From eb1811e12e75e7be7b1e7dd2958cab022ab1f28b Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 9 May 2022 10:42:25 +0200 Subject: [PATCH] 5.10-stable patches added patches: drm-amd-display-avoid-reading-audio-pattern-past-audio_channels_count.patch firewire-core-extend-card-lock-in-fw_core_handle_bus_reset.patch firewire-fix-potential-uaf-in-outbound_phy_packet_callback.patch firewire-remove-check-of-list-iterator-against-head-past-the-loop-body.patch gpiolib-of-fix-bounds-check-for-gpio-reserved-ranges.patch iommu-vt-d-calculate-mask-for-non-aligned-flushes.patch kvm-x86-svm-account-for-family-17h-event-renumberings-in-amd_pmc_perf_hw_id.patch mmc-core-set-hs-clock-speed-before-sending-hs-cmd13.patch mmc-sdhci-msm-reset-gcc_sdcc_bcr-register-for-sdhc.patch net-stmmac-disable-split-header-sph-for-intel-platforms.patch revert-sunrpc-attempt-af_local-connect-on-setup.patch --- ...io-pattern-past-audio_channels_count.patch | 33 +++++ ...ard-lock-in-fw_core_handle_bus_reset.patch | 91 ++++++++++++ ...-uaf-in-outbound_phy_packet_callback.patch | 47 ++++++ ...ator-against-head-past-the-loop-body.patch | 140 ++++++++++++++++++ ...ounds-check-for-gpio-reserved-ranges.patch | 47 ++++++ ...lculate-mask-for-non-aligned-flushes.patch | 85 +++++++++++ ...t-renumberings-in-amd_pmc_perf_hw_id.patch | 84 +++++++++++ ...-clock-speed-before-sending-hs-cmd13.patch | 131 ++++++++++++++++ ...reset-gcc_sdcc_bcr-register-for-sdhc.patch | 112 ++++++++++++++ ...split-header-sph-for-intel-platforms.patch | 65 ++++++++ ...pc-attempt-af_local-connect-on-setup.patch | 36 +++++ queue-5.10/series | 11 ++ 12 files changed, 882 insertions(+) create mode 100644 queue-5.10/drm-amd-display-avoid-reading-audio-pattern-past-audio_channels_count.patch create mode 100644 queue-5.10/firewire-core-extend-card-lock-in-fw_core_handle_bus_reset.patch create mode 100644 queue-5.10/firewire-fix-potential-uaf-in-outbound_phy_packet_callback.patch create mode 100644 queue-5.10/firewire-remove-check-of-list-iterator-against-head-past-the-loop-body.patch create mode 100644 queue-5.10/gpiolib-of-fix-bounds-check-for-gpio-reserved-ranges.patch create mode 100644 queue-5.10/iommu-vt-d-calculate-mask-for-non-aligned-flushes.patch create mode 100644 queue-5.10/kvm-x86-svm-account-for-family-17h-event-renumberings-in-amd_pmc_perf_hw_id.patch create mode 100644 queue-5.10/mmc-core-set-hs-clock-speed-before-sending-hs-cmd13.patch create mode 100644 queue-5.10/mmc-sdhci-msm-reset-gcc_sdcc_bcr-register-for-sdhc.patch create mode 100644 queue-5.10/net-stmmac-disable-split-header-sph-for-intel-platforms.patch create mode 100644 queue-5.10/revert-sunrpc-attempt-af_local-connect-on-setup.patch diff --git a/queue-5.10/drm-amd-display-avoid-reading-audio-pattern-past-audio_channels_count.patch b/queue-5.10/drm-amd-display-avoid-reading-audio-pattern-past-audio_channels_count.patch new file mode 100644 index 00000000000..de7a64d6fc0 --- /dev/null +++ b/queue-5.10/drm-amd-display-avoid-reading-audio-pattern-past-audio_channels_count.patch @@ -0,0 +1,33 @@ +From 3dfe85fa87b2a26bdbd292b66653bba065cf9941 Mon Sep 17 00:00:00 2001 +From: Harry Wentland +Date: Tue, 19 Apr 2022 13:03:12 -0400 +Subject: drm/amd/display: Avoid reading audio pattern past AUDIO_CHANNELS_COUNT + +From: Harry Wentland + +commit 3dfe85fa87b2a26bdbd292b66653bba065cf9941 upstream. + +A faulty receiver might report an erroneous channel count. We +should guard against reading beyond AUDIO_CHANNELS_COUNT as +that would overflow the dpcd_pattern_period array. + +Signed-off-by: Harry Wentland +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c +@@ -2822,7 +2822,7 @@ static void dp_test_get_audio_test_data( + &dpcd_pattern_type.value, + sizeof(dpcd_pattern_type)); + +- channel_count = dpcd_test_mode.bits.channel_count + 1; ++ channel_count = min(dpcd_test_mode.bits.channel_count + 1, AUDIO_CHANNELS_COUNT); + + // read pattern periods for requested channels when sawTooth pattern is requested + if (dpcd_pattern_type.value == AUDIO_TEST_PATTERN_SAWTOOTH || diff --git a/queue-5.10/firewire-core-extend-card-lock-in-fw_core_handle_bus_reset.patch b/queue-5.10/firewire-core-extend-card-lock-in-fw_core_handle_bus_reset.patch new file mode 100644 index 00000000000..e0ee10c41ea --- /dev/null +++ b/queue-5.10/firewire-core-extend-card-lock-in-fw_core_handle_bus_reset.patch @@ -0,0 +1,91 @@ +From a7ecbe92b9243edbe94772f6f2c854e4142a3345 Mon Sep 17 00:00:00 2001 +From: Niels Dossche +Date: Sat, 9 Apr 2022 13:12:43 +0900 +Subject: firewire: core: extend card->lock in fw_core_handle_bus_reset + +From: Niels Dossche + +commit a7ecbe92b9243edbe94772f6f2c854e4142a3345 upstream. + +card->local_node and card->bm_retries are both always accessed under +card->lock. +fw_core_handle_bus_reset has a