From: Sasha Levin Date: Fri, 8 Sep 2023 21:36:56 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v6.1.53~111 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=304469cba3b954784594857507dc9f20ab6b8e9a;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/acpi-x86-s2idle-fix-a-logic-error-parsing-amd-constr.patch b/queue-5.15/acpi-x86-s2idle-fix-a-logic-error-parsing-amd-constr.patch new file mode 100644 index 00000000000..f3eb4881453 --- /dev/null +++ b/queue-5.15/acpi-x86-s2idle-fix-a-logic-error-parsing-amd-constr.patch @@ -0,0 +1,84 @@ +From aa69b697a073d7645f20a98018c7f71d401f630a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Aug 2023 14:40:04 -0500 +Subject: ACPI: x86: s2idle: Fix a logic error parsing AMD constraints table + +From: Mario Limonciello + +[ Upstream commit 9cc8cd086f05d9a01026c65c98da88561e9c619e ] + +The constraints table should be resetting the `list` object +after running through all of `info_obj` iterations. + +This adjusts whitespace as well as less code will now be included +with each loop. This fixes a functional problem is fixed where a +badly formed package in the inner loop may have incorrect data. + +Fixes: 146f1ed852a8 ("ACPI: PM: s2idle: Add AMD support to handle _DSM") +Signed-off-by: Mario Limonciello +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/x86/s2idle.c | 31 ++++++++++++------------------- + 1 file changed, 12 insertions(+), 19 deletions(-) + +diff --git a/drivers/acpi/x86/s2idle.c b/drivers/acpi/x86/s2idle.c +index 7658953dfce8f..946e0160ad3bf 100644 +--- a/drivers/acpi/x86/s2idle.c ++++ b/drivers/acpi/x86/s2idle.c +@@ -127,12 +127,11 @@ static void lpi_device_get_constraints_amd(void) + struct lpi_constraints *list; + acpi_status status; + ++ list = &lpi_constraints_table[lpi_constraints_table_size]; ++ + for (k = 0; k < info_obj->package.count; k++) { + union acpi_object *obj = &info_obj->package.elements[k]; + +- list = &lpi_constraints_table[lpi_constraints_table_size]; +- list->min_dstate = -1; +- + switch (k) { + case 0: + dev_info.enabled = obj->integer.value; +@@ -147,27 +146,21 @@ static void lpi_device_get_constraints_amd(void) + dev_info.min_dstate = obj->integer.value; + break; + } ++ } + +- if (!dev_info.enabled || !dev_info.name || +- !dev_info.min_dstate) +- continue; ++ if (!dev_info.enabled || !dev_info.name || ++ !dev_info.min_dstate) ++ continue; + +- status = acpi_get_handle(NULL, dev_info.name, +- &list->handle); +- if (ACPI_FAILURE(status)) +- continue; ++ status = acpi_get_handle(NULL, dev_info.name, &list->handle); ++ if (ACPI_FAILURE(status)) ++ continue; + +- acpi_handle_debug(lps0_device_handle, +- "Name:%s\n", dev_info.name); ++ acpi_handle_debug(lps0_device_handle, ++ "Name:%s\n", dev_info.name); + +- list->min_dstate = dev_info.min_dstate; ++ list->min_dstate = dev_info.min_dstate; + +- if (list->min_dstate < 0) { +- acpi_handle_debug(lps0_device_handle, +- "Incomplete constraint defined\n"); +- continue; +- } +- } + lpi_constraints_table_size++; + } + } +-- +2.40.1 + diff --git a/queue-5.15/acpi-x86-s2idle-post-increment-variables-when-gettin.patch b/queue-5.15/acpi-x86-s2idle-post-increment-variables-when-gettin.patch new file mode 100644 index 00000000000..1575712ef3f --- /dev/null +++ b/queue-5.15/acpi-x86-s2idle-post-increment-variables-when-gettin.patch @@ -0,0 +1,65 @@ +From e2cf1b622d8255a78dbf38409bea01cd04f034c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Aug 2023 14:40:02 -0500 +Subject: ACPI: x86: s2idle: Post-increment variables when getting constraints + +From: Mario Limonciello + +[ Upstream commit 3c6b1212d20bbbffcad5709ab0f2d5ed9b5859a8 ] + +When code uses a pre-increment it makes the reader question "why". +In the constraint fetching code there is no reason for the variables +to be pre-incremented so adjust to post-increment. +No intended functional changes. + +Reviewed-by: Kuppuswamy Sathyanarayanan +Suggested-by: Bjorn Helgaas +Signed-off-by: Mario Limonciello +Signed-off-by: Rafael J. Wysocki +Stable-dep-of: 9cc8cd086f05 ("ACPI: x86: s2idle: Fix a logic error parsing AMD constraints table") +Signed-off-by: Sasha Levin +--- + drivers/acpi/x86/s2idle.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/acpi/x86/s2idle.c b/drivers/acpi/x86/s2idle.c +index 4a11a38764321..7658953dfce8f 100644 +--- a/drivers/acpi/x86/s2idle.c ++++ b/drivers/acpi/x86/s2idle.c +@@ -121,13 +121,13 @@ static void lpi_device_get_constraints_amd(void) + acpi_handle_debug(lps0_device_handle, + "LPI: constraints list begin:\n"); + +- for (j = 0; j < package->package.count; ++j) { ++ for (j = 0; j < package->package.count; j++) { + union acpi_object *info_obj = &package->package.elements[j]; + struct lpi_device_constraint_amd dev_info = {}; + struct lpi_constraints *list; + acpi_status status; + +- for (k = 0; k < info_obj->package.count; ++k) { ++ for (k = 0; k < info_obj->package.count; k++) { + union acpi_object *obj = &info_obj->package.elements[k]; + + list = &lpi_constraints_table[lpi_constraints_table_size]; +@@ -212,7 +212,7 @@ static void lpi_device_get_constraints(void) + if (!package) + continue; + +- for (j = 0; j < package->package.count; ++j) { ++ for (j = 0; j < package->package.count; j++) { + union acpi_object *element = + &(package->package.elements[j]); + +@@ -244,7 +244,7 @@ static void lpi_device_get_constraints(void) + + constraint->min_dstate = -1; + +- for (j = 0; j < package_count; ++j) { ++ for (j = 0; j < package_count; j++) { + union acpi_object *info_obj = &info.package[j]; + union acpi_object *cnstr_pkg; + union acpi_object *obj; +-- +2.40.1 + diff --git a/queue-5.15/alsa-ac97-fix-possible-error-value-of-rac97.patch b/queue-5.15/alsa-ac97-fix-possible-error-value-of-rac97.patch new file mode 100644 index 00000000000..0bb41d0e213 --- /dev/null +++ b/queue-5.15/alsa-ac97-fix-possible-error-value-of-rac97.patch @@ -0,0 +1,52 @@ +From dfa2b6b30b7716b498a949cca3128429202273bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Aug 2023 10:52:13 +0800 +Subject: ALSA: ac97: Fix possible error value of *rac97 + +From: Su Hui + +[ Upstream commit 67de40c9df94037769967ba28c7d951afb45b7fb ] + +Before committing 79597c8bf64c, *rac97 always be NULL if there is +an error. When error happens, make sure *rac97 is NULL is safer. + +For examble, in snd_vortex_mixer(): + err = snd_ac97_mixer(pbus, &ac97, &vortex->codec); + vortex->isquad = ((vortex->codec == NULL) ? + 0 : (vortex->codec->ext_id&0x80)); +If error happened but vortex->codec isn't NULL, this may cause some +problems. + +Move the judgement order to be clearer and better. + +Fixes: 79597c8bf64c ("ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer") +Suggested-by: Christophe JAILLET +Acked-by: Christophe JAILLET +Signed-off-by: Su Hui +Link: https://lore.kernel.org/r/20230823025212.1000961-1-suhui@nfschina.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/ac97/ac97_codec.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c +index 58ae0c3ce1e49..b81b3c1f76499 100644 +--- a/sound/pci/ac97/ac97_codec.c ++++ b/sound/pci/ac97/ac97_codec.c +@@ -2070,10 +2070,9 @@ int snd_ac97_mixer(struct snd_ac97_bus *bus, struct snd_ac97_template *template, + .dev_disconnect = snd_ac97_dev_disconnect, + }; + +- if (!rac97) +- return -EINVAL; +- if (snd_BUG_ON(!bus || !template)) ++ if (snd_BUG_ON(!bus || !template || !rac97)) + return -EINVAL; ++ *rac97 = NULL; + if (snd_BUG_ON(template->num >= 4)) + return -EINVAL; + if (bus->codec[template->num]) +-- +2.40.1 + diff --git a/queue-5.15/amba-bus-fix-refcount-leak.patch b/queue-5.15/amba-bus-fix-refcount-leak.patch new file mode 100644 index 00000000000..bc07495d25a --- /dev/null +++ b/queue-5.15/amba-bus-fix-refcount-leak.patch @@ -0,0 +1,39 @@ +From 6904893ce8cd54551be644099ce0ee163696224a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Aug 2023 10:39:27 +0800 +Subject: amba: bus: fix refcount leak + +From: Peng Fan + +[ Upstream commit e312cbdc11305568554a9e18a2ea5c2492c183f3 ] + +commit 5de1540b7bc4 ("drivers/amba: create devices from device tree") +increases the refcount of of_node, but not releases it in +amba_device_release, so there is refcount leak. By using of_node_put +to avoid refcount leak. + +Fixes: 5de1540b7bc4 ("drivers/amba: create devices from device tree") +Signed-off-by: Peng Fan +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230821023928.3324283-1-peng.fan@oss.nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/amba/bus.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c +index 6c0f7f4f7d1de..1af5ff9231eb0 100644 +--- a/drivers/amba/bus.c ++++ b/drivers/amba/bus.c +@@ -366,6 +366,7 @@ static void amba_device_release(struct device *dev) + { + struct amba_device *d = to_amba_device(dev); + ++ of_node_put(d->dev.of_node); + if (d->res.parent) + release_resource(&d->res); + kfree(d); +-- +2.40.1 + diff --git a/queue-5.15/arm-dts-bcm53573-add-cells-sizes-to-pcie-node.patch b/queue-5.15/arm-dts-bcm53573-add-cells-sizes-to-pcie-node.patch new file mode 100644 index 00000000000..9f6d7bba49f --- /dev/null +++ b/queue-5.15/arm-dts-bcm53573-add-cells-sizes-to-pcie-node.patch @@ -0,0 +1,47 @@ +From 66adf8124e8698c6602bcc195ccd1fe739498be4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 13:40:03 +0200 +Subject: ARM: dts: BCM53573: Add cells sizes to PCIe node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit 3392ef368d9b04622fe758b1079b512664b6110a ] + +This fixes: +arch/arm/boot/dts/broadcom/bcm47189-luxul-xap-1440.dtb: pcie@2000: '#address-cells' is a required property + From schema: /lib/python3.10/site-packages/dtschema/schemas/pci/pci-bus.yaml +arch/arm/boot/dts/broadcom/bcm47189-luxul-xap-1440.dtb: pcie@2000: '#size-cells' is a required property + From schema: /lib/python3.10/site-packages/dtschema/schemas/pci/pci-bus.yaml + +Two properties that need to be added later are "device_type" and +"ranges". Adding "device_type" on its own causes a new warning and the +value of "ranges" needs to be determined yet. + +Signed-off-by: Rafał Miłecki +Link: https://lore.kernel.org/r/20230707114004.2740-3-zajec5@gmail.com +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm53573.