From b096bae53ee1013406f68ee6953c0c8b6c3d7d56 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 6 Sep 2022 14:06:13 +0200 Subject: [PATCH] 5.15-stable patches added patches: alsa-hda-realtek-add-speaker-amp-init-for-samsung-laptops-with-alc298.patch alsa-seq-fix-data-race-at-module-auto-loading.patch alsa-seq-oss-fix-data-race-for-max_midi_devs-access.patch drm-i915-glk-ecs-liva-q2-needs-glk-hdmi-port-timing-quirk.patch drm-i915-skip-wm-ddb-readout-for-disabled-pipes.patch ip-fix-triggering-of-icmp-redirect.patch kbuild-add-skip_encoding_btf_enum64-option-to-pahole.patch kbuild-unify-options-for-btf-generation-for-vmlinux-and-modules.patch net-mac802154-fix-a-condition-in-the-receive-path.patch net-use-u64_stats_fetch_begin_irq-for-stats-fetch.patch tty-n_gsm-add-sanity-check-for-gsm-receive-in-gsm_receive_buf.patch wifi-mac80211-don-t-finalize-csa-in-ibss-mode-if-state-is-disconnected.patch wifi-mac80211-fix-uaf-in-ieee80211_scan_rx.patch --- ...init-for-samsung-laptops-with-alc298.patch | 129 ++++++ ...fix-data-race-at-module-auto-loading.patch | 62 +++ ...x-data-race-for-max_midi_devs-access.patch | 44 ++ ...-q2-needs-glk-hdmi-port-timing-quirk.patch | 44 ++ ...ip-wm-ddb-readout-for-disabled-pipes.patch | 57 +++ .../ip-fix-triggering-of-icmp-redirect.patch | 55 +++ ...encoding_btf_enum64-option-to-pahole.patch | 45 ++ ...f-generation-for-vmlinux-and-modules.patch | 114 +++++ ...-fix-a-condition-in-the-receive-path.patch | 45 ++ ...tats_fetch_begin_irq-for-stats-fetch.patch | 398 ++++++++++++++++++ queue-5.15/series | 13 + ...k-for-gsm-receive-in-gsm_receive_buf.patch | 55 +++ ...n-ibss-mode-if-state-is-disconnected.patch | 48 +++ ...ac80211-fix-uaf-in-ieee80211_scan_rx.patch | 57 +++ 14 files changed, 1166 insertions(+) create mode 100644 queue-5.15/alsa-hda-realtek-add-speaker-amp-init-for-samsung-laptops-with-alc298.patch create mode 100644 queue-5.15/alsa-seq-fix-data-race-at-module-auto-loading.patch create mode 100644 queue-5.15/alsa-seq-oss-fix-data-race-for-max_midi_devs-access.patch create mode 100644 queue-5.15/drm-i915-glk-ecs-liva-q2-needs-glk-hdmi-port-timing-quirk.patch create mode 100644 queue-5.15/drm-i915-skip-wm-ddb-readout-for-disabled-pipes.patch create mode 100644 queue-5.15/ip-fix-triggering-of-icmp-redirect.patch create mode 100644 queue-5.15/kbuild-add-skip_encoding_btf_enum64-option-to-pahole.patch create mode 100644 queue-5.15/kbuild-unify-options-for-btf-generation-for-vmlinux-and-modules.patch create mode 100644 queue-5.15/net-mac802154-fix-a-condition-in-the-receive-path.patch create mode 100644 queue-5.15/net-use-u64_stats_fetch_begin_irq-for-stats-fetch.patch create mode 100644 queue-5.15/tty-n_gsm-add-sanity-check-for-gsm-receive-in-gsm_receive_buf.patch create mode 100644 queue-5.15/wifi-mac80211-don-t-finalize-csa-in-ibss-mode-if-state-is-disconnected.patch create mode 100644 queue-5.15/wifi-mac80211-fix-uaf-in-ieee80211_scan_rx.patch diff --git a/queue-5.15/alsa-hda-realtek-add-speaker-amp-init-for-samsung-laptops-with-alc298.patch b/queue-5.15/alsa-hda-realtek-add-speaker-amp-init-for-samsung-laptops-with-alc298.patch new file mode 100644 index 00000000000..f85155b1c5a --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-speaker-amp-init-for-samsung-laptops-with-alc298.patch @@ -0,0 +1,129 @@ +From a2d57ebec1e15f0ac256eb8397e82b07adfaaacc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= +Date: Sat, 27 Aug 2022 22:33:28 +0200 +Subject: ALSA: hda/realtek: Add speaker AMP init for Samsung laptops with ALC298 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kacper Michajłow + +commit a2d57ebec1e15f0ac256eb8397e82b07adfaaacc upstream. + +Magic initialization sequence was extracted from Windows driver and +cleaned up manually. + +Fixes internal speakers output. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=207423 +Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1851518 +Signed-off-by: Kacper Michajłow +Cc: +Link: https://lore.kernel.org/r/20220827203328.30363-1-kasper93@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 63 +++++++++++++++++++++++++++++++++++++----- + 1 file changed, 56 insertions(+), 7 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4684,6 +4684,48 @@ static void alc236_fixup_hp_mute_led_mic + alc236_fixup_hp_micmute_led_vref(codec, fix, action); + } + ++static inline void alc298_samsung_write_coef_pack(struct hda_codec *codec, ++ const unsigned short coefs[2]) ++{ ++ alc_write_coef_idx(codec, 0x23, coefs[0]); ++ alc_write_coef_idx(codec, 0x25, coefs[1]); ++ alc_write_coef_idx(codec, 0x26, 0xb011); ++} ++ ++struct alc298_samsung_amp_desc { ++ unsigned char nid; ++ unsigned short init_seq[2][2]; ++}; ++ ++static void alc298_fixup_samsung_amp(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ int i, j; ++ static const unsigned short init_seq[][2] = { ++ { 0x19, 0x00 }, { 0x20, 0xc0 }, { 0x22, 0x44 }, { 0x23, 0x08 }, ++ { 0x24, 0x85 }, { 0x25, 0x41 }, { 0x35, 0x40 }, { 0x36, 0x01 }, ++ { 0x38, 0x81 }, { 0x3a, 0x03 }, { 0x3b, 0x81 }, { 0x40, 0x3e }, ++ { 0x41, 0x07 }, { 0x400, 0x1 } ++ }; ++ static const struct alc298_samsung_amp_desc amps[] = { ++ { 0x3a, { { 0x18, 0x1 }, { 0x26, 0x0 } } }, ++ { 0x39, { { 0x18, 0x2 }, { 0x26, 0x1 } } } ++ }; ++ ++ if (action != HDA_FIXUP_ACT_INIT) ++ return; ++ ++ for (i = 0; i < ARRAY_SIZE(amps); i++) { ++ alc_write_coef_idx(codec, 0x22, amps[i].nid); ++ ++ for (j = 0; j < ARRAY_SIZE(amps[i].init_seq); j++) ++ alc298_samsung_write_coef_pack(codec, amps[i].init_seq[j]); ++ ++ for (j = 0; j < ARRAY_SIZE(init_seq); j++) ++ alc298_samsung_write_coef_pack(codec, init_seq[j]); ++ } ++} ++ + #if IS_REACHABLE(CONFIG_INPUT) + static void gpio2_mic_hotkey_event(struct hda_codec *codec, + struct hda_jack_callback *event) +@@ -6842,6 +6884,7 @@ enum { + ALC236_FIXUP_HP_GPIO_LED, + ALC236_FIXUP_HP_MUTE_LED, + ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF, ++ ALC298_FIXUP_SAMSUNG_AMP, + ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET, + ALC256_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET, + ALC295_FIXUP_ASUS_MIC_NO_PRESENCE, +@@ -8196,6 +8239,12 @@ static const struct hda_fixup alc269_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc236_fixup_hp_mute_led_micmute_vref, + }, ++ [ALC298_FIXUP_SAMSUNG_AMP] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc298_fixup_samsung_amp, ++ .chained = true, ++ .chain_id = ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET ++ }, + [ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET] = { + .type = HDA_FIXUP_VERBS, + .v.verbs = (const struct hda_verb[]) { +@@ -8985,13 +9034,13 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x10ec, 0x1254, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK), + SND_PCI_QUIRK(0x10f7, 0x8338, "Panasonic CF-SZ6", ALC269_FIXUP_HEADSET_MODE), + SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC), +- SND_PCI_QUIRK(0x144d, 0xc169, "Samsung Notebook 9 Pen (NP930SBE-K01US)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), +- SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), +- SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), +- SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), ++ SND_PCI_QUIRK(0x144d, 0xc169, "Samsung Notebook 9 Pen (NP930SBE-K01US)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc740, "Samsung Ativ book 8 (NP870Z5G)", ALC269_FIXUP_ATIV_BOOK_8), +- SND_PCI_QUIRK(0x144d, 0xc812, "Samsung Notebook Pen S (NT950SBE-X58)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), +- SND_PCI_QUIRK(0x144d, 0xc830, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), ++ SND_PCI_QUIRK(0x144d, 0xc812, "Samsung Notebook Pen S (NT950SBE-X58)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xc830, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc832, "Samsung Galaxy Book Flex Alpha (NP730QCJ)", ALC256_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), + SND_PCI_QUIRK(0x1458, 0xfa53, "Gigabyte BXBT-2807", ALC283_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x1462, 0xb120, "MSI Cubi MS-B120", ALC283_FIXUP_HEADSET_MIC), +@@ -9351,7 +9400,7 @@ static const struct hda_model_fixup alc2 + {.id = ALC299_FIXUP_PREDATOR_SPK, .name = "predator-spk"}, + {.id = ALC298_FIXUP_HUAWEI_MBX_STEREO, .name = "huawei-mbx-stereo"}, + {.id = ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE, .name = "alc256-medion-headset"}, +- {.id = ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET, .name = "alc298-samsung-headphone"}, ++ {.id = ALC298_FIXUP_SAMSUNG_AMP, .name = "alc298-samsung-amp"}, + {.id = ALC256_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET, .name = "alc256-samsung-headphone"}, + {.id = ALC255_FIXUP_XIAOMI_HEADSET_MIC, .name = "alc255-xiaomi-headset"}, + {.id = ALC274_FIXUP_HP_MIC, .name = "alc274-hp-mic-detect"}, diff --git a/queue-5.15/alsa-seq-fix-data-race-at-module-auto-loading.patch b/queue-5.15/alsa-seq-fix-data-race-at-module-auto-loading.patch new file mode 100644 index 00000000000..4c18623b81d --- /dev/null +++ b/queue-5.15/alsa-seq-fix-data-race-at-module-auto-loading.patch @@ -0,0 +1,62 @@ +From 3e7e04b747adea36f349715d9f0998eeebf15d72 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 23 Aug 2022 09:27:17 +0200 +Subject: ALSA: seq: Fix data-race at module auto-loading + +From: Takashi Iwai + +commit 3e7e04b747adea36f349715d9f0998eeebf15d72 upstream. + +It's been reported that there is a possible data-race accessing to the +global card_requested[] array at ALSA sequencer core, which is used +for determining whether to call request_module() for the card or not. +This data race itself is almost harmless, as it might end up with one +extra request_module() call for the already loaded module at most. +But it's still better to fix. + +This patch addresses the possible data race of card_requested[] and +client_requested[] arrays by replacing them with bitmask. +It's an atomic operation and can work without locks. + +Reported-by: Abhishek Shah +Cc: +Link: https://lore.kernel.org/r/CAEHB24_ay6YzARpA1zgCsE7=H9CSJJzux618E=Ka4h0YdKn=qA@mail.gmail.com +Link: https://lore.kernel.org/r/20220823072717.1706-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/seq/seq_clientmgr.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -121,13 +121,13 @@ struct snd_seq_client *snd_seq_client_us + spin_unlock_irqrestore(&clients_lock, flags); + #ifdef CONFIG_MODULES + if (!in_interrupt()) { +- static char client_requested[SNDRV_SEQ_GLOBAL_CLIENTS]; +- static char card_requested[SNDRV_CARDS]; ++ static DECLARE_BITMAP(client_requested, SNDRV_SEQ_GLOBAL_CLIENTS); ++ static DECLARE_BITMAP(card_requested, SNDRV_CARDS); ++ + if (clientid < SNDRV_SEQ_GLOBAL_CLIENTS) { + int idx; + +- if (!client_requested[clientid]) { +- client_requested[clientid] = 1; ++ if (!test_and_set_bit(clientid, client_requested)) { + for (idx = 0; idx < 15; idx++) { + if (seq_client_load[idx] < 0) + break; +@@ -142,10 +142,8 @@ struct snd_seq_client *snd_seq_client_us + int card = (clientid - SNDRV_SEQ_GLOBAL_CLIENTS) / + SNDRV_SEQ_CLIENTS_PER_CARD; + if (card < snd_ecards_limit) { +- if (! card_requested[card]) { +- card_requested[card] = 1; ++ if (!test_and_set_bit(card, card_requested)) + snd_request_card(card); +- } + snd_seq_device_load_drivers(); + } + } diff --git a/queue-5.15/alsa-seq-oss-fix-data-race-for-max_midi_devs-access.patch b/queue-5.15/alsa-seq-oss-fix-data-race-for-max_midi_devs-access.patch new file mode 100644 index 00000000000..ef4588b1a26 --- /dev/null +++ b/queue-5.15/alsa-seq-oss-fix-data-race-for-max_midi_devs-access.patch @@ -0,0 +1,44 @@ +From 22dec134dbfa825b963f8a1807ad19b943e46a56 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 23 Aug 2022 09:27:16 +0200 +Subject: ALSA: seq: oss: Fix data-race for max_midi_devs access + +From: Takashi Iwai + +commit 22dec134dbfa825b963f8a1807ad19b943e46a56 upstream. + +ALSA OSS sequencer refers to a global variable max_midi_devs at +creating a new port, storing it to its own field. Meanwhile this +variable may be changed by other sequencer events at +snd_seq_oss_midi_check_exit_port() in parallel, which may cause a data +race. + +OTOH, this data race itself is almost harmless, as the access to the +MIDI device is done via get_mdev() and it's protected with a refcount, +hence its presence is guaranteed. + +Though, it's sill better to address the data-race from the code sanity +POV, and this patch adds the proper spinlock for the protection. + +Reported-by: Abhishek Shah +Cc: +Link: https://lore.kernel.org/r/CAEHB2493pZRXs863w58QWnUTtv3HHfg85aYhLn5HJHCwxqtHQg@mail.gmail.com +Link: https://lore.kernel.org/r/20220823072717.1706-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/seq/oss/seq_oss_midi.