantee acquire +semantics if it does not grab the lock, makes it possible for the +following statement : + +if (test_bit(__QDISC_STATE_MISSED, &qdisc->state)) + +to be executed before an enqueue operation called before +qdisc_run_begin(). + +As a result the following race can happen : + + CPU 1 CPU 2 + + qdisc_run_begin() qdisc_run_begin() /* true */ + set(MISSED) . + /* returns false */ . + . /* sees MISSED = 1 */ + . /* so qdisc not empty */ + . __qdisc_run() + . . + . pfifo_fast_dequeue() + ----> /* may be done here */ . +| . clear(MISSED) +| . . +| . smp_mb __after_atomic(); +| . . +| . /* recheck the queue */ +| . /* nothing => exit */ +| enqueue(skb1) +| . +| qdisc_run_begin() +| . +| spin_trylock() /* fail */ +| . +| smp_mb__before_atomic() /* not enough */ +| . + ---- if (test_bit(MISSED)) + return false; /* exit */ + +In the above scenario, CPU 1 and CPU 2 both try to grab the +qdisc->seqlock at the same time. Only CPU 2 succeeds and enters the +bypass code path, where it emits its skb then calls __qdisc_run(). + +CPU1 fails, sets MISSED and goes down the traditionnal enqueue() + +dequeue() code path. But when executing qdisc_run_begin() for the +second time, after enqueuing its skbuff, it sees the MISSED bit still +set (by itself) and consequently chooses to exit early without setting +it again nor trying to grab the spinlock again. + +Meanwhile CPU2 has seen MISSED = 1, cleared it, checked the queue +and found it empty, so it returned. + +At the end of the sequence, we end up with skb1 enqueued in the +backlog, both CPUs out of __dev_xmit_skb(), the MISSED bit not set, +and no __netif_schedule() called made. skb1 will now linger in the +qdisc until somebody later performs a full __qdisc_run(). Associated +to the bypass capacity of the qdisc, and the ability of the TCP layer +to avoid resending packets which it knows are still in the qdisc, this +can lead to serious traffic "holes" in a TCP connection. + +We fix this by replacing the smp_mb__before_atomic() / test_bit() / +set_bit() / smp_mb__after_atomic() sequence inside qdisc_run_begin() +by a single test_and_set_bit() call, which is more concise and +enforces the needed memory barriers. + +Fixes: 89837eb4b246 ("net: sched: add barrier to ensure correct ordering for lockless qdisc") +Signed-off-by: Vincent Ray +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20220526001746.2437669-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sch_generic.h | 36 ++++++++---------------------------- + 1 file changed, 8 insertions(+), 28 deletions(-) + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index 472843eedbae..4fe0892dde1a 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -187,37 +187,17 @@ static inline bool qdisc_run_begin(struct Qdisc *qdisc) + if (spin_trylock(&qdisc->seqlock)) + return true; + +- /* Paired with smp_mb__after_atomic() to make sure +- * STATE_MISSED checking is synchronized with clearing +- * in pfifo_fast_dequeue(). ++ /* No need to insist if the MISSED flag was already set. ++ * Note that test_and_set_bit() also gives us memory ordering ++ * guarantees wrt potential earlier enqueue() and below ++ * spin_trylock(), both of which are necessary to prevent races + */ +- smp_mb__before_atomic(); +- +- /* If the MISSED flag is set, it means other thread has +- * set the MISSED flag before second spin_trylock(), so +- * we can return false here to avoid multi cpus doing +- * the set_bit() and second spin_trylock() concurrently. +- */ +- if (test_bit(__QDISC_STATE_MISSED, &qdisc->state)) ++ if (test_and_set_bit(__QDISC_STATE_MISSED, &qdisc->state)) + return false; + +- /* Set the MISSED flag before the second spin_trylock(), +- * if the second spin_trylock() return false, it means +- * other cpu holding the lock will do dequeuing for us +- * or it will see the MISSED flag set after releasing +- * lock and reschedule the net_tx_action() to do the +- * dequeuing. +- */ +- set_bit(__QDISC_STATE_MISSED, &qdisc->state); +- +- /* spin_trylock() only has load-acquire semantic, so use +- * smp_mb__after_atomic() to ensure STATE_MISSED is set +- * before doing the second spin_trylock(). +- */ +- smp_mb__after_atomic(); +- +- /* Retry again in case other CPU may not see the new flag +- * after it releases the lock at the end of qdisc_run_end(). ++ /* Try to take the lock again to make sure that we will either ++ * grab it or the CPU that still has it will see MISSED set ++ * when testing it in qdisc_run_end() + */ + return spin_trylock(&qdisc->seqlock); + } +-- +2.35.1 + diff --git a/queue-5.17/net-smc-fixes-for-converting-from-struct-smc_cdc_tx_.patch b/queue-5.17/net-smc-fixes-for-converting-from-struct-smc_cdc_tx_.patch new file mode 100644 index 00000000000..c5036d6d1ee --- /dev/null +++ b/queue-5.17/net-smc-fixes-for-converting-from-struct-smc_cdc_tx_.patch @@ -0,0 +1,37 @@ +From 63dd88db7c2fb1a974ac1d6cdb6323e566b0154d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 May 2022 14:54:57 +0800 +Subject: net/smc: fixes for converting from "struct smc_cdc_tx_pend **" to + "struct smc_wr_tx_pend_priv *" + +From: Guangguan Wang + +[ Upstream commit e225c9a5a74b12e9ef8516f30a3db2c7eb866ee1 ] + +"struct smc_cdc_tx_pend **" can not directly convert +to "struct smc_wr_tx_pend_priv *". + +Fixes: 2bced6aefa3d ("net/smc: put slot when connection is killed") +Signed-off-by: Guangguan Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/smc_cdc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/smc/smc_cdc.c b/net/smc/smc_cdc.c +index 9d5a97168969..93042ef6869b 100644 +--- a/net/smc/smc_cdc.c ++++ b/net/smc/smc_cdc.c +@@ -72,7 +72,7 @@ int smc_cdc_get_free_slot(struct smc_connection *conn, + /* abnormal termination */ + if (!rc) + smc_wr_tx_put_slot(link, +- (struct smc_wr_tx_pend_priv *)pend); ++ (struct smc_wr_tx_pend_priv *)(*pend)); + rc = -EPIPE; + } + return rc; +-- +2.35.1 + diff --git a/queue-5.17/net-smc-set-ini-smcrv2.ib_dev_v2-to-null-if-smc-rv2-.patch b/queue-5.17/net-smc-set-ini-smcrv2.ib_dev_v2-to-null-if-smc-rv2-.patch new file mode 100644 index 00000000000..8e6de1c21bb --- /dev/null +++ b/queue-5.17/net-smc-set-ini-smcrv2.ib_dev_v2-to-null-if-smc-rv2-.patch @@ -0,0 +1,39 @@ +From c235dfbee43b6eb1cb2449e4267cbf863a13c9f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 May 2022 16:54:08 +0800 +Subject: net/smc: set ini->smcrv2.ib_dev_v2 to NULL if SMC-Rv2 is unavailable + +From: liuyacan + +[ Upstream commit b3b1a17538d3ef6a9667b2271216fd16d7678ab5 ] + +In the process of checking whether RDMAv2 is available, the current +implementation first sets ini->smcrv2.ib_dev_v2, and then allocates +smc buf desc and register rmb, but the latter may fail. In this case, +the pointer should be reset. + +Fixes: e49300a6bf62 ("net/smc: add listen processing for SMC-Rv2") +Signed-off-by: liuyacan +Reviewed-by: Karsten Graul +Link: https://lore.kernel.org/r/20220525085408.812273-1-liuyacan@corp.netease.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index b9fe31834354..4bc6b16669f3 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -1973,6 +1973,7 @@ static void smc_find_rdma_v2_device_serv(struct smc_sock *new_smc, + + not_found: + ini->smcr_version &= ~SMC_V2; ++ ini->smcrv2.ib_dev_v2 = NULL; + ini->check_smcrv2 = false; + } + +-- +2.35.1 + diff --git a/queue-5.17/nfp-only-report-pause-frame-configuration-for-physic.patch b/queue-5.17/nfp-only-report-pause-frame-configuration-for-physic.patch new file mode 100644 index 00000000000..8f70c051445 --- /dev/null +++ b/queue-5.17/nfp-only-report-pause-frame-configuration-for-physic.patch @@ -0,0 +1,46 @@ +From 95fdf5ee455171b852805ef5c7b1782e1a2f7aeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 May 2022 20:24:24 +0200 +Subject: nfp: only report pause frame configuration for physical device + +From: Yu Xiao + +[ Upstream commit 0649e4d63420ebc8cbebef3e9d39e12ffc5eb9fa ] + +Only report pause frame configuration for physical device. Logical +port of both PCI PF and PCI VF do not support it. + +Fixes: 9fdc5d85a8fe ("nfp: update ethtool reporting of pauseframe control") +Signed-off-by: Yu Xiao +Signed-off-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c +index e0c27471bcdb..5e2631aafdb6 100644 +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c +@@ -287,8 +287,6 @@ nfp_net_get_link_ksettings(struct net_device *netdev, + + /* Init to unknowns */ + ethtool_link_ksettings_add_link_mode(cmd, supported, FIBRE); +- ethtool_link_ksettings_add_link_mode(cmd, supported, Pause); +- ethtool_link_ksettings_add_link_mode(cmd, advertising, Pause); + cmd->base.port = PORT_OTHER; + cmd->base.speed = SPEED_UNKNOWN; + cmd->base.duplex = DUPLEX_UNKNOWN; +@@ -296,6 +294,8 @@ nfp_net_get_link_ksettings(struct net_device *netdev, + port = nfp_port_from_netdev(netdev); + eth_port = nfp_port_get_eth_port(port); + if (eth_port) { ++ ethtool_link_ksettings_add_link_mode(cmd, supported, Pause); ++ ethtool_link_ksettings_add_link_mode(cmd, advertising, Pause); + cmd->base.autoneg = eth_port->aneg != NFP_ANEG_DISABLED ? + AUTONEG_ENABLE : AUTONEG_DISABLE; + nfp_net_set_fec_link_mode(eth_port, cmd); +-- +2.35.1 + diff --git a/queue-5.17/octeontx2-af-fix-error-code-in-is_valid_offset.patch b/queue-5.17/octeontx2-af-fix-error-code-in-is_valid_offset.patch new file mode 100644 index 00000000000..26cdf03ffe0 --- /dev/null +++ b/queue-5.17/octeontx2-af-fix-error-code-in-is_valid_offset.patch @@ -0,0 +1,37 @@ +From aa025ee9fef377791d1e3587d0cf6752dff2f252 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 May 2022 10:28:45 +0300 +Subject: octeontx2-af: fix error code in is_valid_offset() + +From: Dan Carpenter + +[ Upstream commit f3d671c711097a133bc36bd2bde52f1fcca783a6 ] + +The is_valid_offset() function returns success/true if the call to +validate_and_get_cpt_blkaddr() fails. + +Fixes: ecad2ce8c48f ("octeontx2-af: cn10k: Add mailbox to configure reassembly timeout") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YpXDrTPb8qV01JSP@kili +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c +index a73a8017e0ee..e3a317442c8c 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c +@@ -579,7 +579,7 @@ static bool is_valid_offset(struct rvu *rvu, struct cpt_rd_wr_reg_msg *req) + + blkaddr = validate_and_get_cpt_blkaddr(req->blkaddr); + if (blkaddr < 0) +- return blkaddr; ++ return false; + + /* Registers that can be accessed from PF/VF */ + if ((offset & 0xFF000) == CPT_AF_LFX_CTL(0) || +-- +2.35.1 + diff --git a/queue-5.17/pcmcia-db1xxx_ss-restrict-to-mips_db1xxx-boards.patch b/queue-5.17/pcmcia-db1xxx_ss-restrict-to-mips_db1xxx-boards.patch new file mode 100644 index 00000000000..739f9102f0c --- /dev/null +++ b/queue-5.17/pcmcia-db1xxx_ss-restrict-to-mips_db1xxx-boards.patch @@ -0,0 +1,48 @@ +From d25dd473fda772b1dcfcfc4f7720769341f0a5a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jan 2022 09:40:31 -0800 +Subject: pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards + +From: Randy Dunlap + +[ Upstream commit 3928cf08334ed895a31458cbebd8d4ec6d84c080 ] + +When the MIPS_ALCHEMY board selection is MIPS_XXS1500 instead of +MIPS_DB1XXX, the PCMCIA driver 'db1xxx_ss' has build errors due +to missing DB1XXX symbols. The PCMCIA driver should be restricted +to MIPS_DB1XXX instead of MIPS_ALCHEMY to fix this build error. + +ERROR: modpost: "bcsr_read" [drivers/pcmcia/db1xxx_ss.ko] undefined! +ERROR: modpost: "bcsr_mod" [drivers/pcmcia/db1xxx_ss.ko] undefined! + +Fixes: 42a4f17dc356 ("MIPS: Alchemy: remove SOC_AU1X00 in favor of MIPS_ALCHEMY") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Arnd Bergmann +Cc: Daniel Vetter +Cc: Kees Cook +Cc: Thomas Bogendoerfer +Cc: linux-mips@vger.kernel.org +Acked-by: Manuel Lauss +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pcmcia/Kconfig b/drivers/pcmcia/Kconfig +index ab53eab635f6..1740a63b814d 100644 +--- a/drivers/pcmcia/Kconfig ++++ b/drivers/pcmcia/Kconfig +@@ -151,7 +151,7 @@ config TCIC + + config PCMCIA_ALCHEMY_DEVBOARD + tristate "Alchemy Db/Pb1xxx PCMCIA socket services" +- depends on MIPS_ALCHEMY && PCMCIA ++ depends on MIPS_DB1XXX && PCMCIA + help + Enable this driver of you want PCMCIA support on your Alchemy + Db1000, Db/Pb1100, Db/Pb1500, Db/Pb1550, Db/Pb1200, DB1300 +-- +2.35.1 + diff --git a/queue-5.17/perf-c2c-fix-sorting-in-percent_rmt_hitm_cmp.patch b/queue-5.17/perf-c2c-fix-sorting-in-percent_rmt_hitm_cmp.patch new file mode 100644 index 00000000000..d38431cabdf --- /dev/null +++ b/queue-5.17/perf-c2c-fix-sorting-in-percent_rmt_hitm_cmp.patch @@ -0,0 +1,49 @@ +From b81d1168310c9af6f3798c9e1ea518615835e0e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 16:42:53 +0800 +Subject: perf c2c: Fix sorting in percent_rmt_hitm_cmp() + +From: Leo Yan + +[ Upstream commit b24192a17337abbf3f44aaa75e15df14a2d0016e ] + +The function percent_rmt_hitm_cmp() wrongly uses local HITMs for +sorting remote HITMs. + +Since this function is to sort cache lines for remote HITMs, this patch +changes to use 'rmt_hitm' field for correct sorting. + +Fixes: 9cb3500afc0980c5 ("perf c2c report: Add hitm/store percent related sort keys") +Signed-off-by: Leo Yan +Acked-by: Namhyung Kim +Cc: Alexander Shishkin +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Joe Mario +Cc: Mark Rutland +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20220530084253.750190-1-leo.yan@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-c2c.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-c2c.c b/tools/perf/builtin-c2c.c +index d8ec683b06a5..4e0c385427a4 100644 +--- a/tools/perf/builtin-c2c.c ++++ b/tools/perf/builtin-c2c.c +@@ -924,8 +924,8 @@ percent_rmt_hitm_cmp(struct perf_hpp_fmt *fmt __maybe_unused, + double per_left; + double per_right; + +- per_left = PERCENT(left, lcl_hitm); +- per_right = PERCENT(right, lcl_hitm); ++ per_left = PERCENT(left, rmt_hitm); ++ per_right = PERCENT(right, rmt_hitm); + + return per_left - per_right; + } +-- +2.35.1 + diff --git a/queue-5.17/perf-evsel-fixes-topdown-events-in-a-weak-group-for-.patch b/queue-5.17/perf-evsel-fixes-topdown-events-in-a-weak-group-for-.patch new file mode 100644 index 00000000000..f6e6ae7e3e8 --- /dev/null +++ b/queue-5.17/perf-evsel-fixes-topdown-events-in-a-weak-group-for-.patch @@ -0,0 +1,146 @@ +From 7fa4e92667ce3fe6600183c83754e7a325c8bf3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 07:38:57 -0700 +Subject: perf evsel: Fixes topdown events in a weak group for the hybrid + platform + +From: Kan Liang + +[ Upstream commit 39d5f412da84784bcc7f39ed49e55376be526fc7 ] + +The patch ("perf evlist: Keep topdown counters in weak group") fixes the +perf metrics topdown event issue when the topdown events are in a weak +group on a non-hybrid platform. However, it doesn't work for the hybrid +platform. + + $./perf stat -e '{cpu_core/slots/,cpu_core/topdown-bad-spec/, + cpu_core/topdown-be-bound/,cpu_core/topdown-fe-bound/, + cpu_core/topdown-retiring/,cpu_core/branch-instructions/, + cpu_core/branch-misses/,cpu_core/bus-cycles/,cpu_core/cache-misses/, + cpu_core/cache-references/,cpu_core/cpu-cycles/,cpu_core/instructions/, + cpu_core/mem-loads/,cpu_core/mem-stores/,cpu_core/ref-cycles/, + cpu_core/cache-misses/,cpu_core/cache-references/}:W' -a sleep 1 + + Performance counter stats for 'system wide': + + 751,765,068 cpu_core/slots/ (84.07%) + cpu_core/topdown-bad-spec/ + cpu_core/topdown-be-bound/ + cpu_core/topdown-fe-bound/ + cpu_core/topdown-retiring/ + 12,398,197 cpu_core/branch-instructions/ (84.07%) + 1,054,218 cpu_core/branch-misses/ (84.24%) + 539,764,637 cpu_core/bus-cycles/ (84.64%) + 14,683 cpu_core/cache-misses/ (84.87%) + 7,277,809 cpu_core/cache-references/ (77.30%) + 222,299,439 cpu_core/cpu-cycles/ (77.28%) + 63,661,714 cpu_core/instructions/ (84.85%) + 0 cpu_core/mem-loads/ (77.29%) + 12,271,725 cpu_core/mem-stores/ (77.30%) + 542,241,102 cpu_core/ref-cycles/ (84.85%) + 8,854 cpu_core/cache-misses/ (76.71%) + 7,179,013 cpu_core/cache-references/ (76.31%) + + 1.003245250 seconds time elapsed + +A hybrid platform has a different PMU name for the core PMUs, while +the current perf hard code the PMU name "cpu". + +The evsel->pmu_name can be used to replace the "cpu" to fix the issue. +For a hybrid platform, the pmu_name must be non-NULL. Because there are +at least two core PMUs. The PMU has to be specified. +For a non-hybrid platform, the pmu_name may be NULL. Because there is +only one core PMU, "cpu". For a NULL pmu_name, we can safely assume that +it is a "cpu" PMU. + +In case other PMUs also define the "slots" event, checking the PMU type +as well. + +With the patch, + + $ perf stat -e '{cpu_core/slots/,cpu_core/topdown-bad-spec/, + cpu_core/topdown-be-bound/,cpu_core/topdown-fe-bound/, + cpu_core/topdown-retiring/,cpu_core/branch-instructions/, + cpu_core/branch-misses/,cpu_core/bus-cycles/,cpu_core/cache-misses/, + cpu_core/cache-references/,cpu_core/cpu-cycles/,cpu_core/instructions/, + cpu_core/mem-loads/,cpu_core/mem-stores/,cpu_core/ref-cycles/, + cpu_core/cache-misses/,cpu_core/cache-references/}:W' -a sleep 1 + + Performance counter stats for 'system wide': + + 766,620,266 cpu_core/slots/ (84.06%) + 73,172,129 cpu_core/topdown-bad-spec/ # 9.5% bad speculation (84.06%) + 193,443,341 cpu_core/topdown-be-bound/ # 25.0% backend bound (84.06%) + 403,940,929 cpu_core/topdown-fe-bound/ # 52.3% frontend bound (84.06%) + 102,070,237 cpu_core/topdown-retiring/ # 13.2% retiring (84.06%) + 12,364,429 cpu_core/branch-instructions/ (84.03%) + 1,080,124 cpu_core/branch-misses/ (84.24%) + 564,120,383 cpu_core/bus-cycles/ (84.65%) + 36,979 cpu_core/cache-misses/ (84.86%) + 7,298,094 cpu_core/cache-references/ (77.30%) + 227,174,372 cpu_core/cpu-cycles/ (77.31%) + 63,886,523 cpu_core/instructions/ (84.87%) + 0 cpu_core/mem-loads/ (77.31%) + 12,208,782 cpu_core/mem-stores/ (77.31%) + 566,409,738 cpu_core/ref-cycles/ (84.87%) + 23,118 cpu_core/cache-misses/ (76.71%) + 7,212,602 cpu_core/cache-references/ (76.29%) + + 1.003228667 seconds time elapsed + +Signed-off-by: Kan Liang +Acked-by: Ian Rogers +Cc: Adrian Hunter +Cc: Andi Kleen +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Xing Zhengjun +Link: https://lore.kernel.org/r/20220518143900.1493980-2-kan.liang@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/arch/x86/util/evsel.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/arch/x86/util/evsel.c b/tools/perf/arch/x86/util/evsel.c +index 0c9e56ab07b5..ff4561b7b600 100644 +--- a/tools/perf/arch/x86/util/evsel.c ++++ b/tools/perf/arch/x86/util/evsel.c +@@ -31,10 +31,29 @@ void arch_evsel__fixup_new_cycles(struct perf_event_attr *attr) + free(env.cpuid); + } + ++/* Check whether the evsel's PMU supports the perf metrics */ ++static bool evsel__sys_has_perf_metrics(const struct evsel *evsel) ++{ ++ const char *pmu_name = evsel->pmu_name ? evsel->pmu_name : "cpu"; ++ ++ /* ++ * The PERF_TYPE_RAW type is the core PMU type, e.g., "cpu" PMU ++ * on a non-hybrid machine, "cpu_core" PMU on a hybrid machine. ++ * The slots event is only available for the core PMU, which ++ * supports the perf metrics feature. ++ * Checking both the PERF_TYPE_RAW type and the slots event ++ * should be good enough to detect the perf metrics feature. ++ */ ++ if ((evsel->core.attr.type == PERF_TYPE_RAW) && ++ pmu_have_event(pmu_name, "slots")) ++ return true; ++ ++ return false; ++} ++ + bool arch_evsel__must_be_in_group(const struct evsel *evsel) + { +- if ((evsel->pmu_name && strcmp(evsel->pmu_name, "cpu")) || +- !pmu_have_event("cpu", "slots")) ++ if (!evsel__sys_has_perf_metrics(evsel)) + return false; + + return evsel->name && +-- +2.35.1 + diff --git a/queue-5.17/perf-parse-events-move-slots-event-for-the-hybrid-pl.patch b/queue-5.17/perf-parse-events-move-slots-event-for-the-hybrid-pl.patch new file mode 100644 index 00000000000..5fbc449aa29 --- /dev/null +++ b/queue-5.17/perf-parse-events-move-slots-event-for-the-hybrid-pl.patch @@ -0,0 +1,143 @@ +From 75d145dda5dff6cecdc72020317ea8307e33b224 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 07:39:00 -0700 +Subject: perf parse-events: Move slots event for the hybrid platform too + +From: Kan Liang + +[ Upstream commit e0e14cdff31d326f81e0edbd5140f788c870756c ] + +The commit 94dbfd6781a0e87b ("perf parse-events: Architecture specific +leader override") introduced a feature to reorder the slots event to +fulfill the restriction of the perf metrics topdown group. But the +feature doesn't work on the hybrid machine. + + $ perf stat -e "{cpu_core/instructions/,cpu_core/slots/,cpu_core/topdown-retiring/}" -a sleep 1 + + Performance counter stats for 'system wide': + + cpu_core/instructions/ + cpu_core/slots/ + cpu_core/topdown-retiring/ + + 1.002871801 seconds time elapsed + +A hybrid platform has a different PMU name for the core PMUs, while +current perf hard code the PMU name "cpu". + +Introduce a new function to check whether the system supports the perf +metrics feature. The result is cached for the future usage. + +For X86, the core PMU name always has "cpu" prefix. + +With the patch: + + $ perf stat -e "{cpu_core/instructions/,cpu_core/slots/,cpu_core/topdown-retiring/}" -a sleep 1 + + Performance counter stats for 'system wide': + + 76,337,010 cpu_core/slots/ + 10,416,809 cpu_core/instructions/ + 11,692,372 cpu_core/topdown-retiring/ + + 1.002805453 seconds time elapsed + +Reviewed-by: Ian Rogers +Signed-off-by: Kan Liang +Cc: Adrian Hunter +Cc: Andi Kleen +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Xing Zhengjun +Link: https://lore.kernel.org/r/20220518143900.1493980-5-kan.liang@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/arch/x86/util/evlist.c | 5 +++-- + tools/perf/arch/x86/util/topdown.c | 25 +++++++++++++++++++++++++ + tools/perf/arch/x86/util/topdown.h | 7 +++++++ + 3 files changed, 35 insertions(+), 2 deletions(-) + create mode 100644 tools/perf/arch/x86/util/topdown.h + +diff --git a/tools/perf/arch/x86/util/evlist.c b/tools/perf/arch/x86/util/evlist.c +index 75564a7df15b..68f681ad54c1 100644 +--- a/tools/perf/arch/x86/util/evlist.c ++++ b/tools/perf/arch/x86/util/evlist.c +@@ -3,6 +3,7 @@ + #include "util/pmu.h" + #include "util/evlist.h" + #include "util/parse-events.h" ++#include "topdown.h" + + #define TOPDOWN_L1_EVENTS "{slots,topdown-retiring,topdown-bad-spec,topdown-fe-bound,topdown-be-bound}" + #define TOPDOWN_L2_EVENTS "{slots,topdown-retiring,topdown-bad-spec,topdown-fe-bound,topdown-be-bound,topdown-heavy-ops,topdown-br-mispredict,topdown-fetch-lat,topdown-mem-bound}" +@@ -25,12 +26,12 @@ struct evsel *arch_evlist__leader(struct list_head *list) + + first = list_first_entry(list, struct evsel, core.node); + +- if (!pmu_have_event("cpu", "slots")) ++ if (!topdown_sys_has_perf_metrics()) + return first; + + /* If there is a slots event and a topdown event then the slots event comes first. */ + __evlist__for_each_entry(list, evsel) { +- if (evsel->pmu_name && !strcmp(evsel->pmu_name, "cpu") && evsel->name) { ++ if (evsel->pmu_name && !strncmp(evsel->pmu_name, "cpu", 3) && evsel->name) { + if (strcasestr(evsel->name, "slots")) { + slots = evsel; + if (slots == first) +diff --git a/tools/perf/arch/x86/util/topdown.c b/tools/perf/arch/x86/util/topdown.c +index 2f3d96aa92a5..f4d5422e9960 100644 +--- a/tools/perf/arch/x86/util/topdown.c ++++ b/tools/perf/arch/x86/util/topdown.c +@@ -3,6 +3,31 @@ + #include "api/fs/fs.h" + #include "util/pmu.h" + #include "util/topdown.h" ++#include "topdown.h" ++ ++/* Check whether there is a PMU which supports the perf metrics. */ ++bool topdown_sys_has_perf_metrics(void) ++{ ++ static bool has_perf_metrics; ++ static bool cached; ++ struct perf_pmu *pmu; ++ ++ if (cached) ++ return has_perf_metrics; ++ ++ /* ++ * The perf metrics feature is a core PMU feature. ++ * The PERF_TYPE_RAW type is the type of a core PMU. ++ * The slots event is only available when the core PMU ++ * supports the perf metrics feature. ++ */ ++ pmu = perf_pmu__find_by_type(PERF_TYPE_RAW); ++ if (pmu && pmu_have_event(pmu->name, "slots")) ++ has_perf_metrics = true; ++ ++ cached = true; ++ return has_perf_metrics; ++} + + /* + * Check whether we can use a group for top down. +diff --git a/tools/perf/arch/x86/util/topdown.h b/tools/perf/arch/x86/util/topdown.h +new file mode 100644 +index 000000000000..46bf9273e572 +--- /dev/null ++++ b/tools/perf/arch/x86/util/topdown.h +@@ -0,0 +1,7 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef _TOPDOWN_H ++#define _TOPDOWN_H 1 ++ ++bool topdown_sys_has_perf_metrics(void); ++ ++#endif +-- +2.35.1 + diff --git a/queue-5.17/perf-record-support-sample-read-topdown-metric-group.patch b/queue-5.17/perf-record-support-sample-read-topdown-metric-group.patch new file mode 100644 index 00000000000..bfebd2fcc0b --- /dev/null +++ b/queue-5.17/perf-record-support-sample-read-topdown-metric-group.patch @@ -0,0 +1,144 @@ +From d15f4a113e411b9910d30cd3d6a3c3b8325bb200 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 23:36:03 +0800 +Subject: perf record: Support sample-read topdown metric group for hybrid + platforms + +From: Zhengjun Xing + +[ Upstream commit 151e7d75036b4e2ac0f33730bc1a5b3ff424d9a7 ] + +With the hardware TopDown metrics feature, the sample-read feature should +be supported for a TopDown group, e.g., sample a non-topdown event and read +a Topdown metric group. But the current perf record code errors are out. + +For a TopDown metric group,the slots event must be the leader of the group, +but the leader slots event doesn't support sampling. To support sample-read +the TopDown metric group, uses the 2nd event of the group as the "leader" +for the purposes of sampling. + +Only the platform with the TopDown metric feature supports sample-read the +topdown group. In commit acb65150a47c ("perf record: Support sample-read +topdown metric group"), it adds arch_topdown_sample_read() to indicate +whether the TopDown group supports sample-read, it should only work on the +non-hybrid systems, this patch extends the support for hybrid platforms. + +Before: + + # ./perf record -e "{cpu_core/slots/,cpu_core/cycles/,cpu_core/topdown-retiring/}:S" -a sleep 1 + Error: + The sys_perf_event_open() syscall returned with 22 (Invalid argument) for event (cpu_core/topdown-retiring/). + /bin/dmesg | grep -i perf may provide additional information. + +After: + + # ./perf record -e "{cpu_core/slots/,cpu_core/cycles/,cpu_core/topdown-retiring/}:S" -a sleep 1 + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.238 MB perf.data (369 samples) ] + +Fixes: acb65150a47c2bae ("perf record: Support sample-read topdown metric group") +Reviewed-by: Kan Liang +Signed-off-by: Zhengjun Xing +Acked-by: Ian Rogers +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20220602153603.1884710-1-zhengjun.xing@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/arch/x86/util/evsel.c | 3 ++- + tools/perf/arch/x86/util/evsel.h | 7 +++++++ + tools/perf/arch/x86/util/topdown.c | 21 ++++----------------- + 3 files changed, 13 insertions(+), 18 deletions(-) + create mode 100644 tools/perf/arch/x86/util/evsel.h + +diff --git a/tools/perf/arch/x86/util/evsel.c b/tools/perf/arch/x86/util/evsel.c +index ff4561b7b600..3501399cef35 100644 +--- a/tools/perf/arch/x86/util/evsel.c ++++ b/tools/perf/arch/x86/util/evsel.c +@@ -5,6 +5,7 @@ + #include "util/env.h" + #include "util/pmu.h" + #include "linux/string.h" ++#include "evsel.h" + + void arch_evsel__set_sample_weight(struct evsel *evsel) + { +@@ -32,7 +33,7 @@ void arch_evsel__fixup_new_cycles(struct perf_event_attr *attr) + } + + /* Check whether the evsel's PMU supports the perf metrics */ +-static bool evsel__sys_has_perf_metrics(const struct evsel *evsel) ++bool evsel__sys_has_perf_metrics(const struct evsel *evsel) + { + const char *pmu_name = evsel->pmu_name ? evsel->pmu_name : "cpu"; + +diff --git a/tools/perf/arch/x86/util/evsel.h b/tools/perf/arch/x86/util/evsel.h +new file mode 100644 +index 000000000000..19ad1691374d +--- /dev/null ++++ b/tools/perf/arch/x86/util/evsel.h +@@ -0,0 +1,7 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef _EVSEL_H ++#define _EVSEL_H 1 ++ ++bool evsel__sys_has_perf_metrics(const struct evsel *evsel); ++ ++#endif +diff --git a/tools/perf/arch/x86/util/topdown.c b/tools/perf/arch/x86/util/topdown.c +index f4d5422e9960..f81a7cfe4d63 100644 +--- a/tools/perf/arch/x86/util/topdown.c ++++ b/tools/perf/arch/x86/util/topdown.c +@@ -4,6 +4,7 @@ + #include "util/pmu.h" + #include "util/topdown.h" + #include "topdown.h" ++#include "evsel.h" + + /* Check whether there is a PMU which supports the perf metrics. */ + bool topdown_sys_has_perf_metrics(void) +@@ -55,33 +56,19 @@ void arch_topdown_group_warn(void) + + #define TOPDOWN_SLOTS 0x0400 + +-static bool is_topdown_slots_event(struct evsel *counter) +-{ +- if (!counter->pmu_name) +- return false; +- +- if (strcmp(counter->pmu_name, "cpu")) +- return false; +- +- if (counter->core.attr.config == TOPDOWN_SLOTS) +- return true; +- +- return false; +-} +- + /* + * Check whether a topdown group supports sample-read. + * +- * Only Topdown metic supports sample-read. The slots ++ * Only Topdown metric supports sample-read. The slots + * event must be the leader of the topdown group. + */ + + bool arch_topdown_sample_read(struct evsel *leader) + { +- if (!pmu_have_event("cpu", "slots")) ++ if (!evsel__sys_has_perf_metrics(leader)) + return false; + +- if (is_topdown_slots_event(leader)) ++ if (leader->core.attr.config == TOPDOWN_SLOTS) + return true; + + return false; +-- +2.35.1 + diff --git a/queue-5.17/phy-qcom-qmp-fix-pipe-clock-imbalance-on-power-on-fa.patch b/queue-5.17/phy-qcom-qmp-fix-pipe-clock-imbalance-on-power-on-fa.patch new file mode 100644 index 00000000000..455b10581db --- /dev/null +++ b/queue-5.17/phy-qcom-qmp-fix-pipe-clock-imbalance-on-power-on-fa.patch @@ -0,0 +1,40 @@ +From d87287445948bb7c482cc4e03a1b78a4ef344b30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 May 2022 15:31:29 +0200 +Subject: phy: qcom-qmp: fix pipe-clock imbalance on power-on failure + +From: Johan Hovold + +[ Upstream commit 5e73b2d9867998278479ccc065a8a8227a5513ef ] + +Make sure to disable the pipe clock also if ufs-reset deassertion fails +during power on. + +Note that the ufs-reset is asserted in qcom_qmp_phy_com_exit(). + +Fixes: c9b589791fc1 ("phy: qcom: Utilize UFS reset controller") +Cc: Evan Green +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220502133130.4125-2-johan+linaro@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-qmp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qmp.c b/drivers/phy/qualcomm/phy-qcom-qmp.c +index c2b878128e2c..7493fd634c1d 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qmp.