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/boot/dts/bcm53573.dtsi b/arch/arm/boot/dts/bcm53573.dtsi +index 51546fccc6168..933b6a380c367 100644 +--- a/arch/arm/boot/dts/bcm53573.dtsi ++++ b/arch/arm/boot/dts/bcm53573.dtsi +@@ -127,6 +127,9 @@ uart0: serial@300 { + + pcie0: pcie@2000 { + reg = <0x00002000 0x1000>; ++ ++ #address-cells = <3>; ++ #size-cells = <2>; + }; + + usb2: usb2@4000 { +-- +2.40.1 + diff --git a/queue-5.15/arm-dts-bcm53573-fix-ethernet-info-for-luxul-devices.patch b/queue-5.15/arm-dts-bcm53573-fix-ethernet-info-for-luxul-devices.patch new file mode 100644 index 00000000000..c22ccc9dd00 --- /dev/null +++ b/queue-5.15/arm-dts-bcm53573-fix-ethernet-info-for-luxul-devices.patch @@ -0,0 +1,87 @@ +From 0535b8dcd97d800f5068ed4456ae7b4238290c1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 13:11:45 +0200 +Subject: ARM: dts: BCM53573: Fix Ethernet info for Luxul devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit 44ad8207806973f4e4f7d870fff36cc01f494250 ] + +Both Luxul's XAP devices (XAP-810 and XAP-1440) are access points that +use a non-default design. They don't include switch but have a single +Ethernet port and BCM54210E PHY connected to the Ethernet controller's +MDIO bus. + +Support for those devices regressed due to two changes: + +1. Describing MDIO bus with switch +After commit 9fb90ae6cae7 ("ARM: dts: BCM53573: Describe on-SoC BCM53125 +rev 4 switch") Linux stopped probing for MDIO devices. + +2. Dropping hardcoded BCM54210E delays +In commit fea7fda7f50a ("net: phy: broadcom: Fix RGMII delays +configuration for BCM54210E") support for other PHY modes was added but +that requires a proper "phy-mode" value in DT. + +Both above changes are correct (they don't need to be reverted or +anything) but they need this fix for DT data to be correct and for Linux +to work properly. + +Fixes: 9fb90ae6cae7 ("ARM: dts: BCM53573: Describe on-SoC BCM53125 rev 4 switch") +Signed-off-by: Rafał Miłecki +Link: https://lore.kernel.org/r/20230713111145.14864-1-zajec5@gmail.com +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm47189-luxul-xap-1440.dts | 13 +++++++++++++ + arch/arm/boot/dts/bcm47189-luxul-xap-810.dts | 13 +++++++++++++ + 2 files changed, 26 insertions(+) + +diff --git a/arch/arm/boot/dts/bcm47189-luxul-xap-1440.dts b/arch/arm/boot/dts/bcm47189-luxul-xap-1440.dts +index 57ca1cfaecd8e..00e688b45d981 100644 +--- a/arch/arm/boot/dts/bcm47189-luxul-xap-1440.dts ++++ b/arch/arm/boot/dts/bcm47189-luxul-xap-1440.dts +@@ -46,3 +46,16 @@ restart { + }; + }; + }; ++ ++&gmac0 { ++ phy-mode = "rgmii"; ++ phy-handle = <&bcm54210e>; ++ ++ mdio { ++ /delete-node/ switch@1e; ++ ++ bcm54210e: ethernet-phy@0 { ++ reg = <0>; ++ }; ++ }; ++}; +diff --git a/arch/arm/boot/dts/bcm47189-luxul-xap-810.dts b/arch/arm/boot/dts/bcm47189-luxul-xap-810.dts +index 2e1a7e382cb7a..78c80a5d3f4fa 100644 +--- a/arch/arm/boot/dts/bcm47189-luxul-xap-810.dts ++++ b/arch/arm/boot/dts/bcm47189-luxul-xap-810.dts +@@ -83,3 +83,16 @@ pcie0_chipcommon: chipcommon@0 { + }; + }; + }; ++ ++&gmac0 { ++ phy-mode = "rgmii"; ++ phy-handle = <&bcm54210e>; ++ ++ mdio { ++ /delete-node/ switch@1e; ++ ++ bcm54210e: ethernet-phy@0 { ++ reg = <0>; ++ }; ++ }; ++}; +-- +2.40.1 + diff --git a/queue-5.15/arm-dts-bcm53573-use-updated-spi-gpio-binding-proper.patch b/queue-5.15/arm-dts-bcm53573-use-updated-spi-gpio-binding-proper.patch new file mode 100644 index 00000000000..c1563a7834f --- /dev/null +++ b/queue-5.15/arm-dts-bcm53573-use-updated-spi-gpio-binding-proper.patch @@ -0,0 +1,54 @@ +From f25f01d67e7e181c27ebcee15e9cebe3543cf491 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 13:40:04 +0200 +Subject: ARM: dts: BCM53573: Use updated "spi-gpio" binding properties +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit 2c0fd6b3d0778ceab40205315ccef74568490f17 ] + +Switch away from deprecated properties. + +This fixes: +arch/arm/boot/dts/broadcom/bcm947189acdbmr.dtb: spi: gpio-sck: False schema does not allow [[3, 21, 0]] + From schema: Documentation/devicetree/bindings/spi/spi-gpio.yaml +arch/arm/boot/dts/broadcom/bcm947189acdbmr.dtb: spi: gpio-miso: False schema does not allow [[3, 22, 0]] + From schema: Documentation/devicetree/bindings/spi/spi-gpio.yaml +arch/arm/boot/dts/broadcom/bcm947189acdbmr.dtb: spi: gpio-mosi: False schema does not allow [[3, 23, 0]] + From schema: Documentation/devicetree/bindings/spi/spi-gpio.yaml +arch/arm/boot/dts/broadcom/bcm947189acdbmr.dtb: spi: 'sck-gpios' is a required property + From schema: Documentation/devicetree/bindings/spi/spi-gpio.yaml +arch/arm/boot/dts/broadcom/bcm947189acdbmr.dtb: spi: Unevaluated properties are not allowed ('gpio-miso', 'gpio-mosi', 'gpio-sck' were unexpected) + From schema: Documentation/devicetree/bindings/spi/spi-gpio.yaml + +Signed-off-by: Rafał Miłecki +Link: https://lore.kernel.org/r/20230707114004.2740-4-zajec5@gmail.com +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm947189acdbmr.dts | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/bcm947189acdbmr.dts b/arch/arm/boot/dts/bcm947189acdbmr.dts +index b0b8c774a37f9..1f0be30e54435 100644 +--- a/arch/arm/boot/dts/bcm947189acdbmr.dts ++++ b/arch/arm/boot/dts/bcm947189acdbmr.dts +@@ -60,9 +60,9 @@ wps { + spi { + compatible = "spi-gpio"; + num-chipselects = <1>; +- gpio-sck = <&chipcommon 21 0>; +- gpio-miso = <&chipcommon 22 0>; +- gpio-mosi = <&chipcommon 23 0>; ++ sck-gpios = <&chipcommon 21 0>; ++ miso-gpios = <&chipcommon 22 0>; ++ mosi-gpios = <&chipcommon 23 0>; + cs-gpios = <&chipcommon 24 0>; + #address-cells = <1>; + #size-cells = <0>; +-- +2.40.1 + diff --git a/queue-5.15/arm-dts-s3c64xx-align-pinctrl-with-dtschema.patch b/queue-5.15/arm-dts-s3c64xx-align-pinctrl-with-dtschema.patch new file mode 100644 index 00000000000..32a96dd93f6 --- /dev/null +++ b/queue-5.15/arm-dts-s3c64xx-align-pinctrl-with-dtschema.patch @@ -0,0 +1,808 @@ +From 37113da994312076bbb9a4979c117e6d829806f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jan 2022 21:17:16 +0100 +Subject: ARM: dts: s3c64xx: align pinctrl with dtschema + +From: Krzysztof Kozlowski + +[ Upstream commit 9e47ccc01284aba7fe5fbf6ee2a7abc29bf2a740 ] + +Align the pin controller related nodes with dtschema. No functional +change expected. + +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220111201722.327219-16-krzysztof.kozlowski@canonical.com +Stable-dep-of: cf0cb2af6a18 ("ARM: dts: samsung: s3c6410-mini6410: correct ethernet reg addresses (split)") +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s3c6410-mini6410.dts | 4 +- + arch/arm/boot/dts/s3c64xx-pinctrl.dtsi | 210 ++++++++++++------------- + 2 files changed, 107 insertions(+), 107 deletions(-) + +diff --git a/arch/arm/boot/dts/s3c6410-mini6410.dts b/arch/arm/boot/dts/s3c6410-mini6410.dts +index 285555b9ed943..17097da36f5ed 100644 +--- a/arch/arm/boot/dts/s3c6410-mini6410.dts ++++ b/arch/arm/boot/dts/s3c6410-mini6410.dts +@@ -193,12 +193,12 @@ &uart3 { + }; + + &pinctrl0 { +- gpio_leds: gpio-leds { ++ gpio_leds: gpio-leds-pins { + samsung,pins = "gpk-4", "gpk-5", "gpk-6", "gpk-7"; + samsung,pin-pud = ; + }; + +- gpio_keys: gpio-keys { ++ gpio_keys: gpio-keys-pins { + samsung,pins = "gpn-0", "gpn-1", "gpn-2", "gpn-3", + "gpn-4", "gpn-5", "gpl-11", "gpl-12"; + samsung,pin-pud = ; +diff --git a/arch/arm/boot/dts/s3c64xx-pinctrl.dtsi b/arch/arm/boot/dts/s3c64xx-pinctrl.dtsi +index 8e9594d64b579..0a3186d57cb56 100644 +--- a/arch/arm/boot/dts/s3c64xx-pinctrl.dtsi ++++ b/arch/arm/boot/dts/s3c64xx-pinctrl.dtsi +@@ -16,111 +16,111 @@ &pinctrl0 { + * Pin banks + */ + +- gpa: gpa { ++ gpa: gpa-gpio-bank { + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; + #interrupt-cells = <2>; + }; + +- gpb: gpb { ++ gpb: gpb-gpio-bank { + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; + #interrupt-cells = <2>; + }; + +- gpc: gpc { ++ gpc: gpc-gpio-bank { + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; + #interrupt-cells = <2>; + }; + +- gpd: gpd { ++ gpd: gpd-gpio-bank { + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; + #interrupt-cells = <2>; + }; + +- gpe: gpe { ++ gpe: gpe-gpio-bank { + gpio-controller; + #gpio-cells = <2>; + }; + +- gpf: gpf { ++ gpf: gpf-gpio-bank { + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; + #interrupt-cells = <2>; + }; + +- gpg: gpg { ++ gpg: gpg-gpio-bank { + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; + #interrupt-cells = <2>; + }; + +- gph: gph { ++ gph: gph-gpio-bank { + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; + #interrupt-cells = <2>; + }; + +- gpi: gpi { ++ gpi: gpi-gpio-bank { + gpio-controller; + #gpio-cells = <2>; + }; + +- gpj: gpj { ++ gpj: gpj-gpio-bank { + gpio-controller; + #gpio-cells = <2>; + }; + +- gpk: gpk { ++ gpk: gpk-gpio-bank { + gpio-controller; + #gpio-cells = <2>; + }; + +- gpl: gpl { ++ gpl: gpl-gpio-bank { + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; + #interrupt-cells = <2>; + }; + +- gpm: gpm { ++ gpm: gpm-gpio-bank { + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; + #interrupt-cells = <2>; + }; + +- gpn: gpn { ++ gpn: gpn-gpio-bank { + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; + #interrupt-cells = <2>; + }; + +- gpo: gpo { ++ gpo: gpo-gpio-bank { + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; + #interrupt-cells = <2>; + }; + +- gpp: gpp { ++ gpp: gpp-gpio-bank { + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; + #interrupt-cells = <2>; + }; + +- gpq: gpq { ++ gpq: gpq-gpio-bank { + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; +@@ -131,225 +131,225 @@ gpq: gpq { + * Pin groups + */ + +- uart0_data: uart0-data { ++ uart0_data: uart0-data-pins { + samsung,pins = "gpa-0", "gpa-1"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- uart0_fctl: uart0-fctl { ++ uart0_fctl: uart0-fctl-pins { + samsung,pins = "gpa-2", "gpa-3"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- uart1_data: uart1-data { ++ uart1_data: uart1-data-pins { + samsung,pins = "gpa-4", "gpa-5"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- uart1_fctl: uart1-fctl { ++ uart1_fctl: uart1-fctl-pins { + samsung,pins = "gpa-6", "gpa-7"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- uart2_data: uart2-data { ++ uart2_data: uart2-data-pins { + samsung,pins = "gpb-0", "gpb-1"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- uart3_data: uart3-data { ++ uart3_data: uart3-data-pins { + samsung,pins = "gpb-2", "gpb-3"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- ext_dma_0: ext-dma-0 { ++ ext_dma_0: ext-dma-0-pins { + samsung,pins = "gpb-0", "gpb-1"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- ext_dma_1: ext-dma-1 { ++ ext_dma_1: ext-dma-1-pins { + samsung,pins = "gpb-2", "gpb-3"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- irda_data_0: irda-data-0 { ++ irda_data_0: irda-data-0-pins { + samsung,pins = "gpb-0", "gpb-1"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- irda_data_1: irda-data-1 { ++ irda_data_1: irda-data-1-pins { + samsung,pins = "gpb-2", "gpb-3"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- irda_sdbw: irda-sdbw { ++ irda_sdbw: irda-sdbw-pins { + samsung,pins = "gpb-4"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- i2c0_bus: i2c0-bus { ++ i2c0_bus: i2c0-bus-pins { + samsung,pins = "gpb-5", "gpb-6"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- i2c1_bus: i2c1-bus { ++ i2c1_bus: i2c1-bus-pins { + /* S3C6410-only */ + samsung,pins = "gpb-2", "gpb-3"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- spi0_bus: spi0-bus { ++ spi0_bus: spi0-bus-pins { + samsung,pins = "gpc-0", "gpc-1", "gpc-2"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- spi0_cs: spi0-cs { ++ spi0_cs: spi0-cs-pins { + samsung,pins = "gpc-3"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- spi1_bus: spi1-bus { ++ spi1_bus: spi1-bus-pins { + samsung,pins = "gpc-4", "gpc-5", "gpc-6"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- spi1_cs: spi1-cs { ++ spi1_cs: spi1-cs-pins { + samsung,pins = "gpc-7"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- sd0_cmd: sd0-cmd { ++ sd0_cmd: sd0-cmd-pins { + samsung,pins = "gpg-1"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- sd0_clk: sd0-clk { ++ sd0_clk: sd0-clk-pins { + samsung,pins = "gpg-0"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- sd0_bus1: sd0-bus1 { ++ sd0_bus1: sd0-bus1-pins { + samsung,pins = "gpg-2"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- sd0_bus4: sd0-bus4 { ++ sd0_bus4: sd0-bus4-pins { + samsung,pins = "gpg-2", "gpg-3", "gpg-4", "gpg-5"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- sd0_cd: sd0-cd { ++ sd0_cd: sd0-cd-pins { + samsung,pins = "gpg-6"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- sd1_cmd: sd1-cmd { ++ sd1_cmd: sd1-cmd-pins { + samsung,pins = "gph-1"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- sd1_clk: sd1-clk { ++ sd1_clk: sd1-clk-pins { + samsung,pins = "gph-0"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- sd1_bus1: sd1-bus1 { ++ sd1_bus1: sd1-bus1-pins { + samsung,pins = "gph-2"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- sd1_bus4: sd1-bus4 { ++ sd1_bus4: sd1-bus4-pins { + samsung,pins = "gph-2", "gph-3", "gph-4", "gph-5"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- sd1_bus8: sd1-bus8 { ++ sd1_bus8: sd1-bus8-pins { + samsung,pins = "gph-2", "gph-3", "gph-4", "gph-5", + "gph-6", "gph-7", "gph-8", "gph-9"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- sd1_cd: sd1-cd { ++ sd1_cd: sd1-cd-pins { + samsung,pins = "gpg-6"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- sd2_cmd: sd2-cmd { ++ sd2_cmd: sd2-cmd-pins { + samsung,pins = "gpc-4"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- sd2_clk: sd2-clk { ++ sd2_clk: sd2-clk-pins { + samsung,pins = "gpc-5"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- sd2_bus1: sd2-bus1 { ++ sd2_bus1: sd2-bus1-pins { + samsung,pins = "gph-6"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- sd2_bus4: sd2-bus4 { ++ sd2_bus4: sd2-bus4-pins { + samsung,pins = "gph-6", "gph-7", "gph-8", "gph-9"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- i2s0_bus: i2s0-bus { ++ i2s0_bus: i2s0-bus-pins { + samsung,pins = "gpd-0", "gpd-2", "gpd-3", "gpd-4"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- i2s0_cdclk: i2s0-cdclk { ++ i2s0_cdclk: i2s0-cdclk-pins { + samsung,pins = "gpd-1"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- i2s1_bus: i2s1-bus { ++ i2s1_bus: i2s1-bus-pins { + samsung,pins = "gpe-0", "gpe-2", "gpe-3", "gpe-4"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- i2s1_cdclk: i2s1-cdclk { ++ i2s1_cdclk: i2s1-cdclk-pins { + samsung,pins = "gpe-1"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- i2s2_bus: i2s2-bus { ++ i2s2_bus: i2s2-bus-pins { + /* S3C6410-only */ + samsung,pins = "gpc-4", "gpc-5", "gpc-6", "gph-6", + "gph-8", "gph-9"; +@@ -357,50 +357,50 @@ i2s2_bus: i2s2-bus { + samsung,pin-pud = ; + }; + +- i2s2_cdclk: i2s2-cdclk { ++ i2s2_cdclk: i2s2-cdclk-pins { + /* S3C6410-only */ + samsung,pins = "gph-7"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- pcm0_bus: pcm0-bus { ++ pcm0_bus: pcm0-bus-pins { + samsung,pins = "gpd-0", "gpd-2", "gpd-3", "gpd-4"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- pcm0_extclk: pcm0-extclk { ++ pcm0_extclk: pcm0-extclk-pins { + samsung,pins = "gpd-1"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- pcm1_bus: pcm1-bus { ++ pcm1_bus: pcm1-bus-pins { + samsung,pins = "gpe-0", "gpe-2", "gpe-3", "gpe-4"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- pcm1_extclk: pcm1-extclk { ++ pcm1_extclk: pcm1-extclk-pins { + samsung,pins = "gpe-1"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- ac97_bus_0: ac97-bus-0 { ++ ac97_bus_0: ac97-bus-0-pins { + samsung,pins = "gpd-0", "gpd-1", "gpd-2", "gpd-3", "gpd-4"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- ac97_bus_1: ac97-bus-1 { ++ ac97_bus_1: ac97-bus-1-pins { + samsung,pins = "gpe-0", "gpe-1", "gpe-2", "gpe-3", "gpe-4"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- cam_port: cam-port { ++ cam_port: cam-port-pins { + samsung,pins = "gpf-0", "gpf-1", "gpf-2", "gpf-4", + "gpf-5", "gpf-6", "gpf-7", "gpf-8", + "gpf-9", "gpf-10", "gpf-11", "gpf-12"; +@@ -408,242 +408,242 @@ cam_port: cam-port { + samsung,pin-pud = ; + }; + +- cam_rst: cam-rst { ++ cam_rst: cam-rst-pins { + samsung,pins = "gpf-3"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- cam_field: cam-field { ++ cam_field: cam-field-pins { + /* S3C6410-only */ + samsung,pins = "gpb-4"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- pwm_extclk: pwm-extclk { ++ pwm_extclk: pwm-extclk-pins { + samsung,pins = "gpf-13"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- pwm0_out: pwm0-out { ++ pwm0_out: pwm0-out-pins { + samsung,pins = "gpf-14"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- pwm1_out: pwm1-out { ++ pwm1_out: pwm1-out-pins { + samsung,pins = "gpf-15"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- clkout0: clkout-0 { ++ clkout0: clkout-0-pins { + samsung,pins = "gpf-14"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_col0_0: keypad-col0-0 { ++ keypad_col0_0: keypad-col0-0-pins { + samsung,pins = "gph-0"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_col1_0: keypad-col1-0 { ++ keypad_col1_0: keypad-col1-0-pins { + samsung,pins = "gph-1"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_col2_0: keypad-col2-0 { ++ keypad_col2_0: keypad-col2-0-pins { + samsung,pins = "gph-2"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_col3_0: keypad-col3-0 { ++ keypad_col3_0: keypad-col3-0-pins { + samsung,pins = "gph-3"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_col4_0: keypad-col4-0 { ++ keypad_col4_0: keypad-col4-0-pins { + samsung,pins = "gph-4"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_col5_0: keypad-col5-0 { ++ keypad_col5_0: keypad-col5-0-pins { + samsung,pins = "gph-5"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_col6_0: keypad-col6-0 { ++ keypad_col6_0: keypad-col6-0-pins { + samsung,pins = "gph-6"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_col7_0: keypad-col7-0 { ++ keypad_col7_0: keypad-col7-0-pins { + samsung,pins = "gph-7"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_col0_1: keypad-col0-1 { ++ keypad_col0_1: keypad-col0-1-pins { + samsung,pins = "gpl-0"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_col1_1: keypad-col1-1 { ++ keypad_col1_1: keypad-col1-1-pins { + samsung,pins = "gpl-1"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_col2_1: keypad-col2-1 { ++ keypad_col2_1: keypad-col2-1-pins { + samsung,pins = "gpl-2"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_col3_1: keypad-col3-1 { ++ keypad_col3_1: keypad-col3-1-pins { + samsung,pins = "gpl-3"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_col4_1: keypad-col4-1 { ++ keypad_col4_1: keypad-col4-1-pins { + samsung,pins = "gpl-4"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_col5_1: keypad-col5-1 { ++ keypad_col5_1: keypad-col5-1-pins { + samsung,pins = "gpl-5"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_col6_1: keypad-col6-1 { ++ keypad_col6_1: keypad-col6-1-pins { + samsung,pins = "gpl-6"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_col7_1: keypad-col7-1 { ++ keypad_col7_1: keypad-col7-1-pins { + samsung,pins = "gpl-7"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_row0_0: keypad-row0-0 { ++ keypad_row0_0: keypad-row0-0-pins { + samsung,pins = "gpk-8"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_row1_0: keypad-row1-0 { ++ keypad_row1_0: keypad-row1-0-pins { + samsung,pins = "gpk-9"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_row2_0: keypad-row2-0 { ++ keypad_row2_0: keypad-row2-0-pins { + samsung,pins = "gpk-10"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_row3_0: keypad-row3-0 { ++ keypad_row3_0: keypad-row3-0-pins { + samsung,pins = "gpk-11"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_row4_0: keypad-row4-0 { ++ keypad_row4_0: keypad-row4-0-pins { + samsung,pins = "gpk-12"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_row5_0: keypad-row5-0 { ++ keypad_row5_0: keypad-row5-0-pins { + samsung,pins = "gpk-13"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_row6_0: keypad-row6-0 { ++ keypad_row6_0: keypad-row6-0-pins { + samsung,pins = "gpk-14"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_row7_0: keypad-row7-0 { ++ keypad_row7_0: keypad-row7-0-pins { + samsung,pins = "gpk-15"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_row0_1: keypad-row0-1 { ++ keypad_row0_1: keypad-row0-1-pins { + samsung,pins = "gpn-0"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_row1_1: keypad-row1-1 { ++ keypad_row1_1: keypad-row1-1-pins { + samsung,pins = "gpn-1"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_row2_1: keypad-row2-1 { ++ keypad_row2_1: keypad-row2-1-pins { + samsung,pins = "gpn-2"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_row3_1: keypad-row3-1 { ++ keypad_row3_1: keypad-row3-1-pins { + samsung,pins = "gpn-3"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_row4_1: keypad-row4-1 { ++ keypad_row4_1: keypad-row4-1-pins { + samsung,pins = "gpn-4"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_row5_1: keypad-row5-1 { ++ keypad_row5_1: keypad-row5-1-pins { + samsung,pins = "gpn-5"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_row6_1: keypad-row6-1 { ++ keypad_row6_1: keypad-row6-1-pins { + samsung,pins = "gpn-6"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- keypad_row7_1: keypad-row7-1 { ++ keypad_row7_1: keypad-row7-1-pins { + samsung,pins = "gpn-7"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- lcd_ctrl: lcd-ctrl { ++ lcd_ctrl: lcd-ctrl-pins { + samsung,pins = "gpj-8", "gpj-9", "gpj-10", "gpj-11"; + samsung,pin-function = ; + samsung,pin-pud = ; + }; + +- lcd_data16: lcd-data-width16 { ++ lcd_data16: lcd-data-width16-pins { + samsung,pins = "gpi-3", "gpi-4", "gpi-5", "gpi-6", + "gpi-7", "gpi-10", "gpi-11", "gpi-12", + "gpi-13", "gpi-14", "gpi-15", "gpj-3", +@@ -652,7 +652,7 @@ lcd_data16: lcd-data-width16 { + samsung,pin-pud = ; + }; + +- lcd_data18: lcd-data-width18 { ++ lcd_data18: lcd-data-width18-pins { + samsung,pins = "gpi-2", "gpi-3", "gpi-4", "gpi-5", + "gpi-6", "gpi-7", "gpi-10", "gpi-11", + "gpi-12", "gpi-13", "gpi-14", "gpi-15", +@@ -662,7 +662,7 @@ lcd_data18: lcd-data-width18 { + samsung,pin-pud = ; + }; + +- lcd_data24: lcd-data-width24 { ++ lcd_data24: lcd-data-width24-pins { + samsung,pins = "gpi-0", "gpi-1", "gpi-2", "gpi-3", + "gpi-4", "gpi-5", "gpi-6", "gpi-7", + "gpi-8", "gpi-9", "gpi-10", "gpi-11", +@@ -673,7 +673,7 @@ lcd_data24: lcd-data-width24 { + samsung,pin-pud = ; + }; + +- hsi_bus: hsi-bus { ++ hsi_bus: hsi-bus-pins { + samsung,pins = "gpk-0", "gpk-1", "gpk-2", "gpk-3", + "gpk-4", "gpk-5", "gpk-6", "gpk-7"; + samsung,pin-function = ; +-- +2.40.1 + diff --git a/queue-5.15/arm-dts-s5pv210-add-dummy-5v-regulator-for-backlight.patch b/queue-5.15/arm-dts-s5pv210-add-dummy-5v-regulator-for-backlight.patch new file mode 100644 index 00000000000..c50305a2dea --- /dev/null +++ b/queue-5.15/arm-dts-s5pv210-add-dummy-5v-regulator-for-backlight.patch @@ -0,0 +1,44 @@ +From 53e24bcc1e990b93f84c63133da5b242b087647d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Apr 2023 11:57:21 +0200 +Subject: ARM: dts: s5pv210: add dummy 5V regulator for backlight on SMDKv210 + +From: Krzysztof Kozlowski + +[ Upstream commit b77904ba177a9c67b6dbc3637fdf1faa22df6e5c ] + +Backlight is supplied by DC5V regulator. The DTS has no PMIC node, so +just add a regulator-fixed to solve it and fix dtbs_check warning: + + s5pv210-smdkv210.dtb: backlight: 'power-supply' is a required property + +Link: https://lore.kernel.org/r/20230421095721.31857-4-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Stable-dep-of: 982655cb0e7f ("ARM: dts: samsung: s5pv210-smdkv210: correct ethernet reg addresses (split)") +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s5pv210-smdkv210.dts | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/arm/boot/dts/s5pv210-smdkv210.dts b/arch/arm/boot/dts/s5pv210-smdkv210.dts +index fbae768d65e27..6e26c67e0a26e 100644 +--- a/arch/arm/boot/dts/s5pv210-smdkv210.dts ++++ b/arch/arm/boot/dts/s5pv210-smdkv210.dts +@@ -55,6 +55,14 @@ backlight { + default-brightness-level = <6>; + pinctrl-names = "default"; + pinctrl-0 = <&pwm3_out>; ++ power-supply = <&dc5v_reg>; ++ }; ++ ++ dc5v_reg: regulator-0 { ++ compatible = "regulator-fixed"; ++ regulator-name = "DC5V"; ++ regulator-min-microvolt = <5000000>; ++ regulator-max-microvolt = <5000000>; + }; + }; + +-- +2.40.1 + diff --git a/queue-5.15/arm-dts-samsung-s3c6410-mini6410-correct-ethernet-re.patch b/queue-5.15/arm-dts-samsung-s3c6410-mini6410-correct-ethernet-re.patch new file mode 100644 index 00000000000..900897d7f2f --- /dev/null +++ b/queue-5.15/arm-dts-samsung-s3c6410-mini6410-correct-ethernet-re.patch @@ -0,0 +1,37 @@ +From 5653fac803982332db2ac8be84f820e92a72c12c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 17:29:25 +0200 +Subject: ARM: dts: samsung: s3c6410-mini6410: correct ethernet reg addresses + (split) + +From: Krzysztof Kozlowski + +[ Upstream commit cf0cb2af6a18f28b84f9f1416bff50ca60d6e98a ] + +The davicom,dm9000 Ethernet Controller accepts two reg addresses. + +Fixes: a43736deb47d ("ARM: dts: Add dts file for S3C6410-based Mini6410 board") +Reviewed-by: Alim Akhtar +Link: https://lore.kernel.org/r/20230713152926.82884-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s3c6410-mini6410.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/s3c6410-mini6410.dts b/arch/arm/boot/dts/s3c6410-mini6410.dts +index 17097da36f5ed..0b07b3c319604 100644 +--- a/arch/arm/boot/dts/s3c6410-mini6410.dts ++++ b/arch/arm/boot/dts/s3c6410-mini6410.dts +@@ -51,7 +51,7 @@ srom-cs1-bus@18000000 { + + ethernet@18000000 { + compatible = "davicom,dm9000"; +- reg = <0x18000000 0x2 0x18000004 0x2>; ++ reg = <0x18000000 0x2>, <0x18000004 0x2>; + interrupt-parent = <&gpn>; + interrupts = <7 IRQ_TYPE_LEVEL_HIGH>; + davicom,no-eeprom; +-- +2.40.1 + diff --git a/queue-5.15/arm-dts-samsung-s5pv210-smdkv210-correct-ethernet-re.patch b/queue-5.15/arm-dts-samsung-s5pv210-smdkv210-correct-ethernet-re.patch new file mode 100644 index 00000000000..97f5d2872b2 --- /dev/null +++ b/queue-5.15/arm-dts-samsung-s5pv210-smdkv210-correct-ethernet-re.patch @@ -0,0 +1,37 @@ +From 489fdd4afdd68ad8b2e6e53cb3fb7d1660747bd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 17:29:26 +0200 +Subject: ARM: dts: samsung: s5pv210-smdkv210: correct ethernet reg addresses + (split) + +From: Krzysztof Kozlowski + +[ Upstream commit 982655cb0e7f18934d7532c32366e574ad61dbd7 ] + +The davicom,dm9000 Ethernet Controller accepts two reg addresses. + +Fixes: b672b27d232e ("ARM: dts: Add Device tree for s5pc110/s5pv210 boards") +Reviewed-by: Alim Akhtar +Link: https://lore.kernel.org/r/20230713152926.82884-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s5pv210-smdkv210.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/s5pv210-smdkv210.dts b/arch/arm/boot/dts/s5pv210-smdkv210.dts +index 6e26c67e0a26e..901e7197b1368 100644 +--- a/arch/arm/boot/dts/s5pv210-smdkv210.dts ++++ b/arch/arm/boot/dts/s5pv210-smdkv210.dts +@@ -41,7 +41,7 @@ pmic_ap_clk: clock-0 { + + ethernet@a8000000 { + compatible = "davicom,dm9000"; +- reg = <0xA8000000 0x2 0xA8000002 0x2>; ++ reg = <0xa8000000 0x2>, <0xa8000002 0x2>; + interrupt-parent = <&gph1>; + interrupts = <1 IRQ_TYPE_LEVEL_HIGH>; + local-mac-address = [00 00 de ad be ef]; +-- +2.40.1 + diff --git a/queue-5.15/arm-ptrace-restore-syscall-restart-tracing.patch b/queue-5.15/arm-ptrace-restore-syscall-restart-tracing.patch new file mode 100644 index 00000000000..0cbc54c03ff --- /dev/null +++ b/queue-5.15/arm-ptrace-restore-syscall-restart-tracing.patch @@ -0,0 +1,45 @@ +From 35a98f2a07c6e3f7606f44aa3236aa513b500918 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 12:54:18 -0700 +Subject: ARM: ptrace: Restore syscall restart tracing + +From: Kees Cook + +[ Upstream commit cf007647475b5090819c5fe8da771073145c7334 ] + +Since commit 4e57a4ddf6b0 ("ARM: 9107/1: syscall: always store +thread_info->abi_syscall"), the seccomp selftests "syscall_restart" has +been broken. This was caused by the restart syscall not being stored to +"abi_syscall" during restart setup before branching to the "local_restart" +label. Tracers would see the wrong syscall, and scno would get overwritten +while returning from the TIF_WORK path. Add the missing store. + +Cc: Russell King +Cc: Arnd Bergmann +Cc: Lecopzer Chen +Cc: Oleg Nesterov +Cc: linux-arm-kernel@lists.infradead.org +Fixes: 4e57a4ddf6b0 ("ARM: 9107/1: syscall: always store thread_info->abi_syscall") +Reviewed-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20230810195422.2304827-1-keescook@chromium.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/entry-common.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S +index fde7ac271b147..e7bfdd10bbcd3 100644 +--- a/arch/arm/kernel/entry-common.S ++++ b/arch/arm/kernel/entry-common.S +@@ -101,6 +101,7 @@ slow_work_pending: + cmp r0, #0 + beq no_work_pending + movlt scno, #(__NR_restart_syscall - __NR_SYSCALL_BASE) ++ str scno, [tsk, #TI_ABI_SYSCALL] @ make sure tracers see update + ldmia sp, {r0 - r6} @ have to reload r0 - r6 + b local_restart @ ... and off we go + ENDPROC(ret_fast_syscall) +-- +2.40.1 + diff --git a/queue-5.15/arm-ptrace-restore-syscall-skipping-for-tracers.patch b/queue-5.15/arm-ptrace-restore-syscall-skipping-for-tracers.patch new file mode 100644 index 00000000000..b39de293430 --- /dev/null +++ b/queue-5.15/arm-ptrace-restore-syscall-skipping-for-tracers.patch @@ -0,0 +1,68 @@ +From 59ea93232610a49398471ad6af1590169f2e02b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 12:54:19 -0700 +Subject: ARM: ptrace: Restore syscall skipping for tracers + +From: Kees Cook + +[ Upstream commit 4697b5848bd933f68ebd04836362c8de0cacaf71 ] + +Since commit 4e57a4ddf6b0 ("ARM: 9107/1: syscall: always store +thread_info->abi_syscall"), the seccomp selftests "syscall_errno" +and "syscall_faked" have been broken. Both seccomp and PTRACE depend +on using the special value of "-1" for skipping syscalls. This value +wasn't working because it was getting masked by __NR_SYSCALL_MASK in +both PTRACE_SET_SYSCALL and get_syscall_nr(). + +Explicitly test for -1 in PTRACE_SET_SYSCALL and get_syscall_nr(), +leaving it exposed when present, allowing tracers to skip syscalls +again. + +Cc: Russell King +Cc: Arnd Bergmann +Cc: Lecopzer Chen +Cc: Oleg Nesterov +Cc: linux-arm-kernel@lists.infradead.org +Fixes: 4e57a4ddf6b0 ("ARM: 9107/1: syscall: always store thread_info->abi_syscall") +Reviewed-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20230810195422.2304827-2-keescook@chromium.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/syscall.h | 3 +++ + arch/arm/kernel/ptrace.c | 5 +++-- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/include/asm/syscall.h b/arch/arm/include/asm/syscall.h +index 24c19d63ff0a1..95bf70ebd878e 100644 +--- a/arch/arm/include/asm/syscall.h ++++ b/arch/arm/include/asm/syscall.h +@@ -25,6 +25,9 @@ static inline int syscall_get_nr(struct task_struct *task, + if (IS_ENABLED(CONFIG_AEABI) && !IS_ENABLED(CONFIG_OABI_COMPAT)) + return task_thread_info(task)->abi_syscall; + ++ if (task_thread_info(task)->abi_syscall == -1) ++ return -1; ++ + return task_thread_info(task)->abi_syscall & __NR_SYSCALL_MASK; + } + +diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c +index 43b963ea4a0e2..71c98ca3a455a 100644 +--- a/arch/arm/kernel/ptrace.c ++++ b/arch/arm/kernel/ptrace.c +@@ -786,8 +786,9 @@ long arch_ptrace(struct task_struct *child, long request, + break; + + case PTRACE_SET_SYSCALL: +- task_thread_info(child)->abi_syscall = data & +- __NR_SYSCALL_MASK; ++ if (data != -1) ++ data &= __NR_SYSCALL_MASK; ++ task_thread_info(child)->abi_syscall = data; + ret = 0; + break; + +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-apq8016-sbc-fix-ov5640-regulator-supp.patch b/queue-5.15/arm64-dts-qcom-apq8016-sbc-fix-ov5640-regulator-supp.patch new file mode 100644 index 00000000000..e53ef9b4dff --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-apq8016-sbc-fix-ov5640-regulator-supp.patch @@ -0,0 +1,49 @@ +From 6998d1af553877bdd23a39eaf7c98cbefccf0e8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Aug 2023 00:47:33 +0100 +Subject: arm64: dts: qcom: apq8016-sbc: Fix ov5640 regulator supply names + +From: Bryan O'Donoghue + +[ Upstream commit 43a684580819e7f35b6cb38236be63c4cba26ef4 ] + +The ov5640 driver expects DOVDD, AVDD and DVDD as regulator supply names. + +The ov5640 has depended on these names since the driver was committed +upstream in 2017. Similarly apq8016-sbc.dtsi has had completely different +regulator names since its own initial commit in 2020. + +Perhaps the regulators were left on in previous 410c bootloaders. In any +case today on 6.5 we won't switch on the ov5640 without correctly naming +the regulators. + +Fixes: 39e0ce6cd1bf ("arm64: dts: qcom: apq8016-sbc: Add CCI/Sensor nodes") +Signed-off-by: Bryan O'Donoghue +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230811234738.2859417-3-bryan.odonoghue@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/apq8016-sbc.dts | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/apq8016-sbc.dts b/arch/arm64/boot/dts/qcom/apq8016-sbc.dts +index c6e8bf18defc6..ad4c2ccec63ee 100644 +--- a/arch/arm64/boot/dts/qcom/apq8016-sbc.dts ++++ b/arch/arm64/boot/dts/qcom/apq8016-sbc.dts +@@ -280,9 +280,9 @@ camera_rear@3b { + clock-names = "xclk"; + clock-frequency = <23880000>; + +- vdddo-supply = <&camera_vdddo_1v8>; +- vdda-supply = <&camera_vdda_2v8>; +- vddd-supply = <&camera_vddd_1v5>; ++ DOVDD-supply = <&camera_vdddo_1v8>; ++ AVDD-supply = <&camera_vdda_2v8>; ++ DVDD-supply = <&camera_vddd_1v5>; + + /* No camera mezzanine by default */ + status = "disabled"; +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-correct-spmi-wled-register-range-enco.patch b/queue-5.15/arm64-dts-qcom-correct-spmi-wled-register-range-enco.patch new file mode 100644 index 00000000000..462d231e09b --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-correct-spmi-wled-register-range-enco.patch @@ -0,0 +1,65 @@ +From e0563f3d9cb45effeb0169068fb020ecf452c922 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 May 2022 17:47:02 +0200 +Subject: arm64: dts: qcom: correct SPMI WLED register range encoding + +From: Krzysztof Kozlowski + +[ Upstream commit d66b1d2e4afc0c8a9eb267740825240b67f6b1d1 ] + +On PM660L, PMI8994 and PMI8998, the WLED has two address spaces and with +size-cells=0, they should be encoded as two separate items. + +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220505154702.422108-2-krzysztof.kozlowski@linaro.org +Stable-dep-of: 9a4ac09db3c7 ("arm64: dts: qcom: pm660l: Add missing short interrupt") +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/pm660l.dtsi | 2 +- + arch/arm64/boot/dts/qcom/pmi8994.dtsi | 2 +- + arch/arm64/boot/dts/qcom/pmi8998.dtsi | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/pm660l.dtsi b/arch/arm64/boot/dts/qcom/pm660l.dtsi +index 05086cbe573be..536bf9920fa92 100644 +--- a/arch/arm64/boot/dts/qcom/pm660l.dtsi ++++ b/arch/arm64/boot/dts/qcom/pm660l.dtsi +@@ -67,7 +67,7 @@ pmic@3 { + + pm660l_wled: leds@d800 { + compatible = "qcom,pm660l-wled"; +- reg = <0xd800 0xd900>; ++ reg = <0xd800>, <0xd900>; + interrupts = <0x3 0xd8 0x1 IRQ_TYPE_EDGE_RISING>; + interrupt-names = "ovp"; + label = "backlight"; +diff --git a/arch/arm64/boot/dts/qcom/pmi8994.dtsi b/arch/arm64/boot/dts/qcom/pmi8994.dtsi +index a06ea9adae810..7b41c1ed464ac 100644 +--- a/arch/arm64/boot/dts/qcom/pmi8994.dtsi ++++ b/arch/arm64/boot/dts/qcom/pmi8994.dtsi +@@ -35,7 +35,7 @@ pmi8994_spmi_regulators: regulators { + + pmi8994_wled: wled@d800 { + compatible = "qcom,pmi8994-wled"; +- reg = <0xd800 0xd900>; ++ reg = <0xd800>, <0xd900>; + interrupts = <3 0xd8 0x02 IRQ_TYPE_EDGE_RISING>; + interrupt-names = "short"; + qcom,num-strings = <3>; +diff --git a/arch/arm64/boot/dts/qcom/pmi8998.dtsi b/arch/arm64/boot/dts/qcom/pmi8998.dtsi +index 0fef5f113f05e..ef29e80c442c7 100644 +--- a/arch/arm64/boot/dts/qcom/pmi8998.dtsi ++++ b/arch/arm64/boot/dts/qcom/pmi8998.dtsi +@@ -44,7 +44,7 @@ lab: lab { + + pmi8998_wled: leds@d800 { + compatible = "qcom,pmi8998-wled"; +- reg = <0xd800 0xd900>; ++ reg = <0xd800>, <0xd900>; + interrupts = <0x3 0xd8 0x1 IRQ_TYPE_EDGE_RISING>, + <0x3 0xd8 0x2 IRQ_TYPE_EDGE_RISING>; + interrupt-names = "ovp", "short"; +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-move-wled-num-strings-from-pmi8994-to.patch b/queue-5.15/arm64-dts-qcom-move-wled-num-strings-from-pmi8994-to.patch new file mode 100644 index 00000000000..6e3625876e9 --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-move-wled-num-strings-from-pmi8994-to.patch @@ -0,0 +1,52 @@ +From c986bca3ad24e4813f98ebd038bfae0eaace264e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 23:33:59 +0200 +Subject: arm64: dts: qcom: Move WLED num-strings from pmi8994 to + sony-xperia-tone + +From: Marijn Suijten + +[ Upstream commit 360f20c801f7ea2ddc9afcbc5ab74cebf8adea6b ] + +The number of WLED strings used by a certain platform depend on the +panel connected to that board and may not be the same for every user of +pmi8994. + +Signed-off-by: Marijn Suijten +Reviewed-By: AngeloGioacchino Del Regno +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20211007213400.258371-13-marijn.suijten@somainline.org +Stable-dep-of: 8db944326903 ("arm64: dts: qcom: pmi8994: Add missing OVP interrupt") +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8996-sony-xperia-tone.dtsi | 1 + + arch/arm64/boot/dts/qcom/pmi8994.dtsi | 1 - + 2 files changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8996-sony-xperia-tone.dtsi b/arch/arm64/boot/dts/qcom/msm8996-sony-xperia-tone.dtsi +index 7802abac39fa5..e85f7cf4a56ce 100644 +--- a/arch/arm64/boot/dts/qcom/msm8996-sony-xperia-tone.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8996-sony-xperia-tone.dtsi +@@ -620,6 +620,7 @@ pmi8994_s11: s11 { + &pmi8994_wled { + status = "okay"; + default-brightness = <512>; ++ qcom,num-strings = <3>; + }; + + &rpm_requests { +diff --git a/arch/arm64/boot/dts/qcom/pmi8994.dtsi b/arch/arm64/boot/dts/qcom/pmi8994.dtsi +index 166467b637527..81899fe17f2b2 100644 +--- a/arch/arm64/boot/dts/qcom/pmi8994.dtsi ++++ b/arch/arm64/boot/dts/qcom/pmi8994.dtsi +@@ -38,7 +38,6 @@ pmi8994_wled: wled@d800 { + reg = <0xd800>, <0xd900>; + interrupts = <3 0xd8 0x02 IRQ_TYPE_EDGE_RISING>; + interrupt-names = "short"; +- qcom,num-strings = <3>; + qcom,cabc; + qcom,external-pfet; + status = "disabled"; +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-msm8996-add-missing-interrupt-to-the-.patch b/queue-5.15/arm64-dts-qcom-msm8996-add-missing-interrupt-to-the-.patch new file mode 100644 index 00000000000..2732fcc9a01 --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-msm8996-add-missing-interrupt-to-the-.patch @@ -0,0 +1,38 @@ +From 67ebc8b50f95f69458c274a606912b0fb8e0f5b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jun 2023 18:24:27 +0200 +Subject: arm64: dts: qcom: msm8996: Add missing interrupt to the USB2 + controller + +From: Konrad Dybcio + +[ Upstream commit 36541089c4733355ed844c67eebd0c3936953454 ] + +The interrupt line was previously not described. Take care of that. + +Fixes: 1e39255ed29d ("arm64: dts: msm8996: Add device node for qcom,dwc3") +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230627-topic-more_bindings-v1-11-6b4b6cd081e5@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8996.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi +index ec3ef14048cc0..8a7c651785073 100644 +--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi +@@ -2902,6 +2902,9 @@ usb2: usb@76f8800 { + #size-cells = <1>; + ranges; + ++ interrupts = ; ++ interrupt-names = "hs_phy_irq"; ++ + clocks = <&gcc GCC_PERIPH_NOC_USB20_AHB_CLK>, + <&gcc GCC_USB20_MASTER_CLK>, + <&gcc GCC_USB20_MOCK_UTMI_CLK>, +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-pm660l-add-missing-short-interrupt.patch b/queue-5.15/arm64-dts-qcom-pm660l-add-missing-short-interrupt.patch new file mode 100644 index 00000000000..39e2d08107a --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-pm660l-add-missing-short-interrupt.patch @@ -0,0 +1,41 @@ +From 2edc8246c45f6ee18f87957eb63cada9f13b3dbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 22:00:26 +0200 +Subject: arm64: dts: qcom: pm660l: Add missing short interrupt + +From: Konrad Dybcio + +[ Upstream commit 9a4ac09db3c7413e334b4abd6b2f6de8930dd781 ] + +Add the missing short interrupt. This fixes the schema warning: + +wled@d800: interrupt-names: ['ovp'] is too short + +Fixes: 7b56a804e58b ("arm64: dts: qcom: pm660l: Add WLED support") +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230626-topic-bindingsfixups-v1-4-254ae8642e69@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/pm660l.dtsi | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/pm660l.dtsi b/arch/arm64/boot/dts/qcom/pm660l.dtsi +index 536bf9920fa92..902e15d05a95b 100644 +--- a/arch/arm64/boot/dts/qcom/pm660l.dtsi ++++ b/arch/arm64/boot/dts/qcom/pm660l.dtsi +@@ -68,8 +68,9 @@ pmic@3 { + pm660l_wled: leds@d800 { + compatible = "qcom,pm660l-wled"; + reg = <0xd800>, <0xd900>; +- interrupts = <0x3 0xd8 0x1 IRQ_TYPE_EDGE_RISING>; +- interrupt-names = "ovp"; ++ interrupts = <0x3 0xd8 0x1 IRQ_TYPE_EDGE_RISING>, ++ <0x3 0xd8 0x2 IRQ_TYPE_EDGE_RISING>; ++ interrupt-names = "ovp", "short"; + label = "backlight"; + + qcom,switching-freq = <800>; +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-pmi8994-add-missing-ovp-interrupt.patch b/queue-5.15/arm64-dts-qcom-pmi8994-add-missing-ovp-interrupt.patch new file mode 100644 index 00000000000..cc0b3c0f736 --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-pmi8994-add-missing-ovp-interrupt.patch @@ -0,0 +1,41 @@ +From 4f70b5a0063604be2afec803f984eecce0f3b790 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 22:00:28 +0200 +Subject: arm64: dts: qcom: pmi8994: Add missing OVP interrupt + +From: Konrad Dybcio + +[ Upstream commit 8db94432690371b1736e9a2566a9b3d8a73d5a97 ] + +Add the missing OVP interrupt. This fixes the schema warning: + +wled@d800: interrupt-names: ['short'] is too short + +Fixes: 37aa540cbd30 ("arm64: dts: qcom: pmi8994: Add WLED node") +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230626-topic-bindingsfixups-v1-6-254ae8642e69@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/pmi8994.dtsi | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/pmi8994.dtsi b/arch/arm64/boot/dts/qcom/pmi8994.dtsi +index 81899fe17f2b2..38cf0f14e8798 100644 +--- a/arch/arm64/boot/dts/qcom/pmi8994.dtsi ++++ b/arch/arm64/boot/dts/qcom/pmi8994.dtsi +@@ -36,8 +36,9 @@ pmi8994_spmi_regulators: regulators { + pmi8994_wled: wled@d800 { + compatible = "qcom,pmi8994-wled"; + reg = <0xd800>, <0xd900>; +- interrupts = <3 0xd8 0x02 IRQ_TYPE_EDGE_RISING>; +- interrupt-names = "short"; ++ interrupts = <0x3 0xd8 0x1 IRQ_TYPE_EDGE_RISING>, ++ <0x3 0xd8 0x2 IRQ_TYPE_EDGE_RISING>; ++ interrupt-names = "ovp", "short"; + qcom,cabc; + qcom,external-pfet; + status = "disabled"; +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-pmi8994-remove-hardcoded-linear-wled-.patch b/queue-5.15/arm64-dts-qcom-pmi8994-remove-hardcoded-linear-wled-.patch new file mode 100644 index 00000000000..517f1b5cd42 --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-pmi8994-remove-hardcoded-linear-wled-.patch @@ -0,0 +1,45 @@ +From 3490bd45fd77e9160327e4e60089b51d9aec0fc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 23:33:58 +0200 +Subject: arm64: dts: qcom: pmi8994: Remove hardcoded linear WLED + enabled-strings + +From: Marijn Suijten + +[ Upstream