From f570b4be861132a0d49e5a54feed90ff5833d355 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 28 Mar 2023 06:06:58 -0400 Subject: [PATCH] Fixes for 5.15 Signed-off-by: Sasha Levin --- ...dd-cezanne-to-the-list-for-forcing-s.patch | 93 ++++++++++ ...he-backlog-for-nested-calls-to-mirre.patch | 139 ++++++++++++++ ...10-fix-mac_len-negative-array-access.patch | 37 ++++ ...check-pipe-plane.state-fb-in-cirrus_.patch | 44 +++++ ...river-not-registering-gpio-irq-chip-.patch | 37 ++++ ...d-ipc-fix-potential-use-after-free-i.patch | 70 +++++++ ...030-bus-error-if-pc-not-in-exception.patch | 75 ++++++++ ...rred-better-wording-on-protection-ag.patch | 89 +++++++++ ...-avoid-altsetting-toggling-for-telit.patch | 39 ++++ ...mi_wwan-add-telit-0x1080-composition.patch | 36 ++++ ...bump-command_line_size-value-to-1024.patch | 46 +++++ ...s-check-devm_add_action-return-value.patch | 38 ++++ ...usage-of-list-iterator-variable-afte.patch | 61 ++++++ ...kzalloc-in-lpfc_sli4_cgn_params_read.patch | 59 ++++++ ...dle-blocksize-change-in-hyper-v-vhd-.patch | 89 +++++++++ ...i-fix-an-error-message-in-iscsi_chec.patch | 55 ++++++ ...d-soft-dependency-on-governor_simple.patch | 36 ++++ ...ore-initialize-devfreq-synchronously.patch | 175 ++++++++++++++++++ ...eck-that-modifier-resolves-after-poi.patch | 63 +++++++ queue-5.15/series | 20 ++ .../sh-sanitize-the-flags-on-sigreturn.patch | 58 ++++++ 21 files changed, 1359 insertions(+) create mode 100644 queue-5.15/acpi-x86-utils-add-cezanne-to-the-list-for-forcing-s.patch create mode 100644 queue-5.15/act_mirred-use-the-backlog-for-nested-calls-to-mirre.patch create mode 100644 queue-5.15/ca8210-fix-mac_len-negative-array-access.patch create mode 100644 queue-5.15/drm-cirrus-null-check-pipe-plane.state-fb-in-cirrus_.patch create mode 100644 queue-5.15/hid-cp2112-fix-driver-not-registering-gpio-irq-chip-.patch create mode 100644 queue-5.15/hid-intel-ish-hid-ipc-fix-potential-use-after-free-i.patch create mode 100644 queue-5.15/m68k-only-force-030-bus-error-if-pc-not-in-exception.patch create mode 100644 queue-5.15/net-sched-act_mirred-better-wording-on-protection-ag.patch create mode 100644 queue-5.15/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch create mode 100644 queue-5.15/net-usb-qmi_wwan-add-telit-0x1080-composition.patch create mode 100644 queue-5.15/riscv-bump-command_line_size-value-to-1024.patch create mode 100644 queue-5.15/scsi-hisi_sas-check-devm_add_action-return-value.patch create mode 100644 queue-5.15/scsi-lpfc-avoid-usage-of-list-iterator-variable-afte.patch create mode 100644 queue-5.15/scsi-lpfc-check-kzalloc-in-lpfc_sli4_cgn_params_read.patch create mode 100644 queue-5.15/scsi-storvsc-handle-blocksize-change-in-hyper-v-vhd-.patch create mode 100644 queue-5.15/scsi-target-iscsi-fix-an-error-message-in-iscsi_chec.patch create mode 100644 queue-5.15/scsi-ufs-core-add-soft-dependency-on-governor_simple.patch create mode 100644 queue-5.15/scsi-ufs-core-initialize-devfreq-synchronously.patch create mode 100644 queue-5.15/selftests-bpf-check-that-modifier-resolves-after-poi.patch create mode 100644 queue-5.15/sh-sanitize-the-flags-on-sigreturn.patch diff --git a/queue-5.15/acpi-x86-utils-add-cezanne-to-the-list-for-forcing-s.patch b/queue-5.15/acpi-x86-utils-add-cezanne-to-the-list-for-forcing-s.patch new file mode 100644 index 00000000000..7e92e3d11a9 --- /dev/null +++ b/queue-5.15/acpi-x86-utils-add-cezanne-to-the-list-for-forcing-s.patch @@ -0,0 +1,93 @@ +From b08b4a33e6309e23bcd1ac2fc8065df57d21338c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Feb 2023 16:11:28 -0600 +Subject: ACPI: x86: utils: Add Cezanne to the list for forcing StorageD3Enable + +From: Mario Limonciello + +[ Upstream commit e2a56364485e7789e7b8f342637c7f3a219f7ede ] + +commit 018d6711c26e4 ("ACPI: x86: Add a quirk for Dell Inspiron 14 2-in-1 +for StorageD3Enable") introduced a quirk to allow a system with ambiguous +use of _ADR 0 to force StorageD3Enable. + +It was reported that several more Dell systems suffered the same symptoms. +As the list is continuing to grow but these are all Cezanne systems, +instead add Cezanne to the CPU list to apply the StorageD3Enable property +and remove the whole list. + +It was also reported that an HP system only has StorageD3Enable on the ACPI +device for the first NVME disk, not the second. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217003 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216773 +Reported-by: David Alvarez Lombardi +Reported-by: dbilios@stdio.gr +Reported-and-tested-by: Elvis Angelaccio +Tested-by: victor.bonnelle@proton.me +Tested-by: hurricanepootis@protonmail.com +Signed-off-by: Mario Limonciello +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/x86/utils.c | 37 +++++++++++++------------------------ + 1 file changed, 13 insertions(+), 24 deletions(-) + +diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c +index 222b951ff56ae..f1dd086d0b87d 100644 +--- a/drivers/acpi/x86/utils.c ++++ b/drivers/acpi/x86/utils.c +@@ -191,37 +191,26 @@ bool acpi_device_override_status(struct acpi_device *adev, unsigned long long *s + * a hardcoded allowlist for D3 support, which was used for these platforms. + * + * This allows quirking on Linux in a similar fashion. ++ * ++ * Cezanne systems shouldn't *normally* need this as the BIOS includes ++ * StorageD3Enable. But for two reasons we have added it. ++ * 1) The BIOS on a number of Dell systems have ambiguity ++ * between the same value used for _ADR on ACPI nodes GPP1.DEV0 and GPP1.NVME. ++ * GPP1.NVME is needed to get StorageD3Enable node set properly. ++ * https://bugzilla.kernel.org/show_bug.cgi?id=216440 ++ * https://bugzilla.kernel.org/show_bug.cgi?id=216773 ++ * https://bugzilla.kernel.org/show_bug.cgi?id=217003 ++ * 2) On at least one HP system StorageD3Enable is missing on the second NVME ++ disk in the system. + */ + static const struct x86_cpu_id storage_d3_cpu_ids[] = { + X86_MATCH_VENDOR_FAM_MODEL(AMD, 23, 96, NULL), /* Renoir */ + X86_MATCH_VENDOR_FAM_MODEL(AMD, 23, 104, NULL), /* Lucienne */ +- {} +-}; +- +-static const struct dmi_system_id force_storage_d3_dmi[] = { +- { +- /* +- * _ADR is ambiguous between GPP1.DEV0 and GPP1.NVME +- * but .NVME is needed to get StorageD3Enable node +- * https://bugzilla.kernel.org/show_bug.cgi?id=216440 +- */ +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 14 7425 2-in-1"), +- } +- }, +- { +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 16 5625"), +- } +- }, ++ X86_MATCH_VENDOR_FAM_MODEL(AMD, 25, 80, NULL), /* Cezanne */ + {} + }; + + bool force_storage_d3(void) + { +- const struct dmi_system_id *dmi_id = dmi_first_match(force_storage_d3_dmi); +- +- return dmi_id || x86_match_cpu(storage_d3_cpu_ids); ++ return x86_match_cpu(storage_d3_cpu_ids); + } +-- +2.39.2 + diff --git a/queue-5.15/act_mirred-use-the-backlog-for-nested-calls-to-mirre.patch b/queue-5.15/act_mirred-use-the-backlog-for-nested-calls-to-mirre.patch