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp.c +@@ -5246,7 +5246,7 @@ static int qcom_qmp_phy_power_on(struct phy *phy) + + ret = reset_control_deassert(qmp->ufs_reset); + if (ret) +- goto err_lane_rst; ++ goto err_pcs_ready; + + qcom_qmp_phy_configure(pcs_misc, cfg->regs, cfg->pcs_misc_tbl, + cfg->pcs_misc_tbl_num); +-- +2.35.1 + diff --git a/queue-5.17/phy-rockchip-inno-usb2-fix-muxed-interrupt-support.patch b/queue-5.17/phy-rockchip-inno-usb2-fix-muxed-interrupt-support.patch new file mode 100644 index 00000000000..b5103bcd969 --- /dev/null +++ b/queue-5.17/phy-rockchip-inno-usb2-fix-muxed-interrupt-support.patch @@ -0,0 +1,52 @@ +From 8fc8df56c4cc915db761babe8e02e3453a719fe7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Apr 2022 22:22:52 -0500 +Subject: phy: rockchip-inno-usb2: Fix muxed interrupt support + +From: Samuel Holland + +[ Upstream commit 6a98df08ccd55e87947d253b19925691763e755c ] + +This commit fixes two issues with the muxed interrupt handler. First, +the OTG port has the "bvalid" interrupt enabled, not "linestate". Since +only the linestate interrupt was handled, and not the bvalid interrupt, +plugging in a cable to the OTG port caused an interrupt storm. + +Second, the return values from the individual port IRQ handlers need to +be OR-ed together. Otherwise, the lack of an interrupt from the last +port would cause the handler to erroneously return IRQ_NONE. + +Fixes: ed2b5a8e6b98 ("phy: phy-rockchip-inno-usb2: support muxed interrupts") +Signed-off-by: Samuel Holland +Tested-by: Michael Riesch +Link: https://lore.kernel.org/r/20220414032258.40984-2-samuel@sholland.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c +index eca77e44a4c1..cba5c32cbaee 100644 +--- a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c ++++ b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c +@@ -940,8 +940,14 @@ static irqreturn_t rockchip_usb2phy_irq(int irq, void *data) + if (!rport->phy) + continue; + +- /* Handle linestate irq for both otg port and host port */ +- ret = rockchip_usb2phy_linestate_irq(irq, rport); ++ switch (rport->port_id) { ++ case USB2PHY_PORT_OTG: ++ ret |= rockchip_usb2phy_otg_mux_irq(irq, rport); ++ break; ++ case USB2PHY_PORT_HOST: ++ ret |= rockchip_usb2phy_linestate_irq(irq, rport); ++ break; ++ } + } + + return ret; +-- +2.35.1 + diff --git a/queue-5.17/platform-finally-disallow-irq0-in-platform_get_irq-a.patch b/queue-5.17/platform-finally-disallow-irq0-in-platform_get_irq-a.patch new file mode 100644 index 00000000000..92350eed2b9 --- /dev/null +++ b/queue-5.17/platform-finally-disallow-irq0-in-platform_get_irq-a.patch @@ -0,0 +1,55 @@ +From fc32121eed7d2ef5aae923d1f0e6f8ee762e8c8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Mar 2022 22:35:29 +0300 +Subject: platform: finally disallow IRQ0 in platform_get_irq() and its ilk + +From: Sergey Shtylyov + +[ Upstream commit ce753ad1549cbe9ccaea4c06a1f5fa47432c8289 ] + +The commit a85a6c86c25b ("driver core: platform: Clarify that IRQ 0 is +invalid") only calls WARN() when IRQ0 is about to be returned, however +using IRQ0 is considered invalid (according to Linus) outside the arch/ +code where it's used by the i8253 drivers. Many driver subsystems treat +0 specially (e.g. as an indication of the polling mode by libata), so +the users of platform_get_irq[_byname]() in them would have to filter +out IRQ0 explicitly and this (quite obviously) doesn't scale... +Let's finally get this straight and return -EINVAL instead of IRQ0! + +Fixes: a85a6c86c25b ("driver core: platform: Clarify that IRQ 0 is invalid") +Acked-by: Marc Zyngier +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/025679e1-1f0a-ae4b-4369-01164f691511@omp.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/platform.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/base/platform.c b/drivers/base/platform.c +index 6cb04ac48bf0..d7e14363e417 100644 +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -231,7 +231,8 @@ int platform_get_irq_optional(struct platform_device *dev, unsigned int num) + out_not_found: + ret = -ENXIO; + out: +- WARN(ret == 0, "0 is an invalid IRQ number\n"); ++ if (WARN(!ret, "0 is an invalid IRQ number\n")) ++ return -EINVAL; + return ret; + } + EXPORT_SYMBOL_GPL(platform_get_irq_optional); +@@ -446,7 +447,8 @@ static int __platform_get_irq_byname(struct platform_device *dev, + + r = platform_get_resource_byname(dev, IORESOURCE_IRQ, name); + if (r) { +- WARN(r->start == 0, "0 is an invalid IRQ number\n"); ++ if (WARN(!r->start, "0 is an invalid IRQ number\n")) ++ return -EINVAL; + return r->start; + } + +-- +2.35.1 + diff --git a/queue-5.17/power-supply-ab8500_fg-allocate-wq-in-probe.patch b/queue-5.17/power-supply-ab8500_fg-allocate-wq-in-probe.patch new file mode 100644 index 00000000000..e5fc4394940 --- /dev/null +++ b/queue-5.17/power-supply-ab8500_fg-allocate-wq-in-probe.patch @@ -0,0 +1,80 @@ +From 1c3426658a549e2d9fed8845b55dc3f2de07550d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Apr 2022 19:27:27 +0200 +Subject: power: supply: ab8500_fg: Allocate wq in probe + +From: Linus Walleij + +[ Upstream commit 010ddb813f3554cbbf8bd13b731452236a2c8017 ] + +The workqueue is allocated in bind() but all interrupts are +registered in probe(). + +Some interrupts put work on the workqueue, which can have +bad side effects. + +Allocate the workqueue in probe() instead, destroy it in +.remove() and make unbind() simply flush the workqueue. + +Fixes: 1c1f13a006ed ("power: supply: ab8500: Move to componentized binding") +Signed-off-by: Linus Walleij +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/ab8500_fg.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/power/supply/ab8500_fg.c b/drivers/power/supply/ab8500_fg.c +index 09a4cbd69676..23adcb597ff9 100644 +--- a/drivers/power/supply/ab8500_fg.c ++++ b/drivers/power/supply/ab8500_fg.c +@@ -2995,13 +2995,6 @@ static int ab8500_fg_bind(struct device *dev, struct device *master, + { + struct ab8500_fg *di = dev_get_drvdata(dev); + +- /* Create a work queue for running the FG algorithm */ +- di->fg_wq = alloc_ordered_workqueue("ab8500_fg_wq", WQ_MEM_RECLAIM); +- if (di->fg_wq == NULL) { +- dev_err(dev, "failed to create work queue\n"); +- return -ENOMEM; +- } +- + di->bat_cap.max_mah_design = di->bm->bi->charge_full_design_uah; + di->bat_cap.max_mah = di->bat_cap.max_mah_design; + di->vbat_nom_uv = di->bm->bi->voltage_max_design_uv; +@@ -3025,8 +3018,7 @@ static void ab8500_fg_unbind(struct device *dev, struct device *master, + if (ret) + dev_err(dev, "failed to disable coulomb counter\n"); + +- destroy_workqueue(di->fg_wq); +- flush_scheduled_work(); ++ flush_workqueue(di->fg_wq); + } + + static const struct component_ops ab8500_fg_component_ops = { +@@ -3070,6 +3062,13 @@ static int ab8500_fg_probe(struct platform_device *pdev) + ab8500_fg_charge_state_to(di, AB8500_FG_CHARGE_INIT); + ab8500_fg_discharge_state_to(di, AB8500_FG_DISCHARGE_INIT); + ++ /* Create a work queue for running the FG algorithm */ ++ di->fg_wq = alloc_ordered_workqueue("ab8500_fg_wq", WQ_MEM_RECLAIM); ++ if (di->fg_wq == NULL) { ++ dev_err(dev, "failed to create work queue\n"); ++ return -ENOMEM; ++ } ++ + /* Init work for running the fg algorithm instantly */ + INIT_WORK(&di->fg_work, ab8500_fg_instant_work); + +@@ -3181,6 +3180,8 @@ static int ab8500_fg_remove(struct platform_device *pdev) + int ret = 0; + struct ab8500_fg *di = platform_get_drvdata(pdev); + ++ destroy_workqueue(di->fg_wq); ++ flush_scheduled_work(); + component_del(&pdev->dev, &ab8500_fg_component_ops); + list_del(&di->node); + ab8500_fg_sysfs_exit(di); +-- +2.35.1 + diff --git a/queue-5.17/power-supply-axp288_fuel_gauge-drop-bios-version-che.patch b/queue-5.17/power-supply-axp288_fuel_gauge-drop-bios-version-che.patch new file mode 100644 index 00000000000..5eaa5739865 --- /dev/null +++ b/queue-5.17/power-supply-axp288_fuel_gauge-drop-bios-version-che.patch @@ -0,0 +1,39 @@ +From 2c1426cfc356e59f30c86e19e26357448143450d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 May 2022 13:12:35 +0200 +Subject: power: supply: axp288_fuel_gauge: Drop BIOS version check from "T3 + MRD" DMI quirk + +From: Hans de Goede + +[ Upstream commit f61509a6f0b70f5bedea34efaf8065621689bd7a ] + +Some "T3 MRD" mini-PCs / HDMI-sticks without a battery use a different +value then "5.11" for their DMI BIOS version field. + +Drop the BIOS version check so that the no-battery "T3 MRD" DMI quirk +applies to these too. + +Fixes: 3a06b912a5ce ("power: supply: axp288_fuel_gauge: Make "T3 MRD" no_battery_list DMI entry more generic") +Signed-off-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/axp288_fuel_gauge.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/power/supply/axp288_fuel_gauge.c b/drivers/power/supply/axp288_fuel_gauge.c +index ce8ffd0a41b5..68595897e72d 100644 +--- a/drivers/power/supply/axp288_fuel_gauge.c ++++ b/drivers/power/supply/axp288_fuel_gauge.c +@@ -600,7 +600,6 @@ static const struct dmi_system_id axp288_no_battery_list[] = { + DMI_MATCH(DMI_BOARD_NAME, "T3 MRD"), + DMI_MATCH(DMI_CHASSIS_TYPE, "3"), + DMI_MATCH(DMI_BIOS_VENDOR, "American Megatrends Inc."), +- DMI_MATCH(DMI_BIOS_VERSION, "5.11"), + }, + }, + {} +-- +2.35.1 + diff --git a/queue-5.17/pwm-lp3943-fix-duty-calculation-in-case-period-was-c.patch b/queue-5.17/pwm-lp3943-fix-duty-calculation-in-case-period-was-c.patch new file mode 100644 index 00000000000..55bc86ec003 --- /dev/null +++ b/queue-5.17/pwm-lp3943-fix-duty-calculation-in-case-period-was-c.patch @@ -0,0 +1,40 @@ +From 5f1ce3579644d46ff36747933f93bd034ac9d80e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Apr 2022 17:22:38 +0200 +Subject: pwm: lp3943: Fix duty calculation in case period was clamped +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 5e3b07ca5cc78cd4a987e78446849e41288d87cb ] + +The hardware only supports periods <= 1.6 ms and if a bigger period is +requested it is clamped to 1.6 ms. In this case duty_cycle might be bigger +than 1.6 ms and then the duty cycle register is written with a value +bigger than LP3943_MAX_DUTY. So clamp duty_cycle accordingly. + +Fixes: af66b3c0934e ("pwm: Add LP3943 PWM driver") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-lp3943.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pwm/pwm-lp3943.c b/drivers/pwm/pwm-lp3943.c +index ea17d446a627..2bd04ecb508c 100644 +--- a/drivers/pwm/pwm-lp3943.c ++++ b/drivers/pwm/pwm-lp3943.c +@@ -125,6 +125,7 @@ static int lp3943_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm, + if (err) + return err; + ++ duty_ns = min(duty_ns, period_ns); + val = (u8)(duty_ns * LP3943_MAX_DUTY / period_ns); + + return lp3943_write_byte(lp3943, reg_duty, val); +-- +2.35.1 + diff --git a/queue-5.17/pwm-raspberrypi-poe-fix-endianness-in-firmware-struc.patch b/queue-5.17/pwm-raspberrypi-poe-fix-endianness-in-firmware-struc.patch new file mode 100644 index 00000000000..7269e441224 --- /dev/null +++ b/queue-5.17/pwm-raspberrypi-poe-fix-endianness-in-firmware-struc.patch @@ -0,0 +1,46 @@ +From 16bc6bff86b6c27573ec361f49760417156c6d33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Apr 2022 17:38:46 +0200 +Subject: pwm: raspberrypi-poe: Fix endianness in firmware struct +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 09f688f0718f57f9cf68ee1aa94490f641e759ba ] + +The reg member of struct raspberrypi_pwm_prop is a little endian 32 bit +quantity. Explicitly convert the (native endian) value to little endian +on assignment as is already done in raspberrypi_pwm_set_property(). + +This fixes the following sparse warning: + + drivers/pwm/pwm-raspberrypi-poe.c:69:24: warning: incorrect type in initializer (different base types) + drivers/pwm/pwm-raspberrypi-poe.c:69:24: expected restricted __le32 [usertype] reg + drivers/pwm/pwm-raspberrypi-poe.c:69:24: got unsigned int [usertype] reg + +Fixes: 79caa362eab6 ("pwm: Add Raspberry Pi Firmware based PWM bus") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-raspberrypi-poe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pwm/pwm-raspberrypi-poe.c b/drivers/pwm/pwm-raspberrypi-poe.c +index 579a15240e0a..c877de37734d 100644 +--- a/drivers/pwm/pwm-raspberrypi-poe.c ++++ b/drivers/pwm/pwm-raspberrypi-poe.c +@@ -66,7 +66,7 @@ static int raspberrypi_pwm_get_property(struct rpi_firmware *firmware, + u32 reg, u32 *val) + { + struct raspberrypi_pwm_prop msg = { +- .reg = reg ++ .reg = cpu_to_le32(reg), + }; + int ret; + +-- +2.35.1 + diff --git a/queue-5.17/regulator-mt6315-regulator-fix-invalid-allowed-mode.patch b/queue-5.17/regulator-mt6315-regulator-fix-invalid-allowed-mode.patch new file mode 100644 index 00000000000..2ae36b8303d --- /dev/null +++ b/queue-5.17/regulator-mt6315-regulator-fix-invalid-allowed-mode.patch @@ -0,0 +1,53 @@ +From 7b4214c32c737c2f5eda8895ac67dbca077f31e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 May 2022 17:46:13 +0200 +Subject: regulator: mt6315-regulator: fix invalid allowed mode + +From: Fabien Parent + +[ Upstream commit 28cbc2d4c54c09a427b18a1604740efb6b2cc2d6 ] + +In the binding example, the regulator mode 4 is shown as a valid mode, +but the driver actually only support mode 0 to 2: + +This generates an error in dmesg when copy/pasting the binding example: +[ 0.306080] vbuck1: invalid regulator-allowed-modes element 4 +[ 0.307290] vbuck2: invalid regulator-allowed-modes element 4 + +This commit fixes this error by removing the invalid mode from the +examples. + +Fixes: 977fb5b58469 ("regulator: document binding for MT6315 regulator") +Signed-off-by: Fabien Parent +Link: https://lore.kernel.org/r/20220529154613.337559-1-fparent@baylibre.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/regulator/mt6315-regulator.yaml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Documentation/devicetree/bindings/regulator/mt6315-regulator.yaml b/Documentation/devicetree/bindings/regulator/mt6315-regulator.yaml +index 5d2d989de893..37402c370fbb 100644 +--- a/Documentation/devicetree/bindings/regulator/mt6315-regulator.yaml ++++ b/Documentation/devicetree/bindings/regulator/mt6315-regulator.yaml +@@ -55,7 +55,7 @@ examples: + regulator-min-microvolt = <300000>; + regulator-max-microvolt = <1193750>; + regulator-enable-ramp-delay = <256>; +- regulator-allowed-modes = <0 1 2 4>; ++ regulator-allowed-modes = <0 1 2>; + }; + + vbuck3 { +@@ -63,7 +63,7 @@ examples: + regulator-min-microvolt = <300000>; + regulator-max-microvolt = <1193750>; + regulator-enable-ramp-delay = <256>; +- regulator-allowed-modes = <0 1 2 4>; ++ regulator-allowed-modes = <0 1 2>; + }; + }; + }; +-- +2.35.1 + diff --git a/queue-5.17/remoteproc-imx_rproc-ignore-create-mem-entry-for-res.patch b/queue-5.17/remoteproc-imx_rproc-ignore-create-mem-entry-for-res.patch new file mode 100644 index 00000000000..fbb67377008 --- /dev/null +++ b/queue-5.17/remoteproc-imx_rproc-ignore-create-mem-entry-for-res.patch @@ -0,0 +1,39 @@ +From b0bc3f020b4afdfc6e97dd223b201c199facf22d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Apr 2022 10:57:37 +0800 +Subject: remoteproc: imx_rproc: Ignore create mem entry for resource table + +From: Peng Fan + +[ Upstream commit 58b7c856519fe946620ee68dd0c37bd3c695484a ] + +Resource table is used by Linux to get information published by +remote processor. It should be not be used for memory allocation, so +not create rproc mem entry. + +Fixes: b29b4249f8f0 ("remoteproc: imx_rproc: add i.MX specific parse fw hook") +Signed-off-by: Peng Fan +Link: https://lore.kernel.org/r/20220415025737.1561976-1-peng.fan@oss.nxp.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/imx_rproc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c +index 7a096f1891e6..91eb037089ef 100644 +--- a/drivers/remoteproc/imx_rproc.c ++++ b/drivers/remoteproc/imx_rproc.c +@@ -423,6 +423,9 @@ static int imx_rproc_prepare(struct rproc *rproc) + if (!strcmp(it.node->name, "vdev0buffer")) + continue; + ++ if (!strcmp(it.node->name, "rsc-table")) ++ continue; ++ + rmem = of_reserved_mem_lookup(it.node); + if (!rmem) { + dev_err(priv->dev, "unable to acquire memory-region\n"); +-- +2.35.1 + diff --git a/queue-5.17/riscv-read-only-pages-should-not-be-writable.patch b/queue-5.17/riscv-read-only-pages-should-not-be-writable.patch new file mode 100644 index 00000000000..d1acb8e2875 --- /dev/null +++ b/queue-5.17/riscv-read-only-pages-should-not-be-writable.patch @@ -0,0 +1,39 @@ +From d01d0c34238b7d63842211560e8cbb8fa444a466 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 May 2022 03:41:32 +0200 +Subject: riscv: read-only pages should not be writable + +From: Heinrich Schuchardt + +[ Upstream commit 630f972d76d6460235e84e1aa034ee06f9c8c3a9 ] + +If EFI pages are marked as read-only, +we should remove the _PAGE_WRITE flag. + +The current code overwrites an unused value. + +Fixes: b91540d52a08b ("RISC-V: Add EFI runtime services") +Signed-off-by: Heinrich Schuchardt +Link: https://lore.kernel.org/r/20220528014132.91052-1-heinrich.schuchardt@canonical.com +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/efi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/kernel/efi.c b/arch/riscv/kernel/efi.c +index 024159298231..1aa540350abd 100644 +--- a/arch/riscv/kernel/efi.c ++++ b/arch/riscv/kernel/efi.c +@@ -65,7 +65,7 @@ static int __init set_permissions(pte_t *ptep, unsigned long addr, void *data) + + if (md->attribute & EFI_MEMORY_RO) { + val = pte_val(pte) & ~_PAGE_WRITE; +- val = pte_val(pte) | _PAGE_READ; ++ val |= _PAGE_READ; + pte = __pte(val); + } + if (md->attribute & EFI_MEMORY_XP) { +-- +2.35.1 + diff --git a/queue-5.17/rpmsg-qcom_smd-fix-irq_of_parse_and_map-return-value.patch b/queue-5.17/rpmsg-qcom_smd-fix-irq_of_parse_and_map-return-value.patch new file mode 100644 index 00000000000..5875da564ad --- /dev/null +++ b/queue-5.17/rpmsg-qcom_smd-fix-irq_of_parse_and_map-return-value.patch @@ -0,0 +1,36 @@ +From 71c779db8d4e1f4adb2bc48ee89788a349b702a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Apr 2022 12:53:26 +0200 +Subject: rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value + +From: Krzysztof Kozlowski + +[ Upstream commit 1a358d35066487d228a68303d808bc4721c6b1b9 ] + +The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO. + +Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220422105326.78713-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/qcom_smd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c +index 540e027f08c4..d4b54eebe15d 100644 +--- a/drivers/rpmsg/qcom_smd.c ++++ b/drivers/rpmsg/qcom_smd.c +@@ -1404,7 +1404,7 @@ static int qcom_smd_parse_edge(struct device *dev, + edge->name = node->name; + + irq = irq_of_parse_and_map(node, 0); +- if (irq < 0) { ++ if (!irq) { + dev_err(dev, "required smd interrupt missing\n"); + ret = irq; + goto put_node; +-- +2.35.1 + diff --git a/queue-5.17/rpmsg-qcom_smd-fix-returning-0-if-irq_of_parse_and_m.patch b/queue-5.17/rpmsg-qcom_smd-fix-returning-0-if-irq_of_parse_and_m.patch new file mode 100644 index 00000000000..8c3c93231cf --- /dev/null +++ b/queue-5.17/rpmsg-qcom_smd-fix-returning-0-if-irq_of_parse_and_m.patch @@ -0,0 +1,37 @@ +From 3ec89d1266340e0c73c896e3a0f839aa7a162361 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Apr 2022 11:39:32 +0200 +Subject: rpmsg: qcom_smd: Fix returning 0 if irq_of_parse_and_map() fails + +From: Krzysztof Kozlowski + +[ Upstream commit 59d6f72f6f9c92fec8757d9e29527da828e9281f ] + +irq_of_parse_and_map() returns 0 on failure, so this should not be +passed further as error return code. + +Fixes: 1a358d350664 ("rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220423093932.32136-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/qcom_smd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c +index d4b54eebe15d..4ad90945518f 100644 +--- a/drivers/rpmsg/qcom_smd.c ++++ b/drivers/rpmsg/qcom_smd.c +@@ -1406,7 +1406,7 @@ static int qcom_smd_parse_edge(struct device *dev, + irq = irq_of_parse_and_map(node, 0); + if (!irq) { + dev_err(dev, "required smd interrupt missing\n"); +- ret = irq; ++ ret = -EINVAL; + goto put_node; + } + +-- +2.35.1 + diff --git a/queue-5.17/rpmsg-virtio-fix-possible-double-free-in-rpmsg_probe.patch b/queue-5.17/rpmsg-virtio-fix-possible-double-free-in-rpmsg_probe.patch new file mode 100644 index 00000000000..0d03da27897 --- /dev/null +++ b/queue-5.17/rpmsg-virtio-fix-possible-double-free-in-rpmsg_probe.patch @@ -0,0 +1,50 @@ +From 2597ad698645bb6a1d1fd1c5e9f1ff4392781e90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Apr 2022 14:05:34 +0800 +Subject: rpmsg: virtio: Fix possible double free in rpmsg_probe() + +From: Hangyu Hua + +[ Upstream commit c2eecefec5df1306eafce28ccdf1ca159a552ecc ] + +vch will be free in virtio_rpmsg_release_device() when +rpmsg_ns_register_device() fails. There is no need to call kfree() again. + +Fix this by changing error path from free_vch to free_ctrldev. + +Fixes: c486682ae1e2 ("rpmsg: virtio: Register the rpmsg_char device") +Signed-off-by: Hangyu Hua +Tested-by: Arnaud Pouliquen +Link: https://lore.kernel.org/r/20220426060536.15594-2-hbh25y@gmail.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/virtio_rpmsg_bus.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/rpmsg/virtio_rpmsg_bus.c b/drivers/rpmsg/virtio_rpmsg_bus.c +index ac764e04c898..1c39e9c4fa02 100644 +--- a/drivers/rpmsg/virtio_rpmsg_bus.c ++++ b/drivers/rpmsg/virtio_rpmsg_bus.c +@@ -973,7 +973,8 @@ static int rpmsg_probe(struct virtio_device *vdev) + + err = rpmsg_ns_register_device(rpdev_ns); + if (err) +- goto free_vch; ++ /* vch will be free in virtio_rpmsg_release_device() */ ++ goto free_ctrldev; + } + + /* +@@ -997,8 +998,6 @@ static int rpmsg_probe(struct virtio_device *vdev) + + return 0; + +-free_vch: +- kfree(vch); + free_ctrldev: + rpmsg_virtio_del_ctrl_dev(rpdev_ctrl); + free_coherent: +-- +2.35.1 + diff --git a/queue-5.17/rpmsg-virtio-fix-possible-double-free-in-rpmsg_virti.patch b/queue-5.17/rpmsg-virtio-fix-possible-double-free-in-rpmsg_virti.patch new file mode 100644 index 00000000000..9559b5ff030 --- /dev/null +++ b/queue-5.17/rpmsg-virtio-fix-possible-double-free-in-rpmsg_virti.patch @@ -0,0 +1,40 @@ +From 9fb98a9e9a6c89366758878873436abe7e3e4e70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Apr 2022 14:05:35 +0800 +Subject: rpmsg: virtio: Fix possible double free in + rpmsg_virtio_add_ctrl_dev() + +From: Hangyu Hua + +[ Upstream commit 1680939e9ecf7764fba8689cfb3429c2fe2bb23c ] + +vch will be free in virtio_rpmsg_release_device() when +rpmsg_ctrldev_register_device() fails. There is no need to call +kfree() again. + +Fixes: c486682ae1e2 ("rpmsg: virtio: Register the rpmsg_char device") +Signed-off-by: Hangyu Hua +Tested-by: Arnaud Pouliquen +Link: https://lore.kernel.org/r/20220426060536.15594-3-hbh25y@gmail.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/virtio_rpmsg_bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rpmsg/virtio_rpmsg_bus.c b/drivers/rpmsg/virtio_rpmsg_bus.c +index 1c39e9c4fa02..99e0de65733a 100644 +--- a/drivers/rpmsg/virtio_rpmsg_bus.c ++++ b/drivers/rpmsg/virtio_rpmsg_bus.c +@@ -851,7 +851,7 @@ static struct rpmsg_device *rpmsg_virtio_add_ctrl_dev(struct virtio_device *vdev + + err = rpmsg_chrdev_register_device(rpdev_ctrl); + if (err) { +- kfree(vch); ++ /* vch will be free in virtio_rpmsg_release_device() */ + return ERR_PTR(err); + } + +-- +2.35.1 + diff --git a/queue-5.17/rpmsg-virtio-fix-the-unregistration-of-the-device-rp.patch b/queue-5.17/rpmsg-virtio-fix-the-unregistration-of-the-device-rp.patch new file mode 100644 index 00000000000..7c7d755b50f --- /dev/null +++ b/queue-5.17/rpmsg-virtio-fix-the-unregistration-of-the-device-rp.patch @@ -0,0 +1,40 @@ +From 8de377b43441e2821aae769a26b7287bd036cebb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Apr 2022 14:05:36 +0800 +Subject: rpmsg: virtio: Fix the unregistration of the device rpmsg_ctrl + +From: Arnaud Pouliquen + +[ Upstream commit df191796985922488e4e6b64f7bd79c3934412f2 ] + +Unregister the rpmsg_ctrl device instead of just freeing the +the virtio_rpmsg_channel structure. +This will properly unregister the device and call +virtio_rpmsg_release_device() that frees the structure. + +Fixes: c486682ae1e2 ("rpmsg: virtio: Register the rpmsg_char device") +Signed-off-by: Arnaud Pouliquen +Reviewed-by: Hangyu Hua +Link: https://lore.kernel.org/r/20220426060536.15594-4-hbh25y@gmail.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/virtio_rpmsg_bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rpmsg/virtio_rpmsg_bus.c b/drivers/rpmsg/virtio_rpmsg_bus.c +index 99e0de65733a..ed26e9226834 100644 +--- a/drivers/rpmsg/virtio_rpmsg_bus.c ++++ b/drivers/rpmsg/virtio_rpmsg_bus.c +@@ -862,7 +862,7 @@ static void rpmsg_virtio_del_ctrl_dev(struct rpmsg_device *rpdev_ctrl) + { + if (!rpdev_ctrl) + return; +- kfree(to_virtio_rpmsg_channel(rpdev_ctrl)); ++ device_unregister(&rpdev_ctrl->dev); + } + + static int rpmsg_probe(struct virtio_device *vdev) +-- +2.35.1 + diff --git a/queue-5.17/rtc-ftrtc010-fix-error-handling-in-ftrtc010_rtc_prob.patch b/queue-5.17/rtc-ftrtc010-fix-error-handling-in-ftrtc010_rtc_prob.patch new file mode 100644 index 00000000000..050301185d0 --- /dev/null +++ b/queue-5.17/rtc-ftrtc010-fix-error-handling-in-ftrtc010_rtc_prob.patch @@ -0,0 +1,94 @@ +From c6da704c0659fe0dac4b8b3f028852c19f19e69b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Apr 2022 05:49:12 +0000 +Subject: rtc: ftrtc010: Fix error handling in ftrtc010_rtc_probe + +From: Miaoqian Lin + +[ Upstream commit b520cbe5be37b1b9b401c0b6ecbdae32575273db ] + +In the error handling path, the clk_prepare_enable() function +call should be balanced by a corresponding 'clk_disable_unprepare()' +call , as already done in the remove function. + +clk_disable_unprepare calls clk_disable() and clk_unprepare(). +They will use IS_ERR_OR_NULL to check the argument. + +Fixes: ac05fba39cc5 ("rtc: gemini: Add optional clock handling") +Signed-off-by: Miaoqian Lin +Reviewed-by: Linus Walleij +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20220403054912.31739-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-ftrtc010.c | 34 ++++++++++++++++++++++++---------- + 1 file changed, 24 insertions(+), 10 deletions(-) + +diff --git a/drivers/rtc/rtc-ftrtc010.c b/drivers/rtc/rtc-ftrtc010.c +index 53bb08fe1cd4..25c6e7d9570f 100644 +--- a/drivers/rtc/rtc-ftrtc010.c ++++ b/drivers/rtc/rtc-ftrtc010.c +@@ -137,26 +137,34 @@ static int ftrtc010_rtc_probe(struct platform_device *pdev) + ret = clk_prepare_enable(rtc->extclk); + if (ret) { + dev_err(dev, "failed to enable EXTCLK\n"); +- return ret; ++ goto err_disable_pclk; + } + } + + rtc->rtc_irq = platform_get_irq(pdev, 0); +- if (rtc->rtc_irq < 0) +- return rtc->rtc_irq; ++ if (rtc->rtc_irq < 0) { ++ ret = rtc->rtc_irq; ++ goto err_disable_extclk; ++ } + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- if (!res) +- return -ENODEV; ++ if (!res) { ++ ret = -ENODEV; ++ goto err_disable_extclk; ++ } + + rtc->rtc_base = devm_ioremap(dev, res->start, + resource_size(res)); +- if (!rtc->rtc_base) +- return -ENOMEM; ++ if (!rtc->rtc_base) { ++ ret = -ENOMEM; ++ goto err_disable_extclk; ++ } + + rtc->rtc_dev = devm_rtc_allocate_device(dev); +- if (IS_ERR(rtc->rtc_dev)) +- return PTR_ERR(rtc->rtc_dev); ++ if (IS_ERR(rtc->rtc_dev)) { ++ ret = PTR_ERR(rtc->rtc_dev); ++ goto err_disable_extclk; ++ } + + rtc->rtc_dev->ops = &ftrtc010_rtc_ops; + +@@ -172,9 +180,15 @@ static int ftrtc010_rtc_probe(struct platform_device *pdev) + ret = devm_request_irq(dev, rtc->rtc_irq, ftrtc010_rtc_interrupt, + IRQF_SHARED, pdev->name, dev); + if (unlikely(ret)) +- return ret; ++ goto err_disable_extclk; + + return devm_rtc_register_device(rtc->rtc_dev); ++ ++err_disable_extclk: ++ clk_disable_unprepare(rtc->extclk); ++err_disable_pclk: ++ clk_disable_unprepare(rtc->pclk); ++ return ret; + } + + static int ftrtc010_rtc_remove(struct platform_device *pdev) +-- +2.35.1 + diff --git a/queue-5.17/rtc-mt6397-check-return-value-after-calling-platform.patch b/queue-5.17/rtc-mt6397-check-return-value-after-calling-platform.patch new file mode 100644 index 00000000000..29760b58e7a --- /dev/null +++ b/queue-5.17/rtc-mt6397-check-return-value-after-calling-platform.patch @@ -0,0 +1,38 @@ +From 0a1b33672b1b39cf89b48ac1c29011fa6415511e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 May 2022 20:50:43 +0800 +Subject: rtc: mt6397: check return value after calling platform_get_resource() + +From: Yang Yingliang + +[ Upstream commit d3b43eb505bffb8e4cdf6800c15660c001553fe6 ] + +It will cause null-ptr-deref if platform_get_resource() returns NULL, +we need check the return value. + +Fixes: fc2979118f3f ("rtc: mediatek: Add MT6397 RTC driver") +Signed-off-by: Yang Yingliang +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20220505125043.1594771-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-mt6397.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/rtc/rtc-mt6397.c b/drivers/rtc/rtc-mt6397.c +index 80dc479a6ff0..1d297af80f87 100644 +--- a/drivers/rtc/rtc-mt6397.c ++++ b/drivers/rtc/rtc-mt6397.c +@@ -269,6 +269,8 @@ static int mtk_rtc_probe(struct platform_device *pdev) + return -ENOMEM; + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (!res) ++ return -EINVAL; + rtc->addr_base = res->start; + + rtc->data = of_device_get_match_data(&pdev->dev); +-- +2.35.1 + diff --git a/queue-5.17/s390-crypto-fix-scatterwalk_unmap-callers-in-aes-gcm.patch b/queue-5.17/s390-crypto-fix-scatterwalk_unmap-callers-in-aes-gcm.patch new file mode 100644 index 00000000000..933d4928f23 --- /dev/null +++ b/queue-5.17/s390-crypto-fix-scatterwalk_unmap-callers-in-aes-gcm.patch @@ -0,0 +1,52 @@ +From 07874d0fa3795869558d911c7553d1f6361929c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 16:30:47 +0200 +Subject: s390/crypto: fix scatterwalk_unmap() callers in AES-GCM + +From: Jann Horn + +[ Upstream commit bd52cd5e23f134019b23f0c389db0f9a436e4576 ] + +The argument of scatterwalk_unmap() is supposed to be the void* that was +returned by the previous scatterwalk_map() call. +The s390 AES-GCM implementation was instead passing the pointer to the +struct scatter_walk. + +This doesn't actually break anything because scatterwalk_unmap() only uses +its argument under CONFIG_HIGHMEM and ARCH_HAS_FLUSH_ON_KUNMAP. + +Fixes: bf7fa038707c ("s390/crypto: add s390 platform specific aes gcm support.") +Signed-off-by: Jann Horn +Acked-by: Harald Freudenberger +Link: https://lore.kernel.org/r/20220517143047.3054498-1-jannh@google.com +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/crypto/aes_s390.