From: Sasha Levin Date: Mon, 4 Jul 2022 14:51:30 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v4.9.322~26^2~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0fcb8a9436cb3dcfd89dd476dfa9e72826fc8dab;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/drivers-cpufreq-add-missing-of_node_put-in-qoriq-cpu.patch b/queue-5.15/drivers-cpufreq-add-missing-of_node_put-in-qoriq-cpu.patch new file mode 100644 index 00000000000..08a08685eaf --- /dev/null +++ b/queue-5.15/drivers-cpufreq-add-missing-of_node_put-in-qoriq-cpu.patch @@ -0,0 +1,37 @@ +From d49e0e8c17d20a73187b87f1b6d3bd0a1d8c9059 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jun 2022 17:48:07 +0800 +Subject: drivers: cpufreq: Add missing of_node_put() in qoriq-cpufreq.c + +From: Liang He + +[ Upstream commit 4ff5a9b6d95f3524bf6d27147df497eb21968300 ] + +In qoriq_cpufreq_probe(), of_find_matching_node() will return a +node pointer with refcount incremented. We should use of_node_put() +when it is not used anymore. + +Fixes: 157f527639da ("cpufreq: qoriq: convert to a platform driver") +[ Viresh: Fixed Author's name in commit log ] +Signed-off-by: Liang He +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/qoriq-cpufreq.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/cpufreq/qoriq-cpufreq.c b/drivers/cpufreq/qoriq-cpufreq.c +index 6b6b20da2bcf..573b417e1483 100644 +--- a/drivers/cpufreq/qoriq-cpufreq.c ++++ b/drivers/cpufreq/qoriq-cpufreq.c +@@ -275,6 +275,7 @@ static int qoriq_cpufreq_probe(struct platform_device *pdev) + + np = of_find_matching_node(NULL, qoriq_cpufreq_blacklist); + if (np) { ++ of_node_put(np); + dev_info(&pdev->dev, "Disabling due to erratum A-008083"); + return -ENODEV; + } +-- +2.35.1 + 
diff --git a/queue-5.15/drm-fourcc-fix-integer-type-usage-in-uapi-header.patch b/queue-5.15/drm-fourcc-fix-integer-type-usage-in-uapi-header.patch new file mode 100644 index 00000000000..890a027e20e --- /dev/null +++ b/queue-5.15/drm-fourcc-fix-integer-type-usage-in-uapi-header.patch 
@@ -0,0 +1,66 @@ +From bfa3195e1ccce16163bef543a8771c56e66cfe58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jun 2022 20:39:21 +0000 +Subject: drm/fourcc: fix integer type usage in uapi header +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Carlos Llamas + +[ Upstream commit 20b8264394b33adb1640a485a62a84bc1388b6a3 ] + +Kernel uapi headers are supposed to use __[us]{8,16,32,64} types defined +by as opposed to 'uint32_t' and similar. See [1] for the +relevant discussion about this topic. In this particular case, the usage +of 'uint64_t' escaped headers_check as these macros are not being called +here. However, the following program triggers a compilation error: + + #include + + int main() + { + unsigned long x = AMD_FMT_MOD_CLEAR(RB); + return 0; + } + +gcc error: + drm.c:5:27: error: ‘uint64_t’ undeclared (first use in this function) + 5 | unsigned long x = AMD_FMT_MOD_CLEAR(RB); + | ^~~~~~~~~~~~~~~~~ + +This patch changes AMD_FMT_MOD_{SET,CLEAR} macros to use the correct +integer types, which fixes the above issue. 
+ + [1] https://lkml.org/lkml/2019/6/5/18 + +Fixes: 8ba16d599374 ("drm/fourcc: Add AMD DRM modifiers.") +Signed-off-by: Carlos Llamas +Reviewed-by: Simon Ser +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + include/uapi/drm/drm_fourcc.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/uapi/drm/drm_fourcc.h b/include/uapi/drm/drm_fourcc.h +index 9f4bb4a6f358..808c73c52820 100644 +--- a/include/uapi/drm/drm_fourcc.h ++++ b/include/uapi/drm/drm_fourcc.h +@@ -1352,11 +1352,11 @@ drm_fourcc_canonicalize_nvidia_format_mod(__u64 modifier) + #define AMD_FMT_MOD_PIPE_MASK 0x7 + + #define AMD_FMT_MOD_SET(field, value) \ +- ((uint64_t)(value) << AMD_FMT_MOD_##field##_SHIFT) ++ ((__u64)(value) << AMD_FMT_MOD_##field##_SHIFT) + #define AMD_FMT_MOD_GET(field, value) \ + (((value) >> AMD_FMT_MOD_##field##_SHIFT) & AMD_FMT_MOD_##field##_MASK) + #define AMD_FMT_MOD_CLEAR(field) \ +- (~((uint64_t)AMD_FMT_MOD_##field##_MASK << AMD_FMT_MOD_##field##_SHIFT)) ++ (~((__u64)AMD_FMT_MOD_##field##_MASK << AMD_FMT_MOD_##field##_SHIFT)) + + #if defined(__cplusplus) + } +-- +2.35.1 + diff --git a/queue-5.15/drm-i915-gem-add-missing-else.patch b/queue-5.15/drm-i915-gem-add-missing-else.patch new file mode 100644 index 00000000000..19d405379a1 --- /dev/null +++ b/queue-5.15/drm-i915-gem-add-missing-else.patch 
@@ -0,0 +1,44 @@ +From 5c9369f01cbfb21f0c0c84c58b367e5d7873067b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jun 2022 13:49:26 +0100 +Subject: drm/i915/gem: add missing else + +From: katrinzhou + +[ Upstream commit 9efdd519d001ee3e761f6ff80d5eb123387421c1 ] + +Add missing else in set_proto_ctx_param() to fix coverity issue. + +Addresses-Coverity: ("Unused value") +Fixes: d4433c7600f7 ("drm/i915/gem: Use the proto-context to handle create parameters (v5)") +Suggested-by: Tvrtko Ursulin +Signed-off-by: katrinzhou +[tursulin: fixup alignment] +Signed-off-by: Tvrtko Ursulin +Link: https://patchwork.freedesktop.org/patch/msgid/20220621124926.615884-1-tvrtko.ursulin@linux.intel.com +(cherry picked from commit 7482a65664c16cc88eb84d2b545a1fed887378a1) +Signed-off-by: Jani Nikula +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gem/i915_gem_context.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/gem/i915_gem_context.c b/drivers/gpu/drm/i915/gem/i915_gem_context.c +index 166bb46408a9..ee0c0b712522 100644 +--- a/drivers/gpu/drm/i915/gem/i915_gem_context.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_context.c +@@ -720,8 +720,9 @@ static int set_proto_ctx_param(struct drm_i915_file_private *fpriv, + case I915_CONTEXT_PARAM_PERSISTENCE: + if (args->size) + ret = -EINVAL; +- ret = proto_context_set_persistence(fpriv->dev_priv, pc, +- args->value); ++ else ++ ret = proto_context_set_persistence(fpriv->dev_priv, pc, ++ args->value); + break; + + case I915_CONTEXT_PARAM_NO_ZEROMAP: +-- +2.35.1 + diff --git a/queue-5.15/drm-msm-gem-fix-error-return-on-fence-id-alloc-fail.patch b/queue-5.15/drm-msm-gem-fix-error-return-on-fence-id-alloc-fail.patch new file mode 100644 index 00000000000..cc63efedcda --- /dev/null +++ b/queue-5.15/drm-msm-gem-fix-error-return-on-fence-id-alloc-fail.patch 
@@ -0,0 +1,37 @@ +From 5b84d307df9943fea566c3e473777a2e4ed29ca9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jun 2022 11:45:28 -0700 +Subject: drm/msm/gem: Fix error return on fence id alloc fail + +From: Rob Clark + +[ Upstream commit 08de214138cdea438a0dfcb10d355a6650c6017c ] + +This was a typo, we didn't actually want to return zero. + +Fixes: a61acbbe9cf8 ("drm/msm: Track "seqno" fences by idr") +Signed-off-by: Rob Clark +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/491145/ +Link: https://lore.kernel.org/r/20220624184528.4036837-1-robdclark@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_gem_submit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c +index 7fb7ff043bcd..1f74bab9e231 100644 +--- a/drivers/gpu/drm/msm/msm_gem_submit.c ++++ b/drivers/gpu/drm/msm/msm_gem_submit.c +@@ -889,7 +889,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, + submit->fence_id = idr_alloc_cyclic(&queue->fence_idr, + submit->user_fence, 1, INT_MAX, GFP_KERNEL); + if (submit->fence_id < 0) { +- ret = submit->fence_id = 0; ++ ret = submit->fence_id; + submit->fence_id = 0; + goto out; + } +-- +2.35.1 + diff --git a/queue-5.15/hwmon-ibmaem-don-t-call-platform_device_del-if-platf.patch b/queue-5.15/hwmon-ibmaem-don-t-call-platform_device_del-if-platf.patch new file mode 100644 index 00000000000..a0656d8bede --- /dev/null +++ b/queue-5.15/hwmon-ibmaem-don-t-call-platform_device_del-if-platf.patch 
@@ -0,0 +1,71 @@ +From fab3ca49234df9f67ef46210a45f27579c47e996 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Jul 2022 15:41:53 +0800 +Subject: hwmon: (ibmaem) don't call platform_device_del() if + platform_device_add() fails + +From: Yang Yingliang + +[ Upstream commit d0e51022a025ca5350fafb8e413a6fe5d4baf833 ] + +If platform_device_add() fails, it no need to call platform_device_del(), split +platform_device_unregister() into platform_device_del/put(), so platform_device_put() +can be called separately. + +Fixes: 8808a793f052 ("ibmaem: new driver for power/energy/temp meters in IBM System X hardware") +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20220701074153.4021556-1-yangyingliang@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ibmaem.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/hwmon/ibmaem.c b/drivers/hwmon/ibmaem.c +index a4ec85207782..2e6d6a5cffa1 100644 +--- a/drivers/hwmon/ibmaem.c ++++ b/drivers/hwmon/ibmaem.c +@@ -550,7 +550,7 @@ static int aem_init_aem1_inst(struct aem_ipmi_data *probe, u8 module_handle) + + res = platform_device_add(data->pdev); + if (res) +- goto ipmi_err; ++ goto dev_add_err; + + platform_set_drvdata(data->pdev, data); + +@@ -598,7 +598,9 @@ static int aem_init_aem1_inst(struct aem_ipmi_data *probe, u8 module_handle) + ipmi_destroy_user(data->ipmi.user); + ipmi_err: + platform_set_drvdata(data->pdev, NULL); +- platform_device_unregister(data->pdev); ++ platform_device_del(data->pdev); ++dev_add_err: ++ platform_device_put(data->pdev); + dev_err: + ida_simple_remove(&aem_ida, data->id); + id_err: +@@ -690,7 +692,7 @@ static int aem_init_aem2_inst(struct aem_ipmi_data *probe, + + res = platform_device_add(data->pdev); + if (res) +- goto ipmi_err; ++ goto dev_add_err; + + platform_set_drvdata(data->pdev, data); + +@@ -738,7 +740,9 @@ static int aem_init_aem2_inst(struct aem_ipmi_data 
*probe, + ipmi_destroy_user(data->ipmi.user); + ipmi_err: + platform_set_drvdata(data->pdev, NULL); +- platform_device_unregister(data->pdev); ++ platform_device_del(data->pdev); ++dev_add_err: ++ platform_device_put(data->pdev); + dev_err: + ida_simple_remove(&aem_ida, data->id); + id_err: +-- +2.35.1 + diff --git a/queue-5.15/hwmon-occ-prevent-power-cap-command-overwriting-poll.patch b/queue-5.15/hwmon-occ-prevent-power-cap-command-overwriting-poll.patch new file mode 100644 index 00000000000..cfaeef8181b --- /dev/null +++ b/queue-5.15/hwmon-occ-prevent-power-cap-command-overwriting-poll.patch 
@@ -0,0 +1,153 @@ +From 635857e05d2d341eafc0579b3698f700a34860c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jun 2022 15:30:29 -0500 +Subject: hwmon: (occ) Prevent power cap command overwriting poll response + +From: Eddie James + +[ Upstream commit 1bbb2809040a1f9c7c53c9f06c21aa83275ed27b ] + +Currently, the response to the power cap command overwrites the +first eight bytes of the poll response, since the commands use +the same buffer. This means that user's get the wrong data between +the time of sending the power cap and the next poll response update. +Fix this by specifying a different buffer for the power cap command +response. + +Fixes: 5b5513b88002 ("hwmon: Add On-Chip Controller (OCC) hwmon driver") +Signed-off-by: Eddie James +Link: https://lore.kernel.org/r/20220628203029.51747-1-eajames@linux.ibm.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/occ/common.c | 5 +++-- + drivers/hwmon/occ/common.h | 3 ++- + drivers/hwmon/occ/p8_i2c.c | 13 +++++++------ + drivers/hwmon/occ/p9_sbe.c | 7 +++---- + 4 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/drivers/hwmon/occ/common.c b/drivers/hwmon/occ/common.c +index 0cb4a0a6cbc1..bbe5e4ef4113 100644 +--- a/drivers/hwmon/occ/common.c ++++ b/drivers/hwmon/occ/common.c +@@ -145,7 +145,7 @@ static int occ_poll(struct occ *occ) + cmd[6] = 0; /* checksum lsb */ + + /* mutex should already be locked if necessary */ +- rc = occ->send_cmd(occ, cmd, sizeof(cmd)); ++ rc = occ->send_cmd(occ, cmd, sizeof(cmd), &occ->resp, sizeof(occ->resp)); + if (rc) { + occ->last_error = rc; + if (occ->error_count++ > OCC_ERROR_COUNT_THRESHOLD) +@@ -182,6 +182,7 @@ static int occ_set_user_power_cap(struct occ *occ, u16 user_power_cap) + { + int rc; + u8 cmd[8]; ++ u8 resp[8]; + __be16 user_power_cap_be = cpu_to_be16(user_power_cap); + + cmd[0] = 0; /* sequence number */ +@@ -198,7 +199,7 @@ static int occ_set_user_power_cap(struct occ *occ, u16 user_power_cap) + if (rc) + return 
rc; + +- rc = occ->send_cmd(occ, cmd, sizeof(cmd)); ++ rc = occ->send_cmd(occ, cmd, sizeof(cmd), resp, sizeof(resp)); + + mutex_unlock(&occ->lock); + +diff --git a/drivers/hwmon/occ/common.h b/drivers/hwmon/occ/common.h +index 5020117be740..7abf19102062 100644 +--- a/drivers/hwmon/occ/common.h ++++ b/drivers/hwmon/occ/common.h +@@ -96,7 +96,8 @@ struct occ { + + int powr_sample_time_us; /* average power sample time */ + u8 poll_cmd_data; /* to perform OCC poll command */ +- int (*send_cmd)(struct occ *occ, u8 *cmd, size_t len); ++ int (*send_cmd)(struct occ *occ, u8 *cmd, size_t len, void *resp, ++ size_t resp_len); + + unsigned long next_update; + struct mutex lock; /* lock OCC access */ +diff --git a/drivers/hwmon/occ/p8_i2c.c b/drivers/hwmon/occ/p8_i2c.c +index 9e61e1fb5142..c35c07964d85 100644 +--- a/drivers/hwmon/occ/p8_i2c.c ++++ b/drivers/hwmon/occ/p8_i2c.c +@@ -111,7 +111,8 @@ static int p8_i2c_occ_putscom_be(struct i2c_client *client, u32 address, + be32_to_cpu(data1)); + } + +-static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len) ++static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len, ++ void *resp, size_t resp_len) + { + int i, rc; + unsigned long start; +@@ -120,7 +121,7 @@ static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len) + const long wait_time = msecs_to_jiffies(OCC_CMD_IN_PRG_WAIT_MS); + struct p8_i2c_occ *ctx = to_p8_i2c_occ(occ); + struct i2c_client *client = ctx->client; +- struct occ_response *resp = &occ->resp; ++ struct occ_response *or = (struct occ_response *)resp; + + start = jiffies; + +@@ -151,7 +152,7 @@ static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len) + return rc; + + /* wait for OCC */ +- if (resp->return_status == OCC_RESP_CMD_IN_PRG) { ++ if (or->return_status == OCC_RESP_CMD_IN_PRG) { + rc = -EALREADY; + + if (time_after(jiffies, start + timeout)) +@@ -163,7 +164,7 @@ static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len) + } while (rc); + + /* check 
the OCC response */ +- switch (resp->return_status) { ++ switch (or->return_status) { + case OCC_RESP_CMD_IN_PRG: + rc = -ETIMEDOUT; + break; +@@ -192,8 +193,8 @@ static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len) + if (rc < 0) + return rc; + +- data_length = get_unaligned_be16(&resp->data_length); +- if (data_length > OCC_RESP_DATA_BYTES) ++ data_length = get_unaligned_be16(&or->data_length); ++ if ((data_length + 7) > resp_len) + return -EMSGSIZE; + + /* fetch the rest of the response data */ +diff --git a/drivers/hwmon/occ/p9_sbe.c b/drivers/hwmon/occ/p9_sbe.c +index 9709f2b9c052..14923e78e1f3 100644 +--- a/drivers/hwmon/occ/p9_sbe.c ++++ b/drivers/hwmon/occ/p9_sbe.c +@@ -16,18 +16,17 @@ struct p9_sbe_occ { + + #define to_p9_sbe_occ(x) container_of((x), struct p9_sbe_occ, occ) + +-static int p9_sbe_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len) ++static int p9_sbe_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len, ++ void *resp, size_t resp_len) + { +- struct occ_response *resp = &occ->resp; + struct p9_sbe_occ *ctx = to_p9_sbe_occ(occ); +- size_t resp_len = sizeof(*resp); + int rc; + + rc = fsi_occ_submit(ctx->sbe, cmd, len, resp, &resp_len); + if (rc < 0) + return rc; + +- switch (resp->return_status) { ++ switch (((struct occ_response *)resp)->return_status) { + case OCC_RESP_CMD_IN_PRG: + rc = -ETIMEDOUT; + break; +-- +2.35.1 + diff --git a/queue-5.15/hwmon-occ-remove-sequence-numbering-and-checksum-cal.patch b/queue-5.15/hwmon-occ-remove-sequence-numbering-and-checksum-cal.patch new file mode 100644 index 00000000000..0bc3b0e5698 --- /dev/null +++ b/queue-5.15/hwmon-occ-remove-sequence-numbering-and-checksum-cal.patch 
@@ -0,0 +1,182 @@ +From 3094c4b5d7465bd69dc71fd3eac4d0be42846864 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 14:02:30 -0500 +Subject: hwmon: (occ) Remove sequence numbering and checksum calculation + +From: Eddie James + +[ Upstream commit 908dbf0242e21dd95c69a1b0935814cd1abfc134 ] + +Checksumming of the request and sequence numbering is now done in the +OCC interface driver in order to keep unique sequence numbers. So +remove those in the hwmon driver. Also, add the command length to the +send_cmd function pointer, since the checksum must be placed in the +last two bytes of the command. The submit interface must receive the +exact size of the command - previously it could be rounded to the +nearest 8 bytes with no consequence. + +Signed-off-by: Eddie James +Acked-by: Guenter Roeck +Link: https://lore.kernel.org/r/20210721190231.117185-3-eajames@linux.ibm.com +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + drivers/hwmon/occ/common.c | 30 ++++++++++++------------------ + drivers/hwmon/occ/common.h | 3 +-- + drivers/hwmon/occ/p8_i2c.c | 15 +++++++++------ + drivers/hwmon/occ/p9_sbe.c | 4 ++-- + 4 files changed, 24 insertions(+), 28 deletions(-) + +diff --git a/drivers/hwmon/occ/common.c b/drivers/hwmon/occ/common.c +index ae664613289c..0cb4a0a6cbc1 100644 +--- a/drivers/hwmon/occ/common.c ++++ b/drivers/hwmon/occ/common.c +@@ -132,22 +132,20 @@ struct extended_sensor { + static int occ_poll(struct occ *occ) + { + int rc; +- u16 checksum = occ->poll_cmd_data + occ->seq_no + 1; +- u8 cmd[8]; ++ u8 cmd[7]; + struct occ_poll_response_header *header; + + /* big endian */ +- cmd[0] = occ->seq_no++; /* sequence number */ ++ cmd[0] = 0; /* sequence number */ + cmd[1] = 0; /* cmd type */ + cmd[2] = 0; /* data length msb */ + cmd[3] = 1; /* data length lsb */ + cmd[4] = occ->poll_cmd_data; /* data */ +- cmd[5] = checksum >> 8; /* checksum msb */ +- cmd[6] = checksum & 0xFF; /* checksum lsb */ +- cmd[7] = 0; ++ cmd[5] = 0; /* checksum msb 
*/ ++ cmd[6] = 0; /* checksum lsb */ + + /* mutex should already be locked if necessary */ +- rc = occ->send_cmd(occ, cmd); ++ rc = occ->send_cmd(occ, cmd, sizeof(cmd)); + if (rc) { + occ->last_error = rc; + if (occ->error_count++ > OCC_ERROR_COUNT_THRESHOLD) +@@ -184,25 +182,23 @@ static int occ_set_user_power_cap(struct occ *occ, u16 user_power_cap) + { + int rc; + u8 cmd[8]; +- u16 checksum = 0x24; + __be16 user_power_cap_be = cpu_to_be16(user_power_cap); + +- cmd[0] = 0; +- cmd[1] = 0x22; +- cmd[2] = 0; +- cmd[3] = 2; ++ cmd[0] = 0; /* sequence number */ ++ cmd[1] = 0x22; /* cmd type */ ++ cmd[2] = 0; /* data length msb */ ++ cmd[3] = 2; /* data length lsb */ + + memcpy(&cmd[4], &user_power_cap_be, 2); + +- checksum += cmd[4] + cmd[5]; +- cmd[6] = checksum >> 8; +- cmd[7] = checksum & 0xFF; ++ cmd[6] = 0; /* checksum msb */ ++ cmd[7] = 0; /* checksum lsb */ + + rc = mutex_lock_interruptible(&occ->lock); + if (rc) + return rc; + +- rc = occ->send_cmd(occ, cmd); ++ rc = occ->send_cmd(occ, cmd, sizeof(cmd)); + + mutex_unlock(&occ->lock); + +@@ -1144,8 +1140,6 @@ int occ_setup(struct occ *occ, const char *name) + { + int rc; + +- /* start with 1 to avoid false match with zero-initialized SRAM buffer */ +- occ->seq_no = 1; + mutex_init(&occ->lock); + occ->groups[0] = &occ->group; + +diff --git a/drivers/hwmon/occ/common.h b/drivers/hwmon/occ/common.h +index e6df719770e8..5020117be740 100644 +--- a/drivers/hwmon/occ/common.h ++++ b/drivers/hwmon/occ/common.h +@@ -95,9 +95,8 @@ struct occ { + struct occ_sensors sensors; + + int powr_sample_time_us; /* average power sample time */ +- u8 seq_no; + u8 poll_cmd_data; /* to perform OCC poll command */ +- int (*send_cmd)(struct occ *occ, u8 *cmd); ++ int (*send_cmd)(struct occ *occ, u8 *cmd, size_t len); + + unsigned long next_update; + struct mutex lock; /* lock OCC access */ +diff --git a/drivers/hwmon/occ/p8_i2c.c b/drivers/hwmon/occ/p8_i2c.c +index 0cf8588be35a..9e61e1fb5142 100644 +--- a/drivers/hwmon/occ/p8_i2c.c ++++ 
b/drivers/hwmon/occ/p8_i2c.c +@@ -97,18 +97,21 @@ static int p8_i2c_occ_putscom_u32(struct i2c_client *client, u32 address, + } + + static int p8_i2c_occ_putscom_be(struct i2c_client *client, u32 address, +- u8 *data) ++ u8 *data, size_t len) + { +- __be32 data0, data1; ++ __be32 data0 = 0, data1 = 0; + +- memcpy(&data0, data, 4); +- memcpy(&data1, data + 4, 4); ++ memcpy(&data0, data, min_t(size_t, len, 4)); ++ if (len > 4) { ++ len -= 4; ++ memcpy(&data1, data + 4, min_t(size_t, len, 4)); ++ } + + return p8_i2c_occ_putscom_u32(client, address, be32_to_cpu(data0), + be32_to_cpu(data1)); + } + +-static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd) ++static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len) + { + int i, rc; + unsigned long start; +@@ -127,7 +130,7 @@ static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd) + return rc; + + /* write command (expected to already be BE), we need bus-endian... */ +- rc = p8_i2c_occ_putscom_be(client, OCB_DATA3, cmd); ++ rc = p8_i2c_occ_putscom_be(client, OCB_DATA3, cmd, len); + if (rc) + return rc; + +diff --git a/drivers/hwmon/occ/p9_sbe.c b/drivers/hwmon/occ/p9_sbe.c +index f6387cc0b754..9709f2b9c052 100644 +--- a/drivers/hwmon/occ/p9_sbe.c ++++ b/drivers/hwmon/occ/p9_sbe.c +@@ -16,14 +16,14 @@ struct p9_sbe_occ { + + #define to_p9_sbe_occ(x) container_of((x), struct p9_sbe_occ, occ) + +-static int p9_sbe_occ_send_cmd(struct occ *occ, u8 *cmd) ++static int p9_sbe_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len) + { + struct occ_response *resp = &occ->resp; + struct p9_sbe_occ *ctx = to_p9_sbe_occ(occ); + size_t resp_len = sizeof(*resp); + int rc; + +- rc = fsi_occ_submit(ctx->sbe, cmd, 8, resp, &resp_len); ++ rc = fsi_occ_submit(ctx->sbe, cmd, len, resp, &resp_len); + if (rc < 0) + return rc; + +-- +2.35.1 + diff --git a/queue-5.15/net-fix-iff_tx_skb_no_linear-definition.patch b/queue-5.15/net-fix-iff_tx_skb_no_linear-definition.patch new file mode 100644 index 00000000000..f0dc548ad11 --- /dev/null 
+++ b/queue-5.15/net-fix-iff_tx_skb_no_linear-definition.patch @@ -0,0 +1,38 @@ +From b1f45aa2e85f45a52aeff267f0f35a0decce6b41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jun 2022 16:32:32 +0300 +Subject: net: fix IFF_TX_SKB_NO_LINEAR definition + +From: Dan Carpenter + +[ Upstream commit 3b89b511ea0c705cc418440e2abf9d692a556d84 ] + +The "1<<31" shift has a sign extension bug so IFF_TX_SKB_NO_LINEAR is +0xffffffff80000000 instead of 0x0000000080000000. + +Fixes: c2ff53d8049f ("net: Add priv_flags for allow tx skb without linear") +Signed-off-by: Dan Carpenter +Reviewed-by: Xuan Zhuo +Link: https://lore.kernel.org/r/YrRrcGttfEVnf85Q@kili +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 39f1893ecac0..f8d46dc62d65 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -1645,7 +1645,7 @@ enum netdev_priv_flags { + IFF_FAILOVER_SLAVE = 1<<28, + IFF_L3MDEV_RX_HANDLER = 1<<29, + IFF_LIVE_RENAME_OK = 1<<30, +- IFF_TX_SKB_NO_LINEAR = 1<<31, ++ IFF_TX_SKB_NO_LINEAR = BIT_ULL(31), + }; + + #define IFF_802_1Q_VLAN IFF_802_1Q_VLAN +-- +2.35.1 + diff --git a/queue-5.15/platform-x86-panasonic-laptop-de-obfuscate-button-co.patch b/queue-5.15/platform-x86-panasonic-laptop-de-obfuscate-button-co.patch new file mode 100644 index 00000000000..cacff2ef78f --- /dev/null +++ b/queue-5.15/platform-x86-panasonic-laptop-de-obfuscate-button-co.patch 
@@ -0,0 +1,70 @@ +From 22b213c14d2cb15081d6d4e01218e098a4f57544 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jun 2022 13:23:35 +0200 +Subject: platform/x86: panasonic-laptop: de-obfuscate button codes + +From: Stefan Seyfried + +[ Upstream commit 65a3e6c8d3f7c346813a05f3d76fc46b640d76d6 ] + +In the definition of panasonic_keymap[] the key codes are given in +decimal, later checks are done with hexadecimal values, which does +not help in understanding the code. +Additionally use two helper variables to shorten the code and make +the logic more obvious. + +Fixes: ed83c9171829 ("platform/x86: panasonic-laptop: Resolve hotkey double trigger bug") +Signed-off-by: Stefan Seyfried +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220624112340.10130-3-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/panasonic-laptop.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c +index d4f444401496..84c16d9d9f8e 100644 +--- a/drivers/platform/x86/panasonic-laptop.c ++++ b/drivers/platform/x86/panasonic-laptop.c +@@ -762,6 +762,8 @@ static void acpi_pcc_generate_keyinput(struct pcc_acpi *pcc) + struct input_dev *hotk_input_dev = pcc->input_dev; + int rc; + unsigned long long result; ++ unsigned int key; ++ unsigned int updown; + + rc = acpi_evaluate_integer(pcc->handle, METHOD_HKEY_QUERY, + NULL, &result); +@@ -770,18 +772,22 @@ static void acpi_pcc_generate_keyinput(struct pcc_acpi *pcc) + return; + } + ++ key = result & 0xf; ++ updown = result & 0x80; /* 0x80 == key down; 0x00 = key up */ ++ + /* hack: some firmware sends no key down for sleep / hibernate */ +- if ((result & 0xf) == 0x7 || (result & 0xf) == 0xa) { +- if (result & 0x80) ++ if (key == 7 || key == 10) { ++ if (updown) + sleep_keydown_seen = 1; + if (!sleep_keydown_seen) + 
sparse_keymap_report_event(hotk_input_dev, +- result & 0xf, 0x80, false); ++ key, 0x80, false); + } + +- if ((result & 0xf) == 0x7 || (result & 0xf) == 0x9 || (result & 0xf) == 0xa) { ++ /* for the magic values, see panasonic_keymap[] above */ ++ if (key == 7 || key == 9 || key == 10) { + if (!sparse_keymap_report_event(hotk_input_dev, +- result & 0xf, result & 0x80, false)) ++ key, updown, false)) + pr_err("Unknown hotkey event: 0x%04llx\n", result); + } + } +-- +2.35.1 + diff --git a/queue-5.15/platform-x86-panasonic-laptop-don-t-report-duplicate.patch b/queue-5.15/platform-x86-panasonic-laptop-don-t-report-duplicate.patch new file mode 100644 index 00000000000..1ba2a7b027b --- /dev/null +++ b/queue-5.15/platform-x86-panasonic-laptop-don-t-report-duplicate.patch 
@@ -0,0 +1,67 @@ +From 5e2029529b22dc8625cdf24eddec34ba8adfa13a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jun 2022 13:23:38 +0200 +Subject: platform/x86: panasonic-laptop: don't report duplicate brightness + key-presses + +From: Hans de Goede + +[ Upstream commit 1f2c9de83a50447a2d7166f6273ab0c0e97cd68e ] + +The brightness key-presses might also get reported by the ACPI video bus, +check for this and in this case don't report the presses to avoid reporting +2 presses for a single key-press. + +Fixes: ed83c9171829 ("platform/x86: panasonic-laptop: Resolve hotkey double trigger bug") +Reported-and-tested-by: Stefan Seyfried +Reported-and-tested-by: Kenneth Chan +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220624112340.10130-6-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/Kconfig | 1 + + drivers/platform/x86/panasonic-laptop.c | 8 ++++++++ + 2 files changed, 9 insertions(+) + +diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig +index e21ea3d23e6f..50a5c4f3cefd 100644 +--- a/drivers/platform/x86/Kconfig ++++ b/drivers/platform/x86/Kconfig +@@ -871,6 +871,7 @@ config PANASONIC_LAPTOP + tristate "Panasonic Laptop Extras" + depends on INPUT && ACPI + depends on BACKLIGHT_CLASS_DEVICE ++ depends on ACPI_VIDEO=n || ACPI_VIDEO + select INPUT_SPARSEKMAP + help + This driver adds support for access to backlight control and hotkeys +diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c +index cd3c23593eee..65ca863ffb9f 100644 +--- a/drivers/platform/x86/panasonic-laptop.c ++++ b/drivers/platform/x86/panasonic-laptop.c +@@ -132,6 +132,7 @@ + #include + #include + #include ++#include + + MODULE_AUTHOR("Hiroshi Miura "); + MODULE_AUTHOR("David Bronaugh "); +@@ -783,6 +784,13 @@ static void acpi_pcc_generate_keyinput(struct pcc_acpi *pcc) + key, 0x80, false); + } + ++ /* ++ * Don't report brightness key-presses if they are 
also reported ++ * by the ACPI video bus. ++ */ ++ if ((key == 1 || key == 2) && acpi_video_handles_brightness_key_presses()) ++ return; ++ + if (!sparse_keymap_report_event(hotk_input_dev, key, updown, false)) + pr_err("Unknown hotkey event: 0x%04llx\n", result); + } +-- +2.35.1 + diff --git a/queue-5.15/platform-x86-panasonic-laptop-filter-out-duplicate-v.patch b/queue-5.15/platform-x86-panasonic-laptop-filter-out-duplicate-v.patch new file mode 100644 index 00000000000..5c97d5e88bf --- /dev/null +++ b/queue-5.15/platform-x86-panasonic-laptop-filter-out-duplicate-v.patch 
@@ -0,0 +1,129 @@ +From e9f69ec23ddd41f9cc8b4f0ed6e48ee7252406bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jun 2022 13:23:39 +0200 +Subject: platform/x86: panasonic-laptop: filter out duplicate volume + up/down/mute keypresses + +From: Hans de Goede + +[ Upstream commit aacb455dfe01b7a24a792a2fbe7a04112ce8321d ] + +On some Panasonic models the volume up/down/mute keypresses get +reported both through the Panasonic ACPI HKEY interface as well as +through the atkbd device. + +Filter out the atkbd scan-codes for these to avoid reporting presses +twice. + +Note normally we would leave the filtering of these to userspace by mapping +the scan-codes to KEY_UNKNOWN through /lib/udev/hwdb.d/60-keyboard.hwdb. +However in this case that would cause regressions since we were filtering +the Panasonic ACPI HKEY events before, so filter these in the kernel. + +Fixes: ed83c9171829 ("platform/x86: panasonic-laptop: Resolve hotkey double trigger bug") +Reported-and-tested-by: Stefan Seyfried +Reported-and-tested-by: Kenneth Chan +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220624112340.10130-7-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/Kconfig | 1 + + drivers/platform/x86/panasonic-laptop.c | 41 +++++++++++++++++++++++++ + 2 files changed, 42 insertions(+) + +diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig +index 50a5c4f3cefd..f1ff003bb14b 100644 +--- a/drivers/platform/x86/Kconfig ++++ b/drivers/platform/x86/Kconfig +@@ -872,6 +872,7 @@ config PANASONIC_LAPTOP + depends on INPUT && ACPI + depends on BACKLIGHT_CLASS_DEVICE + depends on ACPI_VIDEO=n || ACPI_VIDEO ++ depends on SERIO_I8042 || SERIO_I8042 = n + select INPUT_SPARSEKMAP + help + This driver adds support for access to backlight control and hotkeys +diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c +index 65ca863ffb9f..7ca49b3fc6c2 100644 +--- 
a/drivers/platform/x86/panasonic-laptop.c ++++ b/drivers/platform/x86/panasonic-laptop.c +@@ -122,6 +122,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -129,6 +130,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -241,6 +243,42 @@ struct pcc_acpi { + struct platform_device *platform; + }; + ++/* ++ * On some Panasonic models the volume up / down / mute keys send duplicate ++ * keypress events over the PS/2 kbd interface, filter these out. ++ */ ++static bool panasonic_i8042_filter(unsigned char data, unsigned char str, ++ struct serio *port) ++{ ++ static bool extended; ++ ++ if (str & I8042_STR_AUXDATA) ++ return false; ++ ++ if (data == 0xe0) { ++ extended = true; ++ return true; ++ } else if (extended) { ++ extended = false; ++ ++ switch (data & 0x7f) { ++ case 0x20: /* e0 20 / e0 a0, Volume Mute press / release */ ++ case 0x2e: /* e0 2e / e0 ae, Volume Down press / release */ ++ case 0x30: /* e0 30 / e0 b0, Volume Up press / release */ ++ return true; ++ default: ++ /* ++ * Report the previously filtered e0 before continuing ++ * with the next non-filtered byte. ++ */ ++ serio_interrupt(port, 0xe0, 0); ++ return false; ++ } ++ } ++ ++ return false; ++} ++ + /* method access functions */ + static int acpi_pcc_write_sset(struct pcc_acpi *pcc, int func, int val) + { +@@ -1006,6 +1044,7 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device) + pcc->platform = NULL; + } + ++ i8042_install_filter(panasonic_i8042_filter); + return 0; + + out_platform: +@@ -1029,6 +1068,8 @@ static int acpi_pcc_hotkey_remove(struct acpi_device *device) + if (!device || !pcc) + return -EINVAL; + ++ i8042_remove_filter(panasonic_i8042_filter); ++ + if (pcc->platform) { + device_remove_file(&pcc->platform->dev, &dev_attr_cdpower); + platform_device_unregister(pcc->platform); +-- +2.35.1 + 
diff --git a/queue-5.15/platform-x86-panasonic-laptop-revert-resolve-hotkey-.patch b/queue-5.15/platform-x86-panasonic-laptop-revert-resolve-hotkey-.patch new file mode 100644 index 00000000000..1d6a5415f11 --- /dev/null +++ b/queue-5.15/platform-x86-panasonic-laptop-revert-resolve-hotkey-.patch 
@@ -0,0 +1,47 @@ +From 007ebc3a55a00e71ac3920c304f17f87ad992464 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jun 2022 13:23:37 +0200 +Subject: platform/x86: panasonic-laptop: revert "Resolve hotkey double trigger + bug" + +From: Hans de Goede + +[ Upstream commit 83a5ddc3dc561c40d948b85553514aaba99123d8 ] + +In hindsight blindly throwing away most of the key-press events is not +a good idea. So revert commit ed83c9171829 ("platform/x86: +panasonic-laptop: Resolve hotkey double trigger bug"). + +Fixes: ed83c9171829 ("platform/x86: panasonic-laptop: Resolve hotkey double trigger bug") +Reported-and-tested-by: Stefan Seyfried +Reported-and-tested-by: Kenneth Chan +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220624112340.10130-5-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/panasonic-laptop.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c +index b89fbbc2fd08..cd3c23593eee 100644 +--- a/drivers/platform/x86/panasonic-laptop.c ++++ b/drivers/platform/x86/panasonic-laptop.c +@@ -783,12 +783,8 @@ static void acpi_pcc_generate_keyinput(struct pcc_acpi *pcc) + key, 0x80, false); + } + +- /* for the magic values, see panasonic_keymap[] above */ +- if (key == 7 || key == 9 || key == 10) { +- if (!sparse_keymap_report_event(hotk_input_dev, +- key, updown, false)) +- pr_err("Unknown hotkey event: 0x%04llx\n", result); +- } ++ if (!sparse_keymap_report_event(hotk_input_dev, key, updown, false)) ++ pr_err("Unknown hotkey event: 0x%04llx\n", result); + } + + static void acpi_pcc_hotkey_notify(struct acpi_device *device, u32 event) +-- +2.35.1 + diff --git a/queue-5.15/platform-x86-panasonic-laptop-sort-includes-alphabet.patch b/queue-5.15/platform-x86-panasonic-laptop-sort-includes-alphabet.patch new file mode 100644 index 00000000000..39c198d2f04 --- /dev/null 
+++ b/queue-5.15/platform-x86-panasonic-laptop-sort-includes-alphabet.patch @@ -0,0 +1,57 @@ +From 67d7f84ff65754b5b32c9341da42fdc10a0f7bc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jun 2022 13:23:36 +0200 +Subject: platform/x86: panasonic-laptop: sort includes alphabetically + +From: Hans de Goede + +[ Upstream commit fe4326c8d18dc8a54affdc9ab269ad92dafef659 ] + +Sort includes alphabetically, small cleanup patch in preparation of +further changes. + +Fixes: ed83c9171829 ("platform/x86: panasonic-laptop: Resolve hotkey double trigger bug") +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220624112340.10130-4-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/panasonic-laptop.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c +index 84c16d9d9f8e..b89fbbc2fd08 100644 +--- a/drivers/platform/x86/panasonic-laptop.c ++++ b/drivers/platform/x86/panasonic-laptop.c +@@ -119,20 +119,19 @@ + * - v0.1 start from toshiba_acpi driver written by John Belmonte + */ + +-#include +-#include +-#include +-#include ++#include + #include + #include +-#include +-#include +-#include +-#include ++#include + #include + #include ++#include ++#include + #include +- ++#include ++#include ++#include ++#include + + MODULE_AUTHOR("Hiroshi Miura "); + MODULE_AUTHOR("David Bronaugh "); +-- +2.35.1 + diff --git a/queue-5.15/series b/queue-5.15/series index c671a8845a9..35df4f5c7df 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -56,3 +56,17 @@ ipv6-sit-fix-ipip6_tunnel_get_prl-return-value.patch ipv6-fix-lockdep-splat-in-in6_dump_addrs.patch mlxsw-spectrum_router-fix-rollback-in-tunnel-next-hop-init.patch net-tun-avoid-disabling-napi-twice.patch +tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch +net-fix-iff_tx_skb_no_linear-definition.patch +drm-i915-gem-add-missing-else.patch +drm-msm-gem-fix-error-return-on-fence-id-alloc-fail.patch +drivers-cpufreq-add-missing-of_node_put-in-qoriq-cpu.patch +platform-x86-panasonic-laptop-de-obfuscate-button-co.patch +platform-x86-panasonic-laptop-sort-includes-alphabet.patch +platform-x86-panasonic-laptop-revert-resolve-hotkey-.patch +platform-x86-panasonic-laptop-don-t-report-duplicate.patch +platform-x86-panasonic-laptop-filter-out-duplicate-v.patch +drm-fourcc-fix-integer-type-usage-in-uapi-header.patch +hwmon-occ-remove-sequence-numbering-and-checksum-cal.patch +hwmon-occ-prevent-power-cap-command-overwriting-poll.patch +hwmon-ibmaem-don-t-call-platform_device_del-if-platf.patch diff --git a/queue-5.15/tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch b/queue-5.15/tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch new file mode 100644 index 00000000000..5149d29f32c --- /dev/null +++ b/queue-5.15/tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch 
@@ -0,0 +1,75 @@ +From d7818cf91995c67a2d241724fce8d34a44b0addd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jun 2022 05:04:36 +0000 +Subject: tcp: add a missing nf_reset_ct() in 3WHS handling + +From: Eric Dumazet + +[ Upstream commit 6f0012e35160cd08a53e46e3b3bbf724b92dfe68 ] + +When the third packet of 3WHS connection establishment +contains payload, it is added into socket receive queue +without the XFRM check and the drop of connection tracking +context. + +This means that if the data is left unread in the socket +receive queue, conntrack module can not be unloaded. + +As most applications usually reads the incoming data +immediately after accept(), bug has been hiding for +quite a long time. + +Commit 68822bdf76f1 ("net: generalize skb freeing +deferral to per-cpu lists") exposed this bug because +even if the application reads this data, the skb +with nfct state could stay in a per-cpu cache for +an arbitrary time, if said cpu no longer process RX softirqs. + +Many thanks to Ilya Maximets for reporting this issue, +and for testing various patches: +https://lore.kernel.org/netdev/20220619003919.394622-1-i.maximets@ovn.org/ + +Note that I also added a missing xfrm4_policy_check() call, +although this is probably not a big issue, as the SYN +packet should have been dropped earlier. 
+ +Fixes: b59c270104f0 ("[NETFILTER]: Keep conntrack reference until IPsec policy checks are done") +Reported-by: Ilya Maximets +Signed-off-by: Eric Dumazet +Cc: Florian Westphal +Cc: Pablo Neira Ayuso +Cc: Steffen Klassert +Tested-by: Ilya Maximets +Reviewed-by: Ilya Maximets +Link: https://lore.kernel.org/r/20220623050436.1290307-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index a189625098ba..ac078d081212 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -2014,7 +2014,8 @@ int tcp_v4_rcv(struct sk_buff *skb) + struct sock *nsk; + + sk = req->rsk_listener; +- if (unlikely(tcp_v4_inbound_md5_hash(sk, skb, dif, sdif))) { ++ if (unlikely(tcp_v4_inbound_md5_hash(sk, skb, dif, sdif) || ++ !xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))) { + sk_drops_add(sk, skb); + reqsk_put(req); + goto discard_it; +@@ -2061,6 +2062,7 @@ int tcp_v4_rcv(struct sk_buff *skb) + } + goto discard_and_relse; + } ++ nf_reset_ct(skb); + if (nsk == sk) { + reqsk_put(req); + tcp_v4_restore_cb(skb); +-- +2.35.1 +
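Review bot: In the first tcp_v4_rcv() hunk (@@ -2014) of the tcp nf_reset_ct patch, a failed xfrm4_policy_check() now shares one branch with tcp_v4_inbound_md5_hash(), so both reasons end in the same sk_drops_add() and `goto discard_it` and cannot be told apart when someone is chasing drops on a listener. The commit message calls the added check "probably not a big issue" and the diffstat touches only net/ipv4/tcp_ipv4.c. The message should say whether the IPv6 receive path needs the same policy check and nf_reset_ct() call or is already covered.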
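Review bot: In the second tcp_v4_rcv() hunk (@@ -2061) of the same tcp patch, nf_reset_ct(skb) is added with no comment, although its position is the whole fix: it sits after the `goto discard_and_relse` exit and before the `if (nsk == sk)` test, so it runs on both the listener and the child path before the skb can reach a receive queue. A one-line comment above it, saying that the conntrack reference is dropped here because payload in the third handshake packet may stay queued unread, would keep a later refactor from moving the call into only one of the two branches.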