commit 9b729b0932d0e6097d9f103e9dd149ef10881f43 ] + +The driver now sets an appropriate default for WLED4 (and WLED5) just +like WLED3 making this linear array from 0-3 redundant. In addition the +driver is now able to parse arrays of variable length solving the "all +four strings *have to* be defined" comment. + +Besides the driver will now warn when both properties are specified to +prevent ambiguity: the length of the array is enough to imply a set +number of strings. + +Signed-off-by: Marijn Suijten +Reviewed-By: AngeloGioacchino Del Regno +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20211007213400.258371-12-marijn.suijten@somainline.org +Stable-dep-of: 8db944326903 ("arm64: dts: qcom: pmi8994: Add missing OVP interrupt") +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/pmi8994.dtsi | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/pmi8994.dtsi b/arch/arm64/boot/dts/qcom/pmi8994.dtsi +index 7b41c1ed464ac..166467b637527 100644 +--- a/arch/arm64/boot/dts/qcom/pmi8994.dtsi ++++ b/arch/arm64/boot/dts/qcom/pmi8994.dtsi +@@ -39,8 +39,6 @@ pmi8994_wled: wled@d800 { + interrupts = <3 0xd8 0x02 IRQ_TYPE_EDGE_RISING>; + interrupt-names = "short"; + qcom,num-strings = <3>; +- /* Yes, all four strings *have to* be defined or things won't work. */ +- qcom,enabled-strings = <0 1 2 3>; + qcom,cabc; + qcom,external-pfet; + status = "disabled"; +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-pmi8998-add-node-for-wled.patch b/queue-5.15/arm64-dts-qcom-pmi8998-add-node-for-wled.patch new file mode 100644 index 00000000000..5cd772513e9 --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-pmi8998-add-node-for-wled.patch @@ -0,0 +1,52 @@ +From 3ee3785e672e8016b3ceb52dd970ef819a073100 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Sep 2021 14:36:28 +0200 +Subject: arm64: dts: qcom: pmi8998: Add node for WLED + +From: AngeloGioacchino Del Regno + +[ Upstream commit 17d32c10a2880ae7702d8e56128a542d9c6e9c75 ] + +The PMI8998 PMIC has a WLED backlight controller, which is used on +most MSM8998 and SDM845 based devices: add a base configuration for +it and keep it disabled. + +This contains only the PMIC specific configuration that does not +change across boards; parameters like number of strings, OVP and +current limits are product specific and shall be specified in the +product DT in order to achieve functionality. + +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20210909123628.365968-1-angelogioacchino.delregno@somainline.org +Stable-dep-of: 9a4ac09db3c7 ("arm64: dts: qcom: pm660l: Add missing short interrupt") +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/pmi8998.dtsi | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/pmi8998.dtsi b/arch/arm64/boot/dts/qcom/pmi8998.dtsi +index d230c510d4b7d..0fef5f113f05e 100644 +--- a/arch/arm64/boot/dts/qcom/pmi8998.dtsi ++++ b/arch/arm64/boot/dts/qcom/pmi8998.dtsi +@@ -41,5 +41,17 @@ lab: lab { + interrupt-names = "sc-err", "ocp"; + }; + }; ++ ++ pmi8998_wled: leds@d800 { ++ compatible = "qcom,pmi8998-wled"; ++ reg = <0xd800 0xd900>; ++ interrupts = <0x3 0xd8 0x1 IRQ_TYPE_EDGE_RISING>, ++ <0x3 0xd8 0x2 IRQ_TYPE_EDGE_RISING>; ++ interrupt-names = "ovp", "short"; ++ label = "backlight"; ++ ++ status = "disabled"; ++ }; ++ + }; + }; +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-pmk8350-fix-adc-tm-compatible-string.patch b/queue-5.15/arm64-dts-qcom-pmk8350-fix-adc-tm-compatible-string.patch new file mode 100644 index 00000000000..e7c4aaf6b7a --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-pmk8350-fix-adc-tm-compatible-string.patch @@ -0,0 +1,41 @@ +From 491388c6d3f71dcdbec3582de97d438702b6c439 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 15:30:24 +0300 +Subject: arm64: dts: qcom: pmk8350: fix ADC-TM compatible string + +From: Dmitry Baryshkov + +[ Upstream commit 435a73d7377ceb29c1a22d2711dd85c831b40c45 ] + +The commit b2de43136058 ("arm64: dts: qcom: pmk8350: Add peripherals for +pmk8350") for the ADC TM (thermal monitoring device) have used the +compatible string from the vendor kernel ("qcom,adc-tm7"). Use the +proper compatible string that is defined in the upstream kernel +("qcom,spmi-adc-tm5-gen2"). + +Fixes: b2de43136058 ("arm64: dts: qcom: pmk8350: Add peripherals for pmk8350") +Reviewed-by: Konrad Dybcio +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20230707123027.1510723-6-dmitry.baryshkov@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/pmk8350.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/pmk8350.dtsi b/arch/arm64/boot/dts/qcom/pmk8350.dtsi +index fc38f77d12a36..9e99fcf269dfd 100644 +--- a/arch/arm64/boot/dts/qcom/pmk8350.dtsi ++++ b/arch/arm64/boot/dts/qcom/pmk8350.dtsi +@@ -45,7 +45,7 @@ pmk8350_vadc: adc@3100 { + }; + + pmk8350_adc_tm: adc-tm@3400 { +- compatible = "qcom,adc-tm7"; ++ compatible = "qcom,spmi-adc-tm5-gen2"; + reg = <0x3400>; + interrupts = <0x0 0x34 0x0 IRQ_TYPE_EDGE_RISING>; + interrupt-names = "threshold"; +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-sdm845-add-missing-rpmh-power-domain-.patch b/queue-5.15/arm64-dts-qcom-sdm845-add-missing-rpmh-power-domain-.patch new file mode 100644 index 00000000000..61275d12074 --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-sdm845-add-missing-rpmh-power-domain-.patch @@ -0,0 +1,39 @@ +From 75cede2b6e155a7278e6b154dc55f15a577b5259 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 11:10:48 +0530 +Subject: arm64: dts: qcom: sdm845: Add missing RPMh power domain to GCC + +From: Manivannan Sadhasivam + +[ Upstream commit 4b6ea15c0a1122422b44bf6c47a3c22fc8d46777 ] + +GCC and it's GDSCs are under the RPMh CX power domain. So let's add the +missing RPMh power domain to the GCC node. + +Fixes: 6d4cf750d03a ("arm64: dts: sdm845: Add minimal dts/dtsi files for sdm845 SoC and MTP") +Reviewed-by: Konrad Dybcio +Co-developed-by: Krzysztof Kozlowski +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20230720054100.9940-4-manivannan.sadhasivam@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845.dtsi b/arch/arm64/boot/dts/qcom/sdm845.dtsi +index a0489a45aafbd..6fa8a91545709 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi +@@ -1074,6 +1074,7 @@ gcc: clock-controller@100000 { + #clock-cells = <1>; + #reset-cells = <1>; + #power-domain-cells = <1>; ++ power-domains = <&rpmhpd SDM845_CX>; + }; + + qfprom@784000 { +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-sdm845-fix-the-min-frequency-of-ice_c.patch b/queue-5.15/arm64-dts-qcom-sdm845-fix-the-min-frequency-of-ice_c.patch new file mode 100644 index 00000000000..99665420886 --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-sdm845-fix-the-min-frequency-of-ice_c.patch @@ -0,0 +1,39 @@ +From 20bec1499a59de98638a2adcc289dd96b50c79ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 11:10:49 +0530 +Subject: arm64: dts: qcom: sdm845: Fix the min frequency of "ice_core_clk" + +From: Manivannan Sadhasivam + +[ Upstream commit bbbef6e24bc4493602df68b052f6f48d48e3184a ] + +Minimum frequency of the "ice_core_clk" should be 75MHz as specified in the +downstream vendor devicetree. So fix it! + +https://git.codelinaro.org/clo/la/kernel/msm-4.9/-/blob/LA.UM.7.3.r1-09300-sdm845.0/arch/arm64/boot/dts/qcom/sdm845.dtsi + +Fixes: 433f9a57298f ("arm64: dts: sdm845: add Inline Crypto Engine registers and clock") +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20230720054100.9940-5-manivannan.sadhasivam@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845.dtsi b/arch/arm64/boot/dts/qcom/sdm845.dtsi +index 6fa8a91545709..6a0e30cbf88f1 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi +@@ -2283,7 +2283,7 @@ ufs_mem_hc: ufshc@1d84000 { + <0 0>, + <0 0>, + <0 0>, +- <0 300000000>; ++ <75000000 300000000>; + + status = "disabled"; + }; +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-sm8150-fix-the-i2c7-interrupt.patch b/queue-5.15/arm64-dts-qcom-sm8150-fix-the-i2c7-interrupt.patch new file mode 100644 index 00000000000..61c30ff80cb --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-sm8150-fix-the-i2c7-interrupt.patch @@ -0,0 +1,38 @@ +From a207361578e8337bdc8cd09287b918a7210084d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jul 2023 10:53:21 +0800 +Subject: arm64: dts: qcom: sm8150: Fix the I2C7 interrupt + +From: Zeyan Li + +[ Upstream commit f9568d22ce06192a7e14bda3a29dc216659554ff ] + +I2C6 and I2C7 use the same interrupts, which is incorrect. +In the downstream kernel, I2C7 has interrupts of 608 instead of 607. + +Fixes: 81bee6953b58 ("arm64: dts: qcom: sm8150: add i2c nodes") +Signed-off-by: Zeyan Li +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/SY7P282MB378712225CBCEA95FE71554DB201A@SY7P282MB3787.AUSP282.PROD.OUTLOOK.COM +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sm8150.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/sm8150.dtsi b/arch/arm64/boot/dts/qcom/sm8150.dtsi +index 292e40d6162dd..e8cb20c4cbf22 100644 +--- a/arch/arm64/boot/dts/qcom/sm8150.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8150.dtsi +@@ -1131,7 +1131,7 @@ i2c7: i2c@89c000 { + clocks = <&gcc GCC_QUPV3_WRAP0_S7_CLK>; + pinctrl-names = "default"; + pinctrl-0 = <&qup_i2c7_default>; +- interrupts = ; ++ interrupts = ; + #address-cells = <1>; + #size-cells = <0>; + status = "disabled"; +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-sm8250-correct-dynamic-power-coeffici.patch b/queue-5.15/arm64-dts-qcom-sm8250-correct-dynamic-power-coeffici.patch new file mode 100644 index 00000000000..4cc87645000 --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-sm8250-correct-dynamic-power-coeffici.patch @@ -0,0 +1,92 @@ +From 52f17399243f5c6f0327001cc77b2c8bfe02ed44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 17:48:52 +0200 +Subject: arm64: dts: qcom: sm8250: correct dynamic power coefficients + +From: Vincent Guittot + +[ Upstream commit 775a5283c25d160b2a1359018c447bc518096547 ] + +sm8250 faces the same problem with its Energy Model as sdm845. The energy +cost of LITTLE cores is reported to be higher than medium or big cores + +EM computes the energy with formula: + +energy = OPP's cost / maximum cpu capacity * utilization + +On v6.4-rc6 we have: +max capacity of CPU0 = 284 +capacity of CPU0's OPP(1612800 Hz) = 253 +cost of CPU0's OPP(1612800 Hz) = 191704 + +max capacity of CPU4 = 871 +capacity of CPU4's OPP(710400 Hz) = 255 +cost of CPU4's OPP(710400 Hz) = 343217 + +Both OPPs have almost the same compute capacity but the estimated energy +per unit of utilization will be estimated to: + +energy CPU0 = 191704 / 284 * 1 = 675 +energy CPU4 = 343217 / 871 * 1 = 394 + +EM estimates that little CPU0 will consume 71% more than medium CPU4 for +the same compute capacity. According to [1], little consumes 25% less than +medium core for Coremark benchmark at those OPPs for the same duration. + +Set the dynamic-power-coefficient of CPU0-3 to 105 to fix the energy model +for little CPUs. + +[1] https://github.com/kdrag0n/freqbench/tree/master/results/sm8250/k30s + +Fixes: 6aabed5526ee ("arm64: dts: qcom: sm8250: Add CPU capacities and energy model") +Signed-off-by: Vincent Guittot +Link: https://lore.kernel.org/r/20230615154852.130076-1-vincent.guittot@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sm8250.