new file mode 100644 index 00000000000..acb3e154987 --- /dev/null +++ b/queue-5.15/act_mirred-use-the-backlog-for-nested-calls-to-mirre.patch @@ -0,0 +1,139 @@ +From e89b91d7b28620c5d3b01f8acd94b4b8bbb53004 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 18:01:40 +0100 +Subject: act_mirred: use the backlog for nested calls to mirred ingress + +From: Davide Caratti + +[ Upstream commit ca22da2fbd693b54dc8e3b7b54ccc9f7e9ba3640 ] + +William reports kernel soft-lockups on some OVS topologies when TC mirred +egress->ingress action is hit by local TCP traffic [1]. +The same can also be reproduced with SCTP (thanks Xin for verifying), when +client and server reach themselves through mirred egress to ingress, and +one of the two peers sends a "heartbeat" packet (from within a timer). + +Enqueueing to backlog proved to fix this soft lockup; however, as Cong +noticed [2], we should preserve - when possible - the current mirred +behavior that counts as "overlimits" any eventual packet drop subsequent to +the mirred forwarding action [3]. A compromise solution might use the +backlog only when tcf_mirred_act() has a nest level greater than one: +change tcf_mirred_forward() accordingly. + +Also, add a kselftest that can reproduce the lockup and verifies TC mirred +ability to account for further packet drops after TC mirred egress->ingress +(when the nest level is 1). + + [1] https://lore.kernel.org/netdev/33dc43f587ec1388ba456b4915c75f02a8aae226.1663945716.git.dcaratti@redhat.com/ + [2] https://lore.kernel.org/netdev/Y0w%2FWWY60gqrtGLp@pop-os.localdomain/ + [3] such behavior is not guaranteed: for example, if RPS or skb RX + timestamping is enabled on the mirred target device, the kernel + can defer receiving the skb and return NET_RX_SUCCESS inside + tcf_mirred_forward(). + +Reported-by: William Zhao +CC: Xin Long +Signed-off-by: Davide Caratti +Reviewed-by: Marcelo Ricardo Leitner +Acked-by: Jamal Hadi Salim +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/act_mirred.c | 7 +++ + .../selftests/net/forwarding/tc_actions.sh | 49 ++++++++++++++++++- + 2 files changed, 55 insertions(+), 1 deletion(-) + +diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c +index b28d49495de09..6f39789d9d14b 100644 +--- a/net/sched/act_mirred.c ++++ b/net/sched/act_mirred.c +@@ -204,12 +204,19 @@ static int tcf_mirred_init(struct net *net, struct nlattr *nla, + return err; + } + ++static bool is_mirred_nested(void) ++{ ++ return unlikely(__this_cpu_read(mirred_nest_level) > 1); ++} ++ + static int tcf_mirred_forward(bool want_ingress, struct sk_buff *skb) + { + int err; + + if (!want_ingress) + err = tcf_dev_queue_xmit(skb, dev_queue_xmit); ++ else if (is_mirred_nested()) ++ err = netif_rx(skb); + else + err = netif_receive_skb(skb); + +diff --git a/tools/testing/selftests/net/forwarding/tc_actions.sh b/tools/testing/selftests/net/forwarding/tc_actions.sh +index d9eca227136bb..22a1e4c9553a3 100755 +--- a/tools/testing/selftests/net/forwarding/tc_actions.sh ++++ b/tools/testing/selftests/net/forwarding/tc_actions.sh +@@ -3,7 +3,7 @@ + + ALL_TESTS="gact_drop_and_ok_test mirred_egress_redirect_test \ + mirred_egress_mirror_test matchall_mirred_egress_mirror_test \ +- gact_trap_test" ++ gact_trap_test mirred_egress_to_ingress_tcp_test" + NUM_NETIFS=4 + source tc_common.sh + source lib.sh +@@ -153,6 +153,53 @@ gact_trap_test() + log_test "trap ($tcflags)" + } + ++mirred_egress_to_ingress_tcp_test() ++{ ++ local tmpfile=$(mktemp) tmpfile1=$(mktemp) ++ ++ RET=0 ++ dd conv=sparse status=none if=/dev/zero bs=1M count=2 of=$tmpfile ++ tc filter add dev $h1 protocol ip pref 100 handle 100 egress flower \ ++ $tcflags ip_proto tcp src_ip 192.0.2.1 dst_ip 192.0.2.2 \ ++ action ct commit nat src addr 192.0.2.2 pipe \ ++ action ct clear pipe \ ++ action ct commit nat dst addr 192.0.2.1 pipe \ ++ action ct clear pipe \ ++ action skbedit ptype host pipe \ ++ action mirred ingress redirect dev $h1 ++ tc filter add dev $h1 protocol ip pref 101 handle 101 egress flower \ ++ $tcflags ip_proto icmp \ ++ action mirred ingress redirect dev $h1 ++ tc filter add dev $h1 protocol ip pref 102 handle 102 ingress flower \ ++ ip_proto icmp \ ++ action drop ++ ++ ip vrf exec v$h1 nc --recv-only -w10 -l -p 12345 -o $tmpfile1 & ++ local rpid=$! ++ ip vrf exec v$h1 nc -w1 --send-only 192.0.2.2 12345 <$tmpfile ++ wait -n $rpid ++ cmp -s $tmpfile $tmpfile1 ++ check_err $? "server output check failed" ++ ++ $MZ $h1 -c 10 -p 64 -a $h1mac -b $h1mac -A 192.0.2.1 -B 192.0.2.1 \ ++ -t icmp "ping,id=42,seq=5" -q ++ tc_check_packets "dev $h1 egress" 101 10 ++ check_err $? "didn't mirred redirect ICMP" ++ tc_check_packets "dev $h1 ingress" 102 10 ++ check_err $? "didn't drop mirred ICMP" ++ local overlimits=$(tc_rule_stats_get ${h1} 101 egress .overlimits) ++ test ${overlimits} = 10 ++ check_err $? "wrong overlimits, expected 10 got ${overlimits}" ++ ++ tc filter del dev $h1 egress protocol ip pref 100 handle 100 flower ++ tc filter del dev $h1 egress protocol ip pref 101 handle 101 flower ++ tc filter del dev $h1 ingress protocol ip pref 102 handle 102 flower ++ ++ rm -f $tmpfile $tmpfile1 ++ log_test "mirred_egress_to_ingress_tcp ($tcflags)" ++} ++ ++>>>>>>> e921d05033293 (act_mirred: use the backlog for nested calls to mirred ingress) + setup_prepare() + { + h1=${NETIFS[p1]} +-- +2.39.2 + diff --git a/queue-5.15/ca8210-fix-mac_len-negative-array-access.patch b/queue-5.15/ca8210-fix-mac_len-negative-array-access.patch new file mode 100644 index 00000000000..a3696a4c334 --- /dev/null +++ b/queue-5.15/ca8210-fix-mac_len-negative-array-access.patch @@ -0,0 +1,37 @@ +From 141ee3b03517b66735866b49de89f9b2ad98a36f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 23:25:04 -0500 +Subject: ca8210: fix mac_len negative array access + +From: Alexander Aring + +[ Upstream commit 6c993779ea1d0cccdb3a5d7d45446dd229e610a3 ] + +This patch fixes a buffer overflow access of skb->data if +ieee802154_hdr_peek_addrs() fails. + +Reported-by: lianhui tang +Signed-off-by: Alexander Aring +Link: https://lore.kernel.org/r/20230217042504.3303396-1-aahringo@redhat.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/ca8210.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c +index 0362917fce7a9..e2322bc3a4e9a 100644 +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -1956,6 +1956,8 @@ static int ca8210_skb_tx( + * packet + */ + mac_len = ieee802154_hdr_peek_addrs(skb, &header); ++ if (mac_len < 0) ++ return mac_len; + + secspec.security_level = header.sec.level; + secspec.key_id_mode = header.sec.key_id_mode; +-- +2.39.2 + diff --git a/queue-5.15/drm-cirrus-null-check-pipe-plane.state-fb-in-cirrus_.patch b/queue-5.15/drm-cirrus-null-check-pipe-plane.state-fb-in-cirrus_.patch new file mode 100644 index 00000000000..f80f6282d3d --- /dev/null +++ b/queue-5.15/drm-cirrus-null-check-pipe-plane.state-fb-in-cirrus_.patch @@ -0,0 +1,44 @@ +From b2c6125609d61ad5672650df492ce984bfa3a6c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Feb 2023 20:15:49 +0300 +Subject: drm/cirrus: NULL-check pipe->plane.state->fb in cirrus_pipe_update() + +From: Alexandr Sapozhnikov + +[ Upstream commit 7245e629dcaaf308f1868aeffa218e9849c77893 ] + +After having been compared to NULL value at cirrus.c:455, pointer +'pipe->plane.state->fb' is passed as 1st parameter in call to function +'cirrus_fb_blit_rect' at cirrus.c:461, where it is dereferenced at +cirrus.c:316. