From a4fd87a4a74c4058802b1b67686d699c45b8f953 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 15 Aug 2022 11:07:43 +0200 Subject: [PATCH] fix up duplicates in 5.19 queue --- ...cu-verify-that-mount_lock-remains-un.patch | 51 -- ...-a-uaf-bug-on-the-error-path-of-prob.patch | 48 -- ...tek-add-quirk-for-clevo-nv45pz.patch-15916 | 35 -- ...-add-quirk-for-hp-spectre-x360-15-eb.patch | 38 -- ...d-quirk-for-behringer-umc202hd.patch-24063 | 37 -- ...fix-usb-interrupts-for-pxs2-soc.patch-2243 | 51 -- ...fix-usb-interrupts-for-pxs3-soc.patch-8226 | 51 -- ...e-after-free-read-in-compute_effecti.patch | 142 ------ ...-replay-if-there-is-unsupported-ro-c.patch | 89 ---- ...-the-connection-field-properly.patch-22500 | 123 ----- ...zalloc-for-sev-ioctl-interfaces-to-p.patch | 90 ---- ...csky-abiv1-fixup-compile-error.patch-25803 | 46 -- ...-userspace-break-from-using-bin_attr.patch | 188 -------- ...-bo-s-requested-pinning-domains-agai.patch | 55 --- ...the-extended-dpcd-capabilities-durin.patch | 57 --- ...elper-fix-out-of-bounds-access.patch-14074 | 100 ---- ...e-framebuffer-and-edid-headers.patch-15144 | 67 --- ...ighest-possible-dma-burst-size.patch-22931 | 110 ----- ...p-dsi-as-lp00-before-dcs-cmds-transf.patch | 15 +- ...-dsi-funcs-to-atomic-operations.patch-7159 | 59 --- ...-poweron-poweroff-from-enable-d.patch-3169 | 130 ------ ...-don-t-print-error-when-we-get-einpr.patch | 38 -- ...t-pm_runtime_put_sync-only-pm_runtim.patch | 62 --- ...ther-off-by-one-in-nvbios_addr.patch-28623 | 40 -- ...fix-failure-path-for-creating-dp-con.patch | 51 -- ...-fix-vmapping-of-prime-buffers.patch-28390 | 56 --- ...able-audio-if-dmas-property-is-prese.patch | 51 -- ...e-wakers-even-more-aggressively.patch-6975 | 95 ---- ...rated-fbdev-scrolling-while-logo-is-.patch | 57 --- ...ry-checks-for-fbcon-vc-n1-n2-paramet.patch | 59 --- ...ndling-in-copy_mc_pipe_to_iter.patch-23282 | 89 ---- ...back-ftrace_expected-assignment.patch-6434 | 49 -- ...k-between-atomic-o_trunc-and-page-in.patch | 176 ------- .../fuse-ioctl-translate-enosys.patch-17448 | 89 ---- queue-5.19/fuse-limit-nsec.patch-2050 | 39 -- ...se-write-inode-in-fuse_release.patch-28840 | 48 -- ...ut-add-surface-go-battery-quirk.patch-7851 | 54 --- ...-add-missing-array-termination.patch-24808 | 43 -- ...ister-pad_input-for-touch-switch.patch-820 | 114 ----- ...ly-report-rotation-for-art-pen.patch-25074 | 101 ---- ...ix-wincompatible-pointer-types-in-ia.patch | 49 -- ...at_avail_range-printing-for-none-iio.patch | 59 --- ...28-fix-the-warning-in-isl29028_remov.patch | 54 --- ...ck-return-value-of-ioremap-in-gscps2.patch | 40 -- ...tel_th-pci-add-meteor-lake-p-support.patch | 15 +- ...th-pci-add-raptor-lake-s-cpu-support.patch | 15 +- ...th-pci-add-raptor-lake-s-pch-support.patch | 15 +- ...sed-overflow-in-set_ntacl_dacl.patch-15594 | 441 ------------------ ...y-leak-in-smb2_handle_negotiate.patch-5672 | 47 -- ...ree-bug-in-smb2_tree_disconect.patch-30412 | 64 --- ...t-of-bound-read-for-smb2_tree_connne.patch | 74 --- ...t-of-bound-read-for-smb2_write.patch-20867 | 128 ----- ...porate-page-offset-into-gfn-pfn-cach.patch | 43 -- ...gpa-param-from-gfn-pfn-cache-s-__rel.patch | 92 ---- ...races-in-gfn-pfn-cache-refresh.patch-19149 | 363 -------------- ...gfn-pfn-cache-refresh-via-mutex.patch-7350 | 112 ----- ...-for-kvm-reserved-cr4-bits-in-consis.patch | 50 -- ...ud-if-vmxon-is-attempted-with-incomp.patch | 80 ---- ...rspace-set-nvmx-msr-to-any-_host_-su.patch | 180 ------- ...t-pre-vm-enter-bndcfgs-for-nested_ru.patch | 58 --- ...t-pre-vm-enter-debugctl-for-nested_r.patch | 59 --- ...a-pfn-reference-when-reusing-a-pfn-i.patch | 46 -- ...sent-the-ecall-interrupt-twice.patch-16826 | 107 ----- ...permit-guests-to-ignore-single-bit-e.patch | 9 +- ...g-if-userspace-injects-an-interrupt-.patch | 67 --- ...-busy-during-ltr-emulation-_after_-a.patch | 71 --- ...-nx-as-a-valid-spte-bit-for-npt.patch-3797 | 70 --- ...r-code-to-segment-selector-on-lldt-l.patch | 47 -- ...p-not-eperm-on-bad-wrmsr-mci_ctl-sta.patch | 9 +- ...m_is_valid_cr4-and-export-only-the-n.patch | 116 ----- ...ions-to-delete-entry-if-unused.patch-21045 | 155 ------ ...che-don-t-reclaim-used-entries.patch-21676 | 55 --- ...the-bitmap-after-destroying-the-thre.patch | 134 ------ .../md-raid10-fix-kasan-warning.patch-1758 | 153 ------ ...v4l2_fwnode-to-fix-build-error.patch-24025 | 44 -- ...atomisp_cmd-fix-three-missing-checks.patch | 148 ------ ...-a-warning-for-config_cpumask_offsta.patch | 68 --- ...rasan-fix-clock-rate-in-nv-ddr.patch-18581 | 51 -- ...an-update-nand-bus-clock-instead-of-.patch | 55 --- ...e-the-iounit-field-during-fid-creati.patch | 9 +- ...entry-is-null-in-ovl_encode_fh.patch-29266 | 62 --- ...-return-value-of-ioremap-in-lba_driv.patch | 44 -- ...op-pa_swapper_pg_lock-spinlock.patch-26906 | 39 -- ...fix-device-names-in-proc-iomem.patch-18836 | 50 -- ...ents_time64-needs-compat-syscall-in-.patch | 42 -- ...n-phy-before-ipq8074-dbi-register-ac.patch | 15 +- ...e-fix-early-tlb-miss-with-kuap.patch-29650 | 93 ---- ...ix-class-code-of-pcie-root-port.patch-7836 | 93 ---- ...v-avoid-crashing-if-rng-is-null.patch-9536 | 44 -- ...splay-of-rw-pages-on-fsl_book3e.patch-3011 | 51 -- ...onfig_debug_info-in-defconfigs.patch-27837 | 309 ------------ ...-extra-atomic_inc-on-cmd_pending-in-.patch | 40 -- ...qla2xxx-edif-fix-dropped-ike-message.patch | 126 ----- ...-crash-due-to-stale-srb-access-aroun.patch | 125 ----- ...overy-issues-in-fc-al-topology.patch-25366 | 116 ----- ...-erroneous-mailbox-timeout-after-pci.patch | 67 --- ...-excessive-i-o-error-messages-by-def.patch | 48 -- ...x-fix-imbalance-vha-vref_count.patch-12738 | 61 --- ...rect-display-of-max-frame-size.patch-30577 | 110 ----- ...-losing-fcp-2-targets-during-port-pe.patch | 41 -- ...-losing-fcp-2-targets-on-long-port-d.patch | 72 --- ...-losing-target-when-it-reappears-dur.patch | 84 ---- ...-response-queue-handler-reading-stal.patch | 128 ----- ...ff-multi-queue-for-8g-adapters.patch-20754 | 68 --- ...-qla2xxx-update-manufacturer-details.patch | 52 --- ...-down-adapter-after-pcie-error.patch-31117 | 210 --------- ...-undefined-mailbox-in-registers.patch-4895 | 41 -- ...-qla2xxx-fix-disk-failure-to-redisco.patch | 74 --- ...iting-for-commands-to-complete-on-re.patch | 147 ------ ...uart-uart2-error-bits-clearing.patch-15528 | 59 --- queue-5.19/series | 119 ----- ...heck-device-status-before-reading-de.patch | 43 -- ...tack-out-of-bound-access-in-spmi-tra.patch | 115 ----- ...x-cooling_device_stats_setup-error-c.patch | 74 --- ...upport-for-brainboxes-px-cards.patch-25863 | 147 ------ ...nitialize-unicode-screen-buffer.patch-8483 | 57 --- .../um-remove-straying-parenthesis.patch-5379 | 40 -- .../um-seed-rng-using-host-os-rng.patch-8415 | 163 ------- ...-high-speed-multiplier-setting.patch-13588 | 44 -- ...et-refactor-dwc3_repare_one_trb.patch-8861 | 151 ------ ...er-free-read-in-usb_udc_uevent.patch-12274 | 78 ---- ...back-issue-in-tasklet-function.patch-24136 | 132 ------ ...cknowledge-the-get_error_status-comm.patch | 46 -- ...h-use-after-free-on-disconnect.patch-30140 | 90 ---- ...fix-deadlock-on-runtime-resume.patch-22908 | 193 -------- ...uncate-maximum-size-in-inode_newsize.patch | 73 --- ...te-kcb-status-flag-after-singlestepp.patch | 67 --- ...ical-not-is-only-applied-to-the-left.patch | 54 --- 128 files changed, 31 insertions(+), 10511 deletions(-) delete mode 100644 queue-5.19/__follow_mount_rcu-verify-that-mount_lock-remains-un.patch delete mode 100644 queue-5.19/alsa-bcd2000-fix-a-uaf-bug-on-the-error-path-of-prob.patch delete mode 100644 queue-5.19/alsa-hda-realtek-add-quirk-for-clevo-nv45pz.patch-15916 delete mode 100644 queue-5.19/alsa-hda-realtek-add-quirk-for-hp-spectre-x360-15-eb.patch delete mode 100644 queue-5.19/alsa-usb-audio-add-quirk-for-behringer-umc202hd.patch-24063 delete mode 100644 queue-5.19/arm-dts-uniphier-fix-usb-interrupts-for-pxs2-soc.patch-2243 delete mode 100644 queue-5.19/arm64-dts-uniphier-fix-usb-interrupts-for-pxs3-soc.patch-8226 delete mode 100644 queue-5.19/bpf-fix-kasan-use-after-free-read-in-compute_effecti.patch delete mode 100644 queue-5.19/btrfs-reject-log-replay-if-there-is-unsupported-ro-c.patch delete mode 100644 queue-5.19/coresight-clear-the-connection-field-properly.patch-22500 delete mode 100644 queue-5.19/crypto-ccp-use-kzalloc-for-sev-ioctl-interfaces-to-p.patch delete mode 100644 queue-5.19/csky-abiv1-fixup-compile-error.patch-25803 delete mode 100644 queue-5.19/drivers-base-fix-userspace-break-from-using-bin_attr.patch delete mode 100644 queue-5.19/drm-amdgpu-check-bo-s-requested-pinning-domains-agai.patch delete mode 100644 queue-5.19/drm-dp-mst-read-the-extended-dpcd-capabilities-durin.patch delete mode 100644 queue-5.19/drm-fb-helper-fix-out-of-bounds-access.patch-14074 delete mode 100644 queue-5.19/drm-hyperv-drm-include-framebuffer-and-edid-headers.patch-15144 delete mode 100644 queue-5.19/drm-ingenic-use-the-highest-possible-dma-burst-size.patch-22931 delete mode 100644 queue-5.19/drm-mediatek-modify-dsi-funcs-to-atomic-operations.patch-7159 delete mode 100644 queue-5.19/drm-mediatek-separate-poweron-poweroff-from-enable-d.patch-3169 delete mode 100644 queue-5.19/drm-nouveau-acpi-don-t-print-error-when-we-get-einpr.patch delete mode 100644 queue-5.19/drm-nouveau-don-t-pm_runtime_put_sync-only-pm_runtim.patch delete mode 100644 queue-5.19/drm-nouveau-fix-another-off-by-one-in-nvbios_addr.patch-28623 delete mode 100644 queue-5.19/drm-nouveau-kms-fix-failure-path-for-creating-dp-con.patch delete mode 100644 queue-5.19/drm-tegra-fix-vmapping-of-prime-buffers.patch-28390 delete mode 100644 queue-5.19/drm-vc4-hdmi-disable-audio-if-dmas-property-is-prese.patch delete mode 100644 queue-5.19/epoll-autoremove-wakers-even-more-aggressively.patch-6975 delete mode 100644 queue-5.19/fbcon-fix-accelerated-fbdev-scrolling-while-logo-is-.patch delete mode 100644 queue-5.19/fbcon-fix-boundary-checks-for-fbcon-vc-n1-n2-paramet.patch delete mode 100644 queue-5.19/fix-short-copy-handling-in-copy_mc_pipe_to_iter.patch-23282 delete mode 100644 queue-5.19/ftrace-x86-add-back-ftrace_expected-assignment.patch-6434 delete mode 100644 queue-5.19/fuse-fix-deadlock-between-atomic-o_trunc-and-page-in.patch delete mode 100644 queue-5.19/fuse-ioctl-translate-enosys.patch-17448 delete mode 100644 queue-5.19/fuse-limit-nsec.patch-2050 delete mode 100644 queue-5.19/fuse-write-inode-in-fuse_release.patch-28840 delete mode 100644 queue-5.19/hid-hid-input-add-surface-go-battery-quirk.patch-7851 delete mode 100644 queue-5.19/hid-nintendo-add-missing-array-termination.patch-24808 delete mode 100644 queue-5.19/hid-wacom-don-t-register-pad_input-for-touch-switch.patch-820 delete mode 100644 queue-5.19/hid-wacom-only-report-rotation-for-art-pen.patch-25074 delete mode 100644 queue-5.19/ia64-processor-fix-wincompatible-pointer-types-in-ia.patch delete mode 100644 queue-5.19/iio-fix-iio_format_avail_range-printing-for-none-iio.patch delete mode 100644 queue-5.19/iio-light-isl29028-fix-the-warning-in-isl29028_remov.patch delete mode 100644 queue-5.19/input-gscps2-check-return-value-of-ioremap-in-gscps2.patch delete mode 100644 queue-5.19/ksmbd-fix-heap-based-overflow-in-set_ntacl_dacl.patch-15594 delete mode 100644 queue-5.19/ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch-5672 delete mode 100644 queue-5.19/ksmbd-fix-use-after-free-bug-in-smb2_tree_disconect.patch-30412 delete mode 100644 queue-5.19/ksmbd-prevent-out-of-bound-read-for-smb2_tree_connne.patch delete mode 100644 queue-5.19/ksmbd-prevent-out-of-bound-read-for-smb2_write.patch-20867 delete mode 100644 queue-5.19/kvm-do-not-incorporate-page-offset-into-gfn-pfn-cach.patch delete mode 100644 queue-5.19/kvm-drop-unused-gpa-param-from-gfn-pfn-cache-s-__rel.patch delete mode 100644 queue-5.19/kvm-fix-multiple-races-in-gfn-pfn-cache-refresh.patch-19149 delete mode 100644 queue-5.19/kvm-fully-serialize-gfn-pfn-cache-refresh-via-mutex.patch-7350 delete mode 100644 queue-5.19/kvm-nvmx-account-for-kvm-reserved-cr4-bits-in-consis.patch delete mode 100644 queue-5.19/kvm-nvmx-inject-ud-if-vmxon-is-attempted-with-incomp.patch delete mode 100644 queue-5.19/kvm-nvmx-let-userspace-set-nvmx-msr-to-any-_host_-su.patch delete mode 100644 queue-5.19/kvm-nvmx-snapshot-pre-vm-enter-bndcfgs-for-nested_ru.patch delete mode 100644 queue-5.19/kvm-nvmx-snapshot-pre-vm-enter-debugctl-for-nested_r.patch delete mode 100644 queue-5.19/kvm-put-the-extra-pfn-reference-when-reusing-a-pfn-i.patch delete mode 100644 queue-5.19/kvm-s390-pv-don-t-present-the-ecall-interrupt-twice.patch-16826 delete mode 100644 queue-5.19/kvm-svm-don-t-bug-if-userspace-injects-an-interrupt-.patch delete mode 100644 queue-5.19/kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch delete mode 100644 queue-5.19/kvm-x86-mmu-treat-nx-as-a-valid-spte-bit-for-npt.patch-3797 delete mode 100644 queue-5.19/kvm-x86-set-error-code-to-segment-selector-on-lldt-l.patch delete mode 100644 queue-5.19/kvm-x86-split-kvm_is_valid_cr4-and-export-only-the-n.patch delete mode 100644 queue-5.19/mbcache-add-functions-to-delete-entry-if-unused.patch-21045 delete mode 100644 queue-5.19/mbcache-don-t-reclaim-used-entries.patch-21676 delete mode 100644 queue-5.19/md-raid-destroy-the-bitmap-after-destroying-the-thre.patch delete mode 100644 queue-5.19/md-raid10-fix-kasan-warning.patch-1758 delete mode 100644 queue-5.19/media-isl7998x-select-v4l2_fwnode-to-fix-build-error.patch-24025 delete mode 100644 queue-5.19/media-patch-pci-atomisp_cmd-fix-three-missing-checks.patch delete mode 100644 queue-5.19/mips-cpuinfo-fix-a-warning-for-config_cpumask_offsta.patch delete mode 100644 queue-5.19/mtd-rawnand-arasan-fix-clock-rate-in-nv-ddr.patch-18581 delete mode 100644 queue-5.19/mtd-rawnand-arasan-update-nand-bus-clock-instead-of-.patch delete mode 100644 queue-5.19/ovl-drop-warn_on-dentry-is-null-in-ovl_encode_fh.patch-29266 delete mode 100644 queue-5.19/parisc-check-the-return-value-of-ioremap-in-lba_driv.patch delete mode 100644 queue-5.19/parisc-drop-pa_swapper_pg_lock-spinlock.patch-26906 delete mode 100644 queue-5.19/parisc-fix-device-names-in-proc-iomem.patch-18836 delete mode 100644 queue-5.19/parisc-io_pgetevents_time64-needs-compat-syscall-in-.patch delete mode 100644 queue-5.19/powerpc-64e-fix-early-tlb-miss-with-kuap.patch-29650 delete mode 100644 queue-5.19/powerpc-fsl-pci-fix-class-code-of-pcie-root-port.patch-7836 delete mode 100644 queue-5.19/powerpc-powernv-avoid-crashing-if-rng-is-null.patch-9536 delete mode 100644 queue-5.19/powerpc-ptdump-fix-display-of-rw-pages-on-fsl_book3e.patch-3011 delete mode 100644 queue-5.19/powerpc-restore-config_debug_info-in-defconfigs.patch-27837 delete mode 100644 queue-5.19/scsi-lpfc-remove-extra-atomic_inc-on-cmd_pending-in-.patch delete mode 100644 queue-5.19/scsi-qla2xxx-edif-fix-dropped-ike-message.patch delete mode 100644 queue-5.19/scsi-qla2xxx-fix-crash-due-to-stale-srb-access-aroun.patch delete mode 100644 queue-5.19/scsi-qla2xxx-fix-discovery-issues-in-fc-al-topology.patch-25366 delete mode 100644 queue-5.19/scsi-qla2xxx-fix-erroneous-mailbox-timeout-after-pci.patch delete mode 100644 queue-5.19/scsi-qla2xxx-fix-excessive-i-o-error-messages-by-def.patch delete mode 100644 queue-5.19/scsi-qla2xxx-fix-imbalance-vha-vref_count.patch-12738 delete mode 100644 queue-5.19/scsi-qla2xxx-fix-incorrect-display-of-max-frame-size.patch-30577 delete mode 100644 queue-5.19/scsi-qla2xxx-fix-losing-fcp-2-targets-during-port-pe.patch delete mode 100644 queue-5.19/scsi-qla2xxx-fix-losing-fcp-2-targets-on-long-port-d.patch delete mode 100644 queue-5.19/scsi-qla2xxx-fix-losing-target-when-it-reappears-dur.patch delete mode 100644 queue-5.19/scsi-qla2xxx-fix-response-queue-handler-reading-stal.patch delete mode 100644 queue-5.19/scsi-qla2xxx-turn-off-multi-queue-for-8g-adapters.patch-20754 delete mode 100644 queue-5.19/scsi-qla2xxx-update-manufacturer-details.patch delete mode 100644 queue-5.19/scsi-qla2xxx-wind-down-adapter-after-pcie-error.patch-31117 delete mode 100644 queue-5.19/scsi-qla2xxx-zero-undefined-mailbox-in-registers.patch-4895 delete mode 100644 queue-5.19/scsi-revert-scsi-qla2xxx-fix-disk-failure-to-redisco.patch delete mode 100644 queue-5.19/scsi-sg-allow-waiting-for-commands-to-complete-on-re.patch delete mode 100644 queue-5.19/serial-mvebu-uart-uart2-error-bits-clearing.patch-15528 delete mode 100644 queue-5.19/soundwire-qcom-check-device-status-before-reading-de.patch delete mode 100644 queue-5.19/spmi-trace-fix-stack-out-of-bound-access-in-spmi-tra.patch delete mode 100644 queue-5.19/thermal-sysfs-fix-cooling_device_stats_setup-error-c.patch delete mode 100644 queue-5.19/tty-8250-add-support-for-brainboxes-px-cards.patch-25863 delete mode 100644 queue-5.19/tty-vt-initialize-unicode-screen-buffer.patch-8483 delete mode 100644 queue-5.19/um-remove-straying-parenthesis.patch-5379 delete mode 100644 queue-5.19/um-seed-rng-using-host-os-rng.patch-8415 delete mode 100644 queue-5.19/usb-dwc3-gadget-fix-high-speed-multiplier-setting.patch-13588 delete mode 100644 queue-5.19/usb-dwc3-gadget-refactor-dwc3_repare_one_trb.patch-8861 delete mode 100644 queue-5.19/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch-12274 delete mode 100644 queue-5.19/usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch-24136 delete mode 100644 queue-5.19/usb-typec-ucsi-acknowledge-the-get_error_status-comm.patch delete mode 100644 queue-5.19/usbnet-fix-linkwatch-use-after-free-on-disconnect.patch-30140 delete mode 100644 queue-5.19/usbnet-smsc95xx-fix-deadlock-on-runtime-resume.patch-22908 delete mode 100644 queue-5.19/vfs-check-the-truncate-maximum-size-in-inode_newsize.patch delete mode 100644 queue-5.19/x86-kprobes-update-kcb-status-flag-after-singlestepp.patch delete mode 100644 queue-5.19/x86-olpc-fix-logical-not-is-only-applied-to-the-left.patch diff --git a/queue-5.19/__follow_mount_rcu-verify-that-mount_lock-remains-un.patch b/queue-5.19/__follow_mount_rcu-verify-that-mount_lock-remains-un.patch deleted file mode 100644 index b6af4d9d01e..00000000000 --- a/queue-5.19/__follow_mount_rcu-verify-that-mount_lock-remains-un.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 14eb61274e33ef7ccdbc22c5a5afca83678ede58 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 4 Jul 2022 17:26:29 -0400 -Subject: __follow_mount_rcu(): verify that mount_lock remains unchanged - -From: Al Viro - -[ Upstream commit 20aac6c60981f5bfacd66661d090d907bf1482f0 ] - -Validate mount_lock seqcount as soon as we cross into mount in RCU -mode. Sure, ->mnt_root is pinned and will remain so until we -do rcu_read_unlock() anyway, and we will eventually fail to unlazy if -the mount_lock had been touched, but we might run into a hard error -(e.g. -ENOENT) before trying to unlazy. And it's possible to end -up with RCU pathwalk racing with rename() and umount() in a way -that would fail with -ENOENT while non-RCU pathwalk would've -succeeded with any timings. - -Once upon a time we hadn't needed that, but analysis had been subtle, -brittle and went out of window as soon as RENAME_EXCHANGE had been -added. - -It's narrow, hard to hit and won't get you anything other than -stray -ENOENT that could be arranged in much easier way with the -same priveleges, but it's a bug all the same. - -Cc: stable@kernel.org -X-sky-is-falling: unlikely -Fixes: da1ce0670c14 "vfs: add cross-rename" -Signed-off-by: Al Viro -Signed-off-by: Sasha Levin ---- - fs/namei.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/fs/namei.c b/fs/namei.c -index 1f28d3f463c3..4dbf55b37ec6 100644 ---- a/fs/namei.c -+++ b/fs/namei.c -@@ -1505,6 +1505,8 @@ static bool __follow_mount_rcu(struct nameidata *nd, struct path *path, - * becoming unpinned. - */ - flags = dentry->d_flags; -+ if (read_seqretry(&mount_lock, nd->m_seq)) -+ return false; - continue; - } - if (read_seqretry(&mount_lock, nd->m_seq)) --- -2.35.1 - diff --git a/queue-5.19/alsa-bcd2000-fix-a-uaf-bug-on-the-error-path-of-prob.patch b/queue-5.19/alsa-bcd2000-fix-a-uaf-bug-on-the-error-path-of-prob.patch deleted file mode 100644 index 9d10a34dbb8..00000000000 --- a/queue-5.19/alsa-bcd2000-fix-a-uaf-bug-on-the-error-path-of-prob.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 9305db9f54d884157d6086c63315de25fc2537bb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 15 Jul 2022 09:05:15 +0800 -Subject: ALSA: bcd2000: Fix a UAF bug on the error path of probing - -From: Zheyu Ma - -[ Upstream commit ffb2759df7efbc00187bfd9d1072434a13a54139 ] - -When the driver fails in snd_card_register() at probe time, it will free -the 'bcd2k->midi_out_urb' before killing it, which may cause a UAF bug. - -The following log can reveal it: - -[ 50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000] -[ 50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0 -[ 50.729530] Call Trace: -[ 50.732899] bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000] - -Fix this by adding usb_kill_urb() before usb_free_urb(). - -Fixes: b47a22290d58 ("ALSA: MIDI driver for Behringer BCD2000 USB device") -Signed-off-by: Zheyu Ma -Cc: -Link: https://lore.kernel.org/r/20220715010515.2087925-1-zheyuma97@gmail.com -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - sound/usb/bcd2000/bcd2000.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/sound/usb/bcd2000/bcd2000.c b/sound/usb/bcd2000/bcd2000.c -index cd4a0bc6d278..7aec0a95c609 100644 ---- a/sound/usb/bcd2000/bcd2000.c -+++ b/sound/usb/bcd2000/bcd2000.c -@@ -348,7 +348,8 @@ static int bcd2000_init_midi(struct bcd2000 *bcd2k) - static void bcd2000_free_usb_related_resources(struct bcd2000 *bcd2k, - struct usb_interface *interface) - { -- /* usb_kill_urb not necessary, urb is aborted automatically */ -+ usb_kill_urb(bcd2k->midi_out_urb); -+ usb_kill_urb(bcd2k->midi_in_urb); - - usb_free_urb(bcd2k->midi_out_urb); - usb_free_urb(bcd2k->midi_in_urb); --- -2.35.1 - diff --git a/queue-5.19/alsa-hda-realtek-add-quirk-for-clevo-nv45pz.patch-15916 b/queue-5.19/alsa-hda-realtek-add-quirk-for-clevo-nv45pz.patch-15916 deleted file mode 100644 index 5718dd51228..00000000000 --- a/queue-5.19/alsa-hda-realtek-add-quirk-for-clevo-nv45pz.patch-15916 +++ /dev/null @@ -1,35 +0,0 @@ -From ec205a0c7a273c9b18e5866c366403ce72bde318 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 30 Jul 2022 21:22:43 -0600 -Subject: ALSA: hda/realtek: Add quirk for Clevo NV45PZ - -From: Tim Crawford - -[ Upstream commit be561ffad708f0cee18aee4231f80ffafaf7a419 ] - -Fixes headset detection on Clevo NV45PZ. - -Signed-off-by: Tim Crawford -Cc: -Link: https://lore.kernel.org/r/20220731032243.4300-1-tcrawford@system76.com -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - sound/pci/hda/patch_realtek.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index 2f55bc43bfa9..6a65b962e96d 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -9203,6 +9203,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { - SND_PCI_QUIRK(0x1558, 0x4018, "Clevo NV40M[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1558, 0x4019, "Clevo NV40MZ", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1558, 0x4020, "Clevo NV40MB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), -+ SND_PCI_QUIRK(0x1558, 0x4041, "Clevo NV4[15]PZ", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1558, 0x40a1, "Clevo NL40GU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1558, 0x40c1, "Clevo NL40[CZ]U", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1558, 0x40d1, "Clevo NL41DU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), --- -2.35.1 - diff --git a/queue-5.19/alsa-hda-realtek-add-quirk-for-hp-spectre-x360-15-eb.patch b/queue-5.19/alsa-hda-realtek-add-quirk-for-hp-spectre-x360-15-eb.patch deleted file mode 100644 index 18053200948..00000000000 --- a/queue-5.19/alsa-hda-realtek-add-quirk-for-hp-spectre-x360-15-eb.patch +++ /dev/null @@ -1,38 +0,0 @@ -From e0d45922b6479d94a947996ea00a627b829dfb4d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 3 Aug 2022 18:40:01 +0200 -Subject: ALSA: hda/realtek: Add quirk for HP Spectre x360 15-eb0xxx - -From: Ivan Hasenkampf - -[ Upstream commit 24df5428ef9d1ca1edd54eca7eb667110f2dfae3 ] - -Fixes speaker output on HP Spectre x360 15-eb0xxx - -[ re-sorted in SSID order by tiwai ] - -Signed-off-by: Ivan Hasenkampf -Cc: -Link: https://lore.kernel.org/r/20220803164001.290394-1-ivan.hasenkampf@gmail.com -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - sound/pci/hda/patch_realtek.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index 6a65b962e96d..93680621c90f 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -9044,6 +9044,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { - SND_PCI_QUIRK(0x103c, 0x861f, "HP Elite Dragonfly G1", ALC285_FIXUP_HP_GPIO_AMP_INIT), - SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED), - SND_PCI_QUIRK(0x103c, 0x86c7, "HP Envy AiO 32", ALC274_FIXUP_HP_ENVY_GPIO), -+ SND_PCI_QUIRK(0x103c, 0x86e7, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1), -+ SND_PCI_QUIRK(0x103c, 0x86e8, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1), - SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), - SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), - SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED), --- -2.35.1 - diff --git a/queue-5.19/alsa-usb-audio-add-quirk-for-behringer-umc202hd.patch-24063 b/queue-5.19/alsa-usb-audio-add-quirk-for-behringer-umc202hd.patch-24063 deleted file mode 100644 index c34f41cb1e7..00000000000 --- a/queue-5.19/alsa-usb-audio-add-quirk-for-behringer-umc202hd.patch-24063 +++ /dev/null @@ -1,37 +0,0 @@ -From 03c77c56dcd131bc52f4fee118914a7ca7899ceb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 22 Jul 2022 16:39:48 +0200 -Subject: ALSA: usb-audio: Add quirk for Behringer UMC202HD - -From: Takashi Iwai - -[ Upstream commit e086c37f876fd1f551e2b4f9be97d4a1923cd219 ] - -Just like other Behringer models, UMC202HD (USB ID 1397:0507) requires -the quirk for the stable streaming, too. - -BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=215934 -Cc: -Link: https://lore.kernel.org/r/20220722143948.29804-1-tiwai@suse.de -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - sound/usb/quirks.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c -index 968d90caeefa..168fd802d70b 100644 ---- a/sound/usb/quirks.c -+++ b/sound/usb/quirks.c -@@ -1843,6 +1843,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = { - QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER), - DEVICE_FLG(0x1395, 0x740a, /* Sennheiser DECT */ - QUIRK_FLAG_GET_SAMPLE_RATE), -+ DEVICE_FLG(0x1397, 0x0507, /* Behringer UMC202HD */ -+ QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB), - DEVICE_FLG(0x1397, 0x0508, /* Behringer UMC204HD */ - QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB), - DEVICE_FLG(0x1397, 0x0509, /* Behringer UMC404HD */ --- -2.35.1 - diff --git a/queue-5.19/arm-dts-uniphier-fix-usb-interrupts-for-pxs2-soc.patch-2243 b/queue-5.19/arm-dts-uniphier-fix-usb-interrupts-for-pxs2-soc.patch-2243 deleted file mode 100644 index c0359bc00d6..00000000000 --- a/queue-5.19/arm-dts-uniphier-fix-usb-interrupts-for-pxs2-soc.patch-2243 +++ /dev/null @@ -1,51 +0,0 @@ -From b4923067cbd4e5d5d7227feb103adcbdacae9b80 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 2 Aug 2022 22:36:25 +0900 -Subject: ARM: dts: uniphier: Fix USB interrupts for PXs2 SoC - -From: Kunihiko Hayashi - -[ Upstream commit 9b0dc7abb5cc43a2dbf90690c3c6011dcadc574d ] - -An interrupt for USB device are shared with USB host. Set interrupt-names -property to common "dwc_usb3" instead of "host" and "peripheral". - -Cc: stable@vger.kernel.org -Fixes: 45be1573ad19 ("ARM: dts: uniphier: Add USB3 controller nodes") -Reported-by: Ryuta NAKANISHI -Signed-off-by: Kunihiko Hayashi -Signed-off-by: Arnd Bergmann -Signed-off-by: Sasha Levin ---- - arch/arm/boot/dts/uniphier-pxs2.dtsi | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/arch/arm/boot/dts/uniphier-pxs2.dtsi b/arch/arm/boot/dts/uniphier-pxs2.dtsi -index e81e5937a60a..03301ddb3403 100644 ---- a/arch/arm/boot/dts/uniphier-pxs2.dtsi -+++ b/arch/arm/boot/dts/uniphier-pxs2.dtsi -@@ -597,8 +597,8 @@ usb0: usb@65a00000 { - compatible = "socionext,uniphier-dwc3", "snps,dwc3"; - status = "disabled"; - reg = <0x65a00000 0xcd00>; -- interrupt-names = "host", "peripheral"; -- interrupts = <0 134 4>, <0 135 4>; -+ interrupt-names = "dwc_usb3"; -+ interrupts = <0 134 4>; - pinctrl-names = "default"; - pinctrl-0 = <&pinctrl_usb0>, <&pinctrl_usb2>; - clock-names = "ref", "bus_early", "suspend"; -@@ -693,8 +693,8 @@ usb1: usb@65c00000 { - compatible = "socionext,uniphier-dwc3", "snps,dwc3"; - status = "disabled"; - reg = <0x65c00000 0xcd00>; -- interrupt-names = "host", "peripheral"; -- interrupts = <0 137 4>, <0 138 4>; -+ interrupt-names = "dwc_usb3"; -+ interrupts = <0 137 4>; - pinctrl-names = "default"; - pinctrl-0 = <&pinctrl_usb1>, <&pinctrl_usb3>; - clock-names = "ref", "bus_early", "suspend"; --- -2.35.1 - diff --git a/queue-5.19/arm64-dts-uniphier-fix-usb-interrupts-for-pxs3-soc.patch-8226 b/queue-5.19/arm64-dts-uniphier-fix-usb-interrupts-for-pxs3-soc.patch-8226 deleted file mode 100644 index 794d18078b6..00000000000 --- a/queue-5.19/arm64-dts-uniphier-fix-usb-interrupts-for-pxs3-soc.patch-8226 +++ /dev/null @@ -1,51 +0,0 @@ -From 2a0fbcf58cb586a5517846eeb48180483653574a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 2 Aug 2022 22:36:47 +0900 -Subject: arm64: dts: uniphier: Fix USB interrupts for PXs3 SoC - -From: Kunihiko Hayashi - -[ Upstream commit fe17b91a7777df140d0f1433991da67ba658796c ] - -An interrupt for USB device are shared with USB host. Set interrupt-names -property to common "dwc_usb3" instead of "host" and "peripheral". - -Cc: stable@vger.kernel.org -Fixes: d7b9beb830d7 ("arm64: dts: uniphier: Add USB3 controller nodes") -Reported-by: Ryuta NAKANISHI -Signed-off-by: Kunihiko Hayashi -Signed-off-by: Arnd Bergmann -Signed-off-by: Sasha Levin ---- - arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi b/arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi -index be97da132258..ba75adedbf79 100644 ---- a/arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi -+++ b/arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi -@@ -599,8 +599,8 @@ usb0: usb@65a00000 { - compatible = "socionext,uniphier-dwc3", "snps,dwc3"; - status = "disabled"; - reg = <0x65a00000 0xcd00>; -- interrupt-names = "host", "peripheral"; -- interrupts = <0 134 4>, <0 135 4>; -+ interrupt-names = "dwc_usb3"; -+ interrupts = <0 134 4>; - pinctrl-names = "default"; - pinctrl-0 = <&pinctrl_usb0>, <&pinctrl_usb2>; - clock-names = "ref", "bus_early", "suspend"; -@@ -701,8 +701,8 @@ usb1: usb@65c00000 { - compatible = "socionext,uniphier-dwc3", "snps,dwc3"; - status = "disabled"; - reg = <0x65c00000 0xcd00>; -- interrupt-names = "host", "peripheral"; -- interrupts = <0 137 4>, <0 138 4>; -+ interrupt-names = "dwc_usb3"; -+ interrupts = <0 137 4>; - pinctrl-names = "default"; - pinctrl-0 = <&pinctrl_usb1>, <&pinctrl_usb3>; - clock-names = "ref", "bus_early", "suspend"; --- -2.35.1 - diff --git a/queue-5.19/bpf-fix-kasan-use-after-free-read-in-compute_effecti.patch b/queue-5.19/bpf-fix-kasan-use-after-free-read-in-compute_effecti.patch deleted file mode 100644 index cad01d84ee1..00000000000 --- a/queue-5.19/bpf-fix-kasan-use-after-free-read-in-compute_effecti.patch +++ /dev/null @@ -1,142 +0,0 @@ -From 98b8d2386f7e0243a609a693968681f979d159f1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 17 May 2022 11:04:20 -0700 -Subject: bpf: Fix KASAN use-after-free Read in compute_effective_progs - -From: Tadeusz Struk - -[ Upstream commit 4c46091ee985ae84c60c5e95055d779fcd291d87 ] - -Syzbot found a Use After Free bug in compute_effective_progs(). -The reproducer creates a number of BPF links, and causes a fault -injected alloc to fail, while calling bpf_link_detach on them. -Link detach triggers the link to be freed by bpf_link_free(), -which calls __cgroup_bpf_detach() and update_effective_progs(). -If the memory allocation in this function fails, the function restores -the pointer to the bpf_cgroup_link on the cgroup list, but the memory -gets freed just after it returns. After this, every subsequent call to -update_effective_progs() causes this already deallocated pointer to be -dereferenced in prog_list_length(), and triggers KASAN UAF error. - -To fix this issue don't preserve the pointer to the prog or link in the -list, but remove it and replace it with a dummy prog without shrinking -the table. The subsequent call to __cgroup_bpf_detach() or -__cgroup_bpf_detach() will correct it. - -Fixes: af6eea57437a ("bpf: Implement bpf_link-based cgroup BPF program attachment") -Reported-by: -Signed-off-by: Tadeusz Struk -Signed-off-by: Andrii Nakryiko -Cc: -Link: https://syzkaller.appspot.com/bug?id=8ebf179a95c2a2670f7cf1ba62429ec044369db4 -Link: https://lore.kernel.org/bpf/20220517180420.87954-1-tadeusz.struk@linaro.org -Signed-off-by: Sasha Levin ---- - kernel/bpf/cgroup.c | 70 ++++++++++++++++++++++++++++++++++++++------- - 1 file changed, 60 insertions(+), 10 deletions(-) - -diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c -index afb414b26d01..7a394f7c205c 100644 ---- a/kernel/bpf/cgroup.c -+++ b/kernel/bpf/cgroup.c -@@ -720,6 +720,60 @@ static struct bpf_prog_list *find_detach_entry(struct list_head *progs, - return ERR_PTR(-ENOENT); - } - -+/** -+ * purge_effective_progs() - After compute_effective_progs fails to alloc new -+ * cgrp->bpf.inactive table we can recover by -+ * recomputing the array in place. -+ * -+ * @cgrp: The cgroup which descendants to travers -+ * @prog: A program to detach or NULL -+ * @link: A link to detach or NULL -+ * @atype: Type of detach operation -+ */ -+static void purge_effective_progs(struct cgroup *cgrp, struct bpf_prog *prog, -+ struct bpf_cgroup_link *link, -+ enum cgroup_bpf_attach_type atype) -+{ -+ struct cgroup_subsys_state *css; -+ struct bpf_prog_array *progs; -+ struct bpf_prog_list *pl; -+ struct list_head *head; -+ struct cgroup *cg; -+ int pos; -+ -+ /* recompute effective prog array in place */ -+ css_for_each_descendant_pre(css, &cgrp->self) { -+ struct cgroup *desc = container_of(css, struct cgroup, self); -+ -+ if (percpu_ref_is_zero(&desc->bpf.refcnt)) -+ continue; -+ -+ /* find position of link or prog in effective progs array */ -+ for (pos = 0, cg = desc; cg; cg = cgroup_parent(cg)) { -+ if (pos && !(cg->bpf.flags[atype] & BPF_F_ALLOW_MULTI)) -+ continue; -+ -+ head = &cg->bpf.progs[atype]; -+ list_for_each_entry(pl, head, node) { -+ if (!prog_list_prog(pl)) -+ continue; -+ if (pl->prog == prog && pl->link == link) -+ goto found; -+ pos++; -+ } -+ } -+found: -+ BUG_ON(!cg); -+ progs = rcu_dereference_protected( -+ desc->bpf.effective[atype], -+ lockdep_is_held(&cgroup_mutex)); -+ -+ /* Remove the program from the array */ -+ WARN_ONCE(bpf_prog_array_delete_safe_at(progs, pos), -+ "Failed to purge a prog from array at index %d", pos); -+ } -+} -+ - /** - * __cgroup_bpf_detach() - Detach the program or link from a cgroup, and - * propagate the change to descendants -@@ -739,7 +793,6 @@ static int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog, - struct bpf_prog_list *pl; - struct list_head *progs; - u32 flags; -- int err; - - atype = to_cgroup_bpf_attach_type(type); - if (atype < 0) -@@ -761,9 +814,12 @@ static int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog, - pl->prog = NULL; - pl->link = NULL; - -- err = update_effective_progs(cgrp, atype); -- if (err) -- goto cleanup; -+ if (update_effective_progs(cgrp, atype)) { -+ /* if update effective array failed replace the prog with a dummy prog*/ -+ pl->prog = old_prog; -+ pl->link = link; -+ purge_effective_progs(cgrp, old_prog, link, atype); -+ } - - /* now can actually delete it from this cgroup list */ - list_del(&pl->node); -@@ -775,12 +831,6 @@ static int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog, - bpf_prog_put(old_prog); - static_branch_dec(&cgroup_bpf_enabled_key[atype]); - return 0; -- --cleanup: -- /* restore back prog or link */ -- pl->prog = old_prog; -- pl->link = link; -- return err; - } - - static int cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog, --- -2.35.1 - diff --git a/queue-5.19/btrfs-reject-log-replay-if-there-is-unsupported-ro-c.patch b/queue-5.19/btrfs-reject-log-replay-if-there-is-unsupported-ro-c.patch deleted file mode 100644 index 9e3ca8d33c7..00000000000 --- a/queue-5.19/btrfs-reject-log-replay-if-there-is-unsupported-ro-c.patch +++ /dev/null @@ -1,89 +0,0 @@ -From ce8a11f5c1af5069d3c52bc8a1d74d83d8775bb8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 Jun 2022 19:48:24 +0800 -Subject: btrfs: reject log replay if there is unsupported RO compat flag - -From: Qu Wenruo - -[ Upstream commit dc4d31684974d140250f3ee612c3f0cab13b3146 ] - -[BUG] -If we have a btrfs image with dirty log, along with an unsupported RO -compatible flag: - -log_root 30474240 -... -compat_flags 0x0 -compat_ro_flags 0x40000003 - ( FREE_SPACE_TREE | - FREE_SPACE_TREE_VALID | - unknown flag: 0x40000000 ) - -Then even if we can only mount it RO, we will still cause metadata -update for log replay: - - BTRFS info (device dm-1): flagging fs with big metadata feature - BTRFS info (device dm-1): using free space tree - BTRFS info (device dm-1): has skinny extents - BTRFS info (device dm-1): start tree-log replay - -This is definitely against RO compact flag requirement. - -[CAUSE] -RO compact flag only forces us to do RO mount, but we will still do log -replay for plain RO mount. - -Thus this will result us to do log replay and update metadata. - -This can be very problematic for new RO compat flag, for example older -kernel can not understand v2 cache, and if we allow metadata update on -RO mount and invalidate/corrupt v2 cache. - -[FIX] -Just reject the mount unless rescue=nologreplay is provided: - - BTRFS error (device dm-1): cannot replay dirty log with unsupport optional features (0x40000000), try rescue=nologreplay instead - -We don't want to set rescue=nologreply directly, as this would make the -end user to read the old data, and cause confusion. - -Since the such case is really rare, we're mostly fine to just reject the -mount with an error message, which also includes the proper workaround. - -CC: stable@vger.kernel.org #4.9+ -Signed-off-by: Qu Wenruo -Reviewed-by: David Sterba -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin ---- - fs/btrfs/disk-io.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c -index de440ebf5648..8daa5bb93a4c 100644 ---- a/fs/btrfs/disk-io.c -+++ b/fs/btrfs/disk-io.c -@@ -3670,6 +3670,20 @@ int __cold open_ctree(struct super_block *sb, struct btrfs_fs_devices *fs_device - err = -EINVAL; - goto fail_alloc; - } -+ /* -+ * We have unsupported RO compat features, although RO mounted, we -+ * should not cause any metadata write, including log replay. -+ * Or we could screw up whatever the new feature requires. -+ */ -+ if (unlikely(features && btrfs_super_log_root(disk_super) && -+ !btrfs_test_opt(fs_info, NOLOGREPLAY))) { -+ btrfs_err(fs_info, -+"cannot replay dirty log with unsupported compat_ro features (0x%llx), try rescue=nologreplay", -+ features); -+ err = -EINVAL; -+ goto fail_alloc; -+ } -+ - - if (sectorsize < PAGE_SIZE) { - struct btrfs_subpage_info *subpage_info; --- -2.35.1 - diff --git a/queue-5.19/coresight-clear-the-connection-field-properly.patch-22500 b/queue-5.19/coresight-clear-the-connection-field-properly.patch-22500 deleted file mode 100644 index 4a2039b73b3..00000000000 --- a/queue-5.19/coresight-clear-the-connection-field-properly.patch-22500 +++ /dev/null @@ -1,123 +0,0 @@ -From 8eeb51ad2a4674628201ee893e70546808e56fb4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 14 Jun 2022 22:40:24 +0100 -Subject: coresight: Clear the connection field properly - -From: Suzuki K Poulose - -[ Upstream commit 2af89ebacf299b7fba5f3087d35e8a286ec33706 ] - -coresight devices track their connections (output connections) and -hold a reference to the fwnode. When a device goes away, we walk through -the devices on the coresight bus and make sure that the references -are dropped. This happens both ways: - a) For all output connections from the device, drop the reference to - the target device via coresight_release_platform_data() - -b) Iterate over all the devices on the coresight bus and drop the - reference to fwnode if *this* device is the target of the output - connection, via coresight_remove_conns()->coresight_remove_match(). - -However, the coresight_remove_match() doesn't clear the fwnode field, -after dropping the reference, this causes use-after-free and -additional refcount drops on the fwnode. - -e.g., if we have two devices, A and B, with a connection, A -> B. -If we remove B first, B would clear the reference on B, from A -via coresight_remove_match(). But when A is removed, it still has -a connection with fwnode still pointing to B. Thus it tries to drops -the reference in coresight_release_platform_data(), raising the bells -like : - -[ 91.990153] ------------[ cut here ]------------ -[ 91.990163] refcount_t: addition on 0; use-after-free. -[ 91.990212] WARNING: CPU: 0 PID: 461 at lib/refcount.c:25 refcount_warn_saturate+0xa0/0x144 -[ 91.990260] Modules linked in: coresight_funnel coresight_replicator coresight_etm4x(-) - crct10dif_ce coresight ip_tables x_tables ipv6 [last unloaded: coresight_cpu_debug] -[ 91.990398] CPU: 0 PID: 461 Comm: rmmod Tainted: G W T 5.19.0-rc2+ #53 -[ 91.990418] Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb 1 2019 -[ 91.990434] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) -[ 91.990454] pc : refcount_warn_saturate+0xa0/0x144 -[ 91.990476] lr : refcount_warn_saturate+0xa0/0x144 -[ 91.990496] sp : ffff80000c843640 -[ 91.990509] x29: ffff80000c843640 x28: ffff800009957c28 x27: ffff80000c8439a8 -[ 91.990560] x26: ffff00097eff1990 x25: ffff8000092b6ad8 x24: ffff00097eff19a8 -[ 91.990610] x23: ffff80000c8439a8 x22: 0000000000000000 x21: ffff80000c8439c2 -[ 91.990659] x20: 0000000000000000 x19: ffff00097eff1a10 x18: ffff80000ab99c40 -[ 91.990708] x17: 0000000000000000 x16: 0000000000000000 x15: ffff80000abf6fa0 -[ 91.990756] x14: 000000000000001d x13: 0a2e656572662d72 x12: 657466612d657375 -[ 91.990805] x11: 203b30206e6f206e x10: 6f69746964646120 x9 : ffff8000081aba28 -[ 91.990854] x8 : 206e6f206e6f6974 x7 : 69646461203a745f x6 : 746e756f63666572 -[ 91.990903] x5 : ffff00097648ec58 x4 : 0000000000000000 x3 : 0000000000000027 -[ 91.990952] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00080260ba00 -[ 91.991000] Call trace: -[ 91.991012] refcount_warn_saturate+0xa0/0x144 -[ 91.991034] kobject_get+0xac/0xb0 -[ 91.991055] of_node_get+0x2c/0x40 -[ 91.991076] of_fwnode_get+0x40/0x60 -[ 91.991094] fwnode_handle_get+0x3c/0x60 -[ 91.991116] fwnode_get_nth_parent+0xf4/0x110 -[ 91.991137] fwnode_full_name_string+0x48/0xc0 -[ 91.991158] device_node_string+0x41c/0x530 -[ 91.991178] pointer+0x320/0x3ec -[ 91.991198] vsnprintf+0x23c/0x750 -[ 91.991217] vprintk_store+0x104/0x4b0 -[ 91.991238] vprintk_emit+0x8c/0x360 -[ 91.991257] vprintk_default+0x44/0x50 -[ 91.991276] vprintk+0xcc/0xf0 -[ 91.991295] _printk+0x68/0x90 -[ 91.991315] of_node_release+0x13c/0x14c -[ 91.991334] kobject_put+0x98/0x114 -[ 91.991354] of_node_put+0x24/0x34 -[ 91.991372] of_fwnode_put+0x40/0x5c -[ 91.991390] fwnode_handle_put+0x38/0x50 -[ 91.991411] coresight_release_platform_data+0x74/0xb0 [coresight] -[ 91.991472] coresight_unregister+0x64/0xcc [coresight] -[ 91.991525] etm4_remove_dev+0x64/0x78 [coresight_etm4x] -[ 91.991563] etm4_remove_amba+0x1c/0x2c [coresight_etm4x] -[ 91.991598] amba_remove+0x3c/0x19c - -Reproducible by: (Build all coresight components as modules): - - #!/bin/sh - while true - do - for m in tmc stm cpu_debug etm4x replicator funnel - do - modprobe coresight_${m} - done - - for m in tmc stm cpu_debug etm4x replicator funnel - do - rmmode coresight_${m} - done - done - -Cc: stable@vger.kernel.org -Cc: Mathieu Poirier -Cc: Mike Leach -Cc: Leo Yan -Signed-off-by: Suzuki K Poulose -Fixes: 37ea1ffddffa ("coresight: Use fwnode handle instead of device names") -Link: https://lore.kernel.org/r/20220614214024.3005275-1-suzuki.poulose@arm.com -Signed-off-by: Mathieu Poirier -Signed-off-by: Sasha Levin ---- - drivers/hwtracing/coresight/coresight-core.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/hwtracing/coresight/coresight-core.c b/drivers/hwtracing/coresight/coresight-core.c -index ee6ce92ab4c3..1edfec1e9d18 100644 ---- a/drivers/hwtracing/coresight/coresight-core.c -+++ b/drivers/hwtracing/coresight/coresight-core.c -@@ -1424,6 +1424,7 @@ static int coresight_remove_match(struct device *dev, void *data) - * platform data. - */ - fwnode_handle_put(conn->child_fwnode); -+ conn->child_fwnode = NULL; - /* No need to continue */ - break; - } --- -2.35.1 - diff --git a/queue-5.19/crypto-ccp-use-kzalloc-for-sev-ioctl-interfaces-to-p.patch b/queue-5.19/crypto-ccp-use-kzalloc-for-sev-ioctl-interfaces-to-p.patch deleted file mode 100644 index 0fbb2650012..00000000000 --- a/queue-5.19/crypto-ccp-use-kzalloc-for-sev-ioctl-interfaces-to-p.patch +++ /dev/null @@ -1,90 +0,0 @@ -From 3d3deb65f4881a79e177b5234f8547c5c212e78e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 18 May 2022 15:31:26 +0000 -Subject: crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel - memory leak - -From: John Allen - -[ Upstream commit 13dc15a3f5fd7f884e4bfa8c011a0ae868df12ae ] - -For some sev ioctl interfaces, input may be passed that is less than or -equal to SEV_FW_BLOB_MAX_SIZE, but larger than the data that PSP -firmware returns. In this case, kmalloc will allocate memory that is the -size of the input rather than the size of the data. Since PSP firmware -doesn't fully overwrite the buffer, the sev ioctl interfaces with the -issue may return uninitialized slab memory. - -Currently, all of the ioctl interfaces in the ccp driver are safe, but -to prevent future problems, change all ioctl interfaces that allocate -memory with kmalloc to use kzalloc and memset the data buffer to zero -in sev_ioctl_do_platform_status. - -Fixes: 38103671aad3 ("crypto: ccp: Use the stack and common buffer for status commands") -Fixes: e799035609e15 ("crypto: ccp: Implement SEV_PEK_CSR ioctl command") -Fixes: 76a2b524a4b1d ("crypto: ccp: Implement SEV_PDH_CERT_EXPORT ioctl command") -Fixes: d6112ea0cb344 ("crypto: ccp - introduce SEV_GET_ID2 command") -Cc: stable@vger.kernel.org -Reported-by: Andy Nguyen -Suggested-by: David Rientjes -Suggested-by: Peter Gonda -Signed-off-by: John Allen -Reviewed-by: Peter Gonda -Acked-by: David Rientjes -Signed-off-by: Herbert Xu -Signed-off-by: Sasha Levin ---- - drivers/crypto/ccp/sev-dev.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c -index 799b476fc3e8..0c92d940ac4e 100644 ---- a/drivers/crypto/ccp/sev-dev.c -+++ b/drivers/crypto/ccp/sev-dev.c -@@ -577,6 +577,8 @@ static int sev_ioctl_do_platform_status(struct sev_issue_cmd *argp) - struct sev_user_data_status data; - int ret; - -+ memset(&data, 0, sizeof(data)); -+ - ret = __sev_do_cmd_locked(SEV_CMD_PLATFORM_STATUS, &data, &argp->error); - if (ret) - return ret; -@@ -630,7 +632,7 @@ static int sev_ioctl_do_pek_csr(struct sev_issue_cmd *argp, bool writable) - if (input.length > SEV_FW_BLOB_MAX_SIZE) - return -EFAULT; - -- blob = kmalloc(input.length, GFP_KERNEL); -+ blob = kzalloc(input.length, GFP_KERNEL); - if (!blob) - return -ENOMEM; - -@@ -854,7 +856,7 @@ static int sev_ioctl_do_get_id2(struct sev_issue_cmd *argp) - input_address = (void __user *)input.address; - - if (input.address && input.length) { -- id_blob = kmalloc(input.length, GFP_KERNEL); -+ id_blob = kzalloc(input.length, GFP_KERNEL); - if (!id_blob) - return -ENOMEM; - -@@ -973,14 +975,14 @@ static int sev_ioctl_do_pdh_export(struct sev_issue_cmd *argp, bool writable) - if (input.cert_chain_len > SEV_FW_BLOB_MAX_SIZE) - return -EFAULT; - -- pdh_blob = kmalloc(input.pdh_cert_len, GFP_KERNEL); -+ pdh_blob = kzalloc(input.pdh_cert_len, GFP_KERNEL); - if (!pdh_blob) - return -ENOMEM; - - data.pdh_cert_address = __psp_pa(pdh_blob); - data.pdh_cert_len = input.pdh_cert_len; - -- cert_blob = kmalloc(input.cert_chain_len, GFP_KERNEL); -+ cert_blob = kzalloc(input.cert_chain_len, GFP_KERNEL); - if (!cert_blob) { - ret = -ENOMEM; - goto e_free_pdh; --- -2.35.1 - diff --git a/queue-5.19/csky-abiv1-fixup-compile-error.patch-25803 b/queue-5.19/csky-abiv1-fixup-compile-error.patch-25803 deleted file mode 100644 index b30581b70a8..00000000000 --- a/queue-5.19/csky-abiv1-fixup-compile-error.patch-25803 +++ /dev/null @@ -1,46 +0,0 @@ -From eea6736378d992206ba2376b2dae701fa4a3fabd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 31 Jul 2022 22:34:24 -0400 -Subject: csky: abiv1: Fixup compile error - -From: Guo Ren - -[ Upstream commit 45fef4c4b9c94e86d9c13f0b2e7e71bb32254509 ] - - LD vmlinux.o -arch/csky/lib/string.o: In function `memmove': -string.c:(.text+0x108): multiple definition of `memmove' -lib/string.o:string.c:(.text+0x7e8): first defined here -arch/csky/lib/string.o: In function `memset': -string.c:(.text+0x148): multiple definition of `memset' -lib/string.o:string.c:(.text+0x2ac): first defined here -scripts/Makefile.vmlinux_o:68: recipe for target 'vmlinux.o' failed -make[4]: *** [vmlinux.o] Error 1 - -Fixes: e4df2d5e852a ("csky: Add C based string functions") -Signed-off-by: Guo Ren -Signed-off-by: Guo Ren -Cc: -Signed-off-by: Sasha Levin ---- - arch/csky/abiv1/inc/abi/string.h | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/arch/csky/abiv1/inc/abi/string.h b/arch/csky/abiv1/inc/abi/string.h -index 9d95594b0feb..de50117b904d 100644 ---- a/arch/csky/abiv1/inc/abi/string.h -+++ b/arch/csky/abiv1/inc/abi/string.h -@@ -6,4 +6,10 @@ - #define __HAVE_ARCH_MEMCPY - extern void *memcpy(void *, const void *, __kernel_size_t); - -+#define __HAVE_ARCH_MEMMOVE -+extern void *memmove(void *, const void *, __kernel_size_t); -+ -+#define __HAVE_ARCH_MEMSET -+extern void *memset(void *, int, __kernel_size_t); -+ - #endif /* __ABI_CSKY_STRING_H */ --- -2.35.1 - diff --git a/queue-5.19/drivers-base-fix-userspace-break-from-using-bin_attr.patch b/queue-5.19/drivers-base-fix-userspace-break-from-using-bin_attr.patch deleted file mode 100644 index 2adb03864d7..00000000000 --- a/queue-5.19/drivers-base-fix-userspace-break-from-using-bin_attr.patch +++ /dev/null @@ -1,188 +0,0 @@ -From b1dac98d489b9236a15b491dd955722d3a7e7b20 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 15 Jul 2022 09:49:24 -0400 -Subject: drivers/base: fix userspace break from using bin_attributes for - cpumap and cpulist - -From: Phil Auld - -[ Upstream commit 7ee951acd31a88f941fd6535fbdee3a1567f1d63 ] - -Using bin_attributes with a 0 size causes fstat and friends to return that -0 size. This breaks userspace code that retrieves the size before reading -the file. Rather than reverting 75bd50fa841 ("drivers/base/node.c: use -bin_attribute to break the size limitation of cpumap ABI") let's put in a -size value at compile time. - -For cpulist the maximum size is on the order of - NR_CPUS * (ceil(log10(NR_CPUS)) + 1)/2 - -which for 8192 is 20480 (8192 * 5)/2. In order to get near that you'd need -a system with every other CPU on one node. For example: (0,2,4,8, ... ). -To simplify the math and support larger NR_CPUS in the future we are using -(NR_CPUS * 7)/2. We also set it to a min of PAGE_SIZE to retain the older -behavior for smaller NR_CPUS. - -The cpumap file the size works out to be NR_CPUS/4 + NR_CPUS/32 - 1 -(or NR_CPUS * 9/32 - 1) including the ","s. - -Add a set of macros for these values to cpumask.h so they can be used in -multiple places. Apply these to the handful of such files in -drivers/base/topology.c as well as node.c. - -As an example, on an 80 cpu 4-node system (NR_CPUS == 8192): - -before: - --r--r--r--. 1 root root 0 Jul 12 14:08 system/node/node0/cpulist --r--r--r--. 1 root root 0 Jul 11 17:25 system/node/node0/cpumap - -after: - --r--r--r--. 1 root root 28672 Jul 13 11:32 system/node/node0/cpulist --r--r--r--. 1 root root 4096 Jul 13 11:31 system/node/node0/cpumap - -CONFIG_NR_CPUS = 16384 --r--r--r--. 1 root root 57344 Jul 13 14:03 system/node/node0/cpulist --r--r--r--. 1 root root 4607 Jul 13 14:02 system/node/node0/cpumap - -The actual number of cpus doesn't matter for the reported size since they -are based on NR_CPUS. - -Fixes: 75bd50fa841d ("drivers/base/node.c: use bin_attribute to break the size limitation of cpumap ABI") -Fixes: bb9ec13d156e ("topology: use bin_attribute to break the size limitation of cpumap ABI") -Cc: Greg Kroah-Hartman -Cc: "Rafael J. Wysocki" -Cc: Yury Norov -Cc: stable@vger.kernel.org -Acked-by: Yury Norov (for include/linux/cpumask.h) -Signed-off-by: Phil Auld -Link: https://lore.kernel.org/r/20220715134924.3466194-1-pauld@redhat.