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/crypto/aes_s390.c b/arch/s390/crypto/aes_s390.c +index 54c7536f2482..1023e9d43d44 100644 +--- a/arch/s390/crypto/aes_s390.c ++++ b/arch/s390/crypto/aes_s390.c +@@ -701,7 +701,7 @@ static inline void _gcm_sg_unmap_and_advance(struct gcm_sg_walk *gw, + unsigned int nbytes) + { + gw->walk_bytes_remain -= nbytes; +- scatterwalk_unmap(&gw->walk); ++ scatterwalk_unmap(gw->walk_ptr); + scatterwalk_advance(&gw->walk, nbytes); + scatterwalk_done(&gw->walk, 0, gw->walk_bytes_remain); + gw->walk_ptr = NULL; +@@ -776,7 +776,7 @@ static int gcm_out_walk_go(struct gcm_sg_walk *gw, unsigned int minbytesneeded) + goto out; + } + +- scatterwalk_unmap(&gw->walk); ++ scatterwalk_unmap(gw->walk_ptr); + gw->walk_ptr = NULL; + + gw->ptr = gw->buf; +-- +2.35.1 + diff --git a/queue-5.17/s390-mcck-isolate-sie-instruction-when-setting-cif_m.patch b/queue-5.17/s390-mcck-isolate-sie-instruction-when-setting-cif_m.patch new file mode 100644 index 00000000000..08a1a7c3956 --- /dev/null +++ b/queue-5.17/s390-mcck-isolate-sie-instruction-when-setting-cif_m.patch @@ -0,0 +1,57 @@ +From c50a20e46e355f798685a2eab253ad83af09f7d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 May 2022 12:38:14 +0200 +Subject: s390/mcck: isolate SIE instruction when setting CIF_MCCK_GUEST flag + +From: Alexander Gordeev + +[ Upstream commit 29ccaa4b35ea874ddd50518e5c2c746b9238a792 ] + +Commit d768bd892fc8 ("s390: add options to change branch prediction +behaviour for the kernel") introduced .Lsie_exit label - supposedly +to fence off SIE instruction. However, the corresponding address +range length .Lsie_crit_mcck_length was not updated, which led to +BPON code potentionally marked with CIF_MCCK_GUEST flag. + +Both .Lsie_exit and .Lsie_crit_mcck_length were removed with commit +0b0ed657fe00 ("s390: remove critical section cleanup from entry.S"), +but the issue persisted - currently BPOFF and BPENTER macros might +get wrongly considered by the machine check handler as a guest. + +Fixes: d768bd892fc8 ("s390: add options to change branch prediction behaviour for the kernel") +Reviewed-by: Sven Schnelle +Reviewed-by: Christian Borntraeger +Signed-off-by: Alexander Gordeev +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/entry.S | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S +index 01bae1d51113..3bf8aeeec96f 100644 +--- a/arch/s390/kernel/entry.S ++++ b/arch/s390/kernel/entry.S +@@ -264,6 +264,10 @@ ENTRY(sie64a) + BPEXIT __SF_SIE_FLAGS(%r15),(_TIF_ISOLATE_BP|_TIF_ISOLATE_BP_GUEST) + .Lsie_entry: + sie 0(%r14) ++# Let the next instruction be NOP to avoid triggering a machine check ++# and handling it in a guest as result of the instruction execution. ++ nopr 7 ++.Lsie_leave: + BPOFF + BPENTER __SF_SIE_FLAGS(%r15),(_TIF_ISOLATE_BP|_TIF_ISOLATE_BP_GUEST) + .Lsie_skip: +@@ -563,7 +567,7 @@ ENTRY(mcck_int_handler) + jno .Lmcck_panic + #if IS_ENABLED(CONFIG_KVM) + OUTSIDE %r9,.Lsie_gmap,.Lsie_done,6f +- OUTSIDE %r9,.Lsie_entry,.Lsie_skip,4f ++ OUTSIDE %r9,.Lsie_entry,.Lsie_leave,4f + oi __LC_CPU_FLAGS+7, _CIF_MCCK_GUEST + j 5f + 4: CHKSTG .Lmcck_panic +-- +2.35.1 + diff --git a/queue-5.17/scripts-get_abi-fix-wrong-script-file-name-in-the-he.patch b/queue-5.17/scripts-get_abi-fix-wrong-script-file-name-in-the-he.patch new file mode 100644 index 00000000000..05ba12c6d5c --- /dev/null +++ b/queue-5.17/scripts-get_abi-fix-wrong-script-file-name-in-the-he.patch @@ -0,0 +1,42 @@ +From 8236fb38130ddc96e337554ee42b0fe27833fc02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Apr 2022 12:16:36 +0000 +Subject: scripts/get_abi: Fix wrong script file name in the help message + +From: SeongJae Park + +[ Upstream commit 5b5bfecaa333fb6a0cce1bfc4852a622dacfed1d ] + +The help message of 'get_abi.pl' is mistakenly saying it's +'abi_book.pl'. This commit fixes the wrong name in the help message. + +Fixes: bbc249f2b859 ("scripts: add an script to parse the ABI files") +Signed-off-by: SeongJae Park +Link: https://lore.kernel.org/r/20220419121636.290407-1-sj@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + scripts/get_abi.pl | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/scripts/get_abi.pl b/scripts/get_abi.pl +index 6212f58b69c6..0cf501285204 100755 +--- a/scripts/get_abi.pl ++++ b/scripts/get_abi.pl +@@ -980,11 +980,11 @@ __END__ + + =head1 NAME + +-abi_book.pl - parse the Linux ABI files and produce a ReST book. ++get_abi.pl - parse the Linux ABI files and produce a ReST book. + + =head1 SYNOPSIS + +-B [--debug ] [--enable-lineno] [--man] [--help] ++B [--debug ] [--enable-lineno] [--man] [--help] + [--(no-)rst-source] [--dir=] [--show-hints] + [--search-string ] + [] +-- +2.35.1 + diff --git a/queue-5.17/scsi-sd-fix-potential-null-pointer-dereference.patch b/queue-5.17/scsi-sd-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..23c37816c10 --- /dev/null +++ b/queue-5.17/scsi-sd-fix-potential-null-pointer-dereference.patch @@ -0,0 +1,47 @@ +From 4050b77e2fe3f26328a222d713cf90065e62a822 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 15:25:43 +0900 +Subject: scsi: sd: Fix potential NULL pointer dereference + +From: Damien Le Moal + +[ Upstream commit 05fbde3a77a4f1d62e4c4428f384288c1f1a0be5 ] + +If sd_probe() sees an early error before sdkp->device is initialized, +sd_zbc_release_disk() is called. This causes a NULL pointer dereference +when sd_is_zoned() is called inside that function. Avoid this by removing +the call to sd_zbc_release_disk() in sd_probe() error path. + +This change is safe and does not result in zone information memory leakage +because the zone information for a zoned disk is allocated only when +sd_revalidate_disk() is called, at which point sdkp->disk_dev is fully set, +resulting in sd_disk_release() being called when needed to cleanup a disk +zone information using sd_zbc_release_disk(). + +Link: https://lore.kernel.org/r/20220601062544.905141-2-damien.lemoal@opensource.wdc.com +Fixes: 89d947561077 ("sd: Implement support for ZBC devices") +Reported-by: Dongliang Mu +Suggested-by: Christoph Hellwig +Reviewed-by: Christoph Hellwig +Signed-off-by: Damien Le Moal +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/sd.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index 8b5d2a4076c2..65b501859141 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -3605,7 +3605,6 @@ static int sd_probe(struct device *dev) + out_put: + put_disk(gd); + out_free: +- sd_zbc_release_disk(sdkp); + kfree(sdkp); + out: + scsi_autopm_put_device(sdp); +-- +2.35.1 + diff --git a/queue-5.17/selftests-bpf-fix-selftest-after-random-urandom_read.patch b/queue-5.17/selftests-bpf-fix-selftest-after-random-urandom_read.patch new file mode 100644 index 00000000000..485ba86c552 --- /dev/null +++ b/queue-5.17/selftests-bpf-fix-selftest-after-random-urandom_read.patch @@ -0,0 +1,53 @@ +From db4d344939fe78d8c295c3d8f377f0f9030b59ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Mar 2022 15:56:43 -0700 +Subject: selftests/bpf: fix selftest after random: Urandom_read tracepoint + removal + +From: Andrii Nakryiko + +[ Upstream commit 99dea2c664d7bc7e4f6f6947182d0d365165a998 ] + +14c174633f34 ("random: remove unused tracepoints") removed all the +tracepoints from drivers/char/random.c, one of which, +random:urandom_read, was used by stacktrace_build_id selftest to trigger +stack trace capture. + +Fix breakage by switching to kprobing urandom_read() function. + +Suggested-by: Yonghong Song +Signed-off-by: Andrii Nakryiko +Signed-off-by: Alexei Starovoitov +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20220325225643.2606-1-andrii@kernel.org +Signed-off-by: Sasha Levin +--- + .../selftests/bpf/progs/test_stacktrace_build_id.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +diff --git a/tools/testing/selftests/bpf/progs/test_stacktrace_build_id.c b/tools/testing/selftests/bpf/progs/test_stacktrace_build_id.c +index 36a707e7c7a7..6c62bfb8bb6f 100644 +--- a/tools/testing/selftests/bpf/progs/test_stacktrace_build_id.c ++++ b/tools/testing/selftests/bpf/progs/test_stacktrace_build_id.c +@@ -39,16 +39,8 @@ struct { + __type(value, stack_trace_t); + } stack_amap SEC(".maps"); + +-/* taken from /sys/kernel/debug/tracing/events/random/urandom_read/format */ +-struct random_urandom_args { +- unsigned long long pad; +- int got_bits; +- int pool_left; +- int input_left; +-}; +- +-SEC("tracepoint/random/urandom_read") +-int oncpu(struct random_urandom_args *args) ++SEC("kprobe/urandom_read") ++int oncpu(struct pt_regs *args) + { + __u32 max_len = sizeof(struct bpf_stack_build_id) + * PERF_MAX_STACK_DEPTH; +-- +2.35.1 + diff --git a/queue-5.17/selftests-bpf-fix-stacktrace_build_id-with-missing-k.patch b/queue-5.17/selftests-bpf-fix-stacktrace_build_id-with-missing-k.patch new file mode 100644 index 00000000000..ad8a74372e5 --- /dev/null +++ b/queue-5.17/selftests-bpf-fix-stacktrace_build_id-with-missing-k.patch @@ -0,0 +1,51 @@ +From 9a64f1aab8f7f606980fded71c5ce81d9023d1a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 May 2022 12:16:08 -0700 +Subject: selftests/bpf: fix stacktrace_build_id with missing + kprobe/urandom_read + +From: Song Liu + +[ Upstream commit 59ed76fe2f981bccde37bdddb465f260a96a2404 ] + +Kernel function urandom_read is replaced with urandom_read_iter. +Therefore, kprobe on urandom_read is not working any more: + +[root@eth50-1 bpf]# ./test_progs -n 161 +test_stacktrace_build_id:PASS:skel_open_and_load 0 nsec +libbpf: kprobe perf_event_open() failed: No such file or directory +libbpf: prog 'oncpu': failed to create kprobe 'urandom_read+0x0' \ + perf event: No such file or directory +libbpf: prog 'oncpu': failed to auto-attach: -2 +test_stacktrace_build_id:FAIL:attach_tp err -2 +161 stacktrace_build_id:FAIL + +Fix this by replacing urandom_read with urandom_read_iter in the test. + +Fixes: 1b388e7765f2 ("random: convert to using fops->read_iter()") +Reported-by: Mykola Lysenko +Signed-off-by: Song Liu +Acked-by: David Vernet +Link: https://lore.kernel.org/r/20220526191608.2364049-1-song@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/progs/test_stacktrace_build_id.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/progs/test_stacktrace_build_id.c b/tools/testing/selftests/bpf/progs/test_stacktrace_build_id.c +index 6c62bfb8bb6f..0c4426592a26 100644 +--- a/tools/testing/selftests/bpf/progs/test_stacktrace_build_id.c ++++ b/tools/testing/selftests/bpf/progs/test_stacktrace_build_id.c +@@ -39,7 +39,7 @@ struct { + __type(value, stack_trace_t); + } stack_amap SEC(".maps"); + +-SEC("kprobe/urandom_read") ++SEC("kprobe/urandom_read_iter") + int oncpu(struct pt_regs *args) + { + __u32 max_len = sizeof(struct bpf_stack_build_id) +-- +2.35.1 + diff --git a/queue-5.17/serial-8250_aspeed_vuart-fix-potential-null-derefere.patch b/queue-5.17/serial-8250_aspeed_vuart-fix-potential-null-derefere.patch new file mode 100644 index 00000000000..11f6d946aad --- /dev/null +++ b/queue-5.17/serial-8250_aspeed_vuart-fix-potential-null-derefere.patch @@ -0,0 +1,38 @@ +From 1f33eeaba2e3da2e43e5315ecbc85bd1da9d75b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Apr 2022 14:38:40 +0000 +Subject: serial: 8250_aspeed_vuart: Fix potential NULL dereference in + aspeed_vuart_probe + +From: Miaoqian Lin + +[ Upstream commit 0e0fd55719fa081de6f9e5d9e6cef48efb04d34a ] + +platform_get_resource() may fail and return NULL, so we should +better check it's return value to avoid a NULL pointer dereference. + +Fixes: 54da3e381c2b ("serial: 8250_aspeed_vuart: use UPF_IOREMAP to set up register mapping") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220404143842.16960-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_aspeed_vuart.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/tty/serial/8250/8250_aspeed_vuart.c b/drivers/tty/serial/8250/8250_aspeed_vuart.c +index c2cecc6f47db..179bb1375636 100644 +--- a/drivers/tty/serial/8250/8250_aspeed_vuart.c ++++ b/drivers/tty/serial/8250/8250_aspeed_vuart.c +@@ -429,6 +429,8 @@ static int aspeed_vuart_probe(struct platform_device *pdev) + timer_setup(&vuart->unthrottle_timer, aspeed_vuart_unthrottle_exp, 0); + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (!res) ++ return -EINVAL; + + memset(&port, 0, sizeof(port)); + port.port.private_data = vuart; +-- +2.35.1 + diff --git a/queue-5.17/serial-8250_fintek-check-ser_rs485_rts_-only-with-rs.patch b/queue-5.17/serial-8250_fintek-check-ser_rs485_rts_-only-with-rs.patch new file mode 100644 index 00000000000..93abf7a9140 --- /dev/null +++ b/queue-5.17/serial-8250_fintek-check-ser_rs485_rts_-only-with-rs.patch @@ -0,0 +1,61 @@ +From bc7d71a2429541406c54c02dacb7da5efa9ea894 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 May 2022 16:46:43 +0300 +Subject: serial: 8250_fintek: Check SER_RS485_RTS_* only with RS485 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit af0179270977508df6986b51242825d7edd59caf ] + +SER_RS485_RTS_ON_SEND and SER_RS485_RTS_AFTER_SEND relate to behavior +within RS485 operation. The driver checks if they have the same value +which is not possible to realize with the hardware. The check is taken +regardless of SER_RS485_ENABLED flag and -EINVAL is returned when the +check fails, which creates problems. + +This check makes it unnecessarily complicated to turn RS485 mode off as +simple zeroed serial_rs485 struct will trigger that equal values check. +In addition, the driver itself memsets its rs485 structure to zero when +RS485 is disabled but if userspace would try to make an TIOCSRS485 +ioctl() call with the very same struct, it would end up failing with +-EINVAL which doesn't make much sense. + +Resolve the problem by moving the check inside SER_RS485_ENABLED block. + +Fixes: 7ecc77011c6f ("serial: 8250_fintek: Return -EINVAL on invalid configuration") +Cc: Ricardo Ribalda Delgado +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/035c738-8ea5-8b17-b1d7-84a7b3aeaa51@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_fintek.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/tty/serial/8250/8250_fintek.c b/drivers/tty/serial/8250/8250_fintek.c +index 251f0018ae8c..dba5950b8d0e 100644 +--- a/drivers/tty/serial/8250/8250_fintek.c ++++ b/drivers/tty/serial/8250/8250_fintek.c +@@ -200,12 +200,12 @@ static int fintek_8250_rs485_config(struct uart_port *port, + if (!pdata) + return -EINVAL; + +- /* Hardware do not support same RTS level on send and receive */ +- if (!(rs485->flags & SER_RS485_RTS_ON_SEND) == +- !(rs485->flags & SER_RS485_RTS_AFTER_SEND)) +- return -EINVAL; + + if (rs485->flags & SER_RS485_ENABLED) { ++ /* Hardware do not support same RTS level on send and receive */ ++ if (!(rs485->flags & SER_RS485_RTS_ON_SEND) == ++ !(rs485->flags & SER_RS485_RTS_AFTER_SEND)) ++ return -EINVAL; + memset(rs485->padding, 0, sizeof(rs485->padding)); + config |= RS485_URA; + } else { +-- +2.35.1 + diff --git a/queue-5.17/serial-cpm_uart-fix-build-error-without-config_seria.patch b/queue-5.17/serial-cpm_uart-fix-build-error-without-config_seria.patch new file mode 100644 index 00000000000..dada0bd659a --- /dev/null +++ b/queue-5.17/serial-cpm_uart-fix-build-error-without-config_seria.patch @@ -0,0 +1,45 @@ +From f68d2e868593ce828d783fcee51d34cfe6fef9eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 21:54:52 +0800 +Subject: serial: cpm_uart: Fix build error without CONFIG_SERIAL_CPM_CONSOLE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: YueHaibing + +[ Upstream commit 0258502f11a4f6036b5f8b34b09027c8a92def3a ] + +drivers/tty/serial/cpm_uart/cpm_uart_core.c: In function ‘cpm_uart_init_port’: +drivers/tty/serial/cpm_uart/cpm_uart_core.c:1251:7: error: ‘udbg_port’ undeclared (first use in this function); did you mean ‘uart_port’? + if (!udbg_port) + ^~~~~~~~~ + uart_port + +commit d142585bceb3 leave this corner, wrap it with #ifdef block + +Fixes: d142585bceb3 ("serial: cpm_uart: Protect udbg definitions by CONFIG_SERIAL_CPM_CONSOLE") +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20220518135452.39480-1-yuehaibing@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/cpm_uart/cpm_uart_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/cpm_uart/cpm_uart_core.c b/drivers/tty/serial/cpm_uart/cpm_uart_core.c +index d6d3db9c3b1f..db07d6a5d764 100644 +--- a/drivers/tty/serial/cpm_uart/cpm_uart_core.c ++++ b/drivers/tty/serial/cpm_uart/cpm_uart_core.c +@@ -1247,7 +1247,7 @@ static int cpm_uart_init_port(struct device_node *np, + } + + #ifdef CONFIG_PPC_EARLY_DEBUG_CPM +-#ifdef CONFIG_CONSOLE_POLL ++#if defined(CONFIG_CONSOLE_POLL) && defined(CONFIG_SERIAL_CPM_CONSOLE) + if (!udbg_port) + #endif + udbg_putc = NULL; +-- +2.35.1 + diff --git a/queue-5.17/serial-digicolor-usart-don-t-allow-cs5-6.patch b/queue-5.17/serial-digicolor-usart-don-t-allow-cs5-6.patch new file mode 100644 index 00000000000..ab57fd0e43c --- /dev/null +++ b/queue-5.17/serial-digicolor-usart-don-t-allow-cs5-6.patch @@ -0,0 +1,46 @@ +From 3850b654bf3145045da2e9e9ef9a40f9ddbd8d4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 May 2022 11:18:01 +0300 +Subject: serial: digicolor-usart: Don't allow CS5-6 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit fd63031b8c0763addcecdefe0e0c59d49646204e ] + +Only CS7 and CS8 seem supported but CSIZE is not sanitized to CS8 in +the default: block. + +Set CSIZE correctly so that userspace knows the effective value. +Incorrect CSIZE also results in miscalculation of the frame bits in +tty_get_char_size() or in its predecessor where the roughly the same +code is directly within uart_update_timeout(). + +Fixes: 5930cb3511df (serial: driver for Conexant Digicolor USART) +Acked-by: Baruch Siach +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20220519081808.3776-3-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/digicolor-usart.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/tty/serial/digicolor-usart.c b/drivers/tty/serial/digicolor-usart.c +index c7f81aa1ce91..5fea9bf86e85 100644 +--- a/drivers/tty/serial/digicolor-usart.c ++++ b/drivers/tty/serial/digicolor-usart.c +@@ -309,6 +309,8 @@ static void digicolor_uart_set_termios(struct uart_port *port, + case CS8: + default: + config |= UA_CONFIG_CHAR_LEN; ++ termios->c_cflag &= ~CSIZE; ++ termios->c_cflag |= CS8; + break; + } + +-- +2.35.1 + diff --git a/queue-5.17/serial-meson-acquire-port-lock-in-startup.patch b/queue-5.17/serial-meson-acquire-port-lock-in-startup.patch new file mode 100644 index 00000000000..a09c6208bae --- /dev/null +++ b/queue-5.17/serial-meson-acquire-port-lock-in-startup.patch @@ -0,0 +1,98 @@ +From 4d51c7401dfc21adee3db65753f82a193c4d45c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 May 2022 12:41:47 +0206 +Subject: serial: meson: acquire port->lock in startup() + +From: John Ogness + +[ Upstream commit 589f892ac8ef244e47c5a00ffd8605daa1eaef8e ] + +The uart_ops startup() callback is called without interrupts +disabled and without port->lock locked, relatively late during the +boot process (from the call path of console_on_rootfs()). If the +device is a console, it was already previously registered and could +be actively printing messages. + +Since the startup() callback is reading/writing registers used by +the console write() callback (AML_UART_CONTROL), its access must +be synchronized using the port->lock. Currently it is not. + +The startup() callback is the only function that explicitly enables +interrupts. Without the synchronization, it is possible that +interrupts become accidentally permanently disabled. + +CPU0 CPU1 +meson_serial_console_write meson_uart_startup +-------------------------- ------------------ +spin_lock(port->lock) +val = readl(AML_UART_CONTROL) +uart_console_write() + writel(INT_EN, AML_UART_CONTROL) +writel(val, AML_UART_CONTROL) +spin_unlock(port->lock) + +Add port->lock synchronization to meson_uart_startup() to avoid +racing with meson_serial_console_write(). + +Also add detailed comments to meson_uart_reset() explaining why it +is *not* using port->lock synchronization. + +Link: https://lore.kernel.org/lkml/2a82eae7-a256-f70c-fd82-4e510750906e@samsung.com +Fixes: ff7693d079e5 ("ARM: meson: serial: add MesonX SoC on-chip uart driver") +Reported-by: Marek Szyprowski +Tested-by: Marek Szyprowski +Reviewed-by: Petr Mladek +Reviewed-by: Jiri Slaby +Acked-by: Neil Armstrong +Signed-off-by: John Ogness +Link: https://lore.kernel.org/r/20220508103547.626355-1-john.ogness@linutronix.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/meson_uart.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/tty/serial/meson_uart.c b/drivers/tty/serial/meson_uart.c +index 45e00d928253..54a6b488bc8c 100644 +--- a/drivers/tty/serial/meson_uart.c ++++ b/drivers/tty/serial/meson_uart.c +@@ -253,6 +253,14 @@ static const char *meson_uart_type(struct uart_port *port) + return (port->type == PORT_MESON) ? "meson_uart" : NULL; + } + ++/* ++ * This function is called only from probe() using a temporary io mapping ++ * in order to perform a reset before setting up the device. Since the ++ * temporarily mapped region was successfully requested, there can be no ++ * console on this port at this time. Hence it is not necessary for this ++ * function to acquire the port->lock. (Since there is no console on this ++ * port at this time, the port->lock is not initialized yet.) ++ */ + static void meson_uart_reset(struct uart_port *port) + { + u32 val; +@@ -267,9 +275,12 @@ static void meson_uart_reset(struct uart_port *port) + + static int meson_uart_startup(struct uart_port *port) + { ++ unsigned long flags; + u32 val; + int ret = 0; + ++ spin_lock_irqsave(&port->lock, flags); ++ + val = readl(port->membase + AML_UART_CONTROL); + val |= AML_UART_CLEAR_ERR; + writel(val, port->membase + AML_UART_CONTROL); +@@ -285,6 +296,8 @@ static int meson_uart_startup(struct uart_port *port) + val = (AML_UART_RECV_IRQ(1) | AML_UART_XMIT_IRQ(port->fifosize / 2)); + writel(val, port->membase + AML_UART_MISC); + ++ spin_unlock_irqrestore(&port->lock, flags); ++ + ret = request_irq(port->irq, meson_uart_interrupt, 0, + port->name, port); + +-- +2.35.1 + diff --git a/queue-5.17/serial-rda-uart-don-t-allow-cs5-6.patch b/queue-5.17/serial-rda-uart-don-t-allow-cs5-6.patch new file mode 100644 index 00000000000..4cd997746f3 --- /dev/null +++ b/queue-5.17/serial-rda-uart-don-t-allow-cs5-6.patch @@ -0,0 +1,46 @@ +From 764252742b5d3134605e948f9283e482f2d912f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 May 2022 11:18:02 +0300 +Subject: serial: rda-uart: Don't allow CS5-6 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 098333a9c7d12bb3ce44c82f08b4d810c44d31b0 ] + +Only CS7 and CS8 are supported but CSIZE is not sanitized after +fallthrough from CS5 or CS6 to CS7. + +Set CSIZE correctly so that userspace knows the effective value. +Incorrect CSIZE also results in miscalculation of the frame bits in +tty_get_char_size() or in its predecessor where the roughly the same +code is directly within uart_update_timeout(). + +Fixes: c10b13325ced (tty: serial: Add RDA8810PL UART driver) +Cc: Manivannan Sadhasivam +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20220519081808.3776-4-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/rda-uart.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/tty/serial/rda-uart.c b/drivers/tty/serial/rda-uart.c +index d550d8fa2fab..a8fe1c3ebcd9 100644 +--- a/drivers/tty/serial/rda-uart.c ++++ b/drivers/tty/serial/rda-uart.c +@@ -262,6 +262,8 @@ static void rda_uart_set_termios(struct uart_port *port, + fallthrough; + case CS7: + ctrl &= ~RDA_UART_DBITS_8; ++ termios->c_cflag &= ~CSIZE; ++ termios->c_cflag |= CS7; + break; + default: + ctrl |= RDA_UART_DBITS_8; +-- +2.35.1 + diff --git a/queue-5.17/serial-sh-sci-don-t-allow-cs5-6.patch b/queue-5.17/serial-sh-sci-don-t-allow-cs5-6.patch new file mode 100644 index 00000000000..8dab86dd1a4 --- /dev/null +++ b/queue-5.17/serial-sh-sci-don-t-allow-cs5-6.patch @@ -0,0 +1,50 @@ +From 5da9c4642cc8d89b7452f14354ab0c0018dc5f93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 May 2022 11:18:04 +0300 +Subject: serial: sh-sci: Don't allow CS5-6 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 9b87162de8be26bf3156460b37deee6399fd0fcb ] + +Only CS7 and CS8 seem supported but CSIZE is not sanitized from +CS5 or CS6 to CS8. + +Set CSIZE correctly so that userspace knows the effective value. +Incorrect CSIZE also results in miscalculation of the frame bits in +tty_get_char_size() or in its predecessor where the roughly the same +code is directly within uart_update_timeout(). + +Fixes: 1da177e4c3f4 (Linux-2.6.12-rc2) +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20220519081808.3776-6-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sh-sci.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c +index 968967d722d4..e55895f0a4ff 100644 +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -2379,8 +2379,12 @@ static void sci_set_termios(struct uart_port *port, struct ktermios *termios, + int best_clk = -1; + unsigned long flags; + +- if ((termios->c_cflag & CSIZE) == CS7) ++ if ((termios->c_cflag & CSIZE) == CS7) { + smr_val |= SCSMR_CHR; ++ } else { ++ termios->c_cflag &= ~CSIZE; ++ termios->c_cflag |= CS8; ++ } + if (termios->c_cflag & PARENB) + smr_val |= SCSMR_PE; + if (termios->c_cflag & PARODD) +-- +2.35.1 + diff --git a/queue-5.17/serial-sifive-report-actual-baud-base-rather-than-fi.patch b/queue-5.17/serial-sifive-report-actual-baud-base-rather-than-fi.patch new file mode 100644 index 00000000000..e2825748b35 --- /dev/null +++ b/queue-5.17/serial-sifive-report-actual-baud-base-rather-than-fi.patch @@ -0,0 +1,66 @@ +From a2cf24ea3d33eae8422c05b973811d63c36f4c8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Apr 2022 21:40:18 +0100 +Subject: serial: sifive: Report actual baud base rather than fixed 115200 + +From: Maciej W. Rozycki + +[ Upstream commit 0a7ff843d507ce2cca2c3b7e169ee56e28133530 ] + +The base baud value reported is supposed to be the highest baud rate +that can be set for a serial port. The SiFive FU740-C000 SOC's on-chip +UART supports baud rates of up to 1/16 of the input clock rate, which is +the bus clock `tlclk'[1], often at 130MHz in the case of the HiFive +Unmatched board. + +However the sifive UART driver reports a fixed value of 115200 instead: + +10010000.serial: ttySIF0 at MMIO 0x10010000 (irq = 1, base_baud = 115200) is a SiFive UART v0 +10011000.serial: ttySIF1 at MMIO 0x10011000 (irq = 2, base_baud = 115200) is a SiFive UART v0 + +even though we already support setting higher baud rates, e.g.: + +$ tty +/dev/ttySIF1 +$ stty speed +230400 + +The baud base value is computed by the serial core by dividing the UART +clock recorded in `struct uart_port' by 16, which is also the minimum +value of the clock divider supported, so correct the baud base value +reported by setting the UART clock recorded to the input clock rate +rather than 115200: + +10010000.serial: ttySIF0 at MMIO 0x10010000 (irq = 1, base_baud = 8125000) is a SiFive UART v0 +10011000.serial: ttySIF1 at MMIO 0x10011000 (irq = 2, base_baud = 8125000) is a SiFive UART v0 + +References: + +[1] "SiFive FU740-C000 Manual", v1p3, SiFive, Inc., August 13, 2021, + Section 16.9 "Baud Rate Divisor Register (div)", pp.143-144 + +Signed-off-by: Maciej W. Rozycki +Fixes: 1f1496a923b6 ("riscv: Fix sifive serial driver") +Link: https://lore.kernel.org/r/alpine.DEB.2.21.2204291656280.9383@angie.orcam.me.uk +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sifive.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/sifive.c b/drivers/tty/serial/sifive.c +index b79900d0e91a..fff0b7916f3d 100644 +--- a/drivers/tty/serial/sifive.c ++++ b/drivers/tty/serial/sifive.c +@@ -998,7 +998,7 @@ static int sifive_serial_probe(struct platform_device *pdev) + /* Set up clock divider */ + ssp->clkin_rate = clk_get_rate(ssp->clk); + ssp->baud_rate = SIFIVE_DEFAULT_BAUD_RATE; +- ssp->port.uartclk = ssp->baud_rate * 16; ++ ssp->port.uartclk = ssp->clkin_rate; + __ssp_update_div(ssp); + + platform_set_drvdata(pdev, ssp); +-- +2.35.1 + diff --git a/queue-5.17/serial-sifive-sanitize-csize-and-c_iflag.patch b/queue-5.17/serial-sifive-sanitize-csize-and-c_iflag.patch new file mode 100644 index 00000000000..56334c6b3c9 --- /dev/null +++ b/queue-5.17/serial-sifive-sanitize-csize-and-c_iflag.patch @@ -0,0 +1,58 @@ +From e628b588af2589f9eef3c36e75be2b670151da99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 May 2022 11:18:05 +0300 +Subject: serial: sifive: Sanitize CSIZE and c_iflag +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit c069d2756c01ed36121fae6a42c14fdf1325c71d ] + +Only CS8 is supported but CSIZE was not sanitized to CS8. + +Set CSIZE correctly so that userspace knows the effective value. +Incorrect CSIZE also results in miscalculation of the frame bits in +tty_get_char_size() or in its predecessor where the roughly the same +code is directly within uart_update_timeout(). + +Similarly, INPCK, PARMRK, and BRKINT are reported textually unsupported +but were not cleared in termios c_iflag which is the machine-readable +format. + +Fixes: 45c054d0815b (tty: serial: add driver for the SiFive UART) +Cc: Paul Walmsley +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20220519081808.3776-7-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sifive.