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +v2: + * aligned commit message to line-length limits + +Signed-off-by: Alexandr Sapozhnikov +Reviewed-by: Thomas Zimmermann +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230215171549.16305-1-alsp705@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tiny/cirrus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tiny/cirrus.c b/drivers/gpu/drm/tiny/cirrus.c +index 4611ec408506b..2a81311b22172 100644 +--- a/drivers/gpu/drm/tiny/cirrus.c ++++ b/drivers/gpu/drm/tiny/cirrus.c +@@ -450,7 +450,7 @@ static void cirrus_pipe_update(struct drm_simple_display_pipe *pipe, + if (state->fb && cirrus->cpp != cirrus_cpp(state->fb)) + cirrus_mode_set(cirrus, &crtc->mode, state->fb); + +- if (drm_atomic_helper_damage_merged(old_state, state, &rect)) ++ if (state->fb && drm_atomic_helper_damage_merged(old_state, state, &rect)) + cirrus_fb_blit_rect(state->fb, &shadow_plane_state->data[0], &rect); + } + +-- +2.39.2 + diff --git a/queue-5.15/hid-cp2112-fix-driver-not-registering-gpio-irq-chip-.patch b/queue-5.15/hid-cp2112-fix-driver-not-registering-gpio-irq-chip-.patch new file mode 100644 index 00000000000..26c4c3e38d8 --- /dev/null +++ b/queue-5.15/hid-cp2112-fix-driver-not-registering-gpio-irq-chip-.patch @@ -0,0 +1,37 @@ +From 8a62cb8329a685689db0326d57e6a5987b3ce70b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Feb 2023 11:00:44 -0600 +Subject: HID: cp2112: Fix driver not registering GPIO IRQ chip as threaded + +From: Danny Kaehn + +[ Upstream commit 37f5b858a66543b2b67c0288280af623985abc29 ] + +The CP2112 generates interrupts from a polling routine on a thread, +and can only support threaded interrupts. This patch configures the +gpiochip irq chip with this flag, disallowing consumers to request +a hard IRQ from this driver, which resulted in a segfault previously. + +Signed-off-by: Danny Kaehn +Link: https://lore.kernel.org/r/20230210170044.11835-1-kaehndan@gmail.com +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-cp2112.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c +index 172f20e88c6c9..d902fe43cb818 100644 +--- a/drivers/hid/hid-cp2112.c ++++ b/drivers/hid/hid-cp2112.c +@@ -1352,6 +1352,7 @@ static int cp2112_probe(struct hid_device *hdev, const struct hid_device_id *id) + girq->parents = NULL; + girq->default_type = IRQ_TYPE_NONE; + girq->handler = handle_simple_irq; ++ girq->threaded = true; + + ret = gpiochip_add_data(&dev->gc, dev); + if (ret < 0) { +-- +2.39.2 + diff --git a/queue-5.15/hid-intel-ish-hid-ipc-fix-potential-use-after-free-i.patch b/queue-5.15/hid-intel-ish-hid-ipc-fix-potential-use-after-free-i.patch new file mode 100644 index 00000000000..ff869923faf --- /dev/null +++ b/queue-5.15/hid-intel-ish-hid-ipc-fix-potential-use-after-free-i.patch @@ -0,0 +1,70 @@ +From 241b3355d1736c5edc3147ce20cb8901e4609a77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 13:49:38 +1100 +Subject: HID: intel-ish-hid: ipc: Fix potential use-after-free in work + function + +From: Reka Norman + +[ Upstream commit 8ae2f2b0a28416ed2f6d8478ac8b9f7862f36785 ] + +When a reset notify IPC message is received, the ISR schedules a work +function and passes the ISHTP device to it via a global pointer +ishtp_dev. If ish_probe() fails, the devm-managed device resources +including ishtp_dev are freed, but the work is not cancelled, causing a +use-after-free when the work function tries to access ishtp_dev. Use +devm_work_autocancel() instead, so that the work is automatically +cancelled if probe fails. + +Signed-off-by: Reka Norman +Acked-by: Srinivas Pandruvada +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ipc/ipc.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/intel-ish-hid/ipc/ipc.c b/drivers/hid/intel-ish-hid/ipc/ipc.c +index 45e0c7b1c9ec6..6c942dd1abca2 100644 +--- a/drivers/hid/intel-ish-hid/ipc/ipc.c ++++ b/drivers/hid/intel-ish-hid/ipc/ipc.c +@@ -5,6 +5,7 @@ + * Copyright (c) 2014-2016, Intel Corporation. + */ + ++#include + #include + #include + #include +@@ -621,7 +622,6 @@ static void recv_ipc(struct ishtp_device *dev, uint32_t doorbell_val) + case MNG_RESET_NOTIFY: + if (!ishtp_dev) { + ishtp_dev = dev; +- INIT_WORK(&fw_reset_work, fw_reset_work_fn); + } + schedule_work(&fw_reset_work); + break; +@@ -936,6 +936,7 @@ struct ishtp_device *ish_dev_init(struct pci_dev *pdev) + { + struct ishtp_device *dev; + int i; ++ int ret; + + dev = devm_kzalloc(&pdev->dev, + sizeof(struct ishtp_device) + sizeof(struct ish_hw), +@@ -971,6 +972,12 @@ struct ishtp_device *ish_dev_init(struct pci_dev *pdev) + list_add_tail(&tx_buf->link, &dev->wr_free_list); + } + ++ ret = devm_work_autocancel(&pdev->dev, &fw_reset_work, fw_reset_work_fn); ++ if (ret) { ++ dev_err(dev->devc, "Failed to initialise FW reset work\n"); ++ return NULL; ++ } ++ + dev->ops = &ish_hw_ops; + dev->devc = &pdev->dev; + dev->mtu = IPC_PAYLOAD_SIZE - sizeof(struct ishtp_msg_hdr); +-- +2.39.2 + diff --git a/queue-5.15/m68k-only-force-030-bus-error-if-pc-not-in-exception.patch b/queue-5.15/m68k-only-force-030-bus-error-if-pc-not-in-exception.patch new file mode 100644 index 00000000000..8a38d9e7019 --- /dev/null +++ b/queue-5.15/m68k-only-force-030-bus-error-if-pc-not-in-exception.patch @@ -0,0 +1,75 @@ +From a18a7be6cae85cc2bd74d46edf1a7ac434428f01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Mar 2023 15:11:07 +1300 +Subject: m68k: Only force 030 bus error if PC not in exception table + +From: Michael Schmitz + +[ Upstream commit e36a82bebbf7da814530d5a179bef9df5934b717 ] + +__get_kernel_nofault() does copy data in supervisor mode when +forcing a task backtrace log through /proc/sysrq_trigger. +This is expected cause a bus error exception on e.g. NULL +pointer dereferencing when logging a kernel task has no +workqueue associated. This bus error ought to be ignored. + +Our 030 bus error handler is ill equipped to deal with this: + +Whenever ssw indicates a kernel mode access on a data fault, +we don't even attempt to handle the fault and instead always +send a SEGV signal (or panic). As a result, the check +for exception handling at the fault PC (buried in +send_sig_fault() which gets called from do_page_fault() +eventually) is never used. + +In contrast, both 040 and 060 access error handlers do not +care whether a fault happened on supervisor mode access, +and will call do_page_fault() on those, ultimately honoring +the exception table. + +Add a check in bus_error030 to call do_page_fault() in case +we do have an entry for the fault PC in our exception table. + +I had attempted a fix for this earlier in 2019 that did rely +on testing pagefault_disabled() (see link below) to achieve +the same thing, but this patch should be more generic. + +Tested on 030 Atari Falcon. + +Reported-by: Eero Tamminen +Link: https://lore.kernel.org/r/alpine.LNX.2.21.1904091023540.25@nippy.intranet +Link: https://lore.kernel.org/r/63130691-1984-c423-c1f2-73bfd8d3dcd3@gmail.com +Signed-off-by: Michael Schmitz +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230301021107.26307-1-schmitzmic@gmail.