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/base/node.c | 4 ++-- - drivers/base/topology.c | 32 ++++++++++++++++---------------- - include/linux/cpumask.h | 18 ++++++++++++++++++ - 3 files changed, 36 insertions(+), 18 deletions(-) - -diff --git a/drivers/base/node.c b/drivers/base/node.c -index 0ac6376ef7a1..eb0f43784c2b 100644 ---- a/drivers/base/node.c -+++ b/drivers/base/node.c -@@ -45,7 +45,7 @@ static inline ssize_t cpumap_read(struct file *file, struct kobject *kobj, - return n; - } - --static BIN_ATTR_RO(cpumap, 0); -+static BIN_ATTR_RO(cpumap, CPUMAP_FILE_MAX_BYTES); - - static inline ssize_t cpulist_read(struct file *file, struct kobject *kobj, - struct bin_attribute *attr, char *buf, -@@ -66,7 +66,7 @@ static inline ssize_t cpulist_read(struct file *file, struct kobject *kobj, - return n; - } - --static BIN_ATTR_RO(cpulist, 0); -+static BIN_ATTR_RO(cpulist, CPULIST_FILE_MAX_BYTES); - - /** - * struct node_access_nodes - Access class device to hold user visible -diff --git a/drivers/base/topology.c b/drivers/base/topology.c -index ac6ad9ab67f9..89f98be5c5b9 100644 ---- a/drivers/base/topology.c -+++ b/drivers/base/topology.c -@@ -62,47 +62,47 @@ define_id_show_func(ppin, "0x%llx"); - static DEVICE_ATTR_ADMIN_RO(ppin); - - define_siblings_read_func(thread_siblings, sibling_cpumask); --static BIN_ATTR_RO(thread_siblings, 0); --static BIN_ATTR_RO(thread_siblings_list, 0); -+static BIN_ATTR_RO(thread_siblings, CPUMAP_FILE_MAX_BYTES); -+static BIN_ATTR_RO(thread_siblings_list, CPULIST_FILE_MAX_BYTES); - - define_siblings_read_func(core_cpus, sibling_cpumask); --static BIN_ATTR_RO(core_cpus, 0); --static BIN_ATTR_RO(core_cpus_list, 0); -+static BIN_ATTR_RO(core_cpus, CPUMAP_FILE_MAX_BYTES); -+static BIN_ATTR_RO(core_cpus_list, CPULIST_FILE_MAX_BYTES); - - define_siblings_read_func(core_siblings, core_cpumask); --static BIN_ATTR_RO(core_siblings, 0); --static BIN_ATTR_RO(core_siblings_list, 0); -+static BIN_ATTR_RO(core_siblings, CPUMAP_FILE_MAX_BYTES); -+static BIN_ATTR_RO(core_siblings_list, CPULIST_FILE_MAX_BYTES); - - #ifdef TOPOLOGY_CLUSTER_SYSFS - define_siblings_read_func(cluster_cpus, cluster_cpumask); --static BIN_ATTR_RO(cluster_cpus, 0); --static BIN_ATTR_RO(cluster_cpus_list, 0); -+static BIN_ATTR_RO(cluster_cpus, CPUMAP_FILE_MAX_BYTES); -+static BIN_ATTR_RO(cluster_cpus_list, CPULIST_FILE_MAX_BYTES); - #endif - - #ifdef TOPOLOGY_DIE_SYSFS - define_siblings_read_func(die_cpus, die_cpumask); --static BIN_ATTR_RO(die_cpus, 0); --static BIN_ATTR_RO(die_cpus_list, 0); -+static BIN_ATTR_RO(die_cpus, CPUMAP_FILE_MAX_BYTES); -+static BIN_ATTR_RO(die_cpus_list, CPULIST_FILE_MAX_BYTES); - #endif - - define_siblings_read_func(package_cpus, core_cpumask); --static BIN_ATTR_RO(package_cpus, 0); --static BIN_ATTR_RO(package_cpus_list, 0); -+static BIN_ATTR_RO(package_cpus, CPUMAP_FILE_MAX_BYTES); -+static BIN_ATTR_RO(package_cpus_list, CPULIST_FILE_MAX_BYTES); - - #ifdef TOPOLOGY_BOOK_SYSFS - define_id_show_func(book_id, "%d"); - static DEVICE_ATTR_RO(book_id); - define_siblings_read_func(book_siblings, book_cpumask); --static BIN_ATTR_RO(book_siblings, 0); --static BIN_ATTR_RO(book_siblings_list, 0); -+static BIN_ATTR_RO(book_siblings, CPUMAP_FILE_MAX_BYTES); -+static BIN_ATTR_RO(book_siblings_list, CPULIST_FILE_MAX_BYTES); - #endif - - #ifdef TOPOLOGY_DRAWER_SYSFS - define_id_show_func(drawer_id, "%d"); - static DEVICE_ATTR_RO(drawer_id); - define_siblings_read_func(drawer_siblings, drawer_cpumask); --static BIN_ATTR_RO(drawer_siblings, 0); --static BIN_ATTR_RO(drawer_siblings_list, 0); -+static BIN_ATTR_RO(drawer_siblings, CPUMAP_FILE_MAX_BYTES); -+static BIN_ATTR_RO(drawer_siblings_list, CPULIST_FILE_MAX_BYTES); - #endif - - static struct bin_attribute *bin_attrs[] = { -diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h -index fe29ac7cc469..4592d0845941 100644 ---- a/include/linux/cpumask.h -+++ b/include/linux/cpumask.h -@@ -1071,4 +1071,22 @@ cpumap_print_list_to_buf(char *buf, const struct cpumask *mask, - [0] = 1UL \ - } } - -+/* -+ * Provide a valid theoretical max size for cpumap and cpulist sysfs files -+ * to avoid breaking userspace which may allocate a buffer based on the size -+ * reported by e.g. fstat. -+ * -+ * for cpumap NR_CPUS * 9/32 - 1 should be an exact length. -+ * -+ * For cpulist 7 is (ceil(log10(NR_CPUS)) + 1) allowing for NR_CPUS to be up -+ * to 2 orders of magnitude larger than 8192. And then we divide by 2 to -+ * cover a worst-case of every other cpu being on one of two nodes for a -+ * very large NR_CPUS. -+ * -+ * Use PAGE_SIZE as a minimum for smaller configurations. -+ */ -+#define CPUMAP_FILE_MAX_BYTES ((((NR_CPUS * 9)/32 - 1) > PAGE_SIZE) \ -+ ? (NR_CPUS * 9)/32 - 1 : PAGE_SIZE) -+#define CPULIST_FILE_MAX_BYTES (((NR_CPUS * 7)/2 > PAGE_SIZE) ? (NR_CPUS * 7)/2 : PAGE_SIZE) -+ - #endif /* __LINUX_CPUMASK_H */ --- -2.35.1 - diff --git a/queue-5.19/drm-amdgpu-check-bo-s-requested-pinning-domains-agai.patch b/queue-5.19/drm-amdgpu-check-bo-s-requested-pinning-domains-agai.patch deleted file mode 100644 index b1f7e696bdb..00000000000 --- a/queue-5.19/drm-amdgpu-check-bo-s-requested-pinning-domains-agai.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 4eac50b82fb2d529a4802828b19b092b0cbf0715 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 12 Jul 2022 12:30:29 -0400 -Subject: drm/amdgpu: Check BO's requested pinning domains against its - preferred_domains -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Leo Li - -[ Upstream commit f5ba14043621f4afdf3ad5f92ee2d8dbebbe4340 ] - -When pinning a buffer, we should check to see if there are any -additional restrictions imposed by bo->preferred_domains. This will -prevent the BO from being moved to an invalid domain when pinning. - -For example, this can happen if the user requests to create a BO in GTT -domain for display scanout. amdgpu_dm will allow pinning to either VRAM -or GTT domains, since DCN can scanout from either or. However, in -amdgpu_bo_pin_restricted(), pinning to VRAM is preferred if there is -adequate carveout. This can lead to pinning to VRAM despite the user -requesting GTT placement for the BO. - -v2: Allow the kernel to override the domain, which can happen when - exporting a BO to a V4L camera (for example). - -Signed-off-by: Leo Li -Reviewed-by: Alex Deucher -Reviewed-by: Christian König -Signed-off-by: Alex Deucher -Cc: stable@vger.kernel.org -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c -index 2c82b1d5a0d7..4570ad449390 100644 ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c -@@ -882,6 +882,10 @@ int amdgpu_bo_pin_restricted(struct amdgpu_bo *bo, u32 domain, - if (WARN_ON_ONCE(min_offset > max_offset)) - return -EINVAL; - -+ /* Check domain to be pinned to against preferred domains */ -+ if (bo->preferred_domains & domain) -+ domain = bo->preferred_domains & domain; -+ - /* A shared bo cannot be migrated to VRAM */ - if (bo->tbo.base.import_attach) { - if (domain & AMDGPU_GEM_DOMAIN_GTT) --- -2.35.1 - diff --git a/queue-5.19/drm-dp-mst-read-the-extended-dpcd-capabilities-durin.patch b/queue-5.19/drm-dp-mst-read-the-extended-dpcd-capabilities-durin.patch deleted file mode 100644 index eadfcb2af1e..00000000000 --- a/queue-5.19/drm-dp-mst-read-the-extended-dpcd-capabilities-durin.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 9850d6a91e51f3700fdfd4443f77b459b037e07d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 14 Jun 2022 12:45:37 +0300 -Subject: drm/dp/mst: Read the extended DPCD capabilities during system resume - -From: Imre Deak - -[ Upstream commit 7a710a8bc909313951eb9252d8419924c771d7c2 ] - -The WD22TB4 Thunderbolt dock at least will revert its DP_MAX_LINK_RATE -from HBR3 to HBR2 after system suspend/resume if the DP_DP13_DPCD_REV -registers are not read subsequently also as required. - -Fix this by reading DP_DP13_DPCD_REV registers as well, matching what is -done during connector detection. While at it also fix up the same call -in drm_dp_mst_dump_topology(). - -Cc: Lyude Paul -Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/5292 -Signed-off-by: Imre Deak -Reviewed-by: Jani Nikula -Cc: # v5.14+ -Reviewed-by: Lyude Paul -Link: https://patchwork.freedesktop.org/patch/msgid/20220614094537.885472-1-imre.deak@intel.com -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/display/drm_dp_mst_topology.c | 7 ++----- - 1 file changed, 2 insertions(+), 5 deletions(-) - -diff --git a/drivers/gpu/drm/display/drm_dp_mst_topology.c b/drivers/gpu/drm/display/drm_dp_mst_topology.c -index 67b3b9697da7..18f2b6075b78 100644 ---- a/drivers/gpu/drm/display/drm_dp_mst_topology.c -+++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c -@@ -3860,9 +3860,7 @@ int drm_dp_mst_topology_mgr_resume(struct drm_dp_mst_topology_mgr *mgr, - if (!mgr->mst_primary) - goto out_fail; - -- ret = drm_dp_dpcd_read(mgr->aux, DP_DPCD_REV, mgr->dpcd, -- DP_RECEIVER_CAP_SIZE); -- if (ret != DP_RECEIVER_CAP_SIZE) { -+ if (drm_dp_read_dpcd_caps(mgr->aux, mgr->dpcd) < 0) { - drm_dbg_kms(mgr->dev, "dpcd read failed - undocked during suspend?\n"); - goto out_fail; - } -@@ -4911,8 +4909,7 @@ void drm_dp_mst_dump_topology(struct seq_file *m, - u8 buf[DP_PAYLOAD_TABLE_SIZE]; - int ret; - -- ret = drm_dp_dpcd_read(mgr->aux, DP_DPCD_REV, buf, DP_RECEIVER_CAP_SIZE); -- if (ret) { -+ if (drm_dp_read_dpcd_caps(mgr->aux, buf) < 0) { - seq_printf(m, "dpcd read failed\n"); - goto out; - } --- -2.35.1 - diff --git a/queue-5.19/drm-fb-helper-fix-out-of-bounds-access.patch-14074 b/queue-5.19/drm-fb-helper-fix-out-of-bounds-access.patch-14074 deleted file mode 100644 index ba9fb32fbdf..00000000000 --- a/queue-5.19/drm-fb-helper-fix-out-of-bounds-access.patch-14074 +++ /dev/null @@ -1,100 +0,0 @@ -From 4ba6933086fff9c00b0faa445d6f4e7d4e5ff751 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 21 Jun 2022 12:46:17 +0200 -Subject: drm/fb-helper: Fix out-of-bounds access -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Thomas Zimmermann - -[ Upstream commit ae25885bdf59fde40726863c57fd20e4a0642183 ] - -Clip memory range to screen-buffer size to avoid out-of-bounds access -in fbdev deferred I/O's damage handling. - -Fbdev's deferred I/O can only track pages. From the range of pages, the -damage handler computes the clipping rectangle for the display update. -If the fbdev screen buffer ends near the beginning of a page, that page -could contain more scanlines. The damage handler would then track these -non-existing scanlines as dirty and provoke an out-of-bounds access -during the screen update. Hence, clip the maximum memory range to the -size of the screen buffer. - -While at it, rename the variables min/max to min_off/max_off in -drm_fb_helper_deferred_io(). This avoids confusion with the macros of -the same name. - -Reported-by: Nuno Gonçalves -Signed-off-by: Thomas Zimmermann -Reviewed-by: Javier Martinez Canillas -Tested-by: Nuno Gonçalves -Fixes: 67b723f5b742 ("drm/fb-helper: Calculate damaged area in separate helper") -Cc: Thomas Zimmermann -Cc: Javier Martinez Canillas -Cc: Maarten Lankhorst -Cc: Maxime Ripard -Cc: # v5.18+ -Link: https://patchwork.freedesktop.org/patch/msgid/20220621104617.8817-1-tzimmermann@suse.de -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/drm_fb_helper.c | 27 +++++++++++++++++++-------- - 1 file changed, 19 insertions(+), 8 deletions(-) - -diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c -index 5ad2b6a2778c..1705e8d345ab 100644 ---- a/drivers/gpu/drm/drm_fb_helper.c -+++ b/drivers/gpu/drm/drm_fb_helper.c -@@ -680,7 +680,11 @@ static void drm_fb_helper_damage(struct fb_info *info, u32 x, u32 y, - schedule_work(&helper->damage_work); - } - --/* Convert memory region into area of scanlines and pixels per scanline */ -+/* -+ * Convert memory region into area of scanlines and pixels per -+ * scanline. The parameters off and len must not reach beyond -+ * the end of the framebuffer. -+ */ - static void drm_fb_helper_memory_range_to_clip(struct fb_info *info, off_t off, size_t len, - struct drm_rect *clip) - { -@@ -715,22 +719,29 @@ static void drm_fb_helper_memory_range_to_clip(struct fb_info *info, off_t off, - */ - void drm_fb_helper_deferred_io(struct fb_info *info, struct list_head *pagereflist) - { -- unsigned long start, end, min, max; -+ unsigned long start, end, min_off, max_off; - struct fb_deferred_io_pageref *pageref; - struct drm_rect damage_area; - -- min = ULONG_MAX; -- max = 0; -+ min_off = ULONG_MAX; -+ max_off = 0; - list_for_each_entry(pageref, pagereflist, list) { - start = pageref->offset; - end = start + PAGE_SIZE; -- min = min(min, start); -- max = max(max, end); -+ min_off = min(min_off, start); -+ max_off = max(max_off, end); - } -- if (min >= max) -+ if (min_off >= max_off) - return; - -- drm_fb_helper_memory_range_to_clip(info, min, max - min, &damage_area); -+ /* -+ * As we can only track pages, we might reach beyond the end -+ * of the screen and account for non-existing scanlines. Hence, -+ * keep the covered memory area within the screen buffer. -+ */ -+ max_off = min(max_off, info->screen_size); -+ -+ drm_fb_helper_memory_range_to_clip(info, min_off, max_off - min_off, &damage_area); - drm_fb_helper_damage(info, damage_area.x1, damage_area.y1, - drm_rect_width(&damage_area), - drm_rect_height(&damage_area)); --- -2.35.1 - diff --git a/queue-5.19/drm-hyperv-drm-include-framebuffer-and-edid-headers.patch-15144 b/queue-5.19/drm-hyperv-drm-include-framebuffer-and-edid-headers.patch-15144 deleted file mode 100644 index dee42c44bcd..00000000000 --- a/queue-5.19/drm-hyperv-drm-include-framebuffer-and-edid-headers.patch-15144 +++ /dev/null @@ -1,67 +0,0 @@ -From c788aef49db3a12b08d26fbbf7fddb8cf92a71ac Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 22 Jun 2022 10:34:13 +0200 -Subject: drm/hyperv-drm: Include framebuffer and EDID headers -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Thomas Zimmermann - -[ Upstream commit 009a3a52791f31c57d755a73f6bc66fbdd8bd76c ] - -Fix a number of compile errors by including the correct header -files. Examples are shown below. - - ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c: In function 'hyperv_blit_to_vram_rect': - ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c:25:48: error: invalid use of undefined type 'struct drm_framebuffer' - 25 | struct hyperv_drm_device *hv = to_hv(fb->dev); - | ^~ - - ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c: In function 'hyperv_connector_get_modes': - ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c:59:17: error: implicit declaration of function 'drm_add_modes_noedid' [-Werror=implicit-function-declaration] - 59 | count = drm_add_modes_noedid(connector, - | ^~~~~~~~~~~~~~~~~~~~ - - ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c:62:9: error: implicit declaration of function 'drm_set_preferred_mode'; did you mean 'drm_mm_reserve_node'? [-Werror=implicit-function-declaration] - 62 | drm_set_preferred_mode(connector, hv->preferred_width, - | ^~~~~~~~~~~~~~~~~~~~~~ - -Signed-off-by: Thomas Zimmermann -Fixes: 76c56a5affeb ("drm/hyperv: Add DRM driver for hyperv synthetic video device") -Fixes: 720cf96d8fec ("drm: Drop drm_framebuffer.h from drm_crtc.h") -Fixes: 255490f9150d ("drm: Drop drm_edid.h from drm_crtc.h") -Cc: Deepak Rawat -Cc: Thomas Zimmermann -Cc: Maarten Lankhorst -Cc: Maxime Ripard -Cc: linux-hyperv@vger.kernel.org -Cc: dri-devel@lists.freedesktop.org -Cc: # v5.14+ -Acked-by: Maxime Ripard -Reviewed-by: Ville Syrjälä -Link: https://patchwork.freedesktop.org/patch/msgid/20220622083413.12573-1-tzimmermann@suse.de -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/hyperv/hyperv_drm_modeset.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c b/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c -index 27f4fcb058f9..b8e64dd8d3a6 100644 ---- a/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c -+++ b/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c -@@ -7,9 +7,11 @@ - - #include - #include -+#include - #include - #include - #include -+#include - #include - #include - #include --- -2.35.1 - diff --git a/queue-5.19/drm-ingenic-use-the-highest-possible-dma-burst-size.patch-22931 b/queue-5.19/drm-ingenic-use-the-highest-possible-dma-burst-size.patch-22931 deleted file mode 100644 index a19c2a0429e..00000000000 --- a/queue-5.19/drm-ingenic-use-the-highest-possible-dma-burst-size.patch-22931 +++ /dev/null @@ -1,110 +0,0 @@ -From ca2b56495ef3523ca282c39439e94ca901512595 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 3 Jul 2022 00:07:27 +0100 -Subject: drm/ingenic: Use the highest possible DMA burst size - -From: Paul Cercueil - -[ Upstream commit f0dce5c4fdaf9e98dd2755ffb1363822854b6287 ] - -Until now, when running at the maximum resolution of 1280x720 at 32bpp -on the JZ4770 SoC the output was garbled, the X/Y position of the -top-left corner of the framebuffer warping to a random position with -the whole image being offset accordingly, every time a new frame was -being submitted. - -This problem can be eliminated by using a bigger burst size for the DMA. - -Set in each soc_info structure the maximum burst size supported by the -corresponding SoC, and use it in the driver. - -Set the new value using regmap_update_bits() instead of -regmap_set_bits(), since we do want to override the old value of the -burst size. (Note that regmap_set_bits() wasn't really valid before for -the same reason, but it never seemed to be a problem). - -Cc: -Fixes: 90b86fcc47b4 ("DRM: Add KMS driver for the Ingenic JZ47xx SoCs") -Signed-off-by: Paul Cercueil -Link: https://patchwork.freedesktop.org/patch/msgid/20220702230727.66704-1-paul@crapouillou.net -Acked-by: Sam Ravnborg -Tested-by: Christophe Branchereau -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/ingenic/ingenic-drm-drv.c | 10 ++++++++-- - drivers/gpu/drm/ingenic/ingenic-drm.h | 3 +++ - 2 files changed, 11 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c -index 8eb0ad501a7b..150a973c6001 100644 ---- a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c -+++ b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c -@@ -69,6 +69,7 @@ struct jz_soc_info { - bool map_noncoherent; - bool use_extended_hwdesc; - bool plane_f0_not_working; -+ u32 max_burst; - unsigned int max_width, max_height; - const u32 *formats_f0, *formats_f1; - unsigned int num_formats_f0, num_formats_f1; -@@ -318,8 +319,9 @@ static void ingenic_drm_crtc_update_timings(struct ingenic_drm *priv, - regmap_write(priv->map, JZ_REG_LCD_REV, mode->htotal << 16); - } - -- regmap_set_bits(priv->map, JZ_REG_LCD_CTRL, -- JZ_LCD_CTRL_OFUP | JZ_LCD_CTRL_BURST_16); -+ regmap_update_bits(priv->map, JZ_REG_LCD_CTRL, -+ JZ_LCD_CTRL_OFUP | JZ_LCD_CTRL_BURST_MASK, -+ JZ_LCD_CTRL_OFUP | priv->soc_info->max_burst); - - /* - * IPU restart - specify how much time the LCDC will wait before -@@ -1518,6 +1520,7 @@ static const struct jz_soc_info jz4740_soc_info = { - .map_noncoherent = false, - .max_width = 800, - .max_height = 600, -+ .max_burst = JZ_LCD_CTRL_BURST_16, - .formats_f1 = jz4740_formats, - .num_formats_f1 = ARRAY_SIZE(jz4740_formats), - /* JZ4740 has only one plane */ -@@ -1529,6 +1532,7 @@ static const struct jz_soc_info jz4725b_soc_info = { - .map_noncoherent = false, - .max_width = 800, - .max_height = 600, -+ .max_burst = JZ_LCD_CTRL_BURST_16, - .formats_f1 = jz4725b_formats_f1, - .num_formats_f1 = ARRAY_SIZE(jz4725b_formats_f1), - .formats_f0 = jz4725b_formats_f0, -@@ -1541,6 +1545,7 @@ static const struct jz_soc_info jz4770_soc_info = { - .map_noncoherent = true, - .max_width = 1280, - .max_height = 720, -+ .max_burst = JZ_LCD_CTRL_BURST_64, - .formats_f1 = jz4770_formats_f1, - .num_formats_f1 = ARRAY_SIZE(jz4770_formats_f1), - .formats_f0 = jz4770_formats_f0, -@@ -1555,6 +1560,7 @@ static const struct jz_soc_info jz4780_soc_info = { - .plane_f0_not_working = true, /* REVISIT */ - .max_width = 4096, - .max_height = 2048, -+ .max_burst = JZ_LCD_CTRL_BURST_64, - .formats_f1 = jz4770_formats_f1, - .num_formats_f1 = ARRAY_SIZE(jz4770_formats_f1), - .formats_f0 = jz4770_formats_f0, -diff --git a/drivers/gpu/drm/ingenic/ingenic-drm.h b/drivers/gpu/drm/ingenic/ingenic-drm.h -index cb1d09b62588..e5bd007ea93d 100644 ---- a/drivers/gpu/drm/ingenic/ingenic-drm.h -+++ b/drivers/gpu/drm/ingenic/ingenic-drm.h -@@ -106,6 +106,9 @@ - #define JZ_LCD_CTRL_BURST_4 (0x0 << 28) - #define JZ_LCD_CTRL_BURST_8 (0x1 << 28) - #define JZ_LCD_CTRL_BURST_16 (0x2 << 28) -+#define JZ_LCD_CTRL_BURST_32 (0x3 << 28) -+#define JZ_LCD_CTRL_BURST_64 (0x4 << 28) -+#define JZ_LCD_CTRL_BURST_MASK (0x7 << 28) - #define JZ_LCD_CTRL_RGB555 BIT(27) - #define JZ_LCD_CTRL_OFUP BIT(26) - #define JZ_LCD_CTRL_FRC_GRAYSCALE_16 (0x0 << 24) --- -2.35.1 - diff --git a/queue-5.19/drm-mediatek-keep-dsi-as-lp00-before-dcs-cmds-transf.patch b/queue-5.19/drm-mediatek-keep-dsi-as-lp00-before-dcs-cmds-transf.patch index 7ba59a73980..08b579c1a7e 100644 --- a/queue-5.19/drm-mediatek-keep-dsi-as-lp00-before-dcs-cmds-transf.patch +++ b/queue-5.19/drm-mediatek-keep-dsi-as-lp00-before-dcs-cmds-transf.patch @@ -36,11 +36,9 @@ Reviewed-by: Rex-BC Chen Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin --- - drivers/gpu/drm/mediatek/mtk_dsi.c | 28 +++++++++++++++++++++------- + drivers/gpu/drm/mediatek/mtk_dsi.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) -diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c -index 966a4729bb41..907d07eda000 100644 --- a/drivers/gpu/drm/mediatek/mtk_dsi.c +++ b/drivers/gpu/drm/mediatek/mtk_dsi.c @@ -203,6 +203,7 @@ struct mtk_dsi { @@ -51,7 +49,7 @@ index 966a4729bb41..907d07eda000 100644 u32 irq_data; wait_queue_head_t irq_wait_queue; const struct mtk_dsi_driver_data *driver_data; -@@ -661,18 +662,11 @@ static int mtk_dsi_poweron(struct mtk_dsi *dsi) +@@ -661,18 +662,11 @@ static int mtk_dsi_poweron(struct mtk_ds mtk_dsi_reset_engine(dsi); mtk_dsi_phy_timconfig(dsi); @@ -70,7 +68,7 @@ index 966a4729bb41..907d07eda000 100644 return 0; err_disable_engine_clk: clk_disable_unprepare(dsi->engine_clk); -@@ -701,6 +695,23 @@ static void mtk_dsi_poweroff(struct mtk_dsi *dsi) +@@ -703,6 +697,23 @@ static void mtk_dsi_poweroff(struct mtk_ clk_disable_unprepare(dsi->digital_clk); phy_power_off(dsi->phy); @@ -94,7 +92,7 @@ index 966a4729bb41..907d07eda000 100644 } static void mtk_output_dsi_enable(struct mtk_dsi *dsi) -@@ -708,6 +719,7 @@ static void mtk_output_dsi_enable(struct mtk_dsi *dsi) +@@ -710,6 +721,7 @@ static void mtk_output_dsi_enable(struct if (dsi->enabled) return; @@ -102,7 +100,7 @@ index 966a4729bb41..907d07eda000 100644 mtk_dsi_set_mode(dsi); mtk_dsi_clk_hs_mode(dsi, 1); -@@ -1017,6 +1029,8 @@ static ssize_t mtk_dsi_host_transfer(struct mipi_dsi_host *host, +@@ -1019,6 +1031,8 @@ static ssize_t mtk_dsi_host_transfer(str if (MTK_DSI_HOST_IS_READ(msg->type)) irq_flag |= LPRX_RD_RDY_INT_FLAG; @@ -111,6 +109,3 @@ index 966a4729bb41..907d07eda000 100644 ret = mtk_dsi_host_send_cmd(dsi, msg, irq_flag); if (ret) goto restore_dsi_mode; --- -2.35.1 - diff --git a/queue-5.19/drm-mediatek-modify-dsi-funcs-to-atomic-operations.patch-7159 b/queue-5.19/drm-mediatek-modify-dsi-funcs-to-atomic-operations.patch-7159 deleted file mode 100644 index d37918d3ea6..00000000000 --- a/queue-5.19/drm-mediatek-modify-dsi-funcs-to-atomic-operations.patch-7159 +++ /dev/null @@ -1,59 +0,0 @@ -From eee633764249f17bb03e27d0f62b3d3f56f7bf55 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 20 May 2022 10:00:04 +0800 -Subject: drm/mediatek: Modify dsi funcs to atomic operations - -From: Xinlei Lee - -[ Upstream commit 7f6335c6a258edf4d5ff1b904bc033188dc7b48b ] - -Because .enable & .disable are deprecated. -Use .atomic_enable & .atomic_disable instead. - -Link: https://patchwork.kernel.org/project/linux-mediatek/patch/1653012007-11854-2-git-send-email-xinlei.lee@mediatek.com/ -Signed-off-by: Jitao Shi -Signed-off-by: Xinlei Lee -Reviewed-by: Rex-BC Chen -Signed-off-by: Chun-Kuang Hu -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/mediatek/mtk_dsi.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c -index d9f10a33e6fa..6e7793f935da 100644 ---- a/drivers/gpu/drm/mediatek/mtk_dsi.c -+++ b/drivers/gpu/drm/mediatek/mtk_dsi.c -@@ -763,14 +763,16 @@ static void mtk_dsi_bridge_mode_set(struct drm_bridge *bridge, - drm_display_mode_to_videomode(adjusted, &dsi->vm); - } - --static void mtk_dsi_bridge_disable(struct drm_bridge *bridge) -+static void mtk_dsi_bridge_atomic_disable(struct drm_bridge *bridge, -+ struct drm_bridge_state *old_bridge_state) - { - struct mtk_dsi *dsi = bridge_to_dsi(bridge); - - mtk_output_dsi_disable(dsi); - } - --static void mtk_dsi_bridge_enable(struct drm_bridge *bridge) -+static void mtk_dsi_bridge_atomic_enable(struct drm_bridge *bridge, -+ struct drm_bridge_state *old_bridge_state) - { - struct mtk_dsi *dsi = bridge_to_dsi(bridge); - -@@ -779,8 +781,8 @@ static void mtk_dsi_bridge_enable(struct drm_bridge *bridge) - - static const struct drm_bridge_funcs mtk_dsi_bridge_funcs = { - .attach = mtk_dsi_bridge_attach, -- .disable = mtk_dsi_bridge_disable, -- .enable = mtk_dsi_bridge_enable, -+ .atomic_disable = mtk_dsi_bridge_atomic_disable, -+ .atomic_enable = mtk_dsi_bridge_atomic_enable, - .mode_set = mtk_dsi_bridge_mode_set, - }; - --- -2.35.1 - diff --git a/queue-5.19/drm-mediatek-separate-poweron-poweroff-from-enable-d.patch-3169 b/queue-5.19/drm-mediatek-separate-poweron-poweroff-from-enable-d.patch-3169 deleted file mode 100644 index 908a9130a81..00000000000 --- a/queue-5.19/drm-mediatek-separate-poweron-poweroff-from-enable-d.patch-3169 +++ /dev/null @@ -1,130 +0,0 @@ -From fdbabb61cb02a8883acbb52d303ced70bd0ec21e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 20 May 2022 10:00:05 +0800 -Subject: drm/mediatek: Separate poweron/poweroff from enable/disable and - define new funcs - -From: Jitao Shi - -[ Upstream commit cde7e2e35c2866d22a3a012e72a41052dfcc255d ] - -In order to match the changes of "Use the drm_panel_bridge API", -the poweron/poweroff of dsi is extracted from enable/disable and -defined as new funcs (atomic_pre_enable/atomic_post_disable). - -Since dsi_poweron is moved from dsi_enable to pre_enable function, in -order to avoid poweron failure, the operation of dsi register fails to -cause bus hang. Therefore, the protection mechanism is added to the -dsi_enable function. - -Fixes: 2dd8075d2185 ("drm/mediatek: mtk_dsi: Use the drm_panel_bridge API") - -Link: https://patchwork.kernel.org/project/linux-mediatek/patch/1653012007-11854-3-git-send-email-xinlei.lee@mediatek.com/ -Signed-off-by: Jitao Shi -Signed-off-by: Xinlei Lee -Reviewed-by: AngeloGioacchino Del Regno -Reviewed-by: Rex-BC Chen -Signed-off-by: Chun-Kuang Hu -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/mediatek/mtk_dsi.c | 53 +++++++++++++++++++----------- - 1 file changed, 34 insertions(+), 19 deletions(-) - -diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c -index 6e7793f935da..966a4729bb41 100644 ---- a/drivers/gpu/drm/mediatek/mtk_dsi.c -+++ b/drivers/gpu/drm/mediatek/mtk_dsi.c -@@ -691,16 +691,6 @@ static void mtk_dsi_poweroff(struct mtk_dsi *dsi) - if (--dsi->refcount != 0) - return; - -- /* -- * mtk_dsi_stop() and mtk_dsi_start() is asymmetric, since -- * mtk_dsi_stop() should be called after mtk_drm_crtc_atomic_disable(), -- * which needs irq for vblank, and mtk_dsi_stop() will disable irq. -- * mtk_dsi_start() needs to be called in mtk_output_dsi_enable(), -- * after dsi is fully set. -- */ -- mtk_dsi_stop(dsi); -- -- mtk_dsi_switch_to_cmd_mode(dsi, VM_DONE_INT_FLAG, 500); - mtk_dsi_reset_engine(dsi); - mtk_dsi_lane0_ulp_mode_enter(dsi); - mtk_dsi_clk_ulp_mode_enter(dsi); -@@ -715,17 +705,9 @@ static void mtk_dsi_poweroff(struct mtk_dsi *dsi) - - static void mtk_output_dsi_enable(struct mtk_dsi *dsi) - { -- int ret; -- - if (dsi->enabled) - return; - -- ret = mtk_dsi_poweron(dsi); -- if (ret < 0) { -- DRM_ERROR("failed to power on dsi\n"); -- return; -- } -- - mtk_dsi_set_mode(dsi); - mtk_dsi_clk_hs_mode(dsi, 1); - -@@ -739,7 +721,16 @@ static void mtk_output_dsi_disable(struct mtk_dsi *dsi) - if (!dsi->enabled) - return; - -- mtk_dsi_poweroff(dsi); -+ /* -+ * mtk_dsi_stop() and mtk_dsi_start() is asymmetric, since -+ * mtk_dsi_stop() should be called after mtk_drm_crtc_atomic_disable(), -+ * which needs irq for vblank, and mtk_dsi_stop() will disable irq. -+ * mtk_dsi_start() needs to be called in mtk_output_dsi_enable(), -+ * after dsi is fully set. -+ */ -+ mtk_dsi_stop(dsi); -+ -+ mtk_dsi_switch_to_cmd_mode(dsi, VM_DONE_INT_FLAG, 500); - - dsi->enabled = false; - } -@@ -776,13 +767,37 @@ static void mtk_dsi_bridge_atomic_enable(struct drm_bridge *bridge, - { - struct mtk_dsi *dsi = bridge_to_dsi(bridge); - -+ if (dsi->refcount == 0) -+ return; -+ - mtk_output_dsi_enable(dsi); - } - -+static void mtk_dsi_bridge_atomic_pre_enable(struct drm_bridge *bridge, -+ struct drm_bridge_state *old_bridge_state) -+{ -+ struct mtk_dsi *dsi = bridge_to_dsi(bridge); -+ int ret; -+ -+ ret = mtk_dsi_poweron(dsi); -+ if (ret < 0) -+ DRM_ERROR("failed to power on dsi\n"); -+} -+ -+static void mtk_dsi_bridge_atomic_post_disable(struct drm_bridge *bridge, -+ struct drm_bridge_state *old_bridge_state) -+{ -+ struct mtk_dsi *dsi = bridge_to_dsi(bridge); -+ -+ mtk_dsi_poweroff(dsi); -+} -+ - static const struct drm_bridge_funcs mtk_dsi_bridge_funcs = { - .attach = mtk_dsi_bridge_attach, - .atomic_disable = mtk_dsi_bridge_atomic_disable, - .atomic_enable = mtk_dsi_bridge_atomic_enable, -+ .atomic_pre_enable = mtk_dsi_bridge_atomic_pre_enable, -+ .atomic_post_disable = mtk_dsi_bridge_atomic_post_disable, - .mode_set = mtk_dsi_bridge_mode_set, - }; - --- -2.35.1 - diff --git a/queue-5.19/drm-nouveau-acpi-don-t-print-error-when-we-get-einpr.patch b/queue-5.19/drm-nouveau-acpi-don-t-print-error-when-we-get-einpr.patch deleted file mode 100644 index 50348b57314..00000000000 --- a/queue-5.19/drm-nouveau-acpi-don-t-print-error-when-we-get-einpr.patch +++ /dev/null @@ -1,38 +0,0 @@ -From a3d015c94a8063fa5733033f7e3cb13d9164e73d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 14 Jul 2022 13:42:33 -0400 -Subject: drm/nouveau/acpi: Don't print error when we get -EINPROGRESS from - pm_runtime - -From: Lyude Paul - -[ Upstream commit 53c26181950ddc3c8ace3c0939c89e9c4d8deeb9 ] - -Since this isn't actually a failure. - -Signed-off-by: Lyude Paul -Reviewed-by: David Airlie -Fixes: 79e765ad665d ("drm/nouveau/drm/nouveau: Prevent handling ACPI HPD events too early") -Cc: # v4.19+ -Link: https://patchwork.freedesktop.org/patch/msgid/20220714174234.949259-2-lyude@redhat.com -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/nouveau/nouveau_display.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/nouveau/nouveau_display.c b/drivers/gpu/drm/nouveau/nouveau_display.c -index 2cd0932b3d68..9f5a45f24e5b 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_display.c -+++ b/drivers/gpu/drm/nouveau/nouveau_display.c -@@ -537,7 +537,7 @@ nouveau_display_acpi_ntfy(struct notifier_block *nb, unsigned long val, - * it's own hotplug events. - */ - pm_runtime_put_autosuspend(drm->dev->dev); -- } else if (ret == 0) { -+ } else if (ret == 0 || ret == -EINPROGRESS) { - /* We've started resuming the GPU already, so - * it will handle scheduling a full reprobe - * itself --- -2.35.1 - diff --git a/queue-5.19/drm-nouveau-don-t-pm_runtime_put_sync-only-pm_runtim.patch b/queue-5.19/drm-nouveau-don-t-pm_runtime_put_sync-only-pm_runtim.patch deleted file mode 100644 index 5a3dfeaad7a..00000000000 --- a/queue-5.19/drm-nouveau-don-t-pm_runtime_put_sync-only-pm_runtim.patch +++ /dev/null @@ -1,62 +0,0 @@ -From d4a4ca1be1af412505da2fd5b60858077e313854 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 14 Jul 2022 13:42:34 -0400 -Subject: drm/nouveau: Don't pm_runtime_put_sync(), only - pm_runtime_put_autosuspend() - -From: Lyude Paul - -[ Upstream commit c96cfaf8fc02d4bb70727dfa7ce7841a3cff9be2 ] - -While trying to fix another issue, it occurred to me that I don't actually -think there is any situation where we want pm_runtime_put() in nouveau to -be synchronous. In fact, this kind of just seems like it would cause -issues where we may unexpectedly block a thread we don't expect to be -blocked. - -So, let's only use pm_runtime_put_autosuspend(). - -Changes since v1: -* Use pm_runtime_put_autosuspend(), not pm_runtime_put() - -Signed-off-by: Lyude Paul -Reviewed-by: David Airlie -Fixes: 3a6536c51d5d ("drm/nouveau: Intercept ACPI_VIDEO_NOTIFY_PROBE") -Cc: Hans de Goede -Cc: # v4.10+ -Link: https://patchwork.freedesktop.org/patch/msgid/20220714174234.949259-3-lyude@redhat.com -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/nouveau/nouveau_display.c | 2 +- - drivers/gpu/drm/nouveau/nouveau_fbcon.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/nouveau/nouveau_display.c b/drivers/gpu/drm/nouveau/nouveau_display.c -index 9f5a45f24e5b..a2f5df568ca5 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_display.c -+++ b/drivers/gpu/drm/nouveau/nouveau_display.c -@@ -515,7 +515,7 @@ nouveau_display_hpd_work(struct work_struct *work) - - pm_runtime_mark_last_busy(drm->dev->dev); - noop: -- pm_runtime_put_sync(drm->dev->dev); -+ pm_runtime_put_autosuspend(dev->dev); - } - - #ifdef CONFIG_ACPI -diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c -index 4f9b3aa5deda..20ac1ce2c0f1 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c -+++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c -@@ -466,7 +466,7 @@ nouveau_fbcon_set_suspend_work(struct work_struct *work) - if (state == FBINFO_STATE_RUNNING) { - nouveau_fbcon_hotplug_resume(drm->fbcon); - pm_runtime_mark_last_busy(drm->dev->dev); -- pm_runtime_put_sync(drm->dev->dev); -+ pm_runtime_put_autosuspend(drm->dev->dev); - } - } - --- -2.35.1 - diff --git a/queue-5.19/drm-nouveau-fix-another-off-by-one-in-nvbios_addr.patch-28623 b/queue-5.19/drm-nouveau-fix-another-off-by-one-in-nvbios_addr.patch-28623 deleted file mode 100644 index a4a5c256531..00000000000 --- a/queue-5.19/drm-nouveau-fix-another-off-by-one-in-nvbios_addr.patch-28623 +++ /dev/null @@ -1,40 +0,0 @@ -From bc0f39623d2a1b3b85f1c5b11f566aaa119ccbb3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 11 May 2022 11:37:16 -0500 -Subject: drm/nouveau: fix another off-by-one in nvbios_addr - -From: Timur Tabi - -[ Upstream commit c441d28945fb113220d48d6c86ebc0b090a2b677 ] - -This check determines whether a given address is part of -image 0 or image 1. Image 1 starts at offset image0_size, -so that address should be included. - -Fixes: 4d4e9907ff572 ("drm/nouveau/bios: guard against out-of-bounds accesses to image") -Cc: # v4.8+ -Signed-off-by: Timur Tabi -Reviewed-by: Karol Herbst -Signed-off-by: Lyude Paul -Link: https://patchwork.freedesktop.org/patch/msgid/20220511163716.3520591-1-ttabi@nvidia.com -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c -index 64e423dddd9e..6c318e41bde0 100644 ---- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c -+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c -@@ -33,7 +33,7 @@ nvbios_addr(struct nvkm_bios *bios, u32 *addr, u8 size) - { - u32 p = *addr; - -- if (*addr > bios->image0_size && bios->imaged_addr) { -+ if (*addr >= bios->image0_size && bios->imaged_addr) { - *addr -= bios->image0_size; - *addr += bios->imaged_addr; - } --- -2.35.1 - diff --git a/queue-5.19/drm-nouveau-kms-fix-failure-path-for-creating-dp-con.patch b/queue-5.19/drm-nouveau-kms-fix-failure-path-for-creating-dp-con.patch deleted file mode 100644 index dfb02838594..00000000000 --- a/queue-5.19/drm-nouveau-kms-fix-failure-path-for-creating-dp-con.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 06dd7fcf1e1e47ca3ed1e14497e5246821c9ef4c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 26 May 2022 16:43:13 -0400 -Subject: drm/nouveau/kms: Fix failure path for creating DP connectors - -From: Lyude Paul - -[ Upstream commit ca0367ca5d9216644b41f86348d6661f8d9e32d8 ] - -It looks like that when we moved nouveau over to using drm_dp_aux_init() -and registering it's aux bus during late connector registration, we totally -forgot to fix the failure codepath in nouveau_connector_create() - as it -still seems to assume that drm_dp_aux_init() can fail (it can't). - -So, let's fix that and also add a missing check to ensure that we've -properly allocated nv_connector->aux.name while we're at it. - -Signed-off-by: Lyude Paul -Reviewed-by: David Airlie -Fixes: fd43ad9d47e7 ("drm/nouveau/kms/nv50-: Move AUX adapter reg to connector late register/early unregister") -Cc: # v5.14+ -Link: https://patchwork.freedesktop.org/patch/msgid/20220526204313.656473-1-lyude@redhat.com -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/nouveau/nouveau_connector.c | 8 +++----- - 1 file changed, 3 insertions(+), 5 deletions(-) - -diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c -index 22b83a6577eb..df83c4654e26 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_connector.c -+++ b/drivers/gpu/drm/nouveau/nouveau_connector.c -@@ -1361,13 +1361,11 @@ nouveau_connector_create(struct drm_device *dev, - snprintf(aux_name, sizeof(aux_name), "sor-%04x-%04x", - dcbe->hasht, dcbe->hashm); - nv_connector->aux.name = kstrdup(aux_name, GFP_KERNEL); -- drm_dp_aux_init(&nv_connector->aux); -- if (ret) { -- NV_ERROR(drm, "Failed to init AUX adapter for sor-%04x-%04x: %d\n", -- dcbe->hasht, dcbe->hashm, ret); -+ if (!nv_connector->aux.name) { - kfree(nv_connector); -- return ERR_PTR(ret); -+ return ERR_PTR(-ENOMEM); - } -+ drm_dp_aux_init(&nv_connector->aux); - fallthrough; - default: - funcs = &nouveau_connector_funcs; --- -2.35.1 - diff --git a/queue-5.19/drm-tegra-fix-vmapping-of-prime-buffers.patch-28390 b/queue-5.19/drm-tegra-fix-vmapping-of-prime-buffers.patch-28390 deleted file mode 100644 index a033a389be7..00000000000 --- a/queue-5.19/drm-tegra-fix-vmapping-of-prime-buffers.patch-28390 +++ /dev/null @@ -1,56 +0,0 @@ -From ac0c918731ae633f821d9f30277fb30ec0a05cbd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 29 Jun 2022 01:42:39 +0300 -Subject: drm/tegra: Fix vmapping of prime buffers - -From: Dmitry Osipenko - -[ Upstream commit c7860cbee9989882d2908682526a5ef617523cfe ] - -The code assumes that Tegra GEM is permanently vmapped, which is not -true for the scattered buffers. After converting Tegra video decoder -driver to V4L API, we're now getting a BUG_ON from dma-buf core on playing -video using libvdpau-tegra on T30+ because tegra_gem_prime_vmap() sets -vaddr to NULL. Older pre-V4L video decoder driver wasn't vmapping dma-bufs. -Fix it by actually vmapping the exported GEMs. - -Cc: stable@vger.kernel.org -Signed-off-by: Dmitry Osipenko -Signed-off-by: Thierry Reding -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/tegra/gem.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c -index 7c7dd84e6db8..81991090adcc 100644 ---- a/drivers/gpu/drm/tegra/gem.c -+++ b/drivers/gpu/drm/tegra/gem.c -@@ -704,14 +704,23 @@ static int tegra_gem_prime_vmap(struct dma_buf *buf, struct iosys_map *map) - { - struct drm_gem_object *gem = buf->priv; - struct tegra_bo *bo = to_tegra_bo(gem); -+ void *vaddr; - -- iosys_map_set_vaddr(map, bo->vaddr); -+ vaddr = tegra_bo_mmap(&bo->base); -+ if (IS_ERR(vaddr)) -+ return PTR_ERR(vaddr); -+ -+ iosys_map_set_vaddr(map, vaddr); - - return 0; - } - - static void tegra_gem_prime_vunmap(struct dma_buf *buf, struct iosys_map *map) - { -+ struct drm_gem_object *gem = buf->priv; -+ struct tegra_bo *bo = to_tegra_bo(gem); -+ -+ tegra_bo_munmap(&bo->base, map->vaddr); - } - - static const struct dma_buf_ops tegra_gem_prime_dmabuf_ops = { --- -2.35.1 - diff --git a/queue-5.19/drm-vc4-hdmi-disable-audio-if-dmas-property-is-prese.patch b/queue-5.19/drm-vc4-hdmi-disable-audio-if-dmas-property-is-prese.patch deleted file mode 100644 index 8bbe566832b..00000000000 --- a/queue-5.19/drm-vc4-hdmi-disable-audio-if-dmas-property-is-prese.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 78f1cd97e0c8ffa01b96be7ef7893e038cd96508 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 13 Jun 2022 16:47:44 +0200 -Subject: drm/vc4: hdmi: Disable audio if dmas property is present but empty - -From: Phil Elwell - -[ Upstream commit db2b927f8668adf3ac765e0921cd2720f5c04172 ] - -The dmas property is used to hold the dmaengine channel used for audio -output. - -Older device trees were missing that property, so if it's not there we -disable the audio output entirely. - -However, some overlays have set an empty value to that property, mostly -to workaround the fact that overlays cannot remove a property. Let's add -a test for that case and if it's empty, let's disable it as well. - -Cc: -Signed-off-by: Phil Elwell -Link: https://lore.kernel.org/r/20220613144800.326124-18-maxime@cerno.tech -Signed-off-by: Maxime Ripard -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/vc4/vc4_hdmi.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c -index ce9d16666d91..6b4f42332d95 100644 ---- a/drivers/gpu/drm/vc4/vc4_hdmi.c -+++ b/drivers/gpu/drm/vc4/vc4_hdmi.c -@@ -2035,12 +2035,12 @@ static int vc4_hdmi_audio_init(struct vc4_hdmi *vc4_hdmi) - struct device *dev = &vc4_hdmi->pdev->dev; - struct platform_device *codec_pdev; - const __be32 *addr; -- int index; -+ int index, len; - int ret; - -- if (!of_find_property(dev->of_node, "dmas", NULL)) { -+ if (!of_find_property(dev->of_node, "dmas", &len) || !len) { - dev_warn(dev, -- "'dmas' DT property is missing, no HDMI audio\n"); -+ "'dmas' DT property is missing or empty, no HDMI audio\n"); - return 0; - } - --- -2.35.1 - diff --git a/queue-5.19/epoll-autoremove-wakers-even-more-aggressively.patch-6975 b/queue-5.19/epoll-autoremove-wakers-even-more-aggressively.patch-6975 deleted file mode 100644 index 28b5ddba3cd..00000000000 --- a/queue-5.19/epoll-autoremove-wakers-even-more-aggressively.patch-6975 +++ /dev/null @@ -1,95 +0,0 @@ -From a243ba1c4a932a2513ab0222b5c31d019538b199 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 15 Jun 2022 14:24:23 -0700 -Subject: epoll: autoremove wakers even more aggressively - -From: Benjamin Segall - -[ Upstream commit a16ceb13961068f7209e34d7984f8e42d2c06159 ] - -If a process is killed or otherwise exits while having active network -connections and many threads waiting on epoll_wait, the threads will all -be woken immediately, but not removed from ep->wq. Then when network -traffic scans ep->wq in wake_up, every wakeup attempt will fail, and will -not remove the entries from the list. - -This means that the cost of the wakeup attempt is far higher than usual, -does not decrease, and this also competes with the dying threads trying to -actually make progress and remove themselves from the wq. - -Handle this by removing visited epoll wq entries unconditionally, rather -than only when the wakeup succeeds - the structure of ep_poll means that -the only potential loss is the timed_out->eavail heuristic, which now can -race and result in a redundant ep_send_events attempt. (But only when -incoming data and a timeout actually race, not on every timeout) - -Shakeel added: - -: We are seeing this issue in production with real workloads and it has -: caused hard lockups. Particularly network heavy workloads with a lot -: of threads in epoll_wait() can easily trigger this issue if they get -: killed (oom-killed in our case). - -Link: https://lkml.kernel.org/r/xm26fsjotqda.fsf@google.com -Signed-off-by: Ben Segall -Tested-by: Shakeel Butt -Cc: Alexander Viro -Cc: Linus Torvalds -Cc: Shakeel Butt -Cc: Eric Dumazet -Cc: Roman Penyaev -Cc: Jason Baron -Cc: Khazhismel Kumykov -Cc: Heiher -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - fs/eventpoll.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/fs/eventpoll.c b/fs/eventpoll.c -index e2daa940ebce..8b56b94e2f56 100644 ---- a/fs/eventpoll.c -+++ b/fs/eventpoll.c -@@ -1747,6 +1747,21 @@ static struct timespec64 *ep_timeout_to_timespec(struct timespec64 *to, long ms) - return to; - } - -+/* -+ * autoremove_wake_function, but remove even on failure to wake up, because we -+ * know that default_wake_function/ttwu will only fail if the thread is already -+ * woken, and in that case the ep_poll loop will remove the entry anyways, not -+ * try to reuse it. -+ */ -+static int ep_autoremove_wake_function(struct wait_queue_entry *wq_entry, -+ unsigned int mode, int sync, void *key) -+{ -+ int ret = default_wake_function(wq_entry, mode, sync, key); -+ -+ list_del_init(&wq_entry->entry); -+ return ret; -+} -+ - /** - * ep_poll - Retrieves ready events, and delivers them to the caller-supplied - * event buffer. -@@ -1828,8 +1843,15 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, - * normal wakeup path no need to call __remove_wait_queue() - * explicitly, thus ep->lock is not taken, which halts the - * event delivery. -+ * -+ * In fact, we now use an even more aggressive function that -+ * unconditionally removes, because we don't reuse the wait -+ * entry between loop iterations. This lets us also avoid the -+ * performance issue if a process is killed, causing all of its -+ * threads to wake up without being removed normally. - */ - init_wait(&wait); -+ wait.func = ep_autoremove_wake_function; - - write_lock_irq(&ep->lock); - /* --- -2.35.1 - diff --git a/queue-5.19/fbcon-fix-accelerated-fbdev-scrolling-while-logo-is-.patch b/queue-5.19/fbcon-fix-accelerated-fbdev-scrolling-while-logo-is-.patch deleted file mode 100644 index 0339e1b02df..00000000000 --- a/queue-5.19/fbcon-fix-accelerated-fbdev-scrolling-while-logo-is-.patch +++ /dev/null @@ -1,57 +0,0 @@ -From b98c086153d76fbbb9ccae4d4416547027db47db Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 2 Jun 2022 22:08:38 +0200 -Subject: fbcon: Fix accelerated fbdev scrolling while logo is still shown - -From: Helge Deller - -[ Upstream commit 3866cba87dcd0162fb41e9b3b653d0af68fad5ec ] - -There is no need to directly skip over to the SCROLL_REDRAW case while -the logo is still shown. - -When using DRM, this change has no effect because the code will reach -the SCROLL_REDRAW case immediately anyway. - -But if you run an accelerated fbdev driver and have -FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION enabled, console scrolling is -slowed down by factors so that it feels as if you use a 9600 baud -terminal. - -So, drop those unnecessary checks and speed up fbdev console -acceleration during bootup. - -Cc: stable@vger.kernel.org # v5.10+ -Acked-by: Daniel Vetter -Signed-off-by: Helge Deller -Link: https://patchwork.freedesktop.org/patch/msgid/YpkYxk7wsBPx3po+@p100 -Signed-off-by: Sasha Levin ---- - drivers/video/fbdev/core/fbcon.c | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c -index 1a9aa12cf886..1a1de5b4645c 100644 ---- a/drivers/video/fbdev/core/fbcon.c -+++ b/drivers/video/fbdev/core/fbcon.c -@@ -1758,8 +1758,6 @@ static bool fbcon_scroll(struct vc_data *vc, unsigned int t, unsigned int b, - case SM_UP: - if (count > vc->vc_rows) /* Maximum realistic size */ - count = vc->vc_rows; -- if (logo_shown >= 0) -- goto redraw_up; - switch (fb_scrollmode(p)) { - case SCROLL_MOVE: - fbcon_redraw_blit(vc, info, p, t, b - t - count, -@@ -1848,8 +1846,6 @@ static bool fbcon_scroll(struct vc_data *vc, unsigned int t, unsigned int b, - case SM_DOWN: - if (count > vc->vc_rows) /* Maximum realistic size */ - count = vc->vc_rows; -- if (logo_shown >= 0) -- goto redraw_down; - switch (fb_scrollmode(p)) { - case SCROLL_MOVE: - fbcon_redraw_blit(vc, info, p, b - 1, b - t - count, --- -2.35.1 - diff --git a/queue-5.19/fbcon-fix-boundary-checks-for-fbcon-vc-n1-n2-paramet.patch b/queue-5.19/fbcon-fix-boundary-checks-for-fbcon-vc-n1-n2-paramet.patch deleted file mode 100644 index 53e9eae3396..00000000000 --- a/queue-5.19/fbcon-fix-boundary-checks-for-fbcon-vc-n1-n2-paramet.patch +++ /dev/null @@ -1,59 +0,0 @@ -From d9d27d24ba7501f40215af66b500159644245533 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 2 Jun 2022 22:06:28 +0200 -Subject: fbcon: Fix boundary checks for fbcon=vc:n1-n2 parameters - -From: Helge Deller - -[ Upstream commit cad564ca557f8d3bb3b1fa965d9a2b3f6490ec69 ] - -The user may use the fbcon=vc:- option to tell fbcon to take -over the given range (n1...n2) of consoles. The value for n1 and n2 -needs to be a positive number and up to (MAX_NR_CONSOLES - 1). -The given values were not fully checked against those boundaries yet. - -To fix the issue, convert first_fb_vc and last_fb_vc to unsigned -integers and check them against the upper boundary, and make sure that -first_fb_vc is smaller than last_fb_vc. - -Cc: stable@vger.kernel.org # v4.19+ -Reviewed-by: Daniel Vetter -Signed-off-by: Helge Deller -Link: https://patchwork.freedesktop.org/patch/msgid/YpkYRMojilrtZIgM@p100 -Signed-off-by: Sasha Levin ---- - drivers/video/fbdev/core/fbcon.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c -index 1a1de5b4645c..b89075f3b6ab 100644 ---- a/drivers/video/fbdev/core/fbcon.c -+++ b/drivers/video/fbdev/core/fbcon.c -@@ -125,8 +125,8 @@ static int logo_lines; - enums. */ - static int logo_shown = FBCON_LOGO_CANSHOW; - /* console mappings */ --static int first_fb_vc; --static int last_fb_vc = MAX_NR_CONSOLES - 1; -+static unsigned int first_fb_vc; -+static unsigned int last_fb_vc = MAX_NR_CONSOLES - 1; - static int fbcon_is_default = 1; - static int primary_device = -1; - static int fbcon_has_console_bind; -@@ -440,10 +440,12 @@ static int __init fb_console_setup(char *this_opt) - options += 3; - if (*options) - first_fb_vc = simple_strtoul(options, &options, 10) - 1; -- if (first_fb_vc < 0) -+ if (first_fb_vc >= MAX_NR_CONSOLES) - first_fb_vc = 0; - if (*options++ == '-') - last_fb_vc = simple_strtoul(options, &options, 10) - 1; -+ if (last_fb_vc < first_fb_vc || last_fb_vc >= MAX_NR_CONSOLES) -+ last_fb_vc = MAX_NR_CONSOLES - 1; - fbcon_is_default = 0; - continue; - } --- -2.35.1 - diff --git a/queue-5.19/fix-short-copy-handling-in-copy_mc_pipe_to_iter.patch-23282 b/queue-5.19/fix-short-copy-handling-in-copy_mc_pipe_to_iter.patch-23282 deleted file mode 100644 index 9d208a86ff3..00000000000 --- a/queue-5.19/fix-short-copy-handling-in-copy_mc_pipe_to_iter.patch-23282 +++ /dev/null @@ -1,89 +0,0 @@ -From efb1a337a02e06df948da844dc408e0fd50cd258 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 12 Jun 2022 19:50:29 -0400 -Subject: fix short copy handling in copy_mc_pipe_to_iter() - -From: Al Viro - -[ Upstream commit c3497fd009ef2c59eea60d21c3ac22de3585ed7d ] - -Unlike other copying operations on ITER_PIPE, copy_mc_to_iter() can -result in a short copy. In that case we need to trim the unused -buffers, as well as the length of partially filled one - it's not -enough to set ->head, ->iov_offset and ->count to reflect how -much had we copied. Not hard to fix, fortunately... - -I'd put a helper (pipe_discard_from(pipe, head)) into pipe_fs_i.h, -rather than iov_iter.c - it has nothing to do with iov_iter and -having it will allow us to avoid an ugly kludge in fs/splice.c. -We could put it into lib/iov_iter.c for now and move it later, -but I don't see the point going that way... - -Cc: stable@kernel.org # 4.19+ -Fixes: ca146f6f091e "lib/iov_iter: Fix pipe handling in _copy_to_iter_mcsafe()" -Reviewed-by: Jeff Layton -Reviewed-by: Christian Brauner (Microsoft) -Signed-off-by: Al Viro -Signed-off-by: Sasha Levin ---- - include/linux/pipe_fs_i.h | 9 +++++++++ - lib/iov_iter.c | 15 +++++++++++---- - 2 files changed, 20 insertions(+), 4 deletions(-) - -diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h -index cb0fd633a610..4ea496924106 100644 ---- a/include/linux/pipe_fs_i.h -+++ b/include/linux/pipe_fs_i.h -@@ -229,6 +229,15 @@ static inline bool pipe_buf_try_steal(struct pipe_inode_info *pipe, - return buf->ops->try_steal(pipe, buf); - } - -+static inline void pipe_discard_from(struct pipe_inode_info *pipe, -+ unsigned int old_head) -+{ -+ unsigned int mask = pipe->ring_size - 1; -+ -+ while (pipe->head > old_head) -+ pipe_buf_release(pipe, &pipe->bufs[--pipe->head & mask]); -+} -+ - /* Differs from PIPE_BUF in that PIPE_SIZE is the length of the actual - memory allocation, whereas PIPE_BUF makes atomicity guarantees. */ - #define PIPE_SIZE PAGE_SIZE -diff --git a/lib/iov_iter.c b/lib/iov_iter.c -index 0b64695ab632..2bf20b48a04a 100644 ---- a/lib/iov_iter.c -+++ b/lib/iov_iter.c -@@ -689,6 +689,7 @@ static size_t copy_mc_pipe_to_iter(const void *addr, size_t bytes, - struct pipe_inode_info *pipe = i->pipe; - unsigned int p_mask = pipe->ring_size - 1; - unsigned int i_head; -+ unsigned int valid = pipe->head; - size_t n, off, xfer = 0; - - if (!sanity(i)) -@@ -702,11 +703,17 @@ static size_t copy_mc_pipe_to_iter(const void *addr, size_t bytes, - rem = copy_mc_to_kernel(p + off, addr + xfer, chunk); - chunk -= rem; - kunmap_local(p); -- i->head = i_head; -- i->iov_offset = off + chunk; -- xfer += chunk; -- if (rem) -+ if (chunk) { -+ i->head = i_head; -+ i->iov_offset = off + chunk; -+ xfer += chunk; -+ valid = i_head + 1; -+ } -+ if (rem) { -+ pipe->bufs[i_head & p_mask].len -= rem; -+ pipe_discard_from(pipe, valid); - break; -+ } - n -= chunk; - off = 0; - i_head++; --- -2.35.1 - diff --git a/queue-5.19/ftrace-x86-add-back-ftrace_expected-assignment.patch-6434 b/queue-5.19/ftrace-x86-add-back-ftrace_expected-assignment.patch-6434 deleted file mode 100644 index a121b49f073..00000000000 --- a/queue-5.19/ftrace-x86-add-back-ftrace_expected-assignment.patch-6434 +++ /dev/null @@ -1,49 +0,0 @@ -From 64fc62d5d534496e9c262c5f45b6053c5d019208 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 26 Jul 2022 10:18:51 -0400 -Subject: ftrace/x86: Add back ftrace_expected assignment - -From: Steven Rostedt (Google) - -[ Upstream commit ac6c1b2ca77e722a1e5d651f12f437f2f237e658 ] - -When a ftrace_bug happens (where ftrace fails to modify a location) it is -helpful to have what was at that location as well as what was expected to -be there. - -But with the conversion to text_poke() the variable that assigns the -expected for debugging was dropped. Unfortunately, I noticed this when I -needed it. Add it back. - -Link: https://lkml.kernel.org/r/20220726101851.069d2e70@gandalf.local.home - -Cc: "x86@kernel.org" -Cc: Peter Zijlstra -Cc: Thomas Gleixner -Cc: Ingo Molnar -Cc: Borislav Petkov -Cc: "H. Peter Anvin" -Cc: Andrew Morton -Cc: stable@vger.kernel.org -Fixes: 768ae4406a5c ("x86/ftrace: Use text_poke()") -Signed-off-by: Steven Rostedt (Google) -Signed-off-by: Sasha Levin ---- - arch/x86/kernel/ftrace.