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/core/seq/oss/seq_oss_midi.c ++++ b/sound/core/seq/oss/seq_oss_midi.c +@@ -270,7 +270,9 @@ snd_seq_oss_midi_clear_all(void) + void + snd_seq_oss_midi_setup(struct seq_oss_devinfo *dp) + { ++ spin_lock_irq(®ister_lock); + dp->max_mididev = max_midi_devs; ++ spin_unlock_irq(®ister_lock); + } + + /* diff --git a/queue-5.15/drm-i915-glk-ecs-liva-q2-needs-glk-hdmi-port-timing-quirk.patch b/queue-5.15/drm-i915-glk-ecs-liva-q2-needs-glk-hdmi-port-timing-quirk.patch new file mode 100644 index 00000000000..26eae4dd10f --- /dev/null +++ b/queue-5.15/drm-i915-glk-ecs-liva-q2-needs-glk-hdmi-port-timing-quirk.patch @@ -0,0 +1,44 @@ +From 919bef7a106ade2bda73681bbc2f3678198f44fc Mon Sep 17 00:00:00 2001 +From: Diego Santa Cruz +Date: Thu, 16 Jun 2022 15:41:37 +0300 +Subject: drm/i915/glk: ECS Liva Q2 needs GLK HDMI port timing quirk +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Diego Santa Cruz + +commit 919bef7a106ade2bda73681bbc2f3678198f44fc upstream. + +The quirk added in upstream commit 90c3e2198777 ("drm/i915/glk: Add +Quirk for GLK NUC HDMI port issues.") is also required on the ECS Liva +Q2. + +Note: Would be nicer to figure out the extra delay required for the +retimer without quirks, however don't know how to check for that. + +Cc: stable@vger.kernel.org +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/1326 +Signed-off-by: Diego Santa Cruz +Reviewed-by: Ville Syrjälä +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20220616124137.3184371-1-jani.nikula@intel.com +(cherry picked from commit 08e9505fa8f9aa00072a47b6f234d89b6b27a89c) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/i915/display/intel_quirks.c ++++ b/drivers/gpu/drm/i915/display/intel_quirks.c +@@ -190,6 +190,9 @@ static struct intel_quirk intel_quirks[] + /* ASRock ITX*/ + { 0x3185, 0x1849, 0x2212, quirk_increase_ddi_disabled_time }, + { 0x3184, 0x1849, 0x2212, quirk_increase_ddi_disabled_time }, ++ /* ECS Liva Q2 */ ++ { 0x3185, 0x1019, 0xa94d, quirk_increase_ddi_disabled_time }, ++ { 0x3184, 0x1019, 0xa94d, quirk_increase_ddi_disabled_time }, + }; + + void intel_init_quirks(struct drm_i915_private *i915) diff --git a/queue-5.15/drm-i915-skip-wm-ddb-readout-for-disabled-pipes.patch b/queue-5.15/drm-i915-skip-wm-ddb-readout-for-disabled-pipes.patch new file mode 100644 index 00000000000..35ec8a1bf2e --- /dev/null +++ b/queue-5.15/drm-i915-skip-wm-ddb-readout-for-disabled-pipes.patch @@ -0,0 +1,57 @@ +From 0211c2a0ea600e25db3044daaeff4fe41c3ed6d9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Fri, 17 Jun 2022 22:59:48 +0300 +Subject: drm/i915: Skip wm/ddb readout for disabled pipes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 0211c2a0ea600e25db3044daaeff4fe41c3ed6d9 upstream. + +The stuff programmed into the wm/ddb registers of planes +on disabled pipes doesn't matter. So during readout just +leave our software state tracking for those zeroed. + +This should avoid us trying too hard to clean up after +whatever mess the VBIOS/GOP left in there. The actual +hardware state will get cleaned up if/when we enable +the pipe anyway. + +Cc: stable@vger.kernel.org +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/5711 +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20220617195948.24007-1-ville.syrjala@linux.intel.com +Reviewed-by: Stanislav Lisovskiy +(cherry picked from commit b183db8f4783ca2efc9b47734f15aad9477a108a) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/intel_pm.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -6638,7 +6638,10 @@ void skl_wm_get_hw_state(struct drm_i915 + enum plane_id plane_id; + u8 slices; + +- skl_pipe_wm_get_hw_state(crtc, &crtc_state->wm.skl.optimal); ++ memset(&crtc_state->wm.skl.optimal, 0, ++ sizeof(crtc_state->wm.skl.optimal)); ++ if (crtc_state->hw.active) ++ skl_pipe_wm_get_hw_state(crtc, &crtc_state->wm.skl.optimal); + crtc_state->wm.skl.raw = crtc_state->wm.skl.optimal; + + memset(&dbuf_state->ddb[pipe], 0, sizeof(dbuf_state->ddb[pipe])); +@@ -6649,6 +6652,9 @@ void skl_wm_get_hw_state(struct drm_i915 + struct skl_ddb_entry *ddb_uv = + &crtc_state->wm.skl.plane_ddb_uv[plane_id]; + ++ if (!crtc_state->hw.active) ++ continue; ++ + skl_ddb_get_hw_plane_state(dev_priv, crtc->pipe, + plane_id, ddb_y, ddb_uv); + diff --git a/queue-5.15/ip-fix-triggering-of-icmp-redirect.patch b/queue-5.15/ip-fix-triggering-of-icmp-redirect.patch new file mode 100644 index 00000000000..2a125e656ef --- /dev/null +++ b/queue-5.15/ip-fix-triggering-of-icmp-redirect.patch @@ -0,0 +1,55 @@ +From eb55dc09b5dd040232d5de32812cc83001a23da6 Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel +Date: Mon, 29 Aug 2022 12:01:21 +0200 +Subject: ip: fix triggering of 'icmp redirect' + +From: Nicolas Dichtel + +commit eb55dc09b5dd040232d5de32812cc83001a23da6 upstream. + +__mkroute_input() uses fib_validate_source() to trigger an icmp redirect. +My understanding is that fib_validate_source() is used to know if the src +address and the gateway address are on the same link. For that, +fib_validate_source() returns 1 (same link) or 0 (not the same network). +__mkroute_input() is the only user of these positive values, all other +callers only look if the returned value is negative. + +Since the below patch, fib_validate_source() didn't return anymore 1 when +both addresses are on the same network, because the route lookup returns +RT_SCOPE_LINK instead of RT_SCOPE_HOST. But this is, in fact, right. +Let's adapat the test to return 1 again when both addresses are on the same +link. + +CC: stable@vger.kernel.org +Fixes: 747c14307214 ("ip: fix dflt addr selection for connected nexthop") +Reported-by: kernel test robot +Reported-by: Heng Qi +Signed-off-by: Nicolas Dichtel +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20220829100121.3821-1-nicolas.dichtel@6wind.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fib_frontend.