From c5bf66cc7ad14aa5b3d8765d01d7a7ee3abdb735 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 2 Mar 2024 08:51:33 -0500 Subject: [PATCH] Fixes for 6.1 
Signed-off-by: Sasha Levin --- ...ask-hung-while-purging-oob_skb-in-gc.patch | 108 +++++++++ ...rm-dts-imx-adjust-dma-apbh-node-name.patch | 108 +++++++++ ...s-imx7s-drop-dma-apb-interrupt-names.patch | 36 +++ ...-fix-gcc-7-constant-overflow-warning.patch | 75 +++++++ ...remove-bridges-which-are-created-by-.patch | 63 ++++++ ...ix-unbind-path-if-hdmi-fails-to-bind.patch | 96 ++++++++ ...s3-add-length-check-in-indx_get_root.patch | 133 +++++++++++ ...ossible-null-pointer-dereference-in-.patch | 49 +++++ ...x-null-dereference-in-ni_write_inode.patch | 43 ++++ ...l-pointer-dereference-in-ni_write_in.patch | 109 +++++++++ ...-constants-for-gip-interface-numbers.patch | 47 ++++ ...mmu-qcom-limit-the-smr-groups-to-128.patch | 67 ++++++ ...3-acknowledge-pri-event-queue-overfl.patch | 90 ++++++++ ...ease-dma-buffer-to-avoid-memory-leak.patch | 71 ++++++ ...m_acl_tcam-add-missing-mutex_destroy.patch | 51 +++++ ...acl_tcam-make-fini-symmetric-to-init.patch | 41 ++++ ...mptcp-fix-duplicate-subflow-creation.patch | 102 +++++++++ ...-kernel-pm-use-mixed-ipv4-and-ipv6-a.patch | 175 +++++++++++++++ ...a-order-to-ethernet-devices-in-confi.patch | 48 ++++ ...der-struct-fragment-fields-kerneldoc.patch | 38 ++++ ...dd-the-endpoint-linkup-notifier-supp.patch | 170 +++++++++++++++ ...dd-workaround-for-lost-link-capabili.patch | 89 ++++++++ ...-fix-multiple-warray-bounds-warnings.patch | 187 ++++++++++++++++ ...ruct-for-args-to-execution-functions.patch | 206 ++++++++++++++++++ ...age-uas-access-media-prior-to-queryi.patch | 156 +++++++++++++ queue-6.1/series | 26 +++ ...rly-configure-the-device-for-remote-.patch | 196 +++++++++++++++++ 27 files changed, 2580 insertions(+) create mode 100644 queue-6.1/af_unix-fix-task-hung-while-purging-oob_skb-in-gc.patch create mode 100644 queue-6.1/arm-dts-imx-adjust-dma-apbh-node-name.patch create mode 100644 queue-6.1/arm-dts-imx7s-drop-dma-apb-interrupt-names.patch create mode 100644 queue-6.1/clk-tegra20-fix-gcc-7-constant-overflow-warning.patch 
create mode 100644 queue-6.1/drm-meson-don-t-remove-bridges-which-are-created-by-.patch create mode 100644 queue-6.1/drm-meson-fix-unbind-path-if-hdmi-fails-to-bind.patch create mode 100644 queue-6.1/fs-ntfs3-add-length-check-in-indx_get_root.patch create mode 100644 queue-6.1/fs-ntfs3-fix-a-possible-null-pointer-dereference-in-.patch create mode 100644 queue-6.1/fs-ntfs3-fix-null-dereference-in-ni_write_inode.patch create mode 100644 queue-6.1/fs-ntfs3-fix-null-pointer-dereference-in-ni_write_in.patch create mode 100644 queue-6.1/input-xpad-add-constants-for-gip-interface-numbers.patch create mode 100644 queue-6.1/iommu-arm-smmu-qcom-limit-the-smr-groups-to-128.patch create mode 100644 queue-6.1/iommu-arm-smmu-v3-acknowledge-pri-event-queue-overfl.patch create mode 100644 queue-6.1/iommu-sprd-release-dma-buffer-to-avoid-memory-leak.patch create mode 100644 queue-6.1/mlxsw-spectrum_acl_tcam-add-missing-mutex_destroy.patch create mode 100644 queue-6.1/mlxsw-spectrum_acl_tcam-make-fini-symmetric-to-init.patch create mode 100644 queue-6.1/mptcp-fix-duplicate-subflow-creation.patch create mode 100644 queue-6.1/mptcp-let-the-in-kernel-pm-use-mixed-ipv4-and-ipv6-a.patch create mode 100644 queue-6.1/net-restore-alpha-order-to-ethernet-devices-in-confi.patch create mode 100644 queue-6.1/of-overlay-reorder-struct-fragment-fields-kerneldoc.patch create mode 100644 queue-6.1/pci-layerscape-add-the-endpoint-linkup-notifier-supp.patch create mode 100644 queue-6.1/pci-layerscape-add-workaround-for-lost-link-capabili.patch create mode 100644 queue-6.1/rdma-core-fix-multiple-warray-bounds-warnings.patch create mode 100644 queue-6.1/scsi-core-add-struct-for-args-to-execution-functions.patch create mode 100644 queue-6.1/scsi-sd-usb_storage-uas-access-media-prior-to-queryi.patch create mode 100644 queue-6.1/series create mode 100644 queue-6.1/usb-gadget-properly-configure-the-device-for-remote-.patch 
diff --git a/queue-6.1/af_unix-fix-task-hung-while-purging-oob_skb-in-gc.patch b/queue-6.1/af_unix-fix-task-hung-while-purging-oob_skb-in-gc.patch new file mode 100644 index 00000000000..c99b1553545 --- /dev/null +++ b/queue-6.1/af_unix-fix-task-hung-while-purging-oob_skb-in-gc.patch 
@@ -0,0 +1,108 @@ +From d41886e1d65588cc669a92da39e84fafbc52a849 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Feb 2024 14:04:53 -0800 +Subject: af_unix: Fix task hung while purging oob_skb in GC. + +From: Kuniyuki Iwashima + +[ Upstream commit 25236c91b5ab4a26a56ba2e79b8060cf4e047839 ] + +syzbot reported a task hung; at the same time, GC was looping infinitely +in list_for_each_entry_safe() for OOB skb. [0] + +syzbot demonstrated that the list_for_each_entry_safe() was not actually +safe in this case. + +A single skb could have references for multiple sockets. If we free such +a skb in the list_for_each_entry_safe(), the current and next sockets could +be unlinked in a single iteration. + +unix_notinflight() uses list_del_init() to unlink the socket, so the +prefetched next socket forms a loop itself and list_for_each_entry_safe() +never stops. + +Here, we must use while() and make sure we always fetch the first socket. + +[0]: +Sending NMI from CPU 0 to CPUs 1: +NMI backtrace for cpu 1 +CPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 +RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline] +RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline] +RIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207 +Code: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 <65> 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74 +RSP: 0018:ffffc900033efa58 EFLAGS: 00000283 +RAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189 +RDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70 +RBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c +R10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800 +R13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001 +FS: 0000000000000000(0000) 
GS:ffff8880b9500000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + + + unix_gc+0x563/0x13b0 net/unix/garbage.c:319 + unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683 + unix_release+0x91/0xf0 net/unix/af_unix.c:1064 + __sock_release+0xb0/0x270 net/socket.c:659 + sock_close+0x1c/0x30 net/socket.c:1421 + __fput+0x270/0xb80 fs/file_table.c:376 + task_work_run+0x14f/0x250 kernel/task_work.c:180 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0xa8a/0x2ad0 kernel/exit.c:871 + do_group_exit+0xd4/0x2a0 kernel/exit.c:1020 + __do_sys_exit_group kernel/exit.c:1031 [inline] + __se_sys_exit_group kernel/exit.c:1029 [inline] + __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x6f/0x77 +RIP: 0033:0x7f9d6cbdac09 +Code: Unable to access opcode bytes at 0x7f9d6cbdabdf. 
+RSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09 +RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 +RBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006 +R10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0 +R13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70 + + +Reported-by: syzbot+4fa4a2d1f5a5ee06f006@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=4fa4a2d1f5a5ee06f006 +Fixes: 1279f9d9dec2 ("af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20240209220453.96053-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/garbage.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/unix/garbage.c b/net/unix/garbage.c +index 767b338a7a2d4..9e1bab97c05ba 100644 +--- a/net/unix/garbage.c ++++ b/net/unix/garbage.c +@@ -315,10 +315,11 @@ void unix_gc(void) + __skb_queue_purge(&hitlist); + + #if IS_ENABLED(CONFIG_AF_UNIX_OOB) +- list_for_each_entry_safe(u, next, &gc_candidates, link) { +- struct sk_buff *skb = u->oob_skb; ++ while (!list_empty(&gc_candidates)) { ++ u = list_entry(gc_candidates.next, struct unix_sock, link); ++ if (u->oob_skb) { ++ struct sk_buff *skb = u->oob_skb; + +- if (skb) { + u->oob_skb = NULL; + kfree_skb(skb); + } +-- +2.43.0 + diff --git a/queue-6.1/arm-dts-imx-adjust-dma-apbh-node-name.patch b/queue-6.1/arm-dts-imx-adjust-dma-apbh-node-name.patch new file mode 100644 index 00000000000..343516de020 --- /dev/null +++ b/queue-6.1/arm-dts-imx-adjust-dma-apbh-node-name.patch 
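Review bot: The new `while (!list_empty(&gc_candidates))` loop in unix_gc() only makes progress when `kfree_skb(skb)` ends up unlinking the head socket from `gc_candidates`. If a candidate ever reaches this point with `u->oob_skb == NULL`, nothing visible in the hunk removes it, so the same head entry would be re-read forever, which is the hang this commit is fixing. The commit message implies every socket still on the list holds an OOB skb, but the code neither states nor enforces that. I would document it above the loop, e.g. `/* each socket left on gc_candidates is pinned by its oob_skb; freeing the skb unlinks it */`, and consider a warn-and-break when `u->oob_skb` is NULL. The loop body closes outside the hunk.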
@@ -0,0 +1,108 @@
+From 4cec56b62381722cdde279ed0461e31806f4ca3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 Apr 2023 11:19:46 +0200
+Subject: ARM: dts: imx: Adjust dma-apbh node name
+
+From: Stefan Wahren
+
+[ Upstream commit e9f5cd85f1f931bb7b64031492f7051187ccaac7 ]
+
+Currently the dtbs_check generates warnings like this:
+
+$nodename:0: 'dma-apbh@110000' does not match '^dma-controller(@.*)?$'
+
+So fix all affected dma-apbh node names.
+
+Signed-off-by: Stefan Wahren
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx23.dtsi | 2 +-
+ arch/arm/boot/dts/imx28.dtsi | 2 +-
+ arch/arm/boot/dts/imx6qdl.dtsi | 2 +-
+ arch/arm/boot/dts/imx6sx.dtsi | 2 +-
+ arch/arm/boot/dts/imx6ul.dtsi | 2 +-
+ arch/arm/boot/dts/imx7s.dtsi | 2 +-
+ 6 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx23.dtsi b/arch/arm/boot/dts/imx23.dtsi
+index ec476b1596496..b236d23f80715 100644
+--- a/arch/arm/boot/dts/imx23.dtsi
++++ b/arch/arm/boot/dts/imx23.dtsi
+@@ -59,7 +59,7 @@ icoll: interrupt-controller@80000000 {
+ reg = <0x80000000 0x2000>;
+ };
+
+- dma_apbh: dma-apbh@80004000 {
++ dma_apbh: dma-controller@80004000 {
+ compatible = "fsl,imx23-dma-apbh";
+ reg = <0x80004000 0x2000>;
+ interrupts = <0 14 20 0
+diff --git a/arch/arm/boot/dts/imx28.dtsi b/arch/arm/boot/dts/imx28.dtsi
+index b15df16ecb01a..b81592a613112 100644
+--- a/arch/arm/boot/dts/imx28.dtsi
++++ b/arch/arm/boot/dts/imx28.dtsi
+@@ -78,7 +78,7 @@ hsadc: hsadc@80002000 {
+ status = "disabled";
+ };
+
+- dma_apbh: dma-apbh@80004000 {
++ dma_apbh: dma-controller@80004000 {
+ compatible = "fsl,imx28-dma-apbh";
+ reg = <0x80004000 0x2000>;
+ interrupts = <82 83 84 85
+diff --git a/arch/arm/boot/dts/imx6qdl.dtsi b/arch/arm/boot/dts/imx6qdl.dtsi
+index ff1e0173b39be..2c6eada01d792 100644
+--- a/arch/arm/boot/dts/imx6qdl.dtsi
++++ b/arch/arm/boot/dts/imx6qdl.dtsi
+@@ -150,7 +150,7 @@ soc: soc {
+ interrupt-parent = <&gpc>;
+ ranges;
+
+- dma_apbh: dma-apbh@110000 {
++ dma_apbh: dma-controller@110000 {
+ compatible = "fsl,imx6q-dma-apbh", "fsl,imx28-dma-apbh";
+ reg = <0x00110000 0x2000>;
+ interrupts = <0 13 IRQ_TYPE_LEVEL_HIGH>,
+diff --git a/arch/arm/boot/dts/imx6sx.dtsi b/arch/arm/boot/dts/imx6sx.dtsi
+index 1f1053a898fbf..67d344ae76b51 100644
+--- a/arch/arm/boot/dts/imx6sx.dtsi
++++ b/arch/arm/boot/dts/imx6sx.dtsi
+@@ -209,7 +209,7 @@ gpu: gpu@1800000 {
+ power-domains = <&pd_pu>;
+ };
+
+- dma_apbh: dma-apbh@1804000 {
++ dma_apbh: dma-controller@1804000 {
+ compatible = "fsl,imx6sx-dma-apbh", "fsl,imx28-dma-apbh";
+ reg = <0x01804000 0x2000>;
+ interrupts = ,
+diff --git a/arch/arm/boot/dts/imx6ul.dtsi b/arch/arm/boot/dts/imx6ul.dtsi
+index 2b5996395701a..aac081b6daaac 100644
+--- a/arch/arm/boot/dts/imx6ul.dtsi
++++ b/arch/arm/boot/dts/imx6ul.dtsi
+@@ -164,7 +164,7 @@ intc: interrupt-controller@a01000 {
+ <0x00a06000 0x2000>;
+ };
+
+- dma_apbh: dma-apbh@1804000 {
++ dma_apbh: dma-controller@1804000 {
+ compatible = "fsl,imx6q-dma-apbh", "fsl,imx28-dma-apbh";
+ reg = <0x01804000 0x2000>;
+ interrupts = <0 13 IRQ_TYPE_LEVEL_HIGH>,
+diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi
+index 4b23630fc738d..2940dacaa56fc 100644
+--- a/arch/arm/boot/dts/imx7s.dtsi
++++ b/arch/arm/boot/dts/imx7s.dtsi
+@@ -1267,7 +1267,7 @@ fec1: ethernet@30be0000 {
+ };
+ };
+
+- dma_apbh: dma-apbh@33000000 {
++ dma_apbh: dma-controller@33000000 {
+ compatible = "fsl,imx7d-dma-apbh", "fsl,imx28-dma-apbh";
+ reg = <0x33000000 0x2000>;
+ interrupts = ,
+--
+2.43.0
+
diff --git a/queue-6.1/arm-dts-imx7s-drop-dma-apb-interrupt-names.patch b/queue-6.1/arm-dts-imx7s-drop-dma-apb-interrupt-names.patch
new file mode 100644
index 00000000000..3961ee3b175
--- /dev/null
+++ b/queue-6.1/arm-dts-imx7s-drop-dma-apb-interrupt-names.patch
@@ -0,0 +1,36 @@
+From 9a00a38a2bef39fb0c5917fda698100e25b50f56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 17 Dec 2022 02:08:53 +0100
+Subject: ARM: dts: imx7s: Drop dma-apb interrupt-names
+
+From: Marek Vasut
+
+[ Upstream commit 9928f0a9e7c0cee3360ca1442b4001d34ad67556 ]
+
+Drop "interrupt-names" property, since it is broken. The drivers/dma/mxs-dma.c
+in Linux kernel does not use it, the property contains duplicate array entries
+in existing DTs, and even malformed entries (gmpi, should have been gpmi). Get
+rid of that optional property altogether.
+
+Signed-off-by: Marek Vasut
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx7s.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi
+index 2940dacaa56fc..69aebc691526f 100644
+--- a/arch/arm/boot/dts/imx7s.dtsi
++++ b/arch/arm/boot/dts/imx7s.dtsi
+@@ -1274,7 +1274,6 @@ dma_apbh: dma-controller@33000000 {
+ ,
+ ,
+ ;
+- interrupt-names = "gpmi0", "gpmi1", "gpmi2", "gpmi3";
+ #dma-cells = <1>;
+ dma-channels = <4>;
+ clocks = <&clks IMX7D_NAND_USDHC_BUS_RAWNAND_CLK>;
+--
+2.43.0
+
diff --git a/queue-6.1/clk-tegra20-fix-gcc-7-constant-overflow-warning.patch b/queue-6.1/clk-tegra20-fix-gcc-7-constant-overflow-warning.patch
new file mode 100644
index 00000000000..a7b658af1bd
--- /dev/null
+++ b/queue-6.1/clk-tegra20-fix-gcc-7-constant-overflow-warning.patch
@@ -0,0 +1,75 @@
+From d36713c8efc0cb605b54bd6516006f43e303e52e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Feb 2023 09:59:10 +0100
+Subject: clk: tegra20: fix gcc-7 constant overflow warning
+
+From: Arnd Bergmann
+
+[ Upstream commit b4a2adbf3586efa12fe78b9dec047423e01f3010 ]
+
+Older gcc versions get confused by comparing a u32 value to a negative
+constant in a switch()/case block:
+
+drivers/clk/tegra/clk-tegra20.c: In function 'tegra20_clk_measure_input_freq':
+drivers/clk/tegra/clk-tegra20.c:581:2: error: case label does not reduce to an integer constant
+ case OSC_CTRL_OSC_FREQ_12MHZ:
+ ^~~~
+drivers/clk/tegra/clk-tegra20.c:593:2: error: case label does not reduce to an integer constant
+ case OSC_CTRL_OSC_FREQ_26MHZ:
+
+Make the constants unsigned instead.
+
+Signed-off-by: Arnd Bergmann
+Link: https://lore.kernel.org/r/20230227085914.2560984-1-arnd@kernel.org
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/tegra/clk-tegra20.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/clk/tegra/clk-tegra20.c b/drivers/clk/tegra/clk-tegra20.c
+index 422d782475532..dcacc5064d339 100644
+--- a/drivers/clk/tegra/clk-tegra20.c
++++ b/drivers/clk/tegra/clk-tegra20.c
+@@ -21,24 +21,24 @@
+ #define MISC_CLK_ENB 0x48
+
+ #define OSC_CTRL 0x50
+-#define OSC_CTRL_OSC_FREQ_MASK (3<<30)
+-#define OSC_CTRL_OSC_FREQ_13MHZ (0<<30)
+-#define OSC_CTRL_OSC_FREQ_19_2MHZ (1<<30)
+-#define OSC_CTRL_OSC_FREQ_12MHZ (2<<30)
+-#define OSC_CTRL_OSC_FREQ_26MHZ (3<<30)
+-#define OSC_CTRL_MASK (0x3f2 | OSC_CTRL_OSC_FREQ_MASK)
+-
+-#define OSC_CTRL_PLL_REF_DIV_MASK (3<<28)
+-#define OSC_CTRL_PLL_REF_DIV_1 (0<<28)
+-#define OSC_CTRL_PLL_REF_DIV_2 (1<<28)
+-#define OSC_CTRL_PLL_REF_DIV_4 (2<<28)
++#define OSC_CTRL_OSC_FREQ_MASK (3u<<30)
++#define OSC_CTRL_OSC_FREQ_13MHZ (0u<<30)
++#define OSC_CTRL_OSC_FREQ_19_2MHZ (1u<<30)
++#define OSC_CTRL_OSC_FREQ_12MHZ (2u<<30)
++#define OSC_CTRL_OSC_FREQ_26MHZ (3u<<30)
++#define OSC_CTRL_MASK (0x3f2u | OSC_CTRL_OSC_FREQ_MASK)
++
++#define OSC_CTRL_PLL_REF_DIV_MASK (3u<<28)
++#define OSC_CTRL_PLL_REF_DIV_1 (0u<<28)
++#define OSC_CTRL_PLL_REF_DIV_2 (1u<<28)
++#define OSC_CTRL_PLL_REF_DIV_4 (2u<<28)
+
+ #define OSC_FREQ_DET 0x58
+-#define OSC_FREQ_DET_TRIG (1<<31)
++#define OSC_FREQ_DET_TRIG (1u<<31)
+
+ #define OSC_FREQ_DET_STATUS 0x5c
+-#define OSC_FREQ_DET_BUSY (1<<31)
+-#define OSC_FREQ_DET_CNT_MASK 0xFFFF
++#define OSC_FREQ_DET_BUSYu (1<<31)
++#define OSC_FREQ_DET_CNT_MASK 0xFFFFu
+
+ #define TEGRA20_CLK_PERIPH_BANKS 3
+
+--
+2.43.0
+
diff --git a/queue-6.1/drm-meson-don-t-remove-bridges-which-are-created-by-.patch b/queue-6.1/drm-meson-don-t-remove-bridges-which-are-created-by-.patch
new file mode 100644
index 00000000000..928e4e84789
--- /dev/null
+++ b/queue-6.1/drm-meson-don-t-remove-bridges-which-are-created-by-.patch
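Review bot: In the last group of defines the `u` suffix landed on the macro name instead of the constant: `#define OSC_FREQ_DET_BUSYu (1<<31)` renames OSC_FREQ_DET_BUSY and leaves `1<<31` as a signed shift into the sign bit, the very pattern this patch converts everywhere else. Presumably nothing in the file references OSC_FREQ_DET_BUSY, since a user would no longer compile, which is why the slip goes unnoticed. The line should read `#define OSC_FREQ_DET_BUSY (1u<<31)`, matching `OSC_FREQ_DET_TRIG (1u<<31)` a few lines above.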
@@ -0,0 +1,63 @@
+From 8570bba2179af0db25e4e55e97d9cc2dd15fa6f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Feb 2024 23:04:42 +0100
+Subject: drm/meson: Don't remove bridges which are created by other drivers
+
+From: Martin Blumenstingl
+
+[ Upstream commit bd915ae73a2d78559b376ad2caf5e4ef51de2455 ]
+
+Stop calling drm_bridge_remove() for bridges allocated/managed by other
+drivers in the remove paths of meson_encoder_{cvbs,dsi,hdmi}.
+drm_bridge_remove() unregisters the bridge so it cannot be used
+anymore. Doing so for bridges we don't own can lead to the video
+pipeline not being able to come up after -EPROBE_DEFER of the VPU
+because we're unregistering a bridge that's managed by another driver.
+The other driver doesn't know that we have unregistered it's bridge
+and on subsequent .probe() we're not able to find those bridges anymore
+(since nobody re-creates them).
+
+This fixes probe errors on Meson8b boards with the CVBS outputs enabled.
+
+Fixes: 09847723c12f ("drm/meson: remove drm bridges at aggregate driver unbind time")
+Fixes: 42dcf15f901c ("drm/meson: add DSI encoder")
+Cc:
+Reported-by: Steve Morvai
+Signed-off-by: Martin Blumenstingl
+Reviewed-by: Neil Armstrong
+Tested-by: Steve Morvai
+Link: https://lore.kernel.org/r/20240215220442.1343152-1-martin.blumenstingl@googlemail.com
+Reviewed-by: Neil Armstrong
+Signed-off-by: Neil Armstrong
+Link: https://patchwork.freedesktop.org/patch/msgid/20240215220442.1343152-1-martin.blumenstingl@googlemail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/meson/meson_encoder_cvbs.c | 1 -
+ drivers/gpu/drm/meson/meson_encoder_hdmi.c | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_encoder_cvbs.c b/drivers/gpu/drm/meson/meson_encoder_cvbs.c
+index 3f73b211fa8e3..3407450435e20 100644
+--- a/drivers/gpu/drm/meson/meson_encoder_cvbs.c
++++ b/drivers/gpu/drm/meson/meson_encoder_cvbs.c
+@@ -294,6 +294,5 @@ void meson_encoder_cvbs_remove(struct meson_drm *priv)
+ if (priv->encoders[MESON_ENC_CVBS]) {
+ meson_encoder_cvbs = priv->encoders[MESON_ENC_CVBS];
+ drm_bridge_remove(&meson_encoder_cvbs->bridge);
+- drm_bridge_remove(meson_encoder_cvbs->next_bridge);
+ }
+ }
+diff --git a/drivers/gpu/drm/meson/meson_encoder_hdmi.c b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
+index b14e6e507c61b..03062e7a02b64 100644
+--- a/drivers/gpu/drm/meson/meson_encoder_hdmi.c
++++ b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
+@@ -472,6 +472,5 @@ void meson_encoder_hdmi_remove(struct meson_drm *priv)
+ if (priv->encoders[MESON_ENC_HDMI]) {
+ meson_encoder_hdmi = priv->encoders[MESON_ENC_HDMI];
+ drm_bridge_remove(&meson_encoder_hdmi->bridge);
+- drm_bridge_remove(meson_encoder_hdmi->next_bridge);
+ }
+ }
+--
+2.43.0
+
diff --git a/queue-6.1/drm-meson-fix-unbind-path-if-hdmi-fails-to-bind.patch b/queue-6.1/drm-meson-fix-unbind-path-if-hdmi-fails-to-bind.patch
new file mode 100644
index 00000000000..b3322b5f892
--- /dev/null
+++ b/queue-6.1/drm-meson-fix-unbind-path-if-hdmi-fails-to-bind.patch
@@ -0,0 +1,96 @@
+From 3b5e3c1e7104ebd124f37def40b8e6c592afc258 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 May 2023 09:38:09 +0200
+Subject: drm/meson: fix unbind path if HDMI fails to bind
+
+From: Neil Armstrong
+
+[ Upstream commit 6a044642988b5f8285f3173b8e88784bef2bc306 ]
+
+If the case the HDMI controller fails to bind, we try to unbind
+all components before calling drm_dev_put() which makes drm_bridge_detach()
+crash because unbinding the HDMI controller frees the bridge memory.
+
+The solution is the unbind all components at the end like in the remove
+path.
+
+Reviewed-by: Nicolas Belin
+Tested-by: Nicolas Belin
+Signed-off-by: Neil Armstrong
+Link: https://patchwork.freedesktop.org/patch/msgid/20230512-amlogic-v6-4-upstream-dsi-ccf-vim3-v5-8-56eb7a4d5b8e@linaro.org
+Stable-dep-of: bd915ae73a2d ("drm/meson: Don't remove bridges which are created by other drivers")
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/meson/meson_drv.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c
+index 119544d88b586..fbac39aa38cc4 100644
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -316,32 +316,34 @@ static int meson_drv_bind_master(struct device *dev, bool has_components)
+ goto exit_afbcd;
+
+ if (has_components) {
+- ret = component_bind_all(drm->dev, drm);
++ ret = component_bind_all(dev, drm);
+ if (ret) {
+ dev_err(drm->dev, "Couldn't bind all components\n");
++ /* Do not try to unbind */
++ has_components = false;
+ goto exit_afbcd;
+ }
+ }
+
+ ret = meson_encoder_hdmi_init(priv);
+ if (ret)
+- goto unbind_all;
++ goto exit_afbcd;
+
+ ret = meson_plane_create(priv);
+ if (ret)
+- goto unbind_all;
++ goto exit_afbcd;
+
+ ret = meson_overlay_create(priv);
+ if (ret)
+- goto unbind_all;
++ goto exit_afbcd;
+
+ ret = meson_crtc_create(priv);
+ if (ret)
+- goto unbind_all;
++ goto exit_afbcd;
+
+ ret = request_irq(priv->vsync_irq, meson_irq, 0, drm->driver->name, drm);
+ if (ret)
+- goto unbind_all;
++ goto exit_afbcd;
+
+ drm_mode_config_reset(drm);
+
+@@ -359,15 +361,18 @@ static int meson_drv_bind_master(struct device *dev, bool has_components)
+
+ uninstall_irq:
+ free_irq(priv->vsync_irq, drm);
+-unbind_all:
+- if (has_components)
+- component_unbind_all(drm->dev, drm);
+ exit_afbcd:
+ if (priv->afbcd.ops)
+ priv->afbcd.ops->exit(priv);
+ free_drm:
+ drm_dev_put(drm);
+
++ meson_encoder_hdmi_remove(priv);
++ meson_encoder_cvbs_remove(priv);
++
++ if (has_components)
++ component_unbind_all(dev, drm);
++
+ return ret;
+ }
+
+--
+2.43.0
+
diff --git a/queue-6.1/fs-ntfs3-add-length-check-in-indx_get_root.patch b/queue-6.1/fs-ntfs3-add-length-check-in-indx_get_root.patch
new file mode 100644
index 00000000000..c141bdb9a8d
--- /dev/null
+++ b/queue-6.1/fs-ntfs3-add-length-check-in-indx_get_root.patch
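Review bot: Under `free_drm:` the new cleanup still hands `drm` to `component_unbind_all(dev, drm)` after `drm_dev_put(drm)`, so if that put drops the last reference the unbind callbacks receive a stale pointer; whether they dereference it is not visible here. The two `meson_encoder_*_remove(priv)` calls also now run on every jump to `free_drm`, including any from before this hunk, and both helpers read `priv->encoders[...]`, so `priv` has to be valid on all of those paths. I would state the assumption in a comment above the block, e.g. `/* priv outlives drm_dev_put(); unbind callbacks must not touch the drm pointer */`, or confirm it and reorder the calls if it does not hold. meson_drv_bind_master() starts outside the hunk and its middle section between the two inner hunks is not shown.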
@@ -0,0 +1,133 @@ +From 2ea9b26948d4d70c1ebfa1f54657b5ba66c2eddb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Oct 2022 23:15:06 +0800 +Subject: fs/ntfs3: Add length check in indx_get_root + +From: Edward Lo + +[ Upstream commit 08e8cf5f2d9ec383a2e339a2711b62a54ff3fba0 ] + +This adds a length check to guarantee the retrieved index root is legit. + +[ 162.459513] BUG: KASAN: use-after-free in hdr_find_e.isra.0+0x10c/0x320 +[ 162.460176] Read of size 2 at addr ffff8880037bca99 by task mount/243 +[ 162.460851] +[ 162.461252] CPU: 0 PID: 243 Comm: mount Not tainted 6.0.0-rc7 #42 +[ 162.461744] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 162.462609] Call Trace: +[ 162.462954] +[ 162.463276] dump_stack_lvl+0x49/0x63 +[ 162.463822] print_report.cold+0xf5/0x689 +[ 162.464608] ? unwind_get_return_address+0x3a/0x60 +[ 162.465766] ? hdr_find_e.isra.0+0x10c/0x320 +[ 162.466975] kasan_report+0xa7/0x130 +[ 162.467506] ? _raw_spin_lock_irq+0xc0/0xf0 +[ 162.467998] ? hdr_find_e.isra.0+0x10c/0x320 +[ 162.468536] __asan_load2+0x68/0x90 +[ 162.468923] hdr_find_e.isra.0+0x10c/0x320 +[ 162.469282] ? cmp_uints+0xe0/0xe0 +[ 162.469557] ? cmp_sdh+0x90/0x90 +[ 162.469864] ? ni_find_attr+0x214/0x300 +[ 162.470217] ? ni_load_mi+0x80/0x80 +[ 162.470479] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 162.470931] ? ntfs_bread_run+0x190/0x190 +[ 162.471307] ? indx_get_root+0xe4/0x190 +[ 162.471556] ? indx_get_root+0x140/0x190 +[ 162.471833] ? indx_init+0x1e0/0x1e0 +[ 162.472069] ? fnd_clear+0x115/0x140 +[ 162.472363] ? _raw_spin_lock_irqsave+0x100/0x100 +[ 162.472731] indx_find+0x184/0x470 +[ 162.473461] ? sysvec_apic_timer_interrupt+0x57/0xc0 +[ 162.474429] ? indx_find_buffer+0x2d0/0x2d0 +[ 162.474704] ? do_syscall_64+0x3b/0x90 +[ 162.474962] dir_search_u+0x196/0x2f0 +[ 162.475381] ? ntfs_nls_to_utf16+0x450/0x450 +[ 162.475661] ? ntfs_security_init+0x3d6/0x440 +[ 162.475906] ? 
is_sd_valid+0x180/0x180 +[ 162.476191] ntfs_extend_init+0x13f/0x2c0 +[ 162.476496] ? ntfs_fix_post_read+0x130/0x130 +[ 162.476861] ? iput.part.0+0x286/0x320 +[ 162.477325] ntfs_fill_super+0x11e0/0x1b50 +[ 162.477709] ? put_ntfs+0x1d0/0x1d0 +[ 162.477970] ? vsprintf+0x20/0x20 +[ 162.478258] ? set_blocksize+0x95/0x150 +[ 162.478538] get_tree_bdev+0x232/0x370 +[ 162.478789] ? put_ntfs+0x1d0/0x1d0 +[ 162.479038] ntfs_fs_get_tree+0x15/0x20 +[ 162.479374] vfs_get_tree+0x4c/0x130 +[ 162.479729] path_mount+0x654/0xfe0 +[ 162.480124] ? putname+0x80/0xa0 +[ 162.480484] ? finish_automount+0x2e0/0x2e0 +[ 162.480894] ? putname+0x80/0xa0 +[ 162.481467] ? kmem_cache_free+0x1c4/0x440 +[ 162.482280] ? putname+0x80/0xa0 +[ 162.482714] do_mount+0xd6/0xf0 +[ 162.483264] ? path_mount+0xfe0/0xfe0 +[ 162.484782] ? __kasan_check_write+0x14/0x20 +[ 162.485593] __x64_sys_mount+0xca/0x110 +[ 162.486024] do_syscall_64+0x3b/0x90 +[ 162.486543] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 162.487141] RIP: 0033:0x7f9d374e948a +[ 162.488324] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 +[ 162.489728] RSP: 002b:00007ffe30e73d18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 162.490971] RAX: ffffffffffffffda RBX: 0000561cdb43a060 RCX: 00007f9d374e948a +[ 162.491669] RDX: 0000561cdb43a260 RSI: 0000561cdb43a2e0 RDI: 0000561cdb442af0 +[ 162.492050] RBP: 0000000000000000 R08: 0000561cdb43a280 R09: 0000000000000020 +[ 162.492459] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000561cdb442af0 +[ 162.493183] R13: 0000561cdb43a260 R14: 0000000000000000 R15: 00000000ffffffff +[ 162.493644] +[ 162.493908] +[ 162.494214] The buggy address belongs to the physical page: +[ 162.494761] page:000000003e38a3d5 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37bc +[ 162.496064] flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff) +[ 162.497278] raw: 000fffffc0000000 ffffea00000df1c8 ffffea00000df008 
0000000000000000 +[ 162.498928] raw: 0000000000000000 0000000000240000 00000000ffffffff 0000000000000000 +[ 162.500542] page dumped because: kasan: bad access detected +[ 162.501057] +[ 162.501242] Memory state around the buggy address: +[ 162.502230] ffff8880037bc980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.502977] ffff8880037bca00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.503522] >ffff8880037bca80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.503963] ^ +[ 162.504370] ffff8880037bcb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 162.504766] ffff8880037bcb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/index.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c +index 7371f7855e4c4..eee01db6e0cc5 100644 +--- a/fs/ntfs3/index.c ++++ b/fs/ntfs3/index.c +@@ -998,6 +998,7 @@ struct INDEX_ROOT *indx_get_root(struct ntfs_index *indx, struct ntfs_inode *ni, + struct ATTR_LIST_ENTRY *le = NULL; + struct ATTRIB *a; + const struct INDEX_NAMES *in = &s_index_names[indx->type]; ++ struct INDEX_ROOT *root = NULL; + + a = ni_find_attr(ni, NULL, &le, ATTR_ROOT, in->name, in->name_len, NULL, + mi); +@@ -1007,7 +1008,15 @@ struct INDEX_ROOT *indx_get_root(struct ntfs_index *indx, struct ntfs_inode *ni, + if (attr) + *attr = a; + +- return resident_data_ex(a, sizeof(struct INDEX_ROOT)); ++ root = resident_data_ex(a, sizeof(struct INDEX_ROOT)); ++ ++ /* length check */ ++ if (root && offsetof(struct INDEX_ROOT, ihdr) + le32_to_cpu(root->ihdr.used) > ++ le32_to_cpu(a->res.data_size)) { ++ return NULL; ++ } ++ ++ return root; + } + + static int indx_write(struct ntfs_index *indx, struct ntfs_inode *ni, +-- +2.43.0 + 
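Review bot: The added bound in indx_get_root(), `offsetof(struct INDEX_ROOT, ihdr) + le32_to_cpu(root->ihdr.used) > le32_to_cpu(a->res.data_size)`, adds an on-disk 32-bit value before comparing, so on builds where `size_t` is 32 bits a `used` near 0xffffffff wraps and passes the check. Comparing against the remaining space avoids the addition: `le32_to_cpu(root->ihdr.used) > le32_to_cpu(a->res.data_size) - offsetof(struct INDEX_ROOT, ihdr)`, which is safe provided resident_data_ex() has already guaranteed `data_size >= sizeof(struct INDEX_ROOT)` (its body is not visible here, so confirm). Only `used` is bounded; whether other `ihdr` fields read by callers need the same treatment cannot be told from this hunk. The `/* length check */` comment could name what is bounded, e.g. `/* ihdr.used comes from disk and must fit inside the resident attribute */`. The function starts outside the hunk.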
diff --git a/queue-6.1/fs-ntfs3-fix-a-possible-null-pointer-dereference-in-.patch b/queue-6.1/fs-ntfs3-fix-a-possible-null-pointer-dereference-in-.patch
new file mode 100644
index 00000000000..b47f129c805
--- /dev/null
+++ b/queue-6.1/fs-ntfs3-fix-a-possible-null-pointer-dereference-in-.patch
@@ -0,0 +1,49 @@
+From f8f15d8d060ea5d23f22b377ab438cdeb846ed04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Jan 2023 16:59:43 +0800
+Subject: fs/ntfs3: Fix a possible null-pointer dereference in ni_clear()
+
+From: Jia-Ju Bai
+
+[ Upstream commit ec275bf9693d19cc0fdce8436f4c425ced86f6e7 ]
+
+In a previous commit c1006bd13146, ni->mi.mrec in ni_write_inode()
+could be NULL, and thus a NULL check is added for this variable.
+
+However, in the same call stack, ni->mi.mrec can be also dereferenced
+in ni_clear():
+
+ntfs_evict_inode(inode)
+ ni_write_inode(inode, ...)
+ ni = ntfs_i(inode);
+ is_rec_inuse(ni->mi.mrec) -> Add a NULL check by previous commit
+ ni_clear(ntfs_i(inode))
+ is_rec_inuse(ni->mi.mrec) -> No check
+
+Thus, a possible null-pointer dereference may exist in ni_clear().
+To fix it, a NULL check is added in this function.
+
+Signed-off-by: Jia-Ju Bai
+Reported-by: TOTE Robot
+Signed-off-by: Konstantin Komarov
+Signed-off-by: Sasha Levin
+---
+ fs/ntfs3/frecord.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
+index bb7e33c240737..1f0e230ec9e2c 100644
+--- a/fs/ntfs3/frecord.c
++++ b/fs/ntfs3/frecord.c
+@@ -102,7 +102,7 @@ void ni_clear(struct ntfs_inode *ni)
+ {
+ struct rb_node *node;
+
+- if (!ni->vfs_inode.i_nlink && is_rec_inuse(ni->mi.mrec))
++ if (!ni->vfs_inode.i_nlink && ni->mi.mrec && is_rec_inuse(ni->mi.mrec))
+ ni_delete_all(ni);
+
+ al_destroy(ni);
+--
+2.43.0
+
diff --git a/queue-6.1/fs-ntfs3-fix-null-dereference-in-ni_write_inode.patch b/queue-6.1/fs-ntfs3-fix-null-dereference-in-ni_write_inode.patch
new file mode 100644
index 00000000000..b41b53d0573
--- /dev/null
+++ b/queue-6.1/fs-ntfs3-fix-null-dereference-in-ni_write_inode.patch
@@ -0,0 +1,43 @@
+From 63d7078b2a30d58c5fd46c6290de2eb73314d423 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 30 Oct 2022 12:32:51 +0530
+Subject: fs/ntfs3: Fix NULL dereference in ni_write_inode
+
+From: Abdun Nihaal
+
+[ Upstream commit 8dae4f6341e335a09575be60b4fdf697c732a470 ]
+
+Syzbot reports a NULL dereference in ni_write_inode.
+When creating a new inode, if allocation fails in mi_init function
+(called in mi_format_new function), mi->mrec is set to NULL.
+In the error path of this inode creation, mi->mrec is later
+dereferenced in ni_write_inode.
+
+Add a NULL check to prevent NULL dereference.
+
+Link: https://syzkaller.appspot.com/bug?extid=f45957555ed4a808cc7a
+Reported-and-tested-by: syzbot+f45957555ed4a808cc7a@syzkaller.appspotmail.com
+Signed-off-by: Abdun Nihaal
+Signed-off-by: Konstantin Komarov
+Signed-off-by: Sasha Levin
+---
+ fs/ntfs3/frecord.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
+index 1f0e230ec9e2c..d260260900241 100644
+--- a/fs/ntfs3/frecord.c
++++ b/fs/ntfs3/frecord.c
+@@ -3255,6 +3255,9 @@ int ni_write_inode(struct inode *inode, int sync, const char *hint)
+ return 0;
+ }
+
++ if (!ni->mi.mrec)
++ goto out;
++
+ if (is_rec_inuse(ni->mi.mrec) &&
+ !(sbi->flags & NTFS_FLAGS_LOG_REPLAYING) && inode->i_nlink) {
+ bool modified = false;
+--
+2.43.0
+
diff --git a/queue-6.1/fs-ntfs3-fix-null-pointer-dereference-in-ni_write_in.patch b/queue-6.1/fs-ntfs3-fix-null-pointer-dereference-in-ni_write_in.patch
new file mode 100644
index 00000000000..ede819a6ad6
--- /dev/null
+++ b/queue-6.1/fs-ntfs3-fix-null-pointer-dereference-in-ni_write_in.patch
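Review bot: The new `if (!ni->mi.mrec) goto out;` in ni_write_inode() skips the write-back without any trace, and both the `out:` label and the value returned from it are outside the hunk, so it cannot be told here whether the caller sees success or an error. The commit message says `mrec` is NULL only when mi_init() failed during inode creation; a comment would keep the branch from reading as a normal state, e.g. `/* mrec is NULL if mi_init() failed while creating the inode; nothing to write */`. If `out:` does return 0 on this path, it is worth deciding whether a half-constructed inode reaching write-back should be logged.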
@@ -0,0 +1,109 @@ +From 90423707156da032e551b29f264967cc543c9569 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 17:19:12 +0800 +Subject: fs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode' + +From: Ye Bin + +[ Upstream commit db2a3cc6a3481076da6344cc62a80a4e2525f36f ] + +Syzbot found the following issue: +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000016 +Mem abort info: + ESR = 0x0000000096000006 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x06: level 2 translation fault +Data abort info: + ISV = 0, ISS = 0x00000006 + CM = 0, WnR = 0 +user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af56000 +[0000000000000016] pgd=08000001090da003, p4d=08000001090da003, pud=08000001090ce003, pmd=0000000000000000 +Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP +Modules linked in: +CPU: 1 PID: 3036 Comm: syz-executor206 Not tainted 6.0.0-rc6-syzkaller-17739-g16c9f284e746 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 +pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : is_rec_inuse fs/ntfs3/ntfs.h:313 [inline] +pc : ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232 +lr : ni_write_inode+0xa0/0x798 fs/ntfs3/frecord.c:3226 +sp : ffff8000126c3800 +x29: ffff8000126c3860 x28: 0000000000000000 x27: ffff0000c8b02000 +x26: ffff0000c7502320 x25: ffff0000c7502288 x24: 0000000000000000 +x23: ffff80000cbec91c x22: ffff0000c8b03000 x21: ffff0000c8b02000 +x20: 0000000000000001 x19: ffff0000c75024d8 x18: 00000000000000c0 +x17: ffff80000dd1b198 x16: ffff80000db59158 x15: ffff0000c4b6b500 +x14: 00000000000000b8 x13: 0000000000000000 x12: ffff0000c4b6b500 +x11: ff80800008be1b60 x10: 0000000000000000 x9 : ffff0000c4b6b500 +x8 : 0000000000000000 x7 : ffff800008be1b50 x6 : 0000000000000000 +x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 +x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000 
+Call trace: + is_rec_inuse fs/ntfs3/ntfs.h:313 [inline] + ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232 + ntfs_evict_inode+0x54/0x84 fs/ntfs3/inode.c:1744 + evict+0xec/0x334 fs/inode.c:665 + iput_final fs/inode.c:1748 [inline] + iput+0x2c4/0x324 fs/inode.c:1774 + ntfs_new_inode+0x7c/0xe0 fs/ntfs3/fsntfs.c:1660 + ntfs_create_inode+0x20c/0xe78 fs/ntfs3/inode.c:1278 + ntfs_create+0x54/0x74 fs/ntfs3/namei.c:100 + lookup_open fs/namei.c:3413 [inline] + open_last_lookups fs/namei.c:3481 [inline] + path_openat+0x804/0x11c4 fs/namei.c:3688 + do_filp_open+0xdc/0x1b8 fs/namei.c:3718 + do_sys_openat2+0xb8/0x22c fs/open.c:1311 + do_sys_open fs/open.c:1327 [inline] + __do_sys_openat fs/open.c:1343 [inline] + __se_sys_openat fs/open.c:1338 [inline] + __arm64_sys_openat+0xb0/0xe0 fs/open.c:1338 + __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] + invoke_syscall arch/arm64/kernel/syscall.c:52 [inline] + el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142 + do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206 + el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636 + el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654 + el0t_64_sync+0x18c/0x190 +Code: 97dafee4 340001b4 f9401328 2a1f03e0 (79402d14) +---[ end trace 0000000000000000 ]--- + +Above issue may happens as follows: +ntfs_new_inode + mi_init + mi->mrec = kmalloc(sbi->record_size, GFP_NOFS); -->failed to allocate memory + if (!mi->mrec) + return -ENOMEM; +iput + iput_final + evict + ntfs_evict_inode + ni_write_inode + is_rec_inuse(ni->mi.mrec)-> As 'ni->mi.mrec' is NULL trigger NULL-ptr-deref + +To solve above issue if new inode failed make inode bad before call 'iput()' in +'ntfs_new_inode()'. 
+ +Reported-by: syzbot+f45957555ed4a808cc7a@syzkaller.appspotmail.com +Signed-off-by: Ye Bin +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/fsntfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ntfs3/fsntfs.c b/fs/ntfs3/fsntfs.c +index 1eac80d55b554..4c2d079b3d49b 100644 +--- a/fs/ntfs3/fsntfs.c ++++ b/fs/ntfs3/fsntfs.c +@@ -1674,6 +1674,7 @@ struct ntfs_inode *ntfs_new_inode(struct ntfs_sb_info *sbi, CLST rno, bool dir) + + out: + if (err) { ++ make_bad_inode(inode); + iput(inode); + ni = ERR_PTR(err); + } +-- +2.43.0 + diff --git a/queue-6.1/input-xpad-add-constants-for-gip-interface-numbers.patch b/queue-6.1/input-xpad-add-constants-for-gip-interface-numbers.patch new file mode 100644 index 00000000000..877c8995845 --- /dev/null +++ b/queue-6.1/input-xpad-add-constants-for-gip-interface-numbers.patch 
@@ -0,0 +1,47 @@ +From a440716c71c895bf58862eda211a423a6abdd233 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 23:57:42 -0700 +Subject: Input: xpad - add constants for GIP interface numbers + +From: Vicki Pfau + +[ Upstream commit f9b2e603c6216824e34dc9a67205d98ccc9a41ca ] + +Wired GIP devices present multiple interfaces with the same USB identification +other than the interface number. This adds constants for differentiating two of +them and uses them where appropriate + +Signed-off-by: Vicki Pfau +Link: https://lore.kernel.org/r/20230411031650.960322-2-vi@endrift.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/joystick/xpad.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c +index 02f3bc4e4895e..13c36f51b9353 100644 +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -564,6 +564,9 @@ struct xboxone_init_packet { + #define GIP_MOTOR_LT BIT(3) + #define GIP_MOTOR_ALL (GIP_MOTOR_R | GIP_MOTOR_L | GIP_MOTOR_RT | GIP_MOTOR_LT) + ++#define GIP_WIRED_INTF_DATA 0 ++#define GIP_WIRED_INTF_AUDIO 1 ++ + /* + * This packet is required for all Xbox One pads with 2015 + * or later firmware installed (or present from the factory). +@@ -2008,7 +2011,7 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id + } + + if (xpad->xtype == XTYPE_XBOXONE && +- intf->cur_altsetting->desc.bInterfaceNumber != 0) { ++ intf->cur_altsetting->desc.bInterfaceNumber != GIP_WIRED_INTF_DATA) { + /* + * The Xbox One controller lists three interfaces all with the + * same interface class, subclass and protocol. Differentiate by +-- +2.43.0 + diff --git a/queue-6.1/iommu-arm-smmu-qcom-limit-the-smr-groups-to-128.patch b/queue-6.1/iommu-arm-smmu-qcom-limit-the-smr-groups-to-128.patch new file mode 100644 index 00000000000..0b5581e119f --- /dev/null 
+++ b/queue-6.1/iommu-arm-smmu-qcom-limit-the-smr-groups-to-128.patch 
@@ -0,0 +1,67 @@ +From fcc184e92c49f8faacce09999edc6f666cf57e4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Mar 2023 13:30:29 +0530 +Subject: iommu/arm-smmu-qcom: Limit the SMR groups to 128 + +From: Manivannan Sadhasivam + +[ Upstream commit 12261134732689b7e30c59db9978f81230965181 ] + +Some platforms support more than 128 stream matching groups than what is +defined by the ARM SMMU architecture specification. But due to some unknown +reasons, those additional groups don't exhibit the same behavior as the +architecture supported ones. + +For instance, the additional groups will not detect the quirky behavior of +some firmware versions intercepting writes to S2CR register, thus skipping +the quirk implemented in the driver and causing boot crash. + +So let's limit the groups to 128 for now until the issue with those groups +are fixed and issue a notice to users in that case. + +Reviewed-by: Johan Hovold +Tested-by: Johan Hovold +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20230327080029.11584-1-manivannan.sadhasivam@linaro.org +[will: Reworded the comment slightly] +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +index d80065c8105af..f15dcb9e4175c 100644 +--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +@@ -267,12 +267,26 @@ static int qcom_smmu_init_context(struct arm_smmu_domain *smmu_domain, + + static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu) + { +- unsigned int last_s2cr = ARM_SMMU_GR0_S2CR(smmu->num_mapping_groups - 1); + struct qcom_smmu *qsmmu = to_qcom_smmu(smmu); ++ unsigned int last_s2cr; + u32 reg; + u32 smr; + int i; + ++ /* ++ * Some platforms support more than the Arm SMMU architected maximum of ++ * 128 stream 
matching groups. For unknown reasons, the additional ++ * groups don't exhibit the same behavior as the architected registers, ++ * so limit the groups to 128 until the behavior is fixed for the other ++ * groups. ++ */ ++ if (smmu->num_mapping_groups > 128) { ++ dev_notice(smmu->dev, "\tLimiting the stream matching groups to 128\n"); ++ smmu->num_mapping_groups = 128; ++ } ++ ++ last_s2cr = ARM_SMMU_GR0_S2CR(smmu->num_mapping_groups - 1); ++ + /* + * With some firmware versions writes to S2CR of type FAULT are + * ignored, and writing BYPASS will end up written as FAULT in the +-- +2.43.0 + diff --git a/queue-6.1/iommu-arm-smmu-v3-acknowledge-pri-event-queue-overfl.patch b/queue-6.1/iommu-arm-smmu-v3-acknowledge-pri-event-queue-overfl.patch new file mode 100644 index 00000000000..833a781f528 --- /dev/null +++ b/queue-6.1/iommu-arm-smmu-v3-acknowledge-pri-event-queue-overfl.patch 
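Review bot: The cap of 128 is written out three times in the block added to qcom_smmu_cfg_probe() (the comparison, the assignment and the notice text), so a later change to the limit can leave them out of step. A named constant would keep them together, for example `#define QCOM_SMMU_MAX_SMR_GROUPS 128` (the name is only a suggestion) used as `if (smmu->num_mapping_groups > QCOM_SMMU_MAX_SMR_GROUPS)` and printed with `%d` in the dev_notice() string. The function body continues outside the hunk.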
@@ -0,0 +1,90 @@ +From 6b7fa0b87d14d425d000378fd76d5a5073d23727 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Mar 2023 12:34:19 +0000 +Subject: iommu/arm-smmu-v3: Acknowledge pri/event queue overflow if any + +From: Tomas Krcka + +[ Upstream commit 67ea0b7ce41844eae7c10bb04dfe66a23318c224 ] + +When an overflow occurs in the PRI queue, the SMMU toggles the overflow +flag in the PROD register. To exit the overflow condition, the PRI thread +is supposed to acknowledge it by toggling this flag in the CONS register. +Unacknowledged overflow causes the queue to stop adding anything new. + +Currently, the priq thread always writes the CONS register back to the +SMMU after clearing the queue. + +The writeback is not necessary if the OVFLG in the PROD register has not +been changed, no overflow has occured. + +This commit checks the difference of the overflow flag between CONS and +PROD register. If it's different, toggles the OVACKFLG flag in the CONS +register and write it to the SMMU. + +The situation is similar for the event queue. +The acknowledge register is also toggled after clearing the event +queue but never propagated to the hardware. This would only be done the +next time when executing evtq thread. + +Unacknowledged event queue overflow doesn't affect the event +queue, because the SMMU still adds elements to that queue when the +overflow condition is active. +But it feel nicer to keep SMMU in sync when possible, so use the same +way here as well. 
+ +Signed-off-by: Tomas Krcka +Link: https://lore.kernel.org/r/20230329123420.34641-1-tomas.krcka@gmail.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c +index 8966f7d5aab61..82f100e591b5a 100644 +--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c ++++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c +@@ -152,6 +152,18 @@ static void queue_inc_cons(struct arm_smmu_ll_queue *q) + q->cons = Q_OVF(q->cons) | Q_WRP(q, cons) | Q_IDX(q, cons); + } + ++static void queue_sync_cons_ovf(struct arm_smmu_queue *q) ++{ ++ struct arm_smmu_ll_queue *llq = &q->llq; ++ ++ if (likely(Q_OVF(llq->prod) == Q_OVF(llq->cons))) ++ return; ++ ++ llq->cons = Q_OVF(llq->prod) | Q_WRP(llq, llq->cons) | ++ Q_IDX(llq, llq->cons); ++ queue_sync_cons_out(q); ++} ++ + static int queue_sync_prod_in(struct arm_smmu_queue *q) + { + u32 prod; +@@ -1583,8 +1595,7 @@ static irqreturn_t arm_smmu_evtq_thread(int irq, void *dev) + } while (!queue_empty(llq)); + + /* Sync our overflow flag, as we believe we're up to speed */ +- llq->cons = Q_OVF(llq->prod) | Q_WRP(llq, llq->cons) | +- Q_IDX(llq, llq->cons); ++ queue_sync_cons_ovf(q); + return IRQ_HANDLED; + } + +@@ -1642,9 +1653,7 @@ static irqreturn_t arm_smmu_priq_thread(int irq, void *dev) + } while (!queue_empty(llq)); + + /* Sync our overflow flag, as we believe we're up to speed */ +- llq->cons = Q_OVF(llq->prod) | Q_WRP(llq, llq->cons) | +- Q_IDX(llq, llq->cons); +- queue_sync_cons_out(q); ++ queue_sync_cons_ovf(q); + return IRQ_HANDLED; + } + +-- +2.43.0 + diff --git a/queue-6.1/iommu-sprd-release-dma-buffer-to-avoid-memory-leak.patch b/queue-6.1/iommu-sprd-release-dma-buffer-to-avoid-memory-leak.patch new file mode 100644 index 00000000000..6c8fada079c --- /dev/null 
+++ b/queue-6.1/iommu-sprd-release-dma-buffer-to-avoid-memory-leak.patch 
@@ -0,0 +1,71 @@ +From eb96b4d3b6cc26ce373f857f13dfe579f45dc4f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Mar 2023 11:31:23 +0800 +Subject: iommu/sprd: Release dma buffer to avoid memory leak + +From: Chunyan Zhang + +[ Upstream commit 9afea57384d4ae7b2034593eac7fa76c7122762a ] + +When attaching to a domain, the driver would alloc a DMA buffer which +is used to store address mapping table, and it need to be released +when the IOMMU domain is freed. + +Signed-off-by: Chunyan Zhang +Link: https://lore.kernel.org/r/20230331033124.864691-2-zhang.lyra@gmail.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/sprd-iommu.c | 29 ++++++++++++++++++++++------- + 1 file changed, 22 insertions(+), 7 deletions(-) + +diff --git a/drivers/iommu/sprd-iommu.c b/drivers/iommu/sprd-iommu.c +index 8261066de07d7..e4358393fe378 100644 +--- a/drivers/iommu/sprd-iommu.c ++++ b/drivers/iommu/sprd-iommu.c +@@ -152,13 +152,6 @@ static struct iommu_domain *sprd_iommu_domain_alloc(unsigned int domain_type) + return &dom->domain; + } + +-static void sprd_iommu_domain_free(struct iommu_domain *domain) +-{ +- struct sprd_iommu_domain *dom = to_sprd_domain(domain); +- +- kfree(dom); +-} +- + static void sprd_iommu_first_vpn(struct sprd_iommu_domain *dom) + { + struct sprd_iommu_device *sdev = dom->sdev; +@@ -231,6 +224,28 @@ static void sprd_iommu_hw_en(struct sprd_iommu_device *sdev, bool en) + sprd_iommu_update_bits(sdev, reg_cfg, mask, 0, val); + } + ++static void sprd_iommu_cleanup(struct sprd_iommu_domain *dom) ++{ ++ size_t pgt_size; ++ ++ /* Nothing need to do if the domain hasn't been attached */ ++ if (!dom->sdev) ++ return; ++ ++ pgt_size = sprd_iommu_pgt_size(&dom->domain); ++ dma_free_coherent(dom->sdev->dev, pgt_size, dom->pgt_va, dom->pgt_pa); ++ dom->sdev = NULL; ++ sprd_iommu_hw_en(dom->sdev, false); ++} ++ ++static void sprd_iommu_domain_free(struct iommu_domain *domain) ++{ ++ struct sprd_iommu_domain *dom = to_sprd_domain(domain); 
++ ++ sprd_iommu_cleanup(dom); ++ kfree(dom); ++} ++ + static int sprd_iommu_attach_device(struct iommu_domain *domain, + struct device *dev) + { +-- +2.43.0 + diff --git a/queue-6.1/mlxsw-spectrum_acl_tcam-add-missing-mutex_destroy.patch b/queue-6.1/mlxsw-spectrum_acl_tcam-add-missing-mutex_destroy.patch new file mode 100644 index 00000000000..24789113805 --- /dev/null +++ b/queue-6.1/mlxsw-spectrum_acl_tcam-add-missing-mutex_destroy.patch 
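Review bot: In the added sprd_iommu_cleanup(), `dom->sdev = NULL;` runs immediately before `sprd_iommu_hw_en(dom->sdev, false);`, so the disable call always receives NULL. The context lines of the same hunk show sprd_iommu_hw_en() handing its `sdev` argument to sprd_iommu_update_bits(), which presumably dereferences it, so freeing any attached domain would hit a NULL-pointer dereference in the kernel. The two statements should be swapped: `sprd_iommu_hw_en(dom->sdev, false);` followed by `dom->sdev = NULL;`. It is also worth confirming whether the hardware should be disabled before `dma_free_coherent()` releases the page table rather than after it, since the device could otherwise still be walking memory that has been returned.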
@@ -0,0 +1,51 @@
+From 49246922f8d56e82b23b8ef2b0c9e2421ecfdef3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Feb 2023 16:39:19 +0100
+Subject: mlxsw: spectrum_acl_tcam: Add missing mutex_destroy()
+
+From: Ido Schimmel
+
+[ Upstream commit 65823e07b1e4055b6278725fd92f4d7e6f8d53fd ]
+
+Pair mutex_init() with a mutex_destroy() in the error path. Found during
+code review. No functional changes.
+
+Signed-off-by: Ido Schimmel
+Reviewed-by: Jiri Pirko
+Signed-off-by: Petr Machata
+Reviewed-by: Jacob Keller
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
+index 2107de4e9d99b..41eac7dfb67e7 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
+@@ -52,8 +52,10 @@ int mlxsw_sp_acl_tcam_init(struct mlxsw_sp *mlxsw_sp,
+ max_regions = max_tcam_regions;
+
+ tcam->used_regions = bitmap_zalloc(max_regions, GFP_KERNEL);
+- if (!tcam->used_regions)
+- return -ENOMEM;
++ if (!tcam->used_regions) {
++ err = -ENOMEM;
++ goto err_alloc_used_regions;
++ }
+ tcam->max_regions = max_regions;
+
+ max_groups = MLXSW_CORE_RES_GET(mlxsw_sp->core, ACL_MAX_GROUPS);
+@@ -78,6 +80,8 @@ int mlxsw_sp_acl_tcam_init(struct mlxsw_sp *mlxsw_sp,
+ bitmap_free(tcam->used_groups);
+ err_alloc_used_groups:
+ bitmap_free(tcam->used_regions);
++err_alloc_used_regions:
++ mutex_destroy(&tcam->lock);
+ return err;
+ }
+
+--
+2.43.0
+
diff --git a/queue-6.1/mlxsw-spectrum_acl_tcam-make-fini-symmetric-to-init.patch b/queue-6.1/mlxsw-spectrum_acl_tcam-make-fini-symmetric-to-init.patch
new file mode 100644
index 00000000000..5d89cd97403
--- /dev/null
+++ b/queue-6.1/mlxsw-spectrum_acl_tcam-make-fini-symmetric-to-init.patch
@@ -0,0 +1,41 @@
+From 7fc230bb132e9e5f1b4265c23d039143621983bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Feb 2023 16:39:20 +0100
+Subject: mlxsw: spectrum_acl_tcam: Make fini symmetric to init
+
+From: Ido Schimmel
+
+[ Upstream commit 61fe3b9102ac84ba479ab84d8f5454af2e21e468 ]
+
+Move mutex_destroy() to the end to make the function symmetric with
+mlxsw_sp_acl_tcam_init(). No functional changes.
+
+Signed-off-by: Ido Schimmel
+Reviewed-by: Jiri Pirko
+Signed-off-by: Petr Machata
+Reviewed-by: Jacob Keller
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
+index dc2e204bcd727..2107de4e9d99b 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
+@@ -86,10 +86,10 @@ void mlxsw_sp_acl_tcam_fini(struct mlxsw_sp *mlxsw_sp,
+ {
+ const struct mlxsw_sp_acl_tcam_ops *ops = mlxsw_sp->acl_tcam_ops;
+
+- mutex_destroy(&tcam->lock);
+ ops->fini(mlxsw_sp, tcam->priv);
+ bitmap_free(tcam->used_groups);
+ bitmap_free(tcam->used_regions);
++ mutex_destroy(&tcam->lock);
+ }
+
+ int mlxsw_sp_acl_tcam_priority_get(struct mlxsw_sp *mlxsw_sp,
+--
+2.43.0
+
diff --git a/queue-6.1/mptcp-fix-duplicate-subflow-creation.patch b/queue-6.1/mptcp-fix-duplicate-subflow-creation.patch
new file mode 100644
index 00000000000..3c907c3e940
--- /dev/null
+++ b/queue-6.1/mptcp-fix-duplicate-subflow-creation.patch
@@ -0,0 +1,102 @@ +From db1cb1b3347989a7492fd5e33c9597da8cc5194c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 19:25:33 +0100 +Subject: mptcp: fix duplicate subflow creation + +From: Paolo Abeni + +[ Upstream commit 045e9d812868a2d80b7a57b224ce8009444b7bbc ] + +Fullmesh endpoints could end-up unexpectedly generating duplicate +subflows - same local and remote addresses - when multiple incoming +ADD_ADDR are processed before the PM creates the subflow for the local +endpoints. + +Address the issue explicitly checking for duplicates at subflow +creation time. + +To avoid a quadratic computational complexity, track the unavailable +remote address ids in a temporary bitmap and initialize such bitmap +with the remote ids of all the existing subflows matching the local +address currently processed. + +The above allows additionally replacing the existing code checking +for duplicate entry in the current set with a simple bit test +operation. + +Fixes: 2843ff6f36db ("mptcp: remote addresses fullmesh") +Cc: stable@vger.kernel.org +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/435 +Signed-off-by: Paolo Abeni +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/mptcp/pm_netlink.c | 33 ++++++++++++++++++--------------- + 1 file changed, 18 insertions(+), 15 deletions(-) + +diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c +index beacea4d5da51..4f8f8c27a59e9 100644 +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -396,19 +396,6 @@ void mptcp_pm_free_anno_list(struct mptcp_sock *msk) + } + } + +-static bool lookup_address_in_vec(const struct mptcp_addr_info *addrs, unsigned int nr, +- const struct mptcp_addr_info *addr) +-{ +- int i; +- +- for (i = 0; i < nr; i++) { +- if (addrs[i].id == addr->id) +- return true; +- } +- +- return false; +-} +- + /* Fill all the remote addresses into the array addrs[], + * and return the array size. + */ +@@ -440,6 +427,16 @@ static unsigned int fill_remote_addresses_vec(struct mptcp_sock *msk, + msk->pm.subflows++; + addrs[i++] = remote; + } else { ++ DECLARE_BITMAP(unavail_id, MPTCP_PM_MAX_ADDR_ID + 1); ++ ++ /* Forbid creation of new subflows matching existing ++ * ones, possibly already created by incoming ADD_ADDR ++ */ ++ bitmap_zero(unavail_id, MPTCP_PM_MAX_ADDR_ID + 1); ++ mptcp_for_each_subflow(msk, subflow) ++ if (READ_ONCE(subflow->local_id) == local->id) ++ __set_bit(subflow->remote_id, unavail_id); ++ + mptcp_for_each_subflow(msk, subflow) { + ssk = mptcp_subflow_tcp_sock(subflow); + remote_address((struct sock_common *)ssk, &addrs[i]); +@@ -447,11 +444,17 @@ static unsigned int fill_remote_addresses_vec(struct mptcp_sock *msk, + if (deny_id0 && !addrs[i].id) + continue; + ++ if (test_bit(addrs[i].id, unavail_id)) ++ continue; ++ + if (!mptcp_pm_addr_families_match(sk, local, &addrs[i])) + continue; + +- if (!lookup_address_in_vec(addrs, i, &addrs[i]) && +- msk->pm.subflows < subflows_max) { ++ if (msk->pm.subflows < subflows_max) { ++ /* forbid creating multiple address towards ++ * this id ++ */ ++ __set_bit(addrs[i].id, unavail_id); + msk->pm.subflows++; + i++; + } +-- +2.43.0 + 
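Review bot: In the new bitmap-seeding loop of fill_remote_addresses_vec(), `subflow->local_id` is read through READ_ONCE() while `subflow->remote_id` on the next line is a plain load. If remote_id can be written concurrently in the way the READ_ONCE() implies for local_id, the read should match, `__set_bit(READ_ONCE(subflow->remote_id), unavail_id);`; the writers are outside the hunk, so this needs checking there. The bitmap is declared with `MPTCP_PM_MAX_ADDR_ID + 1` bits and indexed by `subflow->remote_id` and `addrs[i].id`, which is in bounds only if neither field can exceed MPTCP_PM_MAX_ADDR_ID; the hunk does not show their types, so a one-line comment stating that bound next to DECLARE_BITMAP() would help. The function starts and ends outside the hunk.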
diff --git a/queue-6.1/mptcp-let-the-in-kernel-pm-use-mixed-ipv4-and-ipv6-a.patch b/queue-6.1/mptcp-let-the-in-kernel-pm-use-mixed-ipv4-and-ipv6-a.patch new file mode 100644 index 00000000000..f9b6cf1a41e --- /dev/null +++ b/queue-6.1/mptcp-let-the-in-kernel-pm-use-mixed-ipv4-and-ipv6-a.patch 
@@ -0,0 +1,175 @@ +From e671d10ddf30b6bb0474802666f944919d001148 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 11:47:21 +0100 +Subject: mptcp: let the in-kernel PM use mixed IPv4 and IPv6 addresses + +From: Paolo Abeni + +[ Upstream commit b9d69db87fb77fc80997993d40f091b323b3651e ] + +Currently the in-kernel PM arbitrary enforces that created subflow's +family must match the main MPTCP socket while the RFC allows mixing +IPv4 and IPv6 subflows. + +This patch changes the in-kernel PM logic to create subflows matching +the currently selected source (or destination) address. IPv4 sockets +can pick only IPv4 addresses (and v4 mapped in v6), while IPv6 sockets +not restricted to V6ONLY can pick either IPv4 and IPv6 addresses as +long as the source and destination matches. + +A helper, previously introduced is used to ease family matching checks, +taking care of IPv4 vs IPv4-mapped-IPv6 vs IPv6 only addresses. + +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/269 +Co-developed-by: Matthieu Baerts +Signed-off-by: Matthieu Baerts +Signed-off-by: Paolo Abeni +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts +Signed-off-by: Paolo Abeni +Stable-dep-of: 045e9d812868 ("mptcp: fix duplicate subflow creation") +Signed-off-by: Sasha Levin +--- + net/mptcp/pm_netlink.c | 58 ++++++++++++++++++++++-------------------- + 1 file changed, 31 insertions(+), 27 deletions(-) + +diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c +index 70a1025f093cf..beacea4d5da51 100644 +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -152,7 +152,6 @@ static struct mptcp_pm_addr_entry * + select_local_address(const struct pm_nl_pernet *pernet, + const struct mptcp_sock *msk) + { +- const struct sock *sk = (const struct sock *)msk; + struct mptcp_pm_addr_entry *entry, *ret = NULL; + + msk_owned_by_me(msk); +@@ -165,16 +164,6 @@ select_local_address(const struct pm_nl_pernet *pernet, + if (!test_bit(entry->addr.id, 
msk->pm.id_avail_bitmap)) + continue; + +- if (entry->addr.family != sk->sk_family) { +-#if IS_ENABLED(CONFIG_MPTCP_IPV6) +- if ((entry->addr.family == AF_INET && +- !ipv6_addr_v4mapped(&sk->sk_v6_daddr)) || +- (sk->sk_family == AF_INET && +- !ipv6_addr_v4mapped(&entry->addr.addr6))) +-#endif +- continue; +- } +- + ret = entry; + break; + } +@@ -423,7 +412,9 @@ static bool lookup_address_in_vec(const struct mptcp_addr_info *addrs, unsigned + /* Fill all the remote addresses into the array addrs[], + * and return the array size. + */ +-static unsigned int fill_remote_addresses_vec(struct mptcp_sock *msk, bool fullmesh, ++static unsigned int fill_remote_addresses_vec(struct mptcp_sock *msk, ++ struct mptcp_addr_info *local, ++ bool fullmesh, + struct mptcp_addr_info *addrs) + { + bool deny_id0 = READ_ONCE(msk->pm.remote_deny_join_id0); +@@ -443,6 +434,9 @@ static unsigned int fill_remote_addresses_vec(struct mptcp_sock *msk, bool fullm + if (deny_id0) + return 0; + ++ if (!mptcp_pm_addr_families_match(sk, local, &remote)) ++ return 0; ++ + msk->pm.subflows++; + addrs[i++] = remote; + } else { +@@ -453,6 +447,9 @@ static unsigned int fill_remote_addresses_vec(struct mptcp_sock *msk, bool fullm + if (deny_id0 && !addrs[i].id) + continue; + ++ if (!mptcp_pm_addr_families_match(sk, local, &addrs[i])) ++ continue; ++ + if (!lookup_address_in_vec(addrs, i, &addrs[i]) && + msk->pm.subflows < subflows_max) { + msk->pm.subflows++; +@@ -603,9 +600,11 @@ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) + fullmesh = !!(local->flags & MPTCP_PM_ADDR_FLAG_FULLMESH); + + msk->pm.local_addr_used++; +- nr = fill_remote_addresses_vec(msk, fullmesh, addrs); +- if (nr) +- __clear_bit(local->addr.id, msk->pm.id_avail_bitmap); ++ __clear_bit(local->addr.id, msk->pm.id_avail_bitmap); ++ nr = fill_remote_addresses_vec(msk, &local->addr, fullmesh, addrs); ++ if (nr == 0) ++ continue; ++ + spin_unlock_bh(&msk->pm.lock); + for (i = 0; i < nr; i++) + 
__mptcp_subflow_connect(sk, &local->addr, &addrs[i]); +@@ -628,11 +627,11 @@ static void mptcp_pm_nl_subflow_established(struct mptcp_sock *msk) + * and return the array size. + */ + static unsigned int fill_local_addresses_vec(struct mptcp_sock *msk, ++ struct mptcp_addr_info *remote, + struct mptcp_addr_info *addrs) + { + struct sock *sk = (struct sock *)msk; + struct mptcp_pm_addr_entry *entry; +- struct mptcp_addr_info local; + struct pm_nl_pernet *pernet; + unsigned int subflows_max; + int i = 0; +@@ -645,15 +644,8 @@ static unsigned int fill_local_addresses_vec(struct mptcp_sock *msk, + if (!(entry->flags & MPTCP_PM_ADDR_FLAG_FULLMESH)) + continue; + +- if (entry->addr.family != sk->sk_family) { +-#if IS_ENABLED(CONFIG_MPTCP_IPV6) +- if ((entry->addr.family == AF_INET && +- !ipv6_addr_v4mapped(&sk->sk_v6_daddr)) || +- (sk->sk_family == AF_INET && +- !ipv6_addr_v4mapped(&entry->addr.addr6))) +-#endif +- continue; +- } ++ if (!mptcp_pm_addr_families_match(sk, &entry->addr, remote)) ++ continue; + + if (msk->pm.subflows < subflows_max) { + msk->pm.subflows++; +@@ -666,8 +658,18 @@ static unsigned int fill_local_addresses_vec(struct mptcp_sock *msk, + * 'IPADDRANY' local address + */ + if (!i) { ++ struct mptcp_addr_info local; ++ + memset(&local, 0, sizeof(local)); +- local.family = msk->pm.remote.family; ++ local.family = ++#if IS_ENABLED(CONFIG_MPTCP_IPV6) ++ remote->family == AF_INET6 && ++ ipv6_addr_v4mapped(&remote->addr6) ? AF_INET : ++#endif ++ remote->family; ++ ++ if (!mptcp_pm_addr_families_match(sk, &local, remote)) ++ return 0; + + msk->pm.subflows++; + addrs[i++] = local; +@@ -706,7 +708,9 @@ static void mptcp_pm_nl_add_addr_received(struct mptcp_sock *msk) + /* connect to the specified remote address, using whatever + * local address the routing configuration will pick. 
+ */ +- nr = fill_local_addresses_vec(msk, addrs); ++ nr = fill_local_addresses_vec(msk, &remote, addrs); ++ if (nr == 0) ++ return; + + msk->pm.add_addr_accepted++; + if (msk->pm.add_addr_accepted >= add_addr_accept_max || +-- +2.43.0 + diff --git a/queue-6.1/net-restore-alpha-order-to-ethernet-devices-in-confi.patch b/queue-6.1/net-restore-alpha-order-to-ethernet-devices-in-confi.patch new file mode 100644 index 00000000000..af280396e99 --- /dev/null +++ b/queue-6.1/net-restore-alpha-order-to-ethernet-devices-in-confi.patch 
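Review bot: In mptcp_pm_create_subflow_or_signal_addr(), `__clear_bit(local->addr.id, msk->pm.id_avail_bitmap)` and `msk->pm.local_addr_used++` now run before the result of fill_remote_addresses_vec() is known, so a local endpoint whose family matches no remote is consumed without any subflow being created. If that is intended, a comment at the new `if (nr == 0) continue;` should say so, e.g. `/* endpoint stays marked as used even when no remote matches its family */`. Separately, the `local.family =` assignment in fill_local_addresses_vec() is split by `#if IS_ENABLED(CONFIG_MPTCP_IPV6)` in the middle of the expression; a comment above it such as `/* a v4-mapped IPv6 remote is paired with an AF_INET wildcard local address */` would make the intent readable without expanding the preprocessor by hand. Both functions extend beyond the hunks shown.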
@@ -0,0 +1,48 @@ +From 08f9c679444ff15a84464cdf61462156f8ae13b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Mar 2023 16:10:51 -0600 +Subject: net: restore alpha order to Ethernet devices in config + +From: Bjorn Helgaas + +[ Upstream commit a1331535aeb41b08fe0c2c78af51885edc93615b ] + +The filename "wangxun" sorts between "intel" and "xscale", but +xscale/Kconfig contains "Intel XScale" prompts, so Wangxun ends up in the +wrong place in the config front-ends. + +Move wangxun/Kconfig so the Wangxun devices appear in order in the user +interface. + +Fixes: 3ce7547e5b71 ("net: txgbe: Add build support for txgbe") +Signed-off-by: Bjorn Helgaas +Link: https://lore.kernel.org/r/20230307221051.890135-1-helgaas@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/Kconfig b/drivers/net/ethernet/Kconfig +index 1917da7841919..5a274b99f2992 100644 +--- a/drivers/net/ethernet/Kconfig ++++ b/drivers/net/ethernet/Kconfig +@@ -84,7 +84,6 @@ source "drivers/net/ethernet/huawei/Kconfig" + source "drivers/net/ethernet/i825xx/Kconfig" + source "drivers/net/ethernet/ibm/Kconfig" + source "drivers/net/ethernet/intel/Kconfig" +-source "drivers/net/ethernet/wangxun/Kconfig" + source "drivers/net/ethernet/xscale/Kconfig" + + config JME +@@ -189,6 +188,7 @@ source "drivers/net/ethernet/toshiba/Kconfig" + source "drivers/net/ethernet/tundra/Kconfig" + source "drivers/net/ethernet/vertexcom/Kconfig" + source "drivers/net/ethernet/via/Kconfig" ++source "drivers/net/ethernet/wangxun/Kconfig" + source "drivers/net/ethernet/wiznet/Kconfig" + source "drivers/net/ethernet/xilinx/Kconfig" + source "drivers/net/ethernet/xircom/Kconfig" +-- +2.43.0 + 
diff --git a/queue-6.1/of-overlay-reorder-struct-fragment-fields-kerneldoc.patch b/queue-6.1/of-overlay-reorder-struct-fragment-fields-kerneldoc.patch new file mode 100644 index 00000000000..1fea7a3c1eb --- /dev/null +++ b/queue-6.1/of-overlay-reorder-struct-fragment-fields-kerneldoc.patch @@ -0,0 +1,38 @@ +From daeff512c17e05cda1e0b8597eb08104e21a3946 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Sep 2023 11:35:39 +0200 +Subject: of: overlay: Reorder struct fragment fields kerneldoc + +From: Geert Uytterhoeven + +[ Upstream commit 5d007ffdf6025fe83e497c44ed7c8aa8f150c4d1 ] + +The fields of the fragment structure were reordered, but the kerneldoc +was not updated. + +Fixes: 81225ea682f45629 ("of: overlay: reorder fields in struct fragment") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/cfa36d2bb95e3c399c415dbf58057302c70ef375.1695893695.git.geert+renesas@glider.be +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/overlay.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c +index 4402871b5c0c0..e663d5585a057 100644 +--- a/drivers/of/overlay.c ++++ b/drivers/of/overlay.c +@@ -45,8 +45,8 @@ struct target { + + /** + * struct fragment - info about fragment nodes in overlay expanded device tree +- * @target: target of the overlay operation + * @overlay: pointer to the __overlay__ node ++ * @target: target of the overlay operation + */ + struct fragment { + struct device_node *overlay; +-- +2.43.0 + diff --git a/queue-6.1/pci-layerscape-add-the-endpoint-linkup-notifier-supp.patch b/queue-6.1/pci-layerscape-add-the-endpoint-linkup-notifier-supp.patch new file mode 100644 index 00000000000..f396b07a8c2 --- /dev/null +++ b/queue-6.1/pci-layerscape-add-the-endpoint-linkup-notifier-supp.patch 
@@ -0,0 +1,170 @@ +From 34cfc536b52a6ef58b607ff6714ce307618338a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 11:10:49 -0400 +Subject: PCI: layerscape: Add the endpoint linkup notifier support + +From: Frank Li + +[ Upstream commit 061cbfab09fb35898f2907d42f936cf9ae271d93 ] + +Layerscape has PME interrupt, which can be used as linkup notifier. Set +CFG_READY bit of PEX_PF0_CONFIG to enable accesses from root complex when +linkup detected. + +Link: https://lore.kernel.org/r/20230515151049.2797105-1-Frank.Li@nxp.com +Signed-off-by: Xiaowei Bao +Signed-off-by: Frank Li +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Bjorn Helgaas +Acked-by: Manivannan Sadhasivam +Signed-off-by: Sasha Levin +--- + .../pci/controller/dwc/pci-layerscape-ep.c | 100 +++++++++++++++++- + 1 file changed, 99 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/dwc/pci-layerscape-ep.c b/drivers/pci/controller/dwc/pci-layerscape-ep.c +index ad99707b3b994..5b27554e071a1 100644 +--- a/drivers/pci/controller/dwc/pci-layerscape-ep.c ++++ b/drivers/pci/controller/dwc/pci-layerscape-ep.c +@@ -18,6 +18,20 @@ + + #include "pcie-designware.h" + ++#define PEX_PF0_CONFIG 0xC0014 ++#define PEX_PF0_CFG_READY BIT(0) ++ ++/* PEX PFa PCIE PME and message interrupt registers*/ ++#define PEX_PF0_PME_MES_DR 0xC0020 ++#define PEX_PF0_PME_MES_DR_LUD BIT(7) ++#define PEX_PF0_PME_MES_DR_LDD BIT(9) ++#define PEX_PF0_PME_MES_DR_HRD BIT(10) ++ ++#define PEX_PF0_PME_MES_IER 0xC0028 ++#define PEX_PF0_PME_MES_IER_LUDIE BIT(7) ++#define PEX_PF0_PME_MES_IER_LDDIE BIT(9) ++#define PEX_PF0_PME_MES_IER_HRDIE BIT(10) ++ + #define to_ls_pcie_ep(x) dev_get_drvdata((x)->dev) + + struct ls_pcie_ep_drvdata { +@@ -30,8 +44,84 @@ struct ls_pcie_ep { + struct dw_pcie *pci; + struct pci_epc_features *ls_epc; + const struct ls_pcie_ep_drvdata *drvdata; ++ int irq; ++ bool big_endian; + }; + ++static u32 ls_lut_readl(struct ls_pcie_ep *pcie, u32 offset) ++{ ++ struct dw_pcie *pci = pcie->pci; ++ ++ 
if (pcie->big_endian) ++ return ioread32be(pci->dbi_base + offset); ++ else ++ return ioread32(pci->dbi_base + offset); ++} ++ ++static void ls_lut_writel(struct ls_pcie_ep *pcie, u32 offset, u32 value) ++{ ++ struct dw_pcie *pci = pcie->pci; ++ ++ if (pcie->big_endian) ++ iowrite32be(value, pci->dbi_base + offset); ++ else ++ iowrite32(value, pci->dbi_base + offset); ++} ++ ++static irqreturn_t ls_pcie_ep_event_handler(int irq, void *dev_id) ++{ ++ struct ls_pcie_ep *pcie = dev_id; ++ struct dw_pcie *pci = pcie->pci; ++ u32 val, cfg; ++ ++ val = ls_lut_readl(pcie, PEX_PF0_PME_MES_DR); ++ ls_lut_writel(pcie, PEX_PF0_PME_MES_DR, val); ++ ++ if (!val) ++ return IRQ_NONE; ++ ++ if (val & PEX_PF0_PME_MES_DR_LUD) { ++ cfg = ls_lut_readl(pcie, PEX_PF0_CONFIG); ++ cfg |= PEX_PF0_CFG_READY; ++ ls_lut_writel(pcie, PEX_PF0_CONFIG, cfg); ++ dw_pcie_ep_linkup(&pci->ep); ++ ++ dev_dbg(pci->dev, "Link up\n"); ++ } else if (val & PEX_PF0_PME_MES_DR_LDD) { ++ dev_dbg(pci->dev, "Link down\n"); ++ } else if (val & PEX_PF0_PME_MES_DR_HRD) { ++ dev_dbg(pci->dev, "Hot reset\n"); ++ } ++ ++ return IRQ_HANDLED; ++} ++ ++static int ls_pcie_ep_interrupt_init(struct ls_pcie_ep *pcie, ++ struct platform_device *pdev) ++{ ++ u32 val; ++ int ret; ++ ++ pcie->irq = platform_get_irq_byname(pdev, "pme"); ++ if (pcie->irq < 0) ++ return pcie->irq; ++ ++ ret = devm_request_irq(&pdev->dev, pcie->irq, ls_pcie_ep_event_handler, ++ IRQF_SHARED, pdev->name, pcie); ++ if (ret) { ++ dev_err(&pdev->dev, "Can't register PCIe IRQ\n"); ++ return ret; ++ } ++ ++ /* Enable interrupts */ ++ val = ls_lut_readl(pcie, PEX_PF0_PME_MES_IER); ++ val |= PEX_PF0_PME_MES_IER_LDDIE | PEX_PF0_PME_MES_IER_HRDIE | ++ PEX_PF0_PME_MES_IER_LUDIE; ++ ls_lut_writel(pcie, PEX_PF0_PME_MES_IER, val); ++ ++ return 0; ++} ++ + static const struct pci_epc_features* + ls_pcie_ep_get_features(struct dw_pcie_ep *ep) + { +@@ -124,6 +214,7 @@ static int __init ls_pcie_ep_probe(struct platform_device *pdev) + struct ls_pcie_ep *pcie; + 
struct pci_epc_features *ls_epc; + struct resource *dbi_base; ++ int ret; + + pcie = devm_kzalloc(dev, sizeof(*pcie), GFP_KERNEL); + if (!pcie) +@@ -143,6 +234,7 @@ static int __init ls_pcie_ep_probe(struct platform_device *pdev) + pci->ops = pcie->drvdata->dw_pcie_ops; + + ls_epc->bar_fixed_64bit = (1 << BAR_2) | (1 << BAR_4); ++ ls_epc->linkup_notifier = true; + + pcie->pci = pci; + pcie->ls_epc = ls_epc; +@@ -154,9 +246,15 @@ static int __init ls_pcie_ep_probe(struct platform_device *pdev) + + pci->ep.ops = &ls_pcie_ep_ops; + ++ pcie->big_endian = of_property_read_bool(dev->of_node, "big-endian"); ++ + platform_set_drvdata(pdev, pcie); + +- return dw_pcie_ep_init(&pci->ep); ++ ret = dw_pcie_ep_init(&pci->ep); ++ if (ret) ++ return ret; ++ ++ return ls_pcie_ep_interrupt_init(pcie, pdev); + } + + static struct platform_driver ls_pcie_ep_driver = { +-- +2.43.0 + diff --git a/queue-6.1/pci-layerscape-add-workaround-for-lost-link-capabili.patch b/queue-6.1/pci-layerscape-add-workaround-for-lost-link-capabili.patch new file mode 100644 index 00000000000..5ef89717c7b --- /dev/null +++ b/queue-6.1/pci-layerscape-add-workaround-for-lost-link-capabili.patch 
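Review bot: In `ls_pcie_ep_probe()` the new tail `return ls_pcie_ep_interrupt_init(pcie, pdev);` runs after `dw_pcie_ep_init()` has already succeeded, so a failure of `platform_get_irq_byname(pdev, "pme")` or `devm_request_irq()` fails the probe with no visible teardown of the endpoint. If the endpoint core needs explicit cleanup at that point, the error path should do it, for example `ret = ls_pcie_ep_interrupt_init(pcie, pdev);` followed by `if (ret) dw_pcie_ep_exit(&pci->ep);` and `return ret;`. The change also makes the "pme" interrupt mandatory, so a device tree that lacks it presumably no longer probes; for a stable backport that should be confirmed against the device trees shipped with this branch. The body of `ls_pcie_ep_probe()` starts outside the hunk.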
@@ -0,0 +1,89 @@ +From e0f7193cdd401fde177ba46dc8ece2c802956182 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 09:58:34 -0400 +Subject: PCI: layerscape: Add workaround for lost link capabilities during + reset + +From: Xiaowei Bao + +[ Upstream commit 17cf8661ee0f065c08152e611a568dd1fb0285f1 ] + +The endpoint controller loses the Maximum Link Width and Supported Link Speed +value from the Link Capabilities Register - initially configured by the Reset +Configuration Word (RCW) - during a link-down or hot reset event. + +Address this issue in the endpoint event handler. + +Link: https://lore.kernel.org/r/20230720135834.1977616-2-Frank.Li@nxp.com +Fixes: a805770d8a22 ("PCI: layerscape: Add EP mode support") +Signed-off-by: Xiaowei Bao +Signed-off-by: Hou Zhiqiang +Signed-off-by: Frank Li +Signed-off-by: Lorenzo Pieralisi +Acked-by: Manivannan Sadhasivam +Signed-off-by: Sasha Levin +--- + .../pci/controller/dwc/pci-layerscape-ep.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/drivers/pci/controller/dwc/pci-layerscape-ep.c b/drivers/pci/controller/dwc/pci-layerscape-ep.c +index 5b27554e071a1..dd7d74fecc48e 100644 +--- a/drivers/pci/controller/dwc/pci-layerscape-ep.c ++++ b/drivers/pci/controller/dwc/pci-layerscape-ep.c +@@ -45,6 +45,7 @@ struct ls_pcie_ep { + struct pci_epc_features *ls_epc; + const struct ls_pcie_ep_drvdata *drvdata; + int irq; ++ u32 lnkcap; + bool big_endian; + }; + +@@ -73,6 +74,7 @@ static irqreturn_t ls_pcie_ep_event_handler(int irq, void *dev_id) + struct ls_pcie_ep *pcie = dev_id; + struct dw_pcie *pci = pcie->pci; + u32 val, cfg; ++ u8 offset; + + val = ls_lut_readl(pcie, PEX_PF0_PME_MES_DR); + ls_lut_writel(pcie, PEX_PF0_PME_MES_DR, val); +@@ -81,6 +83,19 @@ static irqreturn_t ls_pcie_ep_event_handler(int irq, void *dev_id) + return IRQ_NONE; + + if (val & PEX_PF0_PME_MES_DR_LUD) { ++ ++ offset = dw_pcie_find_capability(pci, PCI_CAP_ID_EXP); ++ ++ /* ++ * The values of the Maximum Link Width 
and Supported Link ++ * Speed from the Link Capabilities Register will be lost ++ * during link down or hot reset. Restore initial value ++ * that configured by the Reset Configuration Word (RCW). ++ */ ++ dw_pcie_dbi_ro_wr_en(pci); ++ dw_pcie_writel_dbi(pci, offset + PCI_EXP_LNKCAP, pcie->lnkcap); ++ dw_pcie_dbi_ro_wr_dis(pci); ++ + cfg = ls_lut_readl(pcie, PEX_PF0_CONFIG); + cfg |= PEX_PF0_CFG_READY; + ls_lut_writel(pcie, PEX_PF0_CONFIG, cfg); +@@ -214,6 +229,7 @@ static int __init ls_pcie_ep_probe(struct platform_device *pdev) + struct ls_pcie_ep *pcie; + struct pci_epc_features *ls_epc; + struct resource *dbi_base; ++ u8 offset; + int ret; + + pcie = devm_kzalloc(dev, sizeof(*pcie), GFP_KERNEL); +@@ -250,6 +266,9 @@ static int __init ls_pcie_ep_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, pcie); + ++ offset = dw_pcie_find_capability(pci, PCI_CAP_ID_EXP); ++ pcie->lnkcap = dw_pcie_readl_dbi(pci, offset + PCI_EXP_LNKCAP); ++ + ret = dw_pcie_ep_init(&pci->ep); + if (ret) + return ret; +-- +2.43.0 + diff --git a/queue-6.1/rdma-core-fix-multiple-warray-bounds-warnings.patch b/queue-6.1/rdma-core-fix-multiple-warray-bounds-warnings.patch new file mode 100644 index 00000000000..c97eaa8dc78 --- /dev/null +++ b/queue-6.1/rdma-core-fix-multiple-warray-bounds-warnings.patch 
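Review bot: The result of `dw_pcie_find_capability(pci, PCI_CAP_ID_EXP)` is used unchecked in both `ls_pcie_ep_probe()` and the link-up branch of `ls_pcie_ep_event_handler()`. If the capability is not found and the helper returns 0, the handler writes `pcie->lnkcap` to `0 + PCI_EXP_LNKCAP` while read-only DBI writes are enabled, which lands in the standard configuration header rather than in the Link Capabilities Register. I would look the offset up once in probe, fail there with `if (!offset) return -ENODEV;`, and store it in `struct ls_pcie_ep` so the interrupt handler does not repeat the capability walk on every link-up. Both function bodies extend outside the hunk.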
@@ -0,0 +1,187 @@ +From 37b204d5fbd6d579a5f2526bc675439ae406a4f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Mar 2023 17:47:03 -0600 +Subject: RDMA/core: Fix multiple -Warray-bounds warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gustavo A. R. Silva + +[ Upstream commit aa4d540b4150052ae3b36d286b9c833a961ce291 ] + +GCC-13 (and Clang)[1] does not like to access a partially allocated +object, since it cannot reason about it for bounds checking. + +In this case 140 bytes are allocated for an object of type struct +ib_umad_packet: + + packet = kzalloc(sizeof(*packet) + IB_MGMT_RMPP_HDR, GFP_KERNEL); + +However, notice that sizeof(*packet) is only 104 bytes: + +struct ib_umad_packet { + struct ib_mad_send_buf * msg; /* 0 8 */ + struct ib_mad_recv_wc * recv_wc; /* 8 8 */ + struct list_head list; /* 16 16 */ + int length; /* 32 4 */ + + /* XXX 4 bytes hole, try to pack */ + + struct ib_user_mad mad __attribute__((__aligned__(8))); /* 40 64 */ + + /* size: 104, cachelines: 2, members: 5 */ + /* sum members: 100, holes: 1, sum holes: 4 */ + /* forced alignments: 1, forced holes: 1, sum forced holes: 4 */ + /* last cacheline: 40 bytes */ +} __attribute__((__aligned__(8))); + +and 36 bytes extra bytes are allocated for a flexible-array member in +struct ib_user_mad: + +include/rdma/ib_mad.h: +120 enum { +... +123 IB_MGMT_RMPP_HDR = 36, +... 
} + +struct ib_user_mad { + struct ib_user_mad_hdr hdr; /* 0 64 */ + /* --- cacheline 1 boundary (64 bytes) --- */ + __u64 data[] __attribute__((__aligned__(8))); /* 64 0 */ + + /* size: 64, cachelines: 1, members: 2 */ + /* forced alignments: 1 */ +} __attribute__((__aligned__(8))); + +So we have sizeof(*packet) + IB_MGMT_RMPP_HDR == 140 bytes + +Then the address of the flex-array member (for which only 36 bytes were +allocated) is casted and copied into a pointer to struct ib_rmpp_mad, +which, in turn, is of size 256 bytes: + + rmpp_mad = (struct ib_rmpp_mad *) packet->mad.data; + +struct ib_rmpp_mad { + struct ib_mad_hdr mad_hdr; /* 0 24 */ + struct ib_rmpp_hdr rmpp_hdr; /* 24 12 */ + u8 data[220]; /* 36 220 */ + + /* size: 256, cachelines: 4, members: 3 */ +}; + +The thing is that those 36 bytes allocated for flex-array member data +in struct ib_user_mad onlly account for the size of both struct ib_mad_hdr +and struct ib_rmpp_hdr, but nothing is left for array u8 data[220]. +So, the compiler is legitimately complaining about accessing an object +for which not enough memory was allocated. + +Apparently, the only members of struct ib_rmpp_mad that are relevant +(that are actually being used) in function ib_umad_write() are mad_hdr +and rmpp_hdr. So, instead of casting packet->mad.data to +(struct ib_rmpp_mad *) create a new structure + +struct ib_rmpp_mad_hdr { + struct ib_mad_hdr mad_hdr; + struct ib_rmpp_hdr rmpp_hdr; +} __packed; + +and cast packet->mad.data to (struct ib_rmpp_mad_hdr *). + +Notice that + + IB_MGMT_RMPP_HDR == sizeof(struct ib_rmpp_mad_hdr) == 36 bytes + +Refactor the rest of the code, accordingly. 
+ +Fix the following warnings seen under GCC-13 and -Warray-bounds: +drivers/infiniband/core/user_mad.c:564:50: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=] +drivers/infiniband/core/user_mad.c:566:42: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=] +drivers/infiniband/core/user_mad.c:618:25: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=] +drivers/infiniband/core/user_mad.c:622:44: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=] + +Link: https://github.com/KSPP/linux/issues/273 +Link: https://godbolt.org/z/oYWaGM4Yb [1] +Signed-off-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/ZBpB91qQcB10m3Fw@work +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/user_mad.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c +index d96c78e436f98..5c284dfbe6923 100644 +--- a/drivers/infiniband/core/user_mad.c ++++ b/drivers/infiniband/core/user_mad.c +@@ -131,6 +131,11 @@ struct ib_umad_packet { + struct ib_user_mad mad; + }; + ++struct ib_rmpp_mad_hdr { ++ struct ib_mad_hdr mad_hdr; ++ struct ib_rmpp_hdr rmpp_hdr; ++} __packed; ++ + #define CREATE_TRACE_POINTS + #include + +@@ -494,11 +499,11 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, + size_t count, loff_t *pos) + { + struct ib_umad_file *file = filp->private_data; ++ struct ib_rmpp_mad_hdr *rmpp_mad_hdr; + struct ib_umad_packet *packet; + struct ib_mad_agent *agent; + struct rdma_ah_attr ah_attr; + struct ib_ah *ah; +- struct ib_rmpp_mad *rmpp_mad; + __be64 *tid; + int ret, data_len, hdr_len, copy_offset, rmpp_active; + u8 base_version; 
+@@ -506,7 +511,7 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, + if (count < hdr_size(file) + IB_MGMT_RMPP_HDR) + return -EINVAL; + +- packet = kzalloc(sizeof *packet + IB_MGMT_RMPP_HDR, GFP_KERNEL); ++ packet = kzalloc(sizeof(*packet) + IB_MGMT_RMPP_HDR, GFP_KERNEL); + if (!packet) + return -ENOMEM; + +@@ -560,13 +565,13 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, + goto err_up; + } + +- rmpp_mad = (struct ib_rmpp_mad *) packet->mad.data; +- hdr_len = ib_get_mad_data_offset(rmpp_mad->mad_hdr.mgmt_class); ++ rmpp_mad_hdr = (struct ib_rmpp_mad_hdr *)packet->mad.data; ++ hdr_len = ib_get_mad_data_offset(rmpp_mad_hdr->mad_hdr.mgmt_class); + +- if (ib_is_mad_class_rmpp(rmpp_mad->mad_hdr.mgmt_class) ++ if (ib_is_mad_class_rmpp(rmpp_mad_hdr->mad_hdr.mgmt_class) + && ib_mad_kernel_rmpp_agent(agent)) { + copy_offset = IB_MGMT_RMPP_HDR; +- rmpp_active = ib_get_rmpp_flags(&rmpp_mad->rmpp_hdr) & ++ rmpp_active = ib_get_rmpp_flags(&rmpp_mad_hdr->rmpp_hdr) & + IB_MGMT_RMPP_FLAG_ACTIVE; + } else { + copy_offset = IB_MGMT_MAD_HDR; +@@ -615,12 +620,12 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, + tid = &((struct ib_mad_hdr *) packet->msg->mad)->tid; + *tid = cpu_to_be64(((u64) agent->hi_tid) << 32 | + (be64_to_cpup(tid) & 0xffffffff)); +- rmpp_mad->mad_hdr.tid = *tid; ++ rmpp_mad_hdr->mad_hdr.tid = *tid; + } + + if (!ib_mad_kernel_rmpp_agent(agent) +- && ib_is_mad_class_rmpp(rmpp_mad->mad_hdr.mgmt_class) +- && (ib_get_rmpp_flags(&rmpp_mad->rmpp_hdr) & IB_MGMT_RMPP_FLAG_ACTIVE)) { ++ && ib_is_mad_class_rmpp(rmpp_mad_hdr->mad_hdr.mgmt_class) ++ && (ib_get_rmpp_flags(&rmpp_mad_hdr->rmpp_hdr) & IB_MGMT_RMPP_FLAG_ACTIVE)) { + spin_lock_irq(&file->send_lock); + list_add_tail(&packet->list, &file->send_list); + spin_unlock_irq(&file->send_lock); +-- +2.43.0 + 
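Review bot: The allocation `kzalloc(sizeof(*packet) + IB_MGMT_RMPP_HDR, GFP_KERNEL)` and the new cast `(struct ib_rmpp_mad_hdr *)packet->mad.data` in `ib_umad_write()` agree only while `sizeof(struct ib_rmpp_mad_hdr) == IB_MGMT_RMPP_HDR`, which the commit message states but the code does not enforce. Because this path parses a buffer that comes from user space (`const char __user *buf`), I would pin the invariant next to the new struct with `static_assert(sizeof(struct ib_rmpp_mad_hdr) == IB_MGMT_RMPP_HDR);`. A one-line comment on `struct ib_rmpp_mad_hdr` saying that it covers only the header part of `struct ib_rmpp_mad` would also help the next reader. `ib_umad_write()` starts and ends outside the hunk.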
diff --git a/queue-6.1/scsi-core-add-struct-for-args-to-execution-functions.patch b/queue-6.1/scsi-core-add-struct-for-args-to-execution-functions.patch
new file mode 100644
index 00000000000..4a5fdcb2d77
--- /dev/null
+++ b/queue-6.1/scsi-core-add-struct-for-args-to-execution-functions.patch
@@ -0,0 +1,206 @@ +From 547a47c0b62517e7054bf9fd97a3d82ead3e0313 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Dec 2022 13:01:40 -0600 +Subject: scsi: core: Add struct for args to execution functions + +From: Mike Christie + +[ Upstream commit d0949565811f0896c1c7e781ab2ad99d34273fdf ] + +Move the SCSI execution functions to use a struct for passing in optional +args. This commit adds the new struct, temporarily converts scsi_execute() +and scsi_execute_req() ands a new helper, scsi_execute_cmd(), which takes +the scsi_exec_args struct. + +There should be no change in behavior. We no longer allow users to pass in +any request->rq_flags value, but they were only passing in RQF_PM which we +do support by allowing users to pass in the BLK_MQ_REQ flags used by +blk_mq_alloc_request(). + +Subsequent commits will convert scsi_execute() and scsi_execute_req() users +to the new helpers then remove scsi_execute() and scsi_execute_req(). + +Signed-off-by: Mike Christie +Reviewed-by: Bart Van Assche +Reviewed-by: Christoph Hellwig +Reviewed-by: John Garry +Signed-off-by: Martin K. 
Petersen +Stable-dep-of: 321da3dc1f3c ("scsi: sd: usb_storage: uas: Access media prior to querying device properties") +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_lib.c | 52 ++++++++++++++++++-------------------- + include/scsi/scsi_device.h | 51 +++++++++++++++++++++++++++---------- + 2 files changed, 62 insertions(+), 41 deletions(-) + +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index 5c5954b78585e..edd296f950a33 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -185,39 +185,37 @@ void scsi_queue_insert(struct scsi_cmnd *cmd, int reason) + __scsi_queue_insert(cmd, reason, true); + } + +- + /** +- * __scsi_execute - insert request and wait for the result +- * @sdev: scsi device ++ * scsi_execute_cmd - insert request and wait for the result ++ * @sdev: scsi_device + * @cmd: scsi command +- * @data_direction: data direction ++ * @opf: block layer request cmd_flags + * @buffer: data buffer + * @bufflen: len of buffer +- * @sense: optional sense buffer +- * @sshdr: optional decoded sense header + * @timeout: request timeout in HZ + * @retries: number of times to retry request +- * @flags: flags for ->cmd_flags +- * @rq_flags: flags for ->rq_flags +- * @resid: optional residual length ++ * @args: Optional args. See struct definition for field descriptions + * + * Returns the scsi_cmnd result field if a command was executed, or a negative + * Linux error code if we didn't get that far. 
+ */ +-int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd, +- int data_direction, void *buffer, unsigned bufflen, +- unsigned char *sense, struct scsi_sense_hdr *sshdr, +- int timeout, int retries, blk_opf_t flags, +- req_flags_t rq_flags, int *resid) ++int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd, ++ blk_opf_t opf, void *buffer, unsigned int bufflen, ++ int timeout, int retries, ++ const struct scsi_exec_args *args) + { ++ static const struct scsi_exec_args default_args; + struct request *req; + struct scsi_cmnd *scmd; + int ret; + +- req = scsi_alloc_request(sdev->request_queue, +- data_direction == DMA_TO_DEVICE ? +- REQ_OP_DRV_OUT : REQ_OP_DRV_IN, +- rq_flags & RQF_PM ? BLK_MQ_REQ_PM : 0); ++ if (!args) ++ args = &default_args; ++ else if (WARN_ON_ONCE(args->sense && ++ args->sense_len != SCSI_SENSE_BUFFERSIZE)) ++ return -EINVAL; ++ ++ req = scsi_alloc_request(sdev->request_queue, opf, args->req_flags); + if (IS_ERR(req)) + return PTR_ERR(req); + +@@ -232,8 +230,7 @@ int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd, + memcpy(scmd->cmnd, cmd, scmd->cmd_len); + scmd->allowed = retries; + req->timeout = timeout; +- req->cmd_flags |= flags; +- req->rq_flags |= rq_flags | RQF_QUIET; ++ req->rq_flags |= RQF_QUIET; + + /* + * head injection *required* here otherwise quiesce won't work +@@ -249,20 +246,21 @@ int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd, + if (unlikely(scmd->resid_len > 0 && scmd->resid_len <= bufflen)) + memset(buffer + bufflen - scmd->resid_len, 0, scmd->resid_len); + +- if (resid) +- *resid = scmd->resid_len; +- if (sense && scmd->sense_len) +- memcpy(sense, scmd->sense_buffer, SCSI_SENSE_BUFFERSIZE); +- if (sshdr) ++ if (args->resid) ++ *args->resid = scmd->resid_len; ++ if (args->sense) ++ memcpy(args->sense, scmd->sense_buffer, SCSI_SENSE_BUFFERSIZE); ++ if (args->sshdr) + scsi_normalize_sense(scmd->sense_buffer, scmd->sense_len, +- sshdr); ++ 
args->sshdr); ++ + ret = scmd->result; + out: + blk_mq_free_request(req); + + return ret; + } +-EXPORT_SYMBOL(__scsi_execute); ++EXPORT_SYMBOL(scsi_execute_cmd); + + /* + * Wake up the error handler if necessary. Avoid as follows that the error +diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h +index d2751ed536df2..b407807cc6695 100644 +--- a/include/scsi/scsi_device.h ++++ b/include/scsi/scsi_device.h +@@ -479,28 +479,51 @@ extern const char *scsi_device_state_name(enum scsi_device_state); + extern int scsi_is_sdev_device(const struct device *); + extern int scsi_is_target_device(const struct device *); + extern void scsi_sanitize_inquiry_string(unsigned char *s, int len); +-extern int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd, +- int data_direction, void *buffer, unsigned bufflen, +- unsigned char *sense, struct scsi_sense_hdr *sshdr, +- int timeout, int retries, blk_opf_t flags, +- req_flags_t rq_flags, int *resid); ++ ++/* Optional arguments to scsi_execute_cmd */ ++struct scsi_exec_args { ++ unsigned char *sense; /* sense buffer */ ++ unsigned int sense_len; /* sense buffer len */ ++ struct scsi_sense_hdr *sshdr; /* decoded sense header */ ++ blk_mq_req_flags_t req_flags; /* BLK_MQ_REQ flags */ ++ int *resid; /* residual length */ ++}; ++ ++int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd, ++ blk_opf_t opf, void *buffer, unsigned int bufflen, ++ int timeout, int retries, ++ const struct scsi_exec_args *args); ++ + /* Make sure any sense buffer is the correct size. 
*/ +-#define scsi_execute(sdev, cmd, data_direction, buffer, bufflen, sense, \ +- sshdr, timeout, retries, flags, rq_flags, resid) \ ++#define scsi_execute(_sdev, _cmd, _data_dir, _buffer, _bufflen, _sense, \ ++ _sshdr, _timeout, _retries, _flags, _rq_flags, \ ++ _resid) \ + ({ \ +- BUILD_BUG_ON((sense) != NULL && \ +- sizeof(sense) != SCSI_SENSE_BUFFERSIZE); \ +- __scsi_execute(sdev, cmd, data_direction, buffer, bufflen, \ +- sense, sshdr, timeout, retries, flags, rq_flags, \ +- resid); \ ++ scsi_execute_cmd(_sdev, _cmd, (_data_dir == DMA_TO_DEVICE ? \ ++ REQ_OP_DRV_OUT : REQ_OP_DRV_IN) | _flags, \ ++ _buffer, _bufflen, _timeout, _retries, \ ++ &(struct scsi_exec_args) { \ ++ .sense = _sense, \ ++ .sshdr = _sshdr, \ ++ .req_flags = _rq_flags & RQF_PM ? \ ++ BLK_MQ_REQ_PM : 0, \ ++ .resid = _resid, \ ++ }); \ + }) ++ + static inline int scsi_execute_req(struct scsi_device *sdev, + const unsigned char *cmd, int data_direction, void *buffer, + unsigned bufflen, struct scsi_sense_hdr *sshdr, int timeout, + int retries, int *resid) + { +- return scsi_execute(sdev, cmd, data_direction, buffer, +- bufflen, NULL, sshdr, timeout, retries, 0, 0, resid); ++ return scsi_execute_cmd(sdev, cmd, ++ data_direction == DMA_TO_DEVICE ? ++ REQ_OP_DRV_OUT : REQ_OP_DRV_IN, buffer, ++ bufflen, timeout, retries, ++ &(struct scsi_exec_args) { ++ .sshdr = sshdr, ++ .resid = resid, ++ }); + } + extern void sdev_disable_disk_events(struct scsi_device *sdev); + extern void sdev_enable_disk_events(struct scsi_device *sdev); +-- +2.43.0 + diff --git a/queue-6.1/scsi-sd-usb_storage-uas-access-media-prior-to-queryi.patch b/queue-6.1/scsi-sd-usb_storage-uas-access-media-prior-to-queryi.patch new file mode 100644 index 00000000000..767701a6711 --- /dev/null +++ b/queue-6.1/scsi-sd-usb_storage-uas-access-media-prior-to-queryi.patch 
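Review bot: The rewritten `scsi_execute()` macro sets `.sense = _sense` but never sets `.sense_len`, while `scsi_execute_cmd()` rejects `args->sense && args->sense_len != SCSI_SENSE_BUFFERSIZE` with a `WARN_ON_ONCE` and `-EINVAL`, so any remaining caller that passes a non-NULL sense buffer through the macro would fail. The macro also drops the old `BUILD_BUG_ON` on `sizeof(sense)`, so the buffer size is no longer checked at build time although the function still copies `SCSI_SENSE_BUFFERSIZE` bytes into `args->sense`. I would keep `BUILD_BUG_ON((_sense) != NULL && sizeof(_sense) != SCSI_SENSE_BUFFERSIZE);` in the macro and add `.sense_len = SCSI_SENSE_BUFFERSIZE,` to the compound literal. Separately, the copy condition changed from `sense && scmd->sense_len` to `args->sense`, which does not match the commit message's statement that behaviour is unchanged.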
@@ -0,0 +1,156 @@ +From c3a450f19d741d9a79f5e41aa39e16c25076a093 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 09:33:06 -0500 +Subject: scsi: sd: usb_storage: uas: Access media prior to querying device + properties + +From: Martin K. Petersen + +[ Upstream commit 321da3dc1f3c92a12e3c5da934090d2992a8814c ] + +It has been observed that some USB/UAS devices return generic properties +hardcoded in firmware for mode pages for a period of time after a device +has been discovered. The reported properties are either garbage or they do +not accurately reflect the characteristics of the physical storage device +attached in the case of a bridge. + +Prior to commit 1e029397d12f ("scsi: sd: Reorganize DIF/DIX code to +avoid calling revalidate twice") we would call revalidate several +times during device discovery. As a result, incorrect values would +eventually get replaced with ones accurately describing the attached +storage. When we did away with the redundant revalidate pass, several +cases were reported where devices reported nonsensical values or would +end up in write-protected state. + +An initial attempt at addressing this issue involved introducing a +delayed second revalidate invocation. However, this approach still +left some devices reporting incorrect characteristics. + +Tasos Sahanidis debugged the problem further and identified that +introducing a READ operation prior to MODE SENSE fixed the problem and that +it wasn't a timing issue. Issuing a READ appears to cause the devices to +update their state to reflect the actual properties of the storage +media. Device properties like vendor, model, and storage capacity appear to +be correctly reported from the get-go. It is unclear why these devices +defer populating the remaining characteristics. + +Match the behavior of a well known commercial operating system and +trigger a READ operation prior to querying device characteristics to +force the device to populate the mode pages. 
+ +The additional READ is triggered by a flag set in the USB storage and +UAS drivers. We avoid issuing the READ for other transport classes +since some storage devices identify Linux through our particular +discovery command sequence. + +Link: https://lore.kernel.org/r/20240213143306.2194237-1-martin.petersen@oracle.com +Fixes: 1e029397d12f ("scsi: sd: Reorganize DIF/DIX code to avoid calling revalidate twice") +Cc: stable@vger.kernel.org +Reported-by: Tasos Sahanidis +Reviewed-by: Ewan D. Milne +Reviewed-by: Bart Van Assche +Tested-by: Tasos Sahanidis +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/sd.c | 26 +++++++++++++++++++++++++- + drivers/usb/storage/scsiglue.c | 7 +++++++ + drivers/usb/storage/uas.c | 7 +++++++ + include/scsi/scsi_device.h | 1 + + 4 files changed, 40 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index 31b5273f43a71..4433b02c8935f 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -3284,6 +3284,24 @@ static bool sd_validate_opt_xfer_size(struct scsi_disk *sdkp, + return true; + } + ++static void sd_read_block_zero(struct scsi_disk *sdkp) ++{ ++ unsigned int buf_len = sdkp->device->sector_size; ++ char *buffer, cmd[10] = { }; ++ ++ buffer = kmalloc(buf_len, GFP_KERNEL); ++ if (!buffer) ++ return; ++ ++ cmd[0] = READ_10; ++ put_unaligned_be32(0, &cmd[2]); /* Logical block address 0 */ ++ put_unaligned_be16(1, &cmd[7]); /* Transfer 1 logical block */ ++ ++ scsi_execute_cmd(sdkp->device, cmd, REQ_OP_DRV_IN, buffer, buf_len, ++ SD_TIMEOUT, sdkp->max_retries, NULL); ++ kfree(buffer); ++} ++ + /** + * sd_revalidate_disk - called the first time a new disk is seen, + * performs disk spin up, read_capacity, etc. +@@ -3323,7 +3341,13 @@ static int sd_revalidate_disk(struct gendisk *disk) + */ + if (sdkp->media_present) { + sd_read_capacity(sdkp, buffer); +- ++ /* ++ * Some USB/UAS devices return generic values for mode pages ++ * until the media has been accessed. 
Trigger a READ operation ++ * to force the device to populate mode pages. ++ */ ++ if (sdp->read_before_ms) ++ sd_read_block_zero(sdkp); + /* + * set the default to rotational. All non-rotational devices + * support the block characteristics VPD page, which will +diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c +index c54e9805da536..12cf9940e5b67 100644 +--- a/drivers/usb/storage/scsiglue.c ++++ b/drivers/usb/storage/scsiglue.c +@@ -179,6 +179,13 @@ static int slave_configure(struct scsi_device *sdev) + */ + sdev->use_192_bytes_for_3f = 1; + ++ /* ++ * Some devices report generic values until the media has been ++ * accessed. Force a READ(10) prior to querying device ++ * characteristics. ++ */ ++ sdev->read_before_ms = 1; ++ + /* + * Some devices don't like MODE SENSE with page=0x3f, + * which is the command used for checking if a device +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c +index de3836412bf32..ed22053b3252f 100644 +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -878,6 +878,13 @@ static int uas_slave_configure(struct scsi_device *sdev) + if (devinfo->flags & US_FL_CAPACITY_HEURISTICS) + sdev->guess_capacity = 1; + ++ /* ++ * Some devices report generic values until the media has been ++ * accessed. Force a READ(10) prior to querying device ++ * characteristics. 
++ */ ++ sdev->read_before_ms = 1; ++ + /* + * Some devices don't like MODE SENSE with page=0x3f, + * which is the command used for checking if a device +diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h +index b407807cc6695..a64713fe52640 100644 +--- a/include/scsi/scsi_device.h ++++ b/include/scsi/scsi_device.h +@@ -204,6 +204,7 @@ struct scsi_device { + unsigned use_10_for_rw:1; /* first try 10-byte read / write */ + unsigned use_10_for_ms:1; /* first try 10-byte mode sense/select */ + unsigned set_dbd_for_ms:1; /* Set "DBD" field in mode sense */ ++ unsigned read_before_ms:1; /* perform a READ before MODE SENSE */ + unsigned no_report_opcodes:1; /* no REPORT SUPPORTED OPERATION CODES */ + unsigned no_write_same:1; /* no WRITE SAME command */ + unsigned use_16_for_rw:1; /* Use read/write(16) over read/write(10) */ +-- +2.43.0 + diff --git a/queue-6.1/series b/queue-6.1/series new file mode 100644 index 00000000000..f1da3238005 --- /dev/null +++ b/queue-6.1/series 
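Review bot: `sd_read_block_zero()` discards both the return value of `scsi_execute_cmd()` and the data it reads, and nothing in the function says that this is intentional. A short comment above the call, such as `/* Best effort: only the side effect on the device matters; result and data are ignored. */`, would keep a later reader from treating it as a missed error check. The buffer length is `sdkp->device->sector_size`, which presumably holds what the preceding `sd_read_capacity()` stored from the device's reply; its validation is not visible in this hunk, so it is worth confirming that the value is always a sane non-zero size before it reaches `kmalloc()`. `sd_revalidate_disk()` continues outside the hunk.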
@@ -0,0 +1,26 @@
+drm-meson-fix-unbind-path-if-hdmi-fails-to-bind.patch
+drm-meson-don-t-remove-bridges-which-are-created-by-.patch
+scsi-core-add-struct-for-args-to-execution-functions.patch
+scsi-sd-usb_storage-uas-access-media-prior-to-queryi.patch
+mptcp-let-the-in-kernel-pm-use-mixed-ipv4-and-ipv6-a.patch
+mptcp-fix-duplicate-subflow-creation.patch
+af_unix-fix-task-hung-while-purging-oob_skb-in-gc.patch
+of-overlay-reorder-struct-fragment-fields-kerneldoc.patch
+net-restore-alpha-order-to-ethernet-devices-in-confi.patch
+mlxsw-spectrum_acl_tcam-make-fini-symmetric-to-init.patch
+mlxsw-spectrum_acl_tcam-add-missing-mutex_destroy.patch
+pci-layerscape-add-the-endpoint-linkup-notifier-supp.patch
+pci-layerscape-add-workaround-for-lost-link-capabili.patch
+arm-dts-imx-adjust-dma-apbh-node-name.patch
+arm-dts-imx7s-drop-dma-apb-interrupt-names.patch
+usb-gadget-properly-configure-the-device-for-remote-.patch
+input-xpad-add-constants-for-gip-interface-numbers.patch
+iommu-sprd-release-dma-buffer-to-avoid-memory-leak.patch
+iommu-arm-smmu-v3-acknowledge-pri-event-queue-overfl.patch
+fs-ntfs3-fix-a-possible-null-pointer-dereference-in-.patch
+clk-tegra20-fix-gcc-7-constant-overflow-warning.patch
+fs-ntfs3-add-length-check-in-indx_get_root.patch
+fs-ntfs3-fix-null-dereference-in-ni_write_inode.patch
+fs-ntfs3-fix-null-pointer-dereference-in-ni_write_in.patch
+iommu-arm-smmu-qcom-limit-the-smr-groups-to-128.patch
+rdma-core-fix-multiple-warray-bounds-warnings.patch
diff --git a/queue-6.1/usb-gadget-properly-configure-the-device-for-remote-.patch b/queue-6.1/usb-gadget-properly-configure-the-device-for-remote-.patch
new file mode 100644
index 00000000000..9f737047794
--- /dev/null
+++ b/queue-6.1/usb-gadget-properly-configure-the-device-for-remote-.patch
@@ -0,0 +1,196 @@
+From 1d72f159248029e9c044071234a4d7980e02aa09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Mar 2023 14:47:57 -0700
+Subject: usb: gadget: Properly configure the device for remote wakeup
+
+From: Elson Roy Serrao
+
+[ Upstream commit b93c2a68f3d9dc98ec30dcb342ae47c1c8d09d18 ]
+
+The wakeup bit in the bmAttributes field indicates whether the device
+is configured for remote wakeup. But this field should be allowed to
+set only if the UDC supports such wakeup mechanism. So configure this
+field based on UDC capability. Also inform the UDC whether the device
+is configured for remote wakeup by implementing a gadget op.
+
+Reviewed-by: Thinh Nguyen
+Signed-off-by: Elson Roy Serrao
+Link: https://lore.kernel.org/r/1679694482-16430-2-git-send-email-quic_eserrao@quicinc.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/composite.c | 18 ++++++++++++++++++
+ drivers/usb/gadget/configfs.c | 3 +++
+ drivers/usb/gadget/udc/core.c | 27 +++++++++++++++++++++++++++
+ drivers/usb/gadget/udc/trace.h | 5 +++++
+ include/linux/usb/composite.h | 2 ++
+ include/linux/usb/gadget.h | 8 ++++++++
+ 6 files changed, 63 insertions(+)
+
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index cb0a4e2cdbb73..247cca46cdfae 100644
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -511,6 +511,19 @@ static u8 encode_bMaxPower(enum usb_device_speed speed,
+ return min(val, 900U) / 8;
+ }
+
++void check_remote_wakeup_config(struct usb_gadget *g,
++ struct usb_configuration *c)
++{
++ if (USB_CONFIG_ATT_WAKEUP & c->bmAttributes) {
++ /* Reset the rw bit if gadget is not capable of it */
++ if (!g->wakeup_capable && g->ops->set_remote_wakeup) {
++ WARN(c->cdev, "Clearing wakeup bit for config c.%d\n",
++ c->bConfigurationValue);
++ c->bmAttributes &= ~USB_CONFIG_ATT_WAKEUP;
++ }
++ }
++}
++
+ static int config_buf(struct usb_configuration *config,
+ enum usb_device_speed
speed, void *buf, u8 type)
+ {
+@@ -959,6 +972,11 @@ static int set_config(struct usb_composite_dev *cdev,
+ power = min(power, 500U);
+ else
+ power = min(power, 900U);
++
++ if (USB_CONFIG_ATT_WAKEUP & c->bmAttributes)
++ usb_gadget_set_remote_wakeup(gadget, 1);
++ else
++ usb_gadget_set_remote_wakeup(gadget, 0);
+ done:
+ if (power <= USB_SELF_POWER_VBUS_MAX_DRAW)
+ usb_gadget_set_selfpowered(gadget);
+diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
+index 4dcf29577f8f1..b94aec6227c51 100644
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -1376,6 +1376,9 @@ static int configfs_composite_bind(struct usb_gadget *gadget,
+ if (gadget_is_otg(gadget))
+ c->descriptors = otg_desc;
+
++ /* Properly configure the bmAttributes wakeup bit */
++ check_remote_wakeup_config(gadget, c);
++
+ cfg = container_of(c, struct config_usb_cfg, c);
+ if (!list_empty(&cfg->string_list)) {
+ i = 0;
+diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c
+index c40f2ecbe1b8c..0edd9e53fc5a1 100644
+--- a/drivers/usb/gadget/udc/core.c
++++ b/drivers/usb/gadget/udc/core.c
+@@ -525,6 +525,33 @@ int usb_gadget_wakeup(struct usb_gadget *gadget)
+ }
+ EXPORT_SYMBOL_GPL(usb_gadget_wakeup);
+
++/**
++ * usb_gadget_set_remote_wakeup - configures the device remote wakeup feature.
++ * @gadget:the device being configured for remote wakeup
++ * @set:value to be configured.
++ *
++ * set to one to enable remote wakeup feature and zero to disable it.
++ *
++ * returns zero on success, else negative errno.
++ */
++int usb_gadget_set_remote_wakeup(struct usb_gadget *gadget, int set)
++{
++ int ret = 0;
++
++ if (!gadget->ops->set_remote_wakeup) {
++ ret = -EOPNOTSUPP;
++ goto out;
++ }
++
++ ret = gadget->ops->set_remote_wakeup(gadget, set);
++
++out:
++ trace_usb_gadget_set_remote_wakeup(gadget, ret);
++
++ return ret;
++}
++EXPORT_SYMBOL_GPL(usb_gadget_set_remote_wakeup);
++
+ /**
+ * usb_gadget_set_selfpowered - sets the device selfpowered feature.
+ * @gadget:the device being declared as self-powered
+diff --git a/drivers/usb/gadget/udc/trace.h b/drivers/usb/gadget/udc/trace.h
+index abdbcb1bacb0b..a5ed26fbc2dad 100644
+--- a/drivers/usb/gadget/udc/trace.h
++++ b/drivers/usb/gadget/udc/trace.h
+@@ -91,6 +91,11 @@ DEFINE_EVENT(udc_log_gadget, usb_gadget_wakeup,
+ TP_ARGS(g, ret)
+ );
+
++DEFINE_EVENT(udc_log_gadget, usb_gadget_set_remote_wakeup,
++ TP_PROTO(struct usb_gadget *g, int ret),
++ TP_ARGS(g, ret)
++);
++
+ DEFINE_EVENT(udc_log_gadget, usb_gadget_set_selfpowered,
+ TP_PROTO(struct usb_gadget *g, int ret),
+ TP_ARGS(g, ret)
+diff --git a/include/linux/usb/composite.h b/include/linux/usb/composite.h
+index 43ac3fa760dbe..9783b9107d76b 100644
+--- a/include/linux/usb/composite.h
++++ b/include/linux/usb/composite.h
+@@ -412,6 +412,8 @@ extern int composite_dev_prepare(struct usb_composite_driver *composite,
+ extern int composite_os_desc_req_prepare(struct usb_composite_dev *cdev,
+ struct usb_ep *ep0);
+ void composite_dev_cleanup(struct usb_composite_dev *cdev);
++void check_remote_wakeup_config(struct usb_gadget *g,
++ struct usb_configuration *c);
+
+ static inline struct usb_composite_driver *to_cdriver(
+ struct usb_gadget_driver *gdrv)
+diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h
+index dc3092cea99e9..5bec668b41dcd 100644
+--- a/include/linux/usb/gadget.h
++++ b/include/linux/usb/gadget.h
+@@ -309,6 +309,7 @@ struct usb_udc;
+ struct usb_gadget_ops {
+ int (*get_frame)(struct usb_gadget *);
+ int (*wakeup)(struct usb_gadget
*);
++ int (*set_remote_wakeup)(struct usb_gadget *, int set);
+ int (*set_selfpowered) (struct usb_gadget *, int is_selfpowered);
+ int (*vbus_session) (struct usb_gadget *, int is_active);
+ int (*vbus_draw) (struct usb_gadget *, unsigned mA);
+@@ -383,6 +384,8 @@ struct usb_gadget_ops {
+ * @connected: True if gadget is connected.
+ * @lpm_capable: If the gadget max_speed is FULL or HIGH, this flag
+ * indicates that it supports LPM as per the LPM ECN & errata.
++ * @wakeup_capable: True if gadget is capable of sending remote wakeup.
++ * @wakeup_armed: True if gadget is armed by the host for remote wakeup.
+ * @irq: the interrupt number for device controller.
+ * @id_number: a unique ID number for ensuring that gadget names are distinct
+ *
+@@ -444,6 +447,8 @@ struct usb_gadget {
+ unsigned deactivated:1;
+ unsigned connected:1;
+ unsigned lpm_capable:1;
++ unsigned wakeup_capable:1;
++ unsigned wakeup_armed:1;
+ int irq;
+ int id_number;
+ };
+@@ -600,6 +605,7 @@ static inline int gadget_is_otg(struct usb_gadget *g)
+ #if IS_ENABLED(CONFIG_USB_GADGET)
+ int usb_gadget_frame_number(struct usb_gadget *gadget);
+ int usb_gadget_wakeup(struct usb_gadget *gadget);
++int usb_gadget_set_remote_wakeup(struct usb_gadget *gadget, int set);
+ int usb_gadget_set_selfpowered(struct usb_gadget *gadget);
+ int usb_gadget_clear_selfpowered(struct usb_gadget *gadget);
+ int usb_gadget_vbus_connect(struct usb_gadget *gadget);
+@@ -615,6 +621,8 @@ static inline int usb_gadget_frame_number(struct usb_gadget *gadget)
+ { return 0; }
+ static inline int usb_gadget_wakeup(struct usb_gadget *gadget)
+ { return 0; }
++static inline int usb_gadget_set_remote_wakeup(struct usb_gadget *gadget, int set)
++{ return 0; }
+ static inline int usb_gadget_set_selfpowered(struct usb_gadget *gadget)
+ { return 0; }
+ static inline int usb_gadget_clear_selfpowered(struct usb_gadget *gadget)
+--
+2.43.0
+
--
2.47.3
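Review bot: In `check_remote_wakeup_config()` (the composite.c part of the queued patch), `WARN(c->cdev, "Clearing wakeup bit ...")` passes the composite-device pointer as WARN's condition argument, so when it fires it emits a full stack trace and taints the kernel instead of logging a device-scoped warning. The trigger is a configuration with `USB_CONFIG_ATT_WAKEUP` set on a UDC that is not `wakeup_capable`, which appears reachable from ordinary gadget setup through `configfs_composite_bind()`, and on hosts that enable panic_on_warn that turns a misconfiguration into a reboot. If a plain log line was intended, `dev_warn(&g->dev, "Clearing wakeup bit for config c.%d\n", c->bConfigurationValue);` would express it; since this is a stable backport, the change would presumably need to land upstream first rather than diverge here. Separately, the bit is cleared only when `g->ops->set_remote_wakeup` is implemented, so a UDC without that op keeps advertising remote wakeup to the host; a one-line comment such as `/* UDCs without set_remote_wakeup keep the legacy descriptor unchanged */` would make clear whether that is deliberate.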