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c -index 24b9fa89aa27..bd165004776d 100644 ---- a/arch/x86/kernel/ftrace.c -+++ b/arch/x86/kernel/ftrace.c -@@ -91,6 +91,7 @@ static int ftrace_verify_code(unsigned long ip, const char *old_code) - - /* Make sure it is what we expect it to be */ - if (memcmp(cur_code, old_code, MCOUNT_INSN_SIZE) != 0) { -+ ftrace_expected = old_code; - WARN_ON(1); - return -EINVAL; - } --- -2.35.1 - diff --git a/queue-5.19/fuse-fix-deadlock-between-atomic-o_trunc-and-page-in.patch b/queue-5.19/fuse-fix-deadlock-between-atomic-o_trunc-and-page-in.patch deleted file mode 100644 index 656a093c77f..00000000000 --- a/queue-5.19/fuse-fix-deadlock-between-atomic-o_trunc-and-page-in.patch +++ /dev/null @@ -1,176 +0,0 @@ -From 6a8e4273ffe4f780a39f1c0677b80a21e832dc9d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 22 Apr 2022 15:48:53 +0200 -Subject: fuse: fix deadlock between atomic O_TRUNC and page invalidation - -From: Miklos Szeredi - -[ Upstream commit 2fdbb8dd01556e1501132b5ad3826e8f71e24a8b ] - -fuse_finish_open() will be called with FUSE_NOWRITE set in case of atomic -O_TRUNC open(), so commit 76224355db75 ("fuse: truncate pagecache on -atomic_o_trunc") replaced invalidate_inode_pages2() by truncate_pagecache() -in such a case to avoid the A-A deadlock. However, we found another A-B-B-A -deadlock related to the case above, which will cause the xfstests -generic/464 testcase hung in our virtio-fs test environment. - -For example, consider two processes concurrently open one same file, one -with O_TRUNC and another without O_TRUNC. The deadlock case is described -below, if open(O_TRUNC) is already set_nowrite(acquired A), and is trying -to lock a page (acquiring B), open() could have held the page lock -(acquired B), and waiting on the page writeback (acquiring A). This would -lead to deadlocks. - -open(O_TRUNC) ----------------------------------------------------------------- -fuse_open_common - inode_lock [C acquire] - fuse_set_nowrite [A acquire] - - fuse_finish_open - truncate_pagecache - lock_page [B acquire] - truncate_inode_page - unlock_page [B release] - - fuse_release_nowrite [A release] - inode_unlock [C release] ----------------------------------------------------------------- - -open() ----------------------------------------------------------------- -fuse_open_common - fuse_finish_open - invalidate_inode_pages2 - lock_page [B acquire] - fuse_launder_page - fuse_wait_on_page_writeback [A acquire & release] - unlock_page [B release] ----------------------------------------------------------------- - -Besides this case, all calls of invalidate_inode_pages2() and -invalidate_inode_pages2_range() in fuse code also can deadlock with -open(O_TRUNC). - -Fix by moving the truncate_pagecache() call outside the nowrite protected -region. The nowrite protection is only for delayed writeback -(writeback_cache) case, where inode lock does not protect against -truncation racing with writes on the server. Write syscalls racing with -page cache truncation still get the inode lock protection. - -This patch also changes the order of filemap_invalidate_lock() -vs. fuse_set_nowrite() in fuse_open_common(). This new order matches the -order found in fuse_file_fallocate() and fuse_do_setattr(). - -Reported-by: Jiachen Zhang -Tested-by: Jiachen Zhang -Fixes: e4648309b85a ("fuse: truncate pending writes on O_TRUNC") -Cc: -Signed-off-by: Miklos Szeredi -Signed-off-by: Sasha Levin ---- - fs/fuse/dir.c | 7 ++++++- - fs/fuse/file.c | 30 +++++++++++++++++------------- - 2 files changed, 23 insertions(+), 14 deletions(-) - -diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c -index 74303d6e987b..a93d675a726a 100644 ---- a/fs/fuse/dir.c -+++ b/fs/fuse/dir.c -@@ -537,6 +537,7 @@ static int fuse_create_open(struct inode *dir, struct dentry *entry, - struct fuse_file *ff; - void *security_ctx = NULL; - u32 security_ctxlen; -+ bool trunc = flags & O_TRUNC; - - /* Userspace expects S_IFREG in create mode */ - BUG_ON((mode & S_IFMT) != S_IFREG); -@@ -561,7 +562,7 @@ static int fuse_create_open(struct inode *dir, struct dentry *entry, - inarg.mode = mode; - inarg.umask = current_umask(); - -- if (fm->fc->handle_killpriv_v2 && (flags & O_TRUNC) && -+ if (fm->fc->handle_killpriv_v2 && trunc && - !(flags & O_EXCL) && !capable(CAP_FSETID)) { - inarg.open_flags |= FUSE_OPEN_KILL_SUIDGID; - } -@@ -623,6 +624,10 @@ static int fuse_create_open(struct inode *dir, struct dentry *entry, - } else { - file->private_data = ff; - fuse_finish_open(inode, file); -+ if (fm->fc->atomic_o_trunc && trunc) -+ truncate_pagecache(inode, 0); -+ else if (!(ff->open_flags & FOPEN_KEEP_CACHE)) -+ invalidate_inode_pages2(inode->i_mapping); - } - return err; - -diff --git a/fs/fuse/file.c b/fs/fuse/file.c -index 60885ff9157c..dfee142bca5c 100644 ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -210,13 +210,9 @@ void fuse_finish_open(struct inode *inode, struct file *file) - fi->attr_version = atomic64_inc_return(&fc->attr_version); - i_size_write(inode, 0); - spin_unlock(&fi->lock); -- truncate_pagecache(inode, 0); - file_update_time(file); - fuse_invalidate_attr_mask(inode, FUSE_STATX_MODSIZE); -- } else if (!(ff->open_flags & FOPEN_KEEP_CACHE)) { -- invalidate_inode_pages2(inode->i_mapping); - } -- - if ((file->f_mode & FMODE_WRITE) && fc->writeback_cache) - fuse_link_write_file(file); - } -@@ -239,30 +235,38 @@ int fuse_open_common(struct inode *inode, struct file *file, bool isdir) - if (err) - return err; - -- if (is_wb_truncate || dax_truncate) { -+ if (is_wb_truncate || dax_truncate) - inode_lock(inode); -- fuse_set_nowrite(inode); -- } - - if (dax_truncate) { - filemap_invalidate_lock(inode->i_mapping); - err = fuse_dax_break_layouts(inode, 0, 0); - if (err) -- goto out; -+ goto out_inode_unlock; - } - -+ if (is_wb_truncate || dax_truncate) -+ fuse_set_nowrite(inode); -+ - err = fuse_do_open(fm, get_node_id(inode), file, isdir); - if (!err) - fuse_finish_open(inode, file); - --out: -+ if (is_wb_truncate || dax_truncate) -+ fuse_release_nowrite(inode); -+ if (!err) { -+ struct fuse_file *ff = file->private_data; -+ -+ if (fc->atomic_o_trunc && (file->f_flags & O_TRUNC)) -+ truncate_pagecache(inode, 0); -+ else if (!(ff->open_flags & FOPEN_KEEP_CACHE)) -+ invalidate_inode_pages2(inode->i_mapping); -+ } - if (dax_truncate) - filemap_invalidate_unlock(inode->i_mapping); -- -- if (is_wb_truncate | dax_truncate) { -- fuse_release_nowrite(inode); -+out_inode_unlock: -+ if (is_wb_truncate || dax_truncate) - inode_unlock(inode); -- } - - return err; - } --- -2.35.1 - diff --git a/queue-5.19/fuse-ioctl-translate-enosys.patch-17448 b/queue-5.19/fuse-ioctl-translate-enosys.patch-17448 deleted file mode 100644 index 7cb118a118e..00000000000 --- a/queue-5.19/fuse-ioctl-translate-enosys.patch-17448 +++ /dev/null @@ -1,89 +0,0 @@ -From 9a76a72661a15caa9ccd7884caa7f17bffb7a9ea Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 21 Jul 2022 16:06:18 +0200 -Subject: fuse: ioctl: translate ENOSYS -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Miklos Szeredi - -[ Upstream commit 02c0cab8e7345b06f1c0838df444e2902e4138d3 ] - -Overlayfs may fail to complete updates when a filesystem lacks -fileattr/xattr syscall support and responds with an ENOSYS error code, -resulting in an unexpected "Function not implemented" error. - -This bug may occur with FUSE filesystems, such as davfs2. - -Steps to reproduce: - - # install davfs2, e.g., apk add davfs2 - mkdir /test mkdir /test/lower /test/upper /test/work /test/mnt - yes '' | mount -t davfs -o ro http://some-web-dav-server/path \ - /test/lower - mount -t overlay -o upperdir=/test/upper,lowerdir=/test/lower \ - -o workdir=/test/work overlay /test/mnt - - # when "some-file" exists in the lowerdir, this fails with "Function - # not implemented", with dmesg showing "overlayfs: failed to retrieve - # lower fileattr (/some-file, err=-38)" - touch /test/mnt/some-file - -The underlying cause of this regresion is actually in FUSE, which fails to -translate the ENOSYS error code returned by userspace filesystem (which -means that the ioctl operation is not supported) to ENOTTY. - -Reported-by: Christian Kohlschütter -Fixes: 72db82115d2b ("ovl: copy up sync/noatime fileattr flags") -Fixes: 59efec7b9039 ("fuse: implement ioctl support") -Cc: -Signed-off-by: Miklos Szeredi -Signed-off-by: Sasha Levin ---- - fs/fuse/ioctl.c | 15 +++++++++++++-- - 1 file changed, 13 insertions(+), 2 deletions(-) - -diff --git a/fs/fuse/ioctl.c b/fs/fuse/ioctl.c -index 33cde4bbccdc..61d8afcb10a3 100644 ---- a/fs/fuse/ioctl.c -+++ b/fs/fuse/ioctl.c -@@ -9,6 +9,17 @@ - #include - #include - -+static ssize_t fuse_send_ioctl(struct fuse_mount *fm, struct fuse_args *args) -+{ -+ ssize_t ret = fuse_simple_request(fm, args); -+ -+ /* Translate ENOSYS, which shouldn't be returned from fs */ -+ if (ret == -ENOSYS) -+ ret = -ENOTTY; -+ -+ return ret; -+} -+ - /* - * CUSE servers compiled on 32bit broke on 64bit kernels because the - * ABI was defined to be 'struct iovec' which is different on 32bit -@@ -259,7 +270,7 @@ long fuse_do_ioctl(struct file *file, unsigned int cmd, unsigned long arg, - ap.args.out_pages = true; - ap.args.out_argvar = true; - -- transferred = fuse_simple_request(fm, &ap.args); -+ transferred = fuse_send_ioctl(fm, &ap.args); - err = transferred; - if (transferred < 0) - goto out; -@@ -393,7 +404,7 @@ static int fuse_priv_ioctl(struct inode *inode, struct fuse_file *ff, - args.out_args[1].size = inarg.out_size; - args.out_args[1].value = ptr; - -- err = fuse_simple_request(fm, &args); -+ err = fuse_send_ioctl(fm, &args); - if (!err) { - if (outarg.result < 0) - err = outarg.result; --- -2.35.1 - diff --git a/queue-5.19/fuse-limit-nsec.patch-2050 b/queue-5.19/fuse-limit-nsec.patch-2050 deleted file mode 100644 index 4ac1a553224..00000000000 --- a/queue-5.19/fuse-limit-nsec.patch-2050 +++ /dev/null @@ -1,39 +0,0 @@ -From 415837824b69f800cea848df2bc04c46605413db Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 21 Jul 2022 16:06:18 +0200 -Subject: fuse: limit nsec - -From: Miklos Szeredi - -[ Upstream commit 47912eaa061a6a81e4aa790591a1874c650733c0 ] - -Limit nanoseconds to 0..999999999. - -Fixes: d8a5ba45457e ("[PATCH] FUSE - core") -Cc: -Signed-off-by: Miklos Szeredi -Signed-off-by: Sasha Levin ---- - fs/fuse/inode.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c -index 8c0665c5dff8..7c290089e693 100644 ---- a/fs/fuse/inode.c -+++ b/fs/fuse/inode.c -@@ -180,6 +180,12 @@ void fuse_change_attributes_common(struct inode *inode, struct fuse_attr *attr, - inode->i_uid = make_kuid(fc->user_ns, attr->uid); - inode->i_gid = make_kgid(fc->user_ns, attr->gid); - inode->i_blocks = attr->blocks; -+ -+ /* Sanitize nsecs */ -+ attr->atimensec = min_t(u32, attr->atimensec, NSEC_PER_SEC - 1); -+ attr->mtimensec = min_t(u32, attr->mtimensec, NSEC_PER_SEC - 1); -+ attr->ctimensec = min_t(u32, attr->ctimensec, NSEC_PER_SEC - 1); -+ - inode->i_atime.tv_sec = attr->atime; - inode->i_atime.tv_nsec = attr->atimensec; - /* mtime from server may be stale due to local buffered write */ --- -2.35.1 - diff --git a/queue-5.19/fuse-write-inode-in-fuse_release.patch-28840 b/queue-5.19/fuse-write-inode-in-fuse_release.patch-28840 deleted file mode 100644 index ed7398e264c..00000000000 --- a/queue-5.19/fuse-write-inode-in-fuse_release.patch-28840 +++ /dev/null @@ -1,48 +0,0 @@ -From 8674a3b26deade1bbd04e752246293b72bf6863c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 Apr 2022 16:05:41 +0200 -Subject: fuse: write inode in fuse_release() - -From: Miklos Szeredi - -[ Upstream commit 035ff33cf4db101250fb980a3941bf078f37a544 ] - -A race between write(2) and close(2) allows pages to be dirtied after -fuse_flush -> write_inode_now(). If these pages are not flushed from -fuse_release(), then there might not be a writable open file later. So any -remaining dirty pages must be written back before the file is released. - -This is a partial revert of the blamed commit. - -Reported-by: syzbot+6e1efbd8efaaa6860e91@syzkaller.appspotmail.com -Fixes: 36ea23374d1f ("fuse: write inode in fuse_vma_close() instead of fuse_release()") -Cc: # v5.16 -Signed-off-by: Miklos Szeredi -Signed-off-by: Sasha Levin ---- - fs/fuse/file.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/fs/fuse/file.c b/fs/fuse/file.c -index 05caa2b9272e..60885ff9157c 100644 ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -338,6 +338,15 @@ static int fuse_open(struct inode *inode, struct file *file) - - static int fuse_release(struct inode *inode, struct file *file) - { -+ struct fuse_conn *fc = get_fuse_conn(inode); -+ -+ /* -+ * Dirty pages might remain despite write_inode_now() call from -+ * fuse_flush() due to writes racing with the close. -+ */ -+ if (fc->writeback_cache) -+ write_inode_now(inode, 1); -+ - fuse_release_common(file, false); - - /* return value is ignored by VFS */ --- -2.35.1 - diff --git a/queue-5.19/hid-hid-input-add-surface-go-battery-quirk.patch-7851 b/queue-5.19/hid-hid-input-add-surface-go-battery-quirk.patch-7851 deleted file mode 100644 index 112f496d1d1..00000000000 --- a/queue-5.19/hid-hid-input-add-surface-go-battery-quirk.patch-7851 +++ /dev/null @@ -1,54 +0,0 @@ -From bfb446268f6178e53244ad8b7cc1a6b20435f790 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 26 May 2022 01:08:27 +0200 -Subject: HID: hid-input: add Surface Go battery quirk - -From: Maximilian Luz - -[ Upstream commit db925d809011c37b246434fdce71209fc2e6c0c2 ] - -Similar to the Surface Go (1), the (Elantech) touchscreen/digitizer in -the Surface Go 2 mistakenly reports the battery of the stylus. Instead -of over the touchscreen device, battery information is provided via -bluetooth and the touchscreen device reports an empty battery. - -Apply the HID_BATTERY_QUIRK_IGNORE quirk to ignore this battery and -prevent the erroneous low battery warnings. - -Cc: stable@vger.kernel.org -Signed-off-by: Maximilian Luz -Signed-off-by: Jiri Kosina -Signed-off-by: Sasha Levin ---- - drivers/hid/hid-ids.h | 1 + - drivers/hid/hid-input.c | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h -index d9eb676abe96..9c4e92a9c646 100644 ---- a/drivers/hid/hid-ids.h -+++ b/drivers/hid/hid-ids.h -@@ -413,6 +413,7 @@ - #define USB_DEVICE_ID_ASUS_UX550VE_TOUCHSCREEN 0x2544 - #define USB_DEVICE_ID_ASUS_UX550_TOUCHSCREEN 0x2706 - #define I2C_DEVICE_ID_SURFACE_GO_TOUCHSCREEN 0x261A -+#define I2C_DEVICE_ID_SURFACE_GO2_TOUCHSCREEN 0x2A1C - - #define USB_VENDOR_ID_ELECOM 0x056e - #define USB_DEVICE_ID_ELECOM_BM084 0x0061 -diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c -index c6b27aab9041..48c1c02c69f4 100644 ---- a/drivers/hid/hid-input.c -+++ b/drivers/hid/hid-input.c -@@ -381,6 +381,8 @@ static const struct hid_device_id hid_battery_quirks[] = { - HID_BATTERY_QUIRK_IGNORE }, - { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_SURFACE_GO_TOUCHSCREEN), - HID_BATTERY_QUIRK_IGNORE }, -+ { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_SURFACE_GO2_TOUCHSCREEN), -+ HID_BATTERY_QUIRK_IGNORE }, - {} - }; - --- -2.35.1 - diff --git a/queue-5.19/hid-nintendo-add-missing-array-termination.patch-24808 b/queue-5.19/hid-nintendo-add-missing-array-termination.patch-24808 deleted file mode 100644 index 9700f7087b2..00000000000 --- a/queue-5.19/hid-nintendo-add-missing-array-termination.patch-24808 +++ /dev/null @@ -1,43 +0,0 @@ -From fda2e32fadf0b81d5d65e6535b400165619be6c8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 12 Jul 2022 15:17:05 -0700 -Subject: HID: nintendo: Add missing array termination - -From: Guenter Roeck - -[ Upstream commit ab5f3404b7762b88403fbddbdda6b1b464bd6cbc ] - -joycon_dpad_inputs_jc[] is unterminated. This may result in odd warnings -such as - -input: input_set_capability: invalid code 3077588140 for type 1 - -or in kernel crashes in nintendo_hid_probe(). Terminate the array to fix -the problem. - -Fixes: 2af16c1f846bd ("HID: nintendo: add nintendo switch controller driver") -Cc: Daniel J. Ogorchock -Signed-off-by: Guenter Roeck -Reviewed-by: Dmitry Torokhov -Cc: stable@vger.kernel.org -Signed-off-by: Jiri Kosina -Signed-off-by: Sasha Levin ---- - drivers/hid/hid-nintendo.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/hid/hid-nintendo.c b/drivers/hid/hid-nintendo.c -index 2204de889739..4b1173957c17 100644 ---- a/drivers/hid/hid-nintendo.c -+++ b/drivers/hid/hid-nintendo.c -@@ -1586,6 +1586,7 @@ static const unsigned int joycon_button_inputs_r[] = { - /* We report joy-con d-pad inputs as buttons and pro controller as a hat. */ - static const unsigned int joycon_dpad_inputs_jc[] = { - BTN_DPAD_UP, BTN_DPAD_DOWN, BTN_DPAD_LEFT, BTN_DPAD_RIGHT, -+ 0 /* 0 signals end of array */ - }; - - static int joycon_input_create(struct joycon_ctlr *ctlr) --- -2.35.1 - diff --git a/queue-5.19/hid-wacom-don-t-register-pad_input-for-touch-switch.patch-820 b/queue-5.19/hid-wacom-don-t-register-pad_input-for-touch-switch.patch-820 deleted file mode 100644 index 8b87375fbe7..00000000000 --- a/queue-5.19/hid-wacom-don-t-register-pad_input-for-touch-switch.patch-820 +++ /dev/null @@ -1,114 +0,0 @@ -From 0137a15938b0f57b5698e4493c44ca69b3a208c3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 13 May 2022 14:52:37 -0700 -Subject: HID: wacom: Don't register pad_input for touch switch - -From: Ping Cheng - -[ Upstream commit d6b675687a4ab4dba684716d97c8c6f81bf10905 ] - -Touch switch state is received through WACOM_PAD_FIELD. However, it -is reported by touch_input. Don't register pad_input if no other pad -events require the interface. - -Cc: stable@vger.kernel.org -Signed-off-by: Ping Cheng -Reviewed-by: Jason Gerecke -Signed-off-by: Jiri Kosina -Signed-off-by: Sasha Levin ---- - drivers/hid/wacom_sys.c | 2 +- - drivers/hid/wacom_wac.c | 43 ++++++++++++++++++++++++----------------- - 2 files changed, 26 insertions(+), 19 deletions(-) - -diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c -index 620fe74f5676..98384b911288 100644 ---- a/drivers/hid/wacom_sys.c -+++ b/drivers/hid/wacom_sys.c -@@ -2121,7 +2121,7 @@ static int wacom_register_inputs(struct wacom *wacom) - - error = wacom_setup_pad_input_capabilities(pad_input_dev, wacom_wac); - if (error) { -- /* no pad in use on this interface */ -+ /* no pad events using this interface */ - input_free_device(pad_input_dev); - wacom_wac->pad_input = NULL; - pad_input_dev = NULL; -diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c -index 866b484b82de..f8cc4bb3e3a7 100644 ---- a/drivers/hid/wacom_wac.c -+++ b/drivers/hid/wacom_wac.c -@@ -2019,7 +2019,6 @@ static void wacom_wac_pad_usage_mapping(struct hid_device *hdev, - wacom_wac->has_mute_touch_switch = true; - usage->type = EV_SW; - usage->code = SW_MUTE_DEVICE; -- features->device_type |= WACOM_DEVICETYPE_PAD; - break; - case WACOM_HID_WD_TOUCHSTRIP: - wacom_map_usage(input, usage, field, EV_ABS, ABS_RX, 0); -@@ -2099,6 +2098,30 @@ static void wacom_wac_pad_event(struct hid_device *hdev, struct hid_field *field - wacom_wac->hid_data.inrange_state |= value; - } - -+ /* Process touch switch state first since it is reported through touch interface, -+ * which is indepentent of pad interface. In the case when there are no other pad -+ * events, the pad interface will not even be created. -+ */ -+ if ((equivalent_usage == WACOM_HID_WD_MUTE_DEVICE) || -+ (equivalent_usage == WACOM_HID_WD_TOUCHONOFF)) { -+ if (wacom_wac->shared->touch_input) { -+ bool *is_touch_on = &wacom_wac->shared->is_touch_on; -+ -+ if (equivalent_usage == WACOM_HID_WD_MUTE_DEVICE && value) -+ *is_touch_on = !(*is_touch_on); -+ else if (equivalent_usage == WACOM_HID_WD_TOUCHONOFF) -+ *is_touch_on = value; -+ -+ input_report_switch(wacom_wac->shared->touch_input, -+ SW_MUTE_DEVICE, !(*is_touch_on)); -+ input_sync(wacom_wac->shared->touch_input); -+ } -+ return; -+ } -+ -+ if (!input) -+ return; -+ - switch (equivalent_usage) { - case WACOM_HID_WD_TOUCHRING: - /* -@@ -2134,22 +2157,6 @@ static void wacom_wac_pad_event(struct hid_device *hdev, struct hid_field *field - input_event(input, usage->type, usage->code, 0); - break; - -- case WACOM_HID_WD_MUTE_DEVICE: -- case WACOM_HID_WD_TOUCHONOFF: -- if (wacom_wac->shared->touch_input) { -- bool *is_touch_on = &wacom_wac->shared->is_touch_on; -- -- if (equivalent_usage == WACOM_HID_WD_MUTE_DEVICE && value) -- *is_touch_on = !(*is_touch_on); -- else if (equivalent_usage == WACOM_HID_WD_TOUCHONOFF) -- *is_touch_on = value; -- -- input_report_switch(wacom_wac->shared->touch_input, -- SW_MUTE_DEVICE, !(*is_touch_on)); -- input_sync(wacom_wac->shared->touch_input); -- } -- break; -- - case WACOM_HID_WD_MODE_CHANGE: - if (wacom_wac->is_direct_mode != value) { - wacom_wac->is_direct_mode = value; -@@ -2835,7 +2842,7 @@ void wacom_wac_event(struct hid_device *hdev, struct hid_field *field, - /* usage tests must precede field tests */ - if (WACOM_BATTERY_USAGE(usage)) - wacom_wac_battery_event(hdev, field, usage, value); -- else if (WACOM_PAD_FIELD(field) && wacom->wacom_wac.pad_input) -+ else if (WACOM_PAD_FIELD(field)) - wacom_wac_pad_event(hdev, field, usage, value); - else if (WACOM_PEN_FIELD(field) && wacom->wacom_wac.pen_input) - wacom_wac_pen_event(hdev, field, usage, value); --- -2.35.1 - diff --git a/queue-5.19/hid-wacom-only-report-rotation-for-art-pen.patch-25074 b/queue-5.19/hid-wacom-only-report-rotation-for-art-pen.patch-25074 deleted file mode 100644 index 4bbf9455379..00000000000 --- a/queue-5.19/hid-wacom-only-report-rotation-for-art-pen.patch-25074 +++ /dev/null @@ -1,101 +0,0 @@ -From 45bea7616fc78940408008d1bbb3b8ce92304f93 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 13 May 2022 14:51:56 -0700 -Subject: HID: wacom: Only report rotation for art pen - -From: Ping Cheng - -[ Upstream commit 7ccced33a0ba39b0103ae1dfbf7f1dffdc0a1bc2 ] - -The generic routine, wacom_wac_pen_event, turns rotation value 90 -degree anti-clockwise before posting the events. This non-zero -event trggers a non-zero ABS_Z event for non art pen tools. However, -HID_DG_TWIST is only supported by art pen. - -[jkosina@suse.cz: fix build: add missing brace] -Cc: stable@vger.kernel.org -Signed-off-by: Ping Cheng -Reviewed-by: Jason Gerecke --- -Hi Jiri, - -This is kind of a version 2 of the last one I posted two days ago. -I updated the logic so it has less changed lines: 29 vs 158! Hopefully, -the logic is easier to follow now. Please ignore the last one. - -Thank you! -Signed-off-by: Jiri Kosina -Signed-off-by: Sasha Levin ---- - drivers/hid/wacom_wac.c | 29 +++++++++++++++++++++-------- - 1 file changed, 21 insertions(+), 8 deletions(-) - -diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c -index 9470c2b0b529..866b484b82de 100644 ---- a/drivers/hid/wacom_wac.c -+++ b/drivers/hid/wacom_wac.c -@@ -638,9 +638,26 @@ static int wacom_intuos_id_mangle(int tool_id) - return (tool_id & ~0xFFF) << 4 | (tool_id & 0xFFF); - } - -+static bool wacom_is_art_pen(int tool_id) -+{ -+ bool is_art_pen = false; -+ -+ switch (tool_id) { -+ case 0x885: /* Intuos3 Marker Pen */ -+ case 0x804: /* Intuos4/5 13HD/24HD Marker Pen */ -+ case 0x10804: /* Intuos4/5 13HD/24HD Art Pen */ -+ is_art_pen = true; -+ break; -+ } -+ return is_art_pen; -+} -+ - static int wacom_intuos_get_tool_type(int tool_id) - { -- int tool_type; -+ int tool_type = BTN_TOOL_PEN; -+ -+ if (wacom_is_art_pen(tool_id)) -+ return tool_type; - - switch (tool_id) { - case 0x812: /* Inking pen */ -@@ -655,12 +672,9 @@ static int wacom_intuos_get_tool_type(int tool_id) - case 0x852: - case 0x823: /* Intuos3 Grip Pen */ - case 0x813: /* Intuos3 Classic Pen */ -- case 0x885: /* Intuos3 Marker Pen */ - case 0x802: /* Intuos4/5 13HD/24HD General Pen */ -- case 0x804: /* Intuos4/5 13HD/24HD Marker Pen */ - case 0x8e2: /* IntuosHT2 pen */ - case 0x022: -- case 0x10804: /* Intuos4/5 13HD/24HD Art Pen */ - case 0x10842: /* MobileStudio Pro Pro Pen slim */ - case 0x14802: /* Intuos4/5 13HD/24HD Classic Pen */ - case 0x16802: /* Cintiq 13HD Pro Pen */ -@@ -718,10 +732,6 @@ static int wacom_intuos_get_tool_type(int tool_id) - case 0x10902: /* Intuos4/5 13HD/24HD Airbrush */ - tool_type = BTN_TOOL_AIRBRUSH; - break; -- -- default: /* Unknown tool */ -- tool_type = BTN_TOOL_PEN; -- break; - } - return tool_type; - } -@@ -2336,6 +2346,9 @@ static void wacom_wac_pen_event(struct hid_device *hdev, struct hid_field *field - } - return; - case HID_DG_TWIST: -+ /* don't modify the value if the pen doesn't support the feature */ -+ if (!wacom_is_art_pen(wacom_wac->id[0])) return; -+ - /* - * Userspace expects pen twist to have its zero point when - * the buttons/finger is on the tablet's left. HID values --- -2.35.1 - diff --git a/queue-5.19/ia64-processor-fix-wincompatible-pointer-types-in-ia.patch b/queue-5.19/ia64-processor-fix-wincompatible-pointer-types-in-ia.patch deleted file mode 100644 index 4f075fbc6e2..00000000000 --- a/queue-5.19/ia64-processor-fix-wincompatible-pointer-types-in-ia.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 8d278756aab6ff9b002539a96ddecedc470c5fcc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 24 Jun 2022 14:13:05 +0200 -Subject: ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr() - -From: Alexander Lobakin - -[ Upstream commit e5a16a5c4602c119262f350274021f90465f479d ] - -test_bit(), as any other bitmap op, takes `unsigned long *` as a -second argument (pointer to the actual bitmap), as any bitmap -itself is an array of unsigned longs. However, the ia64_get_irr() -code passes a ref to `u64` as a second argument. -This works with the ia64 bitops implementation due to that they -have `void *` as the second argument and then cast it later on. -This works with the bitmap API itself due to that `unsigned long` -has the same size on ia64 as `u64` (`unsigned long long`), but -from the compiler PoV those two are different. -Define @irr as `unsigned long` to fix that. That implies no -functional changes. Has been hidden for 16 years! - -Fixes: a58786917ce2 ("[IA64] avoid broken SAL_CACHE_FLUSH implementations") -Cc: stable@vger.kernel.org # 2.6.16+ -Reported-by: kernel test robot -Signed-off-by: Alexander Lobakin -Reviewed-by: Andy Shevchenko -Reviewed-by: Yury Norov -Signed-off-by: Yury Norov -Signed-off-by: Sasha Levin ---- - arch/ia64/include/asm/processor.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/ia64/include/asm/processor.h b/arch/ia64/include/asm/processor.h -index 7cbce290f4e5..757c2f6d8d4b 100644 ---- a/arch/ia64/include/asm/processor.h -+++ b/arch/ia64/include/asm/processor.h -@@ -538,7 +538,7 @@ ia64_get_irr(unsigned int vector) - { - unsigned int reg = vector / 64; - unsigned int bit = vector % 64; -- u64 irr; -+ unsigned long irr; - - switch (reg) { - case 0: irr = ia64_getreg(_IA64_REG_CR_IRR0); break; --- -2.35.1 - diff --git a/queue-5.19/iio-fix-iio_format_avail_range-printing-for-none-iio.patch b/queue-5.19/iio-fix-iio_format_avail_range-printing-for-none-iio.patch deleted file mode 100644 index e95585290eb..00000000000 --- a/queue-5.19/iio-fix-iio_format_avail_range-printing-for-none-iio.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 574bac6c5e4c8f3d6063039b1d9b4d006a170357 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 18 Jul 2022 15:07:06 +0200 -Subject: iio: fix iio_format_avail_range() printing for none IIO_VAL_INT - -From: Fawzi Khaber - -[ Upstream commit 5e1f91850365de55ca74945866c002fda8f00331 ] - -iio_format_avail_range() should print range as follow [min, step, max], so -the function was previously calling iio_format_list() with length = 3, -length variable refers to the array size of values not the number of -elements. In case of non IIO_VAL_INT values each element has integer part -and decimal part. With length = 3 this would cause premature end of loop -and result in printing only one element. - -Signed-off-by: Fawzi Khaber -Signed-off-by: Jean-Baptiste Maneyrol -Fixes: eda20ba1e25e ("iio: core: Consolidate iio_format_avail_{list,range}()") -Link: https://lore.kernel.org/r/20220718130706.32571-1-jmaneyrol@invensense.com -Cc: -Signed-off-by: Jonathan Cameron -Signed-off-by: Sasha Levin ---- - drivers/iio/industrialio-core.c | 18 +++++++++++++++++- - 1 file changed, 17 insertions(+), 1 deletion(-) - -diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c -index adf054c7a75e..299ae3ad2fe5 100644 ---- a/drivers/iio/industrialio-core.c -+++ b/drivers/iio/industrialio-core.c -@@ -835,7 +835,23 @@ static ssize_t iio_format_avail_list(char *buf, const int *vals, - - static ssize_t iio_format_avail_range(char *buf, const int *vals, int type) - { -- return iio_format_list(buf, vals, type, 3, "[", "]"); -+ int length; -+ -+ /* -+ * length refers to the array size , not the number of elements. -+ * The purpose is to print the range [min , step ,max] so length should -+ * be 3 in case of int, and 6 for other types. -+ */ -+ switch (type) { -+ case IIO_VAL_INT: -+ length = 3; -+ break; -+ default: -+ length = 6; -+ break; -+ } -+ -+ return iio_format_list(buf, vals, type, length, "[", "]"); - } - - static ssize_t iio_read_channel_info_avail(struct device *dev, --- -2.35.1 - diff --git a/queue-5.19/iio-light-isl29028-fix-the-warning-in-isl29028_remov.patch b/queue-5.19/iio-light-isl29028-fix-the-warning-in-isl29028_remov.patch deleted file mode 100644 index 1f68a103131..00000000000 --- a/queue-5.19/iio-light-isl29028-fix-the-warning-in-isl29028_remov.patch +++ /dev/null @@ -1,54 +0,0 @@ -From fccda6e8e53e594d0b4589122144a7b6c4fe3c39 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 17 Jul 2022 08:42:41 +0800 -Subject: iio: light: isl29028: Fix the warning in isl29028_remove() - -From: Zheyu Ma - -[ Upstream commit 06674fc7c003b9d0aa1d37fef7ab2c24802cc6ad ] - -The driver use the non-managed form of the register function in -isl29028_remove(). To keep the release order as mirroring the ordering -in probe, the driver should use non-managed form in probe, too. - -The following log reveals it: - -[ 32.374955] isl29028 0-0010: remove -[ 32.376861] general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI -[ 32.377676] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] -[ 32.379432] RIP: 0010:kernfs_find_and_get_ns+0x28/0xe0 -[ 32.385461] Call Trace: -[ 32.385807] sysfs_unmerge_group+0x59/0x110 -[ 32.386110] dpm_sysfs_remove+0x58/0xc0 -[ 32.386391] device_del+0x296/0xe50 -[ 32.386959] cdev_device_del+0x1d/0xd0 -[ 32.387231] devm_iio_device_unreg+0x27/0xb0 -[ 32.387542] devres_release_group+0x319/0x3d0 -[ 32.388162] i2c_device_remove+0x93/0x1f0 - -Fixes: 2db5054ac28d ("staging: iio: isl29028: add runtime power management support") -Signed-off-by: Zheyu Ma -Link: https://lore.kernel.org/r/20220717004241.2281028-1-zheyuma97@gmail.com -Cc: -Signed-off-by: Jonathan Cameron -Signed-off-by: Sasha Levin ---- - drivers/iio/light/isl29028.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/iio/light/isl29028.c b/drivers/iio/light/isl29028.c -index 9de3262aa688..a62787f5d5e7 100644 ---- a/drivers/iio/light/isl29028.c -+++ b/drivers/iio/light/isl29028.c -@@ -625,7 +625,7 @@ static int isl29028_probe(struct i2c_client *client, - ISL29028_POWER_OFF_DELAY_MS); - pm_runtime_use_autosuspend(&client->dev); - -- ret = devm_iio_device_register(indio_dev->dev.parent, indio_dev); -+ ret = iio_device_register(indio_dev); - if (ret < 0) { - dev_err(&client->dev, - "%s(): iio registration failed with error %d\n", --- -2.35.1 - diff --git a/queue-5.19/input-gscps2-check-return-value-of-ioremap-in-gscps2.patch b/queue-5.19/input-gscps2-check-return-value-of-ioremap-in-gscps2.patch deleted file mode 100644 index 5e8358664ef..00000000000 --- a/queue-5.19/input-gscps2-check-return-value-of-ioremap-in-gscps2.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 6983dec2f67e9edf159f000438f316aeb7a36614 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 2 Aug 2022 15:20:33 +0800 -Subject: Input: gscps2 - check return value of ioremap() in gscps2_probe() - -From: Xie Shaowen - -[ Upstream commit e61b3125a4f036b3c6b87ffd656fc1ab00440ae9 ] - -The function ioremap() in gscps2_probe() can fail, so -its return value should be checked. - -Fixes: 4bdc0d676a643 ("remove ioremap_nocache and devm_ioremap_nocache") -Cc: # v5.6+ -Reported-by: Hacash Robot -Signed-off-by: Xie Shaowen -Signed-off-by: Helge Deller -Signed-off-by: Sasha Levin ---- - drivers/input/serio/gscps2.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/input/serio/gscps2.c b/drivers/input/serio/gscps2.c -index a9065c6ab550..da2c67cb8642 100644 ---- a/drivers/input/serio/gscps2.c -+++ b/drivers/input/serio/gscps2.c -@@ -350,6 +350,10 @@ static int __init gscps2_probe(struct parisc_device *dev) - ps2port->port = serio; - ps2port->padev = dev; - ps2port->addr = ioremap(hpa, GSC_STATUS + 4); -+ if (!ps2port->addr) { -+ ret = -ENOMEM; -+ goto fail_nomem; -+ } - spin_lock_init(&ps2port->lock); - - gscps2_reset(ps2port); --- -2.35.1 - diff --git a/queue-5.19/intel_th-pci-add-meteor-lake-p-support.patch b/queue-5.19/intel_th-pci-add-meteor-lake-p-support.patch index e9ee9f2e027..874660271b9 100644 --- a/queue-5.19/intel_th-pci-add-meteor-lake-p-support.patch +++ b/queue-5.19/intel_th-pci-add-meteor-lake-p-support.patch @@ -16,25 +16,20 @@ Link: https://lore.kernel.org/r/20220705082637.59979-5-alexander.shishkin@linux. Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- - drivers/hwtracing/intel_th/pci.c | 5 +++++ + drivers/hwtracing/intel_th/pci.c | 5 +++++ 1 file changed, 5 insertions(+) -diff --git a/drivers/hwtracing/intel_th/pci.c b/drivers/hwtracing/intel_th/pci.c -index 7da4f298ed01..f432a772571b 100644 --- a/drivers/hwtracing/intel_th/pci.c +++ b/drivers/hwtracing/intel_th/pci.c -@@ -278,6 +278,11 @@ static const struct pci_device_id intel_th_pci_id_table[] = { - PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x54a6), +@@ -285,6 +285,11 @@ static const struct pci_device_id intel_ .driver_data = (kernel_ulong_t)&intel_th_2x, }, -+ { + { + /* Meteor Lake-P */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x7e24), + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, - { ++ { /* Alder Lake CPU */ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x466f), --- -2.35.1 - + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-5.19/intel_th-pci-add-raptor-lake-s-cpu-support.patch b/queue-5.19/intel_th-pci-add-raptor-lake-s-cpu-support.patch index 2d28f2081bc..b6ab529b38a 100644 --- a/queue-5.19/intel_th-pci-add-raptor-lake-s-cpu-support.patch +++ b/queue-5.19/intel_th-pci-add-raptor-lake-s-cpu-support.patch @@ -16,25 +16,20 @@ Link: https://lore.kernel.org/r/20220705082637.59979-7-alexander.shishkin@linux. Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- - drivers/hwtracing/intel_th/pci.c | 5 +++++ + drivers/hwtracing/intel_th/pci.c | 5 +++++ 1 file changed, 5 insertions(+) -diff --git a/drivers/hwtracing/intel_th/pci.c b/drivers/hwtracing/intel_th/pci.c -index ff034eac7c7b..2f450e6ce4a8 100644 --- a/drivers/hwtracing/intel_th/pci.c +++ b/drivers/hwtracing/intel_th/pci.c -@@ -288,6 +288,11 @@ static const struct pci_device_id intel_th_pci_id_table[] = { - PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x7a26), +@@ -295,6 +295,11 @@ static const struct pci_device_id intel_ .driver_data = (kernel_ulong_t)&intel_th_2x, }, -+ { + { + /* Raptor Lake-S CPU */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa76f), + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, - { ++ { /* Alder Lake CPU */ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x466f), --- -2.35.1 - + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-5.19/intel_th-pci-add-raptor-lake-s-pch-support.patch b/queue-5.19/intel_th-pci-add-raptor-lake-s-pch-support.patch index 4b55e04c52b..9f049a1f6e7 100644 --- a/queue-5.19/intel_th-pci-add-raptor-lake-s-pch-support.patch +++ b/queue-5.19/intel_th-pci-add-raptor-lake-s-pch-support.patch @@ -16,25 +16,20 @@ Link: https://lore.kernel.org/r/20220705082637.59979-6-alexander.shishkin@linux. Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- - drivers/hwtracing/intel_th/pci.c | 5 +++++ + drivers/hwtracing/intel_th/pci.c | 5 +++++ 1 file changed, 5 insertions(+) -diff --git a/drivers/hwtracing/intel_th/pci.c b/drivers/hwtracing/intel_th/pci.c -index f432a772571b..ff034eac7c7b 100644 --- a/drivers/hwtracing/intel_th/pci.c +++ b/drivers/hwtracing/intel_th/pci.c -@@ -283,6 +283,11 @@ static const struct pci_device_id intel_th_pci_id_table[] = { - PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x7e24), +@@ -290,6 +290,11 @@ static const struct pci_device_id intel_ .driver_data = (kernel_ulong_t)&intel_th_2x, }, -+ { + { + /* Raptor Lake-S */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x7a26), + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, - { ++ { /* Alder Lake CPU */ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x466f), --- -2.35.1 - + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-5.19/ksmbd-fix-heap-based-overflow-in-set_ntacl_dacl.patch-15594 b/queue-5.19/ksmbd-fix-heap-based-overflow-in-set_ntacl_dacl.patch-15594 deleted file mode 100644 index 4785f008b54..00000000000 --- a/queue-5.19/ksmbd-fix-heap-based-overflow-in-set_ntacl_dacl.patch-15594 +++ /dev/null @@ -1,441 +0,0 @@ -From 9bf4a78ad07955391a1bcea5c8192e58c1385198 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 2 Aug 2022 07:28:51 +0900 -Subject: ksmbd: fix heap-based overflow in set_ntacl_dacl() - -From: Namjae Jeon - -[ Upstream commit 8f0541186e9ad1b62accc9519cc2b7a7240272a7 ] - -The testcase use SMB2_SET_INFO_HE command to set a malformed file attribute -under the label `security.NTACL`. SMB2_QUERY_INFO_HE command in testcase -trigger the following overflow. - -[ 4712.003781] ================================================================== -[ 4712.003790] BUG: KASAN: slab-out-of-bounds in build_sec_desc+0x842/0x1dd0 [ksmbd] -[ 4712.003807] Write of size 1060 at addr ffff88801e34c068 by task kworker/0:0/4190 - -[ 4712.003813] CPU: 0 PID: 4190 Comm: kworker/0:0 Not tainted 5.19.0-rc5 #1 -[ 4712.003850] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] -[ 4712.003867] Call Trace: -[ 4712.003870] -[ 4712.003873] dump_stack_lvl+0x49/0x5f -[ 4712.003935] print_report.cold+0x5e/0x5cf -[ 4712.003972] ? ksmbd_vfs_get_sd_xattr+0x16d/0x500 [ksmbd] -[ 4712.003984] ? cmp_map_id+0x200/0x200 -[ 4712.003988] ? build_sec_desc+0x842/0x1dd0 [ksmbd] -[ 4712.004000] kasan_report+0xaa/0x120 -[ 4712.004045] ? build_sec_desc+0x842/0x1dd0 [ksmbd] -[ 4712.004056] kasan_check_range+0x100/0x1e0 -[ 4712.004060] memcpy+0x3c/0x60 -[ 4712.004064] build_sec_desc+0x842/0x1dd0 [ksmbd] -[ 4712.004076] ? parse_sec_desc+0x580/0x580 [ksmbd] -[ 4712.004088] ? ksmbd_acls_fattr+0x281/0x410 [ksmbd] -[ 4712.004099] smb2_query_info+0xa8f/0x6110 [ksmbd] -[ 4712.004111] ? psi_group_change+0x856/0xd70 -[ 4712.004148] ? update_load_avg+0x1c3/0x1af0 -[ 4712.004152] ? asym_cpu_capacity_scan+0x5d0/0x5d0 -[ 4712.004157] ? xas_load+0x23/0x300 -[ 4712.004162] ? smb2_query_dir+0x1530/0x1530 [ksmbd] -[ 4712.004173] ? _raw_spin_lock_bh+0xe0/0xe0 -[ 4712.004179] handle_ksmbd_work+0x30e/0x1020 [ksmbd] -[ 4712.004192] process_one_work+0x778/0x11c0 -[ 4712.004227] ? _raw_spin_lock_irq+0x8e/0xe0 -[ 4712.004231] worker_thread+0x544/0x1180 -[ 4712.004234] ? __cpuidle_text_end+0x4/0x4 -[ 4712.004239] kthread+0x282/0x320 -[ 4712.004243] ? process_one_work+0x11c0/0x11c0 -[ 4712.004246] ? kthread_complete_and_exit+0x30/0x30 -[ 4712.004282] ret_from_fork+0x1f/0x30 - -This patch add the buffer validation for security descriptor that is -stored by malformed SMB2_SET_INFO_HE command. and allocate large -response buffer about SMB2_O_INFO_SECURITY file info class. - -Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") -Cc: stable@vger.kernel.org -Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17771 -Reviewed-by: Hyunchul Lee -Signed-off-by: Namjae Jeon -Signed-off-by: Steve French -Signed-off-by: Sasha Levin ---- - fs/ksmbd/smb2pdu.c | 39 +++++++++----- - fs/ksmbd/smbacl.c | 130 ++++++++++++++++++++++++++++++--------------- - fs/ksmbd/smbacl.h | 2 +- - fs/ksmbd/vfs.c | 5 ++ - 4 files changed, 119 insertions(+), 57 deletions(-) - -diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c -index 54aaf9014136..a9c33d15ca1f 100644 ---- a/fs/ksmbd/smb2pdu.c -+++ b/fs/ksmbd/smb2pdu.c -@@ -535,9 +535,10 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work) - struct smb2_query_info_req *req; - - req = smb2_get_msg(work->request_buf); -- if (req->InfoType == SMB2_O_INFO_FILE && -- (req->FileInfoClass == FILE_FULL_EA_INFORMATION || -- req->FileInfoClass == FILE_ALL_INFORMATION)) -+ if ((req->InfoType == SMB2_O_INFO_FILE && -+ (req->FileInfoClass == FILE_FULL_EA_INFORMATION || -+ req->FileInfoClass == FILE_ALL_INFORMATION)) || -+ req->InfoType == SMB2_O_INFO_SECURITY) - sz = large_sz; - } - -@@ -2974,7 +2975,7 @@ int smb2_open(struct ksmbd_work *work) - goto err_out; - - rc = build_sec_desc(user_ns, -- pntsd, NULL, -+ pntsd, NULL, 0, - OWNER_SECINFO | - GROUP_SECINFO | - DACL_SECINFO, -@@ -3819,6 +3820,15 @@ static int verify_info_level(int info_level) - return 0; - } - -+static int smb2_resp_buf_len(struct ksmbd_work *work, unsigned short hdr2_len) -+{ -+ int free_len; -+ -+ free_len = (int)(work->response_sz - -+ (get_rfc1002_len(work->response_buf) + 4)) - hdr2_len; -+ return free_len; -+} -+ - static int smb2_calc_max_out_buf_len(struct ksmbd_work *work, - unsigned short hdr2_len, - unsigned int out_buf_len) -@@ -3828,9 +3838,7 @@ static int smb2_calc_max_out_buf_len(struct ksmbd_work *work, - if (out_buf_len > work->conn->vals->max_trans_size) - return -EINVAL; - -- free_len = (int)(work->response_sz - -- (get_rfc1002_len(work->response_buf) + 4)) - -- hdr2_len; -+ free_len = smb2_resp_buf_len(work, hdr2_len); - if (free_len < 0) - return -EINVAL; - -@@ -5093,10 +5101,10 @@ static int smb2_get_info_sec(struct ksmbd_work *work, - struct smb_ntsd *pntsd = (struct smb_ntsd *)rsp->Buffer, *ppntsd = NULL; - struct smb_fattr fattr = {{0}}; - struct inode *inode; -- __u32 secdesclen; -+ __u32 secdesclen = 0; - unsigned int id = KSMBD_NO_FID, pid = KSMBD_NO_FID; - int addition_info = le32_to_cpu(req->AdditionalInformation); -- int rc; -+ int rc = 0, ppntsd_size = 0; - - if (addition_info & ~(OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO | - PROTECTED_DACL_SECINFO | -@@ -5142,11 +5150,14 @@ static int smb2_get_info_sec(struct ksmbd_work *work, - - if (test_share_config_flag(work->tcon->share_conf, - KSMBD_SHARE_FLAG_ACL_XATTR)) -- ksmbd_vfs_get_sd_xattr(work->conn, user_ns, -- fp->filp->f_path.dentry, &ppntsd); -- -- rc = build_sec_desc(user_ns, pntsd, ppntsd, addition_info, -- &secdesclen, &fattr); -+ ppntsd_size = ksmbd_vfs_get_sd_xattr(work->conn, user_ns, -+ fp->filp->f_path.dentry, -+ &ppntsd); -+ -+ /* Check if sd buffer size exceeds response buffer size */ -+ if (smb2_resp_buf_len(work, 8) > ppntsd_size) -+ rc = build_sec_desc(user_ns, pntsd, ppntsd, ppntsd_size, -+ addition_info, &secdesclen, &fattr); - posix_acl_release(fattr.cf_acls); - posix_acl_release(fattr.cf_dacls); - kfree(ppntsd); -diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c -index 38f23bf981ac..3781bca2c8fc 100644 ---- a/fs/ksmbd/smbacl.c -+++ b/fs/ksmbd/smbacl.c -@@ -690,6 +690,7 @@ static void set_posix_acl_entries_dacl(struct user_namespace *user_ns, - static void set_ntacl_dacl(struct user_namespace *user_ns, - struct smb_acl *pndacl, - struct smb_acl *nt_dacl, -+ unsigned int aces_size, - const struct smb_sid *pownersid, - const struct smb_sid *pgrpsid, - struct smb_fattr *fattr) -@@ -703,9 +704,19 @@ static void set_ntacl_dacl(struct user_namespace *user_ns, - if (nt_num_aces) { - ntace = (struct smb_ace *)((char *)nt_dacl + sizeof(struct smb_acl)); - for (i = 0; i < nt_num_aces; i++) { -- memcpy((char *)pndace + size, ntace, le16_to_cpu(ntace->size)); -- size += le16_to_cpu(ntace->size); -- ntace = (struct smb_ace *)((char *)ntace + le16_to_cpu(ntace->size)); -+ unsigned short nt_ace_size; -+ -+ if (offsetof(struct smb_ace, access_req) > aces_size) -+ break; -+ -+ nt_ace_size = le16_to_cpu(ntace->size); -+ if (nt_ace_size > aces_size) -+ break; -+ -+ memcpy((char *)pndace + size, ntace, nt_ace_size); -+ size += nt_ace_size; -+ aces_size -= nt_ace_size; -+ ntace = (struct smb_ace *)((char *)ntace + nt_ace_size); - num_aces++; - } - } -@@ -878,7 +889,7 @@ int parse_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd, - /* Convert permission bits from mode to equivalent CIFS ACL */ - int build_sec_desc(struct user_namespace *user_ns, - struct smb_ntsd *pntsd, struct smb_ntsd *ppntsd, -- int addition_info, __u32 *secdesclen, -+ int ppntsd_size, int addition_info, __u32 *secdesclen, - struct smb_fattr *fattr) - { - int rc = 0; -@@ -938,15 +949,25 @@ int build_sec_desc(struct user_namespace *user_ns, - - if (!ppntsd) { - set_mode_dacl(user_ns, dacl_ptr, fattr); -- } else if (!ppntsd->dacloffset) { -- goto out; - } else { - struct smb_acl *ppdacl_ptr; -+ unsigned int dacl_offset = le32_to_cpu(ppntsd->dacloffset); -+ int ppdacl_size, ntacl_size = ppntsd_size - dacl_offset; -+ -+ if (!dacl_offset || -+ (dacl_offset + sizeof(struct smb_acl) > ppntsd_size)) -+ goto out; -+ -+ ppdacl_ptr = (struct smb_acl *)((char *)ppntsd + dacl_offset); -+ ppdacl_size = le16_to_cpu(ppdacl_ptr->size); -+ if (ppdacl_size > ntacl_size || -+ ppdacl_size < sizeof(struct smb_acl)) -+ goto out; - -- ppdacl_ptr = (struct smb_acl *)((char *)ppntsd + -- le32_to_cpu(ppntsd->dacloffset)); - set_ntacl_dacl(user_ns, dacl_ptr, ppdacl_ptr, -- nowner_sid_ptr, ngroup_sid_ptr, fattr); -+ ntacl_size - sizeof(struct smb_acl), -+ nowner_sid_ptr, ngroup_sid_ptr, -+ fattr); - } - pntsd->dacloffset = cpu_to_le32(offset); - offset += le16_to_cpu(dacl_ptr->size); -@@ -980,24 +1001,31 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, - struct smb_sid owner_sid, group_sid; - struct dentry *parent = path->dentry->d_parent; - struct user_namespace *user_ns = mnt_user_ns(path->mnt); -- int inherited_flags = 0, flags = 0, i, ace_cnt = 0, nt_size = 0; -- int rc = 0, num_aces, dacloffset, pntsd_type, acl_len; -+ int inherited_flags = 0, flags = 0, i, ace_cnt = 0, nt_size = 0, pdacl_size; -+ int rc = 0, num_aces, dacloffset, pntsd_type, pntsd_size, acl_len, aces_size; - char *aces_base; - bool is_dir = S_ISDIR(d_inode(path->dentry)->i_mode); - -- acl_len = ksmbd_vfs_get_sd_xattr(conn, user_ns, -- parent, &parent_pntsd); -- if (acl_len <= 0) -+ pntsd_size = ksmbd_vfs_get_sd_xattr(conn, user_ns, -+ parent, &parent_pntsd); -+ if (pntsd_size <= 0) - return -ENOENT; - dacloffset = le32_to_cpu(parent_pntsd->dacloffset); -- if (!dacloffset) { -+ if (!dacloffset || (dacloffset + sizeof(struct smb_acl) > pntsd_size)) { - rc = -EINVAL; - goto free_parent_pntsd; - } - - parent_pdacl = (struct smb_acl *)((char *)parent_pntsd + dacloffset); -+ acl_len = pntsd_size - dacloffset; - num_aces = le32_to_cpu(parent_pdacl->num_aces); - pntsd_type = le16_to_cpu(parent_pntsd->type); -+ pdacl_size = le16_to_cpu(parent_pdacl->size); -+ -+ if (pdacl_size > acl_len || pdacl_size < sizeof(struct smb_acl)) { -+ rc = -EINVAL; -+ goto free_parent_pntsd; -+ } - - aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, GFP_KERNEL); - if (!aces_base) { -@@ -1008,11 +1036,23 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, - aces = (struct smb_ace *)aces_base; - parent_aces = (struct smb_ace *)((char *)parent_pdacl + - sizeof(struct smb_acl)); -+ aces_size = acl_len - sizeof(struct smb_acl); - - if (pntsd_type & DACL_AUTO_INHERITED) - inherited_flags = INHERITED_ACE; - - for (i = 0; i < num_aces; i++) { -+ int pace_size; -+ -+ if (offsetof(struct smb_ace, access_req) > aces_size) -+ break; -+ -+ pace_size = le16_to_cpu(parent_aces->size); -+ if (pace_size > aces_size) -+ break; -+ -+ aces_size -= pace_size; -+ - flags = parent_aces->flags; - if (!smb_inherit_flags(flags, is_dir)) - goto pass; -@@ -1057,8 +1097,7 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, - aces = (struct smb_ace *)((char *)aces + le16_to_cpu(aces->size)); - ace_cnt++; - pass: -- parent_aces = -- (struct smb_ace *)((char *)parent_aces + le16_to_cpu(parent_aces->size)); -+ parent_aces = (struct smb_ace *)((char *)parent_aces + pace_size); - } - - if (nt_size > 0) { -@@ -1153,7 +1192,7 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path, - struct smb_ntsd *pntsd = NULL; - struct smb_acl *pdacl; - struct posix_acl *posix_acls; -- int rc = 0, acl_size; -+ int rc = 0, pntsd_size, acl_size, aces_size, pdacl_size, dacl_offset; - struct smb_sid sid; - int granted = le32_to_cpu(*pdaccess & ~FILE_MAXIMAL_ACCESS_LE); - struct smb_ace *ace; -@@ -1162,37 +1201,33 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path, - struct smb_ace *others_ace = NULL; - struct posix_acl_entry *pa_entry; - unsigned int sid_type = SIDOWNER; -- char *end_of_acl; -+ unsigned short ace_size; - - ksmbd_debug(SMB, "check permission using windows acl\n"); -- acl_size = ksmbd_vfs_get_sd_xattr(conn, user_ns, -- path->dentry, &pntsd); -- if (acl_size <= 0 || !pntsd || !pntsd->dacloffset) { -- kfree(pntsd); -- return 0; -- } -+ pntsd_size = ksmbd_vfs_get_sd_xattr(conn, user_ns, -+ path->dentry, &pntsd); -+ if (pntsd_size <= 0 || !pntsd) -+ goto err_out; -+ -+ dacl_offset = le32_to_cpu(pntsd->dacloffset); -+ if (!dacl_offset || -+ (dacl_offset + sizeof(struct smb_acl) > pntsd_size)) -+ goto err_out; - - pdacl = (struct smb_acl *)((char *)pntsd + le32_to_cpu(pntsd->dacloffset)); -- end_of_acl = ((char *)pntsd) + acl_size; -- if (end_of_acl <= (char *)pdacl) { -- kfree(pntsd); -- return 0; -- } -+ acl_size = pntsd_size - dacl_offset; -+ pdacl_size = le16_to_cpu(pdacl->size); - -- if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size) || -- le16_to_cpu(pdacl->size) < sizeof(struct smb_acl)) { -- kfree(pntsd); -- return 0; -- } -+ if (pdacl_size > acl_size || pdacl_size < sizeof(struct smb_acl)) -+ goto err_out; - - if (!pdacl->num_aces) { -- if (!(le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) && -+ if (!(pdacl_size - sizeof(struct smb_acl)) && - *pdaccess & ~(FILE_READ_CONTROL_LE | FILE_WRITE_DAC_LE)) { - rc = -EACCES; - goto err_out; - } -- kfree(pntsd); -- return 0; -+ goto err_out; - } - - if (*pdaccess & FILE_MAXIMAL_ACCESS_LE) { -@@ -1200,11 +1235,16 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path, - DELETE; - - ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl)); -+ aces_size = acl_size - sizeof(struct smb_acl); - for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) { -+ if (offsetof(struct smb_ace, access_req) > aces_size) -+ break; -+ ace_size = le16_to_cpu(ace->size); -+ if (ace_size > aces_size) -+ break; -+ aces_size -= ace_size; - granted |= le32_to_cpu(ace->access_req); - ace = (struct smb_ace *)((char *)ace + le16_to_cpu(ace->size)); -- if (end_of_acl < (char *)ace) -- goto err_out; - } - - if (!pdacl->num_aces) -@@ -1216,7 +1256,15 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path, - id_to_sid(uid, sid_type, &sid); - - ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl)); -+ aces_size = acl_size - sizeof(struct smb_acl); - for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) { -+ if (offsetof(struct smb_ace, access_req) > aces_size) -+ break; -+ ace_size = le16_to_cpu(ace->size); -+ if (ace_size > aces_size) -+ break; -+ aces_size -= ace_size; -+ - if (!compare_sids(&sid, &ace->sid) || - !compare_sids(&sid_unix_NFS_mode, &ace->sid)) { - found = 1; -@@ -1226,8 +1274,6 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path, - others_ace = ace; - - ace = (struct smb_ace *)((char *)ace + le16_to_cpu(ace->size)); -- if (end_of_acl < (char *)ace) -- goto err_out; - } - - if (*pdaccess & FILE_MAXIMAL_ACCESS_LE && found) { -diff --git a/fs/ksmbd/smbacl.h b/fs/ksmbd/smbacl.h -index 811af3309429..fcb2c83f2992 100644 ---- a/fs/ksmbd/smbacl.h -+++ b/fs/ksmbd/smbacl.h -@@ -193,7 +193,7 @@ struct posix_acl_state { - int parse_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd, - int acl_len, struct smb_fattr *fattr); - int build_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd, -- struct smb_ntsd *ppntsd, int addition_info, -+ struct smb_ntsd *ppntsd, int ppntsd_size, int addition_info, - __u32 *secdesclen, struct smb_fattr *fattr); - int init_acl_state(struct posix_acl_state *state, int cnt); - void free_acl_state(struct posix_acl_state *state); -diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c -index 05efcdf7a4a7..201962f03772 100644 ---- a/fs/ksmbd/vfs.c -+++ b/fs/ksmbd/vfs.c -@@ -1540,6 +1540,11 @@ int ksmbd_vfs_get_sd_xattr(struct ksmbd_conn *conn, - } - - *pntsd = acl.sd_buf; -+ if (acl.sd_size < sizeof(struct smb_ntsd)) { -+ pr_err("sd size is invalid\n"); -+ goto out_free; -+ } -+ - (*pntsd)->osidoffset = cpu_to_le32(le32_to_cpu((*pntsd)->osidoffset) - - NDR_NTSD_OFFSETOF); - (*pntsd)->gsidoffset = cpu_to_le32(le32_to_cpu((*pntsd)->gsidoffset) - --- -2.35.1 - diff --git a/queue-5.19/ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch-5672 b/queue-5.19/ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch-5672 deleted file mode 100644 index 7d1aa6fdc67..00000000000 --- a/queue-5.19/ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch-5672 +++ /dev/null @@ -1,47 +0,0 @@ -From 1aee2ce6d6f534f164521c98e4804bd102190706 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 28 Jul 2022 21:56:19 +0900 -Subject: ksmbd: fix memory leak in smb2_handle_negotiate - -From: Namjae Jeon - -[ Upstream commit aa7253c2393f6dcd6a1468b0792f6da76edad917 ] - -The allocated memory didn't free under an error -path in smb2_handle_negotiate(). - -Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") -Cc: stable@vger.kernel.org -Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17815 -Signed-off-by: Namjae Jeon -Reviewed-by: Hyunchul Lee -Signed-off-by: Steve French -Signed-off-by: Sasha Levin ---- - fs/ksmbd/smb2pdu.