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/sifive.c b/drivers/tty/serial/sifive.c +index fff0b7916f3d..cba44483cb03 100644 +--- a/drivers/tty/serial/sifive.c ++++ b/drivers/tty/serial/sifive.c +@@ -666,12 +666,16 @@ static void sifive_serial_set_termios(struct uart_port *port, + int rate; + char nstop; + +- if ((termios->c_cflag & CSIZE) != CS8) ++ if ((termios->c_cflag & CSIZE) != CS8) { + dev_err_once(ssp->port.dev, "only 8-bit words supported\n"); ++ termios->c_cflag &= ~CSIZE; ++ termios->c_cflag |= CS8; ++ } + if (termios->c_iflag & (INPCK | PARMRK)) + dev_err_once(ssp->port.dev, "parity checking not supported\n"); + if (termios->c_iflag & BRKINT) + dev_err_once(ssp->port.dev, "BREAK detection not supported\n"); ++ termios->c_iflag &= ~(INPCK|PARMRK|BRKINT); + + /* Set number of stop bits */ + nstop = (termios->c_cflag & CSTOPB) ? 2 : 1; +-- +2.35.1 + diff --git a/queue-5.17/serial-st-asc-sanitize-csize-and-correct-parenb-for-.patch b/queue-5.17/serial-st-asc-sanitize-csize-and-correct-parenb-for-.patch new file mode 100644 index 00000000000..10589eb98fd --- /dev/null +++ b/queue-5.17/serial-st-asc-sanitize-csize-and-correct-parenb-for-.patch @@ -0,0 +1,52 @@ +From 5f353f38bdd1dca94daeca76a484e25649eee703 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 May 2022 11:18:06 +0300 +Subject: serial: st-asc: Sanitize CSIZE and correct PARENB for CS7 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 52bb1cb7118564166b04d52387bd8403632f5190 ] + +Only CS7 and CS8 seem supported but CSIZE is not sanitized from CS5 or +CS6 to CS8. In addition, ASC_CTL_MODE_7BIT_PAR suggests that CS7 has +to have parity, thus add PARENB. + +Incorrect CSIZE results in miscalculation of the frame bits in +tty_get_char_size() or in its predecessor where the roughly the same +code is directly within uart_update_timeout(). + +Fixes: c4b058560762 (serial:st-asc: Add ST ASC driver.) +Cc: Srinivas Kandagatla +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20220519081808.3776-8-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/st-asc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/st-asc.c b/drivers/tty/serial/st-asc.c +index 87e480cc8206..5a45633aaea8 100644 +--- a/drivers/tty/serial/st-asc.c ++++ b/drivers/tty/serial/st-asc.c +@@ -535,10 +535,14 @@ static void asc_set_termios(struct uart_port *port, struct ktermios *termios, + /* set character length */ + if ((cflag & CSIZE) == CS7) { + ctrl_val |= ASC_CTL_MODE_7BIT_PAR; ++ cflag |= PARENB; + } else { + ctrl_val |= (cflag & PARENB) ? ASC_CTL_MODE_8BIT_PAR : + ASC_CTL_MODE_8BIT; ++ cflag &= ~CSIZE; ++ cflag |= CS8; + } ++ termios->c_cflag = cflag; + + /* set stop bit */ + ctrl_val |= (cflag & CSTOPB) ? ASC_CTL_STOP_2BIT : ASC_CTL_STOP_1BIT; +-- +2.35.1 + diff --git a/queue-5.17/serial-stm32-usart-correct-csize-bits-and-parity.patch b/queue-5.17/serial-stm32-usart-correct-csize-bits-and-parity.patch new file mode 100644 index 00000000000..38f5fa0226d --- /dev/null +++ b/queue-5.17/serial-stm32-usart-correct-csize-bits-and-parity.patch @@ -0,0 +1,64 @@ +From 3afe1e52fcb74b2ecafce85ebd92cc0edb469a64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 May 2022 11:18:07 +0300 +Subject: serial: stm32-usart: Correct CSIZE, bits, and parity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 1deeda8d2877c18bc2b9eeee10dd6d2628852848 ] + +Add CSIZE sanitization for unsupported CSIZE configurations. In +addition, if parity is asked for but CSx was unsupported, the sensible +result is CS8+parity which requires setting USART_CR1_M0 like with 9 +bits. + +Incorrect CSIZE results in miscalculation of the frame bits in +tty_get_char_size() or in its predecessor where the roughly the same +code is directly within uart_update_timeout(). + +Fixes: c8a9d043947b (serial: stm32: fix word length configuration) +Cc: Erwan Le Ray +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20220519081808.3776-9-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/stm32-usart.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c +index 9570002d07e7..9bc970be59ba 100644 +--- a/drivers/tty/serial/stm32-usart.c ++++ b/drivers/tty/serial/stm32-usart.c +@@ -1037,13 +1037,22 @@ static void stm32_usart_set_termios(struct uart_port *port, + * CS8 or (CS7 + parity), 8 bits word aka [M1:M0] = 0b00 + * M0 and M1 already cleared by cr1 initialization. + */ +- if (bits == 9) ++ if (bits == 9) { + cr1 |= USART_CR1_M0; +- else if ((bits == 7) && cfg->has_7bits_data) ++ } else if ((bits == 7) && cfg->has_7bits_data) { + cr1 |= USART_CR1_M1; +- else if (bits != 8) ++ } else if (bits != 8) { + dev_dbg(port->dev, "Unsupported data bits config: %u bits\n" + , bits); ++ cflag &= ~CSIZE; ++ cflag |= CS8; ++ termios->c_cflag = cflag; ++ bits = 8; ++ if (cflag & PARENB) { ++ bits++; ++ cr1 |= USART_CR1_M0; ++ } ++ } + + if (ofs->rtor != UNDEF_REG && (stm32_port->rx_ch || + (stm32_port->fifoen && +-- +2.35.1 + diff --git a/queue-5.17/serial-txx9-don-t-allow-cs5-6.patch b/queue-5.17/serial-txx9-don-t-allow-cs5-6.patch new file mode 100644 index 00000000000..f87ffad0564 --- /dev/null +++ b/queue-5.17/serial-txx9-don-t-allow-cs5-6.patch @@ -0,0 +1,45 @@ +From ee19559628a627323f47a95a75b40c7911c76d50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 May 2022 11:18:03 +0300 +Subject: serial: txx9: Don't allow CS5-6 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 79ac88655dc0551e3571ad16bdabdbe65d61553e ] + +Only CS7 and CS8 are supported but CSIZE is not sanitized with +CS5 or CS6 to CS8. + +Set CSIZE correctly so that userspace knows the effective value. +Incorrect CSIZE also results in miscalculation of the frame bits in +tty_get_char_size() or in its predecessor where the roughly the same +code is directly within uart_update_timeout(). + +Fixes: 1da177e4c3f4 (Linux-2.6.12-rc2) +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20220519081808.3776-5-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/serial_txx9.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/tty/serial/serial_txx9.c b/drivers/tty/serial/serial_txx9.c +index aaca4fe38486..1f8362d5e3b9 100644 +--- a/drivers/tty/serial/serial_txx9.c ++++ b/drivers/tty/serial/serial_txx9.c +@@ -644,6 +644,8 @@ serial_txx9_set_termios(struct uart_port *port, struct ktermios *termios, + case CS6: /* not supported */ + case CS8: + cval |= TXX9_SILCR_UMODE_8BIT; ++ termios->c_cflag &= ~CSIZE; ++ termios->c_cflag |= CS8; + break; + } + +-- +2.35.1 + diff --git a/queue-5.17/serial-uartlite-fix-brkint-clearing.patch b/queue-5.17/serial-uartlite-fix-brkint-clearing.patch new file mode 100644 index 00000000000..513ce12235e --- /dev/null +++ b/queue-5.17/serial-uartlite-fix-brkint-clearing.patch @@ -0,0 +1,41 @@ +From 0ea34d535a5fc674f83dd55038b526d705ea1919 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 May 2022 11:18:00 +0300 +Subject: serial: uartlite: Fix BRKINT clearing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 3f7fed405c118607d4d42255f2572072db728399 ] + +BRKINT is within c_iflag rather than c_cflag. + +Fixes: ea017f5853e9 (tty: serial: uartlite: Prevent changing fixed parameters) +Reviewed-by: Sean Anderson +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20220519081808.3776-2-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/uartlite.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/uartlite.c b/drivers/tty/serial/uartlite.c +index e1fa52d31474..7c788c697f3e 100644 +--- a/drivers/tty/serial/uartlite.c ++++ b/drivers/tty/serial/uartlite.c +@@ -321,7 +321,8 @@ static void ulite_set_termios(struct uart_port *port, struct ktermios *termios, + struct uartlite_data *pdata = port->private_data; + + /* Set termios to what the hardware supports */ +- termios->c_cflag &= ~(BRKINT | CSTOPB | PARENB | PARODD | CSIZE); ++ termios->c_iflag &= ~BRKINT; ++ termios->c_cflag &= ~(CSTOPB | PARENB | PARODD | CSIZE); + termios->c_cflag |= pdata->cflags & (PARENB | PARODD | CSIZE); + tty_termios_encode_baud_rate(termios, pdata->baud, pdata->baud); + +-- +2.35.1 + diff --git a/queue-5.17/series b/queue-5.17/series new file mode 100644 index 00000000000..5cc61dc9b00 --- /dev/null +++ b/queue-5.17/series @@ -0,0 +1,137 @@ +fs-ntfs3-restore-ntfs_xattr_get_acl-and-ntfs_xattr_s.patch +pcmcia-db1xxx_ss-restrict-to-mips_db1xxx-boards.patch +staging-greybus-codecs-fix-type-confusion-of-list-it.patch +iio-adc-ad7124-remove-shift-from-scan_type.patch +lkdtm-bugs-check-for-the-null-pointer-after-calling-.patch +lkdtm-bugs-don-t-expect-thread-termination-without-c.patch +tty-goldfish-use-tty_port_destroy-to-destroy-port.patch +tty-serial-owl-fix-missing-clk_disable_unprepare-in-.patch +tty-n_tty-restore-eof-push-handling-behavior.patch +serial-8250_aspeed_vuart-fix-potential-null-derefere.patch +tty-serial-fsl_lpuart-fix-potential-bug-when-using-b.patch +remoteproc-imx_rproc-ignore-create-mem-entry-for-res.patch +phy-rockchip-inno-usb2-fix-muxed-interrupt-support.patch +usb-usbip-fix-a-refcount-leak-in-stub_probe.patch +usb-usbip-add-missing-device-lock-on-tweak-configura.patch +usb-storage-karma-fix-rio_karma_init-return.patch +usb-musb-fix-missing-of_node_put-in-omap2430_probe.patch +staging-fieldbus-fix-the-error-handling-path-in-anyb.patch +pwm-lp3943-fix-duty-calculation-in-case-period-was-c.patch +pwm-raspberrypi-poe-fix-endianness-in-firmware-struc.patch +rpmsg-qcom_smd-fix-irq_of_parse_and_map-return-value.patch +usb-dwc3-gadget-replace-list_for_each_entry_safe-if-.patch +usb-dwc3-pci-fix-pm_runtime_get_sync-error-checking.patch +scripts-get_abi-fix-wrong-script-file-name-in-the-he.patch +misc-fastrpc-fix-an-incorrect-null-check-on-list-ite.patch +firmware-stratix10-svc-fix-a-missing-check-on-list-i.patch +usb-typec-mux-check-dev_set_name-return-value.patch +rpmsg-virtio-fix-possible-double-free-in-rpmsg_probe.patch +rpmsg-virtio-fix-possible-double-free-in-rpmsg_virti.patch +rpmsg-virtio-fix-the-unregistration-of-the-device-rp.patch +platform-finally-disallow-irq0-in-platform_get_irq-a.patch +iio-adc-stmpe-adc-fix-wait_for_completion_timeout-re.patch +iio-proximity-vl53l0x-fix-return-value-check-of-wait.patch +iio-adc-sc27xx-fix-read-big-scale-voltage-not-right.patch +iio-adc-sc27xx-fine-tune-the-scale-calibration-value.patch +rpmsg-qcom_smd-fix-returning-0-if-irq_of_parse_and_m.patch +misc-pvpanic-convert-regular-spinlock-into-trylock-o.patch +phy-qcom-qmp-fix-pipe-clock-imbalance-on-power-on-fa.patch +power-supply-axp288_fuel_gauge-drop-bios-version-che.patch +power-supply-ab8500_fg-allocate-wq-in-probe.patch +serial-sifive-report-actual-baud-base-rather-than-fi.patch +export-fix-string-handling-of-namespace-in-export_sy.patch +watchdog-rzg2l_wdt-fix-32bit-overflow-issue.patch +watchdog-rzg2l_wdt-fix-runtime-pm-usage.patch +watchdog-rzg2l_wdt-fix-bug-invalid-wait-context.patch +watchdog-rzg2l_wdt-fix-reset-control-imbalance.patch +soundwire-intel-prevent-pm_runtime-resume-prior-to-s.patch +coresight-cpu-debug-replace-mutex-with-mutex_trylock.patch +ksmbd-fix-reference-count-leak-in-smb_check_perm_dac.patch +extcon-ptn5150-add-queue-work-sync-before-driver-rel.patch +dt-bindings-remoteproc-mediatek-make-l1tcm-reg-exclu.patch +soc-rockchip-fix-refcount-leak-in-rockchip_grf_init.patch +clocksource-drivers-riscv-events-are-stopped-during-.patch +arm-dts-aspeed-ast2600-evb-enable-rx-delay-for-mac0-.patch +rtc-mt6397-check-return-value-after-calling-platform.patch +rtc-ftrtc010-fix-error-handling-in-ftrtc010_rtc_prob.patch +staging-r8188eu-add-check-for-kzalloc.patch +serial-meson-acquire-port-lock-in-startup.patch +serial-8250_fintek-check-ser_rs485_rts_-only-with-rs.patch +serial-cpm_uart-fix-build-error-without-config_seria.patch +serial-uartlite-fix-brkint-clearing.patch +serial-digicolor-usart-don-t-allow-cs5-6.patch +serial-rda-uart-don-t-allow-cs5-6.patch +serial-txx9-don-t-allow-cs5-6.patch +serial-sh-sci-don-t-allow-cs5-6.patch +serial-sifive-sanitize-csize-and-c_iflag.patch +serial-st-asc-sanitize-csize-and-correct-parenb-for-.patch +serial-stm32-usart-correct-csize-bits-and-parity.patch +firmware-dmi-sysfs-fix-memory-leak-in-dmi_sysfs_regi.patch +bus-ti-sysc-fix-warnings-for-unbind-for-serial.patch +driver-base-fix-uaf-when-driver_attach-failed.patch +driver-core-fix-deadlock-in-__device_attach.patch +watchdog-rti-wdt-fix-pm_runtime_get_sync-error-check.patch +watchdog-ts4800_wdt-fix-refcount-leak-in-ts4800_wdt_.patch +blk-mq-don-t-touch-tagset-in-blk_mq_get_sq_hctx.patch +asoc-fsl_sai-fix-fsl_sai_xdr-xfr-definition.patch +clocksource-drivers-oxnas-rps-fix-irq_of_parse_and_m.patch +s390-crypto-fix-scatterwalk_unmap-callers-in-aes-gcm.patch +amt-fix-return-value-of-amt_update_handler.patch +amt-fix-possible-memory-leak-in-amt_rcv.patch +net-smc-set-ini-smcrv2.ib_dev_v2-to-null-if-smc-rv2-.patch +spi-fsi-fix-spurious-timeout.patch +drm-amdgpu-off-by-one-in-dm_dmub_outbox1_low_irq.patch +net-lan966x-check-devm_of_phy_get-for-edefer_probe.patch +net-sched-fixed-barrier-to-prevent-skbuff-sticking-i.patch +net-ethernet-mtk_eth_soc-out-of-bounds-read-in-mtk_h.patch +net-ethernet-ti-am65-cpsw-nuss-fix-some-refcount-lea.patch +net-dsa-mv88e6xxx-fix-refcount-leak-in-mv88e6xxx_mdi.patch +modpost-fix-removing-numeric-suffixes.patch +ep93xx-clock-do-not-return-the-address-of-the-freed-.patch +jffs2-fix-memory-leak-in-jffs2_do_fill_super.patch +ubi-fastmap-fix-high-cpu-usage-of-ubi_bgt-by-making-.patch +ubi-ubi_create_volume-fix-use-after-free-when-volume.patch +selftests-bpf-fix-selftest-after-random-urandom_read.patch +selftests-bpf-fix-stacktrace_build_id-with-missing-k.patch +bpf-fix-probe-read-error-in-___bpf_prog_run.patch +block-take-destination-bvec-offsets-into-account-in-.patch +nbd-don-t-clear-nbd_cmd_inflight-flag-if-request-is-.patch +riscv-read-only-pages-should-not-be-writable.patch +net-smc-fixes-for-converting-from-struct-smc_cdc_tx_.patch +tcp-add-accessors-to-read-set-tp-snd_cwnd.patch +nfp-only-report-pause-frame-configuration-for-physic.patch +block-use-bio_queue_enter-instead-of-blk_queue_enter.patch +sfc-fix-considering-that-all-channels-have-tx-queues.patch +sfc-fix-wrong-tx-channel-offset-with-efx_separate_tx.patch +block-make-bioset_exit-fully-resilient-against-being.patch +blk-mq-do-not-update-io_ticks-with-passthrough-reque.patch +vdpa-fix-error-logic-in-vdpa_nl_cmd_dev_get_doit.patch +virtio-pci-fix-an-error-handling-path-in-vp_modern_p.patch +net-mlx5-don-t-use-already-freed-action-pointer.patch +net-mlx5e-tc-nic-mode-fix-tc-chains-miss-table.patch +net-mlx5-ct-fix-header-rewrite-re-use-for-tupels.patch +net-mlx5e-disable-softirq-in-mlx5e_activate_rq-to-av.patch +net-mlx5-correct-ece-offset-in-query-qp-output.patch +net-mlx5e-update-netdev-features-after-changing-xdp-.patch +net-sched-add-barrier-to-fix-packet-stuck-problem-fo.patch +tcp-tcp_rtx_synack-can-be-called-from-process-contex.patch +vdpa-ifcvf-set-pci-driver-data-in-probe.patch +octeontx2-af-fix-error-code-in-is_valid_offset.patch +macsec-fix-uaf-bug-for-real_dev.patch +s390-mcck-isolate-sie-instruction-when-setting-cif_m.patch +regulator-mt6315-regulator-fix-invalid-allowed-mode.patch +gpio-pca953x-use-the-correct-register-address-to-do-.patch +afs-fix-infinite-loop-found-by-xfstest-generic-676.patch +drm-msm-dp-always-clear-mask-bits-to-disable-interru.patch +scsi-sd-fix-potential-null-pointer-dereference.patch +ax25-fix-ax25-session-cleanup-problems.patch +tipc-check-attribute-length-for-bearer-name.patch +arm64-initialize-jump-labels-before-setup_machine_fd.patch +driver-core-fix-wait_for_device_probe-deferred_probe.patch +perf-evsel-fixes-topdown-events-in-a-weak-group-for-.patch +perf-parse-events-move-slots-event-for-the-hybrid-pl.patch +perf-record-support-sample-read-topdown-metric-group.patch +perf-c2c-fix-sorting-in-percent_rmt_hitm_cmp.patch +bluetooth-mgmt-add-conditions-for-setting-hci_conn_f.patch +bluetooth-hci_sync-fix-attempting-to-suspend-with-un.patch +bluetooth-don-t-use-bitmaps-for-random-flag-accesses.patch diff --git a/queue-5.17/sfc-fix-considering-that-all-channels-have-tx-queues.patch b/queue-5.17/sfc-fix-considering-that-all-channels-have-tx-queues.patch new file mode 100644 index 00000000000..2055fefa45a --- /dev/null +++ b/queue-5.17/sfc-fix-considering-that-all-channels-have-tx-queues.patch @@ -0,0 +1,68 @@ +From 04561610a3ae530a2abe2eaadd7f457596503df3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 May 2022 10:05:28 +0200 +Subject: sfc: fix considering that all channels have TX queues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Martin Habets + +[ Upstream commit 2e102b53f8a778f872dc137f4c7ac548705817aa ] + +Normally, all channels have RX and TX queues, but this is not true if +modparam efx_separate_tx_channels=1 is used. In that cases, some +channels only have RX queues and others only TX queues (or more +preciselly, they have them allocated, but not initialized). + +Fix efx_channel_has_tx_queues to return the correct value for this case +too. + +Messages shown at probe time before the fix: + sfc 0000:03:00.0 ens6f0np0: MC command 0x82 inlen 544 failed rc=-22 (raw=0) arg=0 + ------------[ cut here ]------------ + netdevice: ens6f0np0: failed to initialise TXQ -1 + WARNING: CPU: 1 PID: 626 at drivers/net/ethernet/sfc/ef10.c:2393 efx_ef10_tx_init+0x201/0x300 [sfc] + [...] stripped + RIP: 0010:efx_ef10_tx_init+0x201/0x300 [sfc] + [...] stripped + Call Trace: + efx_init_tx_queue+0xaa/0xf0 [sfc] + efx_start_channels+0x49/0x120 [sfc] + efx_start_all+0x1f8/0x430 [sfc] + efx_net_open+0x5a/0xe0 [sfc] + __dev_open+0xd0/0x190 + __dev_change_flags+0x1b3/0x220 + dev_change_flags+0x21/0x60 + [...] stripped + +Messages shown at remove time before the fix: + sfc 0000:03:00.0 ens6f0np0: failed to flush 10 queues + sfc 0000:03:00.0 ens6f0np0: failed to flush queues + +Fixes: 8700aff08984 ("sfc: fix channel allocation with brute force") +Reported-by: Tianhao Zhao +Signed-off-by: Martin Habets +Tested-by: Íñigo Huguet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/net_driver.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sfc/net_driver.h b/drivers/net/ethernet/sfc/net_driver.h +index cc15ee8812d9..8a9eedec177a 100644 +--- a/drivers/net/ethernet/sfc/net_driver.h ++++ b/drivers/net/ethernet/sfc/net_driver.h +@@ -1533,7 +1533,7 @@ static inline bool efx_channel_is_xdp_tx(struct efx_channel *channel) + + static inline bool efx_channel_has_tx_queues(struct efx_channel *channel) + { +- return true; ++ return channel && channel->channel >= channel->efx->tx_channel_offset; + } + + static inline unsigned int efx_channel_num_tx_queues(struct efx_channel *channel) +-- +2.35.1 + diff --git a/queue-5.17/sfc-fix-wrong-tx-channel-offset-with-efx_separate_tx.patch b/queue-5.17/sfc-fix-wrong-tx-channel-offset-with-efx_separate_tx.patch new file mode 100644 index 00000000000..2a63833b6f1 --- /dev/null +++ b/queue-5.17/sfc-fix-wrong-tx-channel-offset-with-efx_separate_tx.patch @@ -0,0 +1,70 @@ +From 74022bb38ba86673e1e67c80f89d73cc44695b13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 May 2022 10:05:29 +0200 +Subject: sfc: fix wrong tx channel offset with efx_separate_tx_channels +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Íñigo Huguet + +[ Upstream commit c308dfd1b43ef0d4c3e57b741bb3462eb7a7f4a2 ] + +tx_channel_offset is calculated in efx_allocate_msix_channels, but it is +also calculated again in efx_set_channels because it was originally done +there, and when efx_allocate_msix_channels was introduced it was +forgotten to be removed from efx_set_channels. + +Moreover, the old calculation is wrong when using +efx_separate_tx_channels because now we can have XDP channels after the +TX channels, so n_channels - n_tx_channels doesn't point to the first TX +channel. + +Remove the old calculation from efx_set_channels, and add the +initialization of this variable if MSI or legacy interrupts are used, +next to the initialization of the rest of the related variables, where +it was missing. + +Fixes: 3990a8fffbda ("sfc: allocate channels for XDP tx queues") +Reported-by: Tianhao Zhao +Signed-off-by: Íñigo Huguet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/efx_channels.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/sfc/efx_channels.c b/drivers/net/ethernet/sfc/efx_channels.c +index eec0db76d888..8ab9358a1c3d 100644 +--- a/drivers/net/ethernet/sfc/efx_channels.c ++++ b/drivers/net/ethernet/sfc/efx_channels.c +@@ -309,6 +309,7 @@ int efx_probe_interrupts(struct efx_nic *efx) + efx->n_channels = 1; + efx->n_rx_channels = 1; + efx->n_tx_channels = 1; ++ efx->tx_channel_offset = 0; + efx->n_xdp_channels = 0; + efx->xdp_channel_offset = efx->n_channels; + rc = pci_enable_msi(efx->pci_dev); +@@ -329,6 +330,7 @@ int efx_probe_interrupts(struct efx_nic *efx) + efx->n_channels = 1 + (efx_separate_tx_channels ? 1 : 0); + efx->n_rx_channels = 1; + efx->n_tx_channels = 1; ++ efx->tx_channel_offset = 1; + efx->n_xdp_channels = 0; + efx->xdp_channel_offset = efx->n_channels; + efx->legacy_irq = efx->pci_dev->irq; +@@ -957,10 +959,6 @@ int efx_set_channels(struct efx_nic *efx) + struct efx_channel *channel; + int rc; + +- efx->tx_channel_offset = +- efx_separate_tx_channels ? +- efx->n_channels - efx->n_tx_channels : 0; +- + if (efx->xdp_tx_queue_count) { + EFX_WARN_ON_PARANOID(efx->xdp_tx_queues); + +-- +2.35.1 + diff --git a/queue-5.17/soc-rockchip-fix-refcount-leak-in-rockchip_grf_init.patch b/queue-5.17/soc-rockchip-fix-refcount-leak-in-rockchip_grf_init.patch new file mode 100644 index 00000000000..d5b2b11c2e8 --- /dev/null +++ b/queue-5.17/soc-rockchip-fix-refcount-leak-in-rockchip_grf_init.patch @@ -0,0 +1,44 @@ +From 342076eadf976c4f47eb3c6aeefe41d85509b468 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 May 2022 11:20:10 +0400 +Subject: soc: rockchip: Fix refcount leak in rockchip_grf_init + +From: Miaoqian Lin + +[ Upstream commit 9b59588d8be91c96bfb0371e912ceb4f16315dbf ] + +of_find_matching_node_and_match returns a node pointer with refcount +incremented, we should use of_node_put() on it when done. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 4c58063d4258 ("soc: rockchip: add driver handling grf setup") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220516072013.19731-1-linmq006@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + drivers/soc/rockchip/grf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/soc/rockchip/grf.c b/drivers/soc/rockchip/grf.c +index 494cf2b5bf7b..343ff61ccccb 100644 +--- a/drivers/soc/rockchip/grf.c ++++ b/drivers/soc/rockchip/grf.c +@@ -148,12 +148,14 @@ static int __init rockchip_grf_init(void) + return -ENODEV; + if (!match || !match->data) { + pr_err("%s: missing grf data\n", __func__); ++ of_node_put(np); + return -EINVAL; + } + + grf_info = match->data; + + grf = syscon_node_to_regmap(np); ++ of_node_put(np); + if (IS_ERR(grf)) { + pr_err("%s: could not get grf syscon\n", __func__); + return PTR_ERR(grf); +-- +2.35.1 + diff --git a/queue-5.17/soundwire-intel-prevent-pm_runtime-resume-prior-to-s.patch b/queue-5.17/soundwire-intel-prevent-pm_runtime-resume-prior-to-s.patch new file mode 100644 index 00000000000..a720872b96d --- /dev/null +++ b/queue-5.17/soundwire-intel-prevent-pm_runtime-resume-prior-to-s.patch @@ -0,0 +1,58 @@ +From c1d765b408d2aad11ef5f912b16c20a3f8ae9b3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 10:32:39 +0800 +Subject: soundwire: intel: prevent pm_runtime resume prior to system suspend + +From: Pierre-Louis Bossart + +[ Upstream commit 6d9f2dadba698114fed97b224578c5338a36b0d9 ] + +commit e38f9ff63e6d ("ACPI: scan: Do not add device IDs from _CID if _HID is not valid") +exposes a race condition on a TGL RVP device leading to a timeout. + +The detailed analysis shows the RT711 codec driver scheduling a jack +detection workqueue while attaching during a spurious pm_runtime +resume, and the work function happens to be scheduled after the +manager device is suspended. + +The direct link between this ACPI patch and a spurious pm_runtime +resume is not obvious; the most likely explanation is that a change in +the ACPI device linked list management modifies the order in which the +pm_runtime device status is checked and exposes a race condition that +was probably present for a very long time, but was not identified. + +We already have a check in the .prepare stage, where we will resume to +full power from specific clock-stop modes. In all other cases, we +don't need to resume to full power by default. Adding the +SMART_SUSPEND flag prevents the spurious resume from happening. + +BugLink: https://github.com/thesofproject/linux/issues/3459 +Fixes: 029bfd1cd53cd ("soundwire: intel: conditionally exit clock stop mode on system suspend") +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Ranjani Sridharan +Reviewed-by: Rander Wang +Signed-off-by: Bard Liao +Link: https://lore.kernel.org/r/20220420023241.14335-2-yung-chuan.liao@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/intel.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/soundwire/intel.c b/drivers/soundwire/intel.c +index 63101f1ba271..32e5fdb823c4 100644 +--- a/drivers/soundwire/intel.c ++++ b/drivers/soundwire/intel.c +@@ -1293,6 +1293,9 @@ static int intel_link_probe(struct auxiliary_device *auxdev, + /* use generic bandwidth allocation algorithm */ + sdw->cdns.bus.compute_params = sdw_compute_params; + ++ /* avoid resuming from pm_runtime suspend if it's not required */ ++ dev_pm_set_driver_flags(dev, DPM_FLAG_SMART_SUSPEND); ++ + ret = sdw_bus_master_add(bus, dev, dev->fwnode); + if (ret) { + dev_err(dev, "sdw_bus_master_add fail: %d\n", ret); +-- +2.35.1 + diff --git a/queue-5.17/spi-fsi-fix-spurious-timeout.patch b/queue-5.17/spi-fsi-fix-spurious-timeout.patch new file mode 100644 index 00000000000..83273f65367 --- /dev/null +++ b/queue-5.17/spi-fsi-fix-spurious-timeout.patch @@ -0,0 +1,61 @@ +From b5810b0d76a1925497c4828a22d266d5a748e4cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 May 2022 11:58:51 -0500 +Subject: spi: fsi: Fix spurious timeout + +From: Eddie James + +[ Upstream commit 61bf40ef51aa73f6216b33563271b6acf7ea8d70 ] + +The driver may return a timeout error even if the status register +indicates that the transfer may proceed. Fix this by restructuring +the polling loop. + +Fixes: 89b35e3f2851 ("spi: fsi: Implement a timeout for polling status") +Signed-off-by: Eddie James +Link: https://lore.kernel.org/r/20220525165852.33167-2-eajames@linux.ibm.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-fsi.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/spi/spi-fsi.c b/drivers/spi/spi-fsi.c +index d403a7a3021d..72ab066ce552 100644 +--- a/drivers/spi/spi-fsi.c ++++ b/drivers/spi/spi-fsi.c +@@ -319,12 +319,12 @@ static int fsi_spi_transfer_data(struct fsi_spi *ctx, + + end = jiffies + msecs_to_jiffies(SPI_FSI_STATUS_TIMEOUT_MS); + do { ++ if (time_after(jiffies, end)) ++ return -ETIMEDOUT; ++ + rc = fsi_spi_status(ctx, &status, "TX"); + if (rc) + return rc; +- +- if (time_after(jiffies, end)) +- return -ETIMEDOUT; + } while (status & SPI_FSI_STATUS_TDR_FULL); + + sent += nb; +@@ -337,12 +337,12 @@ static int fsi_spi_transfer_data(struct fsi_spi *ctx, + while (transfer->len > recv) { + end = jiffies + msecs_to_jiffies(SPI_FSI_STATUS_TIMEOUT_MS); + do { ++ if (time_after(jiffies, end)) ++ return -ETIMEDOUT; ++ + rc = fsi_spi_status(ctx, &status, "RX"); + if (rc) + return rc; +- +- if (time_after(jiffies, end)) +- return -ETIMEDOUT; + } while (!(status & SPI_FSI_STATUS_RDR_FULL)); + + rc = fsi_spi_read_reg(ctx, SPI_FSI_DATA_RX, &in); +-- +2.35.1 + diff --git a/queue-5.17/staging-fieldbus-fix-the-error-handling-path-in-anyb.patch b/queue-5.17/staging-fieldbus-fix-the-error-handling-path-in-anyb.patch new file mode 100644 index 00000000000..17418392196 --- /dev/null +++ b/queue-5.17/staging-fieldbus-fix-the-error-handling-path-in-anyb.patch @@ -0,0 +1,39 @@ +From 221a6ca7f49c4437e7c37bef2e403edc050bdd76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Apr 2022 08:48:18 +0200 +Subject: staging: fieldbus: Fix the error handling path in + anybuss_host_common_probe() + +From: Christophe JAILLET + +[ Upstream commit 7079b3483a17be2cfba64cbd4feb1b7ae07f1ea7 ] + +If device_register() fails, device_unregister() should not be called +because it will free some resources that are not allocated. +put_device() should be used instead. + +Fixes: 308ee87a2f1e ("staging: fieldbus: anybus-s: support HMS Anybus-S bus") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/5401a519608d6e1a4e7435c20f4f20b0c5c36c23.1650610082.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/fieldbus/anybuss/host.