check whose condition depends on +card->local_node and whose body writes to card->bm_retries. +Both of these accesses are not under card->lock. Move the lock acquiring +of card->lock to before this check such that these accesses do happen +when card->lock is held. +fw_destroy_nodes is called inside the check. +Since fw_destroy_nodes already acquires card->lock inside its function +body, move this out to the callsites of fw_destroy_nodes. +Also add a comment to indicate which locking is necessary when calling +fw_destroy_nodes. + +Cc: +Signed-off-by: Niels Dossche +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20220409041243.603210-4-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firewire/core-card.c | 3 +++ + drivers/firewire/core-topology.c | 9 +++------ + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/firewire/core-card.c ++++ b/drivers/firewire/core-card.c +@@ -668,6 +668,7 @@ EXPORT_SYMBOL_GPL(fw_card_release); + void fw_core_remove_card(struct fw_card *card) + { + struct fw_card_driver dummy_driver = dummy_driver_template; ++ unsigned long flags; + + card->driver->update_phy_reg(card, 4, + PHY_LINK_ACTIVE | PHY_CONTENDER, 0); +@@ -682,7 +683,9 @@ void fw_core_remove_card(struct fw_card + dummy_driver.stop_iso = card->driver->stop_iso; + card->driver = &dummy_driver; + ++ spin_lock_irqsave(&card->lock, flags); + fw_destroy_nodes(card); ++ spin_unlock_irqrestore(&card->lock, flags); + + /* Wait for all users, especially device workqueue jobs, to finish. */ + fw_card_put(card); +--- a/drivers/firewire/core-topology.c ++++ b/drivers/firewire/core-topology.c +@@ -374,16 +374,13 @@ static void report_found_node(struct fw_ + card->bm_retries = 0; + } + ++/* Must be called with card->lock held */ + void fw_destroy_nodes(struct fw_card *card) + { +- unsigned long flags; +- +- spin_lock_irqsave(&card->lock, flags); + card->color++; + if (card->local_node != NULL) + for_each_fw_node(card, card->local_node, report_lost_node); + card->local_node = NULL; +- spin_unlock_irqrestore(&card->lock, flags); + } + + static void move_tree(struct fw_node *node0, struct fw_node *node1, int port) +@@ -509,6 +506,8 @@ void fw_core_handle_bus_reset(struct fw_ + struct fw_node *local_node; + unsigned long flags; + ++ spin_lock_irqsave(&card->lock, flags); ++ + /* + * If the selfID buffer is not the immediate successor of the + * previously processed one, we cannot reliably compare the +@@ -520,8 +519,6 @@ void fw_core_handle_bus_reset(struct fw_ + card->bm_retries = 0; + } + +- spin_lock_irqsave(&card->lock, flags); +- + card->broadcast_channel_allocated = card->broadcast_channel_auto_allocated; + card->node_id = node_id; + /* diff --git a/queue-5.10/firewire-fix-potential-uaf-in-outbound_phy_packet_callback.patch b/queue-5.10/firewire-fix-potential-uaf-in-outbound_phy_packet_callback.patch new file mode 100644 index 00000000000..f63a9c9154b --- /dev/null +++ b/queue-5.10/firewire-fix-potential-uaf-in-outbound_phy_packet_callback.patch @@ -0,0 +1,47 @@ +From b7c81f80246fac44077166f3e07103affe6db8ff Mon Sep 17 00:00:00 2001 +From: Chengfeng Ye +Date: Sat, 9 Apr 2022 13:12:41 +0900 +Subject: firewire: fix potential uaf in outbound_phy_packet_callback() + +From: Chengfeng Ye + +commit b7c81f80246fac44077166f3e07103affe6db8ff upstream. + +&e->event and e point to the same address, and &e->event could +be freed in queue_event. So there is a potential uaf issue if +we dereference e after calling queue_event(). Fix this by adding +a temporary variable to maintain e->client in advance, this can +avoid the potential uaf issue. + +Cc: +Signed-off-by: Chengfeng Ye +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20220409041243.603210-2-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firewire/core-cdev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/firewire/core-cdev.c ++++ b/drivers/firewire/core-cdev.c +@@ -1480,6 +1480,7 @@ static void outbound_phy_packet_callback + { + struct outbound_phy_packet_event *e = + container_of(packet, struct outbound_phy_packet_event, p); ++ struct client *e_client; + + switch (status) { + /* expected: */ +@@ -1496,9 +1497,10 @@ static void outbound_phy_packet_callback + } + e->phy_packet.data[0] = packet->timestamp; + ++ e_client = e->client; + queue_event(e->client, &e->event, &e->phy_packet, + sizeof(e->phy_packet) + e->phy_packet.length, NULL, 0); +- client_put(e->client); ++ client_put(e_client); + } + + static int ioctl_send_phy_packet(struct client *client, union ioctl_arg *arg) diff --git a/queue-5.10/firewire-remove-check-of-list-iterator-against-head-past-the-loop-body.patch b/queue-5.10/firewire-remove-check-of-list-iterator-against-head-past-the-loop-body.patch new file mode 100644 index 00000000000..830383d938d --- /dev/null +++ b/queue-5.10/firewire-remove-check-of-list-iterator-against-head-past-the-loop-body.patch @@ -0,0 +1,140 @@ +From 9423973869bd4632ffe669f950510c49296656e0 Mon Sep 17 00:00:00 2001 +From: Jakob Koschel +Date: Sat, 9 Apr 2022 13:12:42 +0900 +Subject: firewire: remove check of list iterator against head past the loop body + +From: Jakob Koschel + +commit 9423973869bd4632ffe669f950510c49296656e0 upstream. + +When list_for_each_entry() completes the iteration over the whole list +without breaking the loop, the iterator value will be a bogus pointer +computed based on the head element. + +While it is safe to use the pointer to determine if it was computed +based on the head element, either with list_entry_is_head() or +&pos->member == head, using the iterator variable after the loop should +be avoided. + +In preparation to limit the scope of a list iterator to the list +traversal loop, use a dedicated pointer to point to the found element [1]. + +Link: https://lore.kernel.org/all/CAHk-=wgRr_D8CB-D9Kg-c=EHreAsk5SqXPwr9Y7k9sA6cWXJ6w@mail.gmail.com/ [1] +Cc: +Signed-off-by: Jakob Koschel +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20220409041243.603210-3-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firewire/core-transaction.c | 30 ++++++++++++++++-------------- + drivers/firewire/sbp2.c | 13 +++++++------ + 2 files changed, 23 insertions(+), 20 deletions(-) + +--- a/drivers/firewire/core-transaction.c ++++ b/drivers/firewire/core-transaction.c +@@ -73,24 +73,25 @@ static int try_cancel_split_timeout(stru + static int close_transaction(struct fw_transaction *transaction, + struct fw_card *card, int rcode) + { +- struct fw_transaction *t; ++ struct fw_transaction *t = NULL, *iter; + unsigned long flags; + + spin_lock_irqsave(&card->lock, flags); +- list_for_each_entry(t, &card->transaction_list, link) { +- if (t == transaction) { +- if (!try_cancel_split_timeout(t)) { ++ list_for_each_entry(iter, &card->transaction_list, link) { ++ if (iter == transaction) { ++ if (!try_cancel_split_timeout(iter)) { + spin_unlock_irqrestore(&card->lock, flags); + goto timed_out; + } +- list_del_init(&t->link); +- card->tlabel_mask &= ~(1ULL << t->tlabel); ++ list_del_init(&iter->link); ++ card->tlabel_mask &= ~(1ULL << iter->tlabel); ++ t = iter; + break; + } + } + spin_unlock_irqrestore(&card->lock, flags); + +- if (&t->link != &card->transaction_list) { ++ if (t) { + t->callback(card, rcode, NULL, 0, t->callback_data); + return 0; + } +@@ -935,7 +936,7 @@ EXPORT_SYMBOL(fw_core_handle_request); + + void fw_core_handle_response(struct fw_card *card, struct fw_packet *p) + { +- struct fw_transaction *t; ++ struct fw_transaction *t = NULL, *iter; + unsigned long flags; + u32 *data; + size_t data_length; +@@ -947,20 +948,21 @@ void fw_core_handle_response(struct fw_c + rcode = HEADER_GET_RCODE(p->header[1]); + + spin_lock_irqsave(&card->lock, flags); +- list_for_each_entry(t, &card->transaction_list, link) { +- if (t->node_id == source && t->tlabel == tlabel) { +- if (!try_cancel_split_timeout(t)) { ++ list_for_each_entry(iter, &card->transaction_list, link) { ++ if (iter->node_id == source && iter->tlabel == tlabel) { ++ if (!try_cancel_split_timeout(iter)) { + spin_unlock_irqrestore(&card->lock, flags); + goto timed_out; + } +- list_del_init(&t->link); +- card->tlabel_mask &= ~(1ULL << t->tlabel); ++ list_del_init(&iter->link); ++ card->tlabel_mask &= ~(1ULL << iter->tlabel); ++ t = iter; + break; + } + } + spin_unlock_irqrestore(&card->lock, flags); + +- if (&t->link == &card->transaction_list) { ++ if (!t) { + timed_out: + fw_notice(card, "unsolicited response (source %x, tlabel %x)\n", + source, tlabel); +--- a/drivers/firewire/sbp2.c ++++ b/drivers/firewire/sbp2.c +@@ -408,7 +408,7 @@ static void sbp2_status_write(struct fw_ + void *payload, size_t length, void *callback_data) + { + struct sbp2_logical_unit *lu = callback_data; +- struct sbp2_orb *orb; ++ struct sbp2_orb *orb = NULL, *iter; + struct sbp2_status status; + unsigned long flags; + +@@ -433,17 +433,18 @@ static void sbp2_status_write(struct fw_ + + /* Lookup the orb corresponding to this status write. */ + spin_lock_irqsave(&lu->tgt->lock, flags); +- list_for_each_entry(orb, &lu->orb_list, link) { ++ list_for_each_entry(iter, &lu->orb_list, link) { + if (STATUS_GET_ORB_HIGH(status) == 0 && +- STATUS_GET_ORB_LOW(status) == orb->request_bus) { +- orb->rcode = RCODE_COMPLETE; +- list_del(&orb->link); ++ STATUS_GET_ORB_LOW(status) == iter->request_bus) { ++ iter->rcode = RCODE_COMPLETE; ++ list_del(&iter->link); ++ orb = iter; + break; + } + } + spin_unlock_irqrestore(&lu->tgt->lock, flags); + +- if (&orb->link != &lu->orb_list) { ++ if (orb) { + orb->callback(orb, &status); + kref_put(&orb->kref, free_orb); /* orb callback reference */ + } else { diff --git a/queue-5.10/gpiolib-of-fix-bounds-check-for-gpio-reserved-ranges.patch b/queue-5.10/gpiolib-of-fix-bounds-check-for-gpio-reserved-ranges.patch new file mode 100644 index 00000000000..aeca90b72c4 --- /dev/null +++ b/queue-5.10/gpiolib-of-fix-bounds-check-for-gpio-reserved-ranges.patch @@ -0,0 +1,47 @@ +From e75f88efac05bf4e107e4171d8db6d8c3937252d Mon Sep 17 00:00:00 2001 +From: Andrei Lalaev +Date: Fri, 15 Apr 2022 10:07:11 +0300 +Subject: gpiolib: of: fix bounds check for 'gpio-reserved-ranges' + +From: Andrei Lalaev + +commit e75f88efac05bf4e107e4171d8db6d8c3937252d upstream. + +Gpiolib interprets the elements of "gpio-reserved-ranges" as "start,size" +because it clears "size" bits starting from the "start" bit in the according +bitmap. So it has to use "greater" instead of "greater or equal" when performs +bounds check to make sure that GPIOs are in the available range. +Previous implementation skipped ranges that include the last GPIO in +the range. + +I wrote the mail to the maintainers +(https://lore.kernel.org/linux-gpio/20220412115554.159435-1-andrei.lalaev@emlid.com/T/#u) +of the questioned DTSes (because I couldn't understand how the maintainers +interpreted this property), but I haven't received a response. +Since the questioned DTSes use "gpio-reserved-ranges = <0 4>" +(i.e., the beginning of the range), this patch doesn't affect these DTSes at all. +TBH this patch doesn't break any existing DTSes because none of them +reserve gpios at the end of range. + +Fixes: 726cb3ba4969 ("gpiolib: Support 'gpio-reserved-ranges' property") +Signed-off-by: Andrei Lalaev +Reviewed-by: Andy Shevchenko +Reviewed-by: Linus Walleij +Cc: stable@vger.kernel.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib-of.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -912,7 +912,7 @@ static void of_gpiochip_init_valid_mask( + i, &start); + of_property_read_u32_index(np, "gpio-reserved-ranges", + i + 1, &count); +- if (start >= chip->ngpio || start + count >= chip->ngpio) ++ if (start >= chip->ngpio || start + count > chip->ngpio) + continue; + + bitmap_clear(chip->valid_mask, start, count); diff --git a/queue-5.10/iommu-vt-d-calculate-mask-for-non-aligned-flushes.patch b/queue-5.10/iommu-vt-d-calculate-mask-for-non-aligned-flushes.patch new file mode 100644 index 00000000000..aca7aeb5ee3 --- /dev/null +++ b/queue-5.10/iommu-vt-d-calculate-mask-for-non-aligned-flushes.patch @@ -0,0 +1,85 @@ +From 59bf3557cf2f8a469a554aea1e3d2c8e72a579f7 Mon Sep 17 00:00:00 2001 +From: David Stevens +Date: Sun, 10 Apr 2022 09:35:33 +0800 +Subject: iommu/vt-d: Calculate mask for non-aligned flushes + +From: David Stevens + +commit 59bf3557cf2f8a469a554aea1e3d2c8e72a579f7 upstream. + +Calculate the appropriate mask for non-size-aligned page selective +invalidation. Since psi uses the mask value to mask out the lower order +bits of the target address, properly flushing the iotlb requires using a +mask value such that [pfn, pfn+pages) all lie within the flushed +size-aligned region. This is not normally an issue because iova.c +always allocates iovas that are aligned to their size. However, iovas +which come from other sources (e.g. userspace via VFIO) may not be +aligned. + +To properly flush the IOTLB, both the start and end pfns need to be +equal after applying the mask. That means that the most efficient mask +to use is the index of the lowest bit that is equal where all higher +bits are also equal. For example, if pfn=0x17f and pages=3, then +end_pfn=0x181, so the smallest mask we can use is 8. Any differences +above the highest bit of pages are due to carrying, so by xnor'ing pfn +and end_pfn and then masking out the lower order bits based on pages, we +get 0xffffff00, where the first set bit is the mask we want to use. + +Fixes: 6fe1010d6d9c ("vfio/type1: DMA unmap chunking") +Cc: stable@vger.kernel.org +Signed-off-by: David Stevens +Reviewed-by: Kevin Tian +Link: https://lore.kernel.org/r/20220401022430.1262215-1-stevensd@google.com +Signed-off-by: Lu Baolu +Link: https://lore.kernel.org/r/20220410013533.3959168-2-baolu.lu@linux.intel.com +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/intel/iommu.c | 27 ++++++++++++++++++++++++--- + 1 file changed, 24 insertions(+), 3 deletions(-) + +--- a/drivers/iommu/intel/iommu.c ++++ b/drivers/iommu/intel/iommu.c +@@ -1626,7 +1626,8 @@ static void iommu_flush_iotlb_psi(struct + unsigned long pfn, unsigned int pages, + int ih, int map) + { +- unsigned int mask = ilog2(__roundup_pow_of_two(pages)); ++ unsigned int aligned_pages = __roundup_pow_of_two(pages); ++ unsigned int mask = ilog2(aligned_pages); + uint64_t addr = (uint64_t)pfn << VTD_PAGE_SHIFT; + u16 did = domain->iommu_did[iommu->seq_id]; + +@@ -1638,10 +1639,30 @@ static void iommu_flush_iotlb_psi(struct + if (domain_use_first_level(domain)) { + domain_flush_piotlb(iommu, domain, addr, pages, ih); + } else { ++ unsigned long bitmask = aligned_pages - 1; ++ ++ /* ++ * PSI masks the low order bits of the base address. If the ++ * address isn't aligned to the mask, then compute a mask value ++ * needed to ensure the target range is flushed. ++ */ ++ if (unlikely(bitmask & pfn)) { ++ unsigned long end_pfn = pfn + pages - 1, shared_bits; ++ ++ /* ++ * Since end_pfn <= pfn + bitmask, the only way bits ++ * higher than bitmask can differ in pfn and end_pfn is ++ * by carrying. This means after masking out bitmask, ++ * high bits starting with the first set bit in ++ * shared_bits are all equal in both pfn and end_pfn. ++ */ ++ shared_bits = ~(pfn ^ end_pfn) & ~bitmask; ++ mask = shared_bits ? __ffs(shared_bits) : BITS_PER_LONG; ++ } ++ + /* + * Fallback to domain selective flush if no PSI support or +- * the size is too big. PSI requires page size to be 2 ^ x, +- * and the base address is naturally aligned to the size. ++ * the size is too big. + */ + if (!cap_pgsel_inv(iommu->cap) || + mask > cap_max_amask_val(iommu->cap)) diff --git a/queue-5.10/kvm-x86-svm-account-for-family-17h-event-renumberings-in-amd_pmc_perf_hw_id.patch b/queue-5.10/kvm-x86-svm-account-for-family-17h-event-renumberings-in-amd_pmc_perf_hw_id.patch new file mode 100644 index 00000000000..b7982114e83 --- /dev/null +++ b/queue-5.10/kvm-x86-svm-account-for-family-17h-event-renumberings-in-amd_pmc_perf_hw_id.patch @@ -0,0 +1,84 @@ +From 5eb849322d7f7ae9d5c587c7bc3b4f7c6872cd2f Mon Sep 17 00:00:00 2001 +From: Kyle Huey +Date: Mon, 2 May 2022 22:01:36 -0700 +Subject: KVM: x86/svm: Account for family 17h event renumberings in amd_pmc_perf_hw_id + +From: Kyle Huey + +commit 5eb849322d7f7ae9d5c587c7bc3b4f7c6872cd2f upstream. + +Zen renumbered some of the performance counters that correspond to the +well known events in perf_hw_id. This code in KVM was never updated for +that, so guest that attempt to use counters on Zen that correspond to the +pre-Zen perf_hw_id values will silently receive the wrong values. + +This has been observed in the wild with rr[0] when running in Zen 3 +guests. rr uses the retired conditional branch counter 00d1 which is +incorrectly recognized by KVM as PERF_COUNT_HW_STALLED_CYCLES_BACKEND. + +[0] https://rr-project.org/ + +Signed-off-by: Kyle Huey +Message-Id: <20220503050136.86298-1-khuey@kylehuey.com> +Cc: stable@vger.kernel.org +[Check guest family, not host. - Paolo] +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/pmu.c | 28 +++++++++++++++++++++++++--- + 1 file changed, 25 insertions(+), 3 deletions(-) + +--- a/arch/x86/kvm/svm/pmu.c ++++ b/arch/x86/kvm/svm/pmu.c +@@ -44,6 +44,22 @@ static struct kvm_event_hw_type_mapping + [7] = { 0xd1, 0x00, PERF_COUNT_HW_STALLED_CYCLES_BACKEND }, + }; + ++/* duplicated from amd_f17h_perfmon_event_map. */ ++static struct kvm_event_hw_type_mapping amd_f17h_event_mapping[] = { ++ [0] = { 0x76, 0x00, PERF_COUNT_HW_CPU_CYCLES }, ++ [1] = { 0xc0, 0x00, PERF_COUNT_HW_INSTRUCTIONS }, ++ [2] = { 0x60, 0xff, PERF_COUNT_HW_CACHE_REFERENCES }, ++ [3] = { 0x64, 0x09, PERF_COUNT_HW_CACHE_MISSES }, ++ [4] = { 0xc2, 0x00, PERF_COUNT_HW_BRANCH_INSTRUCTIONS }, ++ [5] = { 0xc3, 0x00, PERF_COUNT_HW_BRANCH_MISSES }, ++ [6] = { 0x87, 0x02, PERF_COUNT_HW_STALLED_CYCLES_FRONTEND }, ++ [7] = { 0x87, 0x01, PERF_COUNT_HW_STALLED_CYCLES_BACKEND }, ++}; ++ ++/* amd_pmc_perf_hw_id depends on these being the same size */ ++static_assert(ARRAY_SIZE(amd_event_mapping) == ++ ARRAY_SIZE(amd_f17h_event_mapping)); ++ + static unsigned int get_msr_base(struct kvm_pmu *pmu, enum pmu_type type) + { + struct kvm_vcpu *vcpu = pmu_to_vcpu(pmu); +@@ -128,19 +144,25 @@ static inline struct kvm_pmc *get_gp_pmc + + static unsigned int amd_pmc_perf_hw_id(struct kvm_pmc *pmc) + { ++ struct kvm_event_hw_type_mapping *event_mapping; + u8 event_select = pmc->eventsel & ARCH_PERFMON_EVENTSEL_EVENT; + u8 unit_mask = (pmc->eventsel & ARCH_PERFMON_EVENTSEL_UMASK) >> 8; + int i; + ++ if (guest_cpuid_family(pmc->vcpu) >= 0x17) ++ event_mapping = amd_f17h_event_mapping; ++ else ++ event_mapping = amd_event_mapping; ++ + for (i = 0; i < ARRAY_SIZE(amd_event_mapping); i++) +- if (amd_event_mapping[i].eventsel == event_select +- && amd_event_mapping[i].unit_mask == unit_mask) ++ if (event_mapping[i].eventsel == event_select ++ && event_mapping[i].unit_mask == unit_mask) + break; + + if (i == ARRAY_SIZE(amd_event_mapping)) + return PERF_COUNT_HW_MAX; + +- return amd_event_mapping[i].event_type; ++ return event_mapping[i].event_type; + } + + /* return PERF_COUNT_HW_MAX as AMD doesn't have fixed events */ diff --git a/queue-5.10/mmc-core-set-hs-clock-speed-before-sending-hs-cmd13.patch