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c -index 353f047e783c..a06dad0d1bb7 100644 ---- a/fs/ksmbd/smb2pdu.c -+++ b/fs/ksmbd/smb2pdu.c -@@ -1139,12 +1139,16 @@ int smb2_handle_negotiate(struct ksmbd_work *work) - status); - rsp->hdr.Status = status; - rc = -EINVAL; -+ kfree(conn->preauth_info); -+ conn->preauth_info = NULL; - goto err_out; - } - - rc = init_smb3_11_server(conn); - if (rc < 0) { - rsp->hdr.Status = STATUS_INVALID_PARAMETER; -+ kfree(conn->preauth_info); -+ conn->preauth_info = NULL; - goto err_out; - } - --- -2.35.1 - diff --git a/queue-5.19/ksmbd-fix-use-after-free-bug-in-smb2_tree_disconect.patch-30412 b/queue-5.19/ksmbd-fix-use-after-free-bug-in-smb2_tree_disconect.patch-30412 deleted file mode 100644 index 27652025411..00000000000 --- a/queue-5.19/ksmbd-fix-use-after-free-bug-in-smb2_tree_disconect.patch-30412 +++ /dev/null @@ -1,64 +0,0 @@ -From 0fd5c7331b0c3cb35bf6512187a54dae4e16631f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 28 Jul 2022 21:57:08 +0900 -Subject: ksmbd: fix use-after-free bug in smb2_tree_disconect - -From: Namjae Jeon - -[ Upstream commit cf6531d98190fa2cf92a6d8bbc8af0a4740a223c ] - -smb2_tree_disconnect() freed the struct ksmbd_tree_connect, -but it left the dangling pointer. It can be accessed -again under compound requests. - -This bug can lead an oops looking something link: - -[ 1685.468014 ] BUG: KASAN: use-after-free in ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd] -[ 1685.468068 ] Read of size 4 at addr ffff888102172180 by task kworker/1:2/4807 -... -[ 1685.468130 ] Call Trace: -[ 1685.468132 ] -[ 1685.468135 ] dump_stack_lvl+0x49/0x5f -[ 1685.468141 ] print_report.cold+0x5e/0x5cf -[ 1685.468145 ] ? ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd] -[ 1685.468157 ] kasan_report+0xaa/0x120 -[ 1685.468194 ] ? ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd] -[ 1685.468206 ] __asan_report_load4_noabort+0x14/0x20 -[ 1685.468210 ] ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd] -[ 1685.468222 ] smb2_tree_disconnect+0x175/0x250 [ksmbd] -[ 1685.468235 ] handle_ksmbd_work+0x30e/0x1020 [ksmbd] -[ 1685.468247 ] process_one_work+0x778/0x11c0 -[ 1685.468251 ] ? _raw_spin_lock_irq+0x8e/0xe0 -[ 1685.468289 ] worker_thread+0x544/0x1180 -[ 1685.468293 ] ? __cpuidle_text_end+0x4/0x4 -[ 1685.468297 ] kthread+0x282/0x320 -[ 1685.468301 ] ? process_one_work+0x11c0/0x11c0 -[ 1685.468305 ] ? kthread_complete_and_exit+0x30/0x30 -[ 1685.468309 ] ret_from_fork+0x1f/0x30 - -Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") -Cc: stable@vger.kernel.org -Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17816 -Signed-off-by: Namjae Jeon -Reviewed-by: Hyunchul Lee -Signed-off-by: Steve French -Signed-off-by: Sasha Levin ---- - fs/ksmbd/smb2pdu.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c -index a06dad0d1bb7..b5835e78a325 100644 ---- a/fs/ksmbd/smb2pdu.c -+++ b/fs/ksmbd/smb2pdu.c -@@ -2043,6 +2043,7 @@ int smb2_tree_disconnect(struct ksmbd_work *work) - - ksmbd_close_tree_conn_fds(work); - ksmbd_tree_conn_disconnect(sess, tcon); -+ work->tcon = NULL; - return 0; - } - --- -2.35.1 - diff --git a/queue-5.19/ksmbd-prevent-out-of-bound-read-for-smb2_tree_connne.patch b/queue-5.19/ksmbd-prevent-out-of-bound-read-for-smb2_tree_connne.patch deleted file mode 100644 index 2dd061c2dd3..00000000000 --- a/queue-5.19/ksmbd-prevent-out-of-bound-read-for-smb2_tree_connne.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 03cee3ff6652e9af63d94336023f871553f60b74 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 28 Jul 2022 21:58:53 +0900 -Subject: ksmbd: prevent out of bound read for SMB2_TREE_CONNNECT - -From: Hyunchul Lee - -[ Upstream commit 824d4f64c20093275f72fc8101394d75ff6a249e ] - -if Status is not 0 and PathLength is long, -smb_strndup_from_utf16 could make out of bound -read in smb2_tree_connnect. - -This bug can lead an oops looking something like: - -[ 1553.882047] BUG: KASAN: slab-out-of-bounds in smb_strndup_from_utf16+0x469/0x4c0 [ksmbd] -[ 1553.882064] Read of size 2 at addr ffff88802c4eda04 by task kworker/0:2/42805 -... -[ 1553.882095] Call Trace: -[ 1553.882098] -[ 1553.882101] dump_stack_lvl+0x49/0x5f -[ 1553.882107] print_report.cold+0x5e/0x5cf -[ 1553.882112] ? smb_strndup_from_utf16+0x469/0x4c0 [ksmbd] -[ 1553.882122] kasan_report+0xaa/0x120 -[ 1553.882128] ? smb_strndup_from_utf16+0x469/0x4c0 [ksmbd] -[ 1553.882139] __asan_report_load_n_noabort+0xf/0x20 -[ 1553.882143] smb_strndup_from_utf16+0x469/0x4c0 [ksmbd] -[ 1553.882155] ? smb_strtoUTF16+0x3b0/0x3b0 [ksmbd] -[ 1553.882166] ? __kmalloc_node+0x185/0x430 -[ 1553.882171] smb2_tree_connect+0x140/0xab0 [ksmbd] -[ 1553.882185] handle_ksmbd_work+0x30e/0x1020 [ksmbd] -[ 1553.882197] process_one_work+0x778/0x11c0 -[ 1553.882201] ? _raw_spin_lock_irq+0x8e/0xe0 -[ 1553.882206] worker_thread+0x544/0x1180 -[ 1553.882209] ? __cpuidle_text_end+0x4/0x4 -[ 1553.882214] kthread+0x282/0x320 -[ 1553.882218] ? process_one_work+0x11c0/0x11c0 -[ 1553.882221] ? kthread_complete_and_exit+0x30/0x30 -[ 1553.882225] ret_from_fork+0x1f/0x30 -[ 1553.882231] - -There is no need to check error request validation in server. -This check allow invalid requests not to validate message. - -Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") -Cc: stable@vger.kernel.org -Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17818 -Signed-off-by: Hyunchul Lee -Acked-by: Namjae Jeon -Signed-off-by: Steve French -Signed-off-by: Sasha Levin ---- - fs/ksmbd/smb2misc.c | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c -index aa1e663d9deb..6e25ace36568 100644 ---- a/fs/ksmbd/smb2misc.c -+++ b/fs/ksmbd/smb2misc.c -@@ -90,11 +90,6 @@ static int smb2_get_data_area_len(unsigned int *off, unsigned int *len, - *off = 0; - *len = 0; - -- /* error reqeusts do not have data area */ -- if (hdr->Status && hdr->Status != STATUS_MORE_PROCESSING_REQUIRED && -- (((struct smb2_err_rsp *)hdr)->StructureSize) == SMB2_ERROR_STRUCTURE_SIZE2_LE) -- return ret; -- - /* - * Following commands have data areas so we have to get the location - * of the data buffer offset and data buffer length for the particular --- -2.35.1 - diff --git a/queue-5.19/ksmbd-prevent-out-of-bound-read-for-smb2_write.patch-20867 b/queue-5.19/ksmbd-prevent-out-of-bound-read-for-smb2_write.patch-20867 deleted file mode 100644 index 0b95033053a..00000000000 --- a/queue-5.19/ksmbd-prevent-out-of-bound-read-for-smb2_write.patch-20867 +++ /dev/null @@ -1,128 +0,0 @@ -From 40b114a8b3385152b4e63c017bc73d910d2556dc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 28 Jul 2022 23:41:51 +0900 -Subject: ksmbd: prevent out of bound read for SMB2_WRITE - -From: Hyunchul Lee - -[ Upstream commit ac60778b87e45576d7bfdbd6f53df902654e6f09 ] - -OOB read memory can be written to a file, -if DataOffset is 0 and Length is too large -in SMB2_WRITE request of compound request. - -To prevent this, when checking the length of -the data area of SMB2_WRITE in smb2_get_data_area_len(), -let the minimum of DataOffset be the size of -SMB2 header + the size of SMB2_WRITE header. - -This bug can lead an oops looking something like: - -[ 798.008715] BUG: KASAN: slab-out-of-bounds in copy_page_from_iter_atomic+0xd3d/0x14b0 -[ 798.008724] Read of size 252 at addr ffff88800f863e90 by task kworker/0:2/2859 -... -[ 798.008754] Call Trace: -[ 798.008756] -[ 798.008759] dump_stack_lvl+0x49/0x5f -[ 798.008764] print_report.cold+0x5e/0x5cf -[ 798.008768] ? __filemap_get_folio+0x285/0x6d0 -[ 798.008774] ? copy_page_from_iter_atomic+0xd3d/0x14b0 -[ 798.008777] kasan_report+0xaa/0x120 -[ 798.008781] ? copy_page_from_iter_atomic+0xd3d/0x14b0 -[ 798.008784] kasan_check_range+0x100/0x1e0 -[ 798.008788] memcpy+0x24/0x60 -[ 798.008792] copy_page_from_iter_atomic+0xd3d/0x14b0 -[ 798.008795] ? pagecache_get_page+0x53/0x160 -[ 798.008799] ? iov_iter_get_pages_alloc+0x1590/0x1590 -[ 798.008803] ? ext4_write_begin+0xfc0/0xfc0 -[ 798.008807] ? current_time+0x72/0x210 -[ 798.008811] generic_perform_write+0x2c8/0x530 -[ 798.008816] ? filemap_fdatawrite_wbc+0x180/0x180 -[ 798.008820] ? down_write+0xb4/0x120 -[ 798.008824] ? down_write_killable+0x130/0x130 -[ 798.008829] ext4_buffered_write_iter+0x137/0x2c0 -[ 798.008833] ext4_file_write_iter+0x40b/0x1490 -[ 798.008837] ? __fsnotify_parent+0x275/0xb20 -[ 798.008842] ? __fsnotify_update_child_dentry_flags+0x2c0/0x2c0 -[ 798.008846] ? ext4_buffered_write_iter+0x2c0/0x2c0 -[ 798.008851] __kernel_write+0x3a1/0xa70 -[ 798.008855] ? __x64_sys_preadv2+0x160/0x160 -[ 798.008860] ? security_file_permission+0x4a/0xa0 -[ 798.008865] kernel_write+0xbb/0x360 -[ 798.008869] ksmbd_vfs_write+0x27e/0xb90 [ksmbd] -[ 798.008881] ? ksmbd_vfs_read+0x830/0x830 [ksmbd] -[ 798.008892] ? _raw_read_unlock+0x2a/0x50 -[ 798.008896] smb2_write+0xb45/0x14e0 [ksmbd] -[ 798.008909] ? __kasan_check_write+0x14/0x20 -[ 798.008912] ? _raw_spin_lock_bh+0xd0/0xe0 -[ 798.008916] ? smb2_read+0x15e0/0x15e0 [ksmbd] -[ 798.008927] ? memcpy+0x4e/0x60 -[ 798.008931] ? _raw_spin_unlock+0x19/0x30 -[ 798.008934] ? ksmbd_smb2_check_message+0x16af/0x2350 [ksmbd] -[ 798.008946] ? _raw_spin_lock_bh+0xe0/0xe0 -[ 798.008950] handle_ksmbd_work+0x30e/0x1020 [ksmbd] -[ 798.008962] process_one_work+0x778/0x11c0 -[ 798.008966] ? _raw_spin_lock_irq+0x8e/0xe0 -[ 798.008970] worker_thread+0x544/0x1180 -[ 798.008973] ? __cpuidle_text_end+0x4/0x4 -[ 798.008977] kthread+0x282/0x320 -[ 798.008982] ? process_one_work+0x11c0/0x11c0 -[ 798.008985] ? kthread_complete_and_exit+0x30/0x30 -[ 798.008989] ret_from_fork+0x1f/0x30 -[ 798.008995] - -Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") -Cc: stable@vger.kernel.org -Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17817 -Signed-off-by: Hyunchul Lee -Acked-by: Namjae Jeon -Signed-off-by: Steve French -Signed-off-by: Sasha Levin ---- - fs/ksmbd/smb2misc.c | 7 +++++-- - fs/ksmbd/smb2pdu.c | 8 +++----- - 2 files changed, 8 insertions(+), 7 deletions(-) - -diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c -index f8f456377a51..aa1e663d9deb 100644 ---- a/fs/ksmbd/smb2misc.c -+++ b/fs/ksmbd/smb2misc.c -@@ -136,8 +136,11 @@ static int smb2_get_data_area_len(unsigned int *off, unsigned int *len, - *len = le16_to_cpu(((struct smb2_read_req *)hdr)->ReadChannelInfoLength); - break; - case SMB2_WRITE: -- if (((struct smb2_write_req *)hdr)->DataOffset) { -- *off = le16_to_cpu(((struct smb2_write_req *)hdr)->DataOffset); -+ if (((struct smb2_write_req *)hdr)->DataOffset || -+ ((struct smb2_write_req *)hdr)->Length) { -+ *off = max_t(unsigned int, -+ le16_to_cpu(((struct smb2_write_req *)hdr)->DataOffset), -+ offsetof(struct smb2_write_req, Buffer)); - *len = le32_to_cpu(((struct smb2_write_req *)hdr)->Length); - break; - } -diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c -index b5835e78a325..54aaf9014136 100644 ---- a/fs/ksmbd/smb2pdu.c -+++ b/fs/ksmbd/smb2pdu.c -@@ -6500,14 +6500,12 @@ int smb2_write(struct ksmbd_work *work) - writethrough = true; - - if (is_rdma_channel == false) { -- if ((u64)le16_to_cpu(req->DataOffset) + length > -- get_rfc1002_len(work->request_buf)) { -- pr_err("invalid write data offset %u, smb_len %u\n", -- le16_to_cpu(req->DataOffset), -- get_rfc1002_len(work->request_buf)); -+ if (le16_to_cpu(req->DataOffset) < -+ offsetof(struct smb2_write_req, Buffer)) { - err = -EINVAL; - goto out; - } -+ - data_buf = (char *)(((char *)&req->hdr.ProtocolId) + - le16_to_cpu(req->DataOffset)); - --- -2.35.1 - diff --git a/queue-5.19/kvm-do-not-incorporate-page-offset-into-gfn-pfn-cach.patch b/queue-5.19/kvm-do-not-incorporate-page-offset-into-gfn-pfn-cach.patch deleted file mode 100644 index 872cec81bae..00000000000 --- a/queue-5.19/kvm-do-not-incorporate-page-offset-into-gfn-pfn-cach.patch +++ /dev/null @@ -1,43 +0,0 @@ -From ea59497b46e7a2ab3f493caa24e211a155376ac1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 29 Apr 2022 21:00:22 +0000 -Subject: KVM: Do not incorporate page offset into gfn=>pfn cache user address - -From: Sean Christopherson - -[ Upstream commit 3ba2c95ea180740b16281fa43a3ee5f47279c0ed ] - -Don't adjust the userspace address in the gfn=>pfn cache by the page -offset from the gpa. KVM should never use the user address directly, and -all KVM operations that translate a user address to something else -require the user address to be page aligned. Ignoring the offset will -allow the cache to reuse a gfn=>hva translation in the unlikely event -that the page offset of the gpa changes, but the gfn does not. And more -importantly, not having to (un)adjust the user address will simplify a -future bug fix. - -Cc: stable@vger.kernel.org -Signed-off-by: Sean Christopherson -Message-Id: <20220429210025.3293691-6-seanjc@google.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Sasha Levin ---- - virt/kvm/pfncache.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/virt/kvm/pfncache.c b/virt/kvm/pfncache.c -index 40cbe90d52e0..05cb0bcbf662 100644 ---- a/virt/kvm/pfncache.c -+++ b/virt/kvm/pfncache.c -@@ -179,8 +179,6 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc, - ret = -EFAULT; - goto out; - } -- -- gpc->uhva += page_offset; - } - - /* --- -2.35.1 - diff --git a/queue-5.19/kvm-drop-unused-gpa-param-from-gfn-pfn-cache-s-__rel.patch b/queue-5.19/kvm-drop-unused-gpa-param-from-gfn-pfn-cache-s-__rel.patch deleted file mode 100644 index 6b32d3c6b44..00000000000 --- a/queue-5.19/kvm-drop-unused-gpa-param-from-gfn-pfn-cache-s-__rel.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 42a8593225a8bdc485b1f7203bc49cd5b103376f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 29 Apr 2022 21:00:20 +0000 -Subject: KVM: Drop unused @gpa param from gfn=>pfn cache's __release_gpc() - helper - -From: Sean Christopherson - -[ Upstream commit 345b0fd6fe5f66dfe841bad0b39dd11a5672df68 ] - -Drop the @pga param from __release_gpc() and rename the helper to make it -more obvious that the cache itself is not being released. The helper -will be reused by a future commit to release a pfn+khva combination that -is _never_ associated with the cache, at which point the current name -would go from slightly misleading to blatantly wrong. - -No functional change intended. - -Cc: stable@vger.kernel.org -Signed-off-by: Sean Christopherson -Message-Id: <20220429210025.3293691-4-seanjc@google.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Sasha Levin ---- - virt/kvm/pfncache.c | 10 +++------- - 1 file changed, 3 insertions(+), 7 deletions(-) - -diff --git a/virt/kvm/pfncache.c b/virt/kvm/pfncache.c -index dd84676615f1..e05a6a1b8eff 100644 ---- a/virt/kvm/pfncache.c -+++ b/virt/kvm/pfncache.c -@@ -95,7 +95,7 @@ bool kvm_gfn_to_pfn_cache_check(struct kvm *kvm, struct gfn_to_pfn_cache *gpc, - } - EXPORT_SYMBOL_GPL(kvm_gfn_to_pfn_cache_check); - --static void __release_gpc(struct kvm *kvm, kvm_pfn_t pfn, void *khva, gpa_t gpa) -+static void gpc_release_pfn_and_khva(struct kvm *kvm, kvm_pfn_t pfn, void *khva) - { - /* Unmap the old page if it was mapped before, and release it */ - if (!is_error_noslot_pfn(pfn)) { -@@ -146,7 +146,6 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc, - unsigned long page_offset = gpa & ~PAGE_MASK; - kvm_pfn_t old_pfn, new_pfn; - unsigned long old_uhva; -- gpa_t old_gpa; - void *old_khva; - bool old_valid; - int ret = 0; -@@ -160,7 +159,6 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc, - - write_lock_irq(&gpc->lock); - -- old_gpa = gpc->gpa; - old_pfn = gpc->pfn; - old_khva = gpc->khva - offset_in_page(gpc->khva); - old_uhva = gpc->uhva; -@@ -244,7 +242,7 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc, - out: - write_unlock_irq(&gpc->lock); - -- __release_gpc(kvm, old_pfn, old_khva, old_gpa); -+ gpc_release_pfn_and_khva(kvm, old_pfn, old_khva); - - return ret; - } -@@ -254,14 +252,12 @@ void kvm_gfn_to_pfn_cache_unmap(struct kvm *kvm, struct gfn_to_pfn_cache *gpc) - { - void *old_khva; - kvm_pfn_t old_pfn; -- gpa_t old_gpa; - - write_lock_irq(&gpc->lock); - - gpc->valid = false; - - old_khva = gpc->khva - offset_in_page(gpc->khva); -- old_gpa = gpc->gpa; - old_pfn = gpc->pfn; - - /* -@@ -273,7 +269,7 @@ void kvm_gfn_to_pfn_cache_unmap(struct kvm *kvm, struct gfn_to_pfn_cache *gpc) - - write_unlock_irq(&gpc->lock); - -- __release_gpc(kvm, old_pfn, old_khva, old_gpa); -+ gpc_release_pfn_and_khva(kvm, old_pfn, old_khva); - } - EXPORT_SYMBOL_GPL(kvm_gfn_to_pfn_cache_unmap); - --- -2.35.1 - diff --git a/queue-5.19/kvm-fix-multiple-races-in-gfn-pfn-cache-refresh.patch-19149 b/queue-5.19/kvm-fix-multiple-races-in-gfn-pfn-cache-refresh.patch-19149 deleted file mode 100644 index 778dee81fcd..00000000000 --- a/queue-5.19/kvm-fix-multiple-races-in-gfn-pfn-cache-refresh.patch-19149 +++ /dev/null @@ -1,363 +0,0 @@ -From 2efc1788a4dacd0abc511650fbbbd867149698b7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 29 Apr 2022 21:00:24 +0000 -Subject: KVM: Fix multiple races in gfn=>pfn cache refresh - -From: Sean Christopherson - -[ Upstream commit 58cd407ca4c6278cf9f9d09a2e663bf645b0c982 ] - -Rework the gfn=>pfn cache (gpc) refresh logic to address multiple races -between the cache itself, and between the cache and mmu_notifier events. - -The existing refresh code attempts to guard against races with the -mmu_notifier by speculatively marking the cache valid, and then marking -it invalid if a mmu_notifier invalidation occurs. That handles the case -where an invalidation occurs between dropping and re-acquiring gpc->lock, -but it doesn't handle the scenario where the cache is refreshed after the -cache was invalidated by the notifier, but before the notifier elevates -mmu_notifier_count. The gpc refresh can't use the "retry" helper as its -invalidation occurs _before_ mmu_notifier_count is elevated and before -mmu_notifier_range_start is set/updated. - - CPU0 CPU1 - ---- ---- - - gfn_to_pfn_cache_invalidate_start() - | - -> gpc->valid = false; - kvm_gfn_to_pfn_cache_refresh() - | - |-> gpc->valid = true; - - hva_to_pfn_retry() - | - -> acquire kvm->mmu_lock - kvm->mmu_notifier_count == 0 - mmu_seq == kvm->mmu_notifier_seq - drop kvm->mmu_lock - return pfn 'X' - acquire kvm->mmu_lock - kvm_inc_notifier_count() - drop kvm->mmu_lock() - kernel frees pfn 'X' - kvm_gfn_to_pfn_cache_check() - | - |-> gpc->valid == true - - caller accesses freed pfn 'X' - -Key off of mn_active_invalidate_count to detect that a pfncache refresh -needs to wait for an in-progress mmu_notifier invalidation. While -mn_active_invalidate_count is not guaranteed to be stable, it is -guaranteed to be elevated prior to an invalidation acquiring gpc->lock, -so either the refresh will see an active invalidation and wait, or the -invalidation will run after the refresh completes. - -Speculatively marking the cache valid is itself flawed, as a concurrent -kvm_gfn_to_pfn_cache_check() would see a valid cache with stale pfn/khva -values. The KVM Xen use case explicitly allows/wants multiple users; -even though the caches are allocated per vCPU, __kvm_xen_has_interrupt() -can read a different vCPU (or vCPUs). Address this race by invalidating -the cache prior to dropping gpc->lock (this is made possible by fixing -the above mmu_notifier race). - -Complicating all of this is the fact that both the hva=>pfn resolution -and mapping of the kernel address can sleep, i.e. must be done outside -of gpc->lock. - -Fix the above races in one fell swoop, trying to fix each individual race -is largely pointless and essentially impossible to test, e.g. closing one -hole just shifts the focus to the other hole. - -Fixes: 982ed0de4753 ("KVM: Reinstate gfn_to_pfn_cache with invalidation support") -Cc: stable@vger.kernel.org -Cc: David Woodhouse -Cc: Mingwei Zhang -Signed-off-by: Sean Christopherson -Message-Id: <20220429210025.3293691-8-seanjc@google.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Sasha Levin ---- - virt/kvm/kvm_main.c | 9 +++ - virt/kvm/pfncache.c | 193 ++++++++++++++++++++++++++++---------------- - 2 files changed, 131 insertions(+), 71 deletions(-) - -diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index a49df8988cd6..28126ee221b5 100644 ---- a/virt/kvm/kvm_main.c -+++ b/virt/kvm/kvm_main.c -@@ -724,6 +724,15 @@ static int kvm_mmu_notifier_invalidate_range_start(struct mmu_notifier *mn, - kvm->mn_active_invalidate_count++; - spin_unlock(&kvm->mn_invalidate_lock); - -+ /* -+ * Invalidate pfn caches _before_ invalidating the secondary MMUs, i.e. -+ * before acquiring mmu_lock, to avoid holding mmu_lock while acquiring -+ * each cache's lock. There are relatively few caches in existence at -+ * any given time, and the caches themselves can check for hva overlap, -+ * i.e. don't need to rely on memslot overlap checks for performance. -+ * Because this runs without holding mmu_lock, the pfn caches must use -+ * mn_active_invalidate_count (see above) instead of mmu_notifier_count. -+ */ - gfn_to_pfn_cache_invalidate_start(kvm, range->start, range->end, - hva_range.may_block); - -diff --git a/virt/kvm/pfncache.c b/virt/kvm/pfncache.c -index f610d3945b69..b0b678367376 100644 ---- a/virt/kvm/pfncache.c -+++ b/virt/kvm/pfncache.c -@@ -112,31 +112,122 @@ static void gpc_release_pfn_and_khva(struct kvm *kvm, kvm_pfn_t pfn, void *khva) - } - } - --static kvm_pfn_t hva_to_pfn_retry(struct kvm *kvm, unsigned long uhva) -+static inline bool mmu_notifier_retry_cache(struct kvm *kvm, unsigned long mmu_seq) - { -+ /* -+ * mn_active_invalidate_count acts for all intents and purposes -+ * like mmu_notifier_count here; but the latter cannot be used -+ * here because the invalidation of caches in the mmu_notifier -+ * event occurs _before_ mmu_notifier_count is elevated. -+ * -+ * Note, it does not matter that mn_active_invalidate_count -+ * is not protected by gpc->lock. It is guaranteed to -+ * be elevated before the mmu_notifier acquires gpc->lock, and -+ * isn't dropped until after mmu_notifier_seq is updated. -+ */ -+ if (kvm->mn_active_invalidate_count) -+ return true; -+ -+ /* -+ * Ensure mn_active_invalidate_count is read before -+ * mmu_notifier_seq. This pairs with the smp_wmb() in -+ * mmu_notifier_invalidate_range_end() to guarantee either the -+ * old (non-zero) value of mn_active_invalidate_count or the -+ * new (incremented) value of mmu_notifier_seq is observed. -+ */ -+ smp_rmb(); -+ return kvm->mmu_notifier_seq != mmu_seq; -+} -+ -+static kvm_pfn_t hva_to_pfn_retry(struct kvm *kvm, struct gfn_to_pfn_cache *gpc) -+{ -+ /* Note, the new page offset may be different than the old! */ -+ void *old_khva = gpc->khva - offset_in_page(gpc->khva); -+ kvm_pfn_t new_pfn = KVM_PFN_ERR_FAULT; -+ void *new_khva = NULL; - unsigned long mmu_seq; -- kvm_pfn_t new_pfn; -- int retry; -+ -+ lockdep_assert_held(&gpc->refresh_lock); -+ -+ lockdep_assert_held_write(&gpc->lock); -+ -+ /* -+ * Invalidate the cache prior to dropping gpc->lock, the gpa=>uhva -+ * assets have already been updated and so a concurrent check() from a -+ * different task may not fail the gpa/uhva/generation checks. -+ */ -+ gpc->valid = false; - - do { - mmu_seq = kvm->mmu_notifier_seq; - smp_rmb(); - -+ write_unlock_irq(&gpc->lock); -+ -+ /* -+ * If the previous iteration "failed" due to an mmu_notifier -+ * event, release the pfn and unmap the kernel virtual address -+ * from the previous attempt. Unmapping might sleep, so this -+ * needs to be done after dropping the lock. Opportunistically -+ * check for resched while the lock isn't held. -+ */ -+ if (new_pfn != KVM_PFN_ERR_FAULT) { -+ /* -+ * Keep the mapping if the previous iteration reused -+ * the existing mapping and didn't create a new one. -+ */ -+ if (new_khva == old_khva) -+ new_khva = NULL; -+ -+ gpc_release_pfn_and_khva(kvm, new_pfn, new_khva); -+ -+ cond_resched(); -+ } -+ - /* We always request a writeable mapping */ -- new_pfn = hva_to_pfn(uhva, false, NULL, true, NULL); -+ new_pfn = hva_to_pfn(gpc->uhva, false, NULL, true, NULL); - if (is_error_noslot_pfn(new_pfn)) -- break; -+ goto out_error; -+ -+ /* -+ * Obtain a new kernel mapping if KVM itself will access the -+ * pfn. Note, kmap() and memremap() can both sleep, so this -+ * too must be done outside of gpc->lock! -+ */ -+ if (gpc->usage & KVM_HOST_USES_PFN) { -+ if (new_pfn == gpc->pfn) { -+ new_khva = old_khva; -+ } else if (pfn_valid(new_pfn)) { -+ new_khva = kmap(pfn_to_page(new_pfn)); -+#ifdef CONFIG_HAS_IOMEM -+ } else { -+ new_khva = memremap(pfn_to_hpa(new_pfn), PAGE_SIZE, MEMREMAP_WB); -+#endif -+ } -+ if (!new_khva) { -+ kvm_release_pfn_clean(new_pfn); -+ goto out_error; -+ } -+ } -+ -+ write_lock_irq(&gpc->lock); - -- KVM_MMU_READ_LOCK(kvm); -- retry = mmu_notifier_retry_hva(kvm, mmu_seq, uhva); -- KVM_MMU_READ_UNLOCK(kvm); -- if (!retry) -- break; -+ /* -+ * Other tasks must wait for _this_ refresh to complete before -+ * attempting to refresh. -+ */ -+ WARN_ON_ONCE(gpc->valid); -+ } while (mmu_notifier_retry_cache(kvm, mmu_seq)); - -- cond_resched(); -- } while (1); -+ gpc->valid = true; -+ gpc->pfn = new_pfn; -+ gpc->khva = new_khva + (gpc->gpa & ~PAGE_MASK); -+ return 0; -+ -+out_error: -+ write_lock_irq(&gpc->lock); - -- return new_pfn; -+ return -EFAULT; - } - - int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc, -@@ -147,7 +238,6 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc, - kvm_pfn_t old_pfn, new_pfn; - unsigned long old_uhva; - void *old_khva; -- bool old_valid; - int ret = 0; - - /* -@@ -169,7 +259,6 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc, - old_pfn = gpc->pfn; - old_khva = gpc->khva - offset_in_page(gpc->khva); - old_uhva = gpc->uhva; -- old_valid = gpc->valid; - - /* If the userspace HVA is invalid, refresh that first */ - if (gpc->gpa != gpa || gpc->generation != slots->generation || -@@ -182,7 +271,6 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc, - gpc->uhva = gfn_to_hva_memslot(gpc->memslot, gfn); - - if (kvm_is_error_hva(gpc->uhva)) { -- gpc->pfn = KVM_PFN_ERR_FAULT; - ret = -EFAULT; - goto out; - } -@@ -192,60 +280,8 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc, - * If the userspace HVA changed or the PFN was already invalid, - * drop the lock and do the HVA to PFN lookup again. - */ -- if (!old_valid || old_uhva != gpc->uhva) { -- unsigned long uhva = gpc->uhva; -- void *new_khva = NULL; -- -- /* Placeholders for "hva is valid but not yet mapped" */ -- gpc->pfn = KVM_PFN_ERR_FAULT; -- gpc->khva = NULL; -- gpc->valid = true; -- -- write_unlock_irq(&gpc->lock); -- -- new_pfn = hva_to_pfn_retry(kvm, uhva); -- if (is_error_noslot_pfn(new_pfn)) { -- ret = -EFAULT; -- goto map_done; -- } -- -- if (gpc->usage & KVM_HOST_USES_PFN) { -- if (new_pfn == old_pfn) { -- /* -- * Reuse the existing pfn and khva, but put the -- * reference acquired hva_to_pfn_retry(); the -- * cache still holds a reference to the pfn -- * from the previous refresh. -- */ -- gpc_release_pfn_and_khva(kvm, new_pfn, NULL); -- -- new_khva = old_khva; -- old_pfn = KVM_PFN_ERR_FAULT; -- old_khva = NULL; -- } else if (pfn_valid(new_pfn)) { -- new_khva = kmap(pfn_to_page(new_pfn)); --#ifdef CONFIG_HAS_IOMEM -- } else { -- new_khva = memremap(pfn_to_hpa(new_pfn), PAGE_SIZE, MEMREMAP_WB); --#endif -- } -- if (new_khva) -- new_khva += page_offset; -- else -- ret = -EFAULT; -- } -- -- map_done: -- write_lock_irq(&gpc->lock); -- if (ret) { -- gpc->valid = false; -- gpc->pfn = KVM_PFN_ERR_FAULT; -- gpc->khva = NULL; -- } else { -- /* At this point, gpc->valid may already have been cleared */ -- gpc->pfn = new_pfn; -- gpc->khva = new_khva; -- } -+ if (!gpc->valid || old_uhva != gpc->uhva) { -+ ret = hva_to_pfn_retry(kvm, gpc); - } else { - /* If the HVA→PFN mapping was already valid, don't unmap it. */ - old_pfn = KVM_PFN_ERR_FAULT; -@@ -253,11 +289,26 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc, - } - - out: -+ /* -+ * Invalidate the cache and purge the pfn/khva if the refresh failed. -+ * Some/all of the uhva, gpa, and memslot generation info may still be -+ * valid, leave it as is. -+ */ -+ if (ret) { -+ gpc->valid = false; -+ gpc->pfn = KVM_PFN_ERR_FAULT; -+ gpc->khva = NULL; -+ } -+ -+ /* Snapshot the new pfn before dropping the lock! */ -+ new_pfn = gpc->pfn; -+ - write_unlock_irq(&gpc->lock); - - mutex_unlock(&gpc->refresh_lock); - -- gpc_release_pfn_and_khva(kvm, old_pfn, old_khva); -+ if (old_pfn != new_pfn) -+ gpc_release_pfn_and_khva(kvm, old_pfn, old_khva); - - return ret; - } --- -2.35.1 - diff --git a/queue-5.19/kvm-fully-serialize-gfn-pfn-cache-refresh-via-mutex.patch-7350 b/queue-5.19/kvm-fully-serialize-gfn-pfn-cache-refresh-via-mutex.patch-7350 deleted file mode 100644 index 854a6669bf0..00000000000 --- a/queue-5.19/kvm-fully-serialize-gfn-pfn-cache-refresh-via-mutex.patch-7350 +++ /dev/null @@ -1,112 +0,0 @@ -From 52ddf24c3e8dd515588fd249a9c0e59735e9281e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 29 Apr 2022 21:00:23 +0000 -Subject: KVM: Fully serialize gfn=>pfn cache refresh via mutex - -From: Sean Christopherson - -[ Upstream commit 93984f19e7bce4c18084a6ef3dacafb155b806ed ] - -Protect gfn=>pfn cache refresh with a mutex to fully serialize refreshes. -The refresh logic doesn't protect against - -- concurrent unmaps, or refreshes with different GPAs (which may or may not - happen in practice, for example if a cache is only used under vcpu->mutex; - but it's allowed in the code) - -- a false negative on the memslot generation. If the first refresh sees - a stale memslot generation, it will refresh the hva and generation before - moving on to the hva=>pfn translation. If it then drops gpc->lock, a - different user of the cache can come along, acquire gpc->lock, see that - the memslot generation is fresh, and skip the hva=>pfn update due to the - userspace address also matching (because it too was updated). - -The refresh path can already sleep during hva=>pfn resolution, so wrap -the refresh with a mutex to ensure that any given refresh runs to -completion before other callers can start their refresh. - -Cc: stable@vger.kernel.org -Cc: Lai Jiangshan -Signed-off-by: Sean Christopherson -Message-Id: <20220429210025.3293691-7-seanjc@google.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Sasha Levin ---- - include/linux/kvm_types.h | 2 ++ - virt/kvm/pfncache.c | 12 ++++++++++++ - 2 files changed, 14 insertions(+) - -diff --git a/include/linux/kvm_types.h b/include/linux/kvm_types.h -index ac1ebb37a0ff..f328a01db4fe 100644 ---- a/include/linux/kvm_types.h -+++ b/include/linux/kvm_types.h -@@ -19,6 +19,7 @@ struct kvm_memslots; - enum kvm_mr_change; - - #include -+#include - #include - #include - -@@ -69,6 +70,7 @@ struct gfn_to_pfn_cache { - struct kvm_vcpu *vcpu; - struct list_head list; - rwlock_t lock; -+ struct mutex refresh_lock; - void *khva; - kvm_pfn_t pfn; - enum pfn_cache_usage usage; -diff --git a/virt/kvm/pfncache.c b/virt/kvm/pfncache.c -index 05cb0bcbf662..f610d3945b69 100644 ---- a/virt/kvm/pfncache.c -+++ b/virt/kvm/pfncache.c -@@ -157,6 +157,13 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc, - if (page_offset + len > PAGE_SIZE) - return -EINVAL; - -+ /* -+ * If another task is refreshing the cache, wait for it to complete. -+ * There is no guarantee that concurrent refreshes will see the same -+ * gpa, memslots generation, etc..., so they must be fully serialized. -+ */ -+ mutex_lock(&gpc->refresh_lock); -+ - write_lock_irq(&gpc->lock); - - old_pfn = gpc->pfn; -@@ -248,6 +255,8 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc, - out: - write_unlock_irq(&gpc->lock); - -+ mutex_unlock(&gpc->refresh_lock); -+ - gpc_release_pfn_and_khva(kvm, old_pfn, old_khva); - - return ret; -@@ -259,6 +268,7 @@ void kvm_gfn_to_pfn_cache_unmap(struct kvm *kvm, struct gfn_to_pfn_cache *gpc) - void *old_khva; - kvm_pfn_t old_pfn; - -+ mutex_lock(&gpc->refresh_lock); - write_lock_irq(&gpc->lock); - - gpc->valid = false; -@@ -274,6 +284,7 @@ void kvm_gfn_to_pfn_cache_unmap(struct kvm *kvm, struct gfn_to_pfn_cache *gpc) - gpc->pfn = KVM_PFN_ERR_FAULT; - - write_unlock_irq(&gpc->lock); -+ mutex_unlock(&gpc->refresh_lock); - - gpc_release_pfn_and_khva(kvm, old_pfn, old_khva); - } -@@ -288,6 +299,7 @@ int kvm_gfn_to_pfn_cache_init(struct kvm *kvm, struct gfn_to_pfn_cache *gpc, - - if (!gpc->active) { - rwlock_init(&gpc->lock); -+ mutex_init(&gpc->refresh_lock); - - gpc->khva = NULL; - gpc->pfn = KVM_PFN_ERR_FAULT; --- -2.35.1 - diff --git a/queue-5.19/kvm-nvmx-account-for-kvm-reserved-cr4-bits-in-consis.patch b/queue-5.19/kvm-nvmx-account-for-kvm-reserved-cr4-bits-in-consis.patch deleted file mode 100644 index 10dad5d8ac1..00000000000 --- a/queue-5.19/kvm-nvmx-account-for-kvm-reserved-cr4-bits-in-consis.patch +++ /dev/null @@ -1,50 +0,0 @@ -From d767abce1471976905ba9734b7e1e3756377d9e8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 Jun 2022 21:35:51 +0000 -Subject: KVM: nVMX: Account for KVM reserved CR4 bits in consistency checks - -From: Sean Christopherson - -[ Upstream commit ca58f3aa53d165afe4ab74c755bc2f6d168617ac ] - -Check that the guest (L2) and host (L1) CR4 values that would be loaded -by nested VM-Enter and VM-Exit respectively are valid with respect to -KVM's (L0 host) allowed CR4 bits. Failure to check KVM reserved bits -would allow L1 to load an illegal CR4 (or trigger hardware VM-Fail or -failed VM-Entry) by massaging guest CPUID to allow features that are not -supported by KVM. Amusingly, KVM itself is an accomplice in its doom, as -KVM adjusts L1's MSR_IA32_VMX_CR4_FIXED1 to allow L1 to enable bits for -L2 based on L1's CPUID model. - -Note, although nested_{guest,host}_cr4_valid() are _currently_ used if -and only if the vCPU is post-VMXON (nested.vmxon == true), that may not -be true in the future, e.g. emulating VMXON has a bug where it doesn't -check the allowed/required CR0/CR4 bits. - -Cc: stable@vger.kernel.org -Fixes: 3899152ccbf4 ("KVM: nVMX: fix checks on CR{0,4} during virtual VMX operation") -Signed-off-by: Sean Christopherson -Message-Id: <20220607213604.3346000-3-seanjc@google.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Sasha Levin ---- - arch/x86/kvm/vmx/nested.h | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/kvm/vmx/nested.h b/arch/x86/kvm/vmx/nested.h -index c92cea0b8ccc..129ae4e01f7c 100644 ---- a/arch/x86/kvm/vmx/nested.h -+++ b/arch/x86/kvm/vmx/nested.h -@@ -281,7 +281,8 @@ static inline bool nested_cr4_valid(struct kvm_vcpu *vcpu, unsigned long val) - u64 fixed0 = to_vmx(vcpu)->nested.msrs.cr4_fixed0; - u64 fixed1 = to_vmx(vcpu)->nested.msrs.cr4_fixed1; - -- return fixed_bits_valid(val, fixed0, fixed1); -+ return fixed_bits_valid(val, fixed0, fixed1) && -+ __kvm_is_valid_cr4(vcpu, val); - } - - /* No difference in the restrictions on guest and host CR4 in VMX operation. */ --- -2.35.1 - diff --git a/queue-5.19/kvm-nvmx-inject-ud-if-vmxon-is-attempted-with-incomp.patch b/queue-5.19/kvm-nvmx-inject-ud-if-vmxon-is-attempted-with-incomp.patch deleted file mode 100644 index 41d04466663..00000000000 --- a/queue-5.19/kvm-nvmx-inject-ud-if-vmxon-is-attempted-with-incomp.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 452c457abb5411372c478172ce17b997bce37923 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 Jun 2022 21:35:52 +0000 -Subject: KVM: nVMX: Inject #UD if VMXON is attempted with incompatible CR0/CR4 - -From: Sean Christopherson - -[ Upstream commit c7d855c2aff2d511fd60ee2e356134c4fb394799 ] - -Inject a #UD if L1 attempts VMXON with a CR0 or CR4 that is disallowed -per the associated nested VMX MSRs' fixed0/1 settings. KVM cannot rely -on hardware to perform the checks, even for the few checks that have -higher priority than VM-Exit, as (a) KVM may have forced CR0/CR4 bits in -hardware while running the guest, (b) there may incompatible CR0/CR4 bits -that have lower priority than VM-Exit, e.g. CR0.NE, and (c) userspace may -have further restricted the allowed CR0/CR4 values by manipulating the -guest's nested VMX MSRs. - -Note, despite a very strong desire to throw shade at Jim, commit -70f3aac964ae ("kvm: nVMX: Remove superfluous VMX instruction fault checks") -is not to blame for the buggy behavior (though the comment...). That -commit only removed the CR0.PE, EFLAGS.VM, and COMPATIBILITY mode checks -(though it did erroneously drop the CPL check, but that has already been -remedied). KVM may force CR0.PE=1, but will do so only when also -forcing EFLAGS.VM=1 to emulate Real Mode, i.e. hardware will still #UD. - -Link: https://bugzilla.kernel.org/show_bug.cgi?id=216033 -Fixes: ec378aeef9df ("KVM: nVMX: Implement VMXON and VMXOFF") -Reported-by: Eric Li -Cc: stable@vger.kernel.org -Signed-off-by: Sean Christopherson -Message-Id: <20220607213604.3346000-4-seanjc@google.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Sasha Levin ---- - arch/x86/kvm/vmx/nested.c | 23 ++++++++++++++--------- - 1 file changed, 14 insertions(+), 9 deletions(-) - -diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c -index 30babb471ae3..f3b500b8475f 100644 ---- a/arch/x86/kvm/vmx/nested.c -+++ b/arch/x86/kvm/vmx/nested.c -@@ -4964,20 +4964,25 @@ static int handle_vmon(struct kvm_vcpu *vcpu) - | FEAT_CTL_VMX_ENABLED_OUTSIDE_SMX; - - /* -- * The Intel VMX Instruction Reference lists a bunch of bits that are -- * prerequisite to running VMXON, most notably cr4.VMXE must be set to -- * 1 (see vmx_is_valid_cr4() for when we allow the guest to set this). -- * Otherwise, we should fail with #UD. But most faulting conditions -- * have already been checked by hardware, prior to the VM-exit for -- * VMXON. We do test guest cr4.VMXE because processor CR4 always has -- * that bit set to 1 in non-root mode. -+ * Note, KVM cannot rely on hardware to perform the CR0/CR4 #UD checks -+ * that have higher priority than VM-Exit (see Intel SDM's pseudocode -+ * for VMXON), as KVM must load valid CR0/CR4 values into hardware while -+ * running the guest, i.e. KVM needs to check the _guest_ values. -+ * -+ * Rely on hardware for the other two pre-VM-Exit checks, !VM86 and -+ * !COMPATIBILITY modes. KVM may run the guest in VM86 to emulate Real -+ * Mode, but KVM will never take the guest out of those modes. - */ -- if (!kvm_read_cr4_bits(vcpu, X86_CR4_VMXE)) { -+ if (!nested_host_cr0_valid(vcpu, kvm_read_cr0(vcpu)) || -+ !nested_host_cr4_valid(vcpu, kvm_read_cr4(vcpu))) { - kvm_queue_exception(vcpu, UD_VECTOR); - return 1; - } - -- /* CPL=0 must be checked manually. */ -+ /* -+ * CPL=0 and all other checks that are lower priority than VM-Exit must -+ * be checked manually. -+ */ - if (vmx_get_cpl(vcpu)) { - kvm_inject_gp(vcpu, 0); - return 1; --- -2.35.1 - diff --git a/queue-5.19/kvm-nvmx-let-userspace-set-nvmx-msr-to-any-_host_-su.patch b/queue-5.19/kvm-nvmx-let-userspace-set-nvmx-msr-to-any-_host_-su.patch deleted file mode 100644 index a3c4c720a2d..00000000000 --- a/queue-5.19/kvm-nvmx-let-userspace-set-nvmx-msr-to-any-_host_-su.patch +++ /dev/null @@ -1,180 +0,0 @@ -From 386e4970d04eb231b4e6fb4a700344e6164b67e8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 Jun 2022 21:35:54 +0000 -Subject: KVM: nVMX: Let userspace set nVMX MSR to any _host_ supported value - -From: Sean Christopherson - -[ Upstream commit f8ae08f9789ad59d318ea75b570caa454aceda81 ] - -Restrict the nVMX MSRs based on KVM's config, not based on the guest's -current config. Using the guest's config to audit the new config -prevents userspace from restoring the original config (KVM's config) if -at any point in the past the guest's config was restricted in any way. - -Fixes: 62cc6b9dc61e ("KVM: nVMX: support restore of VMX capability MSRs") -Cc: stable@vger.kernel.org -Cc: David Matlack -Signed-off-by: Sean Christopherson -Message-Id: <20220607213604.3346000-6-seanjc@google.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Sasha Levin ---- - arch/x86/kvm/vmx/nested.c | 70 +++++++++++++++++++++------------------ - 1 file changed, 37 insertions(+), 33 deletions(-) - -diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c -index f3b500b8475f..66735fbb791d 100644 ---- a/arch/x86/kvm/vmx/nested.c -+++ b/arch/x86/kvm/vmx/nested.c -@@ -1223,7 +1223,7 @@ static int vmx_restore_vmx_basic(struct vcpu_vmx *vmx, u64 data) - BIT_ULL(49) | BIT_ULL(54) | BIT_ULL(55) | - /* reserved */ - BIT_ULL(31) | GENMASK_ULL(47, 45) | GENMASK_ULL(63, 56); -- u64 vmx_basic = vmx->nested.msrs.basic; -+ u64 vmx_basic = vmcs_config.nested.basic; - - if (!is_bitwise_subset(vmx_basic, data, feature_and_reserved)) - return -EINVAL; -@@ -1246,36 +1246,42 @@ static int vmx_restore_vmx_basic(struct vcpu_vmx *vmx, u64 data) - return 0; - } - --static int --vmx_restore_control_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data) -+static void vmx_get_control_msr(struct nested_vmx_msrs *msrs, u32 msr_index, -+ u32 **low, u32 **high) - { -- u64 supported; -- u32 *lowp, *highp; -- - switch (msr_index) { - case MSR_IA32_VMX_TRUE_PINBASED_CTLS: -- lowp = &vmx->nested.msrs.pinbased_ctls_low; -- highp = &vmx->nested.msrs.pinbased_ctls_high; -+ *low = &msrs->pinbased_ctls_low; -+ *high = &msrs->pinbased_ctls_high; - break; - case MSR_IA32_VMX_TRUE_PROCBASED_CTLS: -- lowp = &vmx->nested.msrs.procbased_ctls_low; -- highp = &vmx->nested.msrs.procbased_ctls_high; -+ *low = &msrs->procbased_ctls_low; -+ *high = &msrs->procbased_ctls_high; - break; - case MSR_IA32_VMX_TRUE_EXIT_CTLS: -- lowp = &vmx->nested.msrs.exit_ctls_low; -- highp = &vmx->nested.msrs.exit_ctls_high; -+ *low = &msrs->exit_ctls_low; -+ *high = &msrs->exit_ctls_high; - break; - case MSR_IA32_VMX_TRUE_ENTRY_CTLS: -- lowp = &vmx->nested.msrs.entry_ctls_low; -- highp = &vmx->nested.msrs.entry_ctls_high; -+ *low = &msrs->entry_ctls_low; -+ *high = &msrs->entry_ctls_high; - break; - case MSR_IA32_VMX_PROCBASED_CTLS2: -- lowp = &vmx->nested.msrs.secondary_ctls_low; -- highp = &vmx->nested.msrs.secondary_ctls_high; -+ *low = &msrs->secondary_ctls_low; -+ *high = &msrs->secondary_ctls_high; - break; - default: - BUG(); - } -+} -+ -+static int -+vmx_restore_control_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data) -+{ -+ u32 *lowp, *highp; -+ u64 supported; -+ -+ vmx_get_control_msr(&vmcs_config.nested, msr_index, &lowp, &highp); - - supported = vmx_control_msr(*lowp, *highp); - -@@ -1287,6 +1293,7 @@ vmx_restore_control_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data) - if (!is_bitwise_subset(supported, data, GENMASK_ULL(63, 32))) - return -EINVAL; - -+ vmx_get_control_msr(&vmx->nested.msrs, msr_index, &lowp, &highp); - *lowp = data; - *highp = data >> 32; - return 0; -@@ -1300,10 +1307,8 @@ static int vmx_restore_vmx_misc(struct vcpu_vmx *vmx, u64 data) - BIT_ULL(28) | BIT_ULL(29) | BIT_ULL(30) | - /* reserved */ - GENMASK_ULL(13, 9) | BIT_ULL(31); -- u64 vmx_misc; -- -- vmx_misc = vmx_control_msr(vmx->nested.msrs.misc_low, -- vmx->nested.msrs.misc_high); -+ u64 vmx_misc = vmx_control_msr(vmcs_config.nested.misc_low, -+ vmcs_config.nested.misc_high); - - if (!is_bitwise_subset(vmx_misc, data, feature_and_reserved_bits)) - return -EINVAL; -@@ -1331,10 +1336,8 @@ static int vmx_restore_vmx_misc(struct vcpu_vmx *vmx, u64 data) - - static int vmx_restore_vmx_ept_vpid_cap(struct vcpu_vmx *vmx, u64 data) - { -- u64 vmx_ept_vpid_cap; -- -- vmx_ept_vpid_cap = vmx_control_msr(vmx->nested.msrs.ept_caps, -- vmx->nested.msrs.vpid_caps); -+ u64 vmx_ept_vpid_cap = vmx_control_msr(vmcs_config.nested.ept_caps, -+ vmcs_config.nested.vpid_caps); - - /* Every bit is either reserved or a feature bit. */ - if (!is_bitwise_subset(vmx_ept_vpid_cap, data, -1ULL)) -@@ -1345,20 +1348,21 @@ static int vmx_restore_vmx_ept_vpid_cap(struct vcpu_vmx *vmx, u64 data) - return 0; - } - --static int vmx_restore_fixed0_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data) -+static u64 *vmx_get_fixed0_msr(struct nested_vmx_msrs *msrs, u32 msr_index) - { -- u64 *msr; -- - switch (msr_index) { - case MSR_IA32_VMX_CR0_FIXED0: -- msr = &vmx->nested.msrs.cr0_fixed0; -- break; -+ return &msrs->cr0_fixed0; - case MSR_IA32_VMX_CR4_FIXED0: -- msr = &vmx->nested.msrs.cr4_fixed0; -- break; -+ return &msrs->cr4_fixed0; - default: - BUG(); - } -+} -+ -+static int vmx_restore_fixed0_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data) -+{ -+ const u64 *msr = vmx_get_fixed0_msr(&vmcs_config.nested, msr_index); - - /* - * 1 bits (which indicates bits which "must-be-1" during VMX operation) -@@ -1367,7 +1371,7 @@ static int vmx_restore_fixed0_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data) - if (!is_bitwise_subset(data, *msr, -1ULL)) - return -EINVAL; - -- *msr = data; -+ *vmx_get_fixed0_msr(&vmx->nested.msrs, msr_index) = data; - return 0; - } - -@@ -1428,7 +1432,7 @@ int vmx_set_vmx_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data) - vmx->nested.msrs.vmcs_enum = data; - return 0; - case MSR_IA32_VMX_VMFUNC: -- if (data & ~vmx->nested.msrs.vmfunc_controls) -+ if (data & ~vmcs_config.nested.vmfunc_controls) - return -EINVAL; - vmx->nested.msrs.vmfunc_controls = data; - return 0; --- -2.35.1 - diff --git a/queue-5.19/kvm-nvmx-snapshot-pre-vm-enter-bndcfgs-for-nested_ru.patch b/queue-5.19/kvm-nvmx-snapshot-pre-vm-enter-bndcfgs-for-nested_ru.patch deleted file mode 100644 index dee3062ce51..00000000000 --- a/queue-5.19/kvm-nvmx-snapshot-pre-vm-enter-bndcfgs-for-nested_ru.patch +++ /dev/null @@ -1,58 +0,0 @@ -From b52bbbb1b583491cdb74bb02fc84bec3ec4dbe2d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 14 Jun 2022 21:58:27 +0000 -Subject: KVM: nVMX: Snapshot pre-VM-Enter BNDCFGS for !nested_run_pending case - -From: Sean Christopherson - -[ Upstream commit fa578398a0ba2c079fa1170da21fa5baae0cedb2 ] - -If a nested run isn't pending, snapshot vmcs01.GUEST_BNDCFGS irrespective -of whether or not VM_ENTRY_LOAD_BNDCFGS is set in vmcs12. When restoring -nested state, e.g. after migration, without a nested run pending, -prepare_vmcs02() will propagate nested.vmcs01_guest_bndcfgs to vmcs02, -i.e. will load garbage/zeros into vmcs02.GUEST_BNDCFGS. - -If userspace restores nested state before MSRs, then loading garbage is a -non-issue as loading BNDCFGS will also update vmcs02. But if usersepace -restores MSRs first, then KVM is responsible for propagating L2's value, -which is actually thrown into vmcs01, into vmcs02. - -Restoring L2 MSRs into vmcs01, i.e. loading all MSRs before nested state -is all kinds of bizarre and ideally would not be supported. Sadly, some -VMMs do exactly that and rely on KVM to make things work. - -Note, there's still a lurking SMM bug, as propagating vmcs01.GUEST_BNDFGS -to vmcs02 across RSM may corrupt L2's BNDCFGS. But KVM's entire VMX+SMM -emulation is flawed as SMI+RSM should not toouch _any_ VMCS when use the -"default treatment of SMIs", i.e. when not using an SMI Transfer Monitor. - -Link: https://lore.kernel.org/all/Yobt1XwOfb5M6Dfa@google.com -Fixes: 62cf9bd8118c ("KVM: nVMX: Fix emulation of VM_ENTRY_LOAD_BNDCFGS") -Cc: stable@vger.kernel.org -Cc: Lei Wang -Signed-off-by: Sean Christopherson -Message-Id: <20220614215831.3762138-2-seanjc@google.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Sasha Levin ---- - arch/x86/kvm/vmx/nested.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c -index ab135f9ef52f..d6cb040966f9 100644 ---- a/arch/x86/kvm/vmx/nested.c -+++ b/arch/x86/kvm/vmx/nested.c -@@ -3376,7 +3376,8 @@ enum nvmx_vmentry_status nested_vmx_enter_non_root_mode(struct kvm_vcpu *vcpu, - if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) - vmx->nested.vmcs01_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL); - if (kvm_mpx_supported() && -- !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS)) -+ (!vmx->nested.nested_run_pending || -+ !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))) - vmx->nested.vmcs01_guest_bndcfgs = vmcs_read64(GUEST_BNDCFGS); - - /* --- -2.35.1 - diff --git a/queue-5.19/kvm-nvmx-snapshot-pre-vm-enter-debugctl-for-nested_r.patch b/queue-5.19/kvm-nvmx-snapshot-pre-vm-enter-debugctl-for-nested_r.patch deleted file mode 100644 index 576e2c6a810..00000000000 --- a/queue-5.19/kvm-nvmx-snapshot-pre-vm-enter-debugctl-for-nested_r.patch +++ /dev/null @@ -1,59 +0,0 @@ -From b840ad0bc32e8dc61c68c80d5a88dd6f19b2c01e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 14 Jun 2022 21:58:28 +0000 -Subject: KVM: nVMX: Snapshot pre-VM-Enter DEBUGCTL for !nested_run_pending - case - -From: Sean Christopherson - -[ Upstream commit 764643a6be07445308e492a528197044c801b3ba ] - -If a nested run isn't pending, snapshot vmcs01.GUEST_IA32_DEBUGCTL -irrespective of whether or not VM_ENTRY_LOAD_DEBUG_CONTROLS is set in -vmcs12. When restoring nested state, e.g. after migration, without a -nested run pending, prepare_vmcs02() will propagate -nested.vmcs01_debugctl to vmcs02, i.e. will load garbage/zeros into -vmcs02.GUEST_IA32_DEBUGCTL. - -If userspace restores nested state before MSRs, then loading garbage is a -non-issue as loading DEBUGCTL will also update vmcs02. But if usersepace -restores MSRs first, then KVM is responsible for propagating L2's value, -which is actually thrown into vmcs01, into vmcs02. - -Restoring L2 MSRs into vmcs01, i.e. loading all MSRs before nested state -is all kinds of bizarre and ideally would not be supported. Sadly, some -VMMs do exactly that and rely on KVM to make things work. - -Note, there's still a lurking SMM bug, as propagating vmcs01's DEBUGCTL -to vmcs02 across RSM may corrupt L2's DEBUGCTL. But KVM's entire VMX+SMM -emulation is flawed as SMI+RSM should not toouch _any_ VMCS when use the -"default treatment of SMIs", i.e. when not using an SMI Transfer Monitor. - -Link: https://lore.kernel.org/all/Yobt1XwOfb5M6Dfa@google.com -Fixes: 8fcc4b5923af ("kvm: nVMX: Introduce KVM_CAP_NESTED_STATE") -Cc: stable@vger.kernel.org -Signed-off-by: Sean Christopherson -Message-Id: <20220614215831.3762138-3-seanjc@google.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Sasha Levin ---- - arch/x86/kvm/vmx/nested.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c -index d6cb040966f9..30babb471ae3 100644 ---- a/arch/x86/kvm/vmx/nested.c -+++ b/arch/x86/kvm/vmx/nested.c -@@ -3373,7 +3373,8 @@ enum nvmx_vmentry_status nested_vmx_enter_non_root_mode(struct kvm_vcpu *vcpu, - if (likely(!evaluate_pending_interrupts) && kvm_vcpu_apicv_active(vcpu)) - evaluate_pending_interrupts |= vmx_has_apicv_interrupt(vcpu); - -- if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) -+ if (!vmx->nested.nested_run_pending || -+ !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) - vmx->nested.vmcs01_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL); - if (kvm_mpx_supported() && - (!vmx->nested.nested_run_pending || --- -2.35.1 - diff --git a/queue-5.19/kvm-put-the-extra-pfn-reference-when-reusing-a-pfn-i.patch b/queue-5.19/kvm-put-the-extra-pfn-reference-when-reusing-a-pfn-i.patch deleted file mode 100644 index 4efe10017fe..00000000000 --- a/queue-5.19/kvm-put-the-extra-pfn-reference-when-reusing-a-pfn-i.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 4094f6c440d7010664567898b9271e38ef241895 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 29 Apr 2022 21:00:21 +0000 -Subject: KVM: Put the extra pfn reference when reusing a pfn in the gpc cache - -From: Sean Christopherson - -[ Upstream commit 3dddf65b4f4c451c345d34ae85bdf1791a746e49 ] - -Put the struct page reference to pfn acquired by hva_to_pfn() when the -old and new pfns for a gfn=>pfn cache match. The cache already has a -reference via the old/current pfn, and will only put one reference when -the cache is done with the pfn. - -Fixes: 982ed0de4753 ("KVM: Reinstate gfn_to_pfn_cache with invalidation support") -Cc: stable@vger.kernel.org -Signed-off-by: Sean Christopherson -Message-Id: <20220429210025.3293691-5-seanjc@google.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Sasha Levin ---- - virt/kvm/pfncache.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/virt/kvm/pfncache.c b/virt/kvm/pfncache.c -index e05a6a1b8eff..40cbe90d52e0 100644 ---- a/virt/kvm/pfncache.c -+++ b/virt/kvm/pfncache.c -@@ -206,6 +206,14 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc, - - if (gpc->usage & KVM_HOST_USES_PFN) { - if (new_pfn == old_pfn) { -+ /* -+ * Reuse the existing pfn and khva, but put the -+ * reference acquired hva_to_pfn_retry(); the -+ * cache still holds a reference to the pfn -+ * from the previous refresh. -+ */ -+ gpc_release_pfn_and_khva(kvm, new_pfn, NULL); -+ - new_khva = old_khva; - old_pfn = KVM_PFN_ERR_FAULT; - old_khva = NULL; --- -2.35.1 - diff --git a/queue-5.19/kvm-s390-pv-don-t-present-the-ecall-interrupt-twice.patch-16826 b/queue-5.19/kvm-s390-pv-don-t-present-the-ecall-interrupt-twice.patch-16826 deleted file mode 100644 index 6c91603bd68..00000000000 --- a/queue-5.19/kvm-s390-pv-don-t-present-the-ecall-interrupt-twice.patch-16826 +++ /dev/null @@ -1,107 +0,0 @@ -From 312aee67f8e93778405734e49ade001a9fad4211 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 18 Jul 2022 15:04:34 +0200 -Subject: KVM: s390: pv: don't present the ecall interrupt twice - -From: Nico Boehr - -[ Upstream commit c3f0e5fd2d33d80c5a5a8b5e5d2bab2841709cc8 ] - -When the SIGP interpretation facility is present and a VCPU sends an -ecall to another VCPU in enabled wait, the sending VCPU receives a 56 -intercept (partial execution), so KVM can wake up the receiving CPU. -Note that the SIGP interpretation facility will take care of the -interrupt delivery and KVM's only job is to wake the receiving VCPU. - -For PV, the sending VCPU will receive a 108 intercept (pv notify) and -should continue like in the non-PV case, i.e. wake the receiving VCPU. - -For PV and non-PV guests the interrupt delivery will occur through the -SIGP interpretation facility on SIE entry when SIE finds the X bit in -the status field set. - -However, in handle_pv_notification(), there was no special handling for -SIGP, which leads to interrupt injection being requested by KVM for the -next SIE entry. This results in the interrupt being delivered twice: -once by the SIGP interpretation facility and once by KVM through the -IICTL. - -Add the necessary special handling in handle_pv_notification(), similar -to handle_partial_execution(), which simply wakes the receiving VCPU and -leave interrupt delivery to the SIGP interpretation facility. - -In contrast to external calls, emergency calls are not interpreted but -also cause a 108 intercept, which is why we still need to call -handle_instruction() for SIGP orders other than ecall. - -Since kvm_s390_handle_sigp_pei() is now called for all SIGP orders which -cause a 108 intercept - even if they are actually handled by -handle_instruction() - move the tracepoint in kvm_s390_handle_sigp_pei() -to avoid possibly confusing trace messages. - -Signed-off-by: Nico Boehr -Cc: # 5.7 -Fixes: da24a0cc58ed ("KVM: s390: protvirt: Instruction emulation") -Reviewed-by: Claudio Imbrenda -Reviewed-by: Janosch Frank -Reviewed-by: Christian Borntraeger -Link: https://lore.kernel.org/r/20220718130434.73302-1-nrb@linux.ibm.com -Message-Id: <20220718130434.73302-1-nrb@linux.ibm.com> -Signed-off-by: Claudio Imbrenda -Signed-off-by: Sasha Levin ---- - arch/s390/kvm/intercept.c | 15 +++++++++++++++ - arch/s390/kvm/sigp.c | 4 ++-- - 2 files changed, 17 insertions(+), 2 deletions(-) - -diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c -index 8bd42a20d924..88112065d941 100644 ---- a/arch/s390/kvm/intercept.c -+++ b/arch/s390/kvm/intercept.c -@@ -528,12 +528,27 @@ static int handle_pv_uvc(struct kvm_vcpu *vcpu) - - static int handle_pv_notification(struct kvm_vcpu *vcpu) - { -+ int ret; -+ - if (vcpu->arch.sie_block->ipa == 0xb210) - return handle_pv_spx(vcpu); - if (vcpu->arch.sie_block->ipa == 0xb220) - return handle_pv_sclp(vcpu); - if (vcpu->arch.sie_block->ipa == 0xb9a4) - return handle_pv_uvc(vcpu); -+ if (vcpu->arch.sie_block->ipa >> 8 == 0xae) { -+ /* -+ * Besides external call, other SIGP orders also cause a -+ * 108 (pv notify) intercept. In contrast to external call, -+ * these orders need to be emulated and hence the appropriate -+ * place to handle them is in handle_instruction(). -+ * So first try kvm_s390_handle_sigp_pei() and if that isn't -+ * successful, go on with handle_instruction(). -+ */ -+ ret = kvm_s390_handle_sigp_pei(vcpu); -+ if (!ret) -+ return ret; -+ } - - return handle_instruction(vcpu); - } -diff --git a/arch/s390/kvm/sigp.c b/arch/s390/kvm/sigp.c -index 8aaee2892ec3..cb747bf6c798 100644 ---- a/arch/s390/kvm/sigp.c -+++ b/arch/s390/kvm/sigp.c -@@ -480,9 +480,9 @@ int kvm_s390_handle_sigp_pei(struct kvm_vcpu *vcpu) - struct kvm_vcpu *dest_vcpu; - u8 order_code = kvm_s390_get_base_disp_rs(vcpu, NULL); - -- trace_kvm_s390_handle_sigp_pei(vcpu, order_code, cpu_addr); -- - if (order_code == SIGP_EXTERNAL_CALL) { -+ trace_kvm_s390_handle_sigp_pei(vcpu, order_code, cpu_addr); -+ - dest_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr); - BUG_ON(dest_vcpu == NULL); - --- -2.35.1 - diff --git a/queue-5.19/kvm-set_msr_mce-permit-guests-to-ignore-single-bit-e.patch b/queue-5.19/kvm-set_msr_mce-permit-guests-to-ignore-single-bit-e.patch index 99a744c30e5..2b33efde351 100644 --- a/queue-5.19/kvm-set_msr_mce-permit-guests-to-ignore-single-bit-e.patch +++ b/queue-5.19/kvm-set_msr_mce-permit-guests-to-ignore-single-bit-e.patch @@ -43,14 +43,12 @@ Message-Id: <20220521081511.187388-1-lkujaw@member.fsf.org> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin --- - arch/x86/kvm/x86.c | 7 +++++-- + arch/x86/kvm/x86.