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/fieldbus/anybuss/host.c b/drivers/staging/fieldbus/anybuss/host.c +index a344410e48fe..cd86b9c9e345 100644 +--- a/drivers/staging/fieldbus/anybuss/host.c ++++ b/drivers/staging/fieldbus/anybuss/host.c +@@ -1384,7 +1384,7 @@ anybuss_host_common_probe(struct device *dev, + goto err_device; + return cd; + err_device: +- device_unregister(&cd->client->dev); ++ put_device(&cd->client->dev); + err_kthread: + kthread_stop(cd->qthread); + err_reset: +-- +2.35.1 + diff --git a/queue-5.17/staging-greybus-codecs-fix-type-confusion-of-list-it.patch b/queue-5.17/staging-greybus-codecs-fix-type-confusion-of-list-it.patch new file mode 100644 index 00000000000..8182e832c35 --- /dev/null +++ b/queue-5.17/staging-greybus-codecs-fix-type-confusion-of-list-it.patch @@ -0,0 +1,44 @@ +From 02ec5aa449514a112c61caa9a170b9ed823e5cd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Mar 2022 13:36:26 +0100 +Subject: staging: greybus: codecs: fix type confusion of list iterator + variable + +From: Jakob Koschel + +[ Upstream commit 84ef256550196bc06e6849a34224c998b45bd557 ] + +If the list does not exit early then data == NULL and 'module' does not +point to a valid list element. +Using 'module' in such a case is not valid and was therefore removed. + +Fixes: 6dd67645f22c ("greybus: audio: Use single codec driver registration") +Reviewed-by: Dan Carpenter +Reviewed-by: Vaibhav Agarwal +Reviewed-by: Mark Greer +Signed-off-by: Jakob Koschel +Link: https://lore.kernel.org/r/20220321123626.3068639-1-jakobkoschel@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/greybus/audio_codec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/greybus/audio_codec.c b/drivers/staging/greybus/audio_codec.c +index b589cf6b1d03..e19b91e7a72e 100644 +--- a/drivers/staging/greybus/audio_codec.c ++++ b/drivers/staging/greybus/audio_codec.c +@@ -599,8 +599,8 @@ static int gbcodec_mute_stream(struct snd_soc_dai *dai, int mute, int stream) + break; + } + if (!data) { +- dev_err(dai->dev, "%s:%s DATA connection missing\n", +- dai->name, module->name); ++ dev_err(dai->dev, "%s DATA connection missing\n", ++ dai->name); + mutex_unlock(&codec->lock); + return -ENODEV; + } +-- +2.35.1 + diff --git a/queue-5.17/staging-r8188eu-add-check-for-kzalloc.patch b/queue-5.17/staging-r8188eu-add-check-for-kzalloc.patch new file mode 100644 index 00000000000..3e2ba56b589 --- /dev/null +++ b/queue-5.17/staging-r8188eu-add-check-for-kzalloc.patch @@ -0,0 +1,87 @@ +From 79229cb140b5e54ad6c740ba7779aa2c8d5b5c4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 15:59:57 +0800 +Subject: staging: r8188eu: add check for kzalloc + +From: Jiasheng Jiang + +[ Upstream commit f94b47c6bde624d6c07f43054087607c52054a95 ] + +As kzalloc() may return null pointer, it should be better to +check the return value and return error if fails in order +to avoid dereference of null pointer. +Moreover, the return value of rtw_alloc_hwxmits() should also +be dealt with. + +Fixes: 15865124feed ("staging: r8188eu: introduce new core dir for RTL8188eu driver") +Reviewed-by: Dan Carpenter +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20220518075957.514603-1-jiasheng@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/r8188eu/core/rtw_xmit.c | 13 +++++++++++-- + drivers/staging/r8188eu/include/rtw_xmit.h | 2 +- + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/staging/r8188eu/core/rtw_xmit.c b/drivers/staging/r8188eu/core/rtw_xmit.c +index 8503059edc46..f4e9f6102539 100644 +--- a/drivers/staging/r8188eu/core/rtw_xmit.c ++++ b/drivers/staging/r8188eu/core/rtw_xmit.c +@@ -179,7 +179,12 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter) + + pxmitpriv->free_xmit_extbuf_cnt = num_xmit_extbuf; + +- rtw_alloc_hwxmits(padapter); ++ res = rtw_alloc_hwxmits(padapter); ++ if (res) { ++ res = _FAIL; ++ goto exit; ++ } ++ + rtw_init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry); + + for (i = 0; i < 4; i++) +@@ -1496,7 +1501,7 @@ s32 rtw_xmit_classifier(struct adapter *padapter, struct xmit_frame *pxmitframe) + return res; + } + +-void rtw_alloc_hwxmits(struct adapter *padapter) ++int rtw_alloc_hwxmits(struct adapter *padapter) + { + struct hw_xmit *hwxmits; + struct xmit_priv *pxmitpriv = &padapter->xmitpriv; +@@ -1504,6 +1509,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter) + pxmitpriv->hwxmit_entry = HWXMIT_ENTRY; + + pxmitpriv->hwxmits = kzalloc(sizeof(struct hw_xmit) * pxmitpriv->hwxmit_entry, GFP_KERNEL); ++ if (!pxmitpriv->hwxmits) ++ return -ENOMEM; + + hwxmits = pxmitpriv->hwxmits; + +@@ -1520,6 +1527,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter) + hwxmits[3] .sta_queue = &pxmitpriv->bk_pending; + } else { + } ++ ++ return 0; + } + + void rtw_free_hwxmits(struct adapter *padapter) +diff --git a/drivers/staging/r8188eu/include/rtw_xmit.h b/drivers/staging/r8188eu/include/rtw_xmit.h +index b2df1480d66b..e73632972900 100644 +--- a/drivers/staging/r8188eu/include/rtw_xmit.h ++++ b/drivers/staging/r8188eu/include/rtw_xmit.h +@@ -341,7 +341,7 @@ s32 rtw_txframes_sta_ac_pending(struct adapter *padapter, + void rtw_init_hwxmits(struct hw_xmit *phwxmit, int entry); + s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter); + void _rtw_free_xmit_priv(struct xmit_priv *pxmitpriv); +-void rtw_alloc_hwxmits(struct adapter *padapter); ++int rtw_alloc_hwxmits(struct adapter *padapter); + void rtw_free_hwxmits(struct adapter *padapter); + s32 rtw_xmit(struct adapter *padapter, struct sk_buff **pkt); + +-- +2.35.1 + diff --git a/queue-5.17/tcp-add-accessors-to-read-set-tp-snd_cwnd.patch b/queue-5.17/tcp-add-accessors-to-read-set-tp-snd_cwnd.patch new file mode 100644 index 00000000000..29bc21243df --- /dev/null +++ b/queue-5.17/tcp-add-accessors-to-read-set-tp-snd_cwnd.patch @@ -0,0 +1,1447 @@ +From b3e5c855caece877ed6d63003b8668471422b136 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Apr 2022 16:35:38 -0700 +Subject: tcp: add accessors to read/set tp->snd_cwnd + +From: Eric Dumazet + +[ Upstream commit 40570375356c874b1578e05c1dcc3ff7c1322dbe ] + +We had various bugs over the years with code +breaking the assumption that tp->snd_cwnd is greater +than zero. + +Lately, syzbot reported the WARN_ON_ONCE(!tp->prior_cwnd) added +in commit 8b8a321ff72c ("tcp: fix zero cwnd in tcp_cwnd_reduction") +can trigger, and without a repro we would have to spend +considerable time finding the bug. + +Instead of complaining too late, we want to catch where +and when tp->snd_cwnd is set to an illegal value. + +Signed-off-by: Eric Dumazet +Suggested-by: Yuchung Cheng +Cc: Neal Cardwell +Acked-by: Yuchung Cheng +Link: https://lore.kernel.org/r/20220405233538.947344-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 19 +++++++++++++++---- + include/trace/events/tcp.h | 2 +- + net/core/filter.c | 2 +- + net/ipv4/tcp.c | 8 ++++---- + net/ipv4/tcp_bbr.c | 20 ++++++++++---------- + net/ipv4/tcp_bic.c | 14 +++++++------- + net/ipv4/tcp_cdg.c | 30 +++++++++++++++--------------- + net/ipv4/tcp_cong.c | 18 +++++++++--------- + net/ipv4/tcp_cubic.c | 22 +++++++++++----------- + net/ipv4/tcp_dctcp.c | 11 ++++++----- + net/ipv4/tcp_highspeed.c | 18 +++++++++--------- + net/ipv4/tcp_htcp.c | 10 +++++----- + net/ipv4/tcp_hybla.c | 18 +++++++++--------- + net/ipv4/tcp_illinois.c | 12 +++++++----- + net/ipv4/tcp_input.c | 36 ++++++++++++++++++------------------ + net/ipv4/tcp_ipv4.c | 2 +- + net/ipv4/tcp_lp.c | 6 +++--- + net/ipv4/tcp_metrics.c | 12 ++++++------ + net/ipv4/tcp_nv.c | 24 ++++++++++++------------ + net/ipv4/tcp_output.c | 30 +++++++++++++++--------------- + net/ipv4/tcp_rate.c | 2 +- + net/ipv4/tcp_scalable.c | 4 ++-- + net/ipv4/tcp_vegas.c | 21 +++++++++++---------- + net/ipv4/tcp_veno.c | 24 ++++++++++++------------ + net/ipv4/tcp_westwood.c | 3 ++- + net/ipv4/tcp_yeah.c | 30 +++++++++++++++--------------- + net/ipv6/tcp_ipv6.c | 2 +- + 27 files changed, 208 insertions(+), 192 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index a3fe2f9bc01c..818ac8077381 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1215,9 +1215,20 @@ static inline unsigned int tcp_packets_in_flight(const struct tcp_sock *tp) + + #define TCP_INFINITE_SSTHRESH 0x7fffffff + ++static inline u32 tcp_snd_cwnd(const struct tcp_sock *tp) ++{ ++ return tp->snd_cwnd; ++} ++ ++static inline void tcp_snd_cwnd_set(struct tcp_sock *tp, u32 val) ++{ ++ WARN_ON_ONCE((int)val <= 0); ++ tp->snd_cwnd = val; ++} ++ + static inline bool tcp_in_slow_start(const struct tcp_sock *tp) + { +- return tp->snd_cwnd < tp->snd_ssthresh; ++ return tcp_snd_cwnd(tp) < tp->snd_ssthresh; + } + + static inline bool tcp_in_initial_slowstart(const struct tcp_sock *tp) +@@ -1243,8 +1254,8 @@ static inline __u32 tcp_current_ssthresh(const struct sock *sk) + return tp->snd_ssthresh; + else + return max(tp->snd_ssthresh, +- ((tp->snd_cwnd >> 1) + +- (tp->snd_cwnd >> 2))); ++ ((tcp_snd_cwnd(tp) >> 1) + ++ (tcp_snd_cwnd(tp) >> 2))); + } + + /* Use define here intentionally to get WARN_ON location shown at the caller */ +@@ -1286,7 +1297,7 @@ static inline bool tcp_is_cwnd_limited(const struct sock *sk) + + /* If in slow start, ensure cwnd grows to twice what was ACKed. */ + if (tcp_in_slow_start(tp)) +- return tp->snd_cwnd < 2 * tp->max_packets_out; ++ return tcp_snd_cwnd(tp) < 2 * tp->max_packets_out; + + return tp->is_cwnd_limited; + } +diff --git a/include/trace/events/tcp.h b/include/trace/events/tcp.h +index 521059d8dc0a..edcd6369de10 100644 +--- a/include/trace/events/tcp.h ++++ b/include/trace/events/tcp.h +@@ -279,7 +279,7 @@ TRACE_EVENT(tcp_probe, + __entry->data_len = skb->len - __tcp_hdrlen(th); + __entry->snd_nxt = tp->snd_nxt; + __entry->snd_una = tp->snd_una; +- __entry->snd_cwnd = tp->snd_cwnd; ++ __entry->snd_cwnd = tcp_snd_cwnd(tp); + __entry->snd_wnd = tp->snd_wnd; + __entry->rcv_wnd = tp->rcv_wnd; + __entry->ssthresh = tcp_current_ssthresh(sk); +diff --git a/net/core/filter.c b/net/core/filter.c +index f8fbb5fa74f3..4210b127c5f5 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -4937,7 +4937,7 @@ static int _bpf_setsockopt(struct sock *sk, int level, int optname, + if (val <= 0 || tp->data_segs_out > tp->syn_data) + ret = -EINVAL; + else +- tp->snd_cwnd = val; ++ tcp_snd_cwnd_set(tp, val); + break; + case TCP_BPF_SNDCWND_CLAMP: + if (val <= 0) { +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 28ff2a820f7c..c9ad372f8edb 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -429,7 +429,7 @@ void tcp_init_sock(struct sock *sk) + * algorithms that we must have the following bandaid to talk + * efficiently to them. -DaveM + */ +- tp->snd_cwnd = TCP_INIT_CWND; ++ tcp_snd_cwnd_set(tp, TCP_INIT_CWND); + + /* There's a bubble in the pipe until at least the first ACK. */ + tp->app_limited = ~0U; +@@ -3033,7 +3033,7 @@ int tcp_disconnect(struct sock *sk, int flags) + icsk->icsk_rto_min = TCP_RTO_MIN; + icsk->icsk_delack_max = TCP_DELACK_MAX; + tp->snd_ssthresh = TCP_INFINITE_SSTHRESH; +- tp->snd_cwnd = TCP_INIT_CWND; ++ tcp_snd_cwnd_set(tp, TCP_INIT_CWND); + tp->snd_cwnd_cnt = 0; + tp->window_clamp = 0; + tp->delivered = 0; +@@ -3744,7 +3744,7 @@ void tcp_get_info(struct sock *sk, struct tcp_info *info) + info->tcpi_max_pacing_rate = rate64; + + info->tcpi_reordering = tp->reordering; +- info->tcpi_snd_cwnd = tp->snd_cwnd; ++ info->tcpi_snd_cwnd = tcp_snd_cwnd(tp); + + if (info->tcpi_state == TCP_LISTEN) { + /* listeners aliased fields : +@@ -3915,7 +3915,7 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk, + rate64 = tcp_compute_delivery_rate(tp); + nla_put_u64_64bit(stats, TCP_NLA_DELIVERY_RATE, rate64, TCP_NLA_PAD); + +- nla_put_u32(stats, TCP_NLA_SND_CWND, tp->snd_cwnd); ++ nla_put_u32(stats, TCP_NLA_SND_CWND, tcp_snd_cwnd(tp)); + nla_put_u32(stats, TCP_NLA_REORDERING, tp->reordering); + nla_put_u32(stats, TCP_NLA_MIN_RTT, tcp_min_rtt(tp)); + +diff --git a/net/ipv4/tcp_bbr.c b/net/ipv4/tcp_bbr.c +index ec5550089b4d..aefe12b7dbf7 100644 +--- a/net/ipv4/tcp_bbr.c ++++ b/net/ipv4/tcp_bbr.c +@@ -276,7 +276,7 @@ static void bbr_init_pacing_rate_from_rtt(struct sock *sk) + } else { /* no RTT sample yet */ + rtt_us = USEC_PER_MSEC; /* use nominal default RTT */ + } +- bw = (u64)tp->snd_cwnd * BW_UNIT; ++ bw = (u64)tcp_snd_cwnd(tp) * BW_UNIT; + do_div(bw, rtt_us); + sk->sk_pacing_rate = bbr_bw_to_pacing_rate(sk, bw, bbr_high_gain); + } +@@ -323,9 +323,9 @@ static void bbr_save_cwnd(struct sock *sk) + struct bbr *bbr = inet_csk_ca(sk); + + if (bbr->prev_ca_state < TCP_CA_Recovery && bbr->mode != BBR_PROBE_RTT) +- bbr->prior_cwnd = tp->snd_cwnd; /* this cwnd is good enough */ ++ bbr->prior_cwnd = tcp_snd_cwnd(tp); /* this cwnd is good enough */ + else /* loss recovery or BBR_PROBE_RTT have temporarily cut cwnd */ +- bbr->prior_cwnd = max(bbr->prior_cwnd, tp->snd_cwnd); ++ bbr->prior_cwnd = max(bbr->prior_cwnd, tcp_snd_cwnd(tp)); + } + + static void bbr_cwnd_event(struct sock *sk, enum tcp_ca_event event) +@@ -482,7 +482,7 @@ static bool bbr_set_cwnd_to_recover_or_restore( + struct tcp_sock *tp = tcp_sk(sk); + struct bbr *bbr = inet_csk_ca(sk); + u8 prev_state = bbr->prev_ca_state, state = inet_csk(sk)->icsk_ca_state; +- u32 cwnd = tp->snd_cwnd; ++ u32 cwnd = tcp_snd_cwnd(tp); + + /* An ACK for P pkts should release at most 2*P packets. We do this + * in two steps. First, here we deduct the number of lost packets. +@@ -520,7 +520,7 @@ static void bbr_set_cwnd(struct sock *sk, const struct rate_sample *rs, + { + struct tcp_sock *tp = tcp_sk(sk); + struct bbr *bbr = inet_csk_ca(sk); +- u32 cwnd = tp->snd_cwnd, target_cwnd = 0; ++ u32 cwnd = tcp_snd_cwnd(tp), target_cwnd = 0; + + if (!acked) + goto done; /* no packet fully ACKed; just apply caps */ +@@ -544,9 +544,9 @@ static void bbr_set_cwnd(struct sock *sk, const struct rate_sample *rs, + cwnd = max(cwnd, bbr_cwnd_min_target); + + done: +- tp->snd_cwnd = min(cwnd, tp->snd_cwnd_clamp); /* apply global cap */ ++ tcp_snd_cwnd_set(tp, min(cwnd, tp->snd_cwnd_clamp)); /* apply global cap */ + if (bbr->mode == BBR_PROBE_RTT) /* drain queue, refresh min_rtt */ +- tp->snd_cwnd = min(tp->snd_cwnd, bbr_cwnd_min_target); ++ tcp_snd_cwnd_set(tp, min(tcp_snd_cwnd(tp), bbr_cwnd_min_target)); + } + + /* End cycle phase if it's time and/or we hit the phase's in-flight target. */ +@@ -856,7 +856,7 @@ static void bbr_update_ack_aggregation(struct sock *sk, + bbr->ack_epoch_acked = min_t(u32, 0xFFFFF, + bbr->ack_epoch_acked + rs->acked_sacked); + extra_acked = bbr->ack_epoch_acked - expected_acked; +- extra_acked = min(extra_acked, tp->snd_cwnd); ++ extra_acked = min(extra_acked, tcp_snd_cwnd(tp)); + if (extra_acked > bbr->extra_acked[bbr->extra_acked_win_idx]) + bbr->extra_acked[bbr->extra_acked_win_idx] = extra_acked; + } +@@ -914,7 +914,7 @@ static void bbr_check_probe_rtt_done(struct sock *sk) + return; + + bbr->min_rtt_stamp = tcp_jiffies32; /* wait a while until PROBE_RTT */ +- tp->snd_cwnd = max(tp->snd_cwnd, bbr->prior_cwnd); ++ tcp_snd_cwnd_set(tp, max(tcp_snd_cwnd(tp), bbr->prior_cwnd)); + bbr_reset_mode(sk); + } + +@@ -1093,7 +1093,7 @@ static u32 bbr_undo_cwnd(struct sock *sk) + bbr->full_bw = 0; /* spurious slow-down; reset full pipe detection */ + bbr->full_bw_cnt = 0; + bbr_reset_lt_bw_sampling(sk); +- return tcp_sk(sk)->snd_cwnd; ++ return tcp_snd_cwnd(tcp_sk(sk)); + } + + /* Entering loss recovery, so save cwnd for when we exit or undo recovery. */ +diff --git a/net/ipv4/tcp_bic.c b/net/ipv4/tcp_bic.c +index f5f588b1f6e9..58358bf92e1b 100644 +--- a/net/ipv4/tcp_bic.c ++++ b/net/ipv4/tcp_bic.c +@@ -150,7 +150,7 @@ static void bictcp_cong_avoid(struct sock *sk, u32 ack, u32 acked) + if (!acked) + return; + } +- bictcp_update(ca, tp->snd_cwnd); ++ bictcp_update(ca, tcp_snd_cwnd(tp)); + tcp_cong_avoid_ai(tp, ca->cnt, acked); + } + +@@ -166,16 +166,16 @@ static u32 bictcp_recalc_ssthresh(struct sock *sk) + ca->epoch_start = 0; /* end of epoch */ + + /* Wmax and fast convergence */ +- if (tp->snd_cwnd < ca->last_max_cwnd && fast_convergence) +- ca->last_max_cwnd = (tp->snd_cwnd * (BICTCP_BETA_SCALE + beta)) ++ if (tcp_snd_cwnd(tp) < ca->last_max_cwnd && fast_convergence) ++ ca->last_max_cwnd = (tcp_snd_cwnd(tp) * (BICTCP_BETA_SCALE + beta)) + / (2 * BICTCP_BETA_SCALE); + else +- ca->last_max_cwnd = tp->snd_cwnd; ++ ca->last_max_cwnd = tcp_snd_cwnd(tp); + +- if (tp->snd_cwnd <= low_window) +- return max(tp->snd_cwnd >> 1U, 2U); ++ if (tcp_snd_cwnd(tp) <= low_window) ++ return max(tcp_snd_cwnd(tp) >> 1U, 2U); + else +- return max((tp->snd_cwnd * beta) / BICTCP_BETA_SCALE, 2U); ++ return max((tcp_snd_cwnd(tp) * beta) / BICTCP_BETA_SCALE, 2U); + } + + static void bictcp_state(struct sock *sk, u8 new_state) +diff --git a/net/ipv4/tcp_cdg.c b/net/ipv4/tcp_cdg.c +index 709d23801823..ddc7ba0554bd 100644 +--- a/net/ipv4/tcp_cdg.c ++++ b/net/ipv4/tcp_cdg.c +@@ -161,8 +161,8 @@ static void tcp_cdg_hystart_update(struct sock *sk) + LINUX_MIB_TCPHYSTARTTRAINDETECT); + NET_ADD_STATS(sock_net(sk), + LINUX_MIB_TCPHYSTARTTRAINCWND, +- tp->snd_cwnd); +- tp->snd_ssthresh = tp->snd_cwnd; ++ tcp_snd_cwnd(tp)); ++ tp->snd_ssthresh = tcp_snd_cwnd(tp); + return; + } + } +@@ -180,8 +180,8 @@ static void tcp_cdg_hystart_update(struct sock *sk) + LINUX_MIB_TCPHYSTARTDELAYDETECT); + NET_ADD_STATS(sock_net(sk), + LINUX_MIB_TCPHYSTARTDELAYCWND, +- tp->snd_cwnd); +- tp->snd_ssthresh = tp->snd_cwnd; ++ tcp_snd_cwnd(tp)); ++ tp->snd_ssthresh = tcp_snd_cwnd(tp); + } + } + } +@@ -252,7 +252,7 @@ static bool tcp_cdg_backoff(struct sock *sk, u32 grad) + return false; + } + +- ca->shadow_wnd = max(ca->shadow_wnd, tp->snd_cwnd); ++ ca->shadow_wnd = max(ca->shadow_wnd, tcp_snd_cwnd(tp)); + ca->state = CDG_BACKOFF; + tcp_enter_cwr(sk); + return true; +@@ -285,14 +285,14 @@ static void tcp_cdg_cong_avoid(struct sock *sk, u32 ack, u32 acked) + } + + if (!tcp_is_cwnd_limited(sk)) { +- ca->shadow_wnd = min(ca->shadow_wnd, tp->snd_cwnd); ++ ca->shadow_wnd = min(ca->shadow_wnd, tcp_snd_cwnd(tp)); + return; + } + +- prior_snd_cwnd = tp->snd_cwnd; ++ prior_snd_cwnd = tcp_snd_cwnd(tp); + tcp_reno_cong_avoid(sk, ack, acked); + +- incr = tp->snd_cwnd - prior_snd_cwnd; ++ incr = tcp_snd_cwnd(tp) - prior_snd_cwnd; + ca->shadow_wnd = max(ca->shadow_wnd, ca->shadow_wnd + incr); + } + +@@ -331,15 +331,15 @@ static u32 tcp_cdg_ssthresh(struct sock *sk) + struct tcp_sock *tp = tcp_sk(sk); + + if (ca->state == CDG_BACKOFF) +- return max(2U, (tp->snd_cwnd * min(1024U, backoff_beta)) >> 10); ++ return max(2U, (tcp_snd_cwnd(tp) * min(1024U, backoff_beta)) >> 10); + + if (ca->state == CDG_NONFULL && use_tolerance) +- return tp->snd_cwnd; ++ return tcp_snd_cwnd(tp); + +- ca->shadow_wnd = min(ca->shadow_wnd >> 1, tp->snd_cwnd); ++ ca->shadow_wnd = min(ca->shadow_wnd >> 1, tcp_snd_cwnd(tp)); + if (use_shadow) +- return max3(2U, ca->shadow_wnd, tp->snd_cwnd >> 1); +- return max(2U, tp->snd_cwnd >> 1); ++ return max3(2U, ca->shadow_wnd, tcp_snd_cwnd(tp) >> 1); ++ return max(2U, tcp_snd_cwnd(tp) >> 1); + } + + static void tcp_cdg_cwnd_event(struct sock *sk, const enum tcp_ca_event ev) +@@ -357,7 +357,7 @@ static void tcp_cdg_cwnd_event(struct sock *sk, const enum tcp_ca_event ev) + + ca->gradients = gradients; + ca->rtt_seq = tp->snd_nxt; +- ca->shadow_wnd = tp->snd_cwnd; ++ ca->shadow_wnd = tcp_snd_cwnd(tp); + break; + case CA_EVENT_COMPLETE_CWR: + ca->state = CDG_UNKNOWN; +@@ -380,7 +380,7 @@ static void tcp_cdg_init(struct sock *sk) + ca->gradients = kcalloc(window, sizeof(ca->gradients[0]), + GFP_NOWAIT | __GFP_NOWARN); + ca->rtt_seq = tp->snd_nxt; +- ca->shadow_wnd = tp->snd_cwnd; ++ ca->shadow_wnd = tcp_snd_cwnd(tp); + } + + static void tcp_cdg_release(struct sock *sk) +diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c +index db5831e6c136..f43db30a7195 100644 +--- a/net/ipv4/tcp_cong.c ++++ b/net/ipv4/tcp_cong.c +@@ -395,10 +395,10 @@ int tcp_set_congestion_control(struct sock *sk, const char *name, bool load, + */ + u32 tcp_slow_start(struct tcp_sock *tp, u32 acked) + { +- u32 cwnd = min(tp->snd_cwnd + acked, tp->snd_ssthresh); ++ u32 cwnd = min(tcp_snd_cwnd(tp) + acked, tp->snd_ssthresh); + +- acked -= cwnd - tp->snd_cwnd; +- tp->snd_cwnd = min(cwnd, tp->snd_cwnd_clamp); ++ acked -= cwnd - tcp_snd_cwnd(tp); ++ tcp_snd_cwnd_set(tp, min(cwnd, tp->snd_cwnd_clamp)); + + return acked; + } +@@ -412,7 +412,7 @@ void tcp_cong_avoid_ai(struct tcp_sock *tp, u32 w, u32 acked) + /* If credits accumulated at a higher w, apply them gently now. */ + if (tp->snd_cwnd_cnt >= w) { + tp->snd_cwnd_cnt = 0; +- tp->snd_cwnd++; ++ tcp_snd_cwnd_set(tp, tcp_snd_cwnd(tp) + 1); + } + + tp->snd_cwnd_cnt += acked; +@@ -420,9 +420,9 @@ void tcp_cong_avoid_ai(struct tcp_sock *tp, u32 w, u32 acked) + u32 delta = tp->snd_cwnd_cnt / w; + + tp->snd_cwnd_cnt -= delta * w; +- tp->snd_cwnd += delta; ++ tcp_snd_cwnd_set(tp, tcp_snd_cwnd(tp) + delta); + } +- tp->snd_cwnd = min(tp->snd_cwnd, tp->snd_cwnd_clamp); ++ tcp_snd_cwnd_set(tp, min(tcp_snd_cwnd(tp), tp->snd_cwnd_clamp)); + } + EXPORT_SYMBOL_GPL(tcp_cong_avoid_ai); + +@@ -447,7 +447,7 @@ void tcp_reno_cong_avoid(struct sock *sk, u32 ack, u32 acked) + return; + } + /* In dangerous area, increase slowly. */ +- tcp_cong_avoid_ai(tp, tp->snd_cwnd, acked); ++ tcp_cong_avoid_ai(tp, tcp_snd_cwnd(tp), acked); + } + EXPORT_SYMBOL_GPL(tcp_reno_cong_avoid); + +@@ -456,7 +456,7 @@ u32 tcp_reno_ssthresh(struct sock *sk) + { + const struct tcp_sock *tp = tcp_sk(sk); + +- return max(tp->snd_cwnd >> 1U, 2U); ++ return max(tcp_snd_cwnd(tp) >> 1U, 2U); + } + EXPORT_SYMBOL_GPL(tcp_reno_ssthresh); + +@@ -464,7 +464,7 @@ u32 tcp_reno_undo_cwnd(struct sock *sk) + { + const struct tcp_sock *tp = tcp_sk(sk); + +- return max(tp->snd_cwnd, tp->prior_cwnd); ++ return max(tcp_snd_cwnd(tp), tp->prior_cwnd); + } + EXPORT_SYMBOL_GPL(tcp_reno_undo_cwnd); + +diff --git a/net/ipv4/tcp_cubic.c b/net/ipv4/tcp_cubic.c +index e07837e23b3f..f0a240792ff9 100644 +--- a/net/ipv4/tcp_cubic.c ++++ b/net/ipv4/tcp_cubic.c +@@ -334,7 +334,7 @@ static void cubictcp_cong_avoid(struct sock *sk, u32 ack, u32 acked) + if (!acked) + return; + } +- bictcp_update(ca, tp->snd_cwnd, acked); ++ bictcp_update(ca, tcp_snd_cwnd(tp), acked); + tcp_cong_avoid_ai(tp, ca->cnt, acked); + } + +@@ -346,13 +346,13 @@ static u32 cubictcp_recalc_ssthresh(struct sock *sk) + ca->epoch_start = 0; /* end of epoch */ + + /* Wmax and fast convergence */ +- if (tp->snd_cwnd < ca->last_max_cwnd && fast_convergence) +- ca->last_max_cwnd = (tp->snd_cwnd * (BICTCP_BETA_SCALE + beta)) ++ if (tcp_snd_cwnd(tp) < ca->last_max_cwnd && fast_convergence) ++ ca->last_max_cwnd = (tcp_snd_cwnd(tp) * (BICTCP_BETA_SCALE + beta)) + / (2 * BICTCP_BETA_SCALE); + else +- ca->last_max_cwnd = tp->snd_cwnd; ++ ca->last_max_cwnd = tcp_snd_cwnd(tp); + +- return max((tp->snd_cwnd * beta) / BICTCP_BETA_SCALE, 2U); ++ return max((tcp_snd_cwnd(tp) * beta) / BICTCP_BETA_SCALE, 2U); + } + + static void cubictcp_state(struct sock *sk, u8 new_state) +@@ -413,13 +413,13 @@ static void hystart_update(struct sock *sk, u32 delay) + ca->found = 1; + pr_debug("hystart_ack_train (%u > %u) delay_min %u (+ ack_delay %u) cwnd %u\n", + now - ca->round_start, threshold, +- ca->delay_min, hystart_ack_delay(sk), tp->snd_cwnd); ++ ca->delay_min, hystart_ack_delay(sk), tcp_snd_cwnd(tp)); + NET_INC_STATS(sock_net(sk), + LINUX_MIB_TCPHYSTARTTRAINDETECT); + NET_ADD_STATS(sock_net(sk), + LINUX_MIB_TCPHYSTARTTRAINCWND, +- tp->snd_cwnd); +- tp->snd_ssthresh = tp->snd_cwnd; ++ tcp_snd_cwnd(tp)); ++ tp->snd_ssthresh = tcp_snd_cwnd(tp); + } + } + } +@@ -438,8 +438,8 @@ static void hystart_update(struct sock *sk, u32 delay) + LINUX_MIB_TCPHYSTARTDELAYDETECT); + NET_ADD_STATS(sock_net(sk), + LINUX_MIB_TCPHYSTARTDELAYCWND, +- tp->snd_cwnd); +- tp->snd_ssthresh = tp->snd_cwnd; ++ tcp_snd_cwnd(tp)); ++ tp->snd_ssthresh = tcp_snd_cwnd(tp); + } + } + } +@@ -469,7 +469,7 @@ static void cubictcp_acked(struct sock *sk, const struct ack_sample *sample) + + /* hystart triggers when cwnd is larger than some threshold */ + if (!ca->found && tcp_in_slow_start(tp) && hystart && +- tp->snd_cwnd >= hystart_low_window) ++ tcp_snd_cwnd(tp) >= hystart_low_window) + hystart_update(sk, delay); + } + +diff --git a/net/ipv4/tcp_dctcp.c b/net/ipv4/tcp_dctcp.c +index 0d7ab3cc7b61..d0bf7bb4b140 100644 +--- a/net/ipv4/tcp_dctcp.c ++++ b/net/ipv4/tcp_dctcp.c +@@ -106,8 +106,8 @@ static u32 dctcp_ssthresh(struct sock *sk) + struct dctcp *ca = inet_csk_ca(sk); + struct tcp_sock *tp = tcp_sk(sk); + +- ca->loss_cwnd = tp->snd_cwnd; +- return max(tp->snd_cwnd - ((tp->snd_cwnd * ca->dctcp_alpha) >> 11U), 2U); ++ ca->loss_cwnd = tcp_snd_cwnd(tp); ++ return max(tcp_snd_cwnd(tp) - ((tcp_snd_cwnd(tp) * ca->dctcp_alpha) >> 11U), 2U); + } + + static void dctcp_update_alpha(struct sock *sk, u32 flags) +@@ -148,8 +148,8 @@ static void dctcp_react_to_loss(struct sock *sk) + struct dctcp *ca = inet_csk_ca(sk); + struct tcp_sock *tp = tcp_sk(sk); + +- ca->loss_cwnd = tp->snd_cwnd; +- tp->snd_ssthresh = max(tp->snd_cwnd >> 1U, 2U); ++ ca->loss_cwnd = tcp_snd_cwnd(tp); ++ tp->snd_ssthresh = max(tcp_snd_cwnd(tp) >> 1U, 2U); + } + + static void dctcp_state(struct sock *sk, u8 new_state) +@@ -211,8 +211,9 @@ static size_t dctcp_get_info(struct sock *sk, u32 ext, int *attr, + static u32 dctcp_cwnd_undo(struct sock *sk) + { + const struct dctcp *ca = inet_csk_ca(sk); ++ struct tcp_sock *tp = tcp_sk(sk); + +- return max(tcp_sk(sk)->snd_cwnd, ca->loss_cwnd); ++ return max(tcp_snd_cwnd(tp), ca->loss_cwnd); + } + + static struct tcp_congestion_ops dctcp __read_mostly = { +diff --git a/net/ipv4/tcp_highspeed.c b/net/ipv4/tcp_highspeed.c +index 349069d6cd0a..c6de5ce79ad3 100644 +--- a/net/ipv4/tcp_highspeed.c ++++ b/net/ipv4/tcp_highspeed.c +@@ -127,22 +127,22 @@ static void hstcp_cong_avoid(struct sock *sk, u32 ack, u32 acked) + * snd_cwnd <= + * hstcp_aimd_vals[ca->ai].cwnd + */ +- if (tp->snd_cwnd > hstcp_aimd_vals[ca->ai].cwnd) { +- while (tp->snd_cwnd > hstcp_aimd_vals[ca->ai].cwnd && ++ if (tcp_snd_cwnd(tp) > hstcp_aimd_vals[ca->ai].cwnd) { ++ while (tcp_snd_cwnd(tp) > hstcp_aimd_vals[ca->ai].cwnd && + ca->ai < HSTCP_AIMD_MAX - 1) + ca->ai++; +- } else if (ca->ai && tp->snd_cwnd <= hstcp_aimd_vals[ca->ai-1].cwnd) { +- while (ca->ai && tp->snd_cwnd <= hstcp_aimd_vals[ca->ai-1].cwnd) ++ } else if (ca->ai && tcp_snd_cwnd(tp) <= hstcp_aimd_vals[ca->ai-1].cwnd) { ++ while (ca->ai && tcp_snd_cwnd(tp) <= hstcp_aimd_vals[ca->ai-1].cwnd) + ca->ai--; + } + + /* Do additive increase */ +- if (tp->snd_cwnd < tp->snd_cwnd_clamp) { ++ if (tcp_snd_cwnd(tp) < tp->snd_cwnd_clamp) { + /* cwnd = cwnd + a(w) / cwnd */ + tp->snd_cwnd_cnt += ca->ai + 1; +- if (tp->snd_cwnd_cnt >= tp->snd_cwnd) { +- tp->snd_cwnd_cnt -= tp->snd_cwnd; +- tp->snd_cwnd++; ++ if (tp->snd_cwnd_cnt >= tcp_snd_cwnd(tp)) { ++ tp->snd_cwnd_cnt -= tcp_snd_cwnd(tp); ++ tcp_snd_cwnd_set(tp, tcp_snd_cwnd(tp) + 1); + } + } + } +@@ -154,7 +154,7 @@ static u32 hstcp_ssthresh(struct sock *sk) + struct hstcp *ca = inet_csk_ca(sk); + + /* Do multiplicative decrease */ +- return max(tp->snd_cwnd - ((tp->snd_cwnd * hstcp_aimd_vals[ca->ai].md) >> 8), 2U); ++ return max(tcp_snd_cwnd(tp) - ((tcp_snd_cwnd(tp) * hstcp_aimd_vals[ca->ai].md) >> 8), 2U); + } + + static struct tcp_congestion_ops tcp_highspeed __read_mostly = { +diff --git a/net/ipv4/tcp_htcp.c b/net/ipv4/tcp_htcp.c +index 55adcfcf96fe..52b1f2665dfa 100644 +--- a/net/ipv4/tcp_htcp.c ++++ b/net/ipv4/tcp_htcp.c +@@ -124,7 +124,7 @@ static void measure_achieved_throughput(struct sock *sk, + + ca->packetcount += sample->pkts_acked; + +- if (ca->packetcount >= tp->snd_cwnd - (ca->alpha >> 7 ? : 1) && ++ if (ca->packetcount >= tcp_snd_cwnd(tp) - (ca->alpha >> 7 ? : 1) && + now - ca->lasttime >= ca->minRTT && + ca->minRTT > 0) { + __u32 cur_Bi = ca->packetcount * HZ / (now - ca->lasttime); +@@ -225,7 +225,7 @@ static u32 htcp_recalc_ssthresh(struct sock *sk) + const struct htcp *ca = inet_csk_ca(sk); + + htcp_param_update(sk); +- return max((tp->snd_cwnd * ca->beta) >> 7, 2U); ++ return max((tcp_snd_cwnd(tp) * ca->beta) >> 7, 2U); + } + + static void htcp_cong_avoid(struct sock *sk, u32 ack, u32 acked) +@@ -242,9 +242,9 @@ static void htcp_cong_avoid(struct sock *sk, u32 ack, u32 acked) + /* In dangerous area, increase slowly. + * In theory this is tp->snd_cwnd += alpha / tp->snd_cwnd + */ +- if ((tp->snd_cwnd_cnt * ca->alpha)>>7 >= tp->snd_cwnd) { +- if (tp->snd_cwnd < tp->snd_cwnd_clamp) +- tp->snd_cwnd++; ++ if ((tp->snd_cwnd_cnt * ca->alpha)>>7 >= tcp_snd_cwnd(tp)) { ++ if (tcp_snd_cwnd(tp) < tp->snd_cwnd_clamp) ++ tcp_snd_cwnd_set(tp, tcp_snd_cwnd(tp) + 1); + tp->snd_cwnd_cnt = 0; + htcp_alpha_update(ca); + } else +diff --git a/net/ipv4/tcp_hybla.c b/net/ipv4/tcp_hybla.c +index be39327e04e6..abd7d91807e5 100644 +--- a/net/ipv4/tcp_hybla.c ++++ b/net/ipv4/tcp_hybla.c +@@ -54,7 +54,7 @@ static void hybla_init(struct sock *sk) + ca->rho2_7ls = 0; + ca->snd_cwnd_cents = 0; + ca->hybla_en = true; +- tp->snd_cwnd = 2; ++ tcp_snd_cwnd_set(tp, 2); + tp->snd_cwnd_clamp = 65535; + + /* 1st Rho measurement based on initial srtt */ +@@ -62,7 +62,7 @@ static void hybla_init(struct sock *sk) + + /* set minimum rtt as this is the 1st ever seen */ + ca->minrtt_us = tp->srtt_us; +- tp->snd_cwnd = ca->rho; ++ tcp_snd_cwnd_set(tp, ca->rho); + } + + static void hybla_state(struct sock *sk, u8 ca_state) +@@ -137,31 +137,31 @@ static void hybla_cong_avoid(struct sock *sk, u32 ack, u32 acked) + * as long as increment is estimated as (rho<<7)/window + * it already is <<7 and we can easily count its fractions. + */ +- increment = ca->rho2_7ls / tp->snd_cwnd; ++ increment = ca->rho2_7ls / tcp_snd_cwnd(tp); + if (increment < 128) + tp->snd_cwnd_cnt++; + } + + odd = increment % 128; +- tp->snd_cwnd += increment >> 7; ++ tcp_snd_cwnd_set(tp, tcp_snd_cwnd(tp) + (increment >> 7)); + ca->snd_cwnd_cents += odd; + + /* check when fractions goes >=128 and increase cwnd by 1. */ + while (ca->snd_cwnd_cents >= 128) { +- tp->snd_cwnd++; ++ tcp_snd_cwnd_set(tp, tcp_snd_cwnd(tp) + 1); + ca->snd_cwnd_cents -= 128; + tp->snd_cwnd_cnt = 0; + } + /* check when cwnd has not been incremented for a while */ +- if (increment == 0 && odd == 0 && tp->snd_cwnd_cnt >= tp->snd_cwnd) { +- tp->snd_cwnd++; ++ if (increment == 0 && odd == 0 && tp->snd_cwnd_cnt >= tcp_snd_cwnd(tp)) { ++ tcp_snd_cwnd_set(tp, tcp_snd_cwnd(tp) + 1); + tp->snd_cwnd_cnt = 0; + } + /* clamp down slowstart cwnd to ssthresh value. */ + if (is_slowstart) +- tp->snd_cwnd = min(tp->snd_cwnd, tp->snd_ssthresh); ++ tcp_snd_cwnd_set(tp, min(tcp_snd_cwnd(tp), tp->snd_ssthresh)); + +- tp->snd_cwnd = min_t(u32, tp->snd_cwnd, tp->snd_cwnd_clamp); ++ tcp_snd_cwnd_set(tp, min(tcp_snd_cwnd(tp), tp->snd_cwnd_clamp)); + } + + static struct tcp_congestion_ops tcp_hybla __read_mostly = { +diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c +index 00e54873213e..c0c81a2c77fa 100644 +--- a/net/ipv4/tcp_illinois.c ++++ b/net/ipv4/tcp_illinois.c +@@ -224,7 +224,7 @@ static void update_params(struct sock *sk) + struct tcp_sock *tp = tcp_sk(sk); + struct illinois *ca = inet_csk_ca(sk); + +- if (tp->snd_cwnd < win_thresh) { ++ if (tcp_snd_cwnd(tp) < win_thresh) { + ca->alpha = ALPHA_BASE; + ca->beta = BETA_BASE; + } else if (ca->cnt_rtt > 0) { +@@ -284,9 +284,9 @@ static void tcp_illinois_cong_avoid(struct sock *sk, u32 ack, u32 acked) + * tp->snd_cwnd += alpha/tp->snd_cwnd + */ + delta = (tp->snd_cwnd_cnt * ca->alpha) >> ALPHA_SHIFT; +- if (delta >= tp->snd_cwnd) { +- tp->snd_cwnd = min(tp->snd_cwnd + delta / tp->snd_cwnd, +- (u32)tp->snd_cwnd_clamp); ++ if (delta >= tcp_snd_cwnd(tp)) { ++ tcp_snd_cwnd_set(tp, min(tcp_snd_cwnd(tp) + delta / tcp_snd_cwnd(tp), ++ (u32)tp->snd_cwnd_clamp)); + tp->snd_cwnd_cnt = 0; + } + } +@@ -296,9 +296,11 @@ static u32 tcp_illinois_ssthresh(struct sock *sk) + { + struct tcp_sock *tp = tcp_sk(sk); + struct illinois *ca = inet_csk_ca(sk); ++ u32 decr; + + /* Multiplicative decrease */ +- return max(tp->snd_cwnd - ((tp->snd_cwnd * ca->beta) >> BETA_SHIFT), 2U); ++ decr = (tcp_snd_cwnd(tp) * ca->beta) >> BETA_SHIFT; ++ return max(tcp_snd_cwnd(tp) - decr, 2U); + } + + /* Extract info for Tcp socket info provided via netlink. */ +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 96c25c97ee56..edd952250465 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -414,7 +414,7 @@ static void tcp_sndbuf_expand(struct sock *sk) + per_mss = roundup_pow_of_two(per_mss) + + SKB_DATA_ALIGN(sizeof(struct sk_buff)); + +- nr_segs = max_t(u32, TCP_INIT_CWND, tp->snd_cwnd); ++ nr_segs = max_t(u32, TCP_INIT_CWND, tcp_snd_cwnd(tp)); + nr_segs = max_t(u32, nr_segs, tp->reordering + 1); + + /* Fast Recovery (RFC 5681 3.2) : +@@ -909,12 +909,12 @@ static void tcp_update_pacing_rate(struct sock *sk) + * If snd_cwnd >= (tp->snd_ssthresh / 2), we are approaching + * end of slow start and should slow down. + */ +- if (tp->snd_cwnd < tp->snd_ssthresh / 2) ++ if (tcp_snd_cwnd(tp) < tp->snd_ssthresh / 2) + rate *= sock_net(sk)->ipv4.sysctl_tcp_pacing_ss_ratio; + else + rate *= sock_net(sk)->ipv4.sysctl_tcp_pacing_ca_ratio; + +- rate *= max(tp->snd_cwnd, tp->packets_out); ++ rate *= max(tcp_snd_cwnd(tp), tp->packets_out); + + if (likely(tp->srtt_us)) + do_div(rate, tp->srtt_us); +@@ -2147,12 +2147,12 @@ void tcp_enter_loss(struct sock *sk) + !after(tp->high_seq, tp->snd_una) || + (icsk->icsk_ca_state == TCP_CA_Loss && !icsk->icsk_retransmits)) { + tp->prior_ssthresh = tcp_current_ssthresh(sk); +- tp->prior_cwnd = tp->snd_cwnd; ++ tp->prior_cwnd = tcp_snd_cwnd(tp); + tp->snd_ssthresh = icsk->icsk_ca_ops->ssthresh(sk); + tcp_ca_event(sk, CA_EVENT_LOSS); + tcp_init_undo(tp); + } +- tp->snd_cwnd = tcp_packets_in_flight(tp) + 1; ++ tcp_snd_cwnd_set(tp, tcp_packets_in_flight(tp) + 1); + tp->snd_cwnd_cnt = 0; + tp->snd_cwnd_stamp = tcp_jiffies32; + +@@ -2458,7 +2458,7 @@ static void DBGUNDO(struct sock *sk, const char *msg) + pr_debug("Undo %s %pI4/%u c%u l%u ss%u/%u p%u\n", + msg, + &inet->inet_daddr, ntohs(inet->inet_dport), +- tp->snd_cwnd, tcp_left_out(tp), ++ tcp_snd_cwnd(tp), tcp_left_out(tp), + tp->snd_ssthresh, tp->prior_ssthresh, + tp->packets_out); + } +@@ -2467,7 +2467,7 @@ static void DBGUNDO(struct sock *sk, const char *msg) + pr_debug("Undo %s %pI6/%u c%u l%u ss%u/%u p%u\n", + msg, + &sk->sk_v6_daddr, ntohs(inet->inet_dport), +- tp->snd_cwnd, tcp_left_out(tp), ++ tcp_snd_cwnd(tp), tcp_left_out(tp), + tp->snd_ssthresh, tp->prior_ssthresh, + tp->packets_out); + } +@@ -2492,7 +2492,7 @@ static void tcp_undo_cwnd_reduction(struct sock *sk, bool unmark_loss) + if (tp->prior_ssthresh) { + const struct inet_connection_sock *icsk = inet_csk(sk); + +- tp->snd_cwnd = icsk->icsk_ca_ops->undo_cwnd(sk); ++ tcp_snd_cwnd_set(tp, icsk->icsk_ca_ops->undo_cwnd(sk)); + + if (tp->prior_ssthresh > tp->snd_ssthresh) { + tp->snd_ssthresh = tp->prior_ssthresh; +@@ -2599,7 +2599,7 @@ static void tcp_init_cwnd_reduction(struct sock *sk) + tp->high_seq = tp->snd_nxt; + tp->tlp_high_seq = 0; + tp->snd_cwnd_cnt = 0; +- tp->prior_cwnd = tp->snd_cwnd; ++ tp->prior_cwnd = tcp_snd_cwnd(tp); + tp->prr_delivered = 0; + tp->prr_out = 0; + tp->snd_ssthresh = inet_csk(sk)->icsk_ca_ops->ssthresh(sk); +@@ -2629,7 +2629,7 @@ void tcp_cwnd_reduction(struct sock *sk, int newly_acked_sacked, int newly_lost, + } + /* Force a fast retransmit upon entering fast recovery */ + sndcnt = max(sndcnt, (tp->prr_out ? 