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -389,7 +389,7 @@ static int __fib_validate_source(struct + dev_match = dev_match || (res.type == RTN_LOCAL && + dev == net->loopback_dev); + if (dev_match) { +- ret = FIB_RES_NHC(res)->nhc_scope >= RT_SCOPE_HOST; ++ ret = FIB_RES_NHC(res)->nhc_scope >= RT_SCOPE_LINK; + return ret; + } + if (no_addr) +@@ -401,7 +401,7 @@ static int __fib_validate_source(struct + ret = 0; + if (fib_lookup(net, &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE) == 0) { + if (res.type == RTN_UNICAST) +- ret = FIB_RES_NHC(res)->nhc_scope >= RT_SCOPE_HOST; ++ ret = FIB_RES_NHC(res)->nhc_scope >= RT_SCOPE_LINK; + } + return ret; + diff --git a/queue-5.15/kbuild-add-skip_encoding_btf_enum64-option-to-pahole.patch b/queue-5.15/kbuild-add-skip_encoding_btf_enum64-option-to-pahole.patch new file mode 100644 index 00000000000..b0e1e62dcfe --- /dev/null +++ b/queue-5.15/kbuild-add-skip_encoding_btf_enum64-option-to-pahole.patch @@ -0,0 +1,45 @@ +From foo@baz Tue Sep 6 02:02:46 PM CEST 2022 +From: Jiri Olsa +Date: Sun, 4 Sep 2022 15:19:01 +0200 +Subject: kbuild: Add skip_encoding_btf_enum64 option to pahole +To: stable@vger.kernel.org +Cc: bpf@vger.kernel.org, Arnaldo Carvalho de Melo , Daniel Borkmann , Martin Rodriguez Reboredo , Andrii Nakryiko +Message-ID: <20220904131901.13025-3-jolsa@kernel.org> + +From: Martin Rodriguez Reboredo + +New pahole (version 1.24) generates by default new BTF_KIND_ENUM64 BTF tag, +which is not supported by stable kernel. + +As a result the kernel with CONFIG_DEBUG_INFO_BTF option will fail to +compile with following error: + + BTFIDS vmlinux +FAILED: load BTF from vmlinux: Invalid argument + +New pahole provides --skip_encoding_btf_enum64 option to skip BTF_KIND_ENUM64 +generation and produce BTF supported by stable kernel. + +Adding this option to scripts/pahole-flags.sh. + +This change does not have equivalent commit in linus tree, because linus tree +has support for BTF_KIND_ENUM64 tag, so it does not need to be disabled. + +Signed-off-by: Martin Rodriguez Reboredo +Signed-off-by: Jiri Olsa +Signed-off-by: Greg Kroah-Hartman +--- + scripts/pahole-flags.sh | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/scripts/pahole-flags.sh ++++ b/scripts/pahole-flags.sh +@@ -17,4 +17,8 @@ if [ "${pahole_ver}" -ge "121" ]; then + extra_paholeopt="${extra_paholeopt} --btf_gen_floats" + fi + ++if [ "${pahole_ver}" -ge "124" ]; then ++ extra_paholeopt="${extra_paholeopt} --skip_encoding_btf_enum64" ++fi ++ + echo ${extra_paholeopt} diff --git a/queue-5.15/kbuild-unify-options-for-btf-generation-for-vmlinux-and-modules.patch b/queue-5.15/kbuild-unify-options-for-btf-generation-for-vmlinux-and-modules.patch new file mode 100644 index 00000000000..47f2fad23f2 --- /dev/null +++ b/queue-5.15/kbuild-unify-options-for-btf-generation-for-vmlinux-and-modules.patch @@ -0,0 +1,114 @@ +From foo@baz Tue Sep 6 02:02:46 PM CEST 2022 +From: Jiri Olsa +Date: Sun, 4 Sep 2022 15:19:00 +0200 +Subject: kbuild: Unify options for BTF generation for vmlinux and modules +To: stable@vger.kernel.org +Cc: Andrii Nakryiko , bpf@vger.kernel.org, Arnaldo Carvalho de Melo , Daniel Borkmann , Martin Rodriguez Reboredo +Message-ID: <20220904131901.13025-2-jolsa@kernel.org> + +From: Jiri Olsa + +commit e27f05147bff21408c1b8410ad8e90cd286e7952 upstream. + +Using new PAHOLE_FLAGS variable to pass extra arguments to +pahole for both vmlinux and modules BTF data generation. + +Adding new scripts/pahole-flags.sh script that detect and +prints pahole options. + +[ fixed issues found by kernel test robot ] + +Signed-off-by: Jiri Olsa +Signed-off-by: Andrii Nakryiko +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20211029125729.70002-1-jolsa@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + Makefile | 3 +++ + scripts/Makefile.modfinal | 2 +- + scripts/link-vmlinux.sh | 11 +---------- + scripts/pahole-flags.sh | 20 ++++++++++++++++++++ + 4 files changed, 25 insertions(+), 11 deletions(-) + create mode 100755 scripts/pahole-flags.sh + +--- a/Makefile ++++ b/Makefile +@@ -480,6 +480,8 @@ LZ4 = lz4c + XZ = xz + ZSTD = zstd + ++PAHOLE_FLAGS = $(shell PAHOLE=$(PAHOLE) $(srctree)/scripts/pahole-flags.sh) ++ + CHECKFLAGS := -D__linux__ -Dlinux -D__STDC__ -Dunix -D__unix__ \ + -Wbitwise -Wno-return-void -Wno-unknown-attribute $(CF) + NOSTDINC_FLAGS := +@@ -534,6 +536,7 @@ export KBUILD_CFLAGS CFLAGS_KERNEL CFLAG + export KBUILD_AFLAGS AFLAGS_KERNEL AFLAGS_MODULE + export KBUILD_AFLAGS_MODULE KBUILD_CFLAGS_MODULE KBUILD_LDFLAGS_MODULE + export KBUILD_AFLAGS_KERNEL KBUILD_CFLAGS_KERNEL ++export PAHOLE_FLAGS + + # Files to ignore in find ... statements + +--- a/scripts/Makefile.modfinal ++++ b/scripts/Makefile.modfinal +@@ -40,7 +40,7 @@ quiet_cmd_ld_ko_o = LD [M] $@ + quiet_cmd_btf_ko = BTF [M] $@ + cmd_btf_ko = \ + if [ -f vmlinux ]; then \ +- LLVM_OBJCOPY="$(OBJCOPY)" $(PAHOLE) -J --btf_base vmlinux $@; \ ++ LLVM_OBJCOPY="$(OBJCOPY)" $(PAHOLE) -J $(PAHOLE_FLAGS) --btf_base vmlinux $@; \ + else \ + printf "Skipping BTF generation for %s due to unavailability of vmlinux\n" $@ 1>&2; \ + fi; +--- a/scripts/link-vmlinux.sh ++++ b/scripts/link-vmlinux.sh +@@ -211,7 +211,6 @@ vmlinux_link() + gen_btf() + { + local pahole_ver +- local extra_paholeopt= + + if ! [ -x "$(command -v ${PAHOLE})" ]; then + echo >&2 "BTF: ${1}: pahole (${PAHOLE}) is not available" +@@ -226,16 +225,8 @@ gen_btf() + + vmlinux_link ${1} + +- if [ "${pahole_ver}" -ge "118" ] && [ "${pahole_ver}" -le "121" ]; then +- # pahole 1.18 through 1.21 can't handle zero-sized per-CPU vars +- extra_paholeopt="${extra_paholeopt} --skip_encoding_btf_vars" +- fi +- if [ "${pahole_ver}" -ge "121" ]; then +- extra_paholeopt="${extra_paholeopt} --btf_gen_floats" +- fi +- + info "BTF" ${2} +- LLVM_OBJCOPY="${OBJCOPY}" ${PAHOLE} -J ${extra_paholeopt} ${1} ++ LLVM_OBJCOPY="${OBJCOPY}" ${PAHOLE} -J ${PAHOLE_FLAGS} ${1} + + # Create ${2} which contains just .BTF section but no symbols. Add + # SHF_ALLOC because .BTF will be part of the vmlinux image. --strip-all +--- /dev/null ++++ b/scripts/pahole-flags.sh +@@ -0,0 +1,20 @@ ++#!/bin/sh ++# SPDX-License-Identifier: GPL-2.0 ++ ++extra_paholeopt= ++ ++if ! [ -x "$(command -v ${PAHOLE})" ]; then ++ exit 0 ++fi ++ ++pahole_ver=$(${PAHOLE} --version | sed -E 's/v([0-9]+)\.