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/kernel/traps.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/m68k/kernel/traps.c b/arch/m68k/kernel/traps.c +index 59fc63feb0dcc..6f647742a6ca9 100644 +--- a/arch/m68k/kernel/traps.c ++++ b/arch/m68k/kernel/traps.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -544,7 +545,8 @@ static inline void bus_error030 (struct frame *fp) + errorcode |= 2; + + if (mmusr & (MMU_I | MMU_WP)) { +- if (ssw & 4) { ++ /* We might have an exception table for this PC */ ++ if (ssw & 4 && !search_exception_tables(fp->ptregs.pc)) { + pr_err("Data %s fault at %#010lx in %s (pc=%#lx)\n", + ssw & RW ? "read" : "write", + fp->un.fmtb.daddr, +-- +2.39.2 + diff --git a/queue-5.15/net-sched-act_mirred-better-wording-on-protection-ag.patch b/queue-5.15/net-sched-act_mirred-better-wording-on-protection-ag.patch new file mode 100644 index 00000000000..9564b2806a2 --- /dev/null +++ b/queue-5.15/net-sched-act_mirred-better-wording-on-protection-ag.patch @@ -0,0 +1,89 @@ +From 07e80923eecb11538851e4f5c1d851d78f0b5616 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 18:01:39 +0100 +Subject: net/sched: act_mirred: better wording on protection against excessive + stack growth + +From: Davide Caratti + +[ Upstream commit 78dcdffe0418ac8f3f057f26fe71ccf4d8ed851f ] + +with commit e2ca070f89ec ("net: sched: protect against stack overflow in +TC act_mirred"), act_mirred protected itself against excessive stack growth +using per_cpu counter of nested calls to tcf_mirred_act(), and capping it +to MIRRED_RECURSION_LIMIT. However, such protection does not detect +recursion/loops in case the packet is enqueued to the backlog (for example, +when the mirred target device has RPS or skb timestamping enabled). Change +the wording from "recursion" to "nesting" to make it more clear to readers. + +CC: Jamal Hadi Salim +Signed-off-by: Davide Caratti +Reviewed-by: Marcelo Ricardo Leitner +Acked-by: Jamal Hadi Salim +Signed-off-by: Paolo Abeni +Stable-dep-of: ca22da2fbd69 ("act_mirred: use the backlog for nested calls to mirred ingress") +Signed-off-by: Sasha Levin +--- + net/sched/act_mirred.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c +index efc963ab995a3..b28d49495de09 100644 +--- a/net/sched/act_mirred.c ++++ b/net/sched/act_mirred.c +@@ -28,8 +28,8 @@ + static LIST_HEAD(mirred_list); + static DEFINE_SPINLOCK(mirred_list_lock); + +-#define MIRRED_RECURSION_LIMIT 4 +-static DEFINE_PER_CPU(unsigned int, mirred_rec_level); ++#define MIRRED_NEST_LIMIT 4 ++static DEFINE_PER_CPU(unsigned int, mirred_nest_level); + + static bool tcf_mirred_is_act_redirect(int action) + { +@@ -223,7 +223,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, + struct sk_buff *skb2 = skb; + bool m_mac_header_xmit; + struct net_device *dev; +- unsigned int rec_level; ++ unsigned int nest_level; + int retval, err = 0; + bool use_reinsert; + bool want_ingress; +@@ -234,11 +234,11 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, + int mac_len; + bool at_nh; + +- rec_level = __this_cpu_inc_return(mirred_rec_level); +- if (unlikely(rec_level > MIRRED_RECURSION_LIMIT)) { ++ nest_level = __this_cpu_inc_return(mirred_nest_level); ++ if (unlikely(nest_level > MIRRED_NEST_LIMIT)) { + net_warn_ratelimited("Packet exceeded mirred recursion limit on dev %s\n", + netdev_name(skb->dev)); +- __this_cpu_dec(mirred_rec_level); ++ __this_cpu_dec(mirred_nest_level); + return TC_ACT_SHOT; + } + +@@ -308,7 +308,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, + err = tcf_mirred_forward(res->ingress, skb); + if (err) + tcf_action_inc_overlimit_qstats(&m->common); +- __this_cpu_dec(mirred_rec_level); ++ __this_cpu_dec(mirred_nest_level); + return TC_ACT_CONSUMED; + } + } +@@ -320,7 +320,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, + if (tcf_mirred_is_act_redirect(m_eaction)) + retval = TC_ACT_SHOT; + } +- __this_cpu_dec(mirred_rec_level); ++ __this_cpu_dec(mirred_nest_level); + + return retval; + } +-- +2.39.2 + diff --git a/queue-5.15/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch b/queue-5.15/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch new file mode 100644 index 00000000000..29e1cb50e6b --- /dev/null +++ b/queue-5.15/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch @@ -0,0 +1,39 @@ +From 35682e838ab058aeb979f47d2bd7834f929bb1ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 12:59:33 +0100 +Subject: net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990 + +From: Enrico Sau + +[ Upstream commit 418383e6ed6b4624a54ec05c535f13d184fbf33b ] + +Add quirk CDC_MBIM_FLAG_AVOID_ALTSETTING_TOGGLE for Telit FE990 +0x1081 composition in order to avoid bind error. + +Signed-off-by: Enrico Sau +Link: https://lore.kernel.org/r/20230306115933.198259-1-enrico.sau@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_mbim.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/usb/cdc_mbim.c b/drivers/net/usb/cdc_mbim.c +index c0b8b4aa78f37..a3ccf0cee093c 100644 +--- a/drivers/net/usb/cdc_mbim.c ++++ b/drivers/net/usb/cdc_mbim.c +@@ -664,6 +664,11 @@ static const struct usb_device_id mbim_devs[] = { + .driver_info = (unsigned long)&cdc_mbim_info_avoid_altsetting_toggle, + }, + ++ /* Telit FE990 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x1bc7, 0x1081, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), ++ .driver_info = (unsigned long)&cdc_mbim_info_avoid_altsetting_toggle, ++ }, ++ + /* default entry */ + { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), + .driver_info = (unsigned long)&cdc_mbim_info_zlp, +-- +2.39.2 + diff --git a/queue-5.15/net-usb-qmi_wwan-add-telit-0x1080-composition.patch b/queue-5.15/net-usb-qmi_wwan-add-telit-0x1080-composition.patch new file mode 100644 index 00000000000..ec03a5bd589 --- /dev/null +++ b/queue-5.15/net-usb-qmi_wwan-add-telit-0x1080-composition.patch @@ -0,0 +1,36 @@ +From 823c644f2a867103cf3b897c9204b9daf6e0d3a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 13:05:28 +0100 +Subject: net: usb: qmi_wwan: add Telit 0x1080 composition + +From: Enrico Sau + +[ Upstream commit 382e363d5bed0cec5807b35761d14e55955eee63 ] + +Add the following Telit FE990 composition: + +0x1080: tty, adb, rmnet, tty, tty, tty, tty + +Signed-off-by: Enrico Sau +Link: https://lore.kernel.org/r/20230306120528.198842-1-enrico.sau@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 7b358b896a6d7..8646c4d90361c 