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index e5fa335a4ea7..b2949f653564 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c -@@ -3239,10 +3239,13 @@ static int set_msr_mce(struct kvm_vcpu *vcpu, struct msr_data *msr_info) +@@ -3245,10 +3245,13 @@ static int set_msr_mce(struct kvm_vcpu * /* only 0 or all 1s can be written to IA32_MCi_CTL * some Linux kernels though clear bit 10 in bank 4 to * workaround a BIOS/GART TBL issue on AMD K8s, ignore @@ -66,6 +64,3 @@ index e5fa335a4ea7..b2949f653564 100644 return -1; /* MCi_STATUS */ --- -2.35.1 - diff --git a/queue-5.19/kvm-svm-don-t-bug-if-userspace-injects-an-interrupt-.patch b/queue-5.19/kvm-svm-don-t-bug-if-userspace-injects-an-interrupt-.patch deleted file mode 100644 index 509ec337206..00000000000 --- a/queue-5.19/kvm-svm-don-t-bug-if-userspace-injects-an-interrupt-.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 3f99761427448c41f59799a25942ebf1c92b772e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 2 May 2022 00:07:26 +0200 -Subject: KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0 - -From: Maciej S. Szmigiero - -[ Upstream commit f17c31c48e5cde9895a491d91c424eeeada3e134 ] - -Don't BUG/WARN on interrupt injection due to GIF being cleared, -since it's trivial for userspace to force the situation via -KVM_SET_VCPU_EVENTS (even if having at least a WARN there would be correct -for KVM internally generated injections). - - kernel BUG at arch/x86/kvm/svm/svm.c:3386! - invalid opcode: 0000 [#1] SMP - CPU: 15 PID: 926 Comm: smm_test Not tainted 5.17.0-rc3+ #264 - Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 - RIP: 0010:svm_inject_irq+0xab/0xb0 [kvm_amd] - Code: <0f> 0b 0f 1f 00 0f 1f 44 00 00 80 3d ac b3 01 00 00 55 48 89 f5 53 - RSP: 0018:ffffc90000b37d88 EFLAGS: 00010246 - RAX: 0000000000000000 RBX: ffff88810a234ac0 RCX: 0000000000000006 - RDX: 0000000000000000 RSI: ffffc90000b37df7 RDI: ffff88810a234ac0 - RBP: ffffc90000b37df7 R08: ffff88810a1fa410 R09: 0000000000000000 - R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 - R13: ffff888109571000 R14: ffff88810a234ac0 R15: 0000000000000000 - FS: 0000000001821380(0000) GS:ffff88846fdc0000(0000) knlGS:0000000000000000 - CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - CR2: 00007f74fc550008 CR3: 000000010a6fe000 CR4: 0000000000350ea0 - Call Trace: - - inject_pending_event+0x2f7/0x4c0 [kvm] - kvm_arch_vcpu_ioctl_run+0x791/0x17a0 [kvm] - kvm_vcpu_ioctl+0x26d/0x650 [kvm] - __x64_sys_ioctl+0x82/0xb0 - do_syscall_64+0x3b/0xc0 - entry_SYSCALL_64_after_hwframe+0x44/0xae - - -Fixes: 219b65dcf6c0 ("KVM: SVM: Improve nested interrupt injection") -Cc: stable@vger.kernel.org -Co-developed-by: Sean Christopherson -Signed-off-by: Sean Christopherson -Signed-off-by: Maciej S. Szmigiero -Message-Id: <35426af6e123cbe91ec7ce5132ce72521f02b1b5.1651440202.git.maciej.szmigiero@oracle.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Sasha Levin ---- - arch/x86/kvm/svm/svm.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c -index 44bbf25dfeb9..e9f479acf941 100644 ---- a/arch/x86/kvm/svm/svm.c -+++ b/arch/x86/kvm/svm/svm.c -@@ -3385,8 +3385,6 @@ static void svm_inject_irq(struct kvm_vcpu *vcpu) - { - struct vcpu_svm *svm = to_svm(vcpu); - -- BUG_ON(!(gif_set(svm))); -- - trace_kvm_inj_virq(vcpu->arch.interrupt.nr); - ++vcpu->stat.irq_injections; - --- -2.35.1 - diff --git a/queue-5.19/kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch b/queue-5.19/kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch deleted file mode 100644 index 5c912841c52..00000000000 --- a/queue-5.19/kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 5ef7132f5c1b5e760c2d86b0c56383dc22c9f3fc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 11 Jul 2022 23:27:48 +0000 -Subject: KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks - -From: Sean Christopherson - -[ Upstream commit ec6e4d863258d4bfb36d48d5e3ef68140234d688 ] - -Wait to mark the TSS as busy during LTR emulation until after all fault -checks for the LTR have passed. Specifically, don't mark the TSS busy if -the new TSS base is non-canonical. - -Opportunistically drop the one-off !seg_desc.PRESENT check for TR as the -only reason for the early check was to avoid marking a !PRESENT TSS as -busy, i.e. the common !PRESENT is now done before setting the busy bit. - -Fixes: e37a75a13cda ("KVM: x86: Emulator ignores LDTR/TR extended base on LLDT/LTR") -Reported-by: syzbot+760a73552f47a8cd0fd9@syzkaller.appspotmail.com -Cc: stable@vger.kernel.org -Cc: Tetsuo Handa -Cc: Hou Wenlong -Signed-off-by: Sean Christopherson -Reviewed-by: Maxim Levitsky -Link: https://lore.kernel.org/r/20220711232750.1092012-2-seanjc@google.com -Signed-off-by: Sean Christopherson -Signed-off-by: Sasha Levin ---- - arch/x86/kvm/emulate.c | 19 +++++++++---------- - 1 file changed, 9 insertions(+), 10 deletions(-) - -diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index f8382abe22ff..93a969066d5c 100644 ---- a/arch/x86/kvm/emulate.c -+++ b/arch/x86/kvm/emulate.c -@@ -1687,16 +1687,6 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, - case VCPU_SREG_TR: - if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9)) - goto exception; -- if (!seg_desc.p) { -- err_vec = NP_VECTOR; -- goto exception; -- } -- old_desc = seg_desc; -- seg_desc.type |= 2; /* busy */ -- ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc, -- sizeof(seg_desc), &ctxt->exception); -- if (ret != X86EMUL_CONTINUE) -- return ret; - break; - case VCPU_SREG_LDTR: - if (seg_desc.s || seg_desc.type != 2) -@@ -1737,6 +1727,15 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, - ((u64)base3 << 32), ctxt)) - return emulate_gp(ctxt, 0); - } -+ -+ if (seg == VCPU_SREG_TR) { -+ old_desc = seg_desc; -+ seg_desc.type |= 2; /* busy */ -+ ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc, -+ sizeof(seg_desc), &ctxt->exception); -+ if (ret != X86EMUL_CONTINUE) -+ return ret; -+ } - load: - ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg); - if (desc) --- -2.35.1 - diff --git a/queue-5.19/kvm-x86-mmu-treat-nx-as-a-valid-spte-bit-for-npt.patch-3797 b/queue-5.19/kvm-x86-mmu-treat-nx-as-a-valid-spte-bit-for-npt.patch-3797 deleted file mode 100644 index c10c87820fc..00000000000 --- a/queue-5.19/kvm-x86-mmu-treat-nx-as-a-valid-spte-bit-for-npt.patch-3797 +++ /dev/null @@ -1,70 +0,0 @@ -From 1d4354d553be3fc86438d397274ddf854202ea95 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 23 Jul 2022 01:30:29 +0000 -Subject: KVM: x86/mmu: Treat NX as a valid SPTE bit for NPT - -From: Sean Christopherson - -[ Upstream commit 6c6ab524cfae0799e55c82b2c1d61f1af0156f8d ] - -Treat the NX bit as valid when using NPT, as KVM will set the NX bit when -the NX huge page mitigation is enabled (mindblowing) and trigger the WARN -that fires on reserved SPTE bits being set. - -KVM has required NX support for SVM since commit b26a71a1a5b9 ("KVM: SVM: -Refuse to load kvm_amd if NX support is not available") for exactly this -reason, but apparently it never occurred to anyone to actually test NPT -with the mitigation enabled. - - ------------[ cut here ]------------ - spte = 0x800000018a600ee7, level = 2, rsvd bits = 0x800f0000001fe000 - WARNING: CPU: 152 PID: 15966 at arch/x86/kvm/mmu/spte.c:215 make_spte+0x327/0x340 [kvm] - Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 10.48.0 01/27/2022 - RIP: 0010:make_spte+0x327/0x340 [kvm] - Call Trace: - - tdp_mmu_map_handle_target_level+0xc3/0x230 [kvm] - kvm_tdp_mmu_map+0x343/0x3b0 [kvm] - direct_page_fault+0x1ae/0x2a0 [kvm] - kvm_tdp_page_fault+0x7d/0x90 [kvm] - kvm_mmu_page_fault+0xfb/0x2e0 [kvm] - npf_interception+0x55/0x90 [kvm_amd] - svm_invoke_exit_handler+0x31/0xf0 [kvm_amd] - svm_handle_exit+0xf6/0x1d0 [kvm_amd] - vcpu_enter_guest+0xb6d/0xee0 [kvm] - ? kvm_pmu_trigger_event+0x6d/0x230 [kvm] - vcpu_run+0x65/0x2c0 [kvm] - kvm_arch_vcpu_ioctl_run+0x355/0x610 [kvm] - kvm_vcpu_ioctl+0x551/0x610 [kvm] - __se_sys_ioctl+0x77/0xc0 - __x64_sys_ioctl+0x1d/0x20 - do_syscall_64+0x44/0xa0 - entry_SYSCALL_64_after_hwframe+0x46/0xb0 - - ---[ end trace 0000000000000000 ]--- - -Cc: stable@vger.kernel.org -Signed-off-by: Sean Christopherson -Message-Id: <20220723013029.1753623-1-seanjc@google.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Sasha Levin ---- - arch/x86/kvm/mmu/mmu.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c -index 17252f39bd7c..a1d17a826807 100644 ---- a/arch/x86/kvm/mmu/mmu.c -+++ b/arch/x86/kvm/mmu/mmu.c -@@ -4567,7 +4567,7 @@ reset_tdp_shadow_zero_bits_mask(struct kvm_mmu *context) - - if (boot_cpu_is_amd()) - __reset_rsvds_bits_mask(shadow_zero_check, reserved_hpa_bits(), -- context->root_role.level, false, -+ context->root_role.level, true, - boot_cpu_has(X86_FEATURE_GBPAGES), - false, true); - else --- -2.35.1 - diff --git a/queue-5.19/kvm-x86-set-error-code-to-segment-selector-on-lldt-l.patch b/queue-5.19/kvm-x86-set-error-code-to-segment-selector-on-lldt-l.patch deleted file mode 100644 index 93fb9e9da53..00000000000 --- a/queue-5.19/kvm-x86-set-error-code-to-segment-selector-on-lldt-l.patch +++ /dev/null @@ -1,47 +0,0 @@ -From a1cc01410606cb8a22afc4b77d94cb1df15fb3ca Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 11 Jul 2022 23:27:49 +0000 -Subject: KVM: x86: Set error code to segment selector on LLDT/LTR - non-canonical #GP - -From: Sean Christopherson - -[ Upstream commit 2626206963ace9e8bf92b6eea5ff78dd674c555c ] - -When injecting a #GP on LLDT/LTR due to a non-canonical LDT/TSS base, set -the error code to the selector. Intel SDM's says nothing about the #GP, -but AMD's APM explicitly states that both LLDT and LTR set the error code -to the selector, not zero. - -Note, a non-canonical memory operand on LLDT/LTR does generate a #GP(0), -but the KVM code in question is specific to the base from the descriptor. - -Fixes: e37a75a13cda ("KVM: x86: Emulator ignores LDTR/TR extended base on LLDT/LTR") -Cc: stable@vger.kernel.org -Signed-off-by: Sean Christopherson -Reviewed-by: Maxim Levitsky -Link: https://lore.kernel.org/r/20220711232750.1092012-3-seanjc@google.com -Signed-off-by: Sean Christopherson -Signed-off-by: Sasha Levin ---- - arch/x86/kvm/emulate.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index 93a969066d5c..aa907cec0918 100644 ---- a/arch/x86/kvm/emulate.c -+++ b/arch/x86/kvm/emulate.c -@@ -1724,8 +1724,8 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, - if (ret != X86EMUL_CONTINUE) - return ret; - if (emul_is_noncanonical_address(get_desc_base(&seg_desc) | -- ((u64)base3 << 32), ctxt)) -- return emulate_gp(ctxt, 0); -+ ((u64)base3 << 32), ctxt)) -+ return emulate_gp(ctxt, err_code); - } - - if (seg == VCPU_SREG_TR) { --- -2.35.1 - diff --git a/queue-5.19/kvm-x86-signal-gp-not-eperm-on-bad-wrmsr-mci_ctl-sta.patch b/queue-5.19/kvm-x86-signal-gp-not-eperm-on-bad-wrmsr-mci_ctl-sta.patch index 7e85a48de83..843b538edfa 100644 --- a/queue-5.19/kvm-x86-signal-gp-not-eperm-on-bad-wrmsr-mci_ctl-sta.patch +++ b/queue-5.19/kvm-x86-signal-gp-not-eperm-on-bad-wrmsr-mci_ctl-sta.patch @@ -22,14 +22,12 @@ Reviewed-by: Jim Mattson Link: https://lore.kernel.org/r/20220512222716.4112548-2-seanjc@google.com Signed-off-by: Sasha Levin --- - arch/x86/kvm/x86.c | 4 ++-- + arch/x86/kvm/x86.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index b2949f653564..68d40cb5709d 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c -@@ -3246,13 +3246,13 @@ static int set_msr_mce(struct kvm_vcpu *vcpu, struct msr_data *msr_info) +@@ -3252,13 +3252,13 @@ static int set_msr_mce(struct kvm_vcpu * */ if ((offset & 0x3) == 0 && data != 0 && (data | (1 << 10) | 1) != ~(u64)0) @@ -45,6 +43,3 @@ index b2949f653564..68d40cb5709d 100644 } vcpu->arch.mce_banks[offset] = data; --- -2.35.1 - diff --git a/queue-5.19/kvm-x86-split-kvm_is_valid_cr4-and-export-only-the-n.patch b/queue-5.19/kvm-x86-split-kvm_is_valid_cr4-and-export-only-the-n.patch deleted file mode 100644 index e9e0dd62820..00000000000 --- a/queue-5.19/kvm-x86-split-kvm_is_valid_cr4-and-export-only-the-n.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 38fd254b03ece4442185f4ea788de4316699491a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 Jun 2022 21:35:50 +0000 -Subject: KVM: x86: Split kvm_is_valid_cr4() and export only the non-vendor - bits - -From: Sean Christopherson - -[ Upstream commit c33f6f2228fe8517e38941a508e9f905f99ecba9 ] - -Split the common x86 parts of kvm_is_valid_cr4(), i.e. the reserved bits -checks, into a separate helper, __kvm_is_valid_cr4(), and export only the -inner helper to vendor code in order to prevent nested VMX from calling -back into vmx_is_valid_cr4() via kvm_is_valid_cr4(). - -On SVM, this is a nop as SVM doesn't place any additional restrictions on -CR4. - -On VMX, this is also currently a nop, but only because nested VMX is -missing checks on reserved CR4 bits for nested VM-Enter. That bug will -be fixed in a future patch, and could simply use kvm_is_valid_cr4() as-is, -but nVMX has _another_ bug where VMXON emulation doesn't enforce VMX's -restrictions on CR0/CR4. The cleanest and most intuitive way to fix the -VMXON bug is to use nested_host_cr{0,4}_valid(). If the CR4 variant -routes through kvm_is_valid_cr4(), using nested_host_cr4_valid() won't do -the right thing for the VMXON case as vmx_is_valid_cr4() enforces VMX's -restrictions if and only if the vCPU is post-VMXON. - -Cc: stable@vger.kernel.org -Signed-off-by: Sean Christopherson -Message-Id: <20220607213604.3346000-2-seanjc@google.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Sasha Levin ---- - arch/x86/kvm/svm/nested.c | 3 ++- - arch/x86/kvm/vmx/vmx.c | 4 ++-- - arch/x86/kvm/x86.c | 12 +++++++++--- - arch/x86/kvm/x86.h | 2 +- - 4 files changed, 14 insertions(+), 7 deletions(-) - -diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c -index ba7cd26f438f..1773080976ca 100644 ---- a/arch/x86/kvm/svm/nested.c -+++ b/arch/x86/kvm/svm/nested.c -@@ -320,7 +320,8 @@ static bool __nested_vmcb_check_save(struct kvm_vcpu *vcpu, - return false; - } - -- if (CC(!kvm_is_valid_cr4(vcpu, save->cr4))) -+ /* Note, SVM doesn't have any additional restrictions on CR4. */ -+ if (CC(!__kvm_is_valid_cr4(vcpu, save->cr4))) - return false; - - if (CC(!kvm_valid_efer(vcpu, save->efer))) -diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c -index be7c19374fdd..0aaea87a1459 100644 ---- a/arch/x86/kvm/vmx/vmx.c -+++ b/arch/x86/kvm/vmx/vmx.c -@@ -3230,8 +3230,8 @@ static bool vmx_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) - { - /* - * We operate under the default treatment of SMM, so VMX cannot be -- * enabled under SMM. Note, whether or not VMXE is allowed at all is -- * handled by kvm_is_valid_cr4(). -+ * enabled under SMM. Note, whether or not VMXE is allowed at all, -+ * i.e. is a reserved bit, is handled by common x86 code. - */ - if ((cr4 & X86_CR4_VMXE) && is_smm(vcpu)) - return false; -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 68d40cb5709d..9eac0528d584 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -1094,7 +1094,7 @@ int kvm_emulate_xsetbv(struct kvm_vcpu *vcpu) - } - EXPORT_SYMBOL_GPL(kvm_emulate_xsetbv); - --bool kvm_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) -+bool __kvm_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) - { - if (cr4 & cr4_reserved_bits) - return false; -@@ -1102,9 +1102,15 @@ bool kvm_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) - if (cr4 & vcpu->arch.cr4_guest_rsvd_bits) - return false; - -- return static_call(kvm_x86_is_valid_cr4)(vcpu, cr4); -+ return true; -+} -+EXPORT_SYMBOL_GPL(__kvm_is_valid_cr4); -+ -+static bool kvm_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) -+{ -+ return __kvm_is_valid_cr4(vcpu, cr4) && -+ static_call(kvm_x86_is_valid_cr4)(vcpu, cr4); - } --EXPORT_SYMBOL_GPL(kvm_is_valid_cr4); - - void kvm_post_set_cr4(struct kvm_vcpu *vcpu, unsigned long old_cr4, unsigned long cr4) - { -diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h -index 588792f00334..80417761fe4a 100644 ---- a/arch/x86/kvm/x86.h -+++ b/arch/x86/kvm/x86.h -@@ -407,7 +407,7 @@ static inline void kvm_machine_check(void) - void kvm_load_guest_xsave_state(struct kvm_vcpu *vcpu); - void kvm_load_host_xsave_state(struct kvm_vcpu *vcpu); - int kvm_spec_ctrl_test_value(u64 value); --bool kvm_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4); -+bool __kvm_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4); - int kvm_handle_memory_failure(struct kvm_vcpu *vcpu, int r, - struct x86_exception *e); - int kvm_handle_invpcid(struct kvm_vcpu *vcpu, unsigned long type, gva_t gva); --- -2.35.1 - diff --git a/queue-5.19/mbcache-add-functions-to-delete-entry-if-unused.patch-21045 b/queue-5.19/mbcache-add-functions-to-delete-entry-if-unused.patch-21045 deleted file mode 100644 index 9205bdc3b5d..00000000000 --- a/queue-5.19/mbcache-add-functions-to-delete-entry-if-unused.patch-21045 +++ /dev/null @@ -1,155 +0,0 @@ -From 5e473ef1c39d9c7a4982900926db3650f9bb71cc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 12 Jul 2022 12:54:21 +0200 -Subject: mbcache: add functions to delete entry if unused - -From: Jan Kara - -[ Upstream commit 3dc96bba65f53daa217f0a8f43edad145286a8f5 ] - -Add function mb_cache_entry_delete_or_get() to delete mbcache entry if -it is unused and also add a function to wait for entry to become unused -- mb_cache_entry_wait_unused(). We do not share code between the two -deleting function as one of them will go away soon. - -CC: stable@vger.kernel.org -Fixes: 82939d7999df ("ext4: convert to mbcache2") -Signed-off-by: Jan Kara -Link: https://lore.kernel.org/r/20220712105436.32204-2-jack@suse.cz -Signed-off-by: Theodore Ts'o -Signed-off-by: Sasha Levin ---- - fs/mbcache.c | 66 +++++++++++++++++++++++++++++++++++++++-- - include/linux/mbcache.h | 10 ++++++- - 2 files changed, 73 insertions(+), 3 deletions(-) - -diff --git a/fs/mbcache.c b/fs/mbcache.c -index cfc28129fb6f..2010bc80a3f2 100644 ---- a/fs/mbcache.c -+++ b/fs/mbcache.c -@@ -11,7 +11,7 @@ - /* - * Mbcache is a simple key-value store. Keys need not be unique, however - * key-value pairs are expected to be unique (we use this fact in -- * mb_cache_entry_delete()). -+ * mb_cache_entry_delete_or_get()). - * - * Ext2 and ext4 use this cache for deduplication of extended attribute blocks. - * Ext4 also uses it for deduplication of xattr values stored in inodes. -@@ -125,6 +125,19 @@ void __mb_cache_entry_free(struct mb_cache_entry *entry) - } - EXPORT_SYMBOL(__mb_cache_entry_free); - -+/* -+ * mb_cache_entry_wait_unused - wait to be the last user of the entry -+ * -+ * @entry - entry to work on -+ * -+ * Wait to be the last user of the entry. -+ */ -+void mb_cache_entry_wait_unused(struct mb_cache_entry *entry) -+{ -+ wait_var_event(&entry->e_refcnt, atomic_read(&entry->e_refcnt) <= 3); -+} -+EXPORT_SYMBOL(mb_cache_entry_wait_unused); -+ - static struct mb_cache_entry *__entry_find(struct mb_cache *cache, - struct mb_cache_entry *entry, - u32 key) -@@ -217,7 +230,7 @@ struct mb_cache_entry *mb_cache_entry_get(struct mb_cache *cache, u32 key, - } - EXPORT_SYMBOL(mb_cache_entry_get); - --/* mb_cache_entry_delete - remove a cache entry -+/* mb_cache_entry_delete - try to remove a cache entry - * @cache - cache we work with - * @key - key - * @value - value -@@ -254,6 +267,55 @@ void mb_cache_entry_delete(struct mb_cache *cache, u32 key, u64 value) - } - EXPORT_SYMBOL(mb_cache_entry_delete); - -+/* mb_cache_entry_delete_or_get - remove a cache entry if it has no users -+ * @cache - cache we work with -+ * @key - key -+ * @value - value -+ * -+ * Remove entry from cache @cache with key @key and value @value. The removal -+ * happens only if the entry is unused. The function returns NULL in case the -+ * entry was successfully removed or there's no entry in cache. Otherwise the -+ * function grabs reference of the entry that we failed to delete because it -+ * still has users and return it. -+ */ -+struct mb_cache_entry *mb_cache_entry_delete_or_get(struct mb_cache *cache, -+ u32 key, u64 value) -+{ -+ struct hlist_bl_node *node; -+ struct hlist_bl_head *head; -+ struct mb_cache_entry *entry; -+ -+ head = mb_cache_entry_head(cache, key); -+ hlist_bl_lock(head); -+ hlist_bl_for_each_entry(entry, node, head, e_hash_list) { -+ if (entry->e_key == key && entry->e_value == value) { -+ if (atomic_read(&entry->e_refcnt) > 2) { -+ atomic_inc(&entry->e_refcnt); -+ hlist_bl_unlock(head); -+ return entry; -+ } -+ /* We keep hash list reference to keep entry alive */ -+ hlist_bl_del_init(&entry->e_hash_list); -+ hlist_bl_unlock(head); -+ spin_lock(&cache->c_list_lock); -+ if (!list_empty(&entry->e_list)) { -+ list_del_init(&entry->e_list); -+ if (!WARN_ONCE(cache->c_entry_count == 0, -+ "mbcache: attempt to decrement c_entry_count past zero")) -+ cache->c_entry_count--; -+ atomic_dec(&entry->e_refcnt); -+ } -+ spin_unlock(&cache->c_list_lock); -+ mb_cache_entry_put(cache, entry); -+ return NULL; -+ } -+ } -+ hlist_bl_unlock(head); -+ -+ return NULL; -+} -+EXPORT_SYMBOL(mb_cache_entry_delete_or_get); -+ - /* mb_cache_entry_touch - cache entry got used - * @cache - cache the entry belongs to - * @entry - entry that got used -diff --git a/include/linux/mbcache.h b/include/linux/mbcache.h -index 20f1e3ff6013..8eca7f25c432 100644 ---- a/include/linux/mbcache.h -+++ b/include/linux/mbcache.h -@@ -30,15 +30,23 @@ void mb_cache_destroy(struct mb_cache *cache); - int mb_cache_entry_create(struct mb_cache *cache, gfp_t mask, u32 key, - u64 value, bool reusable); - void __mb_cache_entry_free(struct mb_cache_entry *entry); -+void mb_cache_entry_wait_unused(struct mb_cache_entry *entry); - static inline int mb_cache_entry_put(struct mb_cache *cache, - struct mb_cache_entry *entry) - { -- if (!atomic_dec_and_test(&entry->e_refcnt)) -+ unsigned int cnt = atomic_dec_return(&entry->e_refcnt); -+ -+ if (cnt > 0) { -+ if (cnt <= 3) -+ wake_up_var(&entry->e_refcnt); - return 0; -+ } - __mb_cache_entry_free(entry); - return 1; - } - -+struct mb_cache_entry *mb_cache_entry_delete_or_get(struct mb_cache *cache, -+ u32 key, u64 value); - void mb_cache_entry_delete(struct mb_cache *cache, u32 key, u64 value); - struct mb_cache_entry *mb_cache_entry_get(struct mb_cache *cache, u32 key, - u64 value); --- -2.35.1 - diff --git a/queue-5.19/mbcache-don-t-reclaim-used-entries.patch-21676 b/queue-5.19/mbcache-don-t-reclaim-used-entries.patch-21676 deleted file mode 100644 index 55cb781acec..00000000000 --- a/queue-5.19/mbcache-don-t-reclaim-used-entries.patch-21676 +++ /dev/null @@ -1,55 +0,0 @@ -From 7bd38da9abe3f76a78a3a3a79043c0c887d99af3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 12 Jul 2022 12:54:20 +0200 -Subject: mbcache: don't reclaim used entries - -From: Jan Kara - -[ Upstream commit 58318914186c157477b978b1739dfe2f1b9dc0fe ] - -Do not reclaim entries that are currently used by somebody from a -shrinker. Firstly, these entries are likely useful. Secondly, we will -need to keep such entries to protect pending increment of xattr block -refcount. - -CC: stable@vger.kernel.org -Fixes: 82939d7999df ("ext4: convert to mbcache2") -Signed-off-by: Jan Kara -Link: https://lore.kernel.org/r/20220712105436.32204-1-jack@suse.cz -Signed-off-by: Theodore Ts'o -Signed-off-by: Sasha Levin ---- - fs/mbcache.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/fs/mbcache.c b/fs/mbcache.c -index 97c54d3a2227..cfc28129fb6f 100644 ---- a/fs/mbcache.c -+++ b/fs/mbcache.c -@@ -288,7 +288,7 @@ static unsigned long mb_cache_shrink(struct mb_cache *cache, - while (nr_to_scan-- && !list_empty(&cache->c_list)) { - entry = list_first_entry(&cache->c_list, - struct mb_cache_entry, e_list); -- if (entry->e_referenced) { -+ if (entry->e_referenced || atomic_read(&entry->e_refcnt) > 2) { - entry->e_referenced = 0; - list_move_tail(&entry->e_list, &cache->c_list); - continue; -@@ -302,6 +302,14 @@ static unsigned long mb_cache_shrink(struct mb_cache *cache, - spin_unlock(&cache->c_list_lock); - head = mb_cache_entry_head(cache, entry->e_key); - hlist_bl_lock(head); -+ /* Now a reliable check if the entry didn't get used... */ -+ if (atomic_read(&entry->e_refcnt) > 2) { -+ hlist_bl_unlock(head); -+ spin_lock(&cache->c_list_lock); -+ list_add_tail(&entry->e_list, &cache->c_list); -+ cache->c_entry_count++; -+ continue; -+ } - if (!hlist_bl_unhashed(&entry->e_hash_list)) { - hlist_bl_del_init(&entry->e_hash_list); - atomic_dec(&entry->e_refcnt); --- -2.35.1 - diff --git a/queue-5.19/md-raid-destroy-the-bitmap-after-destroying-the-thre.patch b/queue-5.19/md-raid-destroy-the-bitmap-after-destroying-the-thre.patch deleted file mode 100644 index 928143ae0b1..00000000000 --- a/queue-5.19/md-raid-destroy-the-bitmap-after-destroying-the-thre.patch +++ /dev/null @@ -1,134 +0,0 @@ -From bbbaa00ff25f7981f951b2a3b98b902494102db6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 24 Jul 2022 14:26:12 -0400 -Subject: md-raid: destroy the bitmap after destroying the thread - -From: Mikulas Patocka - -[ Upstream commit e151db8ecfb019b7da31d076130a794574c89f6f ] - -When we ran the lvm test "shell/integrity-blocksize-3.sh" on a kernel with -kasan, we got failure in write_page. - -The reason for the failure is that md_bitmap_destroy is called before -destroying the thread and the thread may be waiting in the function -write_page for the bio to complete. When the thread finishes waiting, it -executes "if (test_bit(BITMAP_WRITE_ERROR, &bitmap->flags))", which -triggers the kasan warning. - -Note that the commit 48df498daf62 that caused this bug claims that it is -neede for md-cluster, you should check md-cluster and possibly find -another bugfix for it. - -BUG: KASAN: use-after-free in write_page+0x18d/0x680 [md_mod] -Read of size 8 at addr ffff889162030c78 by task mdX_raid1/5539 - -CPU: 10 PID: 5539 Comm: mdX_raid1 Not tainted 5.19.0-rc2 #1 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 -Call Trace: - - dump_stack_lvl+0x34/0x44 - print_report.cold+0x45/0x57a - ? __lock_text_start+0x18/0x18 - ? write_page+0x18d/0x680 [md_mod] - kasan_report+0xa8/0xe0 - ? write_page+0x18d/0x680 [md_mod] - kasan_check_range+0x13f/0x180 - write_page+0x18d/0x680 [md_mod] - ? super_sync+0x4d5/0x560 [dm_raid] - ? md_bitmap_file_kick+0xa0/0xa0 [md_mod] - ? rs_set_dev_and_array_sectors+0x2e0/0x2e0 [dm_raid] - ? mutex_trylock+0x120/0x120 - ? preempt_count_add+0x6b/0xc0 - ? preempt_count_sub+0xf/0xc0 - md_update_sb+0x707/0xe40 [md_mod] - md_reap_sync_thread+0x1b2/0x4a0 [md_mod] - md_check_recovery+0x533/0x960 [md_mod] - raid1d+0xc8/0x2a20 [raid1] - ? var_wake_function+0xe0/0xe0 - ? psi_group_change+0x411/0x500 - ? preempt_count_sub+0xf/0xc0 - ? _raw_spin_lock_irqsave+0x78/0xc0 - ? __lock_text_start+0x18/0x18 - ? raid1_end_read_request+0x2a0/0x2a0 [raid1] - ? preempt_count_sub+0xf/0xc0 - ? _raw_spin_unlock_irqrestore+0x19/0x40 - ? del_timer_sync+0xa9/0x100 - ? try_to_del_timer_sync+0xc0/0xc0 - ? _raw_spin_lock_irqsave+0x78/0xc0 - ? __lock_text_start+0x18/0x18 - ? __list_del_entry_valid+0x68/0xa0 - ? finish_wait+0xa3/0x100 - md_thread+0x161/0x260 [md_mod] - ? unregister_md_personality+0xa0/0xa0 [md_mod] - ? _raw_spin_lock_irqsave+0x78/0xc0 - ? prepare_to_wait_event+0x2c0/0x2c0 - ? unregister_md_personality+0xa0/0xa0 [md_mod] - kthread+0x148/0x180 - ? kthread_complete_and_exit+0x20/0x20 - ret_from_fork+0x1f/0x30 - - -Allocated by task 5522: - kasan_save_stack+0x1e/0x40 - __kasan_kmalloc+0x80/0xa0 - md_bitmap_create+0xa8/0xe80 [md_mod] - md_run+0x777/0x1300 [md_mod] - raid_ctr+0x249c/0x4a30 [dm_raid] - dm_table_add_target+0x2b0/0x620 [dm_mod] - table_load+0x1c8/0x400 [dm_mod] - ctl_ioctl+0x29e/0x560 [dm_mod] - dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] - __do_compat_sys_ioctl+0xfa/0x160 - do_syscall_64+0x90/0xc0 - entry_SYSCALL_64_after_hwframe+0x46/0xb0 - -Freed by task 5680: - kasan_save_stack+0x1e/0x40 - kasan_set_track+0x21/0x40 - kasan_set_free_info+0x20/0x40 - __kasan_slab_free+0xf7/0x140 - kfree+0x80/0x240 - md_bitmap_free+0x1c3/0x280 [md_mod] - __md_stop+0x21/0x120 [md_mod] - md_stop+0x9/0x40 [md_mod] - raid_dtr+0x1b/0x40 [dm_raid] - dm_table_destroy+0x98/0x1e0 [dm_mod] - __dm_destroy+0x199/0x360 [dm_mod] - dev_remove+0x10c/0x160 [dm_mod] - ctl_ioctl+0x29e/0x560 [dm_mod] - dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] - __do_compat_sys_ioctl+0xfa/0x160 - do_syscall_64+0x90/0xc0 - entry_SYSCALL_64_after_hwframe+0x46/0xb0 - -Signed-off-by: Mikulas Patocka -Cc: stable@vger.kernel.org -Fixes: 48df498daf62 ("md: move bitmap_destroy to the beginning of __md_stop") -Signed-off-by: Song Liu -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin ---- - drivers/md/md.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/md/md.c b/drivers/md/md.c -index c7ecb0bffda0..660c52d48256 100644 ---- a/drivers/md/md.c -+++ b/drivers/md/md.c -@@ -6244,11 +6244,11 @@ static void mddev_detach(struct mddev *mddev) - static void __md_stop(struct mddev *mddev) - { - struct md_personality *pers = mddev->pers; -- md_bitmap_destroy(mddev); - mddev_detach(mddev); - /* Ensure ->event_work is done */ - if (mddev->event_work.func) - flush_workqueue(md_misc_wq); -+ md_bitmap_destroy(mddev); - spin_lock(&mddev->lock); - mddev->pers = NULL; - spin_unlock(&mddev->lock); --- -2.35.1 - diff --git a/queue-5.19/md-raid10-fix-kasan-warning.patch-1758 b/queue-5.19/md-raid10-fix-kasan-warning.patch-1758 deleted file mode 100644 index 0cd6af51c71..00000000000 --- a/queue-5.19/md-raid10-fix-kasan-warning.patch-1758 +++ /dev/null @@ -1,153 +0,0 @@ -From 24f0e8306bf150abac23c3c24598c1bedb55fe12 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 26 Jul 2022 04:33:12 -0400 -Subject: md-raid10: fix KASAN warning - -From: Mikulas Patocka - -[ Upstream commit d17f744e883b2f8d13cca252d71cfe8ace346f7d ] - -There's a KASAN warning in raid10_remove_disk when running the lvm -test lvconvert-raid-reshape.sh. We fix this warning by verifying that the -value "number" is valid. - -BUG: KASAN: slab-out-of-bounds in raid10_remove_disk+0x61/0x2a0 [raid10] -Read of size 8 at addr ffff889108f3d300 by task mdX_raid10/124682 - -CPU: 3 PID: 124682 Comm: mdX_raid10 Not tainted 5.19.0-rc6 #1 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 -Call Trace: - - dump_stack_lvl+0x34/0x44 - print_report.cold+0x45/0x57a - ? __lock_text_start+0x18/0x18 - ? raid10_remove_disk+0x61/0x2a0 [raid10] - kasan_report+0xa8/0xe0 - ? raid10_remove_disk+0x61/0x2a0 [raid10] - raid10_remove_disk+0x61/0x2a0 [raid10] -Buffer I/O error on dev dm-76, logical block 15344, async page read - ? __mutex_unlock_slowpath.constprop.0+0x1e0/0x1e0 - remove_and_add_spares+0x367/0x8a0 [md_mod] - ? super_written+0x1c0/0x1c0 [md_mod] - ? mutex_trylock+0xac/0x120 - ? _raw_spin_lock+0x72/0xc0 - ? _raw_spin_lock_bh+0xc0/0xc0 - md_check_recovery+0x848/0x960 [md_mod] - raid10d+0xcf/0x3360 [raid10] - ? sched_clock_cpu+0x185/0x1a0 - ? rb_erase+0x4d4/0x620 - ? var_wake_function+0xe0/0xe0 - ? psi_group_change+0x411/0x500 - ? preempt_count_sub+0xf/0xc0 - ? _raw_spin_lock_irqsave+0x78/0xc0 - ? __lock_text_start+0x18/0x18 - ? raid10_sync_request+0x36c0/0x36c0 [raid10] - ? preempt_count_sub+0xf/0xc0 - ? _raw_spin_unlock_irqrestore+0x19/0x40 - ? del_timer_sync+0xa9/0x100 - ? try_to_del_timer_sync+0xc0/0xc0 - ? _raw_spin_lock_irqsave+0x78/0xc0 - ? __lock_text_start+0x18/0x18 - ? _raw_spin_unlock_irq+0x11/0x24 - ? __list_del_entry_valid+0x68/0xa0 - ? finish_wait+0xa3/0x100 - md_thread+0x161/0x260 [md_mod] - ? unregister_md_personality+0xa0/0xa0 [md_mod] - ? _raw_spin_lock_irqsave+0x78/0xc0 - ? prepare_to_wait_event+0x2c0/0x2c0 - ? unregister_md_personality+0xa0/0xa0 [md_mod] - kthread+0x148/0x180 - ? kthread_complete_and_exit+0x20/0x20 - ret_from_fork+0x1f/0x30 - - -Allocated by task 124495: - kasan_save_stack+0x1e/0x40 - __kasan_kmalloc+0x80/0xa0 - setup_conf+0x140/0x5c0 [raid10] - raid10_run+0x4cd/0x740 [raid10] - md_run+0x6f9/0x1300 [md_mod] - raid_ctr+0x2531/0x4ac0 [dm_raid] - dm_table_add_target+0x2b0/0x620 [dm_mod] - table_load+0x1c8/0x400 [dm_mod] - ctl_ioctl+0x29e/0x560 [dm_mod] - dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] - __do_compat_sys_ioctl+0xfa/0x160 - do_syscall_64+0x90/0xc0 - entry_SYSCALL_64_after_hwframe+0x46/0xb0 - -Last potentially related work creation: - kasan_save_stack+0x1e/0x40 - __kasan_record_aux_stack+0x9e/0xc0 - kvfree_call_rcu+0x84/0x480 - timerfd_release+0x82/0x140 -L __fput+0xfa/0x400 - task_work_run+0x80/0xc0 - exit_to_user_mode_prepare+0x155/0x160 - syscall_exit_to_user_mode+0x12/0x40 - do_syscall_64+0x42/0xc0 - entry_SYSCALL_64_after_hwframe+0x46/0xb0 - -Second to last potentially related work creation: - kasan_save_stack+0x1e/0x40 - __kasan_record_aux_stack+0x9e/0xc0 - kvfree_call_rcu+0x84/0x480 - timerfd_release+0x82/0x140 - __fput+0xfa/0x400 - task_work_run+0x80/0xc0 - exit_to_user_mode_prepare+0x155/0x160 - syscall_exit_to_user_mode+0x12/0x40 - do_syscall_64+0x42/0xc0 - entry_SYSCALL_64_after_hwframe+0x46/0xb0 - -The buggy address belongs to the object at ffff889108f3d200 - which belongs to the cache kmalloc-256 of size 256 -The buggy address is located 0 bytes to the right of - 256-byte region [ffff889108f3d200, ffff889108f3d300) - -The buggy address belongs to the physical page: -page:000000007ef2a34c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1108f3c -head:000000007ef2a34c order:2 compound_mapcount:0 compound_pincount:0 -flags: 0x4000000000010200(slab|head|zone=2) -raw: 4000000000010200 0000000000000000 dead000000000001 ffff889100042b40 -raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 -page dumped because: kasan: bad access detected - -Memory state around the buggy address: - ffff889108f3d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ffff889108f3d280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ->ffff889108f3d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc - ^ - ffff889108f3d380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc - ffff889108f3d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - -Signed-off-by: Mikulas Patocka -Cc: stable@vger.kernel.org -Signed-off-by: Song Liu -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin ---- - drivers/md/raid10.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index d589f823feb1..f1908fe61677 100644 ---- a/drivers/md/raid10.c -+++ b/drivers/md/raid10.c -@@ -2167,9 +2167,12 @@ static int raid10_remove_disk(struct mddev *mddev, struct md_rdev *rdev) - int err = 0; - int number = rdev->raid_disk; - struct md_rdev **rdevp; -- struct raid10_info *p = conf->mirrors + number; -+ struct raid10_info *p; - - print_conf(conf); -+ if (unlikely(number >= mddev->raid_disks)) -+ return 0; -+ p = conf->mirrors + number; - if (rdev == p->rdev) - rdevp = &p->rdev; - else if (rdev == p->replacement) --- -2.35.1 - diff --git a/queue-5.19/media-isl7998x-select-v4l2_fwnode-to-fix-build-error.patch-24025 b/queue-5.19/media-isl7998x-select-v4l2_fwnode-to-fix-build-error.patch-24025 deleted file mode 100644 index cf4e5eb36ea..00000000000 --- a/queue-5.19/media-isl7998x-select-v4l2_fwnode-to-fix-build-error.patch-24025 +++ /dev/null @@ -1,44 +0,0 @@ -From f2eeacd8cefb521e349a7d6c49d07c065dc84beb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 30 Mar 2022 02:56:52 +0100 -Subject: media: isl7998x: select V4L2_FWNODE to fix build error - -From: Randy Dunlap - -[ Upstream commit 81e005842d0b8167c059553a1c29c36d8a7a9329 ] - -Fix build error when VIDEO_ISL7998X=y and V4L2_FWNODE=m -by selecting V4L2_FWNODE. - -microblaze-linux-ld: drivers/media/i2c/isl7998x.o: in function `isl7998x_probe': -(.text+0x8f4): undefined reference to `v4l2_fwnode_endpoint_parse' - -Cc: stable@vger.kernel.org # 5.18 and above -Fixes: 51ef2be546e2 ("media: i2c: isl7998x: Add driver for Intersil ISL7998x") -Signed-off-by: Randy Dunlap -Reported-by: kernel test robot -Cc: Marek Vasut -Cc: Pengutronix Kernel Team -Reviewed-by: Michael Tretter -Signed-off-by: Sakari Ailus -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - drivers/media/i2c/Kconfig | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/media/i2c/Kconfig b/drivers/media/i2c/Kconfig -index 2b20aa6c37b1..c926e5d43820 100644 ---- a/drivers/media/i2c/Kconfig -+++ b/drivers/media/i2c/Kconfig -@@ -1178,6 +1178,7 @@ config VIDEO_ISL7998X - depends on OF_GPIO - select MEDIA_CONTROLLER - select VIDEO_V4L2_SUBDEV_API -+ select V4L2_FWNODE - help - Support for Intersil ISL7998x analog to MIPI-CSI2 or - BT.656 decoder. --- -2.35.1 - diff --git a/queue-5.19/media-patch-pci-atomisp_cmd-fix-three-missing-checks.patch b/queue-5.19/media-patch-pci-atomisp_cmd-fix-three-missing-checks.patch deleted file mode 100644 index f329fc30e85..00000000000 --- a/queue-5.19/media-patch-pci-atomisp_cmd-fix-three-missing-checks.patch +++ /dev/null @@ -1,148 +0,0 @@ -From ad019b312a26390838e88bff7ec653e493796d75 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 14 Apr 2022 05:14:15 +0100 -Subject: media: [PATCH] pci: atomisp_cmd: fix three missing checks on list - iterator - -From: Xiaomeng Tong - -[ Upstream commit 09b204eb9de9fdf07d028c41c4331b5cfeb70dd7 ] - -The three bugs are here: - __func__, s3a_buf->s3a_data->exp_id); - __func__, md_buf->metadata->exp_id); - __func__, dis_buf->dis_data->exp_id); - -The list iterator 's3a_buf/md_buf/dis_buf' will point to a bogus -position containing HEAD if the list is empty or no element is found. -This case must be checked before any use of the iterator, otherwise -it will lead to a invalid memory access. - -To fix this bug, add an check. Use a new variable '*_iter' as the -list iterator, while use the old variable '*_buf' as a dedicated -pointer to point to the found element. - -Link: https://lore.kernel.org/linux-media/20220414041415.3342-1-xiam0nd.tong@gmail.com -Cc: stable@vger.kernel.org -Fixes: ad85094b293e4 ("Revert "media: staging: atomisp: Remove driver"") -Signed-off-by: Xiaomeng Tong -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - .../staging/media/atomisp/pci/atomisp_cmd.c | 57 ++++++++++++------- - 1 file changed, 36 insertions(+), 21 deletions(-) - -diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c -index 97d5a528969b..0da0b69a4637 100644 ---- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c -+++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c -@@ -901,9 +901,9 @@ void atomisp_buf_done(struct atomisp_sub_device *asd, int error, - int err; - unsigned long irqflags; - struct ia_css_frame *frame = NULL; -- struct atomisp_s3a_buf *s3a_buf = NULL, *_s3a_buf_tmp; -- struct atomisp_dis_buf *dis_buf = NULL, *_dis_buf_tmp; -- struct atomisp_metadata_buf *md_buf = NULL, *_md_buf_tmp; -+ struct atomisp_s3a_buf *s3a_buf = NULL, *_s3a_buf_tmp, *s3a_iter; -+ struct atomisp_dis_buf *dis_buf = NULL, *_dis_buf_tmp, *dis_iter; -+ struct atomisp_metadata_buf *md_buf = NULL, *_md_buf_tmp, *md_iter; - enum atomisp_metadata_type md_type; - struct atomisp_device *isp = asd->isp; - struct v4l2_control ctrl; -@@ -942,60 +942,75 @@ void atomisp_buf_done(struct atomisp_sub_device *asd, int error, - - switch (buf_type) { - case IA_CSS_BUFFER_TYPE_3A_STATISTICS: -- list_for_each_entry_safe(s3a_buf, _s3a_buf_tmp, -+ list_for_each_entry_safe(s3a_iter, _s3a_buf_tmp, - &asd->s3a_stats_in_css, list) { -- if (s3a_buf->s3a_data == -+ if (s3a_iter->s3a_data == - buffer.css_buffer.data.stats_3a) { -- list_del_init(&s3a_buf->list); -- list_add_tail(&s3a_buf->list, -+ list_del_init(&s3a_iter->list); -+ list_add_tail(&s3a_iter->list, - &asd->s3a_stats_ready); -+ s3a_buf = s3a_iter; - break; - } - } - - asd->s3a_bufs_in_css[css_pipe_id]--; - atomisp_3a_stats_ready_event(asd, buffer.css_buffer.exp_id); -- dev_dbg(isp->dev, "%s: s3a stat with exp_id %d is ready\n", -- __func__, s3a_buf->s3a_data->exp_id); -+ if (s3a_buf) -+ dev_dbg(isp->dev, "%s: s3a stat with exp_id %d is ready\n", -+ __func__, s3a_buf->s3a_data->exp_id); -+ else -+ dev_dbg(isp->dev, "%s: s3a stat is ready with no exp_id found\n", -+ __func__); - break; - case IA_CSS_BUFFER_TYPE_METADATA: - if (error) - break; - - md_type = atomisp_get_metadata_type(asd, css_pipe_id); -- list_for_each_entry_safe(md_buf, _md_buf_tmp, -+ list_for_each_entry_safe(md_iter, _md_buf_tmp, - &asd->metadata_in_css[md_type], list) { -- if (md_buf->metadata == -+ if (md_iter->metadata == - buffer.css_buffer.data.metadata) { -- list_del_init(&md_buf->list); -- list_add_tail(&md_buf->list, -+ list_del_init(&md_iter->list); -+ list_add_tail(&md_iter->list, - &asd->metadata_ready[md_type]); -+ md_buf = md_iter; - break; - } - } - asd->metadata_bufs_in_css[stream_id][css_pipe_id]--; - atomisp_metadata_ready_event(asd, md_type); -- dev_dbg(isp->dev, "%s: metadata with exp_id %d is ready\n", -- __func__, md_buf->metadata->exp_id); -+ if (md_buf) -+ dev_dbg(isp->dev, "%s: metadata with exp_id %d is ready\n", -+ __func__, md_buf->metadata->exp_id); -+ else -+ dev_dbg(isp->dev, "%s: metadata is ready with no exp_id found\n", -+ __func__); - break; - case IA_CSS_BUFFER_TYPE_DIS_STATISTICS: -- list_for_each_entry_safe(dis_buf, _dis_buf_tmp, -+ list_for_each_entry_safe(dis_iter, _dis_buf_tmp, - &asd->dis_stats_in_css, list) { -- if (dis_buf->dis_data == -+ if (dis_iter->dis_data == - buffer.css_buffer.data.stats_dvs) { - spin_lock_irqsave(&asd->dis_stats_lock, - irqflags); -- list_del_init(&dis_buf->list); -- list_add(&dis_buf->list, &asd->dis_stats); -+ list_del_init(&dis_iter->list); -+ list_add(&dis_iter->list, &asd->dis_stats); - asd->params.dis_proj_data_valid = true; - spin_unlock_irqrestore(&asd->dis_stats_lock, - irqflags); -+ dis_buf = dis_iter; - break; - } - } - asd->dis_bufs_in_css--; -- dev_dbg(isp->dev, "%s: dis stat with exp_id %d is ready\n", -- __func__, dis_buf->dis_data->exp_id); -+ if (dis_buf) -+ dev_dbg(isp->dev, "%s: dis stat with exp_id %d is ready\n", -+ __func__, dis_buf->dis_data->exp_id); -+ else -+ dev_dbg(isp->dev, "%s: dis stat is ready with no exp_id found\n", -+ __func__); - break; - case IA_CSS_BUFFER_TYPE_VF_OUTPUT_FRAME: - case IA_CSS_BUFFER_TYPE_SEC_VF_OUTPUT_FRAME: --- -2.35.1 - diff --git a/queue-5.19/mips-cpuinfo-fix-a-warning-for-config_cpumask_offsta.patch b/queue-5.19/mips-cpuinfo-fix-a-warning-for-config_cpumask_offsta.patch deleted file mode 100644 index 1da20ec53ae..00000000000 --- a/queue-5.19/mips-cpuinfo-fix-a-warning-for-config_cpumask_offsta.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 4ec7e9e909329887c2c397938d5deccbe1f97c21 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 14 Jul 2022 16:41:34 +0800 -Subject: MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK - -From: Huacai Chen - -[ Upstream commit e1a534f5d074db45ae5cbac41d8912b98e96a006 ] - -When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS is selected, -cpu_max_bits_warn() generates a runtime warning similar as below while -we show /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit) -instead of NR_CPUS to iterate CPUs. - -[ 3.052463] ------------[ cut here ]------------ -[ 3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0 -[ 3.070072] Modules linked in: efivarfs autofs4 -[ 3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052 -[ 3.084034] Hardware name: Loongson Loongson-3A4000-7A1000-1w-V0.1-CRB/Loongson-LS3A4000-7A1000-1w-EVB-V1.21, BIOS Loongson-UDK2018-V2.0.04082-beta7 04/27 -[ 3.099465] Stack : 9000000100157b08 9000000000f18530 9000000000cf846c 9000000100154000 -[ 3.109127] 9000000100157a50 0000000000000000 9000000100157a58 9000000000ef7430 -[ 3.118774] 90000001001578e8 0000000000000040 0000000000000020 ffffffffffffffff -[ 3.128412] 0000000000aaaaaa 1ab25f00eec96a37 900000010021de80 900000000101c890 -[ 3.138056] 0000000000000000 0000000000000000 0000000000000000 0000000000aaaaaa -[ 3.147711] ffff8000339dc220 0000000000000001 0000000006ab4000 0000000000000000 -[ 3.157364] 900000000101c998 0000000000000004 9000000000ef7430 0000000000000000 -[ 3.167012] 0000000000000009 000000000000006c 0000000000000000 0000000000000000 -[ 3.176641] 9000000000d3de08 9000000001639390 90000000002086d8 00007ffff0080286 -[ 3.186260] 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c -[ 3.195868] ... -[ 3.199917] Call Trace: -[ 3.203941] [<98000000002086d8>] show_stack+0x38/0x14c -[ 3.210666] [<9800000000cf846c>] dump_stack_lvl+0x60/0x88 -[ 3.217625] [<980000000023d268>] __warn+0xd0/0x100 -[ 3.223958] [<9800000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc -[ 3.231150] [<9800000000210220>] show_cpuinfo+0x5e8/0x5f0 -[ 3.238080] [<98000000004f578c>] seq_read_iter+0x354/0x4b4 -[ 3.245098] [<98000000004c2e90>] new_sync_read+0x17c/0x1c4 -[ 3.252114] [<98000000004c5174>] vfs_read+0x138/0x1d0 -[ 3.258694] [<98000000004c55f8>] ksys_read+0x70/0x100 -[ 3.265265] [<9800000000cfde9c>] do_syscall+0x7c/0x94 -[ 3.271820] [<9800000000202fe4>] handle_syscall+0xc4/0x160 -[ 3.281824] ---[ end trace 8b484262b4b8c24c ]--- - -Cc: stable@vger.kernel.org -Signed-off-by: Huacai Chen -Signed-off-by: Thomas Bogendoerfer -Signed-off-by: Sasha Levin ---- - arch/mips/kernel/proc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/mips/kernel/proc.c b/arch/mips/kernel/proc.c -index bb43bf850314..8eba5a1ed664 100644 ---- a/arch/mips/kernel/proc.c -+++ b/arch/mips/kernel/proc.c -@@ -311,7 +311,7 @@ static void *c_start(struct seq_file *m, loff_t *pos) - { - unsigned long i = *pos; - -- return i < NR_CPUS ? (void *) (i + 1) : NULL; -+ return i < nr_cpu_ids ? (void *) (i + 1) : NULL; - } - - static void *c_next(struct seq_file *m, void *v, loff_t *pos) --- -2.35.1 - diff --git a/queue-5.19/mtd-rawnand-arasan-fix-clock-rate-in-nv-ddr.patch-18581 b/queue-5.19/mtd-rawnand-arasan-fix-clock-rate-in-nv-ddr.patch-18581 deleted file mode 100644 index cbe75482bf5..00000000000 --- a/queue-5.19/mtd-rawnand-arasan-fix-clock-rate-in-nv-ddr.patch-18581 +++ /dev/null @@ -1,51 +0,0 @@ -From bbb048ec8a35951f2c60fed8519533208a158421 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 28 Jun 2022 21:18:24 +0530 -Subject: mtd: rawnand: arasan: Fix clock rate in NV-DDR - -From: Olga Kitaina - -[ Upstream commit e16eceea863b417fd328588b1be1a79de0bc937f ] - -According to the Arasan NAND controller spec, the flash clock rate for SDR -must be <= 100 MHz, while for NV-DDR it must be the same as the rate of the -CLK line for the mode. The driver previously always set 100 MHz for NV-DDR, -which would result in incorrect behavior for NV-DDR modes 0-4. - -The appropriate clock rate can be calculated from the NV-DDR timing -parameters as 1/tCK, or for rates measured in picoseconds, -10^12 / nand_nvddr_timings->tCK_min. - -Fixes: 197b88fecc50 ("mtd: rawnand: arasan: Add new Arasan NAND controller") -CC: stable@vger.kernel.org # 5.8+ -Signed-off-by: Olga Kitaina -Signed-off-by: Amit Kumar Mahapatra -Signed-off-by: Miquel Raynal -Link: https://lore.kernel.org/linux-mtd/20220628154824.12222-3-amit.kumar-mahapatra@xilinx.com -Signed-off-by: Sasha Levin ---- - drivers/mtd/nand/raw/arasan-nand-controller.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/drivers/mtd/nand/raw/arasan-nand-controller.c b/drivers/mtd/nand/raw/arasan-nand-controller.c -index c5264fa223c4..296fb16c8dc3 100644 ---- a/drivers/mtd/nand/raw/arasan-nand-controller.c -+++ b/drivers/mtd/nand/raw/arasan-nand-controller.c -@@ -1043,7 +1043,13 @@ static int anfc_setup_interface(struct nand_chip *chip, int target, - DQS_BUFF_SEL_OUT(dqs_mode); - } - -- anand->clk = ANFC_XLNX_SDR_DFLT_CORE_CLK; -+ if (nand_interface_is_sdr(conf)) { -+ anand->clk = ANFC_XLNX_SDR_DFLT_CORE_CLK; -+ } else { -+ /* ONFI timings are defined in picoseconds */ -+ anand->clk = div_u64((u64)NSEC_PER_SEC * 1000, -+ conf->timings.nvddr.tCK_min); -+ } - - /* - * Due to a hardware bug in the ZynqMP SoC, SDR timing modes 0-1 work --- -2.35.1 - diff --git a/queue-5.19/mtd-rawnand-arasan-update-nand-bus-clock-instead-of-.patch b/queue-5.19/mtd-rawnand-arasan-update-nand-bus-clock-instead-of-.patch deleted file mode 100644 index ee9e0c088e5..00000000000 --- a/queue-5.19/mtd-rawnand-arasan-update-nand-bus-clock-instead-of-.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 50be5f20b7d115ecf9abf210cb452dccfbc8cbd1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 28 Jun 2022 21:18:23 +0530 -Subject: mtd: rawnand: arasan: Update NAND bus clock instead of system clock - -From: Amit Kumar Mahapatra - -[ Upstream commit 7499bfeedb47efc1ee4dc793b92c610d46e6d6a6 ] - -In current implementation the Arasan NAND driver is updating the -system clock(i.e., anand->clk) in accordance to the timing modes -(i.e., SDR or NVDDR). But as per the Arasan NAND controller spec the -flash clock or the NAND bus clock(i.e., nfc->bus_clk), need to be -updated instead. This patch keeps the system clock unchanged and updates -the NAND bus clock as per the timing modes. - -Fixes: 197b88fecc50 ("mtd: rawnand: arasan: Add new Arasan NAND controller") -CC: stable@vger.kernel.org # 5.8+ -Signed-off-by: Amit Kumar Mahapatra -Signed-off-by: Miquel Raynal -Link: https://lore.kernel.org/linux-mtd/20220628154824.12222-2-amit.kumar-mahapatra@xilinx.com -Signed-off-by: Sasha Levin ---- - drivers/mtd/nand/raw/arasan-nand-controller.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/drivers/mtd/nand/raw/arasan-nand-controller.c b/drivers/mtd/nand/raw/arasan-nand-controller.c -index 53bd10738418..c5264fa223c4 100644 ---- a/drivers/mtd/nand/raw/arasan-nand-controller.c -+++ b/drivers/mtd/nand/raw/arasan-nand-controller.c -@@ -347,17 +347,17 @@ static int anfc_select_target(struct nand_chip *chip, int target) - - /* Update clock frequency */ - if (nfc->cur_clk != anand->clk) { -- clk_disable_unprepare(nfc->controller_clk); -- ret = clk_set_rate(nfc->controller_clk, anand->clk); -+ clk_disable_unprepare(nfc->bus_clk); -+ ret = clk_set_rate(nfc->bus_clk, anand->clk); - if (ret) { - dev_err(nfc->dev, "Failed to change clock rate\n"); - return ret; - } - -- ret = clk_prepare_enable(nfc->controller_clk); -+ ret = clk_prepare_enable(nfc->bus_clk); - if (ret) { - dev_err(nfc->dev, -- "Failed to re-enable the controller clock\n"); -+ "Failed to re-enable the bus clock\n"); - return ret; - } - --- -2.35.1 - diff --git a/queue-5.19/net-9p-initialize-the-iounit-field-during-fid-creati.patch b/queue-5.19/net-9p-initialize-the-iounit-field-during-fid-creati.patch index 49f84fb0e3b..655194ea03c 100644 --- a/queue-5.19/net-9p-initialize-the-iounit-field-during-fid-creati.patch +++ b/queue-5.19/net-9p-initialize-the-iounit-field-during-fid-creati.patch @@ -38,14 +38,12 @@ Reviewed-by: Christian Schoenebeck Signed-off-by: Dominique Martinet Signed-off-by: Sasha Levin --- - net/9p/client.c | 5 +---- + net/9p/client.