b/queue-5.10/mmc-core-set-hs-clock-speed-before-sending-hs-cmd13.patch new file mode 100644 index 00000000000..2a813d9c613 --- /dev/null +++ b/queue-5.10/mmc-core-set-hs-clock-speed-before-sending-hs-cmd13.patch @@ -0,0 +1,131 @@ +From 4bc31edebde51fcf8ad0794763b8679a7ecb5ec0 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Fri, 22 Apr 2022 10:08:53 -0700 +Subject: mmc: core: Set HS clock speed before sending HS CMD13 + +From: Brian Norris + +commit 4bc31edebde51fcf8ad0794763b8679a7ecb5ec0 upstream. + +Way back in commit 4f25580fb84d ("mmc: core: changes frequency to +hs_max_dtr when selecting hs400es"), Rockchip engineers noticed that +some eMMC don't respond to SEND_STATUS commands very reliably if they're +still running at a low initial frequency. As mentioned in that commit, +JESD84-B51 P49 suggests a sequence in which the host: +1. sets HS_TIMING +2. bumps the clock ("<= 52 MHz") +3. sends further commands + +It doesn't exactly require that we don't use a lower-than-52MHz +frequency, but in practice, these eMMC don't like it. + +The aforementioned commit tried to get that right for HS400ES, although +it's unclear whether this ever truly worked as committed into mainline, +as other changes/refactoring adjusted the sequence in conflicting ways: + +08573eaf1a70 ("mmc: mmc: do not use CMD13 to get status after speed mode +switch") + +53e60650f74e ("mmc: core: Allow CMD13 polling when switching to HS mode +for mmc") + +In any case, today we do step 3 before step 2. Let's fix that, and also +apply the same logic to HS200/400, where this eMMC has problems too. + +Resolves errors like this seen when booting some RK3399 Gru/Scarlet +systems: + +[ 2.058881] mmc1: CQHCI version 5.10 +[ 2.097545] mmc1: SDHCI controller on fe330000.mmc [fe330000.mmc] using ADMA +[ 2.209804] mmc1: mmc_select_hs400es failed, error -84 +[ 2.215597] mmc1: error -84 whilst initialising MMC card +[ 2.417514] mmc1: mmc_select_hs400es failed, error -110 +[ 2.423373] mmc1: error -110 whilst initialising MMC card +[ 2.605052] mmc1: mmc_select_hs400es failed, error -110 +[ 2.617944] mmc1: error -110 whilst initialising MMC card +[ 2.835884] mmc1: mmc_select_hs400es failed, error -110 +[ 2.841751] mmc1: error -110 whilst initialising MMC card + +Ealier versions of this patch bumped to 200MHz/HS200 speeds too early, +which caused issues on, e.g., qcom-msm8974-fairphone-fp2. (Thanks for +the report Luca!) After a second look, it appears that aligns with +JESD84 / page 45 / table 28, so we need to keep to lower (HS / 52 MHz) +rates first. + +Fixes: 08573eaf1a70 ("mmc: mmc: do not use CMD13 to get status after speed mode switch") +Fixes: 53e60650f74e ("mmc: core: Allow CMD13 polling when switching to HS mode for mmc") +Fixes: 4f25580fb84d ("mmc: core: changes frequency to hs_max_dtr when selecting hs400es") +Cc: Shawn Lin +Link: https://lore.kernel.org/linux-mmc/11962455.O9o76ZdvQC@g550jk/ +Reported-by: Luca Weiss +Signed-off-by: Brian Norris +Tested-by: Luca Weiss +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220422100824.v4.1.I484f4ee35609f78b932bd50feed639c29e64997e@changeid +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/mmc.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -1378,13 +1378,17 @@ static int mmc_select_hs400es(struct mmc + goto out_err; + } + ++ /* ++ * Bump to HS timing and frequency. Some cards don't handle ++ * SEND_STATUS reliably at the initial frequency. ++ */ + mmc_set_timing(host, MMC_TIMING_MMC_HS); ++ mmc_set_bus_speed(card); ++ + err = mmc_switch_status(card, true); + if (err) + goto out_err; + +- mmc_set_clock(host, card->ext_csd.hs_max_dtr); +- + /* Switch card to DDR with strobe bit */ + val = EXT_CSD_DDR_BUS_WIDTH_8 | EXT_CSD_BUS_WIDTH_STROBE; + err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL, +@@ -1442,7 +1446,7 @@ out_err: + static int mmc_select_hs200(struct mmc_card *card) + { + struct mmc_host *host = card->host; +- unsigned int old_timing, old_signal_voltage; ++ unsigned int old_timing, old_signal_voltage, old_clock; + int err = -EINVAL; + u8 val; + +@@ -1473,8 +1477,17 @@ static int mmc_select_hs200(struct mmc_c + false, true); + if (err) + goto err; ++ ++ /* ++ * Bump to HS timing and frequency. Some cards don't handle ++ * SEND_STATUS reliably at the initial frequency. ++ * NB: We can't move to full (HS200) speeds until after we've ++ * successfully switched over. ++ */ + old_timing = host->ios.timing; ++ old_clock = host->ios.clock; + mmc_set_timing(host, MMC_TIMING_MMC_HS200); ++ mmc_set_clock(card->host, card->ext_csd.hs_max_dtr); + + /* + * For HS200, CRC errors are not a reliable way to know the +@@ -1487,8 +1500,10 @@ static int mmc_select_hs200(struct mmc_c + * mmc_select_timing() assumes timing has not changed if + * it