0 : 1)); +- tp->snd_cwnd = tcp_packets_in_flight(tp) + sndcnt; ++ tcp_snd_cwnd_set(tp, tcp_packets_in_flight(tp) + sndcnt); + } + + static inline void tcp_end_cwnd_reduction(struct sock *sk) +@@ -2642,7 +2642,7 @@ static inline void tcp_end_cwnd_reduction(struct sock *sk) + /* Reset cwnd to ssthresh in CWR or Recovery (unless it's undone) */ + if (tp->snd_ssthresh < TCP_INFINITE_SSTHRESH && + (inet_csk(sk)->icsk_ca_state == TCP_CA_CWR || tp->undo_marker)) { +- tp->snd_cwnd = tp->snd_ssthresh; ++ tcp_snd_cwnd_set(tp, tp->snd_ssthresh); + tp->snd_cwnd_stamp = tcp_jiffies32; + } + tcp_ca_event(sk, CA_EVENT_COMPLETE_CWR); +@@ -2709,9 +2709,9 @@ static void tcp_mtup_probe_success(struct sock *sk) + + /* FIXME: breaks with very large cwnd */ + tp->prior_ssthresh = tcp_current_ssthresh(sk); +- tp->snd_cwnd = tp->snd_cwnd * +- tcp_mss_to_mtu(sk, tp->mss_cache) / +- icsk->icsk_mtup.probe_size; ++ tcp_snd_cwnd_set(tp, tcp_snd_cwnd(tp) * ++ tcp_mss_to_mtu(sk, tp->mss_cache) / ++ icsk->icsk_mtup.probe_size); + tp->snd_cwnd_cnt = 0; + tp->snd_cwnd_stamp = tcp_jiffies32; + tp->snd_ssthresh = tcp_current_ssthresh(sk); +@@ -3034,7 +3034,7 @@ static void tcp_fastretrans_alert(struct sock *sk, const u32 prior_snd_una, + tp->snd_una == tp->mtu_probe.probe_seq_start) { + tcp_mtup_probe_failed(sk); + /* Restores the reduction we did in tcp_mtup_probe() */ +- tp->snd_cwnd++; ++ tcp_snd_cwnd_set(tp, tcp_snd_cwnd(tp) + 1); + tcp_simple_retransmit(sk); + return; + } +@@ -5420,7 +5420,7 @@ static bool tcp_should_expand_sndbuf(struct sock *sk) + return false; + + /* If we filled the congestion window, do not expand. */ +- if (tcp_packets_in_flight(tp) >= tp->snd_cwnd) ++ if (tcp_packets_in_flight(tp) >= tcp_snd_cwnd(tp)) + return false; + + return true; +@@ -5991,9 +5991,9 @@ void tcp_init_transfer(struct sock *sk, int bpf_op, struct sk_buff *skb) + * retransmission has occurred. + */ + if (tp->total_retrans > 1 && tp->undo_marker) +- tp->snd_cwnd = 1; ++ tcp_snd_cwnd_set(tp, 1); + else +- tp->snd_cwnd = tcp_init_cwnd(tp, __sk_dst_get(sk)); ++ tcp_snd_cwnd_set(tp, tcp_init_cwnd(tp, __sk_dst_get(sk))); + tp->snd_cwnd_stamp = tcp_jiffies32; + + bpf_skops_established(sk, bpf_op, skb); +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index fec656f5a39e..79f9a6187a01 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -2665,7 +2665,7 @@ static void get_tcp4_sock(struct sock *sk, struct seq_file *f, int i) + jiffies_to_clock_t(icsk->icsk_rto), + jiffies_to_clock_t(icsk->icsk_ack.ato), + (icsk->icsk_ack.quick << 1) | inet_csk_in_pingpong_mode(sk), +- tp->snd_cwnd, ++ tcp_snd_cwnd(tp), + state == TCP_LISTEN ? + fastopenq->max_qlen : + (tcp_in_initial_slowstart(tp) ? -1 : tp->snd_ssthresh)); +diff --git a/net/ipv4/tcp_lp.c b/net/ipv4/tcp_lp.c +index 82b36ec3f2f8..ae36780977d2 100644 +--- a/net/ipv4/tcp_lp.c ++++ b/net/ipv4/tcp_lp.c +@@ -297,7 +297,7 @@ static void tcp_lp_pkts_acked(struct sock *sk, const struct ack_sample *sample) + lp->flag &= ~LP_WITHIN_THR; + + pr_debug("TCP-LP: %05o|%5u|%5u|%15u|%15u|%15u\n", lp->flag, +- tp->snd_cwnd, lp->remote_hz, lp->owd_min, lp->owd_max, ++ tcp_snd_cwnd(tp), lp->remote_hz, lp->owd_min, lp->owd_max, + lp->sowd >> 3); + + if (lp->flag & LP_WITHIN_THR) +@@ -313,12 +313,12 @@ static void tcp_lp_pkts_acked(struct sock *sk, const struct ack_sample *sample) + /* happened within inference + * drop snd_cwnd into 1 */ + if (lp->flag & LP_WITHIN_INF) +- tp->snd_cwnd = 1U; ++ tcp_snd_cwnd_set(tp, 1U); + + /* happened after inference + * cut snd_cwnd into half */ + else +- tp->snd_cwnd = max(tp->snd_cwnd >> 1U, 1U); ++ tcp_snd_cwnd_set(tp, max(tcp_snd_cwnd(tp) >> 1U, 1U)); + + /* record this drop time */ + lp->last_drop = now; +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index 0588b004ddac..7029b0e98edb 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -388,15 +388,15 @@ void tcp_update_metrics(struct sock *sk) + if (!net->ipv4.sysctl_tcp_no_ssthresh_metrics_save && + !tcp_metric_locked(tm, TCP_METRIC_SSTHRESH)) { + val = tcp_metric_get(tm, TCP_METRIC_SSTHRESH); +- if (val && (tp->snd_cwnd >> 1) > val) ++ if (val && (tcp_snd_cwnd(tp) >> 1) > val) + tcp_metric_set(tm, TCP_METRIC_SSTHRESH, +- tp->snd_cwnd >> 1); ++ tcp_snd_cwnd(tp) >> 1); + } + if (!tcp_metric_locked(tm, TCP_METRIC_CWND)) { + val = tcp_metric_get(tm, TCP_METRIC_CWND); +- if (tp->snd_cwnd > val) ++ if (tcp_snd_cwnd(tp) > val) + tcp_metric_set(tm, TCP_METRIC_CWND, +- tp->snd_cwnd); ++ tcp_snd_cwnd(tp)); + } + } else if (!tcp_in_slow_start(tp) && + icsk->icsk_ca_state == TCP_CA_Open) { +@@ -404,10 +404,10 @@ void tcp_update_metrics(struct sock *sk) + if (!net->ipv4.sysctl_tcp_no_ssthresh_metrics_save && + !tcp_metric_locked(tm, TCP_METRIC_SSTHRESH)) + tcp_metric_set(tm, TCP_METRIC_SSTHRESH, +- max(tp->snd_cwnd >> 1, tp->snd_ssthresh)); ++ max(tcp_snd_cwnd(tp) >> 1, tp->snd_ssthresh)); + if (!tcp_metric_locked(tm, TCP_METRIC_CWND)) { + val = tcp_metric_get(tm, TCP_METRIC_CWND); +- tcp_metric_set(tm, TCP_METRIC_CWND, (val + tp->snd_cwnd) >> 1); ++ tcp_metric_set(tm, TCP_METRIC_CWND, (val + tcp_snd_cwnd(tp)) >> 1); + } + } else { + /* Else slow start did not finish, cwnd is non-sense, +diff --git a/net/ipv4/tcp_nv.c b/net/ipv4/tcp_nv.c +index ab552356bdba..a60662f4bdf9 100644 +--- a/net/ipv4/tcp_nv.c ++++ b/net/ipv4/tcp_nv.c +@@ -197,10 +197,10 @@ static void tcpnv_cong_avoid(struct sock *sk, u32 ack, u32 acked) + } + + if (ca->cwnd_growth_factor < 0) { +- cnt = tp->snd_cwnd << -ca->cwnd_growth_factor; ++ cnt = tcp_snd_cwnd(tp) << -ca->cwnd_growth_factor; + tcp_cong_avoid_ai(tp, cnt, acked); + } else { +- cnt = max(4U, tp->snd_cwnd >> ca->cwnd_growth_factor); ++ cnt = max(4U, tcp_snd_cwnd(tp) >> ca->cwnd_growth_factor); + tcp_cong_avoid_ai(tp, cnt, acked); + } + } +@@ -209,7 +209,7 @@ static u32 tcpnv_recalc_ssthresh(struct sock *sk) + { + const struct tcp_sock *tp = tcp_sk(sk); + +- return max((tp->snd_cwnd * nv_loss_dec_factor) >> 10, 2U); ++ return max((tcp_snd_cwnd(tp) * nv_loss_dec_factor) >> 10, 2U); + } + + static void tcpnv_state(struct sock *sk, u8 new_state) +@@ -257,7 +257,7 @@ static void tcpnv_acked(struct sock *sk, const struct ack_sample *sample) + return; + + /* Stop cwnd growth if we were in catch up mode */ +- if (ca->nv_catchup && tp->snd_cwnd >= nv_min_cwnd) { ++ if (ca->nv_catchup && tcp_snd_cwnd(tp) >= nv_min_cwnd) { + ca->nv_catchup = 0; + ca->nv_allow_cwnd_growth = 0; + } +@@ -371,7 +371,7 @@ static void tcpnv_acked(struct sock *sk, const struct ack_sample *sample) + * if cwnd < max_win, grow cwnd + * else leave the same + */ +- if (tp->snd_cwnd > max_win) { ++ if (tcp_snd_cwnd(tp) > max_win) { + /* there is congestion, check that it is ok + * to make a CA decision + * 1. We should have at least nv_dec_eval_min_calls +@@ -398,20 +398,20 @@ static void tcpnv_acked(struct sock *sk, const struct ack_sample *sample) + ca->nv_allow_cwnd_growth = 0; + tp->snd_ssthresh = + (nv_ssthresh_factor * max_win) >> 3; +- if (tp->snd_cwnd - max_win > 2) { ++ if (tcp_snd_cwnd(tp) - max_win > 2) { + /* gap > 2, we do exponential cwnd decrease */ + int dec; + +- dec = max(2U, ((tp->snd_cwnd - max_win) * ++ dec = max(2U, ((tcp_snd_cwnd(tp) - max_win) * + nv_cong_dec_mult) >> 7); +- tp->snd_cwnd -= dec; ++ tcp_snd_cwnd_set(tp, tcp_snd_cwnd(tp) - dec); + } else if (nv_cong_dec_mult > 0) { +- tp->snd_cwnd = max_win; ++ tcp_snd_cwnd_set(tp, max_win); + } + if (ca->cwnd_growth_factor > 0) + ca->cwnd_growth_factor = 0; + ca->nv_no_cong_cnt = 0; +- } else if (tp->snd_cwnd <= max_win - nv_pad_buffer) { ++ } else if (tcp_snd_cwnd(tp) <= max_win - nv_pad_buffer) { + /* There is no congestion, grow cwnd if allowed*/ + if (ca->nv_eval_call_cnt < nv_inc_eval_min_calls) + return; +@@ -444,8 +444,8 @@ static void tcpnv_acked(struct sock *sk, const struct ack_sample *sample) + * (it wasn't before, if it is now is because nv + * decreased it). + */ +- if (tp->snd_cwnd < nv_min_cwnd) +- tp->snd_cwnd = nv_min_cwnd; ++ if (tcp_snd_cwnd(tp) < nv_min_cwnd) ++ tcp_snd_cwnd_set(tp, nv_min_cwnd); + } + } + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 0b5eab685154..84651fc3dde0 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -143,7 +143,7 @@ void tcp_cwnd_restart(struct sock *sk, s32 delta) + { + struct tcp_sock *tp = tcp_sk(sk); + u32 restart_cwnd = tcp_init_cwnd(tp, __sk_dst_get(sk)); +- u32 cwnd = tp->snd_cwnd; ++ u32 cwnd = tcp_snd_cwnd(tp); + + tcp_ca_event(sk, CA_EVENT_CWND_RESTART); + +@@ -152,7 +152,7 @@ void tcp_cwnd_restart(struct sock *sk, s32 delta) + + while ((delta -= inet_csk(sk)->icsk_rto) > 0 && cwnd > restart_cwnd) + cwnd >>= 1; +- tp->snd_cwnd = max(cwnd, restart_cwnd); ++ tcp_snd_cwnd_set(tp, max(cwnd, restart_cwnd)); + tp->snd_cwnd_stamp = tcp_jiffies32; + tp->snd_cwnd_used = 0; + } +@@ -1014,7 +1014,7 @@ static void tcp_tsq_write(struct sock *sk) + struct tcp_sock *tp = tcp_sk(sk); + + if (tp->lost_out > tp->retrans_out && +- tp->snd_cwnd > tcp_packets_in_flight(tp)) { ++ tcp_snd_cwnd(tp) > tcp_packets_in_flight(tp)) { + tcp_mstamp_refresh(tp); + tcp_xmit_retransmit_queue(sk); + } +@@ -1861,9 +1861,9 @@ static void tcp_cwnd_application_limited(struct sock *sk) + /* Limited by application or receiver window. */ + u32 init_win = tcp_init_cwnd(tp, __sk_dst_get(sk)); + u32 win_used = max(tp->snd_cwnd_used, init_win); +- if (win_used < tp->snd_cwnd) { ++ if (win_used < tcp_snd_cwnd(tp)) { + tp->snd_ssthresh = tcp_current_ssthresh(sk); +- tp->snd_cwnd = (tp->snd_cwnd + win_used) >> 1; ++ tcp_snd_cwnd_set(tp, (tcp_snd_cwnd(tp) + win_used) >> 1); + } + tp->snd_cwnd_used = 0; + } +@@ -2035,7 +2035,7 @@ static inline unsigned int tcp_cwnd_test(const struct tcp_sock *tp, + return 1; + + in_flight = tcp_packets_in_flight(tp); +- cwnd = tp->snd_cwnd; ++ cwnd = tcp_snd_cwnd(tp); + if (in_flight >= cwnd) + return 0; + +@@ -2188,12 +2188,12 @@ static bool tcp_tso_should_defer(struct sock *sk, struct sk_buff *skb, + in_flight = tcp_packets_in_flight(tp); + + BUG_ON(tcp_skb_pcount(skb) <= 1); +- BUG_ON(tp->snd_cwnd <= in_flight); ++ BUG_ON(tcp_snd_cwnd(tp) <= in_flight); + + send_win = tcp_wnd_end(tp) - TCP_SKB_CB(skb)->seq; + + /* From in_flight test above, we know that cwnd > in_flight. */ +- cong_win = (tp->snd_cwnd - in_flight) * tp->mss_cache; ++ cong_win = (tcp_snd_cwnd(tp) - in_flight) * tp->mss_cache; + + limit = min(send_win, cong_win); + +@@ -2207,7 +2207,7 @@ static bool tcp_tso_should_defer(struct sock *sk, struct sk_buff *skb, + + win_divisor = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_tso_win_divisor); + if (win_divisor) { +- u32 chunk = min(tp->snd_wnd, tp->snd_cwnd * tp->mss_cache); ++ u32 chunk = min(tp->snd_wnd, tcp_snd_cwnd(tp) * tp->mss_cache); + + /* If at least some fraction of a window is available, + * just use it. +@@ -2337,7 +2337,7 @@ static int tcp_mtu_probe(struct sock *sk) + if (likely(!icsk->icsk_mtup.enabled || + icsk->icsk_mtup.probe_size || + inet_csk(sk)->icsk_ca_state != TCP_CA_Open || +- tp->snd_cwnd < 11 || ++ tcp_snd_cwnd(tp) < 11 || + tp->rx_opt.num_sacks || tp->rx_opt.dsack)) + return -1; + +@@ -2373,7 +2373,7 @@ static int tcp_mtu_probe(struct sock *sk) + return 0; + + /* Do we need to wait to drain cwnd? With none in flight, don't stall */ +- if (tcp_packets_in_flight(tp) + 2 > tp->snd_cwnd) { ++ if (tcp_packets_in_flight(tp) + 2 > tcp_snd_cwnd(tp)) { + if (!tcp_packets_in_flight(tp)) + return -1; + else +@@ -2442,7 +2442,7 @@ static int tcp_mtu_probe(struct sock *sk) + if (!tcp_transmit_skb(sk, nskb, 1, GFP_ATOMIC)) { + /* Decrement cwnd here because we are sending + * effectively two packets. */ +- tp->snd_cwnd--; ++ tcp_snd_cwnd_set(tp, tcp_snd_cwnd(tp) - 1); + tcp_event_new_data_sent(sk, nskb); + + icsk->icsk_mtup.probe_size = tcp_mss_to_mtu(sk, nskb->len); +@@ -2699,7 +2699,7 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle, + else + tcp_chrono_stop(sk, TCP_CHRONO_RWND_LIMITED); + +- is_cwnd_limited |= (tcp_packets_in_flight(tp) >= tp->snd_cwnd); ++ is_cwnd_limited |= (tcp_packets_in_flight(tp) >= tcp_snd_cwnd(tp)); + if (likely(sent_pkts || is_cwnd_limited)) + tcp_cwnd_validate(sk, is_cwnd_limited); + +@@ -2809,7 +2809,7 @@ void tcp_send_loss_probe(struct sock *sk) + if (unlikely(!skb)) { + WARN_ONCE(tp->packets_out, + "invalid inflight: %u state %u cwnd %u mss %d\n", +- tp->packets_out, sk->sk_state, tp->snd_cwnd, mss); ++ tp->packets_out, sk->sk_state, tcp_snd_cwnd(tp), mss); + inet_csk(sk)->icsk_pending = 0; + return; + } +@@ -3293,7 +3293,7 @@ void tcp_xmit_retransmit_queue(struct sock *sk) + if (!hole) + tp->retransmit_skb_hint = skb; + +- segs = tp->snd_cwnd - tcp_packets_in_flight(tp); ++ segs = tcp_snd_cwnd(tp) - tcp_packets_in_flight(tp); + if (segs <= 0) + break; + sacked = TCP_SKB_CB(skb)->sacked; +diff --git a/net/ipv4/tcp_rate.c b/net/ipv4/tcp_rate.c +index 9a8e014d9b5b..a8f6d9d06f2e 100644 +--- a/net/ipv4/tcp_rate.c ++++ b/net/ipv4/tcp_rate.c +@@ -200,7 +200,7 @@ void tcp_rate_check_app_limited(struct sock *sk) + /* Nothing in sending host's qdisc queues or NIC tx queue. */ + sk_wmem_alloc_get(sk) < SKB_TRUESIZE(1) && + /* We are not limited by CWND. */ +- tcp_packets_in_flight(tp) < tp->snd_cwnd && ++ tcp_packets_in_flight(tp) < tcp_snd_cwnd(tp) && + /* All lost packets have been retransmitted. */ + tp->lost_out <= tp->retrans_out) + tp->app_limited = +diff --git a/net/ipv4/tcp_scalable.c b/net/ipv4/tcp_scalable.c +index 5842081bc8a2..862b96248a92 100644 +--- a/net/ipv4/tcp_scalable.c ++++ b/net/ipv4/tcp_scalable.c +@@ -27,7 +27,7 @@ static void tcp_scalable_cong_avoid(struct sock *sk, u32 ack, u32 acked) + if (!acked) + return; + } +- tcp_cong_avoid_ai(tp, min(tp->snd_cwnd, TCP_SCALABLE_AI_CNT), ++ tcp_cong_avoid_ai(tp, min(tcp_snd_cwnd(tp), TCP_SCALABLE_AI_CNT), + acked); + } + +@@ -35,7 +35,7 @@ static u32 tcp_scalable_ssthresh(struct sock *sk) + { + const struct tcp_sock *tp = tcp_sk(sk); + +- return max(tp->snd_cwnd - (tp->snd_cwnd>>TCP_SCALABLE_MD_SCALE), 2U); ++ return max(tcp_snd_cwnd(tp) - (tcp_snd_cwnd(tp)>>TCP_SCALABLE_MD_SCALE), 2U); + } + + static struct tcp_congestion_ops tcp_scalable __read_mostly = { +diff --git a/net/ipv4/tcp_vegas.c b/net/ipv4/tcp_vegas.c +index c8003c8aad2c..786848ad37ea 100644 +--- a/net/ipv4/tcp_vegas.c ++++ b/net/ipv4/tcp_vegas.c +@@ -159,7 +159,7 @@ EXPORT_SYMBOL_GPL(tcp_vegas_cwnd_event); + + static inline u32 tcp_vegas_ssthresh(struct tcp_sock *tp) + { +- return min(tp->snd_ssthresh, tp->snd_cwnd); ++ return min(tp->snd_ssthresh, tcp_snd_cwnd(tp)); + } + + static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 acked) +@@ -217,14 +217,14 @@ static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 acked) + * This is: + * (actual rate in segments) * baseRTT + */ +- target_cwnd = (u64)tp->snd_cwnd * vegas->baseRTT; ++ target_cwnd = (u64)tcp_snd_cwnd(tp) * vegas->baseRTT; + do_div(target_cwnd, rtt); + + /* Calculate the difference between the window we had, + * and the window we would like to have. This quantity + * is the "Diff" from the Arizona Vegas papers. + */ +- diff = tp->snd_cwnd * (rtt-vegas->baseRTT) / vegas->baseRTT; ++ diff = tcp_snd_cwnd(tp) * (rtt-vegas->baseRTT) / vegas->baseRTT; + + if (diff > gamma && tcp_in_slow_start(tp)) { + /* Going too fast. Time to slow down +@@ -238,7 +238,8 @@ static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 acked) + * truncation robs us of full link + * utilization. + */ +- tp->snd_cwnd = min(tp->snd_cwnd, (u32)target_cwnd+1); ++ tcp_snd_cwnd_set(tp, min(tcp_snd_cwnd(tp), ++ (u32)target_cwnd + 1)); + tp->snd_ssthresh = tcp_vegas_ssthresh(tp); + + } else if (tcp_in_slow_start(tp)) { +@@ -254,14 +255,14 @@ static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 acked) + /* The old window was too fast, so + * we slow down. + */ +- tp->snd_cwnd--; ++ tcp_snd_cwnd_set(tp, tcp_snd_cwnd(tp) - 1); + tp->snd_ssthresh + = tcp_vegas_ssthresh(tp); + } else if (diff < alpha) { + /* We don't have enough extra packets + * in the network, so speed up. + */ +- tp->snd_cwnd++; ++ tcp_snd_cwnd_set(tp, tcp_snd_cwnd(tp) + 1); + } else { + /* Sending just as fast as we + * should be. +@@ -269,10 +270,10 @@ static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 acked) + } + } + +- if (tp->snd_cwnd < 2) +- tp->snd_cwnd = 2; +- else if (tp->snd_cwnd > tp->snd_cwnd_clamp) +- tp->snd_cwnd = tp->snd_cwnd_clamp; ++ if (tcp_snd_cwnd(tp) < 2) ++ tcp_snd_cwnd_set(tp, 2); ++ else if (tcp_snd_cwnd(tp) > tp->snd_cwnd_clamp) ++ tcp_snd_cwnd_set(tp, tp->snd_cwnd_clamp); + + tp->snd_ssthresh = tcp_current_ssthresh(sk); + } +diff --git a/net/ipv4/tcp_veno.c b/net/ipv4/tcp_veno.c +index cd50a61c9976..366ff6f214b2 100644 +--- a/net/ipv4/tcp_veno.c ++++ b/net/ipv4/tcp_veno.c +@@ -146,11 +146,11 @@ static void tcp_veno_cong_avoid(struct sock *sk, u32 ack, u32 acked) + + rtt = veno->minrtt; + +- target_cwnd = (u64)tp->snd_cwnd * veno->basertt; ++ target_cwnd = (u64)tcp_snd_cwnd(tp) * veno->basertt; + target_cwnd <<= V_PARAM_SHIFT; + do_div(target_cwnd, rtt); + +- veno->diff = (tp->snd_cwnd << V_PARAM_SHIFT) - target_cwnd; ++ veno->diff = (tcp_snd_cwnd(tp) << V_PARAM_SHIFT) - target_cwnd; + + if (tcp_in_slow_start(tp)) { + /* Slow start. */ +@@ -164,15 +164,15 @@ static void tcp_veno_cong_avoid(struct sock *sk, u32 ack, u32 acked) + /* In the "non-congestive state", increase cwnd + * every rtt. + */ +- tcp_cong_avoid_ai(tp, tp->snd_cwnd, acked); ++ tcp_cong_avoid_ai(tp, tcp_snd_cwnd(tp), acked); + } else { + /* In the "congestive state", increase cwnd + * every other rtt. + */ +- if (tp->snd_cwnd_cnt >= tp->snd_cwnd) { ++ if (tp->snd_cwnd_cnt >= tcp_snd_cwnd(tp)) { + if (veno->inc && +- tp->snd_cwnd < tp->snd_cwnd_clamp) { +- tp->snd_cwnd++; ++ tcp_snd_cwnd(tp) < tp->snd_cwnd_clamp) { ++ tcp_snd_cwnd_set(tp, tcp_snd_cwnd(tp) + 1); + veno->inc = 0; + } else + veno->inc = 1; +@@ -181,10 +181,10 @@ static void tcp_veno_cong_avoid(struct sock *sk, u32 ack, u32 acked) + tp->snd_cwnd_cnt += acked; + } + done: +- if (tp->snd_cwnd < 2) +- tp->snd_cwnd = 2; +- else if (tp->snd_cwnd > tp->snd_cwnd_clamp) +- tp->snd_cwnd = tp->snd_cwnd_clamp; ++ if (tcp_snd_cwnd(tp) < 2) ++ tcp_snd_cwnd_set(tp, 2); ++ else if (tcp_snd_cwnd(tp) > tp->snd_cwnd_clamp) ++ tcp_snd_cwnd_set(tp, tp->snd_cwnd_clamp); + } + /* Wipe the slate clean for the next rtt. */ + /* veno->cntrtt = 0; */ +@@ -199,10 +199,10 @@ static u32 tcp_veno_ssthresh(struct sock *sk) + + if (veno->diff < beta) + /* in "non-congestive state", cut cwnd by 1/5 */ +- return max(tp->snd_cwnd * 4 / 5, 2U); ++ return max(tcp_snd_cwnd(tp) * 4 / 5, 2U); + else + /* in "congestive state", cut cwnd by 1/2 */ +- return max(tp->snd_cwnd >> 1U, 2U); ++ return max(tcp_snd_cwnd(tp) >> 1U, 2U); + } + + static struct tcp_congestion_ops tcp_veno __read_mostly = { +diff --git a/net/ipv4/tcp_westwood.c b/net/ipv4/tcp_westwood.c +index b2e05c4cea00..c6e97141eef2 100644 +--- a/net/ipv4/tcp_westwood.c ++++ b/net/ipv4/tcp_westwood.c +@@ -244,7 +244,8 @@ static void tcp_westwood_event(struct sock *sk, enum tcp_ca_event event) + + switch (event) { + case CA_EVENT_COMPLETE_CWR: +- tp->snd_cwnd = tp->snd_ssthresh = tcp_westwood_bw_rttmin(sk); ++ tp->snd_ssthresh = tcp_westwood_bw_rttmin(sk); ++ tcp_snd_cwnd_set(tp, tp->snd_ssthresh); + break; + case CA_EVENT_LOSS: + tp->snd_ssthresh = tcp_westwood_bw_rttmin(sk); +diff --git a/net/ipv4/tcp_yeah.c b/net/ipv4/tcp_yeah.c +index 07c4c93b9fdb..18b07ff5d20e 100644 +--- a/net/ipv4/tcp_yeah.c ++++ b/net/ipv4/tcp_yeah.c +@@ -71,11 +71,11 @@ static void tcp_yeah_cong_avoid(struct sock *sk, u32 ack, u32 acked) + + if (!yeah->doing_reno_now) { + /* Scalable */ +- tcp_cong_avoid_ai(tp, min(tp->snd_cwnd, TCP_SCALABLE_AI_CNT), ++ tcp_cong_avoid_ai(tp, min(tcp_snd_cwnd(tp), TCP_SCALABLE_AI_CNT), + acked); + } else { + /* Reno */ +- tcp_cong_avoid_ai(tp, tp->snd_cwnd, acked); ++ tcp_cong_avoid_ai(tp, tcp_snd_cwnd(tp), acked); + } + + /* The key players are v_vegas.beg_snd_una and v_beg_snd_nxt. +@@ -130,7 +130,7 @@ static void tcp_yeah_cong_avoid(struct sock *sk, u32 ack, u32 acked) + /* Compute excess number of packets above bandwidth + * Avoid doing full 64 bit divide. + */ +- bw = tp->snd_cwnd; ++ bw = tcp_snd_cwnd(tp); + bw *= rtt - yeah->vegas.baseRTT; + do_div(bw, rtt); + queue = bw; +@@ -138,20 +138,20 @@ static void tcp_yeah_cong_avoid(struct sock *sk, u32 ack, u32 acked) + if (queue > TCP_YEAH_ALPHA || + rtt - yeah->vegas.baseRTT > (yeah->vegas.baseRTT / TCP_YEAH_PHY)) { + if (queue > TCP_YEAH_ALPHA && +- tp->snd_cwnd > yeah->reno_count) { ++ tcp_snd_cwnd(tp) > yeah->reno_count) { + u32 reduction = min(queue / TCP_YEAH_GAMMA , +- tp->snd_cwnd >> TCP_YEAH_EPSILON); ++ tcp_snd_cwnd(tp) >> TCP_YEAH_EPSILON); + +- tp->snd_cwnd -= reduction; ++ tcp_snd_cwnd_set(tp, tcp_snd_cwnd(tp) - reduction); + +- tp->snd_cwnd = max(tp->snd_cwnd, +- yeah->reno_count); ++ tcp_snd_cwnd_set(tp, max(tcp_snd_cwnd(tp), ++ yeah->reno_count)); + +- tp->snd_ssthresh = tp->snd_cwnd; ++ tp->snd_ssthresh = tcp_snd_cwnd(tp); + } + + if (yeah->reno_count <= 2) +- yeah->reno_count = max(tp->snd_cwnd>>1, 2U); ++ yeah->reno_count = max(tcp_snd_cwnd(tp)>>1, 2U); + else + yeah->reno_count++; + +@@ -176,7 +176,7 @@ static void tcp_yeah_cong_avoid(struct sock *sk, u32 ack, u32 acked) + */ + yeah->vegas.beg_snd_una = yeah->vegas.beg_snd_nxt; + yeah->vegas.beg_snd_nxt = tp->snd_nxt; +- yeah->vegas.beg_snd_cwnd = tp->snd_cwnd; ++ yeah->vegas.beg_snd_cwnd = tcp_snd_cwnd(tp); + + /* Wipe the slate clean for the next RTT. */ + yeah->vegas.cntRTT = 0; +@@ -193,16 +193,16 @@ static u32 tcp_yeah_ssthresh(struct sock *sk) + if (yeah->doing_reno_now < TCP_YEAH_RHO) { + reduction = yeah->lastQ; + +- reduction = min(reduction, max(tp->snd_cwnd>>1, 2U)); ++ reduction = min(reduction, max(tcp_snd_cwnd(tp)>>1, 2U)); + +- reduction = max(reduction, tp->snd_cwnd >> TCP_YEAH_DELTA); ++ reduction = max(reduction, tcp_snd_cwnd(tp) >> TCP_YEAH_DELTA); + } else +- reduction = max(tp->snd_cwnd>>1, 2U); ++ reduction = max(tcp_snd_cwnd(tp)>>1, 2U); + + yeah->fast_count = 0; + yeah->reno_count = max(yeah->reno_count>>1, 2U); + +- return max_t(int, tp->snd_cwnd - reduction, 2); ++ return max_t(int, tcp_snd_cwnd(tp) - reduction, 2); + } + + static struct tcp_congestion_ops tcp_yeah __read_mostly = { +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 075ee8a2df3b..29a4fc92580e 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -2074,7 +2074,7 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i) + jiffies_to_clock_t(icsk->icsk_rto), + jiffies_to_clock_t(icsk->icsk_ack.ato), + (icsk->icsk_ack.quick << 1) | inet_csk_in_pingpong_mode(sp), +- tp->snd_cwnd, ++ tcp_snd_cwnd(tp), + state == TCP_LISTEN ? + fastopenq->max_qlen : + (tcp_in_initial_slowstart(tp) ? -1 : tp->snd_ssthresh) +-- +2.35.1 + diff --git a/queue-5.17/tcp-tcp_rtx_synack-can-be-called-from-process-contex.patch b/queue-5.17/tcp-tcp_rtx_synack-can-be-called-from-process-contex.patch new file mode 100644 index 00000000000..c779ff15d8b --- /dev/null +++ b/queue-5.17/tcp-tcp_rtx_synack-can-be-called-from-process-contex.patch @@ -0,0 +1,92 @@ +From 0be4c18e91b7e64ea93070488be2f393fb14cda8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 14:37:13 -0700 +Subject: tcp: tcp_rtx_synack() can be called from process context + +From: Eric Dumazet + +[ Upstream commit 0a375c822497ed6ad6b5da0792a12a6f1af10c0b ] + +Laurent reported the enclosed report [1] + +This bug triggers with following coditions: + +0) Kernel built with CONFIG_DEBUG_PREEMPT=y + +1) A new passive FastOpen TCP socket is created. + This FO socket waits for an ACK coming from client to be a complete + ESTABLISHED one. +2) A socket operation on this socket goes through lock_sock() + release_sock() dance. +3) While the socket is owned by the user in step 2), + a retransmit of the SYN is received and stored in socket backlog. +4) At release_sock() time, the socket backlog is processed while + in process context. +5) A SYNACK packet is cooked in response of the SYN retransmit. +6) -> tcp_rtx_synack() is called in process context. + +Before blamed commit, tcp_rtx_synack() was always called from BH handler, +from a timer handler. + +Fix this by using TCP_INC_STATS() & NET_INC_STATS() +which do not assume caller is in non preemptible context. + +[1] +BUG: using __this_cpu_add() in preemptible [00000000] code: epollpep/2180 +caller is tcp_rtx_synack.part.0+0x36/0xc0 +CPU: 10 PID: 2180 Comm: epollpep Tainted: G OE 5.16.0-0.bpo.4-amd64 #1 Debian 5.16.12-1~bpo11+1 +Hardware name: Supermicro SYS-5039MC-H8TRF/X11SCD-F, BIOS 1.7 11/23/2021 +Call Trace: + + dump_stack_lvl+0x48/0x5e + check_preemption_disabled+0xde/0xe0 + tcp_rtx_synack.part.0+0x36/0xc0 + tcp_rtx_synack+0x8d/0xa0 + ? kmem_cache_alloc+0x2e0/0x3e0 + ? apparmor_file_alloc_security+0x3b/0x1f0 + inet_rtx_syn_ack+0x16/0x30 + tcp_check_req+0x367/0x610 + tcp_rcv_state_process+0x91/0xf60 + ? get_nohz_timer_target+0x18/0x1a0 + ? lock_timer_base+0x61/0x80 + ? preempt_count_add+0x68/0xa0 + tcp_v4_do_rcv+0xbd/0x270 + __release_sock+0x6d/0xb0 + release_sock+0x2b/0x90 + sock_setsockopt+0x138/0x1140 + ? __sys_getsockname+0x7e/0xc0 + ? aa_sk_perm+0x3e/0x1a0 + __sys_setsockopt+0x198/0x1e0 + __x64_sys_setsockopt+0x21/0x30 + do_syscall_64+0x38/0xc0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path") +Signed-off-by: Eric Dumazet +Reported-by: Laurent Fasnacht +Acked-by: Neal Cardwell +Link: https://lore.kernel.org/r/20220530213713.601888-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_output.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 84651fc3dde0..2adff4877cd6 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -4100,8 +4100,8 @@ int tcp_rtx_synack(const struct sock *sk, struct request_sock *req) + res = af_ops->send_synack(sk, NULL, &fl, req, NULL, TCP_SYNACK_NORMAL, + NULL); + if (!res) { +- __TCP_INC_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS); +- __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNRETRANS); ++ TCP_INC_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS); ++ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNRETRANS); + if (unlikely(tcp_passive_fastopen(sk))) + tcp_sk(sk)->total_retrans++; + trace_tcp_retransmit_synack(sk, req); +-- +2.35.1 + diff --git a/queue-5.17/tipc-check-attribute-length-for-bearer-name.patch b/queue-5.17/tipc-check-attribute-length-for-bearer-name.patch new file mode 100644 index 00000000000..a1de097adeb --- /dev/null +++ b/queue-5.17/tipc-check-attribute-length-for-bearer-name.patch @@ -0,0 +1,58 @@ +From 5056327e4d726b5de71c5c7593cc625ae98099ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 13:30:53 +0700 +Subject: tipc: check attribute length for bearer name + +From: Hoang Le + +[ Upstream commit 7f36f798f89bf32c0164049cb0e3fd1af613d0bb ] + +syzbot reported uninit-value: +===================================================== +BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:644 [inline] +BUG: KMSAN: uninit-value in string+0x4f9/0x6f0 lib/vsprintf.c:725 + string_nocheck lib/vsprintf.c:644 [inline] + string+0x4f9/0x6f0 lib/vsprintf.c:725 + vsnprintf+0x2222/0x3650 lib/vsprintf.c:2806 + vprintk_store+0x537/0x2150 kernel/printk/printk.c:2158 + vprintk_emit+0x28b/0xab0 kernel/printk/printk.c:2256 + vprintk_default+0x86/0xa0 kernel/printk/printk.c:2283 + vprintk+0x15f/0x180 kernel/printk/printk_safe.c:50 + _printk+0x18d/0x1cf kernel/printk/printk.c:2293 + tipc_enable_bearer net/tipc/bearer.c:371 [inline] + __tipc_nl_bearer_enable+0x2022/0x22a0 net/tipc/bearer.c:1033 + tipc_nl_bearer_enable+0x6c/0xb0 net/tipc/bearer.c:1042 + genl_family_rcv_msg_doit net/netlink/genetlink.c:731 [inline] + +- Do sanity check the attribute length for TIPC_NLA_BEARER_NAME. +- Do not use 'illegal name' in printing message. + +Reported-by: syzbot+e820fdc8ce362f2dea51@syzkaller.appspotmail.com +Fixes: cb30a63384bc ("tipc: refactor function tipc_enable_bearer()") +Acked-by: Jon Maloy +Signed-off-by: Hoang Le +Link: https://lore.kernel.org/r/20220602063053.5892-1-hoang.h.le@dektech.com.au +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/bearer.