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) -diff --git a/net/9p/client.c b/net/9p/client.c -index 8bba0d9cf975..371519e7b885 100644 --- a/net/9p/client.c +++ b/net/9p/client.c -@@ -889,16 +889,13 @@ static struct p9_fid *p9_fid_create(struct p9_client *clnt) +@@ -886,16 +886,13 @@ static struct p9_fid *p9_fid_create(stru struct p9_fid *fid; p9_debug(P9_DEBUG_FID, "clnt %p\n", clnt); @@ -63,6 +61,3 @@ index 8bba0d9cf975..371519e7b885 100644 refcount_set(&fid->count, 1); idr_preload(GFP_KERNEL); --- -2.35.1 - diff --git a/queue-5.19/ovl-drop-warn_on-dentry-is-null-in-ovl_encode_fh.patch-29266 b/queue-5.19/ovl-drop-warn_on-dentry-is-null-in-ovl_encode_fh.patch-29266 deleted file mode 100644 index 576a78d84df..00000000000 --- a/queue-5.19/ovl-drop-warn_on-dentry-is-null-in-ovl_encode_fh.patch-29266 +++ /dev/null @@ -1,62 +0,0 @@ -From ba2c0597b0c1aaf5277e7c02c68e8535863025bc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 28 Jul 2022 19:49:15 +0800 -Subject: ovl: drop WARN_ON() dentry is NULL in ovl_encode_fh() - -From: Jiachen Zhang - -[ Upstream commit dd524b7f317de8d31d638cbfdc7be4cf9b770e42 ] - -Some code paths cannot guarantee the inode have any dentry alias. So -WARN_ON() all !dentry may flood the kernel logs. - -For example, when an overlayfs inode is watched by inotifywait (1), and -someone is trying to read the /proc/$(pidof inotifywait)/fdinfo/INOTIFY_FD, -at that time if the dentry has been reclaimed by kernel (such as -echo 2 > /proc/sys/vm/drop_caches), there will be a WARN_ON(). The -printed call stack would be like: - - ? show_mark_fhandle+0xf0/0xf0 - show_mark_fhandle+0x4a/0xf0 - ? show_mark_fhandle+0xf0/0xf0 - ? seq_vprintf+0x30/0x50 - ? seq_printf+0x53/0x70 - ? show_mark_fhandle+0xf0/0xf0 - inotify_fdinfo+0x70/0x90 - show_fdinfo.isra.4+0x53/0x70 - seq_show+0x130/0x170 - seq_read+0x153/0x440 - vfs_read+0x94/0x150 - ksys_read+0x5f/0xe0 - do_syscall_64+0x59/0x1e0 - entry_SYSCALL_64_after_hwframe+0x44/0xa9 - -So let's drop WARN_ON() to avoid kernel log flooding. - -Reported-by: Hongbo Yin -Signed-off-by: Jiachen Zhang -Signed-off-by: Tianci Zhang -Fixes: 8ed5eec9d6c4 ("ovl: encode pure upper file handles") -Cc: # v4.16 -Signed-off-by: Miklos Szeredi -Signed-off-by: Sasha Levin ---- - fs/overlayfs/export.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fs/overlayfs/export.c b/fs/overlayfs/export.c -index 2eada97bbd23..e065a5b9a442 100644 ---- a/fs/overlayfs/export.c -+++ b/fs/overlayfs/export.c -@@ -259,7 +259,7 @@ static int ovl_encode_fh(struct inode *inode, u32 *fid, int *max_len, - return FILEID_INVALID; - - dentry = d_find_any_alias(inode); -- if (WARN_ON(!dentry)) -+ if (!dentry) - return FILEID_INVALID; - - bytes = ovl_dentry_to_fid(ofs, dentry, fid, buflen); --- -2.35.1 - diff --git a/queue-5.19/parisc-check-the-return-value-of-ioremap-in-lba_driv.patch b/queue-5.19/parisc-check-the-return-value-of-ioremap-in-lba_driv.patch deleted file mode 100644 index e8732d63ac1..00000000000 --- a/queue-5.19/parisc-check-the-return-value-of-ioremap-in-lba_driv.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 9a81465effab09f20d63b68e363001be45ebe2c4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 22 Jul 2022 10:57:09 +0800 -Subject: parisc: Check the return value of ioremap() in lba_driver_probe() - -From: William Dean - -[ Upstream commit cf59f34d7f978d14d6520fd80a78a5ad5cb8abf8 ] - -The function ioremap() in lba_driver_probe() can fail, so -its return value should be checked. - -Fixes: 4bdc0d676a643 ("remove ioremap_nocache and devm_ioremap_nocache") -Reported-by: Hacash Robot -Signed-off-by: William Dean -Signed-off-by: Helge Deller -Cc: # v5.6+ -Signed-off-by: Sasha Levin ---- - drivers/parisc/lba_pci.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/drivers/parisc/lba_pci.c b/drivers/parisc/lba_pci.c -index 732b516c7bf8..afc6e66ddc31 100644 ---- a/drivers/parisc/lba_pci.c -+++ b/drivers/parisc/lba_pci.c -@@ -1476,9 +1476,13 @@ lba_driver_probe(struct parisc_device *dev) - u32 func_class; - void *tmp_obj; - char *version; -- void __iomem *addr = ioremap(dev->hpa.start, 4096); -+ void __iomem *addr; - int max; - -+ addr = ioremap(dev->hpa.start, 4096); -+ if (addr == NULL) -+ return -ENOMEM; -+ - /* Read HW Rev First */ - func_class = READ_REG32(addr + LBA_FCLASS); - --- -2.35.1 - diff --git a/queue-5.19/parisc-drop-pa_swapper_pg_lock-spinlock.patch-26906 b/queue-5.19/parisc-drop-pa_swapper_pg_lock-spinlock.patch-26906 deleted file mode 100644 index af6a8fc76b8..00000000000 --- a/queue-5.19/parisc-drop-pa_swapper_pg_lock-spinlock.patch-26906 +++ /dev/null @@ -1,39 +0,0 @@ -From c22343f0a3caf17518da7e6bc969dd3cc55726a1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 19 Jul 2022 06:19:41 +0200 -Subject: parisc: Drop pa_swapper_pg_lock spinlock - -From: Helge Deller - -[ Upstream commit 3fbc9a7de0564c55d8a9584c9cd2c9dfe6bd6d43 ] - -This spinlock was dropped with commit b7795074a046 ("parisc: Optimize -per-pagetable spinlocks") in kernel v5.12. - -Remove it to silence a sparse warning. - -Signed-off-by: Helge Deller -Reported-by: kernel test robot -Cc: # v5.12+ -Signed-off-by: Sasha Levin ---- - arch/parisc/kernel/cache.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/arch/parisc/kernel/cache.c b/arch/parisc/kernel/cache.c -index a9bc578e4c52..af3d7cdc1541 100644 ---- a/arch/parisc/kernel/cache.c -+++ b/arch/parisc/kernel/cache.c -@@ -50,9 +50,6 @@ void flush_instruction_cache_local(void); /* flushes local code-cache only */ - */ - DEFINE_SPINLOCK(pa_tlb_flush_lock); - --/* Swapper page setup lock. */ --DEFINE_SPINLOCK(pa_swapper_pg_lock); -- - #if defined(CONFIG_64BIT) && defined(CONFIG_SMP) - int pa_serialize_tlb_flushes __ro_after_init; - #endif --- -2.35.1 - diff --git a/queue-5.19/parisc-fix-device-names-in-proc-iomem.patch-18836 b/queue-5.19/parisc-fix-device-names-in-proc-iomem.patch-18836 deleted file mode 100644 index 15956dadba6..00000000000 --- a/queue-5.19/parisc-fix-device-names-in-proc-iomem.patch-18836 +++ /dev/null @@ -1,50 +0,0 @@ -From 156a90cb6307af38a8e9e3293999b846a0a84fa0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 18 Jul 2022 17:06:47 +0200 -Subject: parisc: Fix device names in /proc/iomem - -From: Helge Deller - -[ Upstream commit cab56b51ec0e69128909cef4650e1907248d821b ] - -Fix the output of /proc/iomem to show the real hardware device name -including the pa_pathname, e.g. "Merlin 160 Core Centronics [8:16:0]". -Up to now only the pa_pathname ("[8:16.0]") was shown. - -Signed-off-by: Helge Deller -Cc: # v4.9+ -Signed-off-by: Sasha Levin ---- - arch/parisc/kernel/drivers.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c -index 776d624a7207..d126e78e101a 100644 ---- a/arch/parisc/kernel/drivers.c -+++ b/arch/parisc/kernel/drivers.c -@@ -520,7 +520,6 @@ alloc_pa_dev(unsigned long hpa, struct hardware_path *mod_path) - dev->id.hversion_rev = iodc_data[1] & 0x0f; - dev->id.sversion = ((iodc_data[4] & 0x0f) << 16) | - (iodc_data[5] << 8) | iodc_data[6]; -- dev->hpa.name = parisc_pathname(dev); - dev->hpa.start = hpa; - /* This is awkward. The STI spec says that gfx devices may occupy - * 32MB or 64MB. Unfortunately, we don't know how to tell whether -@@ -534,10 +533,10 @@ alloc_pa_dev(unsigned long hpa, struct hardware_path *mod_path) - dev->hpa.end = hpa + 0xfff; - } - dev->hpa.flags = IORESOURCE_MEM; -- name = parisc_hardware_description(&dev->id); -- if (name) { -- strlcpy(dev->name, name, sizeof(dev->name)); -- } -+ dev->hpa.name = dev->name; -+ name = parisc_hardware_description(&dev->id) ? : "unknown"; -+ snprintf(dev->name, sizeof(dev->name), "%s [%s]", -+ name, parisc_pathname(dev)); - - /* Silently fail things like mouse ports which are subsumed within - * the keyboard controller --- -2.35.1 - diff --git a/queue-5.19/parisc-io_pgetevents_time64-needs-compat-syscall-in-.patch b/queue-5.19/parisc-io_pgetevents_time64-needs-compat-syscall-in-.patch deleted file mode 100644 index 189d46a0a3b..00000000000 --- a/queue-5.19/parisc-io_pgetevents_time64-needs-compat-syscall-in-.patch +++ /dev/null @@ -1,42 +0,0 @@ -From a66c3e5c25c595fb101a1744bda69271cebe8ed3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 1 Aug 2022 17:36:15 +0200 -Subject: parisc: io_pgetevents_time64() needs compat syscall in 32-bit compat - mode - -From: Helge Deller - -[ Upstream commit 6431e92fc827bdd2d28f79150d90415ba9ce0d21 ] - -For all syscalls in 32-bit compat mode on 64-bit kernels the upper -32-bits of the 64-bit registers are zeroed out, so a negative 32-bit -signed value will show up as positive 64-bit signed value. - -This behaviour breaks the io_pgetevents_time64() syscall which expects -signed 64-bit values for the "min_nr" and "nr" parameters. -Fix this by switching to the compat_sys_io_pgetevents_time64() syscall, -which uses "compat_long_t" types for those parameters. - -Cc: # v5.1+ -Signed-off-by: Helge Deller -Signed-off-by: Sasha Levin ---- - arch/parisc/kernel/syscalls/syscall.tbl | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/parisc/kernel/syscalls/syscall.tbl b/arch/parisc/kernel/syscalls/syscall.tbl -index 68b46fe2f17c..8a99c998da9b 100644 ---- a/arch/parisc/kernel/syscalls/syscall.tbl -+++ b/arch/parisc/kernel/syscalls/syscall.tbl -@@ -413,7 +413,7 @@ - 412 32 utimensat_time64 sys_utimensat sys_utimensat - 413 32 pselect6_time64 sys_pselect6 compat_sys_pselect6_time64 - 414 32 ppoll_time64 sys_ppoll compat_sys_ppoll_time64 --416 32 io_pgetevents_time64 sys_io_pgetevents sys_io_pgetevents -+416 32 io_pgetevents_time64 sys_io_pgetevents compat_sys_io_pgetevents_time64 - 417 32 recvmmsg_time64 sys_recvmmsg compat_sys_recvmmsg_time64 - 418 32 mq_timedsend_time64 sys_mq_timedsend sys_mq_timedsend - 419 32 mq_timedreceive_time64 sys_mq_timedreceive sys_mq_timedreceive --- -2.35.1 - diff --git a/queue-5.19/pci-qcom-power-on-phy-before-ipq8074-dbi-register-ac.patch b/queue-5.19/pci-qcom-power-on-phy-before-ipq8074-dbi-register-ac.patch index c868734e1ff..330cb05dc95 100644 --- a/queue-5.19/pci-qcom-power-on-phy-before-ipq8074-dbi-register-ac.patch +++ b/queue-5.19/pci-qcom-power-on-phy-before-ipq8074-dbi-register-ac.patch @@ -22,14 +22,12 @@ Reviewed-by: Dmitry Baryshkov Cc: stable@vger.kernel.org # v5.11+ Signed-off-by: Sasha Levin --- - drivers/pci/controller/dwc/pcie-qcom.c | 48 +++++++++++++++----------- + drivers/pci/controller/dwc/pcie-qcom.c | 48 +++++++++++++++++++-------------- 1 file changed, 28 insertions(+), 20 deletions(-) -diff --git a/drivers/pci/controller/dwc/pcie-qcom.c b/drivers/pci/controller/dwc/pcie-qcom.c -index 2ea13750b492..3bbe1612a930 100644 --- a/drivers/pci/controller/dwc/pcie-qcom.c +++ b/drivers/pci/controller/dwc/pcie-qcom.c -@@ -1038,9 +1038,7 @@ static int qcom_pcie_init_2_3_3(struct qcom_pcie *pcie) +@@ -1036,9 +1036,7 @@ static int qcom_pcie_init_2_3_3(struct q struct qcom_pcie_resources_2_3_3 *res = &pcie->res.v2_3_3; struct dw_pcie *pci = pcie->pci; struct device *dev = pci->dev; @@ -39,7 +37,7 @@ index 2ea13750b492..3bbe1612a930 100644 for (i = 0; i < ARRAY_SIZE(res->rst); i++) { ret = reset_control_assert(res->rst[i]); -@@ -1097,6 +1095,33 @@ static int qcom_pcie_init_2_3_3(struct qcom_pcie *pcie) +@@ -1095,6 +1093,33 @@ static int qcom_pcie_init_2_3_3(struct q goto err_clk_aux; } @@ -73,7 +71,7 @@ index 2ea13750b492..3bbe1612a930 100644 writel(SLV_ADDR_SPACE_SZ, pcie->parf + PCIE20_v3_PARF_SLV_ADDR_SPACE_SIZE); -@@ -1124,24 +1149,6 @@ static int qcom_pcie_init_2_3_3(struct qcom_pcie *pcie) +@@ -1122,24 +1147,6 @@ static int qcom_pcie_init_2_3_3(struct q PCI_EXP_DEVCTL2); return 0; @@ -98,7 +96,7 @@ index 2ea13750b492..3bbe1612a930 100644 } static int qcom_pcie_get_resources_2_7_0(struct qcom_pcie *pcie) -@@ -1467,6 +1474,7 @@ static const struct qcom_pcie_ops ops_2_4_0 = { +@@ -1465,6 +1472,7 @@ static const struct qcom_pcie_ops ops_2_ static const struct qcom_pcie_ops ops_2_3_3 = { .get_resources = qcom_pcie_get_resources_2_3_3, .init = qcom_pcie_init_2_3_3, @@ -106,6 +104,3 @@ index 2ea13750b492..3bbe1612a930 100644 .deinit = qcom_pcie_deinit_2_3_3, .ltssm_enable = qcom_pcie_2_3_2_ltssm_enable, }; --- -2.35.1 - diff --git a/queue-5.19/powerpc-64e-fix-early-tlb-miss-with-kuap.patch-29650 b/queue-5.19/powerpc-64e-fix-early-tlb-miss-with-kuap.patch-29650 deleted file mode 100644 index ef947a00078..00000000000 --- a/queue-5.19/powerpc-64e-fix-early-tlb-miss-with-kuap.patch-29650 +++ /dev/null @@ -1,93 +0,0 @@ -From b57c15bda53986f1a0827a03ea2444bd6bc5bbbf Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 28 Jun 2022 16:48:54 +0200 -Subject: powerpc/64e: Fix early TLB miss with KUAP - -From: Christophe Leroy - -[ Upstream commit 09317643117ade87c03158341e87466413fa8f1a ] - -With KUAP, the TLB miss handler bails out when an access to user -memory is performed with a nul TID. - -But the normal TLB miss routine which is only used early during boot -does the check regardless for all memory areas, not only user memory. - -By chance there is no early IO or vmalloc access, but when KASAN -come we will start having early TLB misses. - -Fix it by creating a special branch for user accesses similar to the -one in the 'bolted' TLB miss handlers. Unfortunately SPRN_MAS1 is -now read too early and there are no registers available to preserve -it so it will be read a second time. - -Fixes: 57bc963837f5 ("powerpc/kuap: Wire-up KUAP on book3e/64") -Cc: stable@vger.kernel.org -Signed-off-by: Christophe Leroy -Signed-off-by: Michael Ellerman -Link: https://lore.kernel.org/r/8d6c5859a45935d6e1a336da4dc20be421e8cea7.1656427701.git.christophe.leroy@csgroup.eu -Signed-off-by: Sasha Levin ---- - arch/powerpc/mm/nohash/tlb_low_64e.S | 17 ++++++++--------- - 1 file changed, 8 insertions(+), 9 deletions(-) - -diff --git a/arch/powerpc/mm/nohash/tlb_low_64e.S b/arch/powerpc/mm/nohash/tlb_low_64e.S -index 8b97c4acfebf..9e9ab3803fb2 100644 ---- a/arch/powerpc/mm/nohash/tlb_low_64e.S -+++ b/arch/powerpc/mm/nohash/tlb_low_64e.S -@@ -583,7 +583,7 @@ itlb_miss_fault_e6500: - */ - rlwimi r11,r14,32-19,27,27 - rlwimi r11,r14,32-16,19,19 -- beq normal_tlb_miss -+ beq normal_tlb_miss_user - /* XXX replace the RMW cycles with immediate loads + writes */ - 1: mfspr r10,SPRN_MAS1 - cmpldi cr0,r15,8 /* Check for vmalloc region */ -@@ -626,7 +626,7 @@ itlb_miss_fault_e6500: - - cmpldi cr0,r15,0 /* Check for user region */ - std r14,EX_TLB_ESR(r12) /* write crazy -1 to frame */ -- beq normal_tlb_miss -+ beq normal_tlb_miss_user - - li r11,_PAGE_PRESENT|_PAGE_BAP_SX /* Base perm */ - oris r11,r11,_PAGE_ACCESSED@h -@@ -653,6 +653,12 @@ itlb_miss_fault_e6500: - * r11 = PTE permission mask - * r10 = crap (free to use) - */ -+normal_tlb_miss_user: -+#ifdef CONFIG_PPC_KUAP -+ mfspr r14,SPRN_MAS1 -+ rlwinm. r14,r14,0,0x3fff0000 -+ beq- normal_tlb_miss_access_fault /* KUAP fault */ -+#endif - normal_tlb_miss: - /* So we first construct the page table address. We do that by - * shifting the bottom of the address (not the region ID) by -@@ -683,11 +689,6 @@ finish_normal_tlb_miss: - /* Check if required permissions are met */ - andc. r15,r11,r14 - bne- normal_tlb_miss_access_fault --#ifdef CONFIG_PPC_KUAP -- mfspr r11,SPRN_MAS1 -- rlwinm. r10,r11,0,0x3fff0000 -- beq- normal_tlb_miss_access_fault /* KUAP fault */ --#endif - - /* Now we build the MAS: - * -@@ -709,9 +710,7 @@ finish_normal_tlb_miss: - rldicl r10,r14,64-8,64-8 - cmpldi cr0,r10,BOOK3E_PAGESZ_4K - beq- 1f --#ifndef CONFIG_PPC_KUAP - mfspr r11,SPRN_MAS1 --#endif - rlwimi r11,r14,31,21,24 - rlwinm r11,r11,0,21,19 - mtspr SPRN_MAS1,r11 --- -2.35.1 - diff --git a/queue-5.19/powerpc-fsl-pci-fix-class-code-of-pcie-root-port.patch-7836 b/queue-5.19/powerpc-fsl-pci-fix-class-code-of-pcie-root-port.patch-7836 deleted file mode 100644 index 9dc0ca9aafe..00000000000 --- a/queue-5.19/powerpc-fsl-pci-fix-class-code-of-pcie-root-port.patch-7836 +++ /dev/null @@ -1,93 +0,0 @@ -From 786ebb67ed1e8ac601ff8f1dcdfdc3e12e3cb5b5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 6 Jul 2022 12:10:43 +0200 -Subject: powerpc/fsl-pci: Fix Class Code of PCIe Root Port -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Pali Rohár - -[ Upstream commit 0c551abfa004ce154d487d91777bf221c808a64f ] - -By default old pre-3.0 Freescale PCIe controllers reports invalid PCI Class -Code 0x0b20 for PCIe Root Port. It can be seen by lspci -b output on P2020 -board which has this pre-3.0 controller: - - $ lspci -bvnn - 00:00.0 Power PC [0b20]: Freescale Semiconductor Inc P2020E [1957:0070] (rev 21) - !!! Invalid class 0b20 for header type 01 - Capabilities: [4c] Express Root Port (Slot-), MSI 00 - -Fix this issue by programming correct PCI Class Code 0x0604 for PCIe Root -Port to the Freescale specific PCIe register 0x474. - -With this change lspci -b output is: - - $ lspci -bvnn - 00:00.0 PCI bridge [0604]: Freescale Semiconductor Inc P2020E [1957:0070] (rev 21) (prog-if 00 [Normal decode]) - Capabilities: [4c] Express Root Port (Slot-), MSI 00 - -Without any "Invalid class" error. So class code was properly reflected -into standard (read-only) PCI register 0x08. - -Same fix is already implemented in U-Boot pcie_fsl.c driver in commit: -http://source.denx.de/u-boot/u-boot/-/commit/d18d06ac35229345a0af80977a408cfbe1d1015b - -Fix activated by U-Boot stay active also after booting Linux kernel. -But boards which use older U-Boot version without that fix are affected and -still require this fix. - -So implement this class code fix also in kernel fsl_pci.c driver. - -Cc: stable@vger.kernel.org -Signed-off-by: Pali Rohár -Signed-off-by: Michael Ellerman -Link: https://lore.kernel.org/r/20220706101043.4867-1-pali@kernel.org -Signed-off-by: Sasha Levin ---- - arch/powerpc/sysdev/fsl_pci.c | 8 ++++++++ - arch/powerpc/sysdev/fsl_pci.h | 1 + - 2 files changed, 9 insertions(+) - -diff --git a/arch/powerpc/sysdev/fsl_pci.c b/arch/powerpc/sysdev/fsl_pci.c -index 1011cfea2e32..bfbb8c8fc9aa 100644 ---- a/arch/powerpc/sysdev/fsl_pci.c -+++ b/arch/powerpc/sysdev/fsl_pci.c -@@ -521,6 +521,7 @@ int fsl_add_bridge(struct platform_device *pdev, int is_primary) - struct resource rsrc; - const int *bus_range; - u8 hdr_type, progif; -+ u32 class_code; - struct device_node *dev; - struct ccsr_pci __iomem *pci; - u16 temp; -@@ -594,6 +595,13 @@ int fsl_add_bridge(struct platform_device *pdev, int is_primary) - PPC_INDIRECT_TYPE_SURPRESS_PRIMARY_BUS; - if (fsl_pcie_check_link(hose)) - hose->indirect_type |= PPC_INDIRECT_TYPE_NO_PCIE_LINK; -+ /* Fix Class Code to PCI_CLASS_BRIDGE_PCI_NORMAL for pre-3.0 controller */ -+ if (in_be32(&pci->block_rev1) < PCIE_IP_REV_3_0) { -+ early_read_config_dword(hose, 0, 0, PCIE_FSL_CSR_CLASSCODE, &class_code); -+ class_code &= 0xff; -+ class_code |= PCI_CLASS_BRIDGE_PCI_NORMAL << 8; -+ early_write_config_dword(hose, 0, 0, PCIE_FSL_CSR_CLASSCODE, class_code); -+ } - } else { - /* - * Set PBFR(PCI Bus Function Register)[10] = 1 to -diff --git a/arch/powerpc/sysdev/fsl_pci.h b/arch/powerpc/sysdev/fsl_pci.h -index cdbde2e0c96e..093a875d7d1e 100644 ---- a/arch/powerpc/sysdev/fsl_pci.h -+++ b/arch/powerpc/sysdev/fsl_pci.h -@@ -18,6 +18,7 @@ struct platform_device; - - #define PCIE_LTSSM 0x0404 /* PCIE Link Training and Status */ - #define PCIE_LTSSM_L0 0x16 /* L0 state */ -+#define PCIE_FSL_CSR_CLASSCODE 0x474 /* FSL GPEX CSR */ - #define PCIE_IP_REV_2_2 0x02080202 /* PCIE IP block version Rev2.2 */ - #define PCIE_IP_REV_3_0 0x02080300 /* PCIE IP block version Rev3.0 */ - #define PIWAR_EN 0x80000000 /* Enable */ --- -2.35.1 - diff --git a/queue-5.19/powerpc-powernv-avoid-crashing-if-rng-is-null.patch-9536 b/queue-5.19/powerpc-powernv-avoid-crashing-if-rng-is-null.patch-9536 deleted file mode 100644 index 589f237481e..00000000000 --- a/queue-5.19/powerpc-powernv-avoid-crashing-if-rng-is-null.patch-9536 +++ /dev/null @@ -1,44 +0,0 @@ -From a167a432b19b5f7084da36f2a360ff5a55a3a4e2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 28 Jul 2022 00:32:17 +1000 -Subject: powerpc/powernv: Avoid crashing if rng is NULL - -From: Michael Ellerman - -[ Upstream commit 90b5d4fe0b3ba7f589c6723c6bfb559d9e83956a ] - -On a bare-metal Power8 system that doesn't have an "ibm,power-rng", a -malicious QEMU and guest that ignore the absence of the -KVM_CAP_PPC_HWRNG flag, and calls H_RANDOM anyway, will dereference a -NULL pointer. - -In practice all Power8 machines have an "ibm,power-rng", but let's not -rely on that, add a NULL check and early return in -powernv_get_random_real_mode(). - -Fixes: e928e9cb3601 ("KVM: PPC: Book3S HV: Add fast real-mode H_RANDOM implementation.") -Cc: stable@vger.kernel.org # v4.1+ -Signed-off-by: Jason A. Donenfeld -Signed-off-by: Michael Ellerman -Link: https://lore.kernel.org/r/20220727143219.2684192-1-mpe@ellerman.id.au -Signed-off-by: Sasha Levin ---- - arch/powerpc/platforms/powernv/rng.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/arch/powerpc/platforms/powernv/rng.c b/arch/powerpc/platforms/powernv/rng.c -index 3805ad13b8f3..2287c9cd0cd5 100644 ---- a/arch/powerpc/platforms/powernv/rng.c -+++ b/arch/powerpc/platforms/powernv/rng.c -@@ -63,6 +63,8 @@ int powernv_get_random_real_mode(unsigned long *v) - struct powernv_rng *rng; - - rng = raw_cpu_read(powernv_rng); -+ if (!rng) -+ return 0; - - *v = rng_whiten(rng, __raw_rm_readq(rng->regs_real)); - --- -2.35.1 - diff --git a/queue-5.19/powerpc-ptdump-fix-display-of-rw-pages-on-fsl_book3e.patch-3011 b/queue-5.19/powerpc-ptdump-fix-display-of-rw-pages-on-fsl_book3e.patch-3011 deleted file mode 100644 index 78fa7cd0ba7..00000000000 --- a/queue-5.19/powerpc-ptdump-fix-display-of-rw-pages-on-fsl_book3e.patch-3011 +++ /dev/null @@ -1,51 +0,0 @@ -From 025ddb197f7de58ae9c168a668e11e460880a24f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 28 Jun 2022 16:43:35 +0200 -Subject: powerpc/ptdump: Fix display of RW pages on FSL_BOOK3E - -From: Christophe Leroy - -[ Upstream commit dd8de84b57b02ba9c1fe530a6d916c0853f136bd ] - -On FSL_BOOK3E, _PAGE_RW is defined with two bits, one for user and one -for supervisor. As soon as one of the two bits is set, the page has -to be display as RW. But the way it is implemented today requires both -bits to be set in order to display it as RW. - -Instead of display RW when _PAGE_RW bits are set and R otherwise, -reverse the logic and display R when _PAGE_RW bits are all 0 and -RW otherwise. - -This change has no impact on other platforms as _PAGE_RW is a single -bit on all of them. - -Fixes: 8eb07b187000 ("powerpc/mm: Dump linux pagetables") -Cc: stable@vger.kernel.org -Signed-off-by: Christophe Leroy -Signed-off-by: Michael Ellerman -Link: https://lore.kernel.org/r/0c33b96317811edf691e81698aaee8fa45ec3449.1656427391.git.christophe.leroy@csgroup.eu -Signed-off-by: Sasha Levin ---- - arch/powerpc/mm/ptdump/shared.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/arch/powerpc/mm/ptdump/shared.c b/arch/powerpc/mm/ptdump/shared.c -index 03607ab90c66..f884760ca5cf 100644 ---- a/arch/powerpc/mm/ptdump/shared.c -+++ b/arch/powerpc/mm/ptdump/shared.c -@@ -17,9 +17,9 @@ static const struct flag_info flag_array[] = { - .clear = " ", - }, { - .mask = _PAGE_RW, -- .val = _PAGE_RW, -- .set = "rw", -- .clear = "r ", -+ .val = 0, -+ .set = "r ", -+ .clear = "rw", - }, { - .mask = _PAGE_EXEC, - .val = _PAGE_EXEC, --- -2.35.1 - diff --git a/queue-5.19/powerpc-restore-config_debug_info-in-defconfigs.patch-27837 b/queue-5.19/powerpc-restore-config_debug_info-in-defconfigs.patch-27837 deleted file mode 100644 index 24bd9aa13c9..00000000000 --- a/queue-5.19/powerpc-restore-config_debug_info-in-defconfigs.patch-27837 +++ /dev/null @@ -1,309 +0,0 @@ -From b7d3d9e06c7ee60503525173d9dbda4c5ced3247 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 11 Jun 2022 08:51:57 +0200 -Subject: powerpc: Restore CONFIG_DEBUG_INFO in defconfigs - -From: Christophe Leroy - -[ Upstream commit 92f89ec1b534b6eca2b81bae97d30a786932f51a ] - -Commit f9b3cd245784 ("Kconfig.debug: make DEBUG_INFO selectable from a -choice") broke the selection of CONFIG_DEBUG_INFO by powerpc defconfigs. - -It is now necessary to select one of the three DEBUG_INFO_DWARF* -options to get DEBUG_INFO enabled. - -Replace DEBUG_INFO=y by DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y in all -defconfigs using the following command: - -sed -i s/DEBUG_INFO=y/DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y/g `git grep -l DEBUG_INFO arch/powerpc/configs/` - -Fixes: f9b3cd245784 ("Kconfig.debug: make DEBUG_INFO selectable from a choice") -Cc: stable@vger.kernel.org -Signed-off-by: Christophe Leroy -Reviewed-by: Kees Cook -Signed-off-by: Michael Ellerman -Link: https://lore.kernel.org/r/98a4c2603bf9e4b776e219f5b8541d23aa24e854.1654930308.git.christophe.leroy@csgroup.eu -Signed-off-by: Sasha Levin ---- - arch/powerpc/configs/44x/akebono_defconfig | 2 +- - arch/powerpc/configs/44x/currituck_defconfig | 2 +- - arch/powerpc/configs/44x/fsp2_defconfig | 2 +- - arch/powerpc/configs/44x/iss476-smp_defconfig | 2 +- - arch/powerpc/configs/44x/warp_defconfig | 2 +- - arch/powerpc/configs/52xx/lite5200b_defconfig | 2 +- - arch/powerpc/configs/52xx/motionpro_defconfig | 2 +- - arch/powerpc/configs/52xx/tqm5200_defconfig | 2 +- - arch/powerpc/configs/adder875_defconfig | 2 +- - arch/powerpc/configs/ep8248e_defconfig | 2 +- - arch/powerpc/configs/ep88xc_defconfig | 2 +- - arch/powerpc/configs/fsl-emb-nonhw.config | 2 +- - arch/powerpc/configs/mgcoge_defconfig | 2 +- - arch/powerpc/configs/mpc5200_defconfig | 2 +- - arch/powerpc/configs/mpc8272_ads_defconfig | 2 +- - arch/powerpc/configs/mpc885_ads_defconfig | 2 +- - arch/powerpc/configs/ppc6xx_defconfig | 2 +- - arch/powerpc/configs/pq2fads_defconfig | 2 +- - arch/powerpc/configs/ps3_defconfig | 2 +- - arch/powerpc/configs/tqm8xx_defconfig | 2 +- - 20 files changed, 20 insertions(+), 20 deletions(-) - -diff --git a/arch/powerpc/configs/44x/akebono_defconfig b/arch/powerpc/configs/44x/akebono_defconfig -index 4bc549c6edc5..fde4824f235e 100644 ---- a/arch/powerpc/configs/44x/akebono_defconfig -+++ b/arch/powerpc/configs/44x/akebono_defconfig -@@ -118,7 +118,7 @@ CONFIG_CRAMFS=y - CONFIG_NLS_DEFAULT="n" - CONFIG_NLS_CODEPAGE_437=y - CONFIG_NLS_ISO8859_1=y --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_MAGIC_SYSRQ=y - CONFIG_DETECT_HUNG_TASK=y - CONFIG_XMON=y -diff --git a/arch/powerpc/configs/44x/currituck_defconfig b/arch/powerpc/configs/44x/currituck_defconfig -index 717827219921..7283b7d4a1a5 100644 ---- a/arch/powerpc/configs/44x/currituck_defconfig -+++ b/arch/powerpc/configs/44x/currituck_defconfig -@@ -73,7 +73,7 @@ CONFIG_NFS_FS=y - CONFIG_NFS_V3_ACL=y - CONFIG_NFS_V4=y - CONFIG_NLS_DEFAULT="n" --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_MAGIC_SYSRQ=y - CONFIG_DETECT_HUNG_TASK=y - CONFIG_XMON=y -diff --git a/arch/powerpc/configs/44x/fsp2_defconfig b/arch/powerpc/configs/44x/fsp2_defconfig -index 8da316e61a08..3fdfbb29b854 100644 ---- a/arch/powerpc/configs/44x/fsp2_defconfig -+++ b/arch/powerpc/configs/44x/fsp2_defconfig -@@ -110,7 +110,7 @@ CONFIG_XZ_DEC=y - CONFIG_PRINTK_TIME=y - CONFIG_MESSAGE_LOGLEVEL_DEFAULT=3 - CONFIG_DYNAMIC_DEBUG=y --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_MAGIC_SYSRQ=y - CONFIG_DETECT_HUNG_TASK=y - CONFIG_CRYPTO_CBC=y -diff --git a/arch/powerpc/configs/44x/iss476-smp_defconfig b/arch/powerpc/configs/44x/iss476-smp_defconfig -index c11e777b2f3d..0f6380e1e612 100644 ---- a/arch/powerpc/configs/44x/iss476-smp_defconfig -+++ b/arch/powerpc/configs/44x/iss476-smp_defconfig -@@ -56,7 +56,7 @@ CONFIG_PROC_KCORE=y - CONFIG_TMPFS=y - CONFIG_CRAMFS=y - # CONFIG_NETWORK_FILESYSTEMS is not set --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_MAGIC_SYSRQ=y - CONFIG_DETECT_HUNG_TASK=y - CONFIG_PPC_EARLY_DEBUG=y -diff --git a/arch/powerpc/configs/44x/warp_defconfig b/arch/powerpc/configs/44x/warp_defconfig -index 47252c2d7669..20891c413149 100644 ---- a/arch/powerpc/configs/44x/warp_defconfig -+++ b/arch/powerpc/configs/44x/warp_defconfig -@@ -88,7 +88,7 @@ CONFIG_NLS_UTF8=y - CONFIG_CRC_CCITT=y - CONFIG_CRC_T10DIF=y - CONFIG_PRINTK_TIME=y --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_DEBUG_FS=y - CONFIG_MAGIC_SYSRQ=y - CONFIG_DETECT_HUNG_TASK=y -diff --git a/arch/powerpc/configs/52xx/lite5200b_defconfig b/arch/powerpc/configs/52xx/lite5200b_defconfig -index 63368e677506..7db479dcbc0c 100644 ---- a/arch/powerpc/configs/52xx/lite5200b_defconfig -+++ b/arch/powerpc/configs/52xx/lite5200b_defconfig -@@ -58,6 +58,6 @@ CONFIG_NFS_FS=y - CONFIG_NFS_V4=y - CONFIG_ROOT_NFS=y - CONFIG_PRINTK_TIME=y --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_DETECT_HUNG_TASK=y - # CONFIG_DEBUG_BUGVERBOSE is not set -diff --git a/arch/powerpc/configs/52xx/motionpro_defconfig b/arch/powerpc/configs/52xx/motionpro_defconfig -index 72762da94846..6186ead1e105 100644 ---- a/arch/powerpc/configs/52xx/motionpro_defconfig -+++ b/arch/powerpc/configs/52xx/motionpro_defconfig -@@ -84,7 +84,7 @@ CONFIG_ROOT_NFS=y - CONFIG_NLS_CODEPAGE_437=y - CONFIG_NLS_ISO8859_1=y - CONFIG_PRINTK_TIME=y --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_DETECT_HUNG_TASK=y - # CONFIG_DEBUG_BUGVERBOSE is not set - CONFIG_CRYPTO_ECB=y -diff --git a/arch/powerpc/configs/52xx/tqm5200_defconfig b/arch/powerpc/configs/52xx/tqm5200_defconfig -index a3c8ca74032c..e6735b945327 100644 ---- a/arch/powerpc/configs/52xx/tqm5200_defconfig -+++ b/arch/powerpc/configs/52xx/tqm5200_defconfig -@@ -85,7 +85,7 @@ CONFIG_ROOT_NFS=y - CONFIG_NLS_CODEPAGE_437=y - CONFIG_NLS_ISO8859_1=y - CONFIG_PRINTK_TIME=y --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_DETECT_HUNG_TASK=y - # CONFIG_DEBUG_BUGVERBOSE is not set - CONFIG_CRYPTO_ECB=y -diff --git a/arch/powerpc/configs/adder875_defconfig b/arch/powerpc/configs/adder875_defconfig -index 5326bc739279..7f35d5bc1229 100644 ---- a/arch/powerpc/configs/adder875_defconfig -+++ b/arch/powerpc/configs/adder875_defconfig -@@ -45,7 +45,7 @@ CONFIG_CRAMFS=y - CONFIG_NFS_FS=y - CONFIG_ROOT_NFS=y - CONFIG_CRC32_SLICEBY4=y --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_DEBUG_FS=y - CONFIG_MAGIC_SYSRQ=y - CONFIG_DETECT_HUNG_TASK=y -diff --git a/arch/powerpc/configs/ep8248e_defconfig b/arch/powerpc/configs/ep8248e_defconfig -index 00d69965f898..8df6d3a293e3 100644 ---- a/arch/powerpc/configs/ep8248e_defconfig -+++ b/arch/powerpc/configs/ep8248e_defconfig -@@ -59,7 +59,7 @@ CONFIG_NLS_CODEPAGE_437=y - CONFIG_NLS_ASCII=y - CONFIG_NLS_ISO8859_1=y - CONFIG_NLS_UTF8=y --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_MAGIC_SYSRQ=y - # CONFIG_SCHED_DEBUG is not set - CONFIG_BDI_SWITCH=y -diff --git a/arch/powerpc/configs/ep88xc_defconfig b/arch/powerpc/configs/ep88xc_defconfig -index f5c3e72da719..a98ef6a4abef 100644 ---- a/arch/powerpc/configs/ep88xc_defconfig -+++ b/arch/powerpc/configs/ep88xc_defconfig -@@ -48,6 +48,6 @@ CONFIG_CRAMFS=y - CONFIG_NFS_FS=y - CONFIG_ROOT_NFS=y - CONFIG_CRC32_SLICEBY4=y --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_MAGIC_SYSRQ=y - CONFIG_DETECT_HUNG_TASK=y -diff --git a/arch/powerpc/configs/fsl-emb-nonhw.config b/arch/powerpc/configs/fsl-emb-nonhw.config -index df37efed0aec..f14c6dbd7346 100644 ---- a/arch/powerpc/configs/fsl-emb-nonhw.config -+++ b/arch/powerpc/configs/fsl-emb-nonhw.config -@@ -24,7 +24,7 @@ CONFIG_CRYPTO_PCBC=m - CONFIG_CRYPTO_SHA256=y - CONFIG_CRYPTO_SHA512=y - CONFIG_DEBUG_FS=y --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_DEBUG_KERNEL=y - CONFIG_DEBUG_SHIRQ=y - CONFIG_DETECT_HUNG_TASK=y -diff --git a/arch/powerpc/configs/mgcoge_defconfig b/arch/powerpc/configs/mgcoge_defconfig -index dcc8dccf54f3..498d35db7833 100644 ---- a/arch/powerpc/configs/mgcoge_defconfig -+++ b/arch/powerpc/configs/mgcoge_defconfig -@@ -73,7 +73,7 @@ CONFIG_NLS_CODEPAGE_437=y - CONFIG_NLS_ASCII=y - CONFIG_NLS_ISO8859_1=y - CONFIG_NLS_UTF8=y --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_DEBUG_FS=y - CONFIG_MAGIC_SYSRQ=y - # CONFIG_SCHED_DEBUG is not set -diff --git a/arch/powerpc/configs/mpc5200_defconfig b/arch/powerpc/configs/mpc5200_defconfig -index 83d801307178..c0fe5e76604a 100644 ---- a/arch/powerpc/configs/mpc5200_defconfig -+++ b/arch/powerpc/configs/mpc5200_defconfig -@@ -122,6 +122,6 @@ CONFIG_ROOT_NFS=y - CONFIG_NLS_CODEPAGE_437=y - CONFIG_NLS_ISO8859_1=y - CONFIG_PRINTK_TIME=y --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_DEBUG_KERNEL=y - CONFIG_DETECT_HUNG_TASK=y -diff --git a/arch/powerpc/configs/mpc8272_ads_defconfig b/arch/powerpc/configs/mpc8272_ads_defconfig -index 00a4d2bf43b2..4145ef5689ca 100644 ---- a/arch/powerpc/configs/mpc8272_ads_defconfig -+++ b/arch/powerpc/configs/mpc8272_ads_defconfig -@@ -67,7 +67,7 @@ CONFIG_NLS_CODEPAGE_437=y - CONFIG_NLS_ASCII=y - CONFIG_NLS_ISO8859_1=y - CONFIG_NLS_UTF8=y --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_MAGIC_SYSRQ=y - CONFIG_DETECT_HUNG_TASK=y - CONFIG_BDI_SWITCH=y -diff --git a/arch/powerpc/configs/mpc885_ads_defconfig b/arch/powerpc/configs/mpc885_ads_defconfig -index c74dc76b1d0d..700115d85d6f 100644 ---- a/arch/powerpc/configs/mpc885_ads_defconfig -+++ b/arch/powerpc/configs/mpc885_ads_defconfig -@@ -71,7 +71,7 @@ CONFIG_ROOT_NFS=y - CONFIG_CRYPTO=y - CONFIG_CRYPTO_DEV_TALITOS=y - CONFIG_CRC32_SLICEBY4=y --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_MAGIC_SYSRQ=y - CONFIG_DEBUG_FS=y - CONFIG_DEBUG_VM_PGTABLE=y -diff --git a/arch/powerpc/configs/ppc6xx_defconfig b/arch/powerpc/configs/ppc6xx_defconfig -index b622ecd73286..91967824272e 100644 ---- a/arch/powerpc/configs/ppc6xx_defconfig -+++ b/arch/powerpc/configs/ppc6xx_defconfig -@@ -1065,7 +1065,7 @@ CONFIG_NLS_ISO8859_14=m - CONFIG_NLS_ISO8859_15=m - CONFIG_NLS_KOI8_R=m - CONFIG_NLS_KOI8_U=m --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_HEADERS_INSTALL=y - CONFIG_MAGIC_SYSRQ=y - CONFIG_DEBUG_KERNEL=y -diff --git a/arch/powerpc/configs/pq2fads_defconfig b/arch/powerpc/configs/pq2fads_defconfig -index 9d8a76857c6f..9d63e2e65211 100644 ---- a/arch/powerpc/configs/pq2fads_defconfig -+++ b/arch/powerpc/configs/pq2fads_defconfig -@@ -68,7 +68,7 @@ CONFIG_NLS_CODEPAGE_437=y - CONFIG_NLS_ASCII=y - CONFIG_NLS_ISO8859_1=y - CONFIG_NLS_UTF8=y --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_MAGIC_SYSRQ=y - CONFIG_DETECT_HUNG_TASK=y - # CONFIG_SCHED_DEBUG is not set -diff --git a/arch/powerpc/configs/ps3_defconfig b/arch/powerpc/configs/ps3_defconfig -index 7c95fab4b920..2d9ac233da68 100644 ---- a/arch/powerpc/configs/ps3_defconfig -+++ b/arch/powerpc/configs/ps3_defconfig -@@ -153,7 +153,7 @@ CONFIG_NLS_CODEPAGE_437=y - CONFIG_NLS_ISO8859_1=y - CONFIG_CRC_CCITT=m - CONFIG_CRC_T10DIF=y --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_MAGIC_SYSRQ=y - CONFIG_DEBUG_MEMORY_INIT=y - CONFIG_DEBUG_STACKOVERFLOW=y -diff --git a/arch/powerpc/configs/tqm8xx_defconfig b/arch/powerpc/configs/tqm8xx_defconfig -index 77857d513022..083c2e57520a 100644 ---- a/arch/powerpc/configs/tqm8xx_defconfig -+++ b/arch/powerpc/configs/tqm8xx_defconfig -@@ -55,6 +55,6 @@ CONFIG_CRAMFS=y - CONFIG_NFS_FS=y - CONFIG_ROOT_NFS=y - CONFIG_CRC32_SLICEBY4=y --CONFIG_DEBUG_INFO=y -+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y - CONFIG_MAGIC_SYSRQ=y - CONFIG_DETECT_HUNG_TASK=y --- -2.35.1 - diff --git a/queue-5.19/scsi-lpfc-remove-extra-atomic_inc-on-cmd_pending-in-.patch b/queue-5.19/scsi-lpfc-remove-extra-atomic_inc-on-cmd_pending-in-.patch deleted file mode 100644 index 5e2e9b043cf..00000000000 --- a/queue-5.19/scsi-lpfc-remove-extra-atomic_inc-on-cmd_pending-in-.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 452a991df03fea2d6438fa8f8da69e1767cab1b8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 1 Jul 2022 14:14:17 -0700 -Subject: scsi: lpfc: Remove extra atomic_inc on cmd_pending in queuecommand - after VMID - -From: James Smart - -[ Upstream commit 0948a9c5386095baae4012190a6b65aba684a907 ] - -VMID introduced an extra increment of cmd_pending, causing double-counting -of the I/O. The normal increment ios performed in lpfc_get_scsi_buf. - -Link: https://lore.kernel.org/r/20220701211425.2708-5-jsmart2021@gmail.com -Fixes: 33c79741deaf ("scsi: lpfc: vmid: Introduce VMID in I/O path") -Cc: # v5.14+ -Co-developed-by: Justin Tee -Signed-off-by: Justin Tee -Signed-off-by: James Smart -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/lpfc/lpfc_scsi.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c -index ba5e4016262e..084c0f9fdc3a 100644 ---- a/drivers/scsi/lpfc/lpfc_scsi.c -+++ b/drivers/scsi/lpfc/lpfc_scsi.c -@@ -5456,7 +5456,6 @@ lpfc_queuecommand(struct Scsi_Host *shost, struct scsi_cmnd *cmnd) - cur_iocbq->cmd_flag |= LPFC_IO_VMID; - } - } -- atomic_inc(&ndlp->cmd_pending); - - #ifdef CONFIG_SCSI_LPFC_DEBUG_FS - if (unlikely(phba->hdwqstat_on & LPFC_CHECK_SCSI_IO)) --- -2.35.1 - diff --git a/queue-5.19/scsi-qla2xxx-edif-fix-dropped-ike-message.patch b/queue-5.19/scsi-qla2xxx-edif-fix-dropped-ike-message.patch deleted file mode 100644 index 64e8c584ac4..00000000000 --- a/queue-5.19/scsi-qla2xxx-edif-fix-dropped-ike-message.patch +++ /dev/null @@ -1,126 +0,0 @@ -From b9f9bae7f3cc422d1625e07eae230361a3e4e4e5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 12 Jul 2022 22:20:40 -0700 -Subject: scsi: qla2xxx: edif: Fix dropped IKE message - -From: Quinn Tran - -[ Upstream commit c019cd656e717349ff22d0c41d6fbfc773f48c52 ] - -This patch fixes IKE message being dropped due to error in processing Purex -IOCB and Continuation IOCBs. - -Link: https://lore.kernel.org/r/20220713052045.10683-6-njavali@marvell.com -Fixes: fac2807946c1 ("scsi: qla2xxx: edif: Add extraction of auth_els from the wire") -Cc: stable@vger.kernel.org -Reviewed-by: Himanshu Madhani -Signed-off-by: Quinn Tran -Signed-off-by: Nilesh Javali -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_isr.c | 54 +++++++++++++++------------------- - 1 file changed, 24 insertions(+), 30 deletions(-) - -diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c -index 1353a5b61c14..895a8d6a5f0e 100644 ---- a/drivers/scsi/qla2xxx/qla_isr.c -+++ b/drivers/scsi/qla2xxx/qla_isr.c -@@ -3710,12 +3710,11 @@ void qla24xx_nvme_ls4_iocb(struct scsi_qla_host *vha, - * Return: 0 all iocbs has arrived, xx- all iocbs have not arrived. - */ - static int qla_chk_cont_iocb_avail(struct scsi_qla_host *vha, -- struct rsp_que *rsp, response_t *pkt) -+ struct rsp_que *rsp, response_t *pkt, u32 rsp_q_in) - { -- int start_pkt_ring_index, end_pkt_ring_index, n_ring_index; -- response_t *end_pkt; -+ int start_pkt_ring_index; -+ u32 iocb_cnt = 0; - int rc = 0; -- u32 rsp_q_in; - - if (pkt->entry_count == 1) - return rc; -@@ -3726,34 +3725,18 @@ static int qla_chk_cont_iocb_avail(struct scsi_qla_host *vha, - else - start_pkt_ring_index = rsp->ring_index - 1; - -- if ((start_pkt_ring_index + pkt->entry_count) >= rsp->length) -- end_pkt_ring_index = start_pkt_ring_index + pkt->entry_count - -- rsp->length - 1; -+ if (rsp_q_in < start_pkt_ring_index) -+ /* q in ptr is wrapped */ -+ iocb_cnt = rsp->length - start_pkt_ring_index + rsp_q_in; - else -- end_pkt_ring_index = start_pkt_ring_index + pkt->entry_count - 1; -+ iocb_cnt = rsp_q_in - start_pkt_ring_index; - -- end_pkt = rsp->ring + end_pkt_ring_index; -- -- /* next pkt = end_pkt + 1 */ -- n_ring_index = end_pkt_ring_index + 1; -- if (n_ring_index >= rsp->length) -- n_ring_index = 0; -- -- rsp_q_in = rsp->qpair->use_shadow_reg ? *rsp->in_ptr : -- rd_reg_dword(rsp->rsp_q_in); -- -- /* rsp_q_in is either wrapped or pointing beyond endpkt */ -- if ((rsp_q_in < start_pkt_ring_index && rsp_q_in < n_ring_index) || -- rsp_q_in >= n_ring_index) -- /* all IOCBs arrived. */ -- rc = 0; -- else -+ if (iocb_cnt < pkt->entry_count) - rc = -EIO; - -- ql_dbg(ql_dbg_init + ql_dbg_verbose, vha, 0x5091, -- "%s - ring %p pkt %p end pkt %p entry count %#x rsp_q_in %d rc %d\n", -- __func__, rsp->ring, pkt, end_pkt, pkt->entry_count, -- rsp_q_in, rc); -+ ql_dbg(ql_dbg_init, vha, 0x5091, -+ "%s - ring %p pkt %p entry count %d iocb_cnt %d rsp_q_in %d rc %d\n", -+ __func__, rsp->ring, pkt, pkt->entry_count, iocb_cnt, rsp_q_in, rc); - - return rc; - } -@@ -3770,7 +3753,7 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha, - struct qla_hw_data *ha = vha->hw; - struct purex_entry_24xx *purex_entry; - struct purex_item *pure_item; -- u16 rsp_in = 0; -+ u16 rsp_in = 0, cur_ring_index; - int follow_inptr, is_shadow_hba; - - if (!ha->flags.fw_started) -@@ -3801,6 +3784,7 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha, - (!follow_inptr && - rsp->ring_ptr->signature != RESPONSE_PROCESSED)) { - pkt = (struct sts_entry_24xx *)rsp->ring_ptr; -+ cur_ring_index = rsp->ring_index; - - rsp->ring_index++; - if (rsp->ring_index == rsp->length) { -@@ -3921,7 +3905,17 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha, - break; - - case ELS_AUTH_ELS: -- if (qla_chk_cont_iocb_avail(vha, rsp, (response_t *)pkt)) { -+ if (qla_chk_cont_iocb_avail(vha, rsp, (response_t *)pkt, rsp_in)) { -+ /* -+ * ring_ptr and ring_index were -+ * pre-incremented above. Reset them -+ * back to current. Wait for next -+ * interrupt with all IOCBs to arrive -+ * and re-process. -+ */ -+ rsp->ring_ptr = (response_t *)pkt; -+ rsp->ring_index = cur_ring_index; -+ - ql_dbg(ql_dbg_init, vha, 0x5091, - "Defer processing ELS opcode %#x...\n", - purex_entry->els_frame_payload[3]); --- -2.35.1 - diff --git a/queue-5.19/scsi-qla2xxx-fix-crash-due-to-stale-srb-access-aroun.patch b/queue-5.19/scsi-qla2xxx-fix-crash-due-to-stale-srb-access-aroun.patch deleted file mode 100644 index 5b7c62806ce..00000000000 --- a/queue-5.19/scsi-qla2xxx-fix-crash-due-to-stale-srb-access-aroun.patch +++ /dev/null @@ -1,125 +0,0 @@ -From bbf97f698babaae6efec80f94f046833506fccf4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 15 Jun 2022 22:35:02 -0700 -Subject: scsi: qla2xxx: Fix crash due to stale SRB access around I/O timeouts - -From: Arun Easi - -[ Upstream commit c39587bc0abaf16593f7abcdf8aeec3c038c7d52 ] - -Ensure SRB is returned during I/O timeout error escalation. If that is not -possible fail the escalation path. - -Following crash stack was seen: - -BUG: unable to handle kernel paging request at 0000002f56aa90f8 -IP: qla_chk_edif_rx_sa_delete_pending+0x14/0x30 [qla2xxx] -Call Trace: - ? qla2x00_status_entry+0x19f/0x1c50 [qla2xxx] - ? qla2x00_start_sp+0x116/0x1170 [qla2xxx] - ? dma_pool_alloc+0x1d6/0x210 - ? mempool_alloc+0x54/0x130 - ? qla24xx_process_response_queue+0x548/0x12b0 [qla2xxx] - ? qla_do_work+0x2d/0x40 [qla2xxx] - ? process_one_work+0x14c/0x390 - -Link: https://lore.kernel.org/r/20220616053508.27186-6-njavali@marvell.com -Fixes: d74595278f4a ("scsi: qla2xxx: Add multiple queue pair functionality.") -Cc: stable@vger.kernel.org -Signed-off-by: Arun Easi -Signed-off-by: Nilesh Javali -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_os.c | 43 +++++++++++++++++++++++++---------- - 1 file changed, 31 insertions(+), 12 deletions(-) - -diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c -index 6fd5c21ad1f5..66f1723c8583 100644 ---- a/drivers/scsi/qla2xxx/qla_os.c -+++ b/drivers/scsi/qla2xxx/qla_os.c -@@ -1342,21 +1342,20 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd) - /* - * Returns: QLA_SUCCESS or QLA_FUNCTION_FAILED. - */ --int --qla2x00_eh_wait_for_pending_commands(scsi_qla_host_t *vha, unsigned int t, -- uint64_t l, enum nexus_wait_type type) -+static int -+__qla2x00_eh_wait_for_pending_commands(struct qla_qpair *qpair, unsigned int t, -+ uint64_t l, enum nexus_wait_type type) - { - int cnt, match, status; - unsigned long flags; -- struct qla_hw_data *ha = vha->hw; -- struct req_que *req; -+ scsi_qla_host_t *vha = qpair->vha; -+ struct req_que *req = qpair->req; - srb_t *sp; - struct scsi_cmnd *cmd; - - status = QLA_SUCCESS; - -- spin_lock_irqsave(&ha->hardware_lock, flags); -- req = vha->req; -+ spin_lock_irqsave(qpair->qp_lock_ptr, flags); - for (cnt = 1; status == QLA_SUCCESS && - cnt < req->num_outstanding_cmds; cnt++) { - sp = req->outstanding_cmds[cnt]; -@@ -1383,12 +1382,32 @@ qla2x00_eh_wait_for_pending_commands(scsi_qla_host_t *vha, unsigned int t, - if (!match) - continue; - -- spin_unlock_irqrestore(&ha->hardware_lock, flags); -+ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); - status = qla2x00_eh_wait_on_command(cmd); -- spin_lock_irqsave(&ha->hardware_lock, flags); -+ spin_lock_irqsave(qpair->qp_lock_ptr, flags); - } -- spin_unlock_irqrestore(&ha->hardware_lock, flags); -+ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); -+ -+ return status; -+} -+ -+int -+qla2x00_eh_wait_for_pending_commands(scsi_qla_host_t *vha, unsigned int t, -+ uint64_t l, enum nexus_wait_type type) -+{ -+ struct qla_qpair *qpair; -+ struct qla_hw_data *ha = vha->hw; -+ int i, status = QLA_SUCCESS; - -+ status = __qla2x00_eh_wait_for_pending_commands(ha->base_qpair, t, l, -+ type); -+ for (i = 0; status == QLA_SUCCESS && i < ha->max_qpairs; i++) { -+ qpair = ha->queue_pair_map[i]; -+ if (!qpair) -+ continue; -+ status = __qla2x00_eh_wait_for_pending_commands(qpair, t, l, -+ type); -+ } - return status; - } - -@@ -1425,7 +1444,7 @@ qla2xxx_eh_device_reset(struct scsi_cmnd *cmd) - return err; - - if (fcport->deleted) -- return SUCCESS; -+ return FAILED; - - ql_log(ql_log_info, vha, 0x8009, - "DEVICE RESET ISSUED nexus=%ld:%d:%llu cmd=%p.\n", vha->host_no, -@@ -1493,7 +1512,7 @@ qla2xxx_eh_target_reset(struct scsi_cmnd *cmd) - return err; - - if (fcport->deleted) -- return SUCCESS; -+ return FAILED; - - ql_log(ql_log_info, vha, 0x8009, - "TARGET RESET ISSUED nexus=%ld:%d cmd=%p.\n", vha->host_no, --- -2.35.1 - diff --git a/queue-5.19/scsi-qla2xxx-fix-discovery-issues-in-fc-al-topology.patch-25366 b/queue-5.19/scsi-qla2xxx-fix-discovery-issues-in-fc-al-topology.patch-25366 deleted file mode 100644 index a3d472a623d..00000000000 --- a/queue-5.19/scsi-qla2xxx-fix-discovery-issues-in-fc-al-topology.patch-25366 +++ /dev/null @@ -1,116 +0,0 @@ -From 6cfb8ba3f898fc966bba265d8baccb83d66f73f3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 12 Jul 2022 22:20:42 -0700 -Subject: scsi: qla2xxx: Fix discovery issues in FC-AL topology - -From: Arun Easi - -[ Upstream commit 47ccb113cead905bdc236571bf8ac6fed90321b3 ] - -A direct attach tape device, when gets swapped with another, was not -discovered. Fix this by looking at loop map and reinitialize link if there -are devices present. - -Link: https://lore.kernel.org/linux-scsi/baef87c3-5dad-3b47-44c1-6914bfc90108@cybernetics.com/ -Link: https://lore.kernel.org/r/20220713052045.10683-8-njavali@marvell.com -Cc: stable@vger.kernel.org -Reported-by: Tony Battersby -Tested-by: Tony Battersby -Reviewed-by: Himanshu Madhani -Signed-off-by: Arun Easi -Signed-off-by: Nilesh Javali -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_gbl.h | 3 ++- - drivers/scsi/qla2xxx/qla_init.c | 29 +++++++++++++++++++++++++++++ - drivers/scsi/qla2xxx/qla_mbx.c | 5 ++++- - 3 files changed, 35 insertions(+), 2 deletions(-) - -diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h -index a211ed18d4e9..1c2c161b4e9f 100644 ---- a/drivers/scsi/qla2xxx/qla_gbl.h -+++ b/drivers/scsi/qla2xxx/qla_gbl.h -@@ -435,7 +435,8 @@ extern int - qla2x00_get_resource_cnts(scsi_qla_host_t *); - - extern int --qla2x00_get_fcal_position_map(scsi_qla_host_t *ha, char *pos_map); -+qla2x00_get_fcal_position_map(scsi_qla_host_t *ha, char *pos_map, -+ u8 *num_entries); - - extern int - qla2x00_get_link_status(scsi_qla_host_t *, uint16_t, struct link_statistics *, -diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c -index f8a7b6f2541e..7b78d331aabd 100644 ---- a/drivers/scsi/qla2xxx/qla_init.c -+++ b/drivers/scsi/qla2xxx/qla_init.c -@@ -5505,6 +5505,22 @@ static int qla2x00_configure_n2n_loop(scsi_qla_host_t *vha) - return QLA_FUNCTION_FAILED; - } - -+static void -+qla_reinitialize_link(scsi_qla_host_t *vha) -+{ -+ int rval; -+ -+ atomic_set(&vha->loop_state, LOOP_DOWN); -+ atomic_set(&vha->loop_down_timer, LOOP_DOWN_TIME); -+ rval = qla2x00_full_login_lip(vha); -+ if (rval == QLA_SUCCESS) { -+ ql_dbg(ql_dbg_disc, vha, 0xd050, "Link reinitialized\n"); -+ } else { -+ ql_dbg(ql_dbg_disc, vha, 0xd051, -+ "Link reinitialization failed (%d)\n", rval); -+ } -+} -+ - /* - * qla2x00_configure_local_loop - * Updates Fibre Channel Device Database with local loop devices. -@@ -5556,6 +5572,19 @@ qla2x00_configure_local_loop(scsi_qla_host_t *vha) - spin_unlock_irqrestore(&vha->work_lock, flags); - - if (vha->scan.scan_retry < MAX_SCAN_RETRIES) { -+ u8 loop_map_entries = 0; -+ int rc; -+ -+ rc = qla2x00_get_fcal_position_map(vha, NULL, -+ &loop_map_entries); -+ if (rc == QLA_SUCCESS && loop_map_entries > 1) { -+ /* -+ * There are devices that are still not logged -+ * in. Reinitialize to give them a chance. -+ */ -+ qla_reinitialize_link(vha); -+ return QLA_FUNCTION_FAILED; -+ } - set_bit(LOCAL_LOOP_UPDATE, &vha->dpc_flags); - set_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags); - } -diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c -index bcade1deb798..86d8c455c07a 100644 ---- a/drivers/scsi/qla2xxx/qla_mbx.c -+++ b/drivers/scsi/qla2xxx/qla_mbx.c -@@ -3068,7 +3068,8 @@ qla2x00_get_resource_cnts(scsi_qla_host_t *vha) - * Kernel context. - */ - int --qla2x00_get_fcal_position_map(scsi_qla_host_t *vha, char *pos_map) -+qla2x00_get_fcal_position_map(scsi_qla_host_t *vha, char *pos_map, -+ u8 *num_entries) - { - int rval; - mbx_cmd_t mc; -@@ -3108,6 +3109,8 @@ qla2x00_get_fcal_position_map(scsi_qla_host_t *vha, char *pos_map) - - if (pos_map) - memcpy(pos_map, pmap, FCAL_MAP_SIZE); -+ if (num_entries) -+ *num_entries = pmap[0]; - } - dma_pool_free(ha->s_dma_pool, pmap, pmap_dma); - --- -2.35.1 - diff --git a/queue-5.19/scsi-qla2xxx-fix-erroneous-mailbox-timeout-after-pci.patch b/queue-5.19/scsi-qla2xxx-fix-erroneous-mailbox-timeout-after-pci.patch deleted file mode 100644 index bd8146c30b9..00000000000 --- a/queue-5.19/scsi-qla2xxx-fix-erroneous-mailbox-timeout-after-pci.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 60e461e5c6fe788bcc728e8b17d25dfb9f1c8be4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 15 Jun 2022 22:35:07 -0700 -Subject: scsi: qla2xxx: Fix erroneous mailbox timeout after PCI error - injection - -From: Quinn Tran - -[ Upstream commit f260694e6463b63ae550aad25ddefe94cb1904da ] - -Clear wait for mailbox interrupt flag to prevent stale mailbox: - -Feb 22 05:22:56 ltcden4-lp7 kernel: qla2xxx [0135:90:00.1]-500a:4: LOOP UP detected (16 Gbps). -Feb 22 05:22:59 ltcden4-lp7 kernel: qla2xxx [0135:90:00.1]-d04c:4: MBX Command timeout for cmd 69, ... - -To fix the issue, driver needs to clear the MBX_INTR_WAIT flag on purging -the mailbox. When the stale mailbox completion does arrive, it will be -dropped. - -Link: https://lore.kernel.org/r/20220616053508.27186-11-njavali@marvell.com -Fixes: b6faaaf796d7 ("scsi: qla2xxx: Serialize mailbox request") -Cc: Naresh Bannoth -Cc: Kyle Mahlkuch -Cc: stable@vger.kernel.org -Reported-by: Naresh Bannoth -Tested-by: Naresh Bannoth -Signed-off-by: Quinn Tran -Signed-off-by: Nilesh Javali -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_mbx.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c -index 892caf2475df..1b154ab025bd 100644 ---- a/drivers/scsi/qla2xxx/qla_mbx.c -+++ b/drivers/scsi/qla2xxx/qla_mbx.c -@@ -274,6 +274,12 @@ qla2x00_mailbox_command(scsi_qla_host_t *vha, mbx_cmd_t *mcp) - atomic_inc(&ha->num_pend_mbx_stage3); - if (!wait_for_completion_timeout(&ha->mbx_intr_comp, - mcp->tov * HZ)) { -+ ql_dbg(ql_dbg_mbx, vha, 0x117a, -+ "cmd=%x Timeout.\n", command); -+ spin_lock_irqsave(&ha->hardware_lock, flags); -+ clear_bit(MBX_INTR_WAIT, &ha->mbx_cmd_flags); -+ spin_unlock_irqrestore(&ha->hardware_lock, flags); -+ - if (chip_reset != ha->chip_reset) { - eeh_delay = ha->flags.eeh_busy ? 1 : 0; - -@@ -286,12 +292,6 @@ qla2x00_mailbox_command(scsi_qla_host_t *vha, mbx_cmd_t *mcp) - rval = QLA_ABORTED; - goto premature_exit; - } -- ql_dbg(ql_dbg_mbx, vha, 0x117a, -- "cmd=%x Timeout.\n", command); -- spin_lock_irqsave(&ha->hardware_lock, flags); -- clear_bit(MBX_INTR_WAIT, &ha->mbx_cmd_flags); -- spin_unlock_irqrestore(&ha->hardware_lock, flags); -- - } else if (ha->flags.purge_mbox || - chip_reset != ha->chip_reset) { - eeh_delay = ha->flags.eeh_busy ? 1 : 0; --- -2.35.1 - diff --git a/queue-5.19/scsi-qla2xxx-fix-excessive-i-o-error-messages-by-def.patch b/queue-5.19/scsi-qla2xxx-fix-excessive-i-o-error-messages-by-def.patch deleted file mode 100644 index 7bb70e0861c..00000000000 --- a/queue-5.19/scsi-qla2xxx-fix-excessive-i-o-error-messages-by-def.patch +++ /dev/null @@ -1,48 +0,0 @@ -From a46bb1ecd095c0bbfe78b1da5476ebd6575afc56 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 15 Jun 2022 22:34:58 -0700 -Subject: scsi: qla2xxx: Fix excessive I/O error messages by default - -From: Arun Easi - -[ Upstream commit bff4873c709085e09d0ffae0c25b8e65256e3205 ] - -Disable printing I/O error messages by default. The messages will be -printed only when logging was enabled. - -Link: https://lore.kernel.org/r/20220616053508.27186-2-njavali@marvell.com -Fixes: 8e2d81c6b5be ("scsi: qla2xxx: Fix excessive messages during device logout") -Cc: stable@vger.kernel.org -Signed-off-by: Arun Easi -Signed-off-by: Nilesh Javali -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_isr.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c -index 21b31d6359c8..ae47fc559ae0 100644 ---- a/drivers/scsi/qla2xxx/qla_isr.c -+++ b/drivers/scsi/qla2xxx/qla_isr.c -@@ -2639,7 +2639,7 @@ static void qla24xx_nvme_iocb_entry(scsi_qla_host_t *vha, struct req_que *req, - } - - if (unlikely(logit)) -- ql_log(ql_dbg_io, fcport->vha, 0x5060, -+ ql_dbg(ql_dbg_io, fcport->vha, 0x5060, - "NVME-%s ERR Handling - hdl=%x status(%x) tr_len:%x resid=%x ox_id=%x\n", - sp->name, sp->handle, comp_status, - fd->transferred_length, le32_to_cpu(sts->residual_len), -@@ -3496,7 +3496,7 @@ qla2x00_status_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, void *pkt) - - out: - if (logit) -- ql_log(ql_dbg_io, fcport->vha, 0x3022, -+ ql_dbg(ql_dbg_io, fcport->vha, 0x3022, - "FCP command status: 0x%x-0x%x (0x%x) nexus=%ld:%d:%llu portid=%02x%02x%02x oxid=0x%x cdb=%10phN len=0x%x rsp_info=0x%x resid=0x%x fw_resid=0x%x sp=%p cp=%p.\n", - comp_status, scsi_status, res, vha->host_no, - cp->device->id, cp->device->lun, fcport->d_id.b.domain, --- -2.35.1 - diff --git a/queue-5.19/scsi-qla2xxx-fix-imbalance-vha-vref_count.patch-12738 b/queue-5.19/scsi-qla2xxx-fix-imbalance-vha-vref_count.patch-12738 deleted file mode 100644 index 5a7130ded66..00000000000 --- a/queue-5.19/scsi-qla2xxx-fix-imbalance-vha-vref_count.patch-12738 +++ /dev/null @@ -1,61 +0,0 @@ -From 484e602f833c764c9bb58e8b43c1c64302a8814b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 12 Jul 2022 22:20:41 -0700 -Subject: scsi: qla2xxx: Fix imbalance vha->vref_count - -From: Quinn Tran - -[ Upstream commit 63fa7f2644b4b48e1913af33092c044bf48e9321 ] - -vref_count took an extra decrement in the task management path. Add an -extra ref count to compensate the imbalance. - -Link: https://lore.kernel.org/r/20220713052045.10683-7-njavali@marvell.com -Cc: stable@vger.kernel.org -Reviewed-by: Himanshu Madhani -Signed-off-by: Quinn Tran -Signed-off-by: Nilesh Javali -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_init.