is a switch error. + */ +- if (err == -EBADMSG) ++ if (err == -EBADMSG) { ++ mmc_set_clock(host, old_clock); + mmc_set_timing(host, old_timing); ++ } + } + err: + if (err) { diff --git a/queue-5.10/mmc-sdhci-msm-reset-gcc_sdcc_bcr-register-for-sdhc.patch b/queue-5.10/mmc-sdhci-msm-reset-gcc_sdcc_bcr-register-for-sdhc.patch new file mode 100644 index 00000000000..bdcbf2af013 --- /dev/null +++ b/queue-5.10/mmc-sdhci-msm-reset-gcc_sdcc_bcr-register-for-sdhc.patch @@ -0,0 +1,112 @@ +From 3e5a8e8494a8122fe4eb3f167662f406cab753b9 Mon Sep 17 00:00:00 2001 +From: Shaik Sajida Bhanu +Date: Sun, 24 Apr 2022 21:32:33 +0530 +Subject: mmc: sdhci-msm: Reset GCC_SDCC_BCR register for SDHC + +From: Shaik Sajida Bhanu + +commit 3e5a8e8494a8122fe4eb3f167662f406cab753b9 upstream. + +Reset GCC_SDCC_BCR register before every fresh initilazation. This will +reset whole SDHC-msm controller, clears the previous power control +states and avoids, software reset timeout issues as below. + +[ 5.458061][ T262] mmc1: Reset 0x1 never completed. +[ 5.462454][ T262] mmc1: sdhci: ============ SDHCI REGISTER DUMP =========== +[ 5.469065][ T262] mmc1: sdhci: Sys addr: 0x00000000 | Version: 0x00007202 +[ 5.475688][ T262] mmc1: sdhci: Blk size: 0x00000000 | Blk cnt: 0x00000000 +[ 5.482315][ T262] mmc1: sdhci: Argument: 0x00000000 | Trn mode: 0x00000000 +[ 5.488927][ T262] mmc1: sdhci: Present: 0x01f800f0 | Host ctl: 0x00000000 +[ 5.495539][ T262] mmc1: sdhci: Power: 0x00000000 | Blk gap: 0x00000000 +[ 5.502162][ T262] mmc1: sdhci: Wake-up: 0x00000000 | Clock: 0x00000003 +[ 5.508768][ T262] mmc1: sdhci: Timeout: 0x00000000 | Int stat: 0x00000000 +[ 5.515381][ T262] mmc1: sdhci: Int enab: 0x00000000 | Sig enab: 0x00000000 +[ 5.521996][ T262] mmc1: sdhci: ACmd stat: 0x00000000 | Slot int: 0x00000000 +[ 5.528607][ T262] mmc1: sdhci: Caps: 0x362dc8b2 | Caps_1: 0x0000808f +[ 5.535227][ T262] mmc1: sdhci: Cmd: 0x00000000 | Max curr: 0x00000000 +[ 5.541841][ T262] mmc1: sdhci: Resp[0]: 0x00000000 | Resp[1]: 0x00000000 +[ 5.548454][ T262] mmc1: sdhci: Resp[2]: 0x00000000 | Resp[3]: 0x00000000 +[ 5.555079][ T262] mmc1: sdhci: Host ctl2: 0x00000000 +[ 5.559651][ T262] mmc1: sdhci_msm: ----------- VENDOR REGISTER DUMP----------- +[ 5.566621][ T262] mmc1: sdhci_msm: DLL sts: 0x00000000 | DLL cfg: 0x6000642c | DLL cfg2: 0x0020a000 +[ 5.575465][ T262] mmc1: sdhci_msm: DLL cfg3: 0x00000000 | DLL usr ctl: 0x00010800 | DDR cfg: 0x80040873 +[ 5.584658][ T262] mmc1: sdhci_msm: Vndr func: 0x00018a9c | Vndr func2 : 0xf88218a8 Vndr func3: 0x02626040 + +Fixes: 0eb0d9f4de34 ("mmc: sdhci-msm: Initial support for Qualcomm chipsets") +Signed-off-by: Shaik Sajida Bhanu +Acked-by: Adrian Hunter +Reviewed-by: Philipp Zabel +Tested-by: Konrad Dybcio +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/1650816153-23797-1-git-send-email-quic_c_sbhanu@quicinc.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-msm.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 42 insertions(+) + +--- a/drivers/mmc/host/sdhci-msm.c ++++ b/drivers/mmc/host/sdhci-msm.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + + #include "sdhci-pltfm.h" + #include "cqhci.h" +@@ -2228,6 +2229,43 @@ static inline void sdhci_msm_get_of_prop + of_property_read_u32(node, "qcom,dll-config", &msm_host->dll_config); + } + ++static int sdhci_msm_gcc_reset(struct device *dev, struct sdhci_host *host) ++{ ++ struct reset_control *reset; ++ int ret = 0; ++ ++ reset = reset_control_get_optional_exclusive(dev, NULL); ++ if (IS_ERR(reset)) ++ return dev_err_probe(dev, PTR_ERR(reset), ++ "unable to acquire core_reset\n"); ++ ++ if (!reset) ++ return ret; ++ ++ ret = reset_control_assert(reset); ++ if (ret) { ++ reset_control_put(reset); ++ return dev_err_probe(dev, ret, "core_reset assert failed\n"); ++ } ++ ++ /* ++ * The hardware requirement for delay between assert/deassert ++ * is at least 3-4 sleep clock (32.7KHz) cycles, which comes to ++ * ~125us (4/32768). To be on the safe side add 200us delay. ++ */ ++ usleep_range(200, 210); ++ ++ ret = reset_control_deassert(reset); ++ if (ret) { ++ reset_control_put(reset); ++ return dev_err_probe(dev, ret, "core_reset deassert failed\n"); ++ } ++ ++ usleep_range(200, 210); ++ reset_control_put(reset); ++ ++ return ret; ++} + + static int sdhci_msm_probe(struct platform_device *pdev) + { +@@ -2276,6 +2314,10 @@ static int sdhci_msm_probe(struct platfo + + msm_host->saved_tuning_phase = INVALID_TUNING_PHASE; + ++ ret = sdhci_msm_gcc_reset(&pdev->dev, host); ++ if (ret) ++ goto pltfm_free; ++ + /* Setup SDCC bus voter clock. */ + msm_host->bus_clk = devm_clk_get(&pdev->dev, "bus"); + if (!IS_ERR(msm_host->bus_clk)) { diff --git a/queue-5.10/net-stmmac-disable-split-header-sph-for-intel-platforms.patch