([0-9]+)/\1\2/') ++ ++if [ "${pahole_ver}" -ge "118" ] && [ "${pahole_ver}" -le "121" ]; then ++ # pahole 1.18 through 1.21 can't handle zero-sized per-CPU vars ++ extra_paholeopt="${extra_paholeopt} --skip_encoding_btf_vars" ++fi ++if [ "${pahole_ver}" -ge "121" ]; then ++ extra_paholeopt="${extra_paholeopt} --btf_gen_floats" ++fi ++ ++echo ${extra_paholeopt} diff --git a/queue-5.15/net-mac802154-fix-a-condition-in-the-receive-path.patch b/queue-5.15/net-mac802154-fix-a-condition-in-the-receive-path.patch new file mode 100644 index 00000000000..cf630a81e60 --- /dev/null +++ b/queue-5.15/net-mac802154-fix-a-condition-in-the-receive-path.patch @@ -0,0 +1,45 @@ +From f0da47118c7e93cdbbc6fb403dd729a5f2c90ee3 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Fri, 26 Aug 2022 16:29:54 +0200 +Subject: net: mac802154: Fix a condition in the receive path + +From: Miquel Raynal + +commit f0da47118c7e93cdbbc6fb403dd729a5f2c90ee3 upstream. + +Upon reception, a packet must be categorized, either it's destination is +the host, or it is another host. A packet with no destination addressing +fields may be valid in two situations: +- the packet has no source field: only ACKs are built like that, we + consider the host as the destination. +- the packet has a valid source field: it is directed to the PAN + coordinator, as for know we don't have this information we consider we + are not the PAN coordinator. + +There was likely a copy/paste error made during a previous cleanup +because the if clause is now containing exactly the same condition as in +the switch case, which can never be true. In the past the destination +address was used in the switch and the source address was used in the +if, which matches what the spec says. + +Cc: stable@vger.kernel.org +Fixes: ae531b9475f6 ("ieee802154: use ieee802154_addr instead of *_sa variants") +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/r/20220826142954.254853-1-miquel.raynal@bootlin.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + net/mac802154/rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac802154/rx.c ++++ b/net/mac802154/rx.c +@@ -44,7 +44,7 @@ ieee802154_subif_frame(struct ieee802154 + + switch (mac_cb(skb)->dest.mode) { + case IEEE802154_ADDR_NONE: +- if (mac_cb(skb)->dest.mode != IEEE802154_ADDR_NONE) ++ if (hdr->source.mode != IEEE802154_ADDR_NONE) + /* FIXME: check if we are PAN coordinator */ + skb->pkt_type = PACKET_OTHERHOST; + else diff --git a/queue-5.15/net-use-u64_stats_fetch_begin_irq-for-stats-fetch.patch b/queue-5.15/net-use-u64_stats_fetch_begin_irq-for-stats-fetch.patch new file mode 100644 index 00000000000..c4b9b6e3191 --- /dev/null +++ b/queue-5.15/net-use-u64_stats_fetch_begin_irq-for-stats-fetch.patch @@ -0,0 +1,398 @@ +From 278d3ba61563ceed3cb248383ced19e14ec7bc1f Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Thu, 25 Aug 2022 13:36:45 +0200 +Subject: net: Use u64_stats_fetch_begin_irq() for stats fetch. + +From: Sebastian Andrzej Siewior + +commit 278d3ba61563ceed3cb248383ced19e14ec7bc1f upstream. + +On 32bit-UP u64_stats_fetch_begin() disables only preemption. If the +reader is in preemptible context and the writer side +(u64_stats_update_begin*()) runs in an interrupt context (IRQ or +softirq) then the writer can update the stats during the read operation. +This update remains undetected. + +Use u64_stats_fetch_begin_irq() to ensure the stats fetch on 32bit-UP +are not interrupted by a writer. 32bit-SMP remains unaffected by this +change. + +Cc: "David S. Miller" +Cc: Catherine Sullivan +Cc: David Awogbemila +Cc: Dimitris Michailidis +Cc: Eric Dumazet +Cc: Hans Ulli Kroll +Cc: Jakub Kicinski +Cc: Jeroen de Borst +Cc: Johannes Berg +Cc: Linus Walleij +Cc: Paolo Abeni +Cc: Simon Horman +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-wireless@vger.kernel.org +Cc: netdev@vger.kernel.org +Cc: oss-drivers@corigine.com +Cc: stable@vger.kernel.org +Signed-off-by: Sebastian Andrzej Siewior +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cortina/gemini.c | 24 +++++++++---------- + drivers/net/ethernet/google/gve/gve_ethtool.c | 16 ++++++------ + drivers/net/ethernet/google/gve/gve_main.c | 12 ++++----- + drivers/net/ethernet/huawei/hinic/hinic_rx.c | 4 +-- + drivers/net/ethernet/huawei/hinic/hinic_tx.c | 4 +-- + drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 8 +++--- + drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 8 +++--- + drivers/net/netdevsim/netdev.c | 4 +-- + net/mac80211/sta_info.c | 8 +++--- + net/mpls/af_mpls.c | 4 +-- + 10 files changed, 46 insertions(+), 46 deletions(-) + +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -1920,7 +1920,7 @@ static void gmac_get_stats64(struct net_ + + /* Racing with RX NAPI */ + do { +- start = u64_stats_fetch_begin(&port->rx_stats_syncp); ++ start = u64_stats_fetch_begin_irq(&port->rx_stats_syncp); + + stats->rx_packets = port->stats.rx_packets; + stats->rx_bytes = port->stats.rx_bytes; +@@ -1932,11 +1932,11 @@ static void gmac_get_stats64(struct net_ + stats->rx_crc_errors = port->stats.rx_crc_errors; + stats->rx_frame_errors = port->stats.rx_frame_errors; + +- } while (u64_stats_fetch_retry(&port->rx_stats_syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&port->rx_stats_syncp, start)); + + /* Racing with MIB and TX completion interrupts */ + do { +- start = u64_stats_fetch_begin(&port->ir_stats_syncp); ++ start = u64_stats_fetch_begin_irq(&port->ir_stats_syncp); + + stats->tx_errors = port->stats.tx_errors; + stats->tx_packets = port->stats.tx_packets; +@@ -1946,15 +1946,15 @@ static void gmac_get_stats64(struct net_ + stats->rx_missed_errors = port->stats.rx_missed_errors; + stats->rx_fifo_errors = port->stats.rx_fifo_errors; + +- } while (u64_stats_fetch_retry(&port->ir_stats_syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&port->ir_stats_syncp, start)); + + /* Racing with hard_start_xmit */ + do { +- start = u64_stats_fetch_begin(&port->tx_stats_syncp); ++ start = u64_stats_fetch_begin_irq(&port->tx_stats_syncp); + + stats->tx_dropped = port->stats.tx_dropped; + +- } while (u64_stats_fetch_retry(&port->tx_stats_syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&port->tx_stats_syncp, start)); + + stats->rx_dropped += stats->rx_missed_errors; + } +@@ -2032,18 +2032,18 @@ static void gmac_get_ethtool_stats(struc + /* Racing with MIB interrupt */ + do { + p = values; +- start = u64_stats_fetch_begin(&port->ir_stats_syncp); ++ start = u64_stats_fetch_begin_irq(&port->ir_stats_syncp); + + for (i = 0; i < RX_STATS_NUM; i++) + *p++ = port->hw_stats[i]; + +- } while (u64_stats_fetch_retry(&port->ir_stats_syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&port->ir_stats_syncp, start)); + values = p; + + /* Racing with RX NAPI */ + do { + p = values; +- start = u64_stats_fetch_begin(&port->rx_stats_syncp); ++ start = u64_stats_fetch_begin_irq(&port->rx_stats_syncp); + + for (i = 0; i < RX_STATUS_NUM; i++) + *p++ = port->rx_stats[i]; +@@ -2051,13 +2051,13 @@ static void gmac_get_ethtool_stats(struc + *p++ = port->rx_csum_stats[i]; + *p++ = port->rx_napi_exits; + +- } while (u64_stats_fetch_retry(&port->rx_stats_syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&port->rx_stats_syncp, start)); + values = p; + + /* Racing with TX start_xmit */ + do { + p = values; +- start = u64_stats_fetch_begin(&port->tx_stats_syncp); ++ start = u64_stats_fetch_begin_irq(&port->tx_stats_syncp); + + for (i = 0; i < TX_MAX_FRAGS; i++) { + *values++ = port->tx_frag_stats[i]; +@@ -2066,7 +2066,7 @@ static void gmac_get_ethtool_stats(struc + *values++ = port->tx_frags_linearized; + *values++ = port->tx_hw_csummed; + +- } while (u64_stats_fetch_retry(&port->tx_stats_syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&port->tx_stats_syncp, start)); + } + + static int gmac_get_ksettings(struct net_device *netdev, +--- a/drivers/net/ethernet/google/gve/gve_ethtool.c ++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c +@@ -174,14 +174,14 @@ gve_get_ethtool_stats(struct net_device + struct gve_rx_ring *rx = &priv->rx[ring]; + + start = +- u64_stats_fetch_begin(&priv->rx[ring].statss); ++ u64_stats_fetch_begin_irq(&priv->rx[ring].statss); + tmp_rx_pkts = rx->rpackets; + tmp_rx_bytes = rx->rbytes; + tmp_rx_skb_alloc_fail = rx->rx_skb_alloc_fail; + tmp_rx_buf_alloc_fail = rx->rx_buf_alloc_fail; + tmp_rx_desc_err_dropped_pkt = + rx->rx_desc_err_dropped_pkt; +- } while (u64_stats_fetch_retry(&priv->rx[ring].statss, ++ } while (u64_stats_fetch_retry_irq(&priv->rx[ring].statss, + start)); + rx_pkts += tmp_rx_pkts; + rx_bytes += tmp_rx_bytes; +@@ -195,10 +195,10 @@ gve_get_ethtool_stats(struct net_device + if (priv->tx) { + do { + start = +- u64_stats_fetch_begin(&priv->tx[ring].statss); ++ u64_stats_fetch_begin_irq(&priv->tx[ring].statss); + tmp_tx_pkts = priv->tx[ring].pkt_done; + tmp_tx_bytes = priv->tx[ring].bytes_done; +- } while (u64_stats_fetch_retry(&priv->tx[ring].statss, ++ } while (u64_stats_fetch_retry_irq(&priv->tx[ring].statss, + start)); + tx_pkts += tmp_tx_pkts; + tx_bytes += tmp_tx_bytes; +@@ -256,13 +256,13 @@ gve_get_ethtool_stats(struct net_device + data[i++] = rx->cnt; + do { + start = +- u64_stats_fetch_begin(&priv->rx[ring].statss); ++ u64_stats_fetch_begin_irq(&priv->rx[ring].statss); + tmp_rx_bytes = rx->rbytes; + tmp_rx_skb_alloc_fail = rx->rx_skb_alloc_fail; + tmp_rx_buf_alloc_fail = rx->rx_buf_alloc_fail; + tmp_rx_desc_err_dropped_pkt = + rx->rx_desc_err_dropped_pkt; +- } while (u64_stats_fetch_retry(&priv->rx[ring].statss, ++ } while (u64_stats_fetch_retry_irq(&priv->rx[ring].statss, + start)); + data[i++] = tmp_rx_bytes; + /* rx dropped packets */ +@@ -323,9 +323,9 @@ gve_get_ethtool_stats(struct net_device + } + do { + start = +- u64_stats_fetch_begin(&priv->tx[ring].statss); ++ u64_stats_fetch_begin_irq(&priv->tx[ring].statss); + tmp_tx_bytes = tx->bytes_done; +- } while (u64_stats_fetch_retry(&priv->tx[ring].statss, ++ } while (u64_stats_fetch_retry_irq(&priv->tx[ring].statss, + start)); + data[i++] = tmp_tx_bytes; + data[i++] = tx->wake_queue; +--- a/drivers/net/ethernet/google/gve/gve_main.c ++++ b/drivers/net/ethernet/google/gve/gve_main.c +@@ -51,10 +51,10 @@ static void gve_get_stats(struct net_dev + for (ring = 0; ring < priv->rx_cfg.num_queues; ring++) { + do { + start = +- u64_stats_fetch_begin(&priv->rx[ring].statss); ++ u64_stats_fetch_begin_irq(&priv->rx[ring].statss); + packets = priv->rx[ring].rpackets; + bytes = priv->rx[ring].rbytes; +- } while (u64_stats_fetch_retry(&priv->rx[ring].statss, ++ } while (u64_stats_fetch_retry_irq(&priv->rx[ring].statss, + start)); + s->rx_packets += packets; + s->rx_bytes += bytes; +@@ -64,10 +64,10 @@ static void gve_get_stats(struct net_dev + for (ring = 0; ring < priv->tx_cfg.num_queues; ring++) { + do { + start = +- u64_stats_fetch_begin(&priv->tx[ring].statss); ++ u64_stats_fetch_begin_irq(&priv->tx[ring].statss); + packets = priv->tx[ring].pkt_done; + bytes = priv->tx[ring].bytes_done; +- } while (u64_stats_fetch_retry(&priv->tx[ring].statss, ++ } while (u64_stats_fetch_retry_irq(&priv->tx[ring].statss, + start)); + s->tx_packets += packets; + s->tx_bytes += bytes; +@@ -1260,9 +1260,9 @@ void gve_handle_report_stats(struct gve_ + } + + do { +- start = u64_stats_fetch_begin(&priv->tx[idx].statss); ++ start = u64_stats_fetch_begin_irq(&priv->tx[idx].statss); + tx_bytes = priv->tx[idx].bytes_done; +- } while (u64_stats_fetch_retry(&priv->tx[idx].statss, start)); ++ } while (u64_stats_fetch_retry_irq(&priv->tx[idx].statss, start)); + stats[stats_idx++] = (struct stats) { + .stat_name = cpu_to_be32(TX_WAKE_CNT), + .value = cpu_to_be64(priv->tx[idx].wake_queue), +--- a/drivers/net/ethernet/huawei/hinic/hinic_rx.c ++++ b/drivers/net/ethernet/huawei/hinic/hinic_rx.c +@@ -74,14 +74,14 @@ void hinic_rxq_get_stats(struct hinic_rx + unsigned int start; + + do { +- start = u64_stats_fetch_begin(&rxq_stats->syncp); ++ start = u64_stats_fetch_begin_irq(&rxq_stats->syncp); + stats->pkts = rxq_stats->pkts; + stats->bytes = rxq_stats->bytes; + stats->errors = rxq_stats->csum_errors + + rxq_stats->other_errors; + stats->csum_errors = rxq_stats->csum_errors; + stats->other_errors = rxq_stats->other_errors; +- } while (u64_stats_fetch_retry(&rxq_stats->syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&rxq_stats->syncp, start)); + } + + /** +--- a/drivers/net/ethernet/huawei/hinic/hinic_tx.c ++++ b/drivers/net/ethernet/huawei/hinic/hinic_tx.c +@@ -98,14 +98,14 @@ void hinic_txq_get_stats(struct hinic_tx + unsigned int start; + + do { +- start = u64_stats_fetch_begin(&txq_stats->syncp); ++ start = u64_stats_fetch_begin_irq(&txq_stats->syncp); + stats->pkts = txq_stats->pkts; + stats->bytes = txq_stats->bytes; + stats->tx_busy = txq_stats->tx_busy; + stats->tx_wake = txq_stats->tx_wake; + stats->tx_dropped = txq_stats->tx_dropped; + stats->big_frags_pkts = txq_stats->big_frags_pkts; +- } while (u64_stats_fetch_retry(&txq_stats->syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&txq_stats->syncp, start)); + } + + /** +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c +@@ -3482,21 +3482,21 @@ static void nfp_net_stat64(struct net_de + unsigned int start; + + do { +- start = u64_stats_fetch_begin(&r_vec->rx_sync); ++ start = u64_stats_fetch_begin_irq(&r_vec->rx_sync); + data[0] = r_vec->rx_pkts; + data[1] = r_vec->rx_bytes; + data[2] = r_vec->rx_drops; +- } while (u64_stats_fetch_retry(&r_vec->rx_sync, start)); ++ } while (u64_stats_fetch_retry_irq(&r_vec->rx_sync, start)); + stats->rx_packets += data[0]; + stats->rx_bytes += data[1]; + stats->rx_dropped += data[2]; + + do { +- start = u64_stats_fetch_begin(&r_vec->tx_sync); ++ start = u64_stats_fetch_begin_irq(&r_vec->tx_sync); + data[0] = r_vec->tx_pkts; + data[1] = r_vec->tx_bytes; + data[2] = r_vec->tx_errors; +- } while (u64_stats_fetch_retry(&r_vec->tx_sync, start)); ++ } while (u64_stats_fetch_retry_irq(&r_vec->tx_sync, start)); + stats->tx_packets += data[0]; + stats->tx_bytes += data[1]; + stats->tx_errors += data[2]; +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c +@@ -483,7 +483,7 @@ static u64 *nfp_vnic_get_sw_stats(struct + unsigned int start; + + do { +- start = u64_stats_fetch_begin(&nn->r_vecs[i].rx_sync); ++ start = u64_stats_fetch_begin_irq(&nn->r_vecs[i].rx_sync); + data[0] = nn->r_vecs[i].rx_pkts; + tmp[0] = nn->r_vecs[i].hw_csum_rx_ok; + tmp[1] = nn->r_vecs[i].hw_csum_rx_inner_ok; +@@ -491,10 +491,10 @@ static u64 *nfp_vnic_get_sw_stats(struct + tmp[3] = nn->r_vecs[i].hw_csum_rx_error; + tmp[4] = nn->r_vecs[i].rx_replace_buf_alloc_fail; + tmp[5] = nn->r_vecs[i].hw_tls_rx; +- } while (u64_stats_fetch_retry(&nn->r_vecs[i].rx_sync, start)); ++ } while (u64_stats_fetch_retry_irq(&nn->r_vecs[i].rx_sync, start)); + + do { +- start = u64_stats_fetch_begin(&nn->r_vecs[i].tx_sync); ++ start = u64_stats_fetch_begin_irq(&nn->r_vecs[i].tx_sync); + data[1] = nn->r_vecs[i].tx_pkts; + data[2] = nn->r_vecs[i].tx_busy; + tmp[6] = nn->r_vecs[i].hw_csum_tx; +@@ -504,7 +504,7 @@ static u64 *nfp_vnic_get_sw_stats(struct + tmp[10] = nn->r_vecs[i].hw_tls_tx; + tmp[11] = nn->r_vecs[i].tls_tx_fallback; + tmp[12] = nn->r_vecs[i].tls_tx_no_fallback; +- } while (u64_stats_fetch_retry(&nn->r_vecs[i].tx_sync, start)); ++ } while (u64_stats_fetch_retry_irq(&nn->r_vecs[i].tx_sync, start)); + + data += NN_RVEC_PER_Q_STATS; + +--- a/drivers/net/netdevsim/netdev.c ++++ b/drivers/net/netdevsim/netdev.c +@@ -67,10 +67,10 @@ nsim_get_stats64(struct net_device *dev, + unsigned int start; + + do { +- start = u64_stats_fetch_begin(&ns->syncp); ++ start = u64_stats_fetch_begin_irq(&ns->syncp); + stats->tx_bytes = ns->tx_bytes; + stats->tx_packets = ns->tx_packets; +- } while (u64_stats_fetch_retry(&ns->syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&ns->syncp, start)); + } + + static int +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -2206,9 +2206,9 @@ static inline u64 sta_get_tidstats_msdu( + u64 value; + + do { +- start = u64_stats_fetch_begin(&rxstats->syncp); ++ start = u64_stats_fetch_begin_irq(&rxstats->syncp); + value = rxstats->msdu[tid]; +- } while (u64_stats_fetch_retry(&rxstats->syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&rxstats->syncp, start)); + + return value; + } +@@ -2272,9 +2272,9 @@ static inline u64 sta_get_stats_bytes(st + u64 value; + + do { +- start = u64_stats_fetch_begin(&rxstats->syncp); ++ start = u64_stats_fetch_begin_irq(&rxstats->syncp); + value = rxstats->bytes; +- } while (u64_stats_fetch_retry(&rxstats->syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&rxstats->syncp, start)); + + return value; + } +--- a/net/mpls/af_mpls.c ++++ b/net/mpls/af_mpls.c +@@ -1079,9 +1079,9 @@ static void mpls_get_stats(struct mpls_d + + p = per_cpu_ptr(mdev->stats, i); + do { +- start = u64_stats_fetch_begin(&p->syncp); ++ start = u64_stats_fetch_begin_irq(&p->syncp); + local = p->stats; +- } while (u64_stats_fetch_retry(&p->syncp, start)); ++ } while (u64_stats_fetch_retry_irq(&p->syncp, start)); + + stats->rx_packets += local.rx_packets; + stats->rx_bytes += local.rx_bytes; diff --git a/queue-5.15/series b/queue-5.15/series index 4e45b1cea53..425131dfdb5 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -87,3 +87,16 @@ usb-xhci-mtk-relax-tt-periodic-bandwidth-allocation.patch usb-xhci-mtk-fix-bandwidth-release-issue.patch usb-gadget-mass_storage-fix-cdrom-data-transfers-on-mac-os.patch driver-core-don-t-probe-devices-after-bus_type.match-probe-deferral.patch +wifi-mac80211-don-t-finalize-csa-in-ibss-mode-if-state-is-disconnected.patch +wifi-mac80211-fix-uaf-in-ieee80211_scan_rx.patch +ip-fix-triggering-of-icmp-redirect.patch +net-use-u64_stats_fetch_begin_irq-for-stats-fetch.patch +net-mac802154-fix-a-condition-in-the-receive-path.patch +alsa-hda-realtek-add-speaker-amp-init-for-samsung-laptops-with-alc298.patch +alsa-seq-oss-fix-data-race-for-max_midi_devs-access.patch +alsa-seq-fix-data-race-at-module-auto-loading.patch +drm-i915-glk-ecs-liva-q2-needs-glk-hdmi-port-timing-quirk.patch +drm-i915-skip-wm-ddb-readout-for-disabled-pipes.patch +tty-n_gsm-add-sanity-check-for-gsm-receive-in-gsm_receive_buf.patch +kbuild-unify-options-for-btf-generation-for-vmlinux-and-modules.patch +kbuild-add-skip_encoding_btf_enum64-option-to-pahole.patch diff --git a/queue-5.15/tty-n_gsm-add-sanity-check-for-gsm-receive-in-gsm_receive_buf.patch b/queue-5.15/tty-n_gsm-add-sanity-check-for-gsm-receive-in-gsm_receive_buf.patch new file mode 100644 index 00000000000..d73a8b36394 --- /dev/null +++ b/queue-5.15/tty-n_gsm-add-sanity-check-for-gsm-receive-in-gsm_receive_buf.patch @@ -0,0 +1,55 @@ +From f16c6d2e58a4c2b972efcf9eb12390ee0ba3befb Mon Sep 17 00:00:00 2001 +From: Mazin Al Haddad +Date: Sun, 14 Aug 2022 04:52:12 +0300 +Subject: tty: n_gsm: add sanity check for gsm->receive in gsm_receive_buf() + +From: Mazin Al Haddad + +commit f16c6d2e58a4c2b972efcf9eb12390ee0ba3befb upstream. + +A null pointer dereference can happen when attempting to access the +"gsm->receive()" function in gsmld_receive_buf(). Currently, the code +assumes that gsm->recieve is only called after MUX activation. +Since the gsmld_receive_buf() function can be accessed without the need to +initialize the MUX, the gsm->receive() function will not be set and a +NULL pointer dereference will occur. + +Fix this by avoiding the call to "gsm->receive()" in case the function is +not initialized by adding a sanity check. + +Call Trace: + + gsmld_receive_buf+0x1c2/0x2f0 drivers/tty/n_gsm.c:2861 + tiocsti drivers/tty/tty_io.c:2293 [inline] + tty_ioctl+0xa75/0x15d0 drivers/tty/tty_io.c:2692 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Link: https://syzkaller.appspot.com/bug?id=bdf035c61447f8c6e0e6920315d577cb5cc35ac5 +Fixes: 01aecd917114 ("tty: n_gsm: fix tty registration before control channel open") +Cc: stable +Reported-and-tested-by: syzbot+e3563f0c94e188366dbb@syzkaller.appspotmail.com +Signed-off-by: Mazin Al Haddad +Link: https://lore.kernel.org/r/20220814015211.84180-1-mazinalhaddad05@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/n_gsm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -2753,7 +2753,8 @@ static void gsmld_receive_buf(struct tty + flags = *fp++; + switch (flags) { + case TTY_NORMAL: +- gsm->receive(gsm, *cp); ++ if (gsm->receive) ++ gsm->receive(gsm, *cp); + break; + case TTY_OVERRUN: + case TTY_BREAK: diff --git a/queue-5.15/wifi-mac80211-don-t-finalize-csa-in-ibss-mode-if-state-is-disconnected.patch b/queue-5.15/wifi-mac80211-don-t-finalize-csa-in-ibss-mode-if-state-is-disconnected.patch new file mode 100644 index 00000000000..90d3c383bc0 --- /dev/null +++ b/queue-5.15/wifi-mac80211-don-t-finalize-csa-in-ibss-mode-if-state-is-disconnected.patch @@ -0,0 +1,48 @@ +From 15bc8966b6d3a5b9bfe4c9facfa02f2b69b1e5f0 Mon Sep 17 00:00:00 2001 +From: Siddh Raman Pant +Date: Sun, 14 Aug 2022 20:45:12 +0530 +Subject: wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected + +From: Siddh Raman Pant + +commit 15bc8966b6d3a5b9bfe4c9facfa02f2b69b1e5f0 upstream. + +When we are not connected to a channel, sending channel "switch" +announcement doesn't make any sense. + +The BSS list is empty in that case. This causes the for loop in +cfg80211_get_bss() to be bypassed, so the function returns NULL +(check line 1424 of net/wireless/scan.c), causing the WARN_ON() +in ieee80211_ibss_csa_beacon() to get triggered (check line 500 +of net/mac80211/ibss.c), which was consequently reported on the +syzkaller dashboard. + +Thus, check if we have an existing connection before generating +the CSA beacon in ieee80211_ibss_finish_csa(). + +Cc: stable@vger.kernel.org +Fixes: cd7760e62c2a ("mac80211: add support for CSA in IBSS mode") +Link: https://syzkaller.appspot.com/bug?id=05603ef4ae8926761b678d2939a3b2ad28ab9ca6 +Reported-by: syzbot+b6c9fe29aefe68e4ad34@syzkaller.appspotmail.com +Signed-off-by: Siddh Raman Pant +Tested-by: syzbot+b6c9fe29aefe68e4ad34@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20220814151512.9985-1-code@siddh.me +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/ibss.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mac80211/ibss.c ++++ b/net/mac80211/ibss.c +@@ -534,6 +534,10 @@ int ieee80211_ibss_finish_csa(struct iee + + sdata_assert_lock(sdata); + ++ /* When not connected/joined, sending CSA doesn't make sense. */ ++ if (ifibss->state != IEEE80211_IBSS_MLME_JOINED) ++ return -ENOLINK; ++ + /* update cfg80211 bss information with the new channel */ + if (!is_zero_ether_addr(ifibss->bssid)) { + cbss = cfg80211_get_bss(sdata->local->hw.wiphy, diff --git a/queue-5.15/wifi-mac80211-fix-uaf-in-ieee80211_scan_rx.patch b/queue-5.15/wifi-mac80211-fix-uaf-in-ieee80211_scan_rx.patch new file mode 100644 index 00000000000..b7ab2e59b1f --- /dev/null +++ b/queue-5.15/wifi-mac80211-fix-uaf-in-ieee80211_scan_rx.patch @@ -0,0 +1,57 @@ +From 60deb9f10eec5c6a20252ed36238b55d8b614a2c Mon Sep 17 00:00:00 2001 +From: Siddh Raman Pant +Date: Sat, 20 Aug 2022 01:33:40 +0530 +Subject: wifi: mac80211: Fix UAF in ieee80211_scan_rx() + +From: Siddh Raman Pant + +commit 60deb9f10eec5c6a20252ed36238b55d8b614a2c upstream. + +ieee80211_scan_rx() tries to access scan_req->flags after a +null check, but a UAF is observed when the scan is completed +and __ieee80211_scan_completed() executes, which then calls +cfg80211_scan_done() leading to the freeing of scan_req. + +Since scan_req is rcu_dereference()'d, prevent the racing in +__ieee80211_scan_completed() by ensuring that from mac80211's +POV it is no longer accessed from an RCU read critical section +before we call cfg80211_scan_done(). + +Cc: stable@vger.kernel.org +Link: https://syzkaller.appspot.com/bug?extid=f9acff9bf08a845f225d +Reported-by: syzbot+f9acff9bf08a845f225d@syzkaller.appspotmail.com +Suggested-by: Johannes Berg +Signed-off-by: Siddh Raman Pant +Link: https://lore.kernel.org/r/20220819200340.34826-1-code@siddh.me +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/scan.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/mac80211/scan.c ++++ b/net/mac80211/scan.c +@@ -461,16 +461,19 @@ static void __ieee80211_scan_completed(s + scan_req = rcu_dereference_protected(local->scan_req, + lockdep_is_held(&local->mtx)); + +- if (scan_req != local->int_scan_req) { +- local->scan_info.aborted = aborted; +- cfg80211_scan_done(scan_req, &local->scan_info); +- } + RCU_INIT_POINTER(local->scan_req, NULL); + RCU_INIT_POINTER(local->scan_sdata, NULL); + + local->scanning = 0; + local->scan_chandef.chan = NULL; + ++ synchronize_rcu(); ++ ++ if (scan_req != local->int_scan_req) { ++ local->scan_info.aborted = aborted; ++ cfg80211_scan_done(scan_req, &local->scan_info); ++ } ++ + /* Set power back to normal operating levels. */ + ieee80211_hw_config(local, 0); + -- 2.47.3