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c -index ef6857ad148d..f8a7b6f2541e 100644 ---- a/drivers/scsi/qla2xxx/qla_init.c -+++ b/drivers/scsi/qla2xxx/qla_init.c -@@ -168,6 +168,7 @@ int qla24xx_async_abort_cmd(srb_t *cmd_sp, bool wait) - struct srb_iocb *abt_iocb; - srb_t *sp; - int rval = QLA_FUNCTION_FAILED; -+ uint8_t bail; - - /* ref: INIT for ABTS command */ - sp = qla2xxx_get_qpair_sp(cmd_sp->vha, cmd_sp->qpair, cmd_sp->fcport, -@@ -175,6 +176,7 @@ int qla24xx_async_abort_cmd(srb_t *cmd_sp, bool wait) - if (!sp) - return QLA_MEMORY_ALLOC_FAILED; - -+ QLA_VHA_MARK_BUSY(vha, bail); - abt_iocb = &sp->u.iocb_cmd; - sp->type = SRB_ABT_CMD; - sp->name = "abort"; -@@ -2011,12 +2013,14 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, uint32_t flags, uint32_t lun, - struct srb_iocb *tm_iocb; - srb_t *sp; - int rval = QLA_FUNCTION_FAILED; -+ uint8_t bail; - - /* ref: INIT */ - sp = qla2x00_get_sp(vha, fcport, GFP_KERNEL); - if (!sp) - goto done; - -+ QLA_VHA_MARK_BUSY(vha, bail); - sp->type = SRB_TM_CMD; - sp->name = "tmf"; - qla2x00_init_async_sp(sp, qla2x00_get_async_timeout(vha), --- -2.35.1 - diff --git a/queue-5.19/scsi-qla2xxx-fix-incorrect-display-of-max-frame-size.patch-30577 b/queue-5.19/scsi-qla2xxx-fix-incorrect-display-of-max-frame-size.patch-30577 deleted file mode 100644 index 5434137db68..00000000000 --- a/queue-5.19/scsi-qla2xxx-fix-incorrect-display-of-max-frame-size.patch-30577 +++ /dev/null @@ -1,110 +0,0 @@ -From 8624f3a1810a248525365cbad29b1bfc9356ec61 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 12 Jul 2022 22:20:37 -0700 -Subject: scsi: qla2xxx: Fix incorrect display of max frame size - -From: Bikash Hazarika - -[ Upstream commit cf3b4fb655796674e605268bd4bfb47a47c8bce6 ] - -Replace display field with the correct field. - -Link: https://lore.kernel.org/r/20220713052045.10683-3-njavali@marvell.com -Fixes: 8777e4314d39 ("scsi: qla2xxx: Migrate NVME N2N handling into state machine") -Cc: stable@vger.kernel.org -Reviewed-by: Himanshu Madhani -Signed-off-by: Bikash Hazarika -Signed-off-by: Nilesh Javali -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_def.h | 1 + - drivers/scsi/qla2xxx/qla_gs.c | 9 +++------ - drivers/scsi/qla2xxx/qla_init.c | 2 ++ - drivers/scsi/qla2xxx/qla_isr.c | 4 +--- - 4 files changed, 7 insertions(+), 9 deletions(-) - -diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h -index 77ef82df6d4d..5d594c82d14c 100644 ---- a/drivers/scsi/qla2xxx/qla_def.h -+++ b/drivers/scsi/qla2xxx/qla_def.h -@@ -3975,6 +3975,7 @@ struct qla_hw_data { - /* SRB cache. */ - #define SRB_MIN_REQ 128 - mempool_t *srb_mempool; -+ u8 port_name[WWN_SIZE]; - - volatile struct { - uint32_t mbox_int :1; -diff --git a/drivers/scsi/qla2xxx/qla_gs.c b/drivers/scsi/qla2xxx/qla_gs.c -index f56b578475ba..c999221912e5 100644 ---- a/drivers/scsi/qla2xxx/qla_gs.c -+++ b/drivers/scsi/qla2xxx/qla_gs.c -@@ -1596,7 +1596,6 @@ qla2x00_hba_attributes(scsi_qla_host_t *vha, void *entries, - unsigned int callopt) - { - struct qla_hw_data *ha = vha->hw; -- struct init_cb_24xx *icb24 = (void *)ha->init_cb; - struct new_utsname *p_sysid = utsname(); - struct ct_fdmi_hba_attr *eiter; - uint16_t alen; -@@ -1758,8 +1757,8 @@ qla2x00_hba_attributes(scsi_qla_host_t *vha, void *entries, - /* MAX CT Payload Length */ - eiter = entries + size; - eiter->type = cpu_to_be16(FDMI_HBA_MAXIMUM_CT_PAYLOAD_LENGTH); -- eiter->a.max_ct_len = cpu_to_be32(le16_to_cpu(IS_FWI2_CAPABLE(ha) ? -- icb24->frame_payload_size : ha->init_cb->frame_payload_size)); -+ eiter->a.max_ct_len = cpu_to_be32(ha->frame_payload_size >> 2); -+ - alen = sizeof(eiter->a.max_ct_len); - alen += FDMI_ATTR_TYPELEN(eiter); - eiter->len = cpu_to_be16(alen); -@@ -1851,7 +1850,6 @@ qla2x00_port_attributes(scsi_qla_host_t *vha, void *entries, - unsigned int callopt) - { - struct qla_hw_data *ha = vha->hw; -- struct init_cb_24xx *icb24 = (void *)ha->init_cb; - struct new_utsname *p_sysid = utsname(); - char *hostname = p_sysid ? - p_sysid->nodename : fc_host_system_hostname(vha->host); -@@ -1903,8 +1901,7 @@ qla2x00_port_attributes(scsi_qla_host_t *vha, void *entries, - /* Max frame size. */ - eiter = entries + size; - eiter->type = cpu_to_be16(FDMI_PORT_MAX_FRAME_SIZE); -- eiter->a.max_frame_size = cpu_to_be32(le16_to_cpu(IS_FWI2_CAPABLE(ha) ? -- icb24->frame_payload_size : ha->init_cb->frame_payload_size)); -+ eiter->a.max_frame_size = cpu_to_be32(ha->frame_payload_size); - alen = sizeof(eiter->a.max_frame_size); - alen += FDMI_ATTR_TYPELEN(eiter); - eiter->len = cpu_to_be16(alen); -diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c -index ad96bc19ed05..ef6857ad148d 100644 ---- a/drivers/scsi/qla2xxx/qla_init.c -+++ b/drivers/scsi/qla2xxx/qla_init.c -@@ -4520,6 +4520,8 @@ qla2x00_init_rings(scsi_qla_host_t *vha) - BIT_6) != 0; - ql_dbg(ql_dbg_init, vha, 0x00bc, "FA-WWPN Support: %s.\n", - (ha->flags.fawwpn_enabled) ? "enabled" : "disabled"); -+ /* Init_cb will be reused for other command(s). Save a backup copy of port_name */ -+ memcpy(ha->port_name, ha->init_cb->port_name, WWN_SIZE); - } - - /* ELS pass through payload is limit by frame size. */ -diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c -index 5f2949e03fc8..fc252dbfb0bf 100644 ---- a/drivers/scsi/qla2xxx/qla_isr.c -+++ b/drivers/scsi/qla2xxx/qla_isr.c -@@ -1354,9 +1354,7 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb) - if (!vha->vp_idx) { - if (ha->flags.fawwpn_enabled && - (ha->current_topology == ISP_CFG_F)) { -- void *wwpn = ha->init_cb->port_name; -- -- memcpy(vha->port_name, wwpn, WWN_SIZE); -+ memcpy(vha->port_name, ha->port_name, WWN_SIZE); - fc_host_port_name(vha->host) = - wwn_to_u64(vha->port_name); - ql_dbg(ql_dbg_init + ql_dbg_verbose, --- -2.35.1 - diff --git a/queue-5.19/scsi-qla2xxx-fix-losing-fcp-2-targets-during-port-pe.patch b/queue-5.19/scsi-qla2xxx-fix-losing-fcp-2-targets-during-port-pe.patch deleted file mode 100644 index 270ba67f2ac..00000000000 --- a/queue-5.19/scsi-qla2xxx-fix-losing-fcp-2-targets-during-port-pe.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 784659d081ede75e363b4ecc62e6719d952efee0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 15 Jun 2022 22:35:03 -0700 -Subject: scsi: qla2xxx: Fix losing FCP-2 targets during port perturbation - tests - -From: Arun Easi - -[ Upstream commit 58d1c124cd79ea686b512043c5bd515590b2ed95 ] - -When a mix of FCP-2 (tape) and non-FCP-2 targets are present, FCP-2 target -state was incorrectly transitioned when both of the targets were gone. Fix -this by ignoring state transition for FCP-2 targets. - -Link: https://lore.kernel.org/r/20220616053508.27186-7-njavali@marvell.com -Fixes: 44c57f205876 ("scsi: qla2xxx: Changes to support FCP2 Target") -Cc: stable@vger.kernel.org -Signed-off-by: Arun Easi -Signed-off-by: Nilesh Javali -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_gs.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/scsi/qla2xxx/qla_gs.c b/drivers/scsi/qla2xxx/qla_gs.c -index e811de2f6a25..f56b578475ba 100644 ---- a/drivers/scsi/qla2xxx/qla_gs.c -+++ b/drivers/scsi/qla2xxx/qla_gs.c -@@ -3578,7 +3578,7 @@ void qla24xx_async_gnnft_done(scsi_qla_host_t *vha, srb_t *sp) - do_delete) { - if (fcport->loop_id != FC_NO_LOOP_ID) { - if (fcport->flags & FCF_FCP2_DEVICE) -- fcport->logout_on_delete = 0; -+ continue; - - ql_log(ql_log_warn, vha, 0x20f0, - "%s %d %8phC post del sess\n", --- -2.35.1 - diff --git a/queue-5.19/scsi-qla2xxx-fix-losing-fcp-2-targets-on-long-port-d.patch b/queue-5.19/scsi-qla2xxx-fix-losing-fcp-2-targets-on-long-port-d.patch deleted file mode 100644 index 5eeb237a61f..00000000000 --- a/queue-5.19/scsi-qla2xxx-fix-losing-fcp-2-targets-on-long-port-d.patch +++ /dev/null @@ -1,72 +0,0 @@ -From f71cffc3a88951cfc872dd7ad62e3145f7852d5d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 15 Jun 2022 22:35:06 -0700 -Subject: scsi: qla2xxx: Fix losing FCP-2 targets on long port disable with - I/Os - -From: Arun Easi - -[ Upstream commit 2416ccd3815ba1613e10a6da0a24ef21acfe5633 ] - -FCP-2 devices were not coming back online once they were lost, login -retries exhausted, and then came back up. Fix this by accepting RSCN when -the device is not online. - -Link: https://lore.kernel.org/r/20220616053508.27186-10-njavali@marvell.com -Fixes: 44c57f205876 ("scsi: qla2xxx: Changes to support FCP2 Target") -Cc: stable@vger.kernel.org -Signed-off-by: Arun Easi -Signed-off-by: Nilesh Javali -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_init.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c -index 88ca398be485..b6c3f66c4988 100644 ---- a/drivers/scsi/qla2xxx/qla_init.c -+++ b/drivers/scsi/qla2xxx/qla_init.c -@@ -1825,7 +1825,8 @@ void qla2x00_handle_rscn(scsi_qla_host_t *vha, struct event_arg *ea) - case RSCN_PORT_ADDR: - fcport = qla2x00_find_fcport_by_nportid(vha, &ea->id, 1); - if (fcport) { -- if (fcport->flags & FCF_FCP2_DEVICE) { -+ if (fcport->flags & FCF_FCP2_DEVICE && -+ atomic_read(&fcport->state) == FCS_ONLINE) { - ql_dbg(ql_dbg_disc, vha, 0x2115, - "Delaying session delete for FCP2 portid=%06x %8phC ", - fcport->d_id.b24, fcport->port_name); -@@ -1857,7 +1858,8 @@ void qla2x00_handle_rscn(scsi_qla_host_t *vha, struct event_arg *ea) - break; - case RSCN_AREA_ADDR: - list_for_each_entry(fcport, &vha->vp_fcports, list) { -- if (fcport->flags & FCF_FCP2_DEVICE) -+ if (fcport->flags & FCF_FCP2_DEVICE && -+ atomic_read(&fcport->state) == FCS_ONLINE) - continue; - - if ((ea->id.b24 & 0xffff00) == (fcport->d_id.b24 & 0xffff00)) { -@@ -1868,7 +1870,8 @@ void qla2x00_handle_rscn(scsi_qla_host_t *vha, struct event_arg *ea) - break; - case RSCN_DOM_ADDR: - list_for_each_entry(fcport, &vha->vp_fcports, list) { -- if (fcport->flags & FCF_FCP2_DEVICE) -+ if (fcport->flags & FCF_FCP2_DEVICE && -+ atomic_read(&fcport->state) == FCS_ONLINE) - continue; - - if ((ea->id.b24 & 0xff0000) == (fcport->d_id.b24 & 0xff0000)) { -@@ -1880,7 +1883,8 @@ void qla2x00_handle_rscn(scsi_qla_host_t *vha, struct event_arg *ea) - case RSCN_FAB_ADDR: - default: - list_for_each_entry(fcport, &vha->vp_fcports, list) { -- if (fcport->flags & FCF_FCP2_DEVICE) -+ if (fcport->flags & FCF_FCP2_DEVICE && -+ atomic_read(&fcport->state) == FCS_ONLINE) - continue; - - fcport->scan_needed = 1; --- -2.35.1 - diff --git a/queue-5.19/scsi-qla2xxx-fix-losing-target-when-it-reappears-dur.patch b/queue-5.19/scsi-qla2xxx-fix-losing-target-when-it-reappears-dur.patch deleted file mode 100644 index 608b7920cc9..00000000000 --- a/queue-5.19/scsi-qla2xxx-fix-losing-target-when-it-reappears-dur.patch +++ /dev/null @@ -1,84 +0,0 @@ -From ec0466138dab2ba0b7570578a316aef299cf25a8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 15 Jun 2022 22:35:04 -0700 -Subject: scsi: qla2xxx: Fix losing target when it reappears during delete - -From: Arun Easi - -[ Upstream commit 118b0c863c8f5629cc5271fc24d72d926e0715d9 ] - -FC target disappeared during port perturbation tests due to a race that -tramples target state. Fix the issue by adding state checks before -proceeding. - -Link: https://lore.kernel.org/r/20220616053508.27186-8-njavali@marvell.com -Fixes: 44c57f205876 ("scsi: qla2xxx: Changes to support FCP2 Target") -Cc: stable@vger.kernel.org -Signed-off-by: Arun Easi -Signed-off-by: Nilesh Javali -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_attr.c | 24 +++++++++++++++++------- - 1 file changed, 17 insertions(+), 7 deletions(-) - -diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c -index 3b3e4234f37a..412ad888bdc1 100644 ---- a/drivers/scsi/qla2xxx/qla_attr.c -+++ b/drivers/scsi/qla2xxx/qla_attr.c -@@ -2716,17 +2716,24 @@ qla2x00_dev_loss_tmo_callbk(struct fc_rport *rport) - if (!fcport) - return; - -- /* Now that the rport has been deleted, set the fcport state to -- FCS_DEVICE_DEAD */ -- qla2x00_set_fcport_state(fcport, FCS_DEVICE_DEAD); -+ -+ /* -+ * Now that the rport has been deleted, set the fcport state to -+ * FCS_DEVICE_DEAD, if the fcport is still lost. -+ */ -+ if (fcport->scan_state != QLA_FCPORT_FOUND) -+ qla2x00_set_fcport_state(fcport, FCS_DEVICE_DEAD); - - /* - * Transport has effectively 'deleted' the rport, clear - * all local references. - */ - spin_lock_irqsave(host->host_lock, flags); -- fcport->rport = fcport->drport = NULL; -- *((fc_port_t **)rport->dd_data) = NULL; -+ /* Confirm port has not reappeared before clearing pointers. */ -+ if (rport->port_state != FC_PORTSTATE_ONLINE) { -+ fcport->rport = fcport->drport = NULL; -+ *((fc_port_t **)rport->dd_data) = NULL; -+ } - spin_unlock_irqrestore(host->host_lock, flags); - - if (test_bit(ABORT_ISP_ACTIVE, &fcport->vha->dpc_flags)) -@@ -2759,9 +2766,12 @@ qla2x00_terminate_rport_io(struct fc_rport *rport) - /* - * At this point all fcport's software-states are cleared. Perform any - * final cleanup of firmware resources (PCBs and XCBs). -+ * -+ * Attempt to cleanup only lost devices. - */ - if (fcport->loop_id != FC_NO_LOOP_ID) { -- if (IS_FWI2_CAPABLE(fcport->vha->hw)) { -+ if (IS_FWI2_CAPABLE(fcport->vha->hw) && -+ fcport->scan_state != QLA_FCPORT_FOUND) { - if (fcport->loop_id != FC_NO_LOOP_ID) - fcport->logout_on_delete = 1; - -@@ -2771,7 +2781,7 @@ qla2x00_terminate_rport_io(struct fc_rport *rport) - __LINE__); - qlt_schedule_sess_for_deletion(fcport); - } -- } else { -+ } else if (!IS_FWI2_CAPABLE(fcport->vha->hw)) { - qla2x00_port_logout(fcport->vha, fcport); - } - } --- -2.35.1 - diff --git a/queue-5.19/scsi-qla2xxx-fix-response-queue-handler-reading-stal.patch b/queue-5.19/scsi-qla2xxx-fix-response-queue-handler-reading-stal.patch deleted file mode 100644 index 36ca2374bfe..00000000000 --- a/queue-5.19/scsi-qla2xxx-fix-response-queue-handler-reading-stal.patch +++ /dev/null @@ -1,128 +0,0 @@ -From 3cd334b11de490fefa146ff75313d30f8c9f75a6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 12 Jul 2022 22:20:39 -0700 -Subject: scsi: qla2xxx: Fix response queue handler reading stale packets - -From: Arun Easi - -[ Upstream commit b1f707146923335849fb70237eec27d4d1ae7d62 ] - -On some platforms, the current logic of relying on finding new packet -solely based on signature pattern can lead to driver reading stale -packets. Though this is a bug in those platforms, reduce such exposures by -limiting reading packets until the IN pointer. - -Two module parameters are introduced: - - ql2xrspq_follow_inptr: - - When set, on newer adapters that has queue pointer shadowing, look for - response packets only until response queue in pointer. - - When reset, response packets are read based on a signature pattern - logic (old way). - - ql2xrspq_follow_inptr_legacy: - - Like ql2xrspq_follow_inptr, but for those adapters where there is no - queue pointer shadowing. - -Link: https://lore.kernel.org/r/20220713052045.10683-5-njavali@marvell.com -Cc: stable@vger.kernel.org -Reviewed-by: Himanshu Madhani -Signed-off-by: Arun Easi -Signed-off-by: Nilesh Javali -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_gbl.h | 2 ++ - drivers/scsi/qla2xxx/qla_isr.c | 24 +++++++++++++++++++++++- - drivers/scsi/qla2xxx/qla_os.c | 10 ++++++++++ - 3 files changed, 35 insertions(+), 1 deletion(-) - -diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h -index dac27b5ff0ac..a211ed18d4e9 100644 ---- a/drivers/scsi/qla2xxx/qla_gbl.h -+++ b/drivers/scsi/qla2xxx/qla_gbl.h -@@ -193,6 +193,8 @@ extern int ql2xsecenable; - extern int ql2xenforce_iocb_limit; - extern int ql2xabts_wait_nvme; - extern u32 ql2xnvme_queues; -+extern int ql2xrspq_follow_inptr; -+extern int ql2xrspq_follow_inptr_legacy; - - extern int qla2x00_loop_reset(scsi_qla_host_t *); - extern void qla2x00_abort_all_cmds(scsi_qla_host_t *, int); -diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c -index fc252dbfb0bf..1353a5b61c14 100644 ---- a/drivers/scsi/qla2xxx/qla_isr.c -+++ b/drivers/scsi/qla2xxx/qla_isr.c -@@ -3770,6 +3770,8 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha, - struct qla_hw_data *ha = vha->hw; - struct purex_entry_24xx *purex_entry; - struct purex_item *pure_item; -+ u16 rsp_in = 0; -+ int follow_inptr, is_shadow_hba; - - if (!ha->flags.fw_started) - return; -@@ -3779,7 +3781,25 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha, - qla_cpu_update(rsp->qpair, smp_processor_id()); - } - -- while (rsp->ring_ptr->signature != RESPONSE_PROCESSED) { -+#define __update_rsp_in(_update, _is_shadow_hba, _rsp, _rsp_in) \ -+ do { \ -+ if (_update) { \ -+ _rsp_in = _is_shadow_hba ? *(_rsp)->in_ptr : \ -+ rd_reg_dword_relaxed((_rsp)->rsp_q_in); \ -+ } \ -+ } while (0) -+ -+ is_shadow_hba = IS_SHADOW_REG_CAPABLE(ha); -+ follow_inptr = is_shadow_hba ? ql2xrspq_follow_inptr : -+ ql2xrspq_follow_inptr_legacy; -+ -+ __update_rsp_in(follow_inptr, is_shadow_hba, rsp, rsp_in); -+ -+ while ((likely(follow_inptr && -+ rsp->ring_index != rsp_in && -+ rsp->ring_ptr->signature != RESPONSE_PROCESSED)) || -+ (!follow_inptr && -+ rsp->ring_ptr->signature != RESPONSE_PROCESSED)) { - pkt = (struct sts_entry_24xx *)rsp->ring_ptr; - - rsp->ring_index++; -@@ -3892,6 +3912,8 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha, - } - pure_item = qla27xx_copy_fpin_pkt(vha, - (void **)&pkt, &rsp); -+ __update_rsp_in(follow_inptr, is_shadow_hba, -+ rsp, rsp_in); - if (!pure_item) - break; - qla24xx_queue_purex_item(vha, pure_item, -diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c -index 66f1723c8583..0bbb48d31441 100644 ---- a/drivers/scsi/qla2xxx/qla_os.c -+++ b/drivers/scsi/qla2xxx/qla_os.c -@@ -338,6 +338,16 @@ module_param(ql2xdelay_before_pci_error_handling, uint, 0644); - MODULE_PARM_DESC(ql2xdelay_before_pci_error_handling, - "Number of seconds delayed before qla begin PCI error self-handling (default: 5).\n"); - -+int ql2xrspq_follow_inptr = 1; -+module_param(ql2xrspq_follow_inptr, int, 0644); -+MODULE_PARM_DESC(ql2xrspq_follow_inptr, -+ "Follow RSP IN pointer for RSP updates for HBAs 27xx and newer (default: 1)."); -+ -+int ql2xrspq_follow_inptr_legacy = 1; -+module_param(ql2xrspq_follow_inptr_legacy, int, 0644); -+MODULE_PARM_DESC(ql2xrspq_follow_inptr_legacy, -+ "Follow RSP IN pointer for RSP updates for HBAs older than 27XX. (default: 1)."); -+ - static void qla2x00_clear_drv_active(struct qla_hw_data *); - static void qla2x00_free_device(scsi_qla_host_t *); - static int qla2xxx_map_queues(struct Scsi_Host *shost); --- -2.35.1 - diff --git a/queue-5.19/scsi-qla2xxx-turn-off-multi-queue-for-8g-adapters.patch-20754 b/queue-5.19/scsi-qla2xxx-turn-off-multi-queue-for-8g-adapters.patch-20754 deleted file mode 100644 index 5c464067b79..00000000000 --- a/queue-5.19/scsi-qla2xxx-turn-off-multi-queue-for-8g-adapters.patch-20754 +++ /dev/null @@ -1,68 +0,0 @@ -From 707c5b307f91b8248188d891e19d58b2f5511157 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 15 Jun 2022 22:35:01 -0700 -Subject: scsi: qla2xxx: Turn off multi-queue for 8G adapters - -From: Quinn Tran - -[ Upstream commit 5304673bdb1635e27555bd636fd5d6956f1cd552 ] - -For 8G adapters, multi-queue was enabled accidentally. Make sure -multi-queue is not enabled. - -Link: https://lore.kernel.org/r/20220616053508.27186-5-njavali@marvell.com -Cc: stable@vger.kernel.org -Signed-off-by: Quinn Tran -Signed-off-by: Nilesh Javali -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_def.h | 4 ++-- - drivers/scsi/qla2xxx/qla_isr.c | 16 ++++++---------- - 2 files changed, 8 insertions(+), 12 deletions(-) - -diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h -index b4ff8eea7879..77ef82df6d4d 100644 ---- a/drivers/scsi/qla2xxx/qla_def.h -+++ b/drivers/scsi/qla2xxx/qla_def.h -@@ -4260,8 +4260,8 @@ struct qla_hw_data { - #define IS_OEM_001(ha) ((ha)->device_type & DT_OEM_001) - #define HAS_EXTENDED_IDS(ha) ((ha)->device_type & DT_EXTENDED_IDS) - #define IS_CT6_SUPPORTED(ha) ((ha)->device_type & DT_CT6_SUPPORTED) --#define IS_MQUE_CAPABLE(ha) ((ha)->mqenable || IS_QLA83XX(ha) || \ -- IS_QLA27XX(ha) || IS_QLA28XX(ha)) -+#define IS_MQUE_CAPABLE(ha) (IS_QLA83XX(ha) || IS_QLA27XX(ha) || \ -+ IS_QLA28XX(ha)) - #define IS_BIDI_CAPABLE(ha) \ - (IS_QLA25XX(ha) || IS_QLA2031(ha) || IS_QLA27XX(ha) || IS_QLA28XX(ha)) - /* Bit 21 of fw_attributes decides the MCTP capabilities */ -diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c -index ae47fc559ae0..5f2949e03fc8 100644 ---- a/drivers/scsi/qla2xxx/qla_isr.c -+++ b/drivers/scsi/qla2xxx/qla_isr.c -@@ -4420,16 +4420,12 @@ qla24xx_enable_msix(struct qla_hw_data *ha, struct rsp_que *rsp) - } - - /* Enable MSI-X vector for response queue update for queue 0 */ -- if (IS_QLA83XX(ha) || IS_QLA27XX(ha) || IS_QLA28XX(ha)) { -- if (ha->msixbase && ha->mqiobase && -- (ha->max_rsp_queues > 1 || ha->max_req_queues > 1 || -- ql2xmqsupport)) -- ha->mqenable = 1; -- } else -- if (ha->mqiobase && -- (ha->max_rsp_queues > 1 || ha->max_req_queues > 1 || -- ql2xmqsupport)) -- ha->mqenable = 1; -+ if (IS_MQUE_CAPABLE(ha) && -+ (ha->msixbase && ha->mqiobase && ha->max_qpairs)) -+ ha->mqenable = 1; -+ else -+ ha->mqenable = 0; -+ - ql_dbg(ql_dbg_multiq, vha, 0xc005, - "mqiobase=%p, max_rsp_queues=%d, max_req_queues=%d.\n", - ha->mqiobase, ha->max_rsp_queues, ha->max_req_queues); --- -2.35.1 - diff --git a/queue-5.19/scsi-qla2xxx-update-manufacturer-details.patch b/queue-5.19/scsi-qla2xxx-update-manufacturer-details.patch deleted file mode 100644 index 1ff97483231..00000000000 --- a/queue-5.19/scsi-qla2xxx-update-manufacturer-details.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 8df583fe738190a8f20b53f8c755ef7fdc1020b2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 12 Jul 2022 22:20:44 -0700 -Subject: scsi: qla2xxx: Update manufacturer details - -From: Bikash Hazarika - -[ Upstream commit 1ccad27716ecad1fd58c35e579bedb81fa5e1ad5 ] - -Update manufacturer details to indicate Marvell Semiconductors. - -Link: https://lore.kernel.org/r/20220713052045.10683-10-njavali@marvell.com -Cc: stable@vger.kernel.org -Reviewed-by: Himanshu Madhani -Signed-off-by: Bikash Hazarika -Signed-off-by: Nilesh Javali -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_def.h | 2 +- - drivers/scsi/qla2xxx/qla_gs.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h -index 5d594c82d14c..5a1a2ab7b852 100644 ---- a/drivers/scsi/qla2xxx/qla_def.h -+++ b/drivers/scsi/qla2xxx/qla_def.h -@@ -78,7 +78,7 @@ typedef union { - #include "qla_nvme.h" - #define QLA2XXX_DRIVER_NAME "qla2xxx" - #define QLA2XXX_APIDEV "ql2xapidev" --#define QLA2XXX_MANUFACTURER "QLogic Corporation" -+#define QLA2XXX_MANUFACTURER "Marvell Semiconductor, Inc." - - /* - * We have MAILBOX_REGISTER_COUNT sized arrays in a few places, -diff --git a/drivers/scsi/qla2xxx/qla_gs.c b/drivers/scsi/qla2xxx/qla_gs.c -index c999221912e5..0a95816afd0b 100644 ---- a/drivers/scsi/qla2xxx/qla_gs.c -+++ b/drivers/scsi/qla2xxx/qla_gs.c -@@ -1616,7 +1616,7 @@ qla2x00_hba_attributes(scsi_qla_host_t *vha, void *entries, - eiter->type = cpu_to_be16(FDMI_HBA_MANUFACTURER); - alen = scnprintf( - eiter->a.manufacturer, sizeof(eiter->a.manufacturer), -- "%s", "QLogic Corporation"); -+ "%s", QLA2XXX_MANUFACTURER); - alen += FDMI_ATTR_ALIGNMENT(alen); - alen += FDMI_ATTR_TYPELEN(eiter); - eiter->len = cpu_to_be16(alen); --- -2.35.1 - diff --git a/queue-5.19/scsi-qla2xxx-wind-down-adapter-after-pcie-error.patch-31117 b/queue-5.19/scsi-qla2xxx-wind-down-adapter-after-pcie-error.patch-31117 deleted file mode 100644 index e26b7ddd345..00000000000 --- a/queue-5.19/scsi-qla2xxx-wind-down-adapter-after-pcie-error.patch-31117 +++ /dev/null @@ -1,210 +0,0 @@ -From c751cb3aef1515ae098ecbb8829f3aabc5f17cac Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 15 Jun 2022 22:35:00 -0700 -Subject: scsi: qla2xxx: Wind down adapter after PCIe error - -From: Quinn Tran - -[ Upstream commit d3117c83ba316b3200d9f2fe900f2b9a5525a25c ] - -Put adapter into a wind down state if OS does not make any attempt to -recover the adapter after PCIe error. - -Link: https://lore.kernel.org/r/20220616053508.27186-4-njavali@marvell.com -Cc: stable@vger.kernel.org -Signed-off-by: Quinn Tran -Signed-off-by: Nilesh Javali -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_bsg.c | 10 ++++++- - drivers/scsi/qla2xxx/qla_def.h | 4 +++ - drivers/scsi/qla2xxx/qla_init.c | 20 ++++++++++++++ - drivers/scsi/qla2xxx/qla_os.c | 48 +++++++++++++++++++++++++++++++++ - 4 files changed, 81 insertions(+), 1 deletion(-) - -diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c -index c2f00f076f79..726af9e40572 100644 ---- a/drivers/scsi/qla2xxx/qla_bsg.c -+++ b/drivers/scsi/qla2xxx/qla_bsg.c -@@ -2975,6 +2975,13 @@ qla24xx_bsg_timeout(struct bsg_job *bsg_job) - - ql_log(ql_log_info, vha, 0x708b, "%s CMD timeout. bsg ptr %p.\n", - __func__, bsg_job); -+ -+ if (qla2x00_isp_reg_stat(ha)) { -+ ql_log(ql_log_info, vha, 0x9007, -+ "PCI/Register disconnect.\n"); -+ qla_pci_set_eeh_busy(vha); -+ } -+ - /* find the bsg job from the active list of commands */ - spin_lock_irqsave(&ha->hardware_lock, flags); - for (que = 0; que < ha->max_req_queues; que++) { -@@ -2992,7 +2999,8 @@ qla24xx_bsg_timeout(struct bsg_job *bsg_job) - sp->u.bsg_job == bsg_job) { - req->outstanding_cmds[cnt] = NULL; - spin_unlock_irqrestore(&ha->hardware_lock, flags); -- if (ha->isp_ops->abort_command(sp)) { -+ -+ if (!ha->flags.eeh_busy && ha->isp_ops->abort_command(sp)) { - ql_log(ql_log_warn, vha, 0x7089, - "mbx abort_command failed.\n"); - bsg_reply->result = -EIO; -diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h -index e8f69c486be1..b4ff8eea7879 100644 ---- a/drivers/scsi/qla2xxx/qla_def.h -+++ b/drivers/scsi/qla2xxx/qla_def.h -@@ -4040,6 +4040,9 @@ struct qla_hw_data { - uint32_t n2n_fw_acc_sec:1; - uint32_t plogi_template_valid:1; - uint32_t port_isolated:1; -+ uint32_t eeh_flush:2; -+#define EEH_FLUSH_RDY 1 -+#define EEH_FLUSH_DONE 2 - } flags; - - uint16_t max_exchg; -@@ -4074,6 +4077,7 @@ struct qla_hw_data { - uint32_t rsp_que_len; - uint32_t req_que_off; - uint32_t rsp_que_off; -+ unsigned long eeh_jif; - - /* Multi queue data structs */ - device_reg_t *mqiobase; -diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c -index 3f3417a3e891..88ca398be485 100644 ---- a/drivers/scsi/qla2xxx/qla_init.c -+++ b/drivers/scsi/qla2xxx/qla_init.c -@@ -47,6 +47,7 @@ qla2x00_sp_timeout(struct timer_list *t) - { - srb_t *sp = from_timer(sp, t, u.iocb_cmd.timer); - struct srb_iocb *iocb; -+ scsi_qla_host_t *vha = sp->vha; - - WARN_ON(irqs_disabled()); - iocb = &sp->u.iocb_cmd; -@@ -54,6 +55,12 @@ qla2x00_sp_timeout(struct timer_list *t) - - /* ref: TMR */ - kref_put(&sp->cmd_kref, qla2x00_sp_release); -+ -+ if (vha && qla2x00_isp_reg_stat(vha->hw)) { -+ ql_log(ql_log_info, vha, 0x9008, -+ "PCI/Register disconnect.\n"); -+ qla_pci_set_eeh_busy(vha); -+ } - } - - void qla2x00_sp_free(srb_t *sp) -@@ -9657,6 +9664,12 @@ int qla2xxx_disable_port(struct Scsi_Host *host) - - vha->hw->flags.port_isolated = 1; - -+ if (qla2x00_isp_reg_stat(vha->hw)) { -+ ql_log(ql_log_info, vha, 0x9006, -+ "PCI/Register disconnect, exiting.\n"); -+ qla_pci_set_eeh_busy(vha); -+ return FAILED; -+ } - if (qla2x00_chip_is_down(vha)) - return 0; - -@@ -9672,6 +9685,13 @@ int qla2xxx_enable_port(struct Scsi_Host *host) - { - scsi_qla_host_t *vha = shost_priv(host); - -+ if (qla2x00_isp_reg_stat(vha->hw)) { -+ ql_log(ql_log_info, vha, 0x9001, -+ "PCI/Register disconnect, exiting.\n"); -+ qla_pci_set_eeh_busy(vha); -+ return FAILED; -+ } -+ - vha->hw->flags.port_isolated = 0; - /* Set the flag to 1, so that isp_abort can proceed */ - vha->flags.online = 1; -diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c -index 73073fb08369..6fd5c21ad1f5 100644 ---- a/drivers/scsi/qla2xxx/qla_os.c -+++ b/drivers/scsi/qla2xxx/qla_os.c -@@ -333,6 +333,11 @@ MODULE_PARM_DESC(ql2xabts_wait_nvme, - "To wait for ABTS response on I/O timeouts for NVMe. (default: 1)"); - - -+u32 ql2xdelay_before_pci_error_handling = 5; -+module_param(ql2xdelay_before_pci_error_handling, uint, 0644); -+MODULE_PARM_DESC(ql2xdelay_before_pci_error_handling, -+ "Number of seconds delayed before qla begin PCI error self-handling (default: 5).\n"); -+ - static void qla2x00_clear_drv_active(struct qla_hw_data *); - static void qla2x00_free_device(scsi_qla_host_t *); - static int qla2xxx_map_queues(struct Scsi_Host *shost); -@@ -7238,6 +7243,44 @@ static void qla_heart_beat(struct scsi_qla_host *vha, u16 dpc_started) - } - } - -+static void qla_wind_down_chip(scsi_qla_host_t *vha) -+{ -+ struct qla_hw_data *ha = vha->hw; -+ -+ if (!ha->flags.eeh_busy) -+ return; -+ if (ha->pci_error_state) -+ /* system is trying to recover */ -+ return; -+ -+ /* -+ * Current system is not handling PCIE error. At this point, this is -+ * best effort to wind down the adapter. -+ */ -+ if (time_after_eq(jiffies, ha->eeh_jif + ql2xdelay_before_pci_error_handling * HZ) && -+ !ha->flags.eeh_flush) { -+ ql_log(ql_log_info, vha, 0x9009, -+ "PCI Error detected, attempting to reset hardware.\n"); -+ -+ ha->isp_ops->reset_chip(vha); -+ ha->isp_ops->disable_intrs(ha); -+ -+ ha->flags.eeh_flush = EEH_FLUSH_RDY; -+ ha->eeh_jif = jiffies; -+ -+ } else if (ha->flags.eeh_flush == EEH_FLUSH_RDY && -+ time_after_eq(jiffies, ha->eeh_jif + 5 * HZ)) { -+ pci_clear_master(ha->pdev); -+ -+ /* flush all command */ -+ qla2x00_abort_isp_cleanup(vha); -+ ha->flags.eeh_flush = EEH_FLUSH_DONE; -+ -+ ql_log(ql_log_info, vha, 0x900a, -+ "PCI Error handling complete, all IOs aborted.\n"); -+ } -+} -+ - /************************************************************************** - * qla2x00_timer - * -@@ -7261,6 +7304,8 @@ qla2x00_timer(struct timer_list *t) - fc_port_t *fcport = NULL; - - if (ha->flags.eeh_busy) { -+ qla_wind_down_chip(vha); -+ - ql_dbg(ql_dbg_timer, vha, 0x6000, - "EEH = %d, restarting timer.\n", - ha->flags.eeh_busy); -@@ -7841,6 +7886,9 @@ void qla_pci_set_eeh_busy(struct scsi_qla_host *vha) - - spin_lock_irqsave(&base_vha->work_lock, flags); - if (!ha->flags.eeh_busy) { -+ ha->eeh_jif = jiffies; -+ ha->flags.eeh_flush = 0; -+ - ha->flags.eeh_busy = 1; - do_cleanup = true; - } --- -2.35.1 - diff --git a/queue-5.19/scsi-qla2xxx-zero-undefined-mailbox-in-registers.patch-4895 b/queue-5.19/scsi-qla2xxx-zero-undefined-mailbox-in-registers.patch-4895 deleted file mode 100644 index 77770fb8113..00000000000 --- a/queue-5.19/scsi-qla2xxx-zero-undefined-mailbox-in-registers.patch-4895 +++ /dev/null @@ -1,41 +0,0 @@ -From 74f0c3d28a9666032ef45b5df22ebf8019605add Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 12 Jul 2022 22:20:38 -0700 -Subject: scsi: qla2xxx: Zero undefined mailbox IN registers - -From: Bikash Hazarika - -[ Upstream commit 6c96a3c7d49593ef15805f5e497601c87695abc9 ] - -While requesting a new mailbox command, driver does not write any data to -unused registers. Initialize the unused register value to zero while -requesting a new mailbox command to prevent stale entry access by firmware. - -Link: https://lore.kernel.org/r/20220713052045.10683-4-njavali@marvell.com -Cc: stable@vger.kernel.org -Reviewed-by: Himanshu Madhani -Signed-off-by: Bikash Hazarika -Signed-off-by: Quinn Tran -Signed-off-by: Nilesh Javali -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_mbx.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c -index 1b154ab025bd..bcade1deb798 100644 ---- a/drivers/scsi/qla2xxx/qla_mbx.c -+++ b/drivers/scsi/qla2xxx/qla_mbx.c -@@ -238,6 +238,8 @@ qla2x00_mailbox_command(scsi_qla_host_t *vha, mbx_cmd_t *mcp) - ql_dbg(ql_dbg_mbx, vha, 0x1112, - "mbox[%d]<-0x%04x\n", cnt, *iptr); - wrt_reg_word(optr, *iptr); -+ } else { -+ wrt_reg_word(optr, 0); - } - - mboxes >>= 1; --- -2.35.1 - diff --git a/queue-5.19/scsi-revert-scsi-qla2xxx-fix-disk-failure-to-redisco.patch b/queue-5.19/scsi-revert-scsi-qla2xxx-fix-disk-failure-to-redisco.patch deleted file mode 100644 index 53e439f0948..00000000000 --- a/queue-5.19/scsi-revert-scsi-qla2xxx-fix-disk-failure-to-redisco.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 0c185f582d18580b73851b74739c9ab1501c2fa7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 12 Jul 2022 22:20:36 -0700 -Subject: scsi: Revert "scsi: qla2xxx: Fix disk failure to rediscover" - -From: Nilesh Javali - -[ Upstream commit 5bc7b01c513a4a9b4cfe306e8d1720cfcfd3b8a3 ] - -This fixes the regression of NVMe discovery failure during driver load -time. - -This reverts commit 6a45c8e137d4e2c72eecf1ac7cf64f2fdfcead99. - -Link: https://lore.kernel.org/r/20220713052045.10683-2-njavali@marvell.com -Cc: stable@vger.kernel.org -Reviewed-by: Himanshu Madhani -Signed-off-by: Nilesh Javali -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qla2xxx/qla_init.c | 5 ++--- - drivers/scsi/qla2xxx/qla_nvme.c | 5 ----- - 2 files changed, 2 insertions(+), 8 deletions(-) - -diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c -index b6c3f66c4988..ad96bc19ed05 100644 ---- a/drivers/scsi/qla2xxx/qla_init.c -+++ b/drivers/scsi/qla2xxx/qla_init.c -@@ -5778,8 +5778,6 @@ qla2x00_reg_remote_port(scsi_qla_host_t *vha, fc_port_t *fcport) - if (atomic_read(&fcport->state) == FCS_ONLINE) - return; - -- qla2x00_set_fcport_state(fcport, FCS_ONLINE); -- - rport_ids.node_name = wwn_to_u64(fcport->node_name); - rport_ids.port_name = wwn_to_u64(fcport->port_name); - rport_ids.port_id = fcport->d_id.b.domain << 16 | -@@ -5880,7 +5878,6 @@ qla2x00_update_fcport(scsi_qla_host_t *vha, fc_port_t *fcport) - qla2x00_reg_remote_port(vha, fcport); - break; - case MODE_TARGET: -- qla2x00_set_fcport_state(fcport, FCS_ONLINE); - if (!vha->vha_tgt.qla_tgt->tgt_stop && - !vha->vha_tgt.qla_tgt->tgt_stopped) - qlt_fc_port_added(vha, fcport); -@@ -5898,6 +5895,8 @@ qla2x00_update_fcport(scsi_qla_host_t *vha, fc_port_t *fcport) - if (NVME_TARGET(vha->hw, fcport)) - qla_nvme_register_remote(vha, fcport); - -+ qla2x00_set_fcport_state(fcport, FCS_ONLINE); -+ - if (IS_IIDMA_CAPABLE(vha->hw) && vha->hw->flags.gpsc_supported) { - if (fcport->id_changed) { - fcport->id_changed = 0; -diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c -index 87c9404aa401..7450c3458be7 100644 ---- a/drivers/scsi/qla2xxx/qla_nvme.c -+++ b/drivers/scsi/qla2xxx/qla_nvme.c -@@ -37,11 +37,6 @@ int qla_nvme_register_remote(struct scsi_qla_host *vha, struct fc_port *fcport) - (fcport->nvme_flag & NVME_FLAG_REGISTERED)) - return 0; - -- if (atomic_read(&fcport->state) == FCS_ONLINE) -- return 0; -- -- qla2x00_set_fcport_state(fcport, FCS_ONLINE); -- - fcport->nvme_flag &= ~NVME_FLAG_RESETTING; - - memset(&req, 0, sizeof(struct nvme_fc_port_info)); --- -2.35.1 - diff --git a/queue-5.19/scsi-sg-allow-waiting-for-commands-to-complete-on-re.patch b/queue-5.19/scsi-sg-allow-waiting-for-commands-to-complete-on-re.patch deleted file mode 100644 index c17f4169846..00000000000 --- a/queue-5.19/scsi-sg-allow-waiting-for-commands-to-complete-on-re.patch +++ /dev/null @@ -1,147 +0,0 @@ -From 7180280ffcbdb8a1d9212cc2afab8b3d7b72ce5d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 11 Jul 2022 10:51:32 -0400 -Subject: scsi: sg: Allow waiting for commands to complete on removed device - -From: Tony Battersby - -[ Upstream commit 3455607fd7be10b449f5135c00dc306b85dc0d21 ] - -When a SCSI device is removed while in active use, currently sg will -immediately return -ENODEV on any attempt to wait for active commands that -were sent before the removal. This is problematic for commands that use -SG_FLAG_DIRECT_IO since the data buffer may still be in use by the kernel -when userspace frees or reuses it after getting ENODEV, leading to -corrupted userspace memory (in the case of READ-type commands) or corrupted -data being sent to the device (in the case of WRITE-type commands). This -has been seen in practice when logging out of a iscsi_tcp session, where -the iSCSI driver may still be processing commands after the device has been -marked for removal. - -Change the policy to allow userspace to wait for active sg commands even -when the device is being removed. Return -ENODEV only when there are no -more responses to read. - -Link: https://lore.kernel.org/r/5ebea46f-fe83-2d0b-233d-d0dcb362dd0a@cybernetics.com -Cc: -Acked-by: Douglas Gilbert -Signed-off-by: Tony Battersby -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/sg.c | 53 +++++++++++++++++++++++++++++------------------ - 1 file changed, 33 insertions(+), 20 deletions(-) - -diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index 118c7b4a8af2..340b050ad28d 100644 ---- a/drivers/scsi/sg.c -+++ b/drivers/scsi/sg.c -@@ -195,7 +195,7 @@ static void sg_link_reserve(Sg_fd * sfp, Sg_request * srp, int size); - static void sg_unlink_reserve(Sg_fd * sfp, Sg_request * srp); - static Sg_fd *sg_add_sfp(Sg_device * sdp); - static void sg_remove_sfp(struct kref *); --static Sg_request *sg_get_rq_mark(Sg_fd * sfp, int pack_id); -+static Sg_request *sg_get_rq_mark(Sg_fd * sfp, int pack_id, bool *busy); - static Sg_request *sg_add_request(Sg_fd * sfp); - static int sg_remove_request(Sg_fd * sfp, Sg_request * srp); - static Sg_device *sg_get_dev(int dev); -@@ -444,6 +444,7 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos) - Sg_fd *sfp; - Sg_request *srp; - int req_pack_id = -1; -+ bool busy; - sg_io_hdr_t *hp; - struct sg_header *old_hdr; - int retval; -@@ -466,20 +467,16 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos) - if (retval) - return retval; - -- srp = sg_get_rq_mark(sfp, req_pack_id); -+ srp = sg_get_rq_mark(sfp, req_pack_id, &busy); - if (!srp) { /* now wait on packet to arrive */ -- if (atomic_read(&sdp->detaching)) -- return -ENODEV; - if (filp->f_flags & O_NONBLOCK) - return -EAGAIN; - retval = wait_event_interruptible(sfp->read_wait, -- (atomic_read(&sdp->detaching) || -- (srp = sg_get_rq_mark(sfp, req_pack_id)))); -- if (atomic_read(&sdp->detaching)) -- return -ENODEV; -- if (retval) -- /* -ERESTARTSYS as signal hit process */ -- return retval; -+ ((srp = sg_get_rq_mark(sfp, req_pack_id, &busy)) || -+ (!busy && atomic_read(&sdp->detaching)))); -+ if (!srp) -+ /* signal or detaching */ -+ return retval ? retval : -ENODEV; - } - if (srp->header.interface_id != '\0') - return sg_new_read(sfp, buf, count, srp); -@@ -940,9 +937,7 @@ sg_ioctl_common(struct file *filp, Sg_device *sdp, Sg_fd *sfp, - if (result < 0) - return result; - result = wait_event_interruptible(sfp->read_wait, -- (srp_done(sfp, srp) || atomic_read(&sdp->detaching))); -- if (atomic_read(&sdp->detaching)) -- return -ENODEV; -+ srp_done(sfp, srp)); - write_lock_irq(&sfp->rq_list_lock); - if (srp->done) { - srp->done = 2; -@@ -2079,19 +2074,28 @@ sg_unlink_reserve(Sg_fd * sfp, Sg_request * srp) - } - - static Sg_request * --sg_get_rq_mark(Sg_fd * sfp, int pack_id) -+sg_get_rq_mark(Sg_fd * sfp, int pack_id, bool *busy) - { - Sg_request *resp; - unsigned long iflags; - -+ *busy = false; - write_lock_irqsave(&sfp->rq_list_lock, iflags); - list_for_each_entry(resp, &sfp->rq_list, entry) { -- /* look for requests that are ready + not SG_IO owned */ -- if ((1 == resp->done) && (!resp->sg_io_owned) && -+ /* look for requests that are not SG_IO owned */ -+ if ((!resp->sg_io_owned) && - ((-1 == pack_id) || (resp->header.pack_id == pack_id))) { -- resp->done = 2; /* guard against other readers */ -- write_unlock_irqrestore(&sfp->rq_list_lock, iflags); -- return resp; -+ switch (resp->done) { -+ case 0: /* request active */ -+ *busy = true; -+ break; -+ case 1: /* request done; response ready to return */ -+ resp->done = 2; /* guard against other readers */ -+ write_unlock_irqrestore(&sfp->rq_list_lock, iflags); -+ return resp; -+ case 2: /* response already being returned */ -+ break; -+ } - } - } - write_unlock_irqrestore(&sfp->rq_list_lock, iflags); -@@ -2145,6 +2149,15 @@ sg_remove_request(Sg_fd * sfp, Sg_request * srp) - res = 1; - } - write_unlock_irqrestore(&sfp->rq_list_lock, iflags); -+ -+ /* -+ * If the device is detaching, wakeup any readers in case we just -+ * removed the last response, which would leave nothing for them to -+ * return other than -ENODEV. -+ */ -+ if (unlikely(atomic_read(&sfp->parentdp->detaching))) -+ wake_up_interruptible_all(&sfp->read_wait); -+ - return res; - } - --- -2.35.1 - diff --git a/queue-5.19/serial-mvebu-uart-uart2-error-bits-clearing.patch-15528 b/queue-5.19/serial-mvebu-uart-uart2-error-bits-clearing.patch-15528 deleted file mode 100644 index 05a8e6c0b98..00000000000 --- a/queue-5.19/serial-mvebu-uart-uart2-error-bits-clearing.patch-15528 +++ /dev/null @@ -1,59 +0,0 @@ -From 040076f0ab10143dc046c3347c9b3c04d0330d7a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 26 Jul 2022 11:12:21 +0200 -Subject: serial: mvebu-uart: uart2 error bits clearing -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Narendra Hadke - -[ Upstream commit a7209541239e5dd44d981289e5f9059222d40fd1 ] - -For mvebu uart2, error bits are not cleared on buffer read. -This causes interrupt loop and system hang. - -Cc: stable@vger.kernel.org -Reviewed-by: Yi Guo -Reviewed-by: Nadav Haklai -Signed-off-by: Narendra Hadke -Signed-off-by: Pali Rohár -Link: https://lore.kernel.org/r/20220726091221.12358-1-pali@kernel.org -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/tty/serial/mvebu-uart.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/drivers/tty/serial/mvebu-uart.c b/drivers/tty/serial/mvebu-uart.c -index 93489fe334d0..65eaecd10b7c 100644 ---- a/drivers/tty/serial/mvebu-uart.c -+++ b/drivers/tty/serial/mvebu-uart.c -@@ -265,6 +265,7 @@ static void mvebu_uart_rx_chars(struct uart_port *port, unsigned int status) - struct tty_port *tport = &port->state->port; - unsigned char ch = 0; - char flag = 0; -+ int ret; - - do { - if (status & STAT_RX_RDY(port)) { -@@ -277,6 +278,16 @@ static void mvebu_uart_rx_chars(struct uart_port *port, unsigned int status) - port->icount.parity++; - } - -+ /* -+ * For UART2, error bits are not cleared on buffer read. -+ * This causes interrupt loop and system hang. -+ */ -+ if (IS_EXTENDED(port) && (status & STAT_BRK_ERR)) { -+ ret = readl(port->membase + UART_STAT); -+ ret |= STAT_BRK_ERR; -+ writel(ret, port->membase + UART_STAT); -+ } -+ - if (status & STAT_BRK_DET) { - port->icount.brk++; - status &= ~(STAT_FRM_ERR | STAT_PAR_ERR); --- -2.35.1 - diff --git a/queue-5.19/series b/queue-5.19/series index 812b3120eb4..7db3dcc5e62 100644 --- a/queue-5.19/series +++ b/queue-5.19/series @@ -1055,112 +1055,28 @@ __follow_mount_rcu-verify-that-mount_lock-remains-unchanged.patch spmi-trace-fix-stack-out-of-bound-access-in-spmi-tracing-functions.patch csky-abiv1-fixup-compile-error.patch drivers-base-fix-userspace-break-from-using-bin_attributes-for-cpumap-and-cpulist.patch -kvm-drop-unused-gpa-param-from-gfn-pfn-cache-s-__rel.patch -kvm-put-the-extra-pfn-reference-when-reusing-a-pfn-i.patch -kvm-do-not-incorporate-page-offset-into-gfn-pfn-cach.patch -kvm-fully-serialize-gfn-pfn-cache-refresh-via-mutex.patch-7350 -kvm-fix-multiple-races-in-gfn-pfn-cache-refresh.patch-19149 -hid-wacom-only-report-rotation-for-art-pen.patch-25074 -hid-wacom-don-t-register-pad_input-for-touch-switch.patch-820 -drm-nouveau-fix-another-off-by-one-in-nvbios_addr.patch-28623 -bpf-fix-kasan-use-after-free-read-in-compute_effecti.patch -drm-mediatek-modify-dsi-funcs-to-atomic-operations.patch-7159 -drm-mediatek-separate-poweron-poweroff-from-enable-d.patch-3169 drm-mediatek-keep-dsi-as-lp00-before-dcs-cmds-transf.patch -kvm-svm-don-t-bug-if-userspace-injects-an-interrupt-.patch -hid-hid-input-add-surface-go-battery-quirk.patch-7851 -crypto-ccp-use-kzalloc-for-sev-ioctl-interfaces-to-p.patch crypto-blake2s-remove-shash-module.patch -drm-dp-mst-read-the-extended-dpcd-capabilities-durin.patch -scsi-qla2xxx-fix-excessive-i-o-error-messages-by-def.patch -scsi-qla2xxx-wind-down-adapter-after-pcie-error.patch-31117 -scsi-qla2xxx-turn-off-multi-queue-for-8g-adapters.patch-20754 -scsi-qla2xxx-fix-crash-due-to-stale-srb-access-aroun.patch -scsi-qla2xxx-fix-losing-fcp-2-targets-during-port-pe.patch -scsi-qla2xxx-fix-losing-target-when-it-reappears-dur.patch -scsi-qla2xxx-fix-losing-fcp-2-targets-on-long-port-d.patch -scsi-qla2xxx-fix-erroneous-mailbox-timeout-after-pci.patch -fbcon-fix-accelerated-fbdev-scrolling-while-logo-is-.patch -fbcon-fix-boundary-checks-for-fbcon-vc-n1-n2-paramet.patch -kvm-nvmx-snapshot-pre-vm-enter-bndcfgs-for-nested_ru.patch -kvm-nvmx-snapshot-pre-vm-enter-debugctl-for-nested_r.patch -drm-hyperv-drm-include-framebuffer-and-edid-headers.patch-15144 -coresight-clear-the-connection-field-properly.patch-22500 -usbnet-fix-linkwatch-use-after-free-on-disconnect.patch-30140 -drm-fb-helper-fix-out-of-bounds-access.patch-14074 -drm-vc4-hdmi-disable-audio-if-dmas-property-is-prese.patch -fix-short-copy-handling-in-copy_mc_pipe_to_iter.patch-23282 -powerpc-restore-config_debug_info-in-defconfigs.patch-27837 -powerpc-ptdump-fix-display-of-rw-pages-on-fsl_book3e.patch-3011 -powerpc-64e-fix-early-tlb-miss-with-kuap.patch-29650 -mtd-rawnand-arasan-update-nand-bus-clock-instead-of-.patch -mtd-rawnand-arasan-fix-clock-rate-in-nv-ddr.patch-18581 -ia64-processor-fix-wincompatible-pointer-types-in-ia.patch -usbnet-smsc95xx-fix-deadlock-on-runtime-resume.patch-22908 -drm-ingenic-use-the-highest-possible-dma-burst-size.patch-22931 firmware-arm_scpi-ensure-scpi_info-is-not-assigned-i.patch -media-isl7998x-select-v4l2_fwnode-to-fix-build-error.patch-24025 -__follow_mount_rcu-verify-that-mount_lock-remains-un.patch -soundwire-qcom-check-device-status-before-reading-de.patch -scsi-lpfc-remove-extra-atomic_inc-on-cmd_pending-in-.patch -usb-dwc3-gadget-refactor-dwc3_repare_one_trb.patch-8861 -usb-dwc3-gadget-fix-high-speed-multiplier-setting.patch-13588 intel_th-pci-add-meteor-lake-p-support.patch intel_th-pci-add-raptor-lake-s-pch-support.patch intel_th-pci-add-raptor-lake-s-cpu-support.patch -drm-tegra-fix-vmapping-of-prime-buffers.patch-28390 -media-patch-pci-atomisp_cmd-fix-three-missing-checks.patch kvm-set_msr_mce-permit-guests-to-ignore-single-bit-e.patch kvm-x86-signal-gp-not-eperm-on-bad-wrmsr-mci_ctl-sta.patch iommu-vt-d-avoid-invalid-memory-access-via-node_onli.patch pci-aer-iterate-over-error-counters-instead-of-error.patch pci-qcom-power-on-phy-before-ipq8074-dbi-register-ac.patch -drm-amdgpu-check-bo-s-requested-pinning-domains-agai.patch -kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch -kvm-x86-set-error-code-to-segment-selector-on-lldt-l.patch -mips-cpuinfo-fix-a-warning-for-config_cpumask_offsta.patch -tty-8250-add-support-for-brainboxes-px-cards.patch-25863 dm-writecache-set-a-default-max_writeback_jobs.patch -drm-nouveau-kms-fix-failure-path-for-creating-dp-con.patch -drm-nouveau-acpi-don-t-print-error-when-we-get-einpr.patch -drm-nouveau-don-t-pm_runtime_put_sync-only-pm_runtim.patch -alsa-bcd2000-fix-a-uaf-bug-on-the-error-path-of-prob.patch -x86-olpc-fix-logical-not-is-only-applied-to-the-left.patch -drivers-base-fix-userspace-break-from-using-bin_attr.patch kexec_file-drop-weak-attribute-from-functions.patch kexec-clean-up-arch_kexec_kernel_verify_sig.patch kexec-keys-s390-make-use-of-built-in-and-secondary-k.patch tracing-events-add-__vstring-and-__assign_vstr-helpe.patch dm-thin-fix-use-after-free-crash-in-dm_sm_register_t.patch net-9p-initialize-the-iounit-field-during-fid-creati.patch -um-remove-straying-parenthesis.patch-5379 -epoll-autoremove-wakers-even-more-aggressively.patch-6975 arm-marvell-update-pcie-fixup.patch timekeeping-contribute-wall-clock-to-rng-on-time-cha.patch -um-seed-rng-using-host-os-rng.patch-8415 -scsi-revert-scsi-qla2xxx-fix-disk-failure-to-redisco.patch -scsi-qla2xxx-fix-incorrect-display-of-max-frame-size.patch-30577 -scsi-qla2xxx-zero-undefined-mailbox-in-registers.patch-4895 -scsi-qla2xxx-fix-response-queue-handler-reading-stal.patch -scsi-qla2xxx-edif-fix-dropped-ike-message.patch -scsi-qla2xxx-fix-imbalance-vha-vref_count.patch-12738 -scsi-qla2xxx-fix-discovery-issues-in-fc-al-topology.patch-25366 -scsi-qla2xxx-update-manufacturer-details.patch -scsi-sg-allow-waiting-for-commands-to-complete-on-re.patch -iio-fix-iio_format_avail_range-printing-for-none-iio.patch -iio-light-isl29028-fix-the-warning-in-isl29028_remov.patch -tty-vt-initialize-unicode-screen-buffer.patch-8483 -kvm-s390-pv-don-t-present-the-ecall-interrupt-twice.patch-16826 locking-csd_lock-change-csdlock_debug-from-early_par.patch block-don-t-allow-the-same-type-rq_qos-add-more-than.patch -hid-nintendo-add-missing-array-termination.patch-24808 -fuse-write-inode-in-fuse_release.patch-28840 -fuse-fix-deadlock-between-atomic-o_trunc-and-page-in.patch -fuse-limit-nsec.patch-2050 -fuse-ioctl-translate-enosys.patch-17448 -alsa-usb-audio-add-quirk-for-behringer-umc202hd.patch-24063 -spmi-trace-fix-stack-out-of-bound-access-in-spmi-tra.patch -btrfs-reject-log-replay-if-there-is-unsupported-ro-c.patch btrfs-tree-log-make-the-return-value-for-log-syncing.patch btrfs-ensure-pages-are-unlocked-on-cow_file_range-fa.patch btrfs-fix-error-handling-of-fallback-uncompress-writ.patch @@ -1182,19 +1098,8 @@ btrfs-zoned-wait-until-zone-is-finished-when-allocat.patch btrfs-join-running-log-transaction-when-logging-new-.patch intel_idle-make-spr-c1-and-c1e-be-independent.patch acpi-cppc-do-not-prevent-cppc-from-working-in-the-fu.patch -powerpc-fsl-pci-fix-class-code-of-pcie-root-port.patch-7836 -usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch-24136 -usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch-12274 -usb-typec-ucsi-acknowledge-the-get_error_status-comm.patch -powerpc-powernv-avoid-crashing-if-rng-is-null.patch-9536 powerpc-powernv-kvm-use-darn-for-h_random-on-power9.patch -serial-mvebu-uart-uart2-error-bits-clearing.patch-15528 -ovl-drop-warn_on-dentry-is-null-in-ovl_encode_fh.patch-29266 s390-unwind-fix-fgraph-return-address-recovery.patch -kvm-x86-split-kvm_is_valid_cr4-and-export-only-the-n.patch -kvm-nvmx-account-for-kvm-reserved-cr4-bits-in-consis.patch -kvm-nvmx-inject-ud-if-vmxon-is-attempted-with-incomp.patch -kvm-nvmx-let-userspace-set-nvmx-msr-to-any-_host_-su.patch kvm-x86-pmu-introduce-the-ctrl_mask-value-for-fixed-.patch kvm-vmx-mark-all-perf_global_-ovf-_ctrl-bits-reserve.patch kvm-x86-pmu-ignore-pmu-global_ctrl-check-if-vpmu-doe.patch @@ -1202,31 +1107,13 @@ kvm-x86-pmu-accept-0-for-absent-pmu-msrs-when-host-i.patch revert-kvm-x86-pmu-accept-0-for-absent-pmu-msrs-when.patch kvm-vmx-add-helper-to-check-if-the-guest-pmu-has-per.patch kvm-nvmx-attempt-to-load-perf_global_ctrl-on-nvmx-xf.patch -kvm-x86-mmu-treat-nx-as-a-valid-spte-bit-for-npt.patch-3797 dm-raid-fix-address-sanitizer-warning-in-raid_status.patch dm-raid-fix-address-sanitizer-warning-in-raid_resume.patch dm-fix-dm-raid-crash-if-md_handle_request-splits-bio.patch mm-damon-reclaim-fix-potential-memory-leak-in-damon_.patch hugetlb_cgroup-fix-wrong-hugetlb-cgroup-numa-stat.patch batman-adv-tracing-use-the-new-__vstring-helper.patch -ftrace-x86-add-back-ftrace_expected-assignment.patch-6434 -alsa-hda-realtek-add-quirk-for-clevo-nv45pz.patch-15916 tracing-use-a-struct-alignof-to-determine-trace-even.patch -csky-abiv1-fixup-compile-error.patch-25803 -ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch-5672 -ksmbd-fix-use-after-free-bug-in-smb2_tree_disconect.patch-30412 -ksmbd-prevent-out-of-bound-read-for-smb2_write.patch-20867 -ksmbd-prevent-out-of-bound-read-for-smb2_tree_connne.patch -parisc-fix-device-names-in-proc-iomem.patch-18836 -parisc-drop-pa_swapper_pg_lock-spinlock.patch-26906 -parisc-check-the-return-value-of-ioremap-in-lba_driv.patch -parisc-io_pgetevents_time64-needs-compat-syscall-in-.patch -input-gscps2-check-return-value-of-ioremap-in-gscps2.patch -x86-kprobes-update-kcb-status-flag-after-singlestepp.patch -arm-dts-uniphier-fix-usb-interrupts-for-pxs2-soc.patch-2243 -arm64-dts-uniphier-fix-usb-interrupts-for-pxs3-soc.patch-8226 -md-raid-destroy-the-bitmap-after-destroying-the-thre.patch -md-raid10-fix-kasan-warning.patch-1758 ext4-fix-reading-leftover-inlined-symlinks.patch ext4-update-s_overhead_clusters-in-the-superblock-du.patch ext4-fix-extent-status-tree-race-in-writeback-error-.patch @@ -1238,15 +1125,9 @@ ext4-fix-warning-in-ext4_iomap_begin-as-race-between.patch documentation-ext4-fix-cell-spacing-of-table-heading.patch ext4-check-if-directory-block-is-within-i_size.patch ext4-make-sure-ext4_append-always-allocates-new-bloc.patch -mbcache-don-t-reclaim-used-entries.patch-21676 -mbcache-add-functions-to-delete-entry-if-unused.patch-21045 ext4-remove-ea-inode-entry-from-mbcache-on-inode-evi.patch ext4-unindent-codeblock-in-ext4_xattr_block_set.patch ext4-fix-race-when-reusing-xattr-blocks.patch -thermal-sysfs-fix-cooling_device_stats_setup-error-c.patch -alsa-hda-realtek-add-quirk-for-hp-spectre-x360-15-eb.patch keys-asymmetric-enforce-sm2-signature-use-pkey-algo.patch tpm-eventlog-fix-section-mismatch-for-debug_section_.patch tpm-add-check-for-failure-mode-for-tpm2-modules.patch -ksmbd-fix-heap-based-overflow-in-set_ntacl_dacl.patch-15594 -vfs-check-the-truncate-maximum-size-in-inode_newsize.patch diff --git a/queue-5.19/soundwire-qcom-check-device-status-before-reading-de.patch b/queue-5.19/soundwire-qcom-check-device-status-before-reading-de.patch deleted file mode 100644 index 5b35a9c10cb..00000000000 --- a/queue-5.19/soundwire-qcom-check-device-status-before-reading-de.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 22279f33dd8646f63cc191b62fa6c863d0dd016b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 6 Jul 2022 10:56:44 +0100 -Subject: soundwire: qcom: Check device status before reading devid - -From: Srinivas Kandagatla - -[ Upstream commit aa1262ca66957183ea1fb32a067e145b995f3744 ] - -As per hardware datasheet its recommended that we check the device -status before reading devid assigned by auto-enumeration. - -Without this patch we see SoundWire devices with invalid enumeration -addresses on the bus. - -Cc: stable@vger.kernel.org -Fixes: a6e6581942ca ("soundwire: qcom: add auto enumeration support") -Signed-off-by: Srinivas Kandagatla -Link: https://lore.kernel.org/r/20220706095644.5852-1-srinivas.kandagatla@linaro.org -Signed-off-by: Vinod Koul -Signed-off-by: Sasha Levin ---- - drivers/soundwire/qcom.