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1358,6 +1358,7 @@ static const struct usb_device_id products[] = { + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1050, 2)}, /* Telit FN980 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1060, 2)}, /* Telit LN920 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1070, 2)}, /* Telit FN990 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1080, 2)}, /* Telit FE990 */ + {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */ + {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ +-- +2.39.2 + diff --git a/queue-5.15/riscv-bump-command_line_size-value-to-1024.patch b/queue-5.15/riscv-bump-command_line_size-value-to-1024.patch new file mode 100644 index 00000000000..97f3d0c0884 --- /dev/null +++ b/queue-5.15/riscv-bump-command_line_size-value-to-1024.patch @@ -0,0 +1,46 @@ +From bd77fb7baf9678e3258eae6bcf92e3ba99fb08c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Mar 2021 15:34:20 -0400 +Subject: riscv: Bump COMMAND_LINE_SIZE value to 1024 + +From: Alexandre Ghiti + +[ Upstream commit 61fc1ee8be26bc192d691932b0a67eabee45d12f ] + +Increase COMMAND_LINE_SIZE as the current default value is too low +for syzbot kernel command line. + +There has been considerable discussion on this patch that has led to a +larger patch set removing COMMAND_LINE_SIZE from the uapi headers on all +ports. That's not quite done yet, but it's gotten far enough we're +confident this is not a uABI change so this is safe. + +Reported-by: Dmitry Vyukov +Signed-off-by: Alexandre Ghiti +Link: https://lore.kernel.org/r/20210316193420.904-1-alex@ghiti.fr +[Palmer: it's not uabi] +Link: https://lore.kernel.org/linux-riscv/874b8076-b0d1-4aaa-bcd8-05d523060152@app.fastmail.com/#t +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/include/uapi/asm/setup.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + create mode 100644 arch/riscv/include/uapi/asm/setup.h + +diff --git a/arch/riscv/include/uapi/asm/setup.h b/arch/riscv/include/uapi/asm/setup.h +new file mode 100644 +index 0000000000000..66b13a5228808 +--- /dev/null ++++ b/arch/riscv/include/uapi/asm/setup.h +@@ -0,0 +1,8 @@ ++/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */ ++ ++#ifndef _UAPI_ASM_RISCV_SETUP_H ++#define _UAPI_ASM_RISCV_SETUP_H ++ ++#define COMMAND_LINE_SIZE 1024 ++ ++#endif /* _UAPI_ASM_RISCV_SETUP_H */ +-- +2.39.2 + diff --git a/queue-5.15/scsi-hisi_sas-check-devm_add_action-return-value.patch b/queue-5.15/scsi-hisi_sas-check-devm_add_action-return-value.patch new file mode 100644 index 00000000000..0dba66dd61b --- /dev/null +++ b/queue-5.15/scsi-hisi_sas-check-devm_add_action-return-value.patch @@ -0,0 +1,38 @@ +From 955ac45b84df532ccc0ba2efe557da217c919f3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 11:10:30 +0800 +Subject: scsi: hisi_sas: Check devm_add_action() return value + +From: Kang Chen + +[ Upstream commit 06d1a90de60208054cca15ef200138cfdbb642a9 ] + +In case devm_add_action() fails, check it in the caller of +interrupt_preinit_v3_hw(). + +Link: https://lore.kernel.org/r/20230227031030.893324-1-void0red@gmail.com +Signed-off-by: Kang Chen +Acked-by: Xiang Chen +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +index fa22cb712be5a..9515ab66a7789 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +@@ -2424,8 +2424,7 @@ static int interrupt_preinit_v3_hw(struct hisi_hba *hisi_hba) + hisi_hba->cq_nvecs = vectors - BASE_VECTORS_V3_HW; + shost->nr_hw_queues = hisi_hba->cq_nvecs; + +- devm_add_action(&pdev->dev, hisi_sas_v3_free_vectors, pdev); +- return 0; ++ return devm_add_action(&pdev->dev, hisi_sas_v3_free_vectors, pdev); + } + + static int interrupt_init_v3_hw(struct hisi_hba *hisi_hba) +-- +2.39.2 + diff --git a/queue-5.15/scsi-lpfc-avoid-usage-of-list-iterator-variable-afte.patch b/queue-5.15/scsi-lpfc-avoid-usage-of-list-iterator-variable-afte.patch new file mode 100644 index 00000000000..7ac9b3ecdbf --- /dev/null +++ b/queue-5.15/scsi-lpfc-avoid-usage-of-list-iterator-variable-afte.patch @@ -0,0 +1,61 @@ +From e882ed9564d926a1f5277d658289231202eff4eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Mar 2023 18:19:14 +0100 +Subject: scsi: lpfc: Avoid usage of list iterator variable after loop + +From: Jakob Koschel + +[ Upstream commit 2850b23e9f9ae3696e472d2883ea1b43aafa884e ] + +If the &epd_pool->list is empty when executing +lpfc_get_io_buf_from_expedite_pool() the function would return an invalid +pointer. Even in the case if the list is guaranteed to be populated, the +iterator variable should not be used after the loop to be more robust for +future changes. + +Linus proposed to avoid any use of the list iterator variable after the +loop, in the attempt to move the list iterator variable declaration into +the macro to avoid any potential misuse after the loop [1]. + +Link: https://lore.kernel.org/all/CAHk-=wgRr_D8CB-D9Kg-c=EHreAsk5SqXPwr9Y7k9sA6cWXJ6w@mail.gmail.com/ [1] +Signed-off-by: Jakob Koschel +Link: https://lore.kernel.org/r/20230301-scsi-lpfc-avoid-list-iterator-after-loop-v1-1-325578ae7561@gmail.com +Reviewed-by: Justin Tee +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_sli.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 1f1d346adc038..30bc72324f068 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -22166,20 +22166,20 @@ lpfc_get_io_buf_from_private_pool(struct lpfc_hba *phba, + static struct lpfc_io_buf * + lpfc_get_io_buf_from_expedite_pool(struct lpfc_hba *phba) + { +- struct lpfc_io_buf *lpfc_ncmd; ++ struct lpfc_io_buf *lpfc_ncmd = NULL, *iter; + struct lpfc_io_buf *lpfc_ncmd_next; + unsigned long iflag; + struct lpfc_epd_pool *epd_pool; + + epd_pool = &phba->epd_pool; +- lpfc_ncmd = NULL; + + spin_lock_irqsave(&epd_pool->lock, iflag); + if (epd_pool->count > 0) { +- list_for_each_entry_safe(lpfc_ncmd, lpfc_ncmd_next, ++ list_for_each_entry_safe(iter, lpfc_ncmd_next, + &epd_pool->list, list) { +- list_del(&lpfc_ncmd->list); ++ list_del(&iter->list); + epd_pool->count--; ++ lpfc_ncmd = iter; + break; + } + } +-- +2.39.2 + diff --git a/queue-5.15/scsi-lpfc-check-kzalloc-in-lpfc_sli4_cgn_params_read.patch b/queue-5.15/scsi-lpfc-check-kzalloc-in-lpfc_sli4_cgn_params_read.patch new file mode 100644 index 00000000000..642c76e7924 --- /dev/null +++ b/queue-5.15/scsi-lpfc-check-kzalloc-in-lpfc_sli4_cgn_params_read.patch @@ -0,0 +1,59 @@ +From d1a622265c4f23853d4abf9281947aabebdce969 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 20:43:36 -0800 +Subject: scsi: lpfc: Check kzalloc() in lpfc_sli4_cgn_params_read() + +From: Justin Tee + +[ Upstream commit 312320b0e0ec21249a17645683fe5304d796aec1 ] + +If kzalloc() fails in lpfc_sli4_cgn_params_read(), then we rely on +lpfc_read_object()'s routine to NULL check pdata. + +Currently, an early return error is thrown from lpfc_read_object() to +protect us from NULL ptr dereference, but the errno code is -ENODEV. + +Change the errno code to a more appropriate -ENOMEM. + +Reported-by: Kang