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c +index a2f9c9640716..91d9c815a406 100644 +--- a/net/tipc/bearer.c ++++ b/net/tipc/bearer.c +@@ -259,9 +259,8 @@ static int tipc_enable_bearer(struct net *net, const char *name, + u32 i; + + if (!bearer_name_validate(name, &b_names)) { +- errstr = "illegal name"; + NL_SET_ERR_MSG(extack, "Illegal name"); +- goto rejected; ++ return res; + } + + if (prio > TIPC_MAX_LINK_PRI && prio != TIPC_MEDIA_LINK_PRI) { +-- +2.35.1 + diff --git a/queue-5.17/tty-goldfish-use-tty_port_destroy-to-destroy-port.patch b/queue-5.17/tty-goldfish-use-tty_port_destroy-to-destroy-port.patch new file mode 100644 index 00000000000..b2cca25c413 --- /dev/null +++ b/queue-5.17/tty-goldfish-use-tty_port_destroy-to-destroy-port.patch @@ -0,0 +1,48 @@ +From 40127d14bf1894f65ac89b48f7d4fd7dc9e5e5aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Mar 2022 19:58:44 +0800 +Subject: tty: goldfish: Use tty_port_destroy() to destroy port + +From: Wang Weiyang + +[ Upstream commit 507b05063d1b7a1fcb9f7d7c47586fc4f3508f98 ] + +In goldfish_tty_probe(), the port initialized through tty_port_init() +should be destroyed in error paths.In goldfish_tty_remove(), qtty->port +also should be destroyed or else might leak resources. + +Fix the above by calling tty_port_destroy(). + +Fixes: 666b7793d4bf ("goldfish: tty driver") +Reviewed-by: Jiri Slaby +Signed-off-by: Wang Weiyang +Link: https://lore.kernel.org/r/20220328115844.86032-1-wangweiyang2@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/goldfish.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/tty/goldfish.c b/drivers/tty/goldfish.c +index 10c13b93ed52..9355d97ff591 100644 +--- a/drivers/tty/goldfish.c ++++ b/drivers/tty/goldfish.c +@@ -405,6 +405,7 @@ static int goldfish_tty_probe(struct platform_device *pdev) + err_tty_register_device_failed: + free_irq(irq, qtty); + err_dec_line_count: ++ tty_port_destroy(&qtty->port); + goldfish_tty_current_line_count--; + if (goldfish_tty_current_line_count == 0) + goldfish_tty_delete_driver(); +@@ -426,6 +427,7 @@ static int goldfish_tty_remove(struct platform_device *pdev) + iounmap(qtty->base); + qtty->base = NULL; + free_irq(qtty->irq, pdev); ++ tty_port_destroy(&qtty->port); + goldfish_tty_current_line_count--; + if (goldfish_tty_current_line_count == 0) + goldfish_tty_delete_driver(); +-- +2.35.1 + diff --git a/queue-5.17/tty-n_tty-restore-eof-push-handling-behavior.patch b/queue-5.17/tty-n_tty-restore-eof-push-handling-behavior.patch new file mode 100644 index 00000000000..cc7a0b3d2ae --- /dev/null +++ b/queue-5.17/tty-n_tty-restore-eof-push-handling-behavior.patch @@ -0,0 +1,123 @@ +From 5ded1711802bfafb84a397d4a1725fb8ef3c764b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Mar 2022 01:58:10 +0200 +Subject: tty: n_tty: Restore EOF push handling behavior + +From: Daniel Gibson + +[ Upstream commit 65a8b287023da68c4550deab5c764e6891cf1caf ] + +TTYs in ICANON mode have a special case that allows "pushing" a line +without a regular EOL character (like newline), by using EOF (the EOT +character - ASCII 0x4) as a pseudo-EOL. It is silently discarded, so +the reader of the PTS will receive the line *without* EOF or any other +terminating character. + +This special case has an edge case: What happens if the readers buffer +is the same size as the line (without EOF)? Will they be able to tell +if the whole line is received, i.e. if the next read() will return more +of the same line or the next line? + +There are two possibilities, that both have (dis)advantages: + +1. The next read() returns 0. FreeBSD (13.0) and OSX (10.11) do this. + Advantage: The reader can interpret this as "the line is over". + Disadvantage: read() returning 0 means EOF, the reader could also + interpret it as "there's no more data" and stop reading or even + close the PT. + +2. The next read() returns the next line, the EOF is silently discarded. + Solaris (or at least OpenIndiana 2021.10) does this, Linux has done + do this since commit 40d5e0905a03 ("n_tty: Fix EOF push handling"); + this behavior was recently broken by commit 359303076163 ("tty: + n_tty: do not look ahead for EOL character past the end of the buffer"). + Advantage: read() won't return 0 (EOF), reader less likely to be + confused (and things like `while(read(..)>0)` don't break) + Disadvantage: The reader can't really know if the read() continues + the last line (that filled the whole read buffer) or starts a + new line. + +As both options are defensible (and are used by other Unix-likes), it's +best to stick to the "old" behavior since "n_tty: Fix EOF push handling" +of 2013, i.e. silently discard that EOF. + +This patch - that I actually got from Linus for testing and only +modified slightly - restores that behavior by skipping an EOF +character if it's the next character after reading is done. + +Based on a patch from Linus Torvalds. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215611 +Fixes: 359303076163 ("tty: n_tty: do not look ahead for EOL character past the end of the buffer") +Cc: Peter Hurley +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Reviewed-and-tested-by: Daniel Gibson +Acked-by: Linus Torvalds +Signed-off-by: Daniel Gibson +Link: https://lore.kernel.org/r/20220329235810.452513-2-daniel@gibson.sh +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/n_tty.c | 38 +++++++++++++++++++++++++++++++++++++- + 1 file changed, 37 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c +index efc72104c840..bdc314aeab88 100644 +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -1975,6 +1975,35 @@ static bool canon_copy_from_read_buf(struct tty_struct *tty, + return ldata->read_tail != canon_head; + } + ++/* ++ * If we finished a read at the exact location of an ++ * EOF (special EOL character that's a __DISABLED_CHAR) ++ * in the stream, silently eat the EOF. ++ */ ++static void canon_skip_eof(struct tty_struct *tty) ++{ ++ struct n_tty_data *ldata = tty->disc_data; ++ size_t tail, canon_head; ++ ++ canon_head = smp_load_acquire(&ldata->canon_head); ++ tail = ldata->read_tail; ++ ++ // No data? ++ if (tail == canon_head) ++ return; ++ ++ // See if the tail position is EOF in the circular buffer ++ tail &= (N_TTY_BUF_SIZE - 1); ++ if (!test_bit(tail, ldata->read_flags)) ++ return; ++ if (read_buf(ldata, tail) != __DISABLED_CHAR) ++ return; ++ ++ // Clear the EOL bit, skip the EOF char. ++ clear_bit(tail, ldata->read_flags); ++ smp_store_release(&ldata->read_tail, ldata->read_tail + 1); ++} ++ + /** + * job_control - check job control + * @tty: tty +@@ -2045,7 +2074,14 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file, + */ + if (*cookie) { + if (ldata->icanon && !L_EXTPROC(tty)) { +- if (canon_copy_from_read_buf(tty, &kb, &nr)) ++ /* ++ * If we have filled the user buffer, see ++ * if we should skip an EOF character before ++ * releasing the lock and returning done. ++ */ ++ if (!nr) ++ canon_skip_eof(tty); ++ else if (canon_copy_from_read_buf(tty, &kb, &nr)) + return kb - kbuf; + } else { + if (copy_from_read_buf(tty, &kb, &nr)) +-- +2.35.1 + diff --git a/queue-5.17/tty-serial-fsl_lpuart-fix-potential-bug-when-using-b.patch b/queue-5.17/tty-serial-fsl_lpuart-fix-potential-bug-when-using-b.patch new file mode 100644 index 00000000000..b8d9616c704 --- /dev/null +++ b/queue-5.17/tty-serial-fsl_lpuart-fix-potential-bug-when-using-b.patch @@ -0,0 +1,118 @@ +From 95e67d6eea921a6031d3269df8edb119236b91e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Mar 2022 19:22:11 +0800 +Subject: tty: serial: fsl_lpuart: fix potential bug when using both + of_alias_get_id and ida_simple_get + +From: Sherry Sun + +[ Upstream commit f398e0aa325c61fa20903833a5b534ecb8e6e418 ] + +Now fsl_lpuart driver use both of_alias_get_id() and ida_simple_get() in +.probe(), which has the potential bug. For example, when remove the +lpuart7 alias in dts, of_alias_get_id() will return error, then call +ida_simple_get() to allocate the id 0 for lpuart7, this may confilct +with the lpuart4 which has alias 0. + + aliases { + ... + serial0 = &lpuart4; + serial1 = &lpuart5; + serial2 = &lpuart6; + serial3 = &lpuart7; + } + +So remove the ida_simple_get() in .probe(), return an error directly +when calling of_alias_get_id() fails, which is consistent with other +uart drivers behavior. + +Fixes: 3bc3206e1c0f ("serial: fsl_lpuart: Remove the alias node dependence") +Signed-off-by: Sherry Sun +Link: https://lore.kernel.org/r/20220321112211.8895-1-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/fsl_lpuart.c | 24 ++++-------------------- + 1 file changed, 4 insertions(+), 20 deletions(-) + +diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c +index d32c25bc973b..b1307ef34468 100644 +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -239,8 +239,6 @@ + /* IMX lpuart has four extra unused regs located at the beginning */ + #define IMX_REG_OFF 0x10 + +-static DEFINE_IDA(fsl_lpuart_ida); +- + enum lpuart_type { + VF610_LPUART, + LS1021A_LPUART, +@@ -276,7 +274,6 @@ struct lpuart_port { + int rx_dma_rng_buf_len; + unsigned int dma_tx_nents; + wait_queue_head_t dma_wait; +- bool id_allocated; + }; + + struct lpuart_soc_data { +@@ -2711,23 +2708,18 @@ static int lpuart_probe(struct platform_device *pdev) + + ret = of_alias_get_id(np, "serial"); + if (ret < 0) { +- ret = ida_simple_get(&fsl_lpuart_ida, 0, UART_NR, GFP_KERNEL); +- if (ret < 0) { +- dev_err(&pdev->dev, "port line is full, add device failed\n"); +- return ret; +- } +- sport->id_allocated = true; ++ dev_err(&pdev->dev, "failed to get alias id, errno %d\n", ret); ++ return ret; + } + if (ret >= ARRAY_SIZE(lpuart_ports)) { + dev_err(&pdev->dev, "serial%d out of range\n", ret); +- ret = -EINVAL; +- goto failed_out_of_range; ++ return -EINVAL; + } + sport->port.line = ret; + + ret = lpuart_enable_clks(sport); + if (ret) +- goto failed_clock_enable; ++ return ret; + sport->port.uartclk = lpuart_get_baud_clk_rate(sport); + + lpuart_ports[sport->port.line] = sport; +@@ -2775,10 +2767,6 @@ static int lpuart_probe(struct platform_device *pdev) + uart_remove_one_port(&lpuart_reg, &sport->port); + failed_attach_port: + lpuart_disable_clks(sport); +-failed_clock_enable: +-failed_out_of_range: +- if (sport->id_allocated) +- ida_simple_remove(&fsl_lpuart_ida, sport->port.line); + return ret; + } + +@@ -2788,9 +2776,6 @@ static int lpuart_remove(struct platform_device *pdev) + + uart_remove_one_port(&lpuart_reg, &sport->port); + +- if (sport->id_allocated) +- ida_simple_remove(&fsl_lpuart_ida, sport->port.line); +- + lpuart_disable_clks(sport); + + if (sport->dma_tx_chan) +@@ -2920,7 +2905,6 @@ static int __init lpuart_serial_init(void) + + static void __exit lpuart_serial_exit(void) + { +- ida_destroy(&fsl_lpuart_ida); + platform_driver_unregister(&lpuart_driver); + uart_unregister_driver(&lpuart_reg); + } +-- +2.35.1 + diff --git a/queue-5.17/tty-serial-owl-fix-missing-clk_disable_unprepare-in-.patch b/queue-5.17/tty-serial-owl-fix-missing-clk_disable_unprepare-in-.patch new file mode 100644 index 00000000000..6a9cb5dbc3a --- /dev/null +++ b/queue-5.17/tty-serial-owl-fix-missing-clk_disable_unprepare-in-.patch @@ -0,0 +1,37 @@ +From c7b8895c97bb3b740f855e8f936c08d91f009c55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 10:51:35 +0000 +Subject: tty: serial: owl: Fix missing clk_disable_unprepare() in + owl_uart_probe + +From: Miaoqian Lin + +[ Upstream commit bcea0f547ec1a2ee44d429aaf0334633e386e67c ] + +Fix the missing clk_disable_unprepare() before return +from owl_uart_probe() in the error handling case. + +Fixes: abf42d2f333b ("tty: serial: owl: add "much needed" clk_prepare_enable()") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220307105135.11698-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/owl-uart.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tty/serial/owl-uart.c b/drivers/tty/serial/owl-uart.c +index 91f1eb0058d7..9a6611cfc18e 100644 +--- a/drivers/tty/serial/owl-uart.c ++++ b/drivers/tty/serial/owl-uart.c +@@ -731,6 +731,7 @@ static int owl_uart_probe(struct platform_device *pdev) + owl_port->port.uartclk = clk_get_rate(owl_port->clk); + if (owl_port->port.uartclk == 0) { + dev_err(&pdev->dev, "clock rate is zero\n"); ++ clk_disable_unprepare(owl_port->clk); + return -EINVAL; + } + owl_port->port.flags = UPF_BOOT_AUTOCONF | UPF_IOREMAP | UPF_LOW_LATENCY; +-- +2.35.1 + diff --git a/queue-5.17/ubi-fastmap-fix-high-cpu-usage-of-ubi_bgt-by-making-.patch b/queue-5.17/ubi-fastmap-fix-high-cpu-usage-of-ubi_bgt-by-making-.patch new file mode 100644 index 00000000000..4b5b2621ace --- /dev/null +++ b/queue-5.17/ubi-fastmap-fix-high-cpu-usage-of-ubi_bgt-by-making-.patch @@ -0,0 +1,300 @@ +From 7f1da1147ccc7d01a0bad49cbe7ab4d4d60c6c52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 May 2022 20:31:24 +0800 +Subject: ubi: fastmap: Fix high cpu usage of ubi_bgt by making sure wl_pool + not empty + +From: Zhihao Cheng + +[ Upstream commit d09e9a2bddba6c48e0fddb16c4383172ac593251 ] + +There at least 6 PEBs reserved on UBI device: +1. EBA_RESERVED_PEBS[1] +2. WL_RESERVED_PEBS[1] +3. UBI_LAYOUT_VOLUME_EBS[2] +4. MIN_FASTMAP_RESERVED_PEBS[2] + +When all ubi volumes take all their PEBs, there are 3 (EBA_RESERVED_PEBS + +WL_RESERVED_PEBS + MIN_FASTMAP_RESERVED_PEBS - MIN_FASTMAP_TAKEN_PEBS[1]) +free PEBs. Since commit f9c34bb529975fe ("ubi: Fix producing anchor PEBs") +and commit 4b68bf9a69d22dd ("ubi: Select fastmap anchor PEBs considering +wear level rules") applied, there is only 1 (3 - FASTMAP_ANCHOR_PEBS[1] - +FASTMAP_NEXT_ANCHOR_PEBS[1]) free PEB to fill pool and wl_pool, after +filling pool, wl_pool is always empty. So, UBI could be stuck in an +infinite loop: + + ubi_thread system_wq +wear_leveling_worker <-------------------------------------------------- + get_peb_for_wl | + // fm_wl_pool, used = size = 0 | + schedule_work(&ubi->fm_work) | + | + update_fastmap_work_fn | + ubi_update_fastmap | + ubi_refill_pools | + // ubi->free_count - ubi->beb_rsvd_pebs < 5 | + // wl_pool is not filled with any PEBs | + schedule_erase(old_fm_anchor) | + ubi_ensure_anchor_pebs | + __schedule_ubi_work(wear_leveling_worker) | + | +__erase_worker | + ensure_wear_leveling | + __schedule_ubi_work(wear_leveling_worker) -------------------------- + +, which cause high cpu usage of ubi_bgt: +top - 12:10:42 up 5 min, 2 users, load average: 1.76, 0.68, 0.27 +Tasks: 123 total, 3 running, 54 sleeping, 0 stopped, 0 zombie + + PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND + 1589 root 20 0 0 0 0 R 45.0 0.0 0:38.86 ubi_bgt0d + 319 root 20 0 0 0 0 I 15.2 0.0 0:15.29 kworker/0:3-eve + 371 root 20 0 0 0 0 I 14.9 0.0 0:12.85 kworker/3:3-eve + 20 root 20 0 0 0 0 I 11.3 0.0 0:05.33 kworker/1:0-eve + 202 root 20 0 0 0 0 I 11.3 0.0 0:04.93 kworker/2:3-eve + +In commit 4b68bf9a69d22dd ("ubi: Select fastmap anchor PEBs considering +wear level rules"), there are three key changes: + 1) Choose the fastmap anchor when the most free PEBs are available. + 2) Enable anchor move within the anchor area again as it is useful + for distributing wear. + 3) Import a candidate fm anchor and check this PEB's erase count during + wear leveling. If the wear leveling limit is exceeded, use the used + anchor area PEB with the lowest erase count to replace it. + +The anchor candidate can be removed, we can check fm_anchor PEB's erase +count during wear leveling. Fix it by: + 1) Removing 'fm_next_anchor' and check 'fm_anchor' during wear leveling. + 2) Preferentially filling one free peb into fm_wl_pool in condition of + ubi->free_count > ubi->beb_rsvd_pebs, then try to reserve enough + free count for fastmap non anchor pebs after the above prerequisites + are met. +Then, there are at least 1 PEB in pool and 1 PEB in wl_pool after calling +ubi_refill_pools() with all erase works done. + +Fetch a reproducer in [Link]. + +Fixes: 4b68bf9a69d22dd ("ubi: Select fastmap anchor PEBs ... rules") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215407 +Signed-off-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + drivers/mtd/ubi/fastmap-wl.c | 69 ++++++++++++++++++++++++------------ + drivers/mtd/ubi/fastmap.c | 11 ------ + drivers/mtd/ubi/ubi.h | 4 +-- + drivers/mtd/ubi/wl.c | 19 +++++----- + 4 files changed, 57 insertions(+), 46 deletions(-) + +diff --git a/drivers/mtd/ubi/fastmap-wl.c b/drivers/mtd/ubi/fastmap-wl.c +index 28f55f9cf715..053ab52668e8 100644 +--- a/drivers/mtd/ubi/fastmap-wl.c ++++ b/drivers/mtd/ubi/fastmap-wl.c +@@ -97,6 +97,33 @@ struct ubi_wl_entry *ubi_wl_get_fm_peb(struct ubi_device *ubi, int anchor) + return e; + } + ++/* ++ * has_enough_free_count - whether ubi has enough free pebs to fill fm pools ++ * @ubi: UBI device description object ++ * @is_wl_pool: whether UBI is filling wear leveling pool ++ * ++ * This helper function checks whether there are enough free pebs (deducted ++ * by fastmap pebs) to fill fm_pool and fm_wl_pool, above rule works after ++ * there is at least one of free pebs is filled into fm_wl_pool. ++ * For wear leveling pool, UBI should also reserve free pebs for bad pebs ++ * handling, because there maybe no enough free pebs for user volumes after ++ * producing new bad pebs. ++ */ ++static bool has_enough_free_count(struct ubi_device *ubi, bool is_wl_pool) ++{ ++ int fm_used = 0; // fastmap non anchor pebs. ++ int beb_rsvd_pebs; ++ ++ if (!ubi->free.rb_node) ++ return false; ++ ++ beb_rsvd_pebs = is_wl_pool ? ubi->beb_rsvd_pebs : 0; ++ if (ubi->fm_wl_pool.size > 0 && !(ubi->ro_mode || ubi->fm_disabled)) ++ fm_used = ubi->fm_size / ubi->leb_size - 1; ++ ++ return ubi->free_count - beb_rsvd_pebs > fm_used; ++} ++ + /** + * ubi_refill_pools - refills all fastmap PEB pools. + * @ubi: UBI device description object +@@ -120,21 +147,17 @@ void ubi_refill_pools(struct ubi_device *ubi) + wl_tree_add(ubi->fm_anchor, &ubi->free); + ubi->free_count++; + } +- if (ubi->fm_next_anchor) { +- wl_tree_add(ubi->fm_next_anchor, &ubi->free); +- ubi->free_count++; +- } + +- /* All available PEBs are in ubi->free, now is the time to get ++ /* ++ * All available PEBs are in ubi->free, now is the time to get + * the best anchor PEBs. + */ + ubi->fm_anchor = ubi_wl_get_fm_peb(ubi, 1); +- ubi->fm_next_anchor = ubi_wl_get_fm_peb(ubi, 1); + + for (;;) { + enough = 0; + if (pool->size < pool->max_size) { +- if (!ubi->free.rb_node) ++ if (!has_enough_free_count(ubi, false)) + break; + + e = wl_get_wle(ubi); +@@ -147,8 +170,7 @@ void ubi_refill_pools(struct ubi_device *ubi) + enough++; + + if (wl_pool->size < wl_pool->max_size) { +- if (!ubi->free.rb_node || +- (ubi->free_count - ubi->beb_rsvd_pebs < 5)) ++ if (!has_enough_free_count(ubi, true)) + break; + + e = find_wl_entry(ubi, &ubi->free, WL_FREE_MAX_DIFF); +@@ -286,20 +308,26 @@ static struct ubi_wl_entry *get_peb_for_wl(struct ubi_device *ubi) + int ubi_ensure_anchor_pebs(struct ubi_device *ubi) + { + struct ubi_work *wrk; ++ struct ubi_wl_entry *anchor; + + spin_lock(&ubi->wl_lock); + +- /* Do we have a next anchor? */ +- if (!ubi->fm_next_anchor) { +- ubi->fm_next_anchor = ubi_wl_get_fm_peb(ubi, 1); +- if (!ubi->fm_next_anchor) +- /* Tell wear leveling to produce a new anchor PEB */ +- ubi->fm_do_produce_anchor = 1; ++ /* Do we already have an anchor? */ ++ if (ubi->fm_anchor) { ++ spin_unlock(&ubi->wl_lock); ++ return 0; + } + +- /* Do wear leveling to get a new anchor PEB or check the +- * existing next anchor candidate. +- */ ++ /* See if we can find an anchor PEB on the list of free PEBs */ ++ anchor = ubi_wl_get_fm_peb(ubi, 1); ++ if (anchor) { ++ ubi->fm_anchor = anchor; ++ spin_unlock(&ubi->wl_lock); ++ return 0; ++ } ++ ++ ubi->fm_do_produce_anchor = 1; ++ /* No luck, trigger wear leveling to produce a new anchor PEB. */ + if (ubi->wl_scheduled) { + spin_unlock(&ubi->wl_lock); + return 0; +@@ -381,11 +409,6 @@ static void ubi_fastmap_close(struct ubi_device *ubi) + ubi->fm_anchor = NULL; + } + +- if (ubi->fm_next_anchor) { +- return_unused_peb(ubi, ubi->fm_next_anchor); +- ubi->fm_next_anchor = NULL; +- } +- + if (ubi->fm) { + for (i = 0; i < ubi->fm->used_blocks; i++) + kfree(ubi->fm->e[i]); +diff --git a/drivers/mtd/ubi/fastmap.c b/drivers/mtd/ubi/fastmap.c +index 6b5f1ffd961b..6e95c4b1473e 100644 +--- a/drivers/mtd/ubi/fastmap.c ++++ b/drivers/mtd/ubi/fastmap.c +@@ -1230,17 +1230,6 @@ static int ubi_write_fastmap(struct ubi_device *ubi, + fm_pos += sizeof(*fec); + ubi_assert(fm_pos <= ubi->fm_size); + } +- if (ubi->fm_next_anchor) { +- fec = (struct ubi_fm_ec *)(fm_raw + fm_pos); +- +- fec->pnum = cpu_to_be32(ubi->fm_next_anchor->pnum); +- set_seen(ubi, ubi->fm_next_anchor->pnum, seen_pebs); +- fec->ec = cpu_to_be32(ubi->fm_next_anchor->ec); +- +- free_peb_count++; +- fm_pos += sizeof(*fec); +- ubi_assert(fm_pos <= ubi->fm_size); +- } + fmh->free_peb_count = cpu_to_be32(free_peb_count); + + ubi_for_each_used_peb(ubi, wl_e, tmp_rb) { +diff --git a/drivers/mtd/ubi/ubi.h b/drivers/mtd/ubi/ubi.h +index 7c083ad58274..078112e23dfd 100644 +--- a/drivers/mtd/ubi/ubi.h ++++ b/drivers/mtd/ubi/ubi.h +@@ -489,8 +489,7 @@ struct ubi_debug_info { + * @fm_work: fastmap work queue + * @fm_work_scheduled: non-zero if fastmap work was scheduled + * @fast_attach: non-zero if UBI was attached by fastmap +- * @fm_anchor: The new anchor PEB used during fastmap update +- * @fm_next_anchor: An anchor PEB candidate for the next time fastmap is updated ++ * @fm_anchor: The next anchor PEB to use for fastmap + * @fm_do_produce_anchor: If true produce an anchor PEB in wl + * + * @used: RB-tree of used physical eraseblocks +@@ -601,7 +600,6 @@ struct ubi_device { + int fm_work_scheduled; + int fast_attach; + struct ubi_wl_entry *fm_anchor; +- struct ubi_wl_entry *fm_next_anchor; + int fm_do_produce_anchor; + + /* Wear-leveling sub-system's stuff */ +diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c +index 8455f1d47f3c..afcdacb9d0e9 100644 +--- a/drivers/mtd/ubi/wl.c ++++ b/drivers/mtd/ubi/wl.c +@@ -689,16 +689,16 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk, + + #ifdef CONFIG_MTD_UBI_FASTMAP + e1 = find_anchor_wl_entry(&ubi->used); +- if (e1 && ubi->fm_next_anchor && +- (ubi->fm_next_anchor->ec - e1->ec >= UBI_WL_THRESHOLD)) { ++ if (e1 && ubi->fm_anchor && ++ (ubi->fm_anchor->ec - e1->ec >= UBI_WL_THRESHOLD)) { + ubi->fm_do_produce_anchor = 1; +- /* fm_next_anchor is no longer considered a good anchor +- * candidate. ++ /* ++ * fm_anchor is no longer considered a good anchor. + * NULL assignment also prevents multiple wear level checks + * of this PEB. + */ +- wl_tree_add(ubi->fm_next_anchor, &ubi->free); +- ubi->fm_next_anchor = NULL; ++ wl_tree_add(ubi->fm_anchor, &ubi->free); ++ ubi->fm_anchor = NULL; + ubi->free_count++; + } + +@@ -1085,12 +1085,13 @@ static int __erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk) + if (!err) { + spin_lock(&ubi->wl_lock); + +- if (!ubi->fm_disabled && !ubi->fm_next_anchor && ++ if (!ubi->fm_disabled && !ubi->fm_anchor && + e->pnum < UBI_FM_MAX_START) { +- /* Abort anchor production, if needed it will be ++ /* ++ * Abort anchor production, if needed it will be + * enabled again in the wear leveling started below. + */ +- ubi->fm_next_anchor = e; ++ ubi->fm_anchor = e; + ubi->fm_do_produce_anchor = 0; + } else { + wl_tree_add(e, &ubi->free); +-- +2.35.1 + diff --git a/queue-5.17/ubi-ubi_create_volume-fix-use-after-free-when-volume.patch b/queue-5.17/ubi-ubi_create_volume-fix-use-after-free-when-volume.patch new file mode 100644 index 00000000000..c3cf38b7ae6 --- /dev/null +++ b/queue-5.17/ubi-ubi_create_volume-fix-use-after-free-when-volume.patch @@ -0,0 +1,49 @@ +From ed1250aeea3775b1c1f1b74b961229340d58c83e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 May 2022 20:31:26 +0800 +Subject: ubi: ubi_create_volume: Fix use-after-free when volume creation + failed + +From: Zhihao Cheng + +[ Upstream commit 8c03a1c21d72210f81cb369cc528e3fde4b45411 ] + +There is an use-after-free problem for 'eba_tbl' in ubi_create_volume()'s +error handling path: + + ubi_eba_replace_table(vol, eba_tbl) + vol->eba_tbl = tbl +out_mapping: + ubi_eba_destroy_table(eba_tbl) // Free 'eba_tbl' +out_unlock: + put_device(&vol->dev) + vol_release + kfree(tbl->entries) // UAF + +Fix it by removing redundant 'eba_tbl' releasing. +Fetch a reproducer in [Link]. + +Fixes: 493cfaeaa0c9b ("mtd: utilize new cdev_device_add helper function") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215965 +Signed-off-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + drivers/mtd/ubi/vmt.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c +index 1bc7b3a05604..6ea95ade4ca6 100644 +--- a/drivers/mtd/ubi/vmt.c ++++ b/drivers/mtd/ubi/vmt.c +@@ -309,7 +309,6 @@ int ubi_create_volume(struct ubi_device *ubi, struct ubi_mkvol_req *req) + ubi->volumes[vol_id] = NULL; + ubi->vol_count -= 1; + spin_unlock(&ubi->volumes_lock); +- ubi_eba_destroy_table(eba_tbl); + out_acc: + spin_lock(&ubi->volumes_lock); + ubi->rsvd_pebs -= vol->reserved_pebs; +-- +2.35.1 + diff --git a/queue-5.17/usb-dwc3-gadget-replace-list_for_each_entry_safe-if-.patch b/queue-5.17/usb-dwc3-gadget-replace-list_for_each_entry_safe-if-.patch new file mode 100644 index 00000000000..2afb10740b0 --- /dev/null +++ b/queue-5.17/usb-dwc3-gadget-replace-list_for_each_entry_safe-if-.patch @@ -0,0 +1,116 @@ +From be7c3cfa076ac1aa7c67821ef77b89d165ba323e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Apr 2022 11:35:21 -0700 +Subject: usb: dwc3: gadget: Replace list_for_each_entry_safe() if using + giveback + +From: Wesley Cheng + +[ Upstream commit bf594d1d0c1d7b895954018043536ffd327844f9 ] + +The list_for_each_entry_safe() macro saves the current item (n) and +the item after (n+1), so that n can be safely removed without +corrupting the list. However, when traversing the list and removing +items using gadget giveback, the DWC3 lock is briefly released, +allowing other routines to execute. There is a situation where, while +items are being removed from the cancelled_list using +dwc3_gadget_ep_cleanup_cancelled_requests(), the pullup disable +routine is running in parallel (due to UDC unbind). As the cleanup +routine removes n, and the pullup disable removes n+1, once the +cleanup retakes the DWC3 lock, it references a request who was already +removed/handled. With list debug enabled, this leads to a panic. +Ensure all instances of the macro are replaced where gadget giveback +is used. + +Example call stack: + +Thread#1: +__dwc3_gadget_ep_set_halt() - CLEAR HALT + -> dwc3_gadget_ep_cleanup_cancelled_requests() + ->list_for_each_entry_safe() + ->dwc3_gadget_giveback(n) + ->dwc3_gadget_del_and_unmap_request()- n deleted[cancelled_list] + ->spin_unlock + ->Thread#2 executes + ... + ->dwc3_gadget_giveback(n+1) + ->Already removed! + +Thread#2: +dwc3_gadget_pullup() + ->waiting for dwc3 spin_lock + ... + ->Thread#1 released lock + ->dwc3_stop_active_transfers() + ->dwc3_remove_requests() + ->fetches n+1 item from cancelled_list (n removed by Thread#1) + ->dwc3_gadget_giveback() + ->dwc3_gadget_del_and_unmap_request()- n+1 deleted[cancelled_list] + ->spin_unlock + +Fixes: d4f1afe5e896 ("usb: dwc3: gadget: move requests to cancelled_list") +Signed-off-by: Wesley Cheng +Link: https://lore.kernel.org/r/20220414183521.23451-1-quic_wcheng@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 78ec6af79c7f..5c1ae0d0ed47 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1978,10 +1978,10 @@ static void dwc3_gadget_ep_skip_trbs(struct dwc3_ep *dep, struct dwc3_request *r + static void dwc3_gadget_ep_cleanup_cancelled_requests(struct dwc3_ep *dep) + { + struct dwc3_request *req; +- struct dwc3_request *tmp; + struct dwc3 *dwc = dep->dwc; + +- list_for_each_entry_safe(req, tmp, &dep->cancelled_list, list) { ++ while (!list_empty(&dep->cancelled_list)) { ++ req = next_request(&dep->cancelled_list); + dwc3_gadget_ep_skip_trbs(dep, req); + switch (req->status) { + case DWC3_REQUEST_STATUS_DISCONNECTED: +@@ -1998,6 +1998,12 @@ static void dwc3_gadget_ep_cleanup_cancelled_requests(struct dwc3_ep *dep) + dwc3_gadget_giveback(dep, req, -ECONNRESET); + break; + } ++ /* ++ * The endpoint is disabled, let the dwc3_remove_requests() ++ * handle the cleanup. ++ */ ++ if (!dep->endpoint.desc) ++ break; + } + } + +@@ -3288,15 +3294,21 @@ static void dwc3_gadget_ep_cleanup_completed_requests(struct dwc3_ep *dep, + const struct dwc3_event_depevt *event, int status) + { + struct dwc3_request *req; +- struct dwc3_request *tmp; + +- list_for_each_entry_safe(req, tmp, &dep->started_list, list) { ++ while (!list_empty(&dep->started_list)) { + int ret; + ++ req = next_request(&dep->started_list); + ret = dwc3_gadget_ep_cleanup_completed_request(dep, event, + req, status); + if (ret) + break; ++ /* ++ * The endpoint is disabled, let the dwc3_remove_requests() ++ * handle the cleanup. ++ */ ++ if (!dep->endpoint.desc) ++ break; + } + } + +-- +2.35.1 + diff --git a/queue-5.17/usb-dwc3-pci-fix-pm_runtime_get_sync-error-checking.patch b/queue-5.17/usb-dwc3-pci-fix-pm_runtime_get_sync-error-checking.patch new file mode 100644 index 00000000000..439c48daf79 --- /dev/null +++ b/queue-5.17/usb-dwc3-pci-fix-pm_runtime_get_sync-error-checking.patch @@ -0,0 +1,38 @@ +From c0f47c9a643306b3d9763199f04919d24ef43000 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Apr 2022 06:26:52 +0000 +Subject: usb: dwc3: pci: Fix pm_runtime_get_sync() error checking + +From: Zheng Yongjun + +[ Upstream commit a03e2ddab8e735e2cc315609b297b300e9cc60d2 ] + +If the device is already in a runtime PM enabled state +pm_runtime_get_sync() will return 1, so a test for negative +value should be used to check for errors. + +Fixes: 8eed00b237a28 ("usb: dwc3: pci: Runtime resume child device from wq") +Signed-off-by: Zheng Yongjun +Link: https://lore.kernel.org/r/20220422062652.10575-1-zhengyongjun3@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c +index f08b2178fd32..9c8887615701 100644 +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -256,7 +256,7 @@ static void dwc3_pci_resume_work(struct work_struct *work) + int ret; + + ret = pm_runtime_get_sync(&dwc3->dev); +- if (ret) { ++ if (ret < 0) { + pm_runtime_put_sync_autosuspend(&dwc3->dev); + return; + } +-- +2.35.1 + diff --git a/queue-5.17/usb-musb-fix-missing-of_node_put-in-omap2430_probe.patch b/queue-5.17/usb-musb-fix-missing-of_node_put-in-omap2430_probe.patch new file mode 100644 index 00000000000..4f97f1d82b1 --- /dev/null +++ b/queue-5.17/usb-musb-fix-missing-of_node_put-in-omap2430_probe.patch @@ -0,0 +1,36 @@ +From 973cece0f5728125566f90c7a40c6bf95582c416 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Mar 2022 11:10:33 +0000 +Subject: usb: musb: Fix missing of_node_put() in omap2430_probe + +From: Miaoqian Lin + +[ Upstream commit 424bef51fa530389b0b9008c9e144e40c10e8458 ] + +The device_node pointer is returned by of_parse_phandle() with refcount +incremented. We should use of_node_put() on it when done. + +Fixes: 8934d3e4d0e7 ("usb: musb: omap2430: Don't use omap_get_control_dev()") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220309111033.24487-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/musb/omap2430.