b/queue-5.10/net-stmmac-disable-split-header-sph-for-intel-platforms.patch new file mode 100644 index 00000000000..ba407d6af5e --- /dev/null +++ b/queue-5.10/net-stmmac-disable-split-header-sph-for-intel-platforms.patch @@ -0,0 +1,65 @@ +From 47f753c1108e287edb3e27fad8a7511a9d55578e Mon Sep 17 00:00:00 2001 +From: Tan Tee Min +Date: Fri, 29 Apr 2022 19:58:07 +0800 +Subject: net: stmmac: disable Split Header (SPH) for Intel platforms + +From: Tan Tee Min + +commit 47f753c1108e287edb3e27fad8a7511a9d55578e upstream. + +Based on DesignWare Ethernet QoS datasheet, we are seeing the limitation +of Split Header (SPH) feature is not supported for Ipv4 fragmented packet. +This SPH limitation will cause ping failure when the packets size exceed +the MTU size. For example, the issue happens once the basic ping packet +size is larger than the configured MTU size and the data is lost inside +the fragmented packet, replaced by zeros/corrupted values, and leads to +ping fail. + +So, disable the Split Header for Intel platforms. + +v2: Add fixes tag in commit message. + +Fixes: 67afd6d1cfdf("net: stmmac: Add Split Header support and enable it in XGMAC cores") +Cc: # 5.10.x +Suggested-by: Ong, Boon Leong +Signed-off-by: Mohammad Athari Bin Ismail +Signed-off-by: Wong Vee Khee +Signed-off-by: Tan Tee Min +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c | 1 + + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- + include/linux/stmmac.h | 1 + + 3 files changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c +@@ -243,6 +243,7 @@ static int intel_mgbe_common_data(struct + plat->has_gmac4 = 1; + plat->force_sf_dma_mode = 0; + plat->tso_en = 1; ++ plat->sph_disable = 1; + + plat->rx_sched_algorithm = MTL_RX_ALGORITHM_SP; + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -5046,7 +5046,7 @@ int stmmac_dvr_probe(struct device *devi + dev_info(priv->device, "TSO feature enabled\n"); + } + +- if (priv->dma_cap.sphen) { ++ if (priv->dma_cap.sphen && !priv->plat->sph_disable) { + ndev->hw_features |= NETIF_F_GRO; + priv->sph = true; + dev_info(priv->device, "SPH feature enabled\n"); +--- a/include/linux/stmmac.h ++++ b/include/linux/stmmac.h +@@ -203,5 +203,6 @@ struct plat_stmmacenet_data { + bool vlan_fail_q_en; + u8 vlan_fail_q; + unsigned int eee_usecs_rate; ++ bool sph_disable; + }; + #endif diff --git a/queue-5.10/revert-sunrpc-attempt-af_local-connect-on-setup.patch b/queue-5.10/revert-sunrpc-attempt-af_local-connect-on-setup.patch new file mode 100644 index 00000000000..476040bd872 --- /dev/null +++ b/queue-5.10/revert-sunrpc-attempt-af_local-connect-on-setup.patch @@ -0,0 +1,36 @@ +From a3d0562d4dc039bca39445e1cddde7951662e17d Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Fri, 29 Apr 2022 12:27:30 -0400 +Subject: Revert "SUNRPC: attempt AF_LOCAL connect on setup" + +From: Trond Myklebust + +commit a3d0562d4dc039bca39445e1cddde7951662e17d upstream. + +This reverts commit 7073ea8799a8cf73db60270986f14e4aae20fa80. + +We must not try to connect the socket while the transport is under +construction, because the mechanisms to safely tear it down are not in +place. As the code stands, we end up leaking the sockets on a connection +error. + +Reported-by: wanghai (M) +Cc: stable@vger.kernel.org +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/xprtsock.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -2826,9 +2826,6 @@ static struct rpc_xprt *xs_setup_local(s + } + xprt_set_bound(xprt); + xs_format_peer_addresses(xprt, "local", RPCBIND_NETID_LOCAL); +- ret = ERR_PTR(xs_local_setup_socket(transport)); +- if (ret) +- goto out_err; + break; + default: + ret = ERR_PTR(-EAFNOSUPPORT); diff --git a/queue-5.10/series b/queue-5.10/series index 56c6b832540..f163d809290 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -3,3 +3,14 @@ revert-parisc-fix-patch-code-locking-and-flushing.patch parisc-merge-model-and-model-name-into-one-line-in-proc-cpuinfo.patch alsa-hda-realtek-add-quirk-for-yoga-duet-7-13itl6-speakers.patch alsa-fireworks-fix-wrong-return-count-shorter-than-expected-by-4-bytes.patch +mmc-sdhci-msm-reset-gcc_sdcc_bcr-register-for-sdhc.patch +mmc-core-set-hs-clock-speed-before-sending-hs-cmd13.patch +gpiolib-of-fix-bounds-check-for-gpio-reserved-ranges.patch +kvm-x86-svm-account-for-family-17h-event-renumberings-in-amd_pmc_perf_hw_id.patch +iommu-vt-d-calculate-mask-for-non-aligned-flushes.patch +drm-amd-display-avoid-reading-audio-pattern-past-audio_channels_count.patch +revert-sunrpc-attempt-af_local-connect-on-setup.patch +firewire-fix-potential-uaf-in-outbound_phy_packet_callback.patch +firewire-remove-check-of-list-iterator-against-head-past-the-loop-body.patch +firewire-core-extend-card-lock-in-fw_core_handle_bus_reset.patch +net-stmmac-disable-split-header-sph-for-intel-platforms.patch -- 2.47.3