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c -index 22b706350ead..b5ec7726592c 100644 ---- a/drivers/soundwire/qcom.c -+++ b/drivers/soundwire/qcom.c -@@ -471,6 +471,10 @@ static int qcom_swrm_enumerate(struct sdw_bus *bus) - char *buf1 = (char *)&val1, *buf2 = (char *)&val2; - - for (i = 1; i <= SDW_MAX_DEVICES; i++) { -+ /* do not continue if the status is Not Present */ -+ if (!ctrl->status[i]) -+ continue; -+ - /*SCP_Devid5 - Devid 4*/ - ctrl->reg_read(ctrl, SWRM_ENUMERATOR_SLAVE_DEV_ID_1(i), &val1); - --- -2.35.1 - diff --git a/queue-5.19/spmi-trace-fix-stack-out-of-bound-access-in-spmi-tra.patch b/queue-5.19/spmi-trace-fix-stack-out-of-bound-access-in-spmi-tra.patch deleted file mode 100644 index dd73534e111..00000000000 --- a/queue-5.19/spmi-trace-fix-stack-out-of-bound-access-in-spmi-tra.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 2d56df30d76af97123d66b3f131f270e6d686b5d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 27 Jun 2022 16:55:12 -0700 -Subject: spmi: trace: fix stack-out-of-bound access in SPMI tracing functions - -From: David Collins - -[ Upstream commit 2af28b241eea816e6f7668d1954f15894b45d7e3 ] - -trace_spmi_write_begin() and trace_spmi_read_end() both call -memcpy() with a length of "len + 1". This leads to one extra -byte being read beyond the end of the specified buffer. Fix -this out-of-bound memory access by using a length of "len" -instead. - -Here is a KASAN log showing the issue: - -BUG: KASAN: stack-out-of-bounds in trace_event_raw_event_spmi_read_end+0x1d0/0x234 -Read of size 2 at addr ffffffc0265b7540 by task thermal@2.0-ser/1314 -... -Call trace: - dump_backtrace+0x0/0x3e8 - show_stack+0x2c/0x3c - dump_stack_lvl+0xdc/0x11c - print_address_description+0x74/0x384 - kasan_report+0x188/0x268 - kasan_check_range+0x270/0x2b0 - memcpy+0x90/0xe8 - trace_event_raw_event_spmi_read_end+0x1d0/0x234 - spmi_read_cmd+0x294/0x3ac - spmi_ext_register_readl+0x84/0x9c - regmap_spmi_ext_read+0x144/0x1b0 [regmap_spmi] - _regmap_raw_read+0x40c/0x754 - regmap_raw_read+0x3a0/0x514 - regmap_bulk_read+0x418/0x494 - adc5_gen3_poll_wait_hs+0xe8/0x1e0 [qcom_spmi_adc5_gen3] - ... - __arm64_sys_read+0x4c/0x60 - invoke_syscall+0x80/0x218 - el0_svc_common+0xec/0x1c8 - ... - -addr ffffffc0265b7540 is located in stack of task thermal@2.0-ser/1314 at offset 32 in frame: - adc5_gen3_poll_wait_hs+0x0/0x1e0 [qcom_spmi_adc5_gen3] - -this frame has 1 object: - [32, 33) 'status' - -Memory state around the buggy address: - ffffffc0265b7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 - ffffffc0265b7480: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 ->ffffffc0265b7500: 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00 00 00 - ^ - ffffffc0265b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ffffffc0265b7600: f1 f1 f1 f1 01 f2 07 f2 f2 f2 01 f3 00 00 00 00 -================================================================== - -Fixes: a9fce374815d ("spmi: add command tracepoints for SPMI") -Cc: stable@vger.kernel.org -Reviewed-by: Stephen Boyd -Acked-by: Steven Rostedt (Google) -Signed-off-by: David Collins -Link: https://lore.kernel.org/r/20220627235512.2272783-1-quic_collinsd@quicinc.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - include/trace/events/spmi.h | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/include/trace/events/spmi.h b/include/trace/events/spmi.h -index 8b60efe18ba6..a6819fd85cdf 100644 ---- a/include/trace/events/spmi.h -+++ b/include/trace/events/spmi.h -@@ -21,15 +21,15 @@ TRACE_EVENT(spmi_write_begin, - __field ( u8, sid ) - __field ( u16, addr ) - __field ( u8, len ) -- __dynamic_array ( u8, buf, len + 1 ) -+ __dynamic_array ( u8, buf, len ) - ), - - TP_fast_assign( - __entry->opcode = opcode; - __entry->sid = sid; - __entry->addr = addr; -- __entry->len = len + 1; -- memcpy(__get_dynamic_array(buf), buf, len + 1); -+ __entry->len = len; -+ memcpy(__get_dynamic_array(buf), buf, len); - ), - - TP_printk("opc=%d sid=%02d addr=0x%04x len=%d buf=0x[%*phD]", -@@ -92,7 +92,7 @@ TRACE_EVENT(spmi_read_end, - __field ( u16, addr ) - __field ( int, ret ) - __field ( u8, len ) -- __dynamic_array ( u8, buf, len + 1 ) -+ __dynamic_array ( u8, buf, len ) - ), - - TP_fast_assign( -@@ -100,8 +100,8 @@ TRACE_EVENT(spmi_read_end, - __entry->sid = sid; - __entry->addr = addr; - __entry->ret = ret; -- __entry->len = len + 1; -- memcpy(__get_dynamic_array(buf), buf, len + 1); -+ __entry->len = len; -+ memcpy(__get_dynamic_array(buf), buf, len); - ), - - TP_printk("opc=%d sid=%02d addr=0x%04x ret=%d len=%02d buf=0x[%*phD]", --- -2.35.1 - diff --git a/queue-5.19/thermal-sysfs-fix-cooling_device_stats_setup-error-c.patch b/queue-5.19/thermal-sysfs-fix-cooling_device_stats_setup-error-c.patch deleted file mode 100644 index 05cd032e574..00000000000 --- a/queue-5.19/thermal-sysfs-fix-cooling_device_stats_setup-error-c.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 801cc2015d8cbd8a81277013b3c4ec0b643d3a2a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 29 Jul 2022 17:39:07 +0200 -Subject: thermal: sysfs: Fix cooling_device_stats_setup() error code path - -From: Rafael J. Wysocki - -[ Upstream commit d5a8aa5d7d80d21ab6b266f1bed4194b61746199 ] - -If cooling_device_stats_setup() fails to create the stats object, it -must clear the last slot in cooling_device_attr_groups that was -initially empty (so as to make it possible to add stats attributes to -the cooling device attribute groups). - -Failing to do so may cause the stats attributes to be created by -mistake for a device that doesn't have a stats object, because the -slot in question might be populated previously during the registration -of another cooling device. - -Fixes: 8ea229511e06 ("thermal: Add cooling device's statistics in sysfs") -Reported-by: Di Shen -Tested-by: Di Shen -Cc: 4.17+ # 4.17+ -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin ---- - drivers/thermal/thermal_sysfs.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/drivers/thermal/thermal_sysfs.c b/drivers/thermal/thermal_sysfs.c -index 1c4aac8464a7..1e5a78131aba 100644 ---- a/drivers/thermal/thermal_sysfs.c -+++ b/drivers/thermal/thermal_sysfs.c -@@ -813,12 +813,13 @@ static const struct attribute_group cooling_device_stats_attr_group = { - - static void cooling_device_stats_setup(struct thermal_cooling_device *cdev) - { -+ const struct attribute_group *stats_attr_group = NULL; - struct cooling_dev_stats *stats; - unsigned long states; - int var; - - if (cdev->ops->get_max_state(cdev, &states)) -- return; -+ goto out; - - states++; /* Total number of states is highest state + 1 */ - -@@ -828,7 +829,7 @@ static void cooling_device_stats_setup(struct thermal_cooling_device *cdev) - - stats = kzalloc(var, GFP_KERNEL); - if (!stats) -- return; -+ goto out; - - stats->time_in_state = (ktime_t *)(stats + 1); - stats->trans_table = (unsigned int *)(stats->time_in_state + states); -@@ -838,9 +839,12 @@ static void cooling_device_stats_setup(struct thermal_cooling_device *cdev) - - spin_lock_init(&stats->lock); - -+ stats_attr_group = &cooling_device_stats_attr_group; -+ -+out: - /* Fill the empty slot left in cooling_device_attr_groups */ - var = ARRAY_SIZE(cooling_device_attr_groups) - 2; -- cooling_device_attr_groups[var] = &cooling_device_stats_attr_group; -+ cooling_device_attr_groups[var] = stats_attr_group; - } - - static void cooling_device_stats_destroy(struct thermal_cooling_device *cdev) --- -2.35.1 - diff --git a/queue-5.19/tty-8250-add-support-for-brainboxes-px-cards.patch-25863 b/queue-5.19/tty-8250-add-support-for-brainboxes-px-cards.patch-25863 deleted file mode 100644 index ff5f560ac15..00000000000 --- a/queue-5.19/tty-8250-add-support-for-brainboxes-px-cards.patch-25863 +++ /dev/null @@ -1,147 +0,0 @@ -From d5a779b3947b0de53727a97e7a50c53e27258d0e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 11 Jul 2022 16:35:10 +0100 -Subject: tty: 8250: Add support for Brainboxes PX cards. - -From: Cameron Williams - -[ Upstream commit ef5a03a26c87a760bc3d86b5af7b773e82f8b1b7 ] - -Add support for some of the Brainboxes PCIe (PX) range of -serial cards, including the PX-101, PX-235/PX-246, -PX-203/PX-257, PX-260/PX-701, PX-310, PX-313, -PX-320/PX-324/PX-376/PX-387, PX-335/PX-346, PX-368, PX-420, -PX-803 and PX-846. - -Signed-off-by: Cameron Williams -Cc: stable -Link: https://lore.kernel.org/r/AM5PR0202MB2564669252BDC59BF55A6E87C4879@AM5PR0202MB2564.eurprd02.prod.outlook.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/tty/serial/8250/8250_pci.c | 109 +++++++++++++++++++++++++++++ - 1 file changed, 109 insertions(+) - -diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c -index a17619db7939..f6732c1ed238 100644 ---- a/drivers/tty/serial/8250/8250_pci.c -+++ b/drivers/tty/serial/8250/8250_pci.c -@@ -5076,6 +5076,115 @@ static const struct pci_device_id serial_pci_tbl[] = { - PCI_ANY_ID, PCI_ANY_ID, - 0, 0, - pbn_b2_4_115200 }, -+ /* -+ * Brainboxes PX-101 -+ */ -+ { PCI_VENDOR_ID_INTASHIELD, 0x4005, -+ PCI_ANY_ID, PCI_ANY_ID, -+ 0, 0, -+ pbn_b0_2_115200 }, -+ { PCI_VENDOR_ID_INTASHIELD, 0x4019, -+ PCI_ANY_ID, PCI_ANY_ID, -+ 0, 0, -+ pbn_oxsemi_2_15625000 }, -+ /* -+ * Brainboxes PX-235/246 -+ */ -+ { PCI_VENDOR_ID_INTASHIELD, 0x4004, -+ PCI_ANY_ID, PCI_ANY_ID, -+ 0, 0, -+ pbn_b0_1_115200 }, -+ { PCI_VENDOR_ID_INTASHIELD, 0x4016, -+ PCI_ANY_ID, PCI_ANY_ID, -+ 0, 0, -+ pbn_oxsemi_1_15625000 }, -+ /* -+ * Brainboxes PX-203/PX-257 -+ */ -+ { PCI_VENDOR_ID_INTASHIELD, 0x4006, -+ PCI_ANY_ID, PCI_ANY_ID, -+ 0, 0, -+ pbn_b0_2_115200 }, -+ { PCI_VENDOR_ID_INTASHIELD, 0x4015, -+ PCI_ANY_ID, PCI_ANY_ID, -+ 0, 0, -+ pbn_oxsemi_4_15625000 }, -+ /* -+ * Brainboxes PX-260/PX-701 -+ */ -+ { PCI_VENDOR_ID_INTASHIELD, 0x400A, -+ PCI_ANY_ID, PCI_ANY_ID, -+ 0, 0, -+ pbn_oxsemi_4_15625000 }, -+ /* -+ * Brainboxes PX-310 -+ */ -+ { PCI_VENDOR_ID_INTASHIELD, 0x400E, -+ PCI_ANY_ID, PCI_ANY_ID, -+ 0, 0, -+ pbn_oxsemi_2_15625000 }, -+ /* -+ * Brainboxes PX-313 -+ */ -+ { PCI_VENDOR_ID_INTASHIELD, 0x400C, -+ PCI_ANY_ID, PCI_ANY_ID, -+ 0, 0, -+ pbn_oxsemi_2_15625000 }, -+ /* -+ * Brainboxes PX-320/324/PX-376/PX-387 -+ */ -+ { PCI_VENDOR_ID_INTASHIELD, 0x400B, -+ PCI_ANY_ID, PCI_ANY_ID, -+ 0, 0, -+ pbn_oxsemi_1_15625000 }, -+ /* -+ * Brainboxes PX-335/346 -+ */ -+ { PCI_VENDOR_ID_INTASHIELD, 0x400F, -+ PCI_ANY_ID, PCI_ANY_ID, -+ 0, 0, -+ pbn_oxsemi_4_15625000 }, -+ /* -+ * Brainboxes PX-368 -+ */ -+ { PCI_VENDOR_ID_INTASHIELD, 0x4010, -+ PCI_ANY_ID, PCI_ANY_ID, -+ 0, 0, -+ pbn_oxsemi_4_15625000 }, -+ /* -+ * Brainboxes PX-420 -+ */ -+ { PCI_VENDOR_ID_INTASHIELD, 0x4000, -+ PCI_ANY_ID, PCI_ANY_ID, -+ 0, 0, -+ pbn_b0_4_115200 }, -+ { PCI_VENDOR_ID_INTASHIELD, 0x4011, -+ PCI_ANY_ID, PCI_ANY_ID, -+ 0, 0, -+ pbn_oxsemi_4_15625000 }, -+ /* -+ * Brainboxes PX-803 -+ */ -+ { PCI_VENDOR_ID_INTASHIELD, 0x4009, -+ PCI_ANY_ID, PCI_ANY_ID, -+ 0, 0, -+ pbn_b0_1_115200 }, -+ { PCI_VENDOR_ID_INTASHIELD, 0x401E, -+ PCI_ANY_ID, PCI_ANY_ID, -+ 0, 0, -+ pbn_oxsemi_1_15625000 }, -+ /* -+ * Brainboxes PX-846 -+ */ -+ { PCI_VENDOR_ID_INTASHIELD, 0x4008, -+ PCI_ANY_ID, PCI_ANY_ID, -+ 0, 0, -+ pbn_b0_1_115200 }, -+ { PCI_VENDOR_ID_INTASHIELD, 0x4017, -+ PCI_ANY_ID, PCI_ANY_ID, -+ 0, 0, -+ pbn_oxsemi_1_15625000 }, -+ - /* - * Perle PCI-RAS cards - */ --- -2.35.1 - diff --git a/queue-5.19/tty-vt-initialize-unicode-screen-buffer.patch-8483 b/queue-5.19/tty-vt-initialize-unicode-screen-buffer.patch-8483 deleted file mode 100644 index 62812af3004..00000000000 --- a/queue-5.19/tty-vt-initialize-unicode-screen-buffer.patch-8483 +++ /dev/null @@ -1,57 +0,0 @@ -From 4ba55f6cee68a9d823d68a382f70be58049709e0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 19 Jul 2022 14:49:39 +0900 -Subject: tty: vt: initialize unicode screen buffer - -From: Tetsuo Handa - -[ Upstream commit af77c56aa35325daa2bc2bed5c2ebf169be61b86 ] - -syzbot reports kernel infoleak at vcs_read() [1], for buffer can be read -immediately after resize operation. Initialize buffer using kzalloc(). - - ---------- - #include - #include - #include - #include - - int main(int argc, char *argv[]) - { - struct fb_var_screeninfo var = { }; - const int fb_fd = open("/dev/fb0", 3); - ioctl(fb_fd, FBIOGET_VSCREENINFO, &var); - var.yres = 0x21; - ioctl(fb_fd, FBIOPUT_VSCREENINFO, &var); - return read(open("/dev/vcsu", O_RDONLY), &var, sizeof(var)) == -1; - } - ---------- - -Link: https://syzkaller.appspot.com/bug?extid=31a641689d43387f05d3 [1] -Cc: stable -Reported-by: syzbot -Reviewed-by: Jiri Slaby -Signed-off-by: Tetsuo Handa -Link: https://lore.kernel.org/r/4ef053cf-e796-fb5e-58b7-3ae58242a4ad@I-love.SAKURA.ne.jp -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/tty/vt/vt.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c -index dfc1f4b445f3..6eaf8eb84661 100644 ---- a/drivers/tty/vt/vt.c -+++ b/drivers/tty/vt/vt.c -@@ -344,7 +344,7 @@ static struct uni_screen *vc_uniscr_alloc(unsigned int cols, unsigned int rows) - /* allocate everything in one go */ - memsize = cols * rows * sizeof(char32_t); - memsize += rows * sizeof(char32_t *); -- p = vmalloc(memsize); -+ p = vzalloc(memsize); - if (!p) - return NULL; - --- -2.35.1 - diff --git a/queue-5.19/um-remove-straying-parenthesis.patch-5379 b/queue-5.19/um-remove-straying-parenthesis.patch-5379 deleted file mode 100644 index c876bb3ef13..00000000000 --- a/queue-5.19/um-remove-straying-parenthesis.patch-5379 +++ /dev/null @@ -1,40 +0,0 @@ -From a6a0f18473e1a64bfda2f4a192f3692fd833716c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 31 May 2022 11:17:39 +0000 -Subject: um: Remove straying parenthesis - -From: Benjamin Beichler - -[ Upstream commit c6496e0a4a90d8149203c16323cff3fa46e422e7 ] - -Commit e3a33af812c6 ("um: fix and optimize xor select template for CONFIG64 and timetravel mode") -caused a build regression when CONFIG_XOR_BLOCKS and CONFIG_UML_TIME_TRAVEL_SUPPORT -are selected. -Fix it by removing the straying parenthesis. - -Cc: stable@vger.kernel.org -Fixes: e3a33af812c6 ("um: fix and optimize xor select template for CONFIG64 and timetravel mode") -Signed-off-by: Benjamin Beichler -[rw: Added commit message] -Signed-off-by: Richard Weinberger -Signed-off-by: Sasha Levin ---- - arch/um/include/asm/xor.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/um/include/asm/xor.h b/arch/um/include/asm/xor.h -index 22b39de73c24..647fae200c5d 100644 ---- a/arch/um/include/asm/xor.h -+++ b/arch/um/include/asm/xor.h -@@ -18,7 +18,7 @@ - #undef XOR_SELECT_TEMPLATE - /* pick an arbitrary one - measuring isn't possible with inf-cpu */ - #define XOR_SELECT_TEMPLATE(x) \ -- (time_travel_mode == TT_MODE_INFCPU ? TT_CPU_INF_XOR_DEFAULT : x)) -+ (time_travel_mode == TT_MODE_INFCPU ? TT_CPU_INF_XOR_DEFAULT : x) - #endif - - #endif --- -2.35.1 - diff --git a/queue-5.19/um-seed-rng-using-host-os-rng.patch-8415 b/queue-5.19/um-seed-rng-using-host-os-rng.patch-8415 deleted file mode 100644 index 2a2fd9ae353..00000000000 --- a/queue-5.19/um-seed-rng-using-host-os-rng.patch-8415 +++ /dev/null @@ -1,163 +0,0 @@ -From 2e26ddf816692690d73af68c3eb552e320ca3e2b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 13 Jul 2022 01:12:21 +0200 -Subject: um: seed rng using host OS rng - -From: Jason A. Donenfeld - -[ Upstream commit 0b9ba6135d7f18b82f3d8bebb55ded725ba88e0e ] - -UML generally does not provide access to special CPU instructions like -RDRAND, and execution tends to be rather deterministic, with no real -hardware interrupts, making good randomness really very hard, if not -all together impossible. Not only is this a security eyebrow raiser, but -it's also quite annoying when trying to do various pieces of UML-based -automation that takes a long time to boot, if ever. - -Fix this by trivially calling getrandom() in the host and using that -seed as "bootloader randomness", which initializes the rng immediately -at UML boot. - -The old behavior can be restored the same way as on any other arch, by -way of CONFIG_TRUST_BOOTLOADER_RANDOMNESS=n or -random.trust_bootloader=0. So seen from that perspective, this just -makes UML act like other archs, which is positive in its own right. - -Additionally, wire up arch_get_random_{int,long}() in the same way, so -that reseeds can also make use of the host RNG, controllable by -CONFIG_TRUST_CPU_RANDOMNESS and random.trust_cpu, per usual. - -Cc: stable@vger.kernel.org -Acked-by: Johannes Berg -Acked-By: Anton Ivanov -Signed-off-by: Jason A. Donenfeld -Signed-off-by: Sasha Levin ---- - arch/um/include/asm/archrandom.h | 30 ++++++++++++++++++++++++++++++ - arch/um/include/shared/os.h | 7 +++++++ - arch/um/kernel/um_arch.c | 8 ++++++++ - arch/um/os-Linux/util.c | 6 ++++++ - 4 files changed, 51 insertions(+) - create mode 100644 arch/um/include/asm/archrandom.h - -diff --git a/arch/um/include/asm/archrandom.h b/arch/um/include/asm/archrandom.h -new file mode 100644 -index 000000000000..2f24cb96391d ---- /dev/null -+++ b/arch/um/include/asm/archrandom.h -@@ -0,0 +1,30 @@ -+/* SPDX-License-Identifier: GPL-2.0 */ -+#ifndef __ASM_UM_ARCHRANDOM_H__ -+#define __ASM_UM_ARCHRANDOM_H__ -+ -+#include -+ -+/* This is from , but better not to #include that in a global header here. */ -+ssize_t os_getrandom(void *buf, size_t len, unsigned int flags); -+ -+static inline bool __must_check arch_get_random_long(unsigned long *v) -+{ -+ return os_getrandom(v, sizeof(*v), 0) == sizeof(*v); -+} -+ -+static inline bool __must_check arch_get_random_int(unsigned int *v) -+{ -+ return os_getrandom(v, sizeof(*v), 0) == sizeof(*v); -+} -+ -+static inline bool __must_check arch_get_random_seed_long(unsigned long *v) -+{ -+ return false; -+} -+ -+static inline bool __must_check arch_get_random_seed_int(unsigned int *v) -+{ -+ return false; -+} -+ -+#endif -diff --git a/arch/um/include/shared/os.h b/arch/um/include/shared/os.h -index fafde1d5416e..0df646c6651e 100644 ---- a/arch/um/include/shared/os.h -+++ b/arch/um/include/shared/os.h -@@ -11,6 +11,12 @@ - #include - #include - #include -+/* This is to get size_t */ -+#ifndef __UM_HOST__ -+#include -+#else -+#include -+#endif - - #define CATCH_EINTR(expr) while ((errno = 0, ((expr) < 0)) && (errno == EINTR)) - -@@ -243,6 +249,7 @@ extern void stack_protections(unsigned long address); - extern int raw(int fd); - extern void setup_machinename(char *machine_out); - extern void setup_hostinfo(char *buf, int len); -+extern ssize_t os_getrandom(void *buf, size_t len, unsigned int flags); - extern void os_dump_core(void) __attribute__ ((noreturn)); - extern void um_early_printk(const char *s, unsigned int n); - extern void os_fix_helper_signals(void); -diff --git a/arch/um/kernel/um_arch.c b/arch/um/kernel/um_arch.c -index 9838967d0b2f..e0de60e503b9 100644 ---- a/arch/um/kernel/um_arch.c -+++ b/arch/um/kernel/um_arch.c -@@ -16,6 +16,7 @@ - #include - #include - #include -+#include - - #include - #include -@@ -406,6 +407,8 @@ int __init __weak read_initrd(void) - - void __init setup_arch(char **cmdline_p) - { -+ u8 rng_seed[32]; -+ - stack_protections((unsigned long) &init_thread_info); - setup_physmem(uml_physmem, uml_reserved, physmem_size, highmem); - mem_total_pages(physmem_size, iomem_size, highmem); -@@ -416,6 +419,11 @@ void __init setup_arch(char **cmdline_p) - strlcpy(boot_command_line, command_line, COMMAND_LINE_SIZE); - *cmdline_p = command_line; - setup_hostinfo(host_info, sizeof host_info); -+ -+ if (os_getrandom(rng_seed, sizeof(rng_seed), 0) == sizeof(rng_seed)) { -+ add_bootloader_randomness(rng_seed, sizeof(rng_seed)); -+ memzero_explicit(rng_seed, sizeof(rng_seed)); -+ } - } - - void __init check_bugs(void) -diff --git a/arch/um/os-Linux/util.c b/arch/um/os-Linux/util.c -index 41297ec404bf..fc0f2a9dee5a 100644 ---- a/arch/um/os-Linux/util.c -+++ b/arch/um/os-Linux/util.c -@@ -14,6 +14,7 @@ - #include - #include - #include -+#include - #include - #include - -@@ -96,6 +97,11 @@ static inline void __attribute__ ((noreturn)) uml_abort(void) - exit(127); - } - -+ssize_t os_getrandom(void *buf, size_t len, unsigned int flags) -+{ -+ return getrandom(buf, len, flags); -+} -+ - /* - * UML helper threads must not handle SIGWINCH/INT/TERM - */ --- -2.35.1 - diff --git a/queue-5.19/usb-dwc3-gadget-fix-high-speed-multiplier-setting.patch-13588 b/queue-5.19/usb-dwc3-gadget-fix-high-speed-multiplier-setting.patch-13588 deleted file mode 100644 index b93f1a64cf9..00000000000 --- a/queue-5.19/usb-dwc3-gadget-fix-high-speed-multiplier-setting.patch-13588 +++ /dev/null @@ -1,44 +0,0 @@ -From 25eec0f3ea8c7037878dbfa2801f71808bbe3897 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 4 Jul 2022 16:18:12 +0200 -Subject: usb: dwc3: gadget: fix high speed multiplier setting - -From: Michael Grzeschik - -[ Upstream commit 8affe37c525d800a2628c4ecfaed13b77dc5634a ] - -For High-Speed Transfers the prepare_one_trb function is calculating the -multiplier setting for the trb based on the length parameter of the trb -currently prepared. This assumption is wrong. For trbs with a sg list, -the length of the actual request has to be taken instead. - -Fixes: 40d829fb2ec6 ("usb: dwc3: gadget: Correct ISOC DATA PIDs for short packets") -Cc: stable -Signed-off-by: Michael Grzeschik -Link: https://lore.kernel.org/r/20220704141812.1532306-3-m.grzeschik@pengutronix.de -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/dwc3/gadget.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c -index 1b7d73638969..52d5a7c81362 100644 ---- a/drivers/usb/dwc3/gadget.c -+++ b/drivers/usb/dwc3/gadget.c -@@ -1264,10 +1264,10 @@ static void dwc3_prepare_one_trb(struct dwc3_ep *dep, - unsigned int mult = 2; - unsigned int maxp = usb_endpoint_maxp(ep->desc); - -- if (trb_length <= (2 * maxp)) -+ if (req->request.length <= (2 * maxp)) - mult--; - -- if (trb_length <= maxp) -+ if (req->request.length <= maxp) - mult--; - - trb->size |= DWC3_TRB_SIZE_PCM1(mult); --- -2.35.1 - diff --git a/queue-5.19/usb-dwc3-gadget-refactor-dwc3_repare_one_trb.patch-8861 b/queue-5.19/usb-dwc3-gadget-refactor-dwc3_repare_one_trb.patch-8861 deleted file mode 100644 index 24672e2d782..00000000000 --- a/queue-5.19/usb-dwc3-gadget-refactor-dwc3_repare_one_trb.patch-8861 +++ /dev/null @@ -1,151 +0,0 @@ -From a4c08ba674cd5fa59b05d31b34a23c96236de36f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 4 Jul 2022 16:18:11 +0200 -Subject: usb: dwc3: gadget: refactor dwc3_repare_one_trb - -From: Michael Grzeschik - -[ Upstream commit 23385cec5f354794dadced7f28c31da7ae3eb54c ] - -The function __dwc3_prepare_one_trb has many parameters. Since it is -only used in dwc3_prepare_one_trb there is no point in keeping the -function. We merge both functions and get rid of the big list of -parameters. - -Fixes: 40d829fb2ec6 ("usb: dwc3: gadget: Correct ISOC DATA PIDs for short packets") -Cc: stable -Signed-off-by: Michael Grzeschik -Link: https://lore.kernel.org/r/20220704141812.1532306-2-m.grzeschik@pengutronix.de -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/dwc3/gadget.c | 92 +++++++++++++++++---------------------- - 1 file changed, 40 insertions(+), 52 deletions(-) - -diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c -index 0d89dfa6eef5..1b7d73638969 100644 ---- a/drivers/usb/dwc3/gadget.c -+++ b/drivers/usb/dwc3/gadget.c -@@ -1182,17 +1182,49 @@ static u32 dwc3_calc_trbs_left(struct dwc3_ep *dep) - return trbs_left; - } - --static void __dwc3_prepare_one_trb(struct dwc3_ep *dep, struct dwc3_trb *trb, -- dma_addr_t dma, unsigned int length, unsigned int chain, -- unsigned int node, unsigned int stream_id, -- unsigned int short_not_ok, unsigned int no_interrupt, -- unsigned int is_last, bool must_interrupt) -+/** -+ * dwc3_prepare_one_trb - setup one TRB from one request -+ * @dep: endpoint for which this request is prepared -+ * @req: dwc3_request pointer -+ * @trb_length: buffer size of the TRB -+ * @chain: should this TRB be chained to the next? -+ * @node: only for isochronous endpoints. First TRB needs different type. -+ * @use_bounce_buffer: set to use bounce buffer -+ * @must_interrupt: set to interrupt on TRB completion -+ */ -+static void dwc3_prepare_one_trb(struct dwc3_ep *dep, -+ struct dwc3_request *req, unsigned int trb_length, -+ unsigned int chain, unsigned int node, bool use_bounce_buffer, -+ bool must_interrupt) - { -+ struct dwc3_trb *trb; -+ dma_addr_t dma; -+ unsigned int stream_id = req->request.stream_id; -+ unsigned int short_not_ok = req->request.short_not_ok; -+ unsigned int no_interrupt = req->request.no_interrupt; -+ unsigned int is_last = req->request.is_last; - struct dwc3 *dwc = dep->dwc; - struct usb_gadget *gadget = dwc->gadget; - enum usb_device_speed speed = gadget->speed; - -- trb->size = DWC3_TRB_SIZE_LENGTH(length); -+ if (use_bounce_buffer) -+ dma = dep->dwc->bounce_addr; -+ else if (req->request.num_sgs > 0) -+ dma = sg_dma_address(req->start_sg); -+ else -+ dma = req->request.dma; -+ -+ trb = &dep->trb_pool[dep->trb_enqueue]; -+ -+ if (!req->trb) { -+ dwc3_gadget_move_started_request(req); -+ req->trb = trb; -+ req->trb_dma = dwc3_trb_dma_offset(dep, trb); -+ } -+ -+ req->num_trbs++; -+ -+ trb->size = DWC3_TRB_SIZE_LENGTH(trb_length); - trb->bpl = lower_32_bits(dma); - trb->bph = upper_32_bits(dma); - -@@ -1232,10 +1264,10 @@ static void __dwc3_prepare_one_trb(struct dwc3_ep *dep, struct dwc3_trb *trb, - unsigned int mult = 2; - unsigned int maxp = usb_endpoint_maxp(ep->desc); - -- if (length <= (2 * maxp)) -+ if (trb_length <= (2 * maxp)) - mult--; - -- if (length <= maxp) -+ if (trb_length <= maxp) - mult--; - - trb->size |= DWC3_TRB_SIZE_PCM1(mult); -@@ -1309,50 +1341,6 @@ static void __dwc3_prepare_one_trb(struct dwc3_ep *dep, struct dwc3_trb *trb, - trace_dwc3_prepare_trb(dep, trb); - } - --/** -- * dwc3_prepare_one_trb - setup one TRB from one request -- * @dep: endpoint for which this request is prepared -- * @req: dwc3_request pointer -- * @trb_length: buffer size of the TRB -- * @chain: should this TRB be chained to the next? -- * @node: only for isochronous endpoints. First TRB needs different type. -- * @use_bounce_buffer: set to use bounce buffer -- * @must_interrupt: set to interrupt on TRB completion -- */ --static void dwc3_prepare_one_trb(struct dwc3_ep *dep, -- struct dwc3_request *req, unsigned int trb_length, -- unsigned int chain, unsigned int node, bool use_bounce_buffer, -- bool must_interrupt) --{ -- struct dwc3_trb *trb; -- dma_addr_t dma; -- unsigned int stream_id = req->request.stream_id; -- unsigned int short_not_ok = req->request.short_not_ok; -- unsigned int no_interrupt = req->request.no_interrupt; -- unsigned int is_last = req->request.is_last; -- -- if (use_bounce_buffer) -- dma = dep->dwc->bounce_addr; -- else if (req->request.num_sgs > 0) -- dma = sg_dma_address(req->start_sg); -- else -- dma = req->request.dma; -- -- trb = &dep->trb_pool[dep->trb_enqueue]; -- -- if (!req->trb) { -- dwc3_gadget_move_started_request(req); -- req->trb = trb; -- req->trb_dma = dwc3_trb_dma_offset(dep, trb); -- } -- -- req->num_trbs++; -- -- __dwc3_prepare_one_trb(dep, trb, dma, trb_length, chain, node, -- stream_id, short_not_ok, no_interrupt, is_last, -- must_interrupt); --} -- - static bool dwc3_needs_extra_trb(struct dwc3_ep *dep, struct dwc3_request *req) - { - unsigned int maxp = usb_endpoint_maxp(dep->endpoint.desc); --- -2.35.1 - diff --git a/queue-5.19/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch-12274 b/queue-5.19/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch-12274 deleted file mode 100644 index eed8f8a51ac..00000000000 --- a/queue-5.19/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch-12274 +++ /dev/null @@ -1,78 +0,0 @@ -From 695e00b305c742f7d25e7a4347d0a6f6f3488047 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 21 Jul 2022 11:07:10 -0400 -Subject: USB: gadget: Fix use-after-free Read in usb_udc_uevent() - -From: Alan Stern - -[ Upstream commit 2191c00855b03aa59c20e698be713d952d51fc18 ] - -The syzbot fuzzer found a race between uevent callbacks and gadget -driver unregistration that can cause a use-after-free bug: - ---------------------------------------------------------------- -BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130 -drivers/usb/gadget/udc/core.c:1732 -Read of size 8 at addr ffff888078ce2050 by task udevd/2968 - -CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google -06/29/2022 -Call Trace: - - __dump_stack lib/dump_stack.c:88 [inline] - dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 - print_address_description mm/kasan/report.c:317 [inline] - print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 - kasan_report+0xbe/0x1f0 mm/kasan/report.c:495 - usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732 - dev_uevent+0x290/0x770 drivers/base/core.c:2424 ---------------------------------------------------------------- - -The bug occurs because usb_udc_uevent() dereferences udc->driver but -does so without acquiring the udc_lock mutex, which protects this -field. If the gadget driver is unbound from the udc concurrently with -uevent processing, the driver structure may be accessed after it has -been deallocated. - -To prevent the race, we make sure that the routine holds the mutex -around the racing accesses. - -Link: -CC: stable@vger.kernel.org # fc274c1e9973 -Reported-and-tested-by: syzbot+b0de012ceb1e2a97891b@syzkaller.appspotmail.com -Signed-off-by: Alan Stern -Link: https://lore.kernel.org/r/YtlrnhHyrHsSky9m@rowland.harvard.edu -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/gadget/udc/core.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c -index 7886497253cc..cafcf260394c 100644 ---- a/drivers/usb/gadget/udc/core.c -+++ b/drivers/usb/gadget/udc/core.c -@@ -1728,13 +1728,14 @@ static int usb_udc_uevent(struct device *dev, struct kobj_uevent_env *env) - return ret; - } - -- if (udc->driver) { -+ mutex_lock(&udc_lock); -+ if (udc->driver) - ret = add_uevent_var(env, "USB_UDC_DRIVER=%s", - udc->driver->function); -- if (ret) { -- dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); -- return ret; -- } -+ mutex_unlock(&udc_lock); -+ if (ret) { -+ dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); -+ return ret; - } - - return 0; --- -2.35.1 - diff --git a/queue-5.19/usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch-24136 b/queue-5.19/usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch-24136 deleted file mode 100644 index 085ee9dc10a..00000000000 --- a/queue-5.19/usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch-24136 +++ /dev/null @@ -1,132 +0,0 @@ -From bcd8d6752d2fa9b3d117527f7cd8444380afa4a8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 26 Jul 2022 15:49:18 +0800 -Subject: USB: HCD: Fix URB giveback issue in tasklet function - -From: Weitao Wang - -[ Upstream commit 26c6c2f8a907c9e3a2f24990552a4d77235791e6 ] - -Usb core introduce the mechanism of giveback of URB in tasklet context to -reduce hardware interrupt handling time. On some test situation(such as -FIO with 4KB block size), when tasklet callback function called to -giveback URB, interrupt handler add URB node to the bh->head list also. -If check bh->head list again after finish all URB giveback of local_list, -then it may introduce a "dynamic balance" between giveback URB and add URB -to bh->head list. This tasklet callback function may not exit for a long -time, which will cause other tasklet function calls to be delayed. Some -real-time applications(such as KB and Mouse) will see noticeable lag. - -In order to prevent the tasklet function from occupying the cpu for a long -time at a time, new URBS will not be added to the local_list even though -the bh->head list is not empty. But also need to ensure the left URB -giveback to be processed in time, so add a member high_prio for structure -giveback_urb_bh to prioritize tasklet and schelule this tasklet again if -bh->head list is not empty. - -At the same time, we are able to prioritize tasklet through structure -member high_prio. So, replace the local high_prio_bh variable with this -structure member in usb_hcd_giveback_urb. - -Fixes: 94dfd7edfd5c ("USB: HCD: support giveback of URB in tasklet context") -Cc: stable -Reviewed-by: Alan Stern -Signed-off-by: Weitao Wang -Link: https://lore.kernel.org/r/20220726074918.5114-1-WeitaoWang-oc@zhaoxin.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/core/hcd.c | 26 +++++++++++++++----------- - include/linux/usb/hcd.h | 1 + - 2 files changed, 16 insertions(+), 11 deletions(-) - -diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c -index 06eea8848ccc..11c8ea0cccc8 100644 ---- a/drivers/usb/core/hcd.c -+++ b/drivers/usb/core/hcd.c -@@ -1691,7 +1691,6 @@ static void usb_giveback_urb_bh(struct tasklet_struct *t) - - spin_lock_irq(&bh->lock); - bh->running = true; -- restart: - list_replace_init(&bh->head, &local_list); - spin_unlock_irq(&bh->lock); - -@@ -1705,10 +1704,17 @@ static void usb_giveback_urb_bh(struct tasklet_struct *t) - bh->completing_ep = NULL; - } - -- /* check if there are new URBs to giveback */ -+ /* -+ * giveback new URBs next time to prevent this function -+ * from not exiting for a long time. -+ */ - spin_lock_irq(&bh->lock); -- if (!list_empty(&bh->head)) -- goto restart; -+ if (!list_empty(&bh->head)) { -+ if (bh->high_prio) -+ tasklet_hi_schedule(&bh->bh); -+ else -+ tasklet_schedule(&bh->bh); -+ } - bh->running = false; - spin_unlock_irq(&bh->lock); - } -@@ -1737,7 +1743,7 @@ static void usb_giveback_urb_bh(struct tasklet_struct *t) - void usb_hcd_giveback_urb(struct usb_hcd *hcd, struct urb *urb, int status) - { - struct giveback_urb_bh *bh; -- bool running, high_prio_bh; -+ bool running; - - /* pass status to tasklet via unlinked */ - if (likely(!urb->unlinked)) -@@ -1748,13 +1754,10 @@ void usb_hcd_giveback_urb(struct usb_hcd *hcd, struct urb *urb, int status) - return; - } - -- if (usb_pipeisoc(urb->pipe) || usb_pipeint(urb->pipe)) { -+ if (usb_pipeisoc(urb->pipe) || usb_pipeint(urb->pipe)) - bh = &hcd->high_prio_bh; -- high_prio_bh = true; -- } else { -+ else - bh = &hcd->low_prio_bh; -- high_prio_bh = false; -- } - - spin_lock(&bh->lock); - list_add_tail(&urb->urb_list, &bh->head); -@@ -1763,7 +1766,7 @@ void usb_hcd_giveback_urb(struct usb_hcd *hcd, struct urb *urb, int status) - - if (running) - ; -- else if (high_prio_bh) -+ else if (bh->high_prio) - tasklet_hi_schedule(&bh->bh); - else - tasklet_schedule(&bh->bh); -@@ -2959,6 +2962,7 @@ int usb_add_hcd(struct usb_hcd *hcd, - - /* initialize tasklets */ - init_giveback_urb_bh(&hcd->high_prio_bh); -+ hcd->high_prio_bh.high_prio = true; - init_giveback_urb_bh(&hcd->low_prio_bh); - - /* enable irqs just before we start the controller, -diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h -index 2c1fc9212cf2..98d1921f02b1 100644 ---- a/include/linux/usb/hcd.h -+++ b/include/linux/usb/hcd.h -@@ -66,6 +66,7 @@ - - struct giveback_urb_bh { - bool running; -+ bool high_prio; - spinlock_t lock; - struct list_head head; - struct tasklet_struct bh; --- -2.35.1 - diff --git a/queue-5.19/usb-typec-ucsi-acknowledge-the-get_error_status-comm.patch b/queue-5.19/usb-typec-ucsi-acknowledge-the-get_error_status-comm.patch deleted file mode 100644 index cda8ea20f88..00000000000 --- a/queue-5.19/usb-typec-ucsi-acknowledge-the-get_error_status-comm.patch +++ /dev/null @@ -1,46 +0,0 @@ -From d6b81f001c2bae43f67f2e757774341def8894be Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 26 Jul 2022 14:45:49 +0800 -Subject: usb: typec: ucsi: Acknowledge the GET_ERROR_STATUS command completion - -From: Linyu Yuan - -[ Upstream commit a7dc438b5e446afcd1b3b6651da28271400722f2 ] - -We found PPM will not send any notification after it report error status -and OPM issue GET_ERROR_STATUS command to read the details about error. - -According UCSI spec, PPM may clear the Error Status Data after the OPM -has acknowledged the command completion. - -This change add operation to acknowledge the command completion from PPM. - -Fixes: bdc62f2bae8f (usb: typec: ucsi: Simplified registration and I/O API) -Cc: # 5.10 -Signed-off-by: Jack Pham -Signed-off-by: Linyu Yuan -Link: https://lore.kernel.org/r/1658817949-4632-1-git-send-email-quic_linyyuan@quicinc.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/typec/ucsi/ucsi.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c -index cbd862f9f2a1..1aea46493b85 100644 ---- a/drivers/usb/typec/ucsi/ucsi.c -+++ b/drivers/usb/typec/ucsi/ucsi.c -@@ -76,6 +76,10 @@ static int ucsi_read_error(struct ucsi *ucsi) - if (ret) - return ret; - -+ ret = ucsi_acknowledge_command(ucsi); -+ if (ret) -+ return ret; -+ - switch (error) { - case UCSI_ERROR_INCOMPATIBLE_PARTNER: - return -EOPNOTSUPP; --- -2.35.1 - diff --git a/queue-5.19/usbnet-fix-linkwatch-use-after-free-on-disconnect.patch-30140 b/queue-5.19/usbnet-fix-linkwatch-use-after-free-on-disconnect.patch-30140 deleted file mode 100644 index aaf8f9a2994..00000000000 --- a/queue-5.19/usbnet-fix-linkwatch-use-after-free-on-disconnect.patch-30140 +++ /dev/null @@ -1,90 +0,0 @@ -From e76a4cdb309afe50d707c3a04df9f64540323d98 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 23 Jun 2022 14:50:59 +0200 -Subject: usbnet: Fix linkwatch use-after-free on disconnect - -From: Lukas Wunner - -[ Upstream commit a69e617e533edddf3fa3123149900f36e0a6dc74 ] - -usbnet uses the work usbnet_deferred_kevent() to perform tasks which may -sleep. On disconnect, completion of the work was originally awaited in -->ndo_stop(). But in 2003, that was moved to ->disconnect() by historic -commit "[PATCH] USB: usbnet, prevent exotic rtnl deadlock": - - https://git.kernel.org/tglx/history/c/0f138bbfd83c - -The change was made because back then, the kernel's workqueue -implementation did not allow waiting for a single work. One had to wait -for completion of *all* work by calling flush_scheduled_work(), and that -could deadlock when waiting for usbnet_deferred_kevent() with rtnl_mutex -held in ->ndo_stop(). - -The commit solved one problem but created another: It causes a -use-after-free in USB Ethernet drivers aqc111.c, asix_devices.c, -ax88179_178a.c, ch9200.c and smsc75xx.c: - -* If the drivers receive a link change interrupt immediately before - disconnect, they raise EVENT_LINK_RESET in their (non-sleepable) - ->status() callback and schedule usbnet_deferred_kevent(). -* usbnet_deferred_kevent() invokes the driver's ->link_reset() callback, - which calls netif_carrier_{on,off}(). -* That in turn schedules the work linkwatch_event(). - -Because usbnet_deferred_kevent() is awaited after unregister_netdev(), -netif_carrier_{on,off}() may operate on an unregistered netdev and -linkwatch_event() may run after free_netdev(), causing a use-after-free. - -In 2010, usbnet was changed to only wait for a single instance of -usbnet_deferred_kevent() instead of *all* work by commit 23f333a2bfaf -("drivers/net: don't use flush_scheduled_work()"). - -Unfortunately the commit neglected to move the wait back to -->ndo_stop(). Rectify that omission at long last. - -Reported-by: Jann Horn -Link: https://lore.kernel.org/netdev/CAG48ez0MHBbENX5gCdHAUXZ7h7s20LnepBF-pa5M=7Bi-jZrEA@mail.gmail.com/ -Reported-by: Oleksij Rempel -Link: https://lore.kernel.org/netdev/20220315113841.GA22337@pengutronix.de/ -Signed-off-by: Lukas Wunner -Cc: stable@vger.kernel.org -Acked-by: Oliver Neukum -Link: https://lore.kernel.org/r/d1c87ebe9fc502bffcd1576e238d685ad08321e4.1655987888.git.lukas@wunner.de -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/usb/usbnet.c | 8 ++------ - 1 file changed, 2 insertions(+), 6 deletions(-) - -diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c -index 78a92751ce4c..0ed09bb91c44 100644 ---- a/drivers/net/usb/usbnet.c -+++ b/drivers/net/usb/usbnet.c -@@ -849,13 +849,11 @@ int usbnet_stop (struct net_device *net) - - mpn = !test_and_clear_bit(EVENT_NO_RUNTIME_PM, &dev->flags); - -- /* deferred work (task, timer, softirq) must also stop. -- * can't flush_scheduled_work() until we drop rtnl (later), -- * else workers could deadlock; so make workers a NOP. -- */ -+ /* deferred work (timer, softirq, task) must also stop */ - dev->flags = 0; - del_timer_sync (&dev->delay); - tasklet_kill (&dev->bh); -+ cancel_work_sync(&dev->kevent); - if (!pm) - usb_autopm_put_interface(dev->intf); - -@@ -1619,8 +1617,6 @@ void usbnet_disconnect (struct usb_interface *intf) - net = dev->net; - unregister_netdev (net); - -- cancel_work_sync(&dev->kevent); -- - usb_scuttle_anchored_urbs(&dev->deferred); - - if (dev->driver_info->unbind) --- -2.35.1 - diff --git a/queue-5.19/usbnet-smsc95xx-fix-deadlock-on-runtime-resume.patch-22908 b/queue-5.19/usbnet-smsc95xx-fix-deadlock-on-runtime-resume.patch-22908 deleted file mode 100644 index e57706bdfef..00000000000 --- a/queue-5.19/usbnet-smsc95xx-fix-deadlock-on-runtime-resume.patch-22908 +++ /dev/null @@ -1,193 +0,0 @@ -From 7660b6340c5f30ea6c98ee7271cefad4f9193d98 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 1 Jul 2022 22:47:51 +0200 -Subject: usbnet: smsc95xx: Fix deadlock on runtime resume - -From: Lukas Wunner - -[ Upstream commit 7b960c967f2aa01ab8f45c5a0bd78e754cffdeee ] - -Commit 05b35e7eb9a1 ("smsc95xx: add phylib support") amended -smsc95xx_resume() to call phy_init_hw(). That function waits for the -device to runtime resume even though it is placed in the runtime resume -path, causing a deadlock. - -The problem is that phy_init_hw() calls down to smsc95xx_mdiobus_read(), -which never uses the _nopm variant of usbnet_read_cmd(). - -Commit b4df480f68ae ("usbnet: smsc95xx: add reset_resume function with -reset operation") causes a similar deadlock on resume if the device was -already runtime suspended when entering system sleep: - -That's because the commit introduced smsc95xx_reset_resume(), which -calls down to smsc95xx_reset(), which neglects to use _nopm accessors. - -Fix by auto-detecting whether a device access is performed by the -suspend/resume task_struct and use the _nopm variant if so. This works -because the PM core guarantees that suspend/resume callbacks are run in -task context. - -Stacktrace for posterity: - - INFO: task kworker/2:1:49 blocked for more than 122 seconds. - Workqueue: usb_hub_wq hub_event - schedule - rpm_resume - __pm_runtime_resume - usb_autopm_get_interface - usbnet_read_cmd - __smsc95xx_read_reg - __smsc95xx_phy_wait_not_busy - __smsc95xx_mdio_read - smsc95xx_mdiobus_read - __mdiobus_read - mdiobus_read - smsc_phy_reset - phy_init_hw - smsc95xx_resume - usb_resume_interface - usb_resume_both - usb_runtime_resume - __rpm_callback - rpm_callback - rpm_resume - __pm_runtime_resume - usb_autoresume_device - hub_event - process_one_work - -Fixes: b4df480f68ae ("usbnet: smsc95xx: add reset_resume function with reset operation") -Signed-off-by: Lukas Wunner -Cc: stable@vger.kernel.org # v3.16+ -Cc: Andre Edich -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/usb/smsc95xx.c | 26 ++++++++++++++++++++------ - 1 file changed, 20 insertions(+), 6 deletions(-) - -diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c -index bd03e16f98a1..4dc43929e370 100644 ---- a/drivers/net/usb/smsc95xx.c -+++ b/drivers/net/usb/smsc95xx.c -@@ -71,6 +71,7 @@ struct smsc95xx_priv { - struct fwnode_handle *irqfwnode; - struct mii_bus *mdiobus; - struct phy_device *phydev; -+ struct task_struct *pm_task; - }; - - static bool turbo_mode = true; -@@ -80,13 +81,14 @@ MODULE_PARM_DESC(turbo_mode, "Enable multiple frames per Rx transaction"); - static int __must_check __smsc95xx_read_reg(struct usbnet *dev, u32 index, - u32 *data, int in_pm) - { -+ struct smsc95xx_priv *pdata = dev->driver_priv; - u32 buf; - int ret; - int (*fn)(struct usbnet *, u8, u8, u16, u16, void *, u16); - - BUG_ON(!dev); - -- if (!in_pm) -+ if (current != pdata->pm_task) - fn = usbnet_read_cmd; - else - fn = usbnet_read_cmd_nopm; -@@ -110,13 +112,14 @@ static int __must_check __smsc95xx_read_reg(struct usbnet *dev, u32 index, - static int __must_check __smsc95xx_write_reg(struct usbnet *dev, u32 index, - u32 data, int in_pm) - { -+ struct smsc95xx_priv *pdata = dev->driver_priv; - u32 buf; - int ret; - int (*fn)(struct usbnet *, u8, u8, u16, u16, const void *, u16); - - BUG_ON(!dev); - -- if (!in_pm) -+ if (current != pdata->pm_task) - fn = usbnet_write_cmd; - else - fn = usbnet_write_cmd_nopm; -@@ -1490,9 +1493,12 @@ static int smsc95xx_suspend(struct usb_interface *intf, pm_message_t message) - u32 val, link_up; - int ret; - -+ pdata->pm_task = current; -+ - ret = usbnet_suspend(intf, message); - if (ret < 0) { - netdev_warn(dev->net, "usbnet_suspend error\n"); -+ pdata->pm_task = NULL; - return ret; - } - -@@ -1732,6 +1738,7 @@ static int smsc95xx_suspend(struct usb_interface *intf, pm_message_t message) - if (ret && PMSG_IS_AUTO(message)) - usbnet_resume(intf); - -+ pdata->pm_task = NULL; - return ret; - } - -@@ -1752,29 +1759,31 @@ static int smsc95xx_resume(struct usb_interface *intf) - /* do this first to ensure it's cleared even in error case */ - pdata->suspend_flags = 0; - -+ pdata->pm_task = current; -+ - if (suspend_flags & SUSPEND_ALLMODES) { - /* clear wake-up sources */ - ret = smsc95xx_read_reg_nopm(dev, WUCSR, &val); - if (ret < 0) -- return ret; -+ goto done; - - val &= ~(WUCSR_WAKE_EN_ | WUCSR_MPEN_); - - ret = smsc95xx_write_reg_nopm(dev, WUCSR, val); - if (ret < 0) -- return ret; -+ goto done; - - /* clear wake-up status */ - ret = smsc95xx_read_reg_nopm(dev, PM_CTRL, &val); - if (ret < 0) -- return ret; -+ goto done; - - val &= ~PM_CTL_WOL_EN_; - val |= PM_CTL_WUPS_; - - ret = smsc95xx_write_reg_nopm(dev, PM_CTRL, val); - if (ret < 0) -- return ret; -+ goto done; - } - - phy_init_hw(pdata->phydev); -@@ -1783,15 +1792,20 @@ static int smsc95xx_resume(struct usb_interface *intf) - if (ret < 0) - netdev_warn(dev->net, "usbnet_resume error\n"); - -+done: -+ pdata->pm_task = NULL; - return ret; - } - - static int smsc95xx_reset_resume(struct usb_interface *intf) - { - struct usbnet *dev = usb_get_intfdata(intf); -+ struct smsc95xx_priv *pdata = dev->driver_priv; - int ret; - -+ pdata->pm_task = current; - ret = smsc95xx_reset(dev); -+ pdata->pm_task = NULL; - if (ret < 0) - return ret; - --- -2.35.1 - diff --git a/queue-5.19/vfs-check-the-truncate-maximum-size-in-inode_newsize.patch b/queue-5.19/vfs-check-the-truncate-maximum-size-in-inode_newsize.patch deleted file mode 100644 index 79006fe15a3..00000000000 --- a/queue-5.19/vfs-check-the-truncate-maximum-size-in-inode_newsize.patch +++ /dev/null @@ -1,73 +0,0 @@ -From e04fea8cd8ac26f4d38a6c8f8550dc732235ab0c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 8 Aug 2022 09:52:35 +0100 -Subject: vfs: Check the truncate maximum size in inode_newsize_ok() - -From: David Howells - -[ Upstream commit e2ebff9c57fe4eb104ce4768f6ebcccf76bef849 ] - -If something manages to set the maximum file size to MAX_OFFSET+1, this -can cause the xfs and ext4 filesystems at least to become corrupt. - -Ordinarily, the kernel protects against userspace trying this by -checking the value early in the truncate() and ftruncate() system calls -calls - but there are at least two places that this check is bypassed: - - (1) Cachefiles will round up the EOF of the backing file to DIO block - size so as to allow DIO on the final block - but this might push - the offset negative. It then calls notify_change(), but this - inadvertently bypasses the checking. This can be triggered if - someone puts an 8EiB-1 file on a server for someone else to try and - access by, say, nfs. - - (2) ksmbd doesn't check the value it is given in set_end_of_file_info() - and then calls vfs_truncate() directly - which also bypasses the - check. - -In both cases, it is potentially possible for a network filesystem to -cause a disk filesystem to be corrupted: cachefiles in the client's -cache filesystem; ksmbd in the server's filesystem. - -nfsd is okay as it checks the value, but we can then remove this check -too. - -Fix this by adding a check to inode_newsize_ok(), as called from -setattr_prepare(), thereby catching the issue as filesystems set up to -perform the truncate with minimal opportunity for bypassing the new -check. - -Fixes: 1f08c925e7a3 ("cachefiles: Implement backing file wrangling") -Fixes: f44158485826 ("cifsd: add file operations") -Signed-off-by: David Howells -Reported-by: Jeff Layton -Tested-by: Jeff Layton -Reviewed-by: Namjae Jeon -Cc: stable@kernel.org -Acked-by: Alexander Viro -cc: Steve French -cc: Hyunchul Lee -cc: Chuck Lever -cc: Dave Wysochanski -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin ---- - fs/attr.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/fs/attr.c b/fs/attr.c -index dbe996b0dedf..f581c4d00897 100644 ---- a/fs/attr.c -+++ b/fs/attr.c -@@ -184,6 +184,8 @@ EXPORT_SYMBOL(setattr_prepare); - */ - int inode_newsize_ok(const struct inode *inode, loff_t offset) - { -+ if (offset < 0) -+ return -EINVAL; - if (inode->i_size < offset) { - unsigned long limit; - --- -2.35.1 - diff --git a/queue-5.19/x86-kprobes-update-kcb-status-flag-after-singlestepp.patch b/queue-5.19/x86-kprobes-update-kcb-status-flag-after-singlestepp.patch deleted file mode 100644 index a7472e2d645..00000000000 --- a/queue-5.19/x86-kprobes-update-kcb-status-flag-after-singlestepp.patch +++ /dev/null @@ -1,67 +0,0 @@ -From d71f841a854f95581d4ab63274cd768d8381a44c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 2 Aug 2022 15:04:16 +0900 -Subject: x86/kprobes: Update kcb status flag after singlestepping -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Masami Hiramatsu (Google) - -[ Upstream commit dec8784c9088b131a1523f582c2194cfc8107dc0 ] - -Fix kprobes to update kcb (kprobes control block) status flag to -KPROBE_HIT_SSDONE even if the kp->post_handler is not set. - -This bug may cause a kernel panic if another INT3 user runs right -after kprobes because kprobe_int3_handler() misunderstands the -INT3 is kprobe's single stepping INT3. - -Fixes: 6256e668b7af ("x86/kprobes: Use int3 instead of debug trap for single-step") -Reported-by: Daniel Müller -Signed-off-by: Masami Hiramatsu (Google) -Signed-off-by: Ingo Molnar -Tested-by: Daniel Müller -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/all/20220727210136.jjgc3lpqeq42yr3m@muellerd-fedora-PC2BDTX9 -Link: https://lore.kernel.org/r/165942025658.342061.12452378391879093249.stgit@devnote2 -Signed-off-by: Sasha Levin ---- - arch/x86/kernel/kprobes/core.c | 18 +++++++++++------- - 1 file changed, 11 insertions(+), 7 deletions(-) - -diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c -index 7c4ab8870da4..74167dc5f55e 100644 ---- a/arch/x86/kernel/kprobes/core.c -+++ b/arch/x86/kernel/kprobes/core.c -@@ -814,16 +814,20 @@ set_current_kprobe(struct kprobe *p, struct pt_regs *regs, - static void kprobe_post_process(struct kprobe *cur, struct pt_regs *regs, - struct kprobe_ctlblk *kcb) - { -- if ((kcb->kprobe_status != KPROBE_REENTER) && cur->post_handler) { -- kcb->kprobe_status = KPROBE_HIT_SSDONE; -- cur->post_handler(cur, regs, 0); -- } -- - /* Restore back the original saved kprobes variables and continue. */ -- if (kcb->kprobe_status == KPROBE_REENTER) -+ if (kcb->kprobe_status == KPROBE_REENTER) { -+ /* This will restore both kcb and current_kprobe */ - restore_previous_kprobe(kcb); -- else -+ } else { -+ /* -+ * Always update the kcb status because -+ * reset_curent_kprobe() doesn't update kcb. -+ */ -+ kcb->kprobe_status = KPROBE_HIT_SSDONE; -+ if (cur->post_handler) -+ cur->post_handler(cur, regs, 0); - reset_current_kprobe(); -+ } - } - NOKPROBE_SYMBOL(kprobe_post_process); - --- -2.35.1 - diff --git a/queue-5.19/x86-olpc-fix-logical-not-is-only-applied-to-the-left.patch b/queue-5.19/x86-olpc-fix-logical-not-is-only-applied-to-the-left.patch deleted file mode 100644 index 84467c49feb..00000000000 --- a/queue-5.19/x86-olpc-fix-logical-not-is-only-applied-to-the-left.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 181fac7e1d71b4723e799eb09ab117ee9407108b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 15 Jul 2022 17:15:36 +0200 -Subject: x86/olpc: fix 'logical not is only applied to the left hand side' - -From: Alexander Lobakin - -[ Upstream commit 3a2ba42cbd0b669ce3837ba400905f93dd06c79f ] - -The bitops compile-time optimization series revealed one more -problem in olpc-xo1-sci.c:send_ebook_state(), resulted in GCC -warnings: - -arch/x86/platform/olpc/olpc-xo1-sci.c: In function 'send_ebook_state': -arch/x86/platform/olpc/olpc-xo1-sci.c:83:63: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] - 83 | if (!!test_bit(SW_TABLET_MODE, ebook_switch_idev->sw) == state) - | ^~ -arch/x86/platform/olpc/olpc-xo1-sci.c:83:13: note: add parentheses around left hand side expression to silence this warning - -Despite this code working as intended, this redundant double -negation of boolean value, together with comparing to `char` -with no explicit conversion to bool, makes compilers think -the author made some unintentional logical mistakes here. -Make it the other way around and negate the char instead -to silence the warnings. - -Fixes: d2aa37411b8e ("x86/olpc/xo1/sci: Produce wakeup events for buttons and switches") -Cc: stable@vger.kernel.org # 3.5+ -Reported-by: Guenter Roeck -Reported-by: kernel test robot -Reviewed-and-tested-by: Guenter Roeck -Signed-off-by: Alexander Lobakin -Signed-off-by: Yury Norov -Signed-off-by: Sasha Levin ---- - arch/x86/platform/olpc/olpc-xo1-sci.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/x86/platform/olpc/olpc-xo1-sci.c b/arch/x86/platform/olpc/olpc-xo1-sci.c -index f03a6883dcc6..89f25af4b3c3 100644 ---- a/arch/x86/platform/olpc/olpc-xo1-sci.c -+++ b/arch/x86/platform/olpc/olpc-xo1-sci.c -@@ -80,7 +80,7 @@ static void send_ebook_state(void) - return; - } - -- if (!!test_bit(SW_TABLET_MODE, ebook_switch_idev->sw) == state) -+ if (test_bit(SW_TABLET_MODE, ebook_switch_idev->sw) == !!state) - return; /* Nothing new to report. */ - - input_report_switch(ebook_switch_idev, SW_TABLET_MODE, state); --- -2.35.1 - -- 2.47.3