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/musb/omap2430.c b/drivers/usb/musb/omap2430.c +index d2b7e613eb34..f571a65ae6ee 100644 +--- a/drivers/usb/musb/omap2430.c ++++ b/drivers/usb/musb/omap2430.c +@@ -362,6 +362,7 @@ static int omap2430_probe(struct platform_device *pdev) + control_node = of_parse_phandle(np, "ctrl-module", 0); + if (control_node) { + control_pdev = of_find_device_by_node(control_node); ++ of_node_put(control_node); + if (!control_pdev) { + dev_err(&pdev->dev, "Failed to get control device\n"); + ret = -EINVAL; +-- +2.35.1 + diff --git a/queue-5.17/usb-storage-karma-fix-rio_karma_init-return.patch b/queue-5.17/usb-storage-karma-fix-rio_karma_init-return.patch new file mode 100644 index 00000000000..9b1c207e388 --- /dev/null +++ b/queue-5.17/usb-storage-karma-fix-rio_karma_init-return.patch @@ -0,0 +1,64 @@ +From 2bc14db8454b915a20efb8ab99a5a6ecc92e0405 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 22:43:59 +0800 +Subject: USB: storage: karma: fix rio_karma_init return + +From: Lin Ma + +[ Upstream commit b92ffb1eddd9a66a90defc556dcbf65a43c196c7 ] + +The function rio_karam_init() should return -ENOMEM instead of +value 0 (USB_STOR_TRANSPORT_GOOD) when allocation fails. + +Similarly, it should return -EIO when rio_karma_send_command() fails. + +Fixes: dfe0d3ba20e8 ("USB Storage: add rio karma eject support") +Acked-by: Alan Stern +Signed-off-by: Lin Ma +Link: https://lore.kernel.org/r/20220412144359.28447-1-linma@zju.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/storage/karma.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/usb/storage/karma.c b/drivers/usb/storage/karma.c +index 05cec81dcd3f..38ddfedef629 100644 +--- a/drivers/usb/storage/karma.c ++++ b/drivers/usb/storage/karma.c +@@ -174,24 +174,25 @@ static void rio_karma_destructor(void *extra) + + static int rio_karma_init(struct us_data *us) + { +- int ret = 0; + struct karma_data *data = kzalloc(sizeof(struct karma_data), GFP_NOIO); + + if (!data) +- goto out; ++ return -ENOMEM; + + data->recv = kmalloc(RIO_RECV_LEN, GFP_NOIO); + if (!data->recv) { + kfree(data); +- goto out; ++ return -ENOMEM; + } + + us->extra = data; + us->extra_destructor = rio_karma_destructor; +- ret = rio_karma_send_command(RIO_ENTER_STORAGE, us); +- data->in_storage = (ret == 0); +-out: +- return ret; ++ if (rio_karma_send_command(RIO_ENTER_STORAGE, us)) ++ return -EIO; ++ ++ data->in_storage = 1; ++ ++ return 0; + } + + static struct scsi_host_template karma_host_template; +-- +2.35.1 + diff --git a/queue-5.17/usb-typec-mux-check-dev_set_name-return-value.patch b/queue-5.17/usb-typec-mux-check-dev_set_name-return-value.patch new file mode 100644 index 00000000000..b52d24afc82 --- /dev/null +++ b/queue-5.17/usb-typec-mux-check-dev_set_name-return-value.patch @@ -0,0 +1,58 @@ +From b91ac2ba699b1d0118e481f31902d6d8b4c4a109 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Apr 2022 15:23:47 -0700 +Subject: usb: typec: mux: Check dev_set_name() return value + +From: Bjorn Andersson + +[ Upstream commit b9fa0292490db39d6542f514117333d366ec0011 ] + +It's possible that dev_set_name() returns -ENOMEM, catch and handle this. + +Fixes: 3370db35193b ("usb: typec: Registering real device entries for the muxes") +Reported-by: Andy Shevchenko +Reviewed-by: Andy Shevchenko +Acked-by: Heikki Krogerus +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220422222351.1297276-4-bjorn.andersson@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/mux.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/typec/mux.c b/drivers/usb/typec/mux.c +index c8340de0ed49..d2aaf294b649 100644 +--- a/drivers/usb/typec/mux.c ++++ b/drivers/usb/typec/mux.c +@@ -131,8 +131,11 @@ typec_switch_register(struct device *parent, + sw->dev.class = &typec_mux_class; + sw->dev.type = &typec_switch_dev_type; + sw->dev.driver_data = desc->drvdata; +- dev_set_name(&sw->dev, "%s-switch", +- desc->name ? desc->name : dev_name(parent)); ++ ret = dev_set_name(&sw->dev, "%s-switch", desc->name ? desc->name : dev_name(parent)); ++ if (ret) { ++ put_device(&sw->dev); ++ return ERR_PTR(ret); ++ } + + ret = device_add(&sw->dev); + if (ret) { +@@ -338,8 +341,11 @@ typec_mux_register(struct device *parent, const struct typec_mux_desc *desc) + mux->dev.class = &typec_mux_class; + mux->dev.type = &typec_mux_dev_type; + mux->dev.driver_data = desc->drvdata; +- dev_set_name(&mux->dev, "%s-mux", +- desc->name ? desc->name : dev_name(parent)); ++ ret = dev_set_name(&mux->dev, "%s-mux", desc->name ? desc->name : dev_name(parent)); ++ if (ret) { ++ put_device(&mux->dev); ++ return ERR_PTR(ret); ++ } + + ret = device_add(&mux->dev); + if (ret) { +-- +2.35.1 + diff --git a/queue-5.17/usb-usbip-add-missing-device-lock-on-tweak-configura.patch b/queue-5.17/usb-usbip-add-missing-device-lock-on-tweak-configura.patch new file mode 100644 index 00000000000..1468c4b990e --- /dev/null +++ b/queue-5.17/usb-usbip-add-missing-device-lock-on-tweak-configura.patch @@ -0,0 +1,49 @@ +From 405e4c2e0ae613866c1719e56d6b11fb483d3009 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 18:50:55 +0200 +Subject: usb: usbip: add missing device lock on tweak configuration cmd + +From: Niels Dossche + +[ Upstream commit d088fabace2ca337b275d1d4b36db4fe7771e44f ] + +The function documentation of usb_set_configuration says that its +callers should hold the device lock. This lock is held for all +callsites except tweak_set_configuration_cmd. The code path can be +executed for example when attaching a remote USB device. +The solution is to surround the call by the device lock. + +This bug was found using my experimental own-developed static analysis +tool, which reported the missing lock on v5.17.2. I manually verified +this bug report by doing code review as well. I runtime checked that +the required lock is not held. I compiled and runtime tested this on +x86_64 with a USB mouse. After applying this patch, my analyser no +longer reports this potential bug. + +Fixes: 2c8c98158946 ("staging: usbip: let client choose device configuration") +Reviewed-by: Shuah Khan +Signed-off-by: Niels Dossche +Link: https://lore.kernel.org/r/20220412165055.257113-1-dossche.niels@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/usbip/stub_rx.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c +index 325c22008e53..5dd41e8215e0 100644 +--- a/drivers/usb/usbip/stub_rx.c ++++ b/drivers/usb/usbip/stub_rx.c +@@ -138,7 +138,9 @@ static int tweak_set_configuration_cmd(struct urb *urb) + req = (struct usb_ctrlrequest *) urb->setup_packet; + config = le16_to_cpu(req->wValue); + ++ usb_lock_device(sdev->udev); + err = usb_set_configuration(sdev->udev, config); ++ usb_unlock_device(sdev->udev); + if (err && err != -ENODEV) + dev_err(&sdev->udev->dev, "can't set config #%d, error %d\n", + config, err); +-- +2.35.1 + diff --git a/queue-5.17/usb-usbip-fix-a-refcount-leak-in-stub_probe.patch b/queue-5.17/usb-usbip-fix-a-refcount-leak-in-stub_probe.patch new file mode 100644 index 00000000000..fc017b18dd2 --- /dev/null +++ b/queue-5.17/usb-usbip-fix-a-refcount-leak-in-stub_probe.patch @@ -0,0 +1,49 @@ +From 2e03c968910d85a73579baee4526bf45fb606c61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 10:02:57 +0800 +Subject: usb: usbip: fix a refcount leak in stub_probe() + +From: Hangyu Hua + +[ Upstream commit 9ec4cbf1cc55d126759051acfe328d489c5d6e60 ] + +usb_get_dev() is called in stub_device_alloc(). When stub_probe() fails +after that, usb_put_dev() needs to be called to release the reference. + +Fix this by moving usb_put_dev() to sdev_free error path handling. + +Find this by code review. + +Fixes: 3ff67445750a ("usbip: fix error handling in stub_probe()") +Reviewed-by: Shuah Khan +Signed-off-by: Hangyu Hua +Link: https://lore.kernel.org/r/20220412020257.9767-1-hbh25y@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/usbip/stub_dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c +index d8d3892e5a69..3c6d452e3bf4 100644 +--- a/drivers/usb/usbip/stub_dev.c ++++ b/drivers/usb/usbip/stub_dev.c +@@ -393,7 +393,6 @@ static int stub_probe(struct usb_device *udev) + + err_port: + dev_set_drvdata(&udev->dev, NULL); +- usb_put_dev(udev); + + /* we already have busid_priv, just lock busid_lock */ + spin_lock(&busid_priv->busid_lock); +@@ -408,6 +407,7 @@ static int stub_probe(struct usb_device *udev) + put_busid_priv(busid_priv); + + sdev_free: ++ usb_put_dev(udev); + stub_device_free(sdev); + + return rc; +-- +2.35.1 + diff --git a/queue-5.17/vdpa-fix-error-logic-in-vdpa_nl_cmd_dev_get_doit.patch b/queue-5.17/vdpa-fix-error-logic-in-vdpa_nl_cmd_dev_get_doit.patch new file mode 100644 index 00000000000..291f0ac94f9 --- /dev/null +++ b/queue-5.17/vdpa-fix-error-logic-in-vdpa_nl_cmd_dev_get_doit.patch @@ -0,0 +1,56 @@ +From a759ee9c5da304d16d33193b6567339a9c02907d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 16:37:59 +0300 +Subject: vdpa: Fix error logic in vdpa_nl_cmd_dev_get_doit + +From: Eli Cohen + +[ Upstream commit 7a6691f1f89784f775fa0c54be57533445726068 ] + +In vdpa_nl_cmd_dev_get_doit(), if the call to genlmsg_reply() fails we +must not call nlmsg_free() since this is done inside genlmsg_reply(). + +Fix it. + +Fixes: bc0d90ee021f ("vdpa: Enable user to query vdpa device info") +Reviewed-by: Si-Wei Liu +Acked-by: Jason Wang +Signed-off-by: Eli Cohen +Message-Id: <20220518133804.1075129-2-elic@nvidia.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vdpa/vdpa.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c +index 1ea525433a5c..4e7351110e43 100644 +--- a/drivers/vdpa/vdpa.c ++++ b/drivers/vdpa/vdpa.c +@@ -756,14 +756,19 @@ static int vdpa_nl_cmd_dev_get_doit(struct sk_buff *skb, struct genl_info *info) + goto mdev_err; + } + err = vdpa_dev_fill(vdev, msg, info->snd_portid, info->snd_seq, 0, info->extack); +- if (!err) +- err = genlmsg_reply(msg, info); ++ if (err) ++ goto mdev_err; ++ ++ err = genlmsg_reply(msg, info); ++ put_device(dev); ++ mutex_unlock(&vdpa_dev_mutex); ++ return err; ++ + mdev_err: + put_device(dev); + err: + mutex_unlock(&vdpa_dev_mutex); +- if (err) +- nlmsg_free(msg); ++ nlmsg_free(msg); + return err; + } + +-- +2.35.1 + diff --git a/queue-5.17/vdpa-ifcvf-set-pci-driver-data-in-probe.patch b/queue-5.17/vdpa-ifcvf-set-pci-driver-data-in-probe.patch new file mode 100644 index 00000000000..e4e4620655e --- /dev/null +++ b/queue-5.17/vdpa-ifcvf-set-pci-driver-data-in-probe.patch @@ -0,0 +1,47 @@ +From 2bcc6d223d965a0f205f84e221ffc6d21fdb23f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 May 2022 13:55:57 +0800 +Subject: vdpa: ifcvf: set pci driver data in probe + +From: Jason Wang + +[ Upstream commit bd8bb9aed56b1814784a975e2dfea12a9adcee92 ] + +We should set the pci driver data in probe instead of the vdpa device +adding callback. Otherwise if no vDPA device is created we will lose +the pointer to the management device. + +Fixes: 6b5df347c6482 ("vDPA/ifcvf: implement management netlink framework for ifcvf") +Tested-by: Zheyu Ma +Signed-off-by: Jason Wang +Message-Id: <20220524055557.1938-1-jasowang@redhat.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vdpa/ifcvf/ifcvf_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/vdpa/ifcvf/ifcvf_main.c b/drivers/vdpa/ifcvf/ifcvf_main.c +index d1a6b5ab543c..474c6120c955 100644 +--- a/drivers/vdpa/ifcvf/ifcvf_main.c ++++ b/drivers/vdpa/ifcvf/ifcvf_main.c +@@ -514,7 +514,6 @@ static int ifcvf_vdpa_dev_add(struct vdpa_mgmt_dev *mdev, const char *name, + } + + ifcvf_mgmt_dev->adapter = adapter; +- pci_set_drvdata(pdev, ifcvf_mgmt_dev); + + vf = &adapter->vf; + vf->dev_type = get_dev_type(pdev); +@@ -629,6 +628,8 @@ static int ifcvf_probe(struct pci_dev *pdev, const struct pci_device_id *id) + goto err; + } + ++ pci_set_drvdata(pdev, ifcvf_mgmt_dev); ++ + return 0; + + err: +-- +2.35.1 + diff --git a/queue-5.17/virtio-pci-fix-an-error-handling-path-in-vp_modern_p.patch b/queue-5.17/virtio-pci-fix-an-error-handling-path-in-vp_modern_p.patch new file mode 100644 index 00000000000..ab328a89d05 --- /dev/null +++ b/queue-5.17/virtio-pci-fix-an-error-handling-path-in-vp_modern_p.patch @@ -0,0 +1,37 @@ +From 3328ddfbbbf45dbaf66138a9c5b5d1f5300eb7e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Apr 2022 11:11:14 +0200 +Subject: virtio: pci: Fix an error handling path in vp_modern_probe() + +From: Christophe JAILLET + +[ Upstream commit 7a836a2aba09479c8e71fa43249eecc4af945f61 ] + +If an error occurs after a successful pci_request_selected_regions() call, +it should be undone by a corresponding pci_release_selected_regions() call, +as already done in vp_modern_remove(). + +Fixes: fd502729fbbf ("virtio-pci: introduce modern device module") +Signed-off-by: Christophe JAILLET +Message-Id: <237109725aad2c3c03d14549f777b1927c84b045.1648977064.git.christophe.jaillet@wanadoo.fr> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/virtio/virtio_pci_modern_dev.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/virtio/virtio_pci_modern_dev.c b/drivers/virtio/virtio_pci_modern_dev.c +index e8b3ff2b9fbc..6f6187fe8893 100644 +--- a/drivers/virtio/virtio_pci_modern_dev.c ++++ b/drivers/virtio/virtio_pci_modern_dev.c +@@ -340,6 +340,7 @@ int vp_modern_probe(struct virtio_pci_modern_device *mdev) + err_map_isr: + pci_iounmap(pci_dev, mdev->common); + err_map_common: ++ pci_release_selected_regions(pci_dev, mdev->modern_bars); + return err; + } + EXPORT_SYMBOL_GPL(vp_modern_probe); +-- +2.35.1 + diff --git a/queue-5.17/watchdog-rti-wdt-fix-pm_runtime_get_sync-error-check.patch b/queue-5.17/watchdog-rti-wdt-fix-pm_runtime_get_sync-error-check.patch new file mode 100644 index 00000000000..762aee5db29 --- /dev/null +++ b/queue-5.17/watchdog-rti-wdt-fix-pm_runtime_get_sync-error-check.patch @@ -0,0 +1,40 @@ +From c41dce49d45738160fcbd878d63db330301f2a6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 07:08:23 +0000 +Subject: watchdog: rti-wdt: Fix pm_runtime_get_sync() error checking + +From: Miaoqian Lin + +[ Upstream commit b3ac0c58fa8934926360268f3d89ec7680644d7b ] + +If the device is already in a runtime PM enabled state +pm_runtime_get_sync() will return 1, so a test for negative +value should be used to check for errors. + +Fixes: 2d63908bdbfb ("watchdog: Add K3 RTI watchdog support") +Signed-off-by: Miaoqian Lin +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20220412070824.23708-1-linmq006@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/rti_wdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/watchdog/rti_wdt.c b/drivers/watchdog/rti_wdt.c +index db843f825860..00ebeffc674f 100644 +--- a/drivers/watchdog/rti_wdt.c ++++ b/drivers/watchdog/rti_wdt.c +@@ -226,7 +226,7 @@ static int rti_wdt_probe(struct platform_device *pdev) + + pm_runtime_enable(dev); + ret = pm_runtime_get_sync(dev); +- if (ret) { ++ if (ret < 0) { + pm_runtime_put_noidle(dev); + pm_runtime_disable(&pdev->dev); + return dev_err_probe(dev, ret, "runtime pm failed\n"); +-- +2.35.1 + diff --git a/queue-5.17/watchdog-rzg2l_wdt-fix-32bit-overflow-issue.patch b/queue-5.17/watchdog-rzg2l_wdt-fix-32bit-overflow-issue.patch new file mode 100644 index 00000000000..74e91b62611 --- /dev/null +++ b/queue-5.17/watchdog-rzg2l_wdt-fix-32bit-overflow-issue.patch @@ -0,0 +1,47 @@ +From d53996f82f03787eba89f37aaa95e694d507879c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Feb 2022 17:53:14 +0000 +Subject: watchdog: rzg2l_wdt: Fix 32bit overflow issue + +From: Biju Das + +[ Upstream commit ea2949df22a533cdf75e4583c00b1ce94cd5a83b ] + +The value of timer_cycle_us can be 0 due to 32bit overflow. +For eg:- If we assign the counter value "0xfff" for computing +maxval. + +This patch fixes this issue by appending ULL to 1024, so that +it is promoted to 64bit. + +This patch also fixes the warning message, 'watchdog: Invalid min and +max timeout values, resetting to 0!'. + +Fixes: 2cbc5cd0b55fa2 ("watchdog: Add Watchdog Timer driver for RZ/G2L") +Signed-off-by: Biju Das +Reviewed-by: Guenter Roeck +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20220225175320.11041-2-biju.das.jz@bp.renesas.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/rzg2l_wdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/watchdog/rzg2l_wdt.c b/drivers/watchdog/rzg2l_wdt.c +index 6b426df34fd6..96f2a018ab62 100644 +--- a/drivers/watchdog/rzg2l_wdt.c ++++ b/drivers/watchdog/rzg2l_wdt.c +@@ -53,7 +53,7 @@ static void rzg2l_wdt_wait_delay(struct rzg2l_wdt_priv *priv) + + static u32 rzg2l_wdt_get_cycle_usec(unsigned long cycle, u32 wdttime) + { +- u64 timer_cycle_us = 1024 * 1024 * (wdttime + 1) * MICRO; ++ u64 timer_cycle_us = 1024 * 1024ULL * (wdttime + 1) * MICRO; + + return div64_ul(timer_cycle_us, cycle); + } +-- +2.35.1 + diff --git a/queue-5.17/watchdog-rzg2l_wdt-fix-bug-invalid-wait-context.patch b/queue-5.17/watchdog-rzg2l_wdt-fix-bug-invalid-wait-context.patch new file mode 100644 index 00000000000..1f3a10d7c86 --- /dev/null +++ b/queue-5.17/watchdog-rzg2l_wdt-fix-bug-invalid-wait-context.patch @@ -0,0 +1,134 @@ +From a3d9eaaa8bcb55f881762da77acdbcae06789aec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Feb 2022 17:53:16 +0000 +Subject: watchdog: rzg2l_wdt: Fix 'BUG: Invalid wait context' + +From: Biju Das + +[ Upstream commit e4cf89596c1f1e33309556699f910ced4abbaf44 ] + +This patch fixes the issue 'BUG: Invalid wait context' during restart() +callback by using clk_prepare_enable() instead of pm_runtime_get_sync() +for turning on the clocks during restart. + +This issue is noticed when testing with renesas_defconfig. + +[ 42.213802] reboot: Restarting system +[ 42.217860] +[ 42.219364] ============================= +[ 42.223368] [ BUG: Invalid wait context ] +[ 42.227372] 5.17.0-rc5-arm64-renesas-00002-g10393723e35e #522 Not tainted +[ 42.234153] ----------------------------- +[ 42.238155] systemd-shutdow/1 is trying to lock: +[ 42.242766] ffff00000a650828 (&genpd->mlock){+.+.}-{3:3}, at: genpd_lock_mtx+0x14/0x20 +[ 42.250709] other info that might help us debug this: +[ 42.255753] context-{4:4} +[ 42.258368] 2 locks held by systemd-shutdow/1: +[ 42.262806] #0: ffff80000944e1c8 (system_transition_mutex#2){+.+.}-{3:3}, at: __do_sys_reboot+0xd0/0x250 +[ 42.272388] #1: ffff8000094c4e40 (rcu_read_lock){....}-{1:2}, at: atomic_notifier_call_chain+0x0/0x150 +[ 42.281795] stack backtrace: +[ 42.284672] CPU: 0 PID: 1 Comm: systemd-shutdow Not tainted 5.17.0-rc5-arm64-renesas-00002-g10393723e35e #522 +[ 42.294577] Hardware name: Renesas SMARC EVK based on r9a07g044c2 (DT) +[ 42.301096] Call trace: +[ 42.303538] dump_backtrace+0xcc/0xd8 +[ 42.307203] show_stack+0x14/0x30 +[ 42.310517] dump_stack_lvl+0x88/0xb0 +[ 42.314180] dump_stack+0x14/0x2c +[ 42.317492] __lock_acquire+0x1b24/0x1b50 +[ 42.321502] lock_acquire+0x120/0x3a8 +[ 42.325162] __mutex_lock+0x84/0x8f8 +[ 42.328737] mutex_lock_nested+0x30/0x58 +[ 42.332658] genpd_lock_mtx+0x14/0x20 +[ 42.336319] genpd_runtime_resume+0xc4/0x228 +[ 42.340587] __rpm_callback+0x44/0x170 +[ 42.344337] rpm_callback+0x64/0x70 +[ 42.347824] rpm_resume+0x4e0/0x6b8 +[ 42.351310] __pm_runtime_resume+0x50/0x78 +[ 42.355404] rzg2l_wdt_restart+0x28/0x68 +[ 42.359329] watchdog_restart_notifier+0x1c/0x30 +[ 42.363943] atomic_notifier_call_chain+0x94/0x150 +[ 42.368732] do_kernel_restart+0x24/0x30 +[ 42.372652] machine_restart+0x44/0x70 +[ 42.376399] kernel_restart+0x3c/0x60 +[ 42.380058] __do_sys_reboot+0x228/0x250 +[ 42.383977] __arm64_sys_reboot+0x20/0x28 +[ 42.387983] invoke_syscall+0x40/0xf8 + +Fixes: 2cbc5cd0b55fa2 ("watchdog: Add Watchdog Timer driver for RZ/G2L") +Signed-off-by: Biju Das +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20220225175320.11041-4-biju.das.jz@bp.renesas.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/rzg2l_wdt.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/drivers/watchdog/rzg2l_wdt.c b/drivers/watchdog/rzg2l_wdt.c +index 0fc73b8a9567..48dfe6e5e64f 100644 +--- a/drivers/watchdog/rzg2l_wdt.c ++++ b/drivers/watchdog/rzg2l_wdt.c +@@ -43,6 +43,8 @@ struct rzg2l_wdt_priv { + struct reset_control *rstc; + unsigned long osc_clk_rate; + unsigned long delay; ++ struct clk *pclk; ++ struct clk *osc_clk; + }; + + static void rzg2l_wdt_wait_delay(struct rzg2l_wdt_priv *priv) +@@ -118,7 +120,9 @@ static int rzg2l_wdt_restart(struct watchdog_device *wdev, + + /* Reset the module before we modify any register */ + reset_control_reset(priv->rstc); +- pm_runtime_get_sync(wdev->parent); ++ ++ clk_prepare_enable(priv->pclk); ++ clk_prepare_enable(priv->osc_clk); + + /* smallest counter value to reboot soon */ + rzg2l_wdt_write(priv, WDTSET_COUNTER_VAL(1), WDTSET); +@@ -165,7 +169,6 @@ static int rzg2l_wdt_probe(struct platform_device *pdev) + struct device *dev = &pdev->dev; + struct rzg2l_wdt_priv *priv; + unsigned long pclk_rate; +- struct clk *wdt_clk; + int ret; + + priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL); +@@ -177,22 +180,20 @@ static int rzg2l_wdt_probe(struct platform_device *pdev) + return PTR_ERR(priv->base); + + /* Get watchdog main clock */ +- wdt_clk = clk_get(&pdev->dev, "oscclk"); +- if (IS_ERR(wdt_clk)) +- return dev_err_probe(&pdev->dev, PTR_ERR(wdt_clk), "no oscclk"); ++ priv->osc_clk = devm_clk_get(&pdev->dev, "oscclk"); ++ if (IS_ERR(priv->osc_clk)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(priv->osc_clk), "no oscclk"); + +- priv->osc_clk_rate = clk_get_rate(wdt_clk); +- clk_put(wdt_clk); ++ priv->osc_clk_rate = clk_get_rate(priv->osc_clk); + if (!priv->osc_clk_rate) + return dev_err_probe(&pdev->dev, -EINVAL, "oscclk rate is 0"); + + /* Get Peripheral clock */ +- wdt_clk = clk_get(&pdev->dev, "pclk"); +- if (IS_ERR(wdt_clk)) +- return dev_err_probe(&pdev->dev, PTR_ERR(wdt_clk), "no pclk"); ++ priv->pclk = devm_clk_get(&pdev->dev, "pclk"); ++ if (IS_ERR(priv->pclk)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(priv->pclk), "no pclk"); + +- pclk_rate = clk_get_rate(wdt_clk); +- clk_put(wdt_clk); ++ pclk_rate = clk_get_rate(priv->pclk); + if (!pclk_rate) + return dev_err_probe(&pdev->dev, -EINVAL, "pclk rate is 0"); + +-- +2.35.1 + diff --git a/queue-5.17/watchdog-rzg2l_wdt-fix-reset-control-imbalance.patch b/queue-5.17/watchdog-rzg2l_wdt-fix-reset-control-imbalance.patch new file mode 100644 index 00000000000..1c8b2948be2 --- /dev/null +++ b/queue-5.17/watchdog-rzg2l_wdt-fix-reset-control-imbalance.patch @@ -0,0 +1,54 @@ +From aa4894dd964b6827679ea28750ad67e685637e7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Feb 2022 17:53:17 +0000 +Subject: watchdog: rzg2l_wdt: Fix reset control imbalance + +From: Biju Das + +[ Upstream commit 33d04d0fdba9fae18c7d58364643d2c606a43dba ] + +Both rzg2l_wdt_probe() and rzg2l_wdt_start() calls reset_control_ +deassert() which results in a reset control imbalance. + +This patch fixes reset control imbalance by removing reset_control_ +deassert() from rzg2l_wdt_start() and replaces reset_control_assert with +reset_control_reset in rzg2l_wdt_stop() as watchdog module can be stopped +only by a module reset. This change will allow us to restart WDT after +stop() by configuring WDT timeout and enable registers. + +Fixes: 2cbc5cd0b55fa2 ("watchdog: Add Watchdog Timer driver for RZ/G2L") +Signed-off-by: Biju Das +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20220225175320.11041-5-biju.das.jz@bp.renesas.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/rzg2l_wdt.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/watchdog/rzg2l_wdt.c b/drivers/watchdog/rzg2l_wdt.c +index 48dfe6e5e64f..88274704b260 100644 +--- a/drivers/watchdog/rzg2l_wdt.c ++++ b/drivers/watchdog/rzg2l_wdt.c +@@ -88,7 +88,6 @@ static int rzg2l_wdt_start(struct watchdog_device *wdev) + { + struct rzg2l_wdt_priv *priv = watchdog_get_drvdata(wdev); + +- reset_control_deassert(priv->rstc); + pm_runtime_get_sync(wdev->parent); + + /* Initialize time out */ +@@ -108,7 +107,7 @@ static int rzg2l_wdt_stop(struct watchdog_device *wdev) + struct rzg2l_wdt_priv *priv = watchdog_get_drvdata(wdev); + + pm_runtime_put(wdev->parent); +- reset_control_assert(priv->rstc); ++ reset_control_reset(priv->rstc); + + return 0; + } +-- +2.35.1 + diff --git a/queue-5.17/watchdog-rzg2l_wdt-fix-runtime-pm-usage.patch b/queue-5.17/watchdog-rzg2l_wdt-fix-runtime-pm-usage.patch new file mode 100644 index 00000000000..28c0d0b129e --- /dev/null +++ b/queue-5.17/watchdog-rzg2l_wdt-fix-runtime-pm-usage.patch @@ -0,0 +1,80 @@ +From 8adcbd046c034befb77188c68f5e2b38c5165386 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Feb 2022 17:53:15 +0000 +Subject: watchdog: rzg2l_wdt: Fix Runtime PM usage + +From: Biju Das + +[ Upstream commit 95abafe76297fa057de6c3486ef844bd446bdf18 ] + +Both rzg2l_wdt_probe() and rzg2l_wdt_start() calls pm_runtime_get() which +results in a usage counter imbalance. This patch fixes this issue by +removing pm_runtime_get() call from probe. + +Fixes: 2cbc5cd0b55fa2 ("watchdog: Add Watchdog Timer driver for RZ/G2L") +Signed-off-by: Biju Das +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20220225175320.11041-3-biju.das.jz@bp.renesas.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/rzg2l_wdt.c | 16 ++-------------- + 1 file changed, 2 insertions(+), 14 deletions(-) + +diff --git a/drivers/watchdog/rzg2l_wdt.c b/drivers/watchdog/rzg2l_wdt.c +index 96f2a018ab62..0fc73b8a9567 100644 +--- a/drivers/watchdog/rzg2l_wdt.c ++++ b/drivers/watchdog/rzg2l_wdt.c +@@ -151,12 +151,11 @@ static const struct watchdog_ops rzg2l_wdt_ops = { + .restart = rzg2l_wdt_restart, + }; + +-static void rzg2l_wdt_reset_assert_pm_disable_put(void *data) ++static void rzg2l_wdt_reset_assert_pm_disable(void *data) + { + struct watchdog_device *wdev = data; + struct rzg2l_wdt_priv *priv = watchdog_get_drvdata(wdev); + +- pm_runtime_put(wdev->parent); + pm_runtime_disable(wdev->parent); + reset_control_assert(priv->rstc); + } +@@ -206,11 +205,6 @@ static int rzg2l_wdt_probe(struct platform_device *pdev) + + reset_control_deassert(priv->rstc); + pm_runtime_enable(&pdev->dev); +- ret = pm_runtime_resume_and_get(&pdev->dev); +- if (ret < 0) { +- dev_err(dev, "pm_runtime_resume_and_get failed ret=%pe", ERR_PTR(ret)); +- goto out_pm_get; +- } + + priv->wdev.info = &rzg2l_wdt_ident; + priv->wdev.ops = &rzg2l_wdt_ops; +@@ -222,7 +216,7 @@ static int rzg2l_wdt_probe(struct platform_device *pdev) + + watchdog_set_drvdata(&priv->wdev, priv); + ret = devm_add_action_or_reset(&pdev->dev, +- rzg2l_wdt_reset_assert_pm_disable_put, ++ rzg2l_wdt_reset_assert_pm_disable, + &priv->wdev); + if (ret < 0) + return ret; +@@ -235,12 +229,6 @@ static int rzg2l_wdt_probe(struct platform_device *pdev) + dev_warn(dev, "Specified timeout invalid, using default"); + + return devm_watchdog_register_device(&pdev->dev, &priv->wdev); +- +-out_pm_get: +- pm_runtime_disable(dev); +- reset_control_assert(priv->rstc); +- +- return ret; + } + + static const struct of_device_id rzg2l_wdt_ids[] = { +-- +2.35.1 + diff --git a/queue-5.17/watchdog-ts4800_wdt-fix-refcount-leak-in-ts4800_wdt_.patch b/queue-5.17/watchdog-ts4800_wdt-fix-refcount-leak-in-ts4800_wdt_.patch new file mode 100644 index 00000000000..cdded9a7dde --- /dev/null +++ b/queue-5.17/watchdog-ts4800_wdt-fix-refcount-leak-in-ts4800_wdt_.patch @@ -0,0 +1,49 @@ +From 3fcf135c02e91ff04fa1c163fe44b3fa01a535c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 May 2022 15:42:03 +0400 +Subject: watchdog: ts4800_wdt: Fix refcount leak in ts4800_wdt_probe + +From: Miaoqian Lin + +[ Upstream commit 5d24df3d690809952528e7a19a43d84bc5b99d44 ] + +of_parse_phandle() returns a node pointer with refcount +incremented, we should use of_node_put() on it when done. +Add missing of_node_put() in some error paths. + +Fixes: bf9006399939 ("watchdog: ts4800: add driver for TS-4800 watchdog") +Signed-off-by: Miaoqian Lin +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20220511114203.47420-1-linmq006@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/ts4800_wdt.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/watchdog/ts4800_wdt.c b/drivers/watchdog/ts4800_wdt.c +index c137ad2bd5c3..0ea554c7cda5 100644 +--- a/drivers/watchdog/ts4800_wdt.c ++++ b/drivers/watchdog/ts4800_wdt.c +@@ -125,13 +125,16 @@ static int ts4800_wdt_probe(struct platform_device *pdev) + ret = of_property_read_u32_index(np, "syscon", 1, ®); + if (ret < 0) { + dev_err(dev, "no offset in syscon\n"); ++ of_node_put(syscon_np); + return ret; + } + + /* allocate memory for watchdog struct */ + wdt = devm_kzalloc(dev, sizeof(*wdt), GFP_KERNEL); +- if (!wdt) ++ if (!wdt) { ++ of_node_put(syscon_np); + return -ENOMEM; ++ } + + /* set regmap and offset to know where to write */ + wdt->feed_offset = reg; +-- +2.35.1 + -- 2.47.3