Chen +Link: https://lore.kernel.org/all/20230226102338.3362585-1-void0red@gmail.com +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20230228044336.5195-1-justintee8345@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_init.c | 2 ++ + drivers/scsi/lpfc/lpfc_sli.c | 4 ---- + 2 files changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index 855817f6fe671..f79299f6178cd 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -7056,6 +7056,8 @@ lpfc_sli4_cgn_params_read(struct lpfc_hba *phba) + /* Find out if the FW has a new set of congestion parameters. */ + len = sizeof(struct lpfc_cgn_param); + pdata = kzalloc(len, GFP_KERNEL); ++ if (!pdata) ++ return -ENOMEM; + ret = lpfc_read_object(phba, (char *)LPFC_PORT_CFG_NAME, + pdata, len); + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 7d333167047f5..1f1d346adc038 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -22376,10 +22376,6 @@ lpfc_read_object(struct lpfc_hba *phba, char *rdobject, uint32_t *datap, + struct lpfc_dmabuf *pcmd; + u32 rd_object_name[LPFC_MBX_OBJECT_NAME_LEN_DW] = {0}; + +- /* sanity check on queue memory */ +- if (!datap) +- return -ENODEV; +- + mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); + if (!mbox) + return -ENOMEM; +-- +2.39.2 + diff --git a/queue-5.15/scsi-storvsc-handle-blocksize-change-in-hyper-v-vhd-.patch b/queue-5.15/scsi-storvsc-handle-blocksize-change-in-hyper-v-vhd-.patch new file mode 100644 index 00000000000..c92ffdb85a1 --- /dev/null +++ b/queue-5.15/scsi-storvsc-handle-blocksize-change-in-hyper-v-vhd-.patch @@ -0,0 +1,89 @@ +From 7beaeaa932c6ea1e4abea96b42c389a941b97ab8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 08:48:34 -0800 +Subject: scsi: storvsc: Handle BlockSize change in Hyper-V VHD/VHDX file + +From: Michael Kelley + +[ Upstream commit 11d9874c4204a785f43d899a1ab12f9dc8d9de3e ] + +Hyper-V uses a VHD or VHDX file on the host as the underlying storage for a +virtual disk. The VHD/VHDX file format is a sparse format where real disk +space on the host is assigned in chunks that the VHD/VHDX file format calls +the BlockSize. This BlockSize is not to be confused with the 512-byte (or +4096-byte) sector size of the underlying storage device. The default block +size for a new VHD/VHDX file is 32 Mbytes. When a guest VM touches any +disk space within a 32 Mbyte chunk of the VHD/VHDX file, Hyper-V allocates +32 Mbytes of real disk space for that section of the VHD/VHDX. Similarly, +if a discard operation is done that covers an entire 32 Mbyte chunk, +Hyper-V will free the real disk space for that portion of the VHD/VHDX. +This BlockSize is surfaced in Linux as the "discard_granularity" in +/sys/block/sd/queue, which makes sense. + +Hyper-V also has differencing disks that can overlay a VHD/VHDX file to +capture changes to the VHD/VHDX while preserving the original VHD/VHDX. +One example of this differencing functionality is for VM snapshots. When a +snapshot is created, a differencing disk is created. If the snapshot is +rolled back, Hyper-V can just delete the differencing disk, and the VM will +see the original disk contents at the time the snapshot was taken. +Differencing disks are used in other scenarios as well. + +The BlockSize for a differencing disk defaults to 2 Mbytes, not 32 Mbytes. +The smaller default is used because changes to differencing disks are +typically scattered all over, and Hyper-V doesn't want to allocate 32 +Mbytes of real disk space for a stray write here or there. The smaller +BlockSize provides more efficient use of real disk space. + +When a differencing disk is added to a VHD/VHDX, Hyper-V reports +UNIT_ATTENTION with a sense code indicating "Operating parameters have +changed", because the value of discard_granularity should be changed to 2 +Mbytes. When the differencing disk is removed, discard_granularity should +be changed back to 32 Mbytes. However, current code simply reports a +message from scsi_report_sense() and the value of +/sys/block/sd/queue/discard_granularity is not updated. The message +isn't very actionable by a sysadmin. + +Fix this by having the storvsc driver check for the sense code indicating +that the underly VHD/VHDX block size has changed, and do a rescan of the +device to pick up the new discard_granularity. With this change the entire +transition to/from differencing disks is handled automatically and +transparently, with no confusing messages being output. + +Link: https://lore.kernel.org/r/1677516514-86060-1-git-send-email-mikelley@microsoft.com +Signed-off-by: Michael Kelley +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/storvsc_drv.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c +index 6110dfd903f74..83a3d9f085d84 100644 +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -1050,6 +1050,22 @@ static void storvsc_handle_error(struct vmscsi_request *vm_srb, + goto do_work; + } + ++ /* ++ * Check for "Operating parameters have changed" ++ * due to Hyper-V changing the VHD/VHDX BlockSize ++ * when adding/removing a differencing disk. This ++ * causes discard_granularity to change, so do a ++ * rescan to pick up the new granularity. We don't ++ * want scsi_report_sense() to output a message ++ * that a sysadmin wouldn't know what to do with. ++ */ ++ if ((asc == 0x3f) && (ascq != 0x03) && ++ (ascq != 0x0e)) { ++ process_err_fn = storvsc_device_scan; ++ set_host_byte(scmnd, DID_REQUEUE); ++ goto do_work; ++ } ++ + /* + * Otherwise, let upper layer deal with the + * error when sense message is present +-- +2.39.2 + diff --git a/queue-5.15/scsi-target-iscsi-fix-an-error-message-in-iscsi_chec.patch b/queue-5.15/scsi-target-iscsi-fix-an-error-message-in-iscsi_chec.patch new file mode 100644 index 00000000000..58d4399a1fa --- /dev/null +++ b/queue-5.15/scsi-target-iscsi-fix-an-error-message-in-iscsi_chec.patch @@ -0,0 +1,55 @@ +From eebe4fce913a756d0e9765780705f41eb1a3c01c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Feb 2023 15:15:56 +0100 +Subject: scsi: target: iscsi: Fix an error message in iscsi_check_key() + +From: Maurizio Lombardi + +[ Upstream commit 6cc55c969b7ce8d85e09a636693d4126c3676c11 ] + +The first half of the error message is printed by pr_err(), the second half +is printed by pr_debug(). The user will therefore see only the first part +of the message and will miss some useful information. + +Link: https://lore.kernel.org/r/20230214141556.762047-1-mlombard@redhat.com +Signed-off-by: Maurizio Lombardi +Reviewed-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_parameters.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c +index 6bc3aaf655fc4..62004e3fe1ccc 100644 +--- a/drivers/target/iscsi/iscsi_target_parameters.c ++++ b/drivers/target/iscsi/iscsi_target_parameters.c +@@ -1262,18 +1262,20 @@ static struct iscsi_param *iscsi_check_key( + return param; + + if (!(param->phase & phase)) { +- pr_err("Key \"%s\" may not be negotiated during ", +- param->name); ++ char *phase_name; ++ + switch (phase) { + case PHASE_SECURITY: +- pr_debug("Security phase.\n"); ++ phase_name = "Security"; + break; + case PHASE_OPERATIONAL: +- pr_debug("Operational phase.\n"); ++ phase_name = "Operational"; + break; + default: +- pr_debug("Unknown phase.\n"); ++ phase_name = "Unknown"; + } ++ pr_err("Key \"%s\" may not be negotiated during %s phase.\n", ++ param->name, phase_name); + return NULL; + } + +-- +2.39.2 + diff --git a/queue-5.15/scsi-ufs-core-add-soft-dependency-on-governor_simple.patch b/queue-5.15/scsi-ufs-core-add-soft-dependency-on-governor_simple.patch new file mode 100644 index 00000000000..c9fb691c410 --- /dev/null +++ b/queue-5.15/scsi-ufs-core-add-soft-dependency-on-governor_simple.patch @@ -0,0 +1,36 @@ +From d4789e12694fda00f6e77345b51ca24bf19de883 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Feb 2023 09:07:40 -0500 +Subject: scsi: ufs: core: Add soft dependency on governor_simpleondemand + +From: Adrien Thierry + +[ Upstream commit 2ebe16155dc8bd4e602cad5b5f65458d2eaa1a75 ] + +The ufshcd driver uses simpleondemand governor for devfreq. Add it to the +list of ufshcd softdeps to allow userspace initramfs tools like dracut to +automatically pull the governor module into the initramfs together with UFS +drivers. + +Link: https://lore.kernel.org/r/20230220140740.14379-1-athierry@redhat.com +Signed-off-by: Adrien Thierry +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index eaa91aec036b1..fd430d24f6de9 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -9749,5 +9749,6 @@ module_exit(ufshcd_core_exit); + MODULE_AUTHOR("Santosh Yaragnavi "); + MODULE_AUTHOR("Vinayak Holikatti "); + MODULE_DESCRIPTION("Generic UFS host controller driver Core"); ++MODULE_SOFTDEP("pre: governor_simpleondemand"); + MODULE_LICENSE("GPL"); + MODULE_VERSION(UFSHCD_DRIVER_VERSION); +-- +2.39.2 + diff --git a/queue-5.15/scsi-ufs-core-initialize-devfreq-synchronously.patch b/queue-5.15/scsi-ufs-core-initialize-devfreq-synchronously.patch new file mode 100644 index 00000000000..a55daefc542 --- /dev/null +++ b/queue-5.15/scsi-ufs-core-initialize-devfreq-synchronously.patch @@ -0,0 +1,175 @@ +From 937e1b69386ea5c3faa8006bdaf94d023014f45e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Feb 2023 14:44:22 -0500 +Subject: scsi: ufs: core: Initialize devfreq synchronously + +From: Adrien Thierry + +[ Upstream commit 7dafc3e007918384c8693ff8d70381b5c1e9c247 ] + +During UFS initialization, devfreq initialization is asynchronous: +ufshcd_async_scan() calls ufshcd_add_lus(), which in turn initializes +devfreq for UFS. The simple ondemand governor is then loaded. If it is +built as a module, request_module() is called and throws a warning: + + WARNING: CPU: 7 PID: 167 at kernel/kmod.c:136 __request_module+0x1e0/0x460 + Modules linked in: crct10dif_ce llcc_qcom phy_qcom_qmp_usb ufs_qcom phy_qcom_snps_femto_v2 ufshcd_pltfrm phy_qcom_qmp_combo ufshcd_core phy_qcom_qmp_ufs qcom_wdt socinfo fuse ipv6 + CPU: 7 PID: 167 Comm: kworker/u16:3 Not tainted 6.2.0-rc6-00009-g58706f7fb045 #1 + Hardware name: Qualcomm SA8540P Ride (DT) + Workqueue: events_unbound async_run_entry_fn + pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : __request_module+0x1e0/0x460 + lr : __request_module+0x1d8/0x460 + sp : ffff800009323b90 + x29: ffff800009323b90 x28: 0000000000000000 x27: 0000000000000000 + x26: ffff800009323d50 x25: ffff7b9045f57810 x24: ffff7b9045f57830 + x23: ffffdc5a83e426e8 x22: ffffdc5ae80a9818 x21: 0000000000000001 + x20: ffffdc5ae7502f98 x19: ffff7b9045f57800 x18: ffffffffffffffff + x17: 312f716572667665 x16: 642f7366752e3030 x15: 0000000000000000 + x14: 000000000000021c x13: 0000000000005400 x12: ffff7b9042ed7614 + x11: ffff7b9042ed7600 x10: 00000000636c0890 x9 : 0000000000000038 + x8 : ffff7b9045f2c880 x7 : ffff7b9045f57c68 x6 : 0000000000000080 + x5 : 0000000000000000 x4 : 8000000000000000 x3 : 0000000000000000 + x2 : 0000000000000000 x1 : ffffdc5ae5d382f0 x0 : 0000000000000001 + Call trace: + __request_module+0x1e0/0x460 + try_then_request_governor+0x7c/0x100 + devfreq_add_device+0x4b0/0x5fc + ufshcd_async_scan+0x1d4/0x310 [ufshcd_core] + async_run_entry_fn+0x34/0xe0 + process_one_work+0x1d0/0x320 + worker_thread+0x14c/0x444 + kthread+0x10c/0x110 + ret_from_fork+0x10/0x20 + +This occurs because synchronous module loading from async is not +allowed. According to __request_module(): + + /* + * We don't allow synchronous module loading from async. Module + * init may invoke async_synchronize_full() which will end up + * waiting for this task which already is waiting for the module + * loading to complete, leading to a deadlock. + */ + +Such a deadlock was experienced on the Qualcomm QDrive3/sa8540p-ride. With +DEVFREQ_GOV_SIMPLE_ONDEMAND=m, the boot hangs after the warning. + +Fix both the warning and the deadlock by moving devfreq initialization out +of the async routine. + +Tested on the sa8540p-ride by using fio to put the UFS under load, and +printing the trace generated by +/sys/kernel/tracing/events/ufs/ufshcd_clk_scaling events. The trace looks +similar with and without the change. + +Link: https://lore.kernel.org/r/20230217194423.42553-1-athierry@redhat.com +Signed-off-by: Adrien Thierry +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 47 ++++++++++++++++++++++++++------------- + drivers/scsi/ufs/ufshcd.h | 1 + + 2 files changed, 32 insertions(+), 16 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 120831428ec6f..eaa91aec036b1 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -1307,6 +1307,13 @@ static int ufshcd_devfreq_target(struct device *dev, + struct ufs_clk_info *clki; + unsigned long irq_flags; + ++ /* ++ * Skip devfreq if UFS initialization is not finished. ++ * Otherwise ufs could be in a inconsistent state. ++ */ ++ if (!smp_load_acquire(&hba->logical_unit_scan_finished)) ++ return 0; ++ + if (!ufshcd_is_clkscaling_supported(hba)) + return -EINVAL; + +@@ -7881,22 +7888,6 @@ static int ufshcd_add_lus(struct ufs_hba *hba) + if (ret) + goto out; + +- /* Initialize devfreq after UFS device is detected */ +- if (ufshcd_is_clkscaling_supported(hba)) { +- memcpy(&hba->clk_scaling.saved_pwr_info.info, +- &hba->pwr_info, +- sizeof(struct ufs_pa_layer_attr)); +- hba->clk_scaling.saved_pwr_info.is_valid = true; +- hba->clk_scaling.is_allowed = true; +- +- ret = ufshcd_devfreq_init(hba); +- if (ret) +- goto out; +- +- hba->clk_scaling.is_enabled = true; +- ufshcd_init_clk_scaling_sysfs(hba); +- } +- + ufs_bsg_probe(hba); + ufshpb_init(hba); + scsi_scan_host(hba->host); +@@ -8030,6 +8021,12 @@ static void ufshcd_async_scan(void *data, async_cookie_t cookie) + if (ret) { + pm_runtime_put_sync(hba->dev); + ufshcd_hba_exit(hba); ++ } else { ++ /* ++ * Make sure that when reader code sees UFS initialization has finished, ++ * all initialization steps have really been executed. ++ */ ++ smp_store_release(&hba->logical_unit_scan_finished, true); + } + } + +@@ -9590,12 +9587,30 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq) + */ + ufshcd_set_ufs_dev_active(hba); + ++ /* Initialize devfreq */ ++ if (ufshcd_is_clkscaling_supported(hba)) { ++ memcpy(&hba->clk_scaling.saved_pwr_info.info, ++ &hba->pwr_info, ++ sizeof(struct ufs_pa_layer_attr)); ++ hba->clk_scaling.saved_pwr_info.is_valid = true; ++ hba->clk_scaling.is_allowed = true; ++ ++ err = ufshcd_devfreq_init(hba); ++ if (err) ++ goto rpm_put_sync; ++ ++ hba->clk_scaling.is_enabled = true; ++ ufshcd_init_clk_scaling_sysfs(hba); ++ } ++ + async_schedule(ufshcd_async_scan, hba); + ufs_sysfs_add_nodes(hba->dev); + + device_enable_async_suspend(dev); + return 0; + ++rpm_put_sync: ++ pm_runtime_put_sync(dev); + free_tmf_queue: + blk_cleanup_queue(hba->tmf_queue); + free_tmf_tag_set: +diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h +index c8513cc6c2bdd..33d9c096ec7fd 100644 +--- a/drivers/scsi/ufs/ufshcd.h ++++ b/drivers/scsi/ufs/ufshcd.h +@@ -838,6 +838,7 @@ struct ufs_hba { + struct completion *uic_async_done; + + enum ufshcd_state ufshcd_state; ++ bool logical_unit_scan_finished; + u32 eh_flags; + u32 intr_mask; + u16 ee_ctrl_mask; /* Exception event mask */ +-- +2.39.2 + diff --git a/queue-5.15/selftests-bpf-check-that-modifier-resolves-after-poi.patch b/queue-5.15/selftests-bpf-check-that-modifier-resolves-after-poi.patch new file mode 100644 index 00000000000..37c41a951ab --- /dev/null +++ b/queue-5.15/selftests-bpf-check-that-modifier-resolves-after-poi.patch @@ -0,0 +1,63 @@ +From a524b212fd945e47005874a2869bdee50777d27f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 11:21:38 +0000 +Subject: selftests/bpf: check that modifier resolves after pointer + +From: Lorenz Bauer + +[ Upstream commit dfdd608c3b365f0fd49d7e13911ebcde06b9865b ] + +Add a regression test that ensures that a VAR pointing at a +modifier which follows a PTR (or STRUCT or ARRAY) is resolved +correctly by the datasec validator. + +Signed-off-by: Lorenz Bauer +Link: https://lore.kernel.org/r/20230306112138.155352-3-lmb@isovalent.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/btf.c | 28 ++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/btf.c b/tools/testing/selftests/bpf/prog_tests/btf.c +index 50afa75bd45b1..2a04dbec510de 100644 +--- a/tools/testing/selftests/bpf/prog_tests/btf.c ++++ b/tools/testing/selftests/bpf/prog_tests/btf.c +@@ -882,6 +882,34 @@ static struct btf_raw_test raw_tests[] = { + .btf_load_err = true, + .err_str = "Invalid elem", + }, ++{ ++ .descr = "var after datasec, ptr followed by modifier", ++ .raw_types = { ++ /* .bss section */ /* [1] */ ++ BTF_TYPE_ENC(NAME_TBD, BTF_INFO_ENC(BTF_KIND_DATASEC, 0, 2), ++ sizeof(void*)+4), ++ BTF_VAR_SECINFO_ENC(4, 0, sizeof(void*)), ++ BTF_VAR_SECINFO_ENC(6, sizeof(void*), 4), ++ /* int */ /* [2] */ ++ BTF_TYPE_INT_ENC(0, BTF_INT_SIGNED, 0, 32, 4), ++ /* int* */ /* [3] */ ++ BTF_TYPE_ENC(0, BTF_INFO_ENC(BTF_KIND_PTR, 0, 0), 2), ++ BTF_VAR_ENC(NAME_TBD, 3, 0), /* [4] */ ++ /* const int */ /* [5] */ ++ BTF_TYPE_ENC(0, BTF_INFO_ENC(BTF_KIND_CONST, 0, 0), 2), ++ BTF_VAR_ENC(NAME_TBD, 5, 0), /* [6] */ ++ BTF_END_RAW, ++ }, ++ .str_sec = "\0a\0b\0c\0", ++ .str_sec_size = sizeof("\0a\0b\0c\0"), ++ .map_type = BPF_MAP_TYPE_ARRAY, ++ .map_name = ".bss", ++ .key_size = sizeof(int), ++ .value_size = sizeof(void*)+4, ++ .key_type_id = 0, ++ .value_type_id = 1, ++ .max_entries = 1, ++}, + /* Test member exceeds the size of struct. + * + * struct A { +-- +2.39.2 + diff --git a/queue-5.15/series b/queue-5.15/series index 70aab9df2f4..404b9040a5b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -79,3 +79,23 @@ thunderbolt-disable-interrupt-auto-clear-for-rings.patch thunderbolt-add-missing-unset_inbound_sbtx-for-retimer-access.patch thunderbolt-use-const-qualifier-for-ring_interrupt_index.patch thunderbolt-rename-shadowed-variables-bit-to-interrupt_bit-and-auto_clear_bit.patch +scsi-ufs-core-initialize-devfreq-synchronously.patch +acpi-x86-utils-add-cezanne-to-the-list-for-forcing-s.patch +riscv-bump-command_line_size-value-to-1024.patch +drm-cirrus-null-check-pipe-plane.state-fb-in-cirrus_.patch +hid-cp2112-fix-driver-not-registering-gpio-irq-chip-.patch +ca8210-fix-mac_len-negative-array-access.patch +hid-intel-ish-hid-ipc-fix-potential-use-after-free-i.patch +m68k-only-force-030-bus-error-if-pc-not-in-exception.patch +selftests-bpf-check-that-modifier-resolves-after-poi.patch +scsi-target-iscsi-fix-an-error-message-in-iscsi_chec.patch +scsi-hisi_sas-check-devm_add_action-return-value.patch +scsi-ufs-core-add-soft-dependency-on-governor_simple.patch +scsi-lpfc-check-kzalloc-in-lpfc_sli4_cgn_params_read.patch +scsi-lpfc-avoid-usage-of-list-iterator-variable-afte.patch +scsi-storvsc-handle-blocksize-change-in-hyper-v-vhd-.patch +net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch +net-usb-qmi_wwan-add-telit-0x1080-composition.patch +sh-sanitize-the-flags-on-sigreturn.patch +net-sched-act_mirred-better-wording-on-protection-ag.patch +act_mirred-use-the-backlog-for-nested-calls-to-mirre.patch diff --git a/queue-5.15/sh-sanitize-the-flags-on-sigreturn.patch b/queue-5.15/sh-sanitize-the-flags-on-sigreturn.patch new file mode 100644 index 00000000000..7d25918fbb5 --- /dev/null +++ b/queue-5.15/sh-sanitize-the-flags-on-sigreturn.patch @@ -0,0 +1,58 @@ +From 38c7d2b9dff3c9fbb663533bf565a48b60bebc78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 01:20:30 +0000 +Subject: sh: sanitize the flags on sigreturn + +From: Al Viro + +[ Upstream commit 573b22ccb7ce9ab7f0539a2e11a9d3609a8783f5 ] + +We fetch %SR value from sigframe; it might have been modified by signal +handler, so we can't trust it with any bits that are not modifiable in +user mode. + +Signed-off-by: Al Viro +Cc: Rich Felker +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/sh/include/asm/processor_32.h | 1 + + arch/sh/kernel/signal_32.c | 3 +++ + 2 files changed, 4 insertions(+) + +diff --git a/arch/sh/include/asm/processor_32.h b/arch/sh/include/asm/processor_32.h +index aa92cc933889d..6c7966e627758 100644 +--- a/arch/sh/include/asm/processor_32.h ++++ b/arch/sh/include/asm/processor_32.h +@@ -50,6 +50,7 @@ + #define SR_FD 0x00008000 + #define SR_MD 0x40000000 + ++#define SR_USER_MASK 0x00000303 // M, Q, S, T bits + /* + * DSP structure and data + */ +diff --git a/arch/sh/kernel/signal_32.c b/arch/sh/kernel/signal_32.c +index dd3092911efad..dc13702003f0f 100644 +--- a/arch/sh/kernel/signal_32.c ++++ b/arch/sh/kernel/signal_32.c +@@ -115,6 +115,7 @@ static int + restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc, int *r0_p) + { + unsigned int err = 0; ++ unsigned int sr = regs->sr & ~SR_USER_MASK; + + #define COPY(x) err |= __get_user(regs->x, &sc->sc_##x) + COPY(regs[1]); +@@ -130,6 +131,8 @@ restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc, int *r0_p + COPY(sr); COPY(pc); + #undef COPY + ++ regs->sr = (regs->sr & SR_USER_MASK) | sr; ++ + #ifdef CONFIG_SH_FPU + if (boot_cpu_data.flags & CPU_HAS_FPU) { + int owned_fp; +-- +2.39.2 + -- 2.47.3