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sm8250.dtsi b/arch/arm64/boot/dts/qcom/sm8250.dtsi +index 181e32b8a2728..005e75dc6919e 100644 +--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi +@@ -97,7 +97,7 @@ CPU0: cpu@0 { + reg = <0x0 0x0>; + enable-method = "psci"; + capacity-dmips-mhz = <448>; +- dynamic-power-coefficient = <205>; ++ dynamic-power-coefficient = <105>; + next-level-cache = <&L2_0>; + qcom,freq-domain = <&cpufreq_hw 0>; + #cooling-cells = <2>; +@@ -116,7 +116,7 @@ CPU1: cpu@100 { + reg = <0x0 0x100>; + enable-method = "psci"; + capacity-dmips-mhz = <448>; +- dynamic-power-coefficient = <205>; ++ dynamic-power-coefficient = <105>; + next-level-cache = <&L2_100>; + qcom,freq-domain = <&cpufreq_hw 0>; + #cooling-cells = <2>; +@@ -132,7 +132,7 @@ CPU2: cpu@200 { + reg = <0x0 0x200>; + enable-method = "psci"; + capacity-dmips-mhz = <448>; +- dynamic-power-coefficient = <205>; ++ dynamic-power-coefficient = <105>; + next-level-cache = <&L2_200>; + qcom,freq-domain = <&cpufreq_hw 0>; + #cooling-cells = <2>; +@@ -148,7 +148,7 @@ CPU3: cpu@300 { + reg = <0x0 0x300>; + enable-method = "psci"; + capacity-dmips-mhz = <448>; +- dynamic-power-coefficient = <205>; ++ dynamic-power-coefficient = <105>; + next-level-cache = <&L2_300>; + qcom,freq-domain = <&cpufreq_hw 0>; + #cooling-cells = <2>; +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-sm8250-edo-add-gpio-line-names-for-pm.patch b/queue-5.15/arm64-dts-qcom-sm8250-edo-add-gpio-line-names-for-pm.patch new file mode 100644 index 00000000000..a03b97cab1c --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-sm8250-edo-add-gpio-line-names-for-pm.patch @@ -0,0 +1,164 @@ +From f985ac6ed9a1e2fb75715f21c74907bfb2ff82d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 13:05:35 +0200 +Subject: arm64: dts: qcom: sm8250-edo: Add GPIO line names for PMIC GPIOs + +From: Konrad Dybcio + +[ Upstream commit 6b8a63350752c6a5e4b54f2de6174084652cd3cd ] + +Sony ever so graciously provides GPIO line names in their downstream +kernel (though sometimes they are not 100% accurate and you can judge +that by simply looking at them and with what drivers they are used). + +Add these to the PDX203&206 DTSIs to better document the hardware. + +Diff between 203 and 206: +pm8009_gpios +< "CAM_PWR_LD_EN", +> "NC", + +pm8150_gpios +< "NC", +> "G_ASSIST_N", +< "WLC_EN_N", /* GPIO_10 */ +> "NC", /* GPIO_10 */ +Which is due to 5 II having an additional Google Assistant hardware +button and 1 II having a wireless charger & different camera wiring +to accommodate the additional 3D iToF sensor. + +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230614-topic-edo_pinsgpiopmic-v2-2-6f90bba54c53@linaro.org +Signed-off-by: Bjorn Andersson +Stable-dep-of: a422c6a91a66 ("arm64: dts: qcom: sm8250-edo: Rectify gpio-keys") +Signed-off-by: Sasha Levin +--- + .../qcom/sm8250-sony-xperia-edo-pdx203.dts | 50 +++++++++++++++++++ + .../qcom/sm8250-sony-xperia-edo-pdx206.dts | 50 +++++++++++++++++++ + 2 files changed, 100 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx203.dts b/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx203.dts +index 9b758385faafd..792911af1637b 100644 +--- a/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx203.dts ++++ b/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx203.dts +@@ -14,6 +14,56 @@ / { + + /delete-node/ &vreg_l7f_1p8; + ++&pm8009_gpios { ++ gpio-line-names = "NC", /* GPIO_1 */ ++ "CAM_PWR_LD_EN", ++ "WIDEC_PWR_EN", ++ "NC"; ++}; ++ ++&pm8150_gpios { ++ gpio-line-names = "VOL_DOWN_N", /* GPIO_1 */ ++ "OPTION_2", ++ "NC", ++ "PM_SLP_CLK_IN", ++ "OPTION_1", ++ "NC", ++ "NC", ++ "SP_ARI_PWR_ALARM", ++ "NC", ++ "NC"; /* GPIO_10 */ ++}; ++ ++&pm8150b_gpios { ++ gpio-line-names = "SNAPSHOT_N", /* GPIO_1 */ ++ "FOCUS_N", ++ "NC", ++ "NC", ++ "RF_LCD_ID_EN", ++ "NC", ++ "NC", ++ "LCD_ID", ++ "NC", ++ "WLC_EN_N", /* GPIO_10 */ ++ "NC", ++ "RF_ID"; ++}; ++ ++&pm8150l_gpios { ++ gpio-line-names = "NC", /* GPIO_1 */ ++ "PM3003A_EN", ++ "NC", ++ "NC", ++ "NC", ++ "AUX2_THERM", ++ "BB_HP_EN", ++ "FP_LDO_EN", ++ "PMX_RESET_N", ++ "AUX3_THERM", /* GPIO_10 */ ++ "DTV_PWR_EN", ++ "PM3003A_MODE"; ++}; ++ + &tlmm { + gpio-line-names = "AP_CTI_IN", /* GPIO_0 */ + "MDM2AP_ERR_FATAL", +diff --git a/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx206.dts b/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx206.dts +index bf4e6a32736de..9b6228f7010b5 100644 +--- a/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx206.dts ++++ b/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx206.dts +@@ -29,6 +29,56 @@ g-assist-key { + }; + }; + ++&pm8009_gpios { ++ gpio-line-names = "NC", /* GPIO_1 */ ++ "NC", ++ "WIDEC_PWR_EN", ++ "NC"; ++}; ++ ++&pm8150_gpios { ++ gpio-line-names = "VOL_DOWN_N", /* GPIO_1 */ ++ "OPTION_2", ++ "NC", ++ "PM_SLP_CLK_IN", ++ "OPTION_1", ++ "G_ASSIST_N", ++ "NC", ++ "SP_ARI_PWR_ALARM", ++ "NC", ++ "NC"; /* GPIO_10 */ ++}; ++ ++&pm8150b_gpios { ++ gpio-line-names = "SNAPSHOT_N", /* GPIO_1 */ ++ "FOCUS_N", ++ "NC", ++ "NC", ++ "RF_LCD_ID_EN", ++ "NC", ++ "NC", ++ "LCD_ID", ++ "NC", ++ "NC", /* GPIO_10 */ ++ "NC", ++ "RF_ID"; ++}; ++ ++&pm8150l_gpios { ++ gpio-line-names = "NC", /* GPIO_1 */ ++ "PM3003A_EN", ++ "NC", ++ "NC", ++ "NC", ++ "AUX2_THERM", ++ "BB_HP_EN", ++ "FP_LDO_EN", ++ "PMX_RESET_N", ++ "NC", /* GPIO_10 */ ++ "NC", ++ "PM3003A_MODE"; ++}; ++ + &tlmm { + gpio-line-names = "AP_CTI_IN", /* GPIO_0 */ + "MDM2AP_ERR_FATAL", +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-sm8250-edo-add-gpio-line-names-for-tl.patch b/queue-5.15/arm64-dts-qcom-sm8250-edo-add-gpio-line-names-for-tl.patch new file mode 100644 index 00000000000..1a7132494f2 --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-sm8250-edo-add-gpio-line-names-for-tl.patch @@ -0,0 +1,430 @@ +From 146ffd38ab4d6ce97ae36f2287a8c5cebcc35fc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 13:05:34 +0200 +Subject: arm64: dts: qcom: sm8250-edo: Add gpio line names for TLMM + +From: Konrad Dybcio + +[ Upstream commit 40b398beabdfe0e9088b13976e56b1dc706fe851 ] + +Sony ever so graciously provides GPIO line names in their downstream +kernel (though sometimes they are not 100% accurate and you can judge +that by simply looking at them and with what drivers they are used). + +Add these to the PDX203&206 DTSIs to better document the hardware. + +Diff between 203 and 206: +< "CAM_PWR_A_CS", +> "FRONTC_PWR_EN", +< "CAM4_MCLK", +< "TOF_RST_N", +> "NC", +> "NC", +< "WLC_I2C_SDA", +< "WLC_I2C_SCL", /* GPIO_120 */ +> "NC", +> "NC", +< "WLC_INT_N", +> "NC", + +Which makes sense, as 203 has a 3D iToF, slightly different camera +power wiring and WLC (WireLess Charging). + +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230614-topic-edo_pinsgpiopmic-v2-1-6f90bba54c53@linaro.org +Signed-off-by: Bjorn Andersson +Stable-dep-of: a422c6a91a66 ("arm64: dts: qcom: sm8250-edo: Rectify gpio-keys") +Signed-off-by: Sasha Levin +--- + .../qcom/sm8250-sony-xperia-edo-pdx203.dts | 183 ++++++++++++++++++ + .../qcom/sm8250-sony-xperia-edo-pdx206.dts | 183 ++++++++++++++++++ + 2 files changed, 366 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx203.dts b/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx203.dts +index 79afeb07f4a24..9b758385faafd 100644 +--- a/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx203.dts ++++ b/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx203.dts +@@ -13,3 +13,186 @@ / { + }; + + /delete-node/ &vreg_l7f_1p8; ++ ++&tlmm { ++ gpio-line-names = "AP_CTI_IN", /* GPIO_0 */ ++ "MDM2AP_ERR_FATAL", ++ "AP_CTI_OUT", ++ "MDM2AP_STATUS", ++ "NFC_I2C_SDA", ++ "NFC_I2C_SCL", ++ "NFC_EN", ++ "NFC_CLK_REQ", ++ "NFC_ESE_PWR_REQ", ++ "DVDT_WRT_DET_AND", ++ "SPK_AMP_RESET_N", /* GPIO_10 */ ++ "SPK_AMP_INT_N", ++ "APPS_I2C_1_SDA", ++ "APPS_I2C_1_SCL", ++ "NC", ++ "TX_GTR_THRES_IN", ++ "HST_BT_UART_CTS", ++ "HST_BT_UART_RFR", ++ "HST_BT_UART_TX", ++ "HST_BT_UART_RX", ++ "HST_WLAN_EN", /* GPIO_20 */ ++ "HST_BT_EN", ++ "RGBC_IR_PWR_EN", ++ "FP_INT_N", ++ "NC", ++ "NC", ++ "NC", ++ "NC", ++ "NFC_ESE_SPI_MISO", ++ "NFC_ESE_SPI_MOSI", ++ "NFC_ESE_SPI_SCLK", /* GPIO_30 */ ++ "NFC_ESE_SPI_CS_N", ++ "WCD_RST_N", ++ "NC", ++ "SDM_DEBUG_UART_TX", ++ "SDM_DEBUG_UART_RX", ++ "TS_I2C_SDA", ++ "TS_I2C_SCL", ++ "TS_INT_N", ++ "FP_SPI_MISO", /* GPIO_40 */ ++ "FP_SPI_MOSI", ++ "FP_SPI_SCLK", ++ "FP_SPI_CS_N", ++ "APPS_I2C_0_SDA", ++ "APPS_I2C_0_SCL", ++ "DISP_ERR_FG", ++ "UIM2_DETECT_EN", ++ "NC", ++ "NC", ++ "NC", /* GPIO_50 */ ++ "NC", ++ "MDM_UART_CTS", ++ "MDM_UART_RFR", ++ "MDM_UART_TX", ++ "MDM_UART_RX", ++ "AP2MDM_STATUS", ++ "AP2MDM_ERR_FATAL", ++ "MDM_IPC_HS_UART_TX", ++ "MDM_IPC_HS_UART_RX", ++ "NC", /* GPIO_60 */ ++ "NC", ++ "NC", ++ "NC", ++ "NC", ++ "USB_CC_DIR", ++ "DISP_VSYNC", ++ "NC", ++ "NC", ++ "CAM_PWR_B_CS", ++ "NC", /* GPIO_70 */ ++ "CAM_PWR_A_CS", ++ "SBU_SW_SEL", ++ "SBU_SW_OE", ++ "FP_RESET_N", ++ "FP_RESET_N", ++ "DISP_RESET_N", ++ "DEBUG_GPIO0", ++ "TRAY_DET", ++ "CAM2_RST_N", ++ "PCIE0_RST_N", ++ "PCIE0_CLK_REQ_N", /* GPIO_80 */ ++ "PCIE0_WAKE_N", ++ "DVDT_ENABLE", ++ "DVDT_WRT_DET_OR", ++ "NC", ++ "PCIE2_RST_N", ++ "PCIE2_CLK_REQ_N", ++ "PCIE2_WAKE_N", ++ "MDM_VFR_IRQ0", ++ "MDM_VFR_IRQ1", ++ "SW_SERVICE", /* GPIO_90 */ ++ "CAM_SOF", ++ "CAM1_RST_N", ++ "CAM0_RST_N", ++ "CAM0_MCLK", ++ "CAM1_MCLK", ++ "CAM2_MCLK", ++ "CAM3_MCLK", ++ "CAM4_MCLK", ++ "TOF_RST_N", ++ "NC", /* GPIO_100 */ ++ "CCI0_I2C_SDA", ++ "CCI0_I2C_SCL", ++ "CCI1_I2C_SDA", ++ "CCI1_I2C_SCL_", ++ "CCI2_I2C_SDA", ++ "CCI2_I2C_SCL", ++ "CCI3_I2C_SDA", ++ "CCI3_I2C_SCL", ++ "CAM3_RST_N", ++ "NFC_DWL_REQ", /* GPIO_110 */ ++ "NFC_IRQ", ++ "XVS", ++ "NC", ++ "RF_ID_EXTENSION", ++ "SPK_AMP_I2C_SDA", ++ "SPK_AMP_I2C_SCL", ++ "NC", ++ "NC", ++ "WLC_I2C_SDA", ++ "WLC_I2C_SCL", /* GPIO_120 */ ++ "ACC_COVER_OPEN", ++ "ALS_PROX_INT_N", ++ "ACCEL_INT", ++ "WLAN_SW_CTRL", ++ "CAMSENSOR_I2C_SDA", ++ "CAMSENSOR_I2C_SCL", ++ "UDON_SWITCH_SEL", ++ "WDOG_DISABLE", ++ "BAROMETER_INT", ++ "NC", /* GPIO_130 */ ++ "NC", ++ "FORCED_USB_BOOT", ++ "NC", ++ "NC", ++ "WLC_INT_N", ++ "NC", ++ "NC", ++ "RGBC_IR_INT", ++ "NC", ++ "NC", /* GPIO_140 */ ++ "NC", ++ "BT_SLIMBUS_CLK", ++ "BT_SLIMBUS_DATA", ++ "HW_ID_0", ++ "HW_ID_1", ++ "WCD_SWR_TX_CLK", ++ "WCD_SWR_TX_DATA0", ++ "WCD_SWR_TX_DATA1", ++ "WCD_SWR_RX_CLK", ++ "WCD_SWR_RX_DATA0", /* GPIO_150 */ ++ "WCD_SWR_RX_DATA1", ++ "SDM_DMIC_CLK1", ++ "SDM_DMIC_DATA1", ++ "SDM_DMIC_CLK2", ++ "SDM_DMIC_DATA2", ++ "SPK_AMP_I2S_CLK", ++ "SPK_AMP_I2S_WS", ++ "SPK_AMP_I2S_ASP_DIN", ++ "SPK_AMP_I2S_ASP_DOUT", ++ "COMPASS_I2C_SDA", /* GPIO_160 */ ++ "COMPASS_I2C_SCL", ++ "NC", ++ "NC", ++ "SSC_SPI_1_MISO", ++ "SSC_SPI_1_MOSI", ++ "SSC_SPI_1_CLK", ++ "SSC_SPI_1_CS_N", ++ "NC", ++ "NC", ++ "SSC_SENSOR_I2C_SDA", /* GPIO_170 */ ++ "SSC_SENSOR_I2C_SCL", ++ "NC", ++ "NC", ++ "NC", ++ "NC", ++ "HST_BLE_SNS_UART6_TX", ++ "HST_BLE_SNS_UART6_RX", ++ "HST_WLAN_UART_TX", ++ "HST_WLAN_UART_RX"; ++}; +diff --git a/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx206.dts b/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx206.dts +index 16c96e8385348..bf4e6a32736de 100644 +--- a/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx206.dts ++++ b/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx206.dts +@@ -29,6 +29,189 @@ g-assist-key { + }; + }; + ++&tlmm { ++ gpio-line-names = "AP_CTI_IN", /* GPIO_0 */ ++ "MDM2AP_ERR_FATAL", ++ "AP_CTI_OUT", ++ "MDM2AP_STATUS", ++ "NFC_I2C_SDA", ++ "NFC_I2C_SCL", ++ "NFC_EN", ++ "NFC_CLK_REQ", ++ "NFC_ESE_PWR_REQ", ++ "DVDT_WRT_DET_AND", ++ "SPK_AMP_RESET_N", /* GPIO_10 */ ++ "SPK_AMP_INT_N", ++ "APPS_I2C_1_SDA", ++ "APPS_I2C_1_SCL", ++ "NC", ++ "TX_GTR_THRES_IN", ++ "HST_BT_UART_CTS", ++ "HST_BT_UART_RFR", ++ "HST_BT_UART_TX", ++ "HST_BT_UART_RX", ++ "HST_WLAN_EN", /* GPIO_20 */ ++ "HST_BT_EN", ++ "RGBC_IR_PWR_EN", ++ "FP_INT_N", ++ "NC", ++ "NC", ++ "NC", ++ "NC", ++ "NFC_ESE_SPI_MISO", ++ "NFC_ESE_SPI_MOSI", ++ "NFC_ESE_SPI_SCLK", /* GPIO_30 */ ++ "NFC_ESE_SPI_CS_N", ++ "WCD_RST_N", ++ "NC", ++ "SDM_DEBUG_UART_TX", ++ "SDM_DEBUG_UART_RX", ++ "TS_I2C_SDA", ++ "TS_I2C_SCL", ++ "TS_INT_N", ++ "FP_SPI_MISO", /* GPIO_40 */ ++ "FP_SPI_MOSI", ++ "FP_SPI_SCLK", ++ "FP_SPI_CS_N", ++ "APPS_I2C_0_SDA", ++ "APPS_I2C_0_SCL", ++ "DISP_ERR_FG", ++ "UIM2_DETECT_EN", ++ "NC", ++ "NC", ++ "NC", /* GPIO_50 */ ++ "NC", ++ "MDM_UART_CTS", ++ "MDM_UART_RFR", ++ "MDM_UART_TX", ++ "MDM_UART_RX", ++ "AP2MDM_STATUS", ++ "AP2MDM_ERR_FATAL", ++ "MDM_IPC_HS_UART_TX", ++ "MDM_IPC_HS_UART_RX", ++ "NC", /* GPIO_60 */ ++ "NC", ++ "NC", ++ "NC", ++ "NC", ++ "USB_CC_DIR", ++ "DISP_VSYNC", ++ "NC", ++ "NC", ++ "CAM_PWR_B_CS", ++ "NC", /* GPIO_70 */ ++ "FRONTC_PWR_EN", ++ "SBU_SW_SEL", ++ "SBU_SW_OE", ++ "FP_RESET_N", ++ "FP_RESET_N", ++ "DISP_RESET_N", ++ "DEBUG_GPIO0", ++ "TRAY_DET", ++ "CAM2_RST_N", ++ "PCIE0_RST_N", ++ "PCIE0_CLK_REQ_N", /* GPIO_80 */ ++ "PCIE0_WAKE_N", ++ "DVDT_ENABLE", ++ "DVDT_WRT_DET_OR", ++ "NC", ++ "PCIE2_RST_N", ++ "PCIE2_CLK_REQ_N", ++ "PCIE2_WAKE_N", ++ "MDM_VFR_IRQ0", ++ "MDM_VFR_IRQ1", ++ "SW_SERVICE", /* GPIO_90 */ ++ "CAM_SOF", ++ "CAM1_RST_N", ++ "CAM0_RST_N", ++ "CAM0_MCLK", ++ "CAM1_MCLK", ++ "CAM2_MCLK", ++ "CAM3_MCLK", ++ "NC", ++ "NC", ++ "NC", /* GPIO_100 */ ++ "CCI0_I2C_SDA", ++ "CCI0_I2C_SCL", ++ "CCI1_I2C_SDA", ++ "CCI1_I2C_SCL_", ++ "CCI2_I2C_SDA", ++ "CCI2_I2C_SCL", ++ "CCI3_I2C_SDA", ++ "CCI3_I2C_SCL", ++ "CAM3_RST_N", ++ "NFC_DWL_REQ", /* GPIO_110 */ ++ "NFC_IRQ", ++ "XVS", ++ "NC", ++ "RF_ID_EXTENSION", ++ "SPK_AMP_I2C_SDA", ++ "SPK_AMP_I2C_SCL", ++ "NC", ++ "NC", ++ "NC", ++ "NC", ++ "ACC_COVER_OPEN", ++ "ALS_PROX_INT_N", ++ "ACCEL_INT", ++ "WLAN_SW_CTRL", ++ "CAMSENSOR_I2C_SDA", ++ "CAMSENSOR_I2C_SCL", ++ "UDON_SWITCH_SEL", ++ "WDOG_DISABLE", ++ "BAROMETER_INT", ++ "NC", /* GPIO_130 */ ++ "NC", ++ "FORCED_USB_BOOT", ++ "NC", ++ "NC", ++ "NC", ++ "NC", ++ "NC", ++ "RGBC_IR_INT", ++ "NC", ++ "NC", /* GPIO_140 */ ++ "NC", ++ "BT_SLIMBUS_CLK", ++ "BT_SLIMBUS_DATA", ++ "HW_ID_0", ++ "HW_ID_1", ++ "WCD_SWR_TX_CLK", ++ "WCD_SWR_TX_DATA0", ++ "WCD_SWR_TX_DATA1", ++ "WCD_SWR_RX_CLK", ++ "WCD_SWR_RX_DATA0", /* GPIO_150 */ ++ "WCD_SWR_RX_DATA1", ++ "SDM_DMIC_CLK1", ++ "SDM_DMIC_DATA1", ++ "SDM_DMIC_CLK2", ++ "SDM_DMIC_DATA2", ++ "SPK_AMP_I2S_CLK", ++ "SPK_AMP_I2S_WS", ++ "SPK_AMP_I2S_ASP_DIN", ++ "SPK_AMP_I2S_ASP_DOUT", ++ "COMPASS_I2C_SDA", /* GPIO_160 */ ++ "COMPASS_I2C_SCL", ++ "NC", ++ "NC", ++ "SSC_SPI_1_MISO", ++ "SSC_SPI_1_MOSI", ++ "SSC_SPI_1_CLK", ++ "SSC_SPI_1_CS_N", ++ "NC", ++ "NC", ++ "SSC_SENSOR_I2C_SDA", /* GPIO_170 */ ++ "SSC_SENSOR_I2C_SCL", ++ "NC", ++ "NC", ++ "NC", ++ "NC", ++ "HST_BLE_SNS_UART6_TX", ++ "HST_BLE_SNS_UART6_RX", ++ "HST_WLAN_UART_TX", ++ "HST_WLAN_UART_RX"; ++}; ++ + &vreg_l2f_1p3 { + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <1200000>; +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-sm8250-edo-rectify-gpio-keys.patch b/queue-5.15/arm64-dts-qcom-sm8250-edo-rectify-gpio-keys.patch new file mode 100644 index 00000000000..b702db125d1 --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-sm8250-edo-rectify-gpio-keys.patch @@ -0,0 +1,126 @@ +From fada8797849db83151eecfe8f2ebd7c264b393ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 13:05:37 +0200 +Subject: arm64: dts: qcom: sm8250-edo: Rectify gpio-keys + +From: Konrad Dybcio + +[ Upstream commit a422c6a91a667b309ca1a6c08b30dbfcf7d4e866 ] + +Set up the corresponding GPIOs properly and add the leftover hardware +buttons to mark this piece of the puzzle complete. + +Fixes: 46e14907c716 ("arm64: dts: qcom: sm8250-edo: Add hardware keys") +Reviewed-by: Marijn Suijten +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230614-topic-edo_pinsgpiopmic-v2-4-6f90bba54c53@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + .../qcom/sm8250-sony-xperia-edo-pdx206.dts | 10 ++++ + .../boot/dts/qcom/sm8250-sony-xperia-edo.dtsi | 54 ++++++++++++++++--- + 2 files changed, 58 insertions(+), 6 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx206.dts b/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx206.dts +index 9b6228f7010b5..b0f4ecc911144 100644 +--- a/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx206.dts ++++ b/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo-pdx206.dts +@@ -19,6 +19,8 @@ &framebuffer { + }; + + &gpio_keys { ++ pinctrl-0 = <&focus_n &snapshot_n &vol_down_n &g_assist_n>; ++ + g-assist-key { + label = "Google Assistant Key"; + linux,code = ; +@@ -47,6 +49,14 @@ &pm8150_gpios { + "SP_ARI_PWR_ALARM", + "NC", + "NC"; /* GPIO_10 */ ++ ++ g_assist_n: g-assist-n-state { ++ pins = "gpio6"; ++ function = "normal"; ++ power-source = <1>; ++ bias-pull-up; ++ input-enable; ++ }; + }; + + &pm8150b_gpios { +diff --git a/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo.dtsi b/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo.dtsi +index b093f2a02a9cb..60c62fbc2650d 100644 +--- a/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo.dtsi +@@ -51,12 +51,26 @@ framebuffer: framebuffer@9c000000 { + gpio_keys: gpio-keys { + compatible = "gpio-keys"; + +- /* +- * Camera focus (light press) and camera snapshot (full press) +- * seem not to work properly.. Adding the former one stalls the CPU +- * and the latter kills the volume down key for whatever reason. In any +- * case, they are both on &pm8150b_gpios: camera focus(2), camera snapshot(1). +- */ ++ pinctrl-0 = <&focus_n &snapshot_n &vol_down_n>; ++ pinctrl-names = "default"; ++ ++ key-camera-focus { ++ label = "Camera Focus"; ++ linux,code = ; ++ gpios = <&pm8150b_gpios 2 GPIO_ACTIVE_LOW>; ++ debounce-interval = <15>; ++ linux,can-disable; ++ gpio-key,wakeup; ++ }; ++ ++ key-camera-snapshot { ++ label = "Camera Snapshot"; ++ linux,code = ; ++ gpios = <&pm8150b_gpios 1 GPIO_ACTIVE_LOW>; ++ debounce-interval = <15>; ++ linux,can-disable; ++ gpio-key,wakeup; ++ }; + + vol-down { + label = "Volume Down"; +@@ -518,6 +532,34 @@ &pcie2_phy { + vdda-pll-supply = <&vreg_l9a_1p2>; + }; + ++&pm8150_gpios { ++ vol_down_n: vol-down-n-state { ++ pins = "gpio1"; ++ function = "normal"; ++ power-source = <0>; ++ bias-pull-up; ++ input-enable; ++ }; ++}; ++ ++&pm8150b_gpios { ++ snapshot_n: snapshot-n-state { ++ pins = "gpio1"; ++ function = "normal"; ++ power-source = <0>; ++ bias-pull-up; ++ input-enable; ++ }; ++ ++ focus_n: focus-n-state { ++ pins = "gpio2"; ++ function = "normal"; ++ power-source = <0>; ++ bias-pull-up; ++ input-enable; ++ }; ++}; ++ + &pon_pwrkey { + status = "okay"; + }; +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-sm8250-mark-pcie-hosts-as-dma-coheren.patch b/queue-5.15/arm64-dts-qcom-sm8250-mark-pcie-hosts-as-dma-coheren.patch new file mode 100644 index 00000000000..40824e46af5 --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-sm8250-mark-pcie-hosts-as-dma-coheren.patch @@ -0,0 +1,51 @@ +From f3716c2d4f3ba349515aad584cf16392eab0df23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jul 2023 14:23:17 +0200 +Subject: arm64: dts: qcom: sm8250: Mark PCIe hosts as DMA coherent + +From: Konrad Dybcio + +[ Upstream commit 339d38a436f30d0f874815eafc7de2257346bf26 ] + +The PCIe hosts on SM8250 are cache-coherent. Mark them as such. + +Fixes: e53bdfc00977 ("arm64: dts: qcom: sm8250: Add PCIe support") +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230704-topic-8250_pcie_dmac-v1-1-799603a980b0@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sm8250.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/sm8250.dtsi b/arch/arm64/boot/dts/qcom/sm8250.dtsi +index 005e75dc6919e..5d6551e1fcd8d 100644 +--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi +@@ -1439,6 +1439,7 @@ pcie0: pci@1c00000 { + + pinctrl-names = "default"; + pinctrl-0 = <&pcie0_default_state>; ++ dma-coherent; + + status = "disabled"; + }; +@@ -1545,6 +1546,7 @@ pcie1: pci@1c08000 { + + pinctrl-names = "default"; + pinctrl-0 = <&pcie1_default_state>; ++ dma-coherent; + + status = "disabled"; + }; +@@ -1653,6 +1655,7 @@ pcie2: pci@1c10000 { + + pinctrl-names = "default"; + pinctrl-0 = <&pcie2_default_state>; ++ dma-coherent; + + status = "disabled"; + }; +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-sm8250-sony-xperia-correct-gpio-keys-.patch b/queue-5.15/arm64-dts-qcom-sm8250-sony-xperia-correct-gpio-keys-.patch new file mode 100644 index 00000000000..9b3d7e46867 --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-sm8250-sony-xperia-correct-gpio-keys-.patch @@ -0,0 +1,48 @@ +From 6c0ec0e53dd80d4eee51d6680b4ba41b715fdb0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jul 2023 08:30:11 +0200 +Subject: arm64: dts: qcom: sm8250-sony-xperia: correct GPIO keys wakeup again + +From: Krzysztof Kozlowski + +[ Upstream commit b8fbeea0253211d97c579eae787274633d3eaf0d ] + +gpio-keys,wakeup is a deprecated property: + + m8250-sony-xperia-edo-pdx206.dtb: gpio-keys: key-camera-focus: Unevaluated properties are not allowed ('gpio-key,wakeup' was unexpected) + +Fixes: a422c6a91a66 ("arm64: dts: qcom: sm8250-edo: Rectify gpio-keys") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230711063011.16222-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo.dtsi b/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo.dtsi +index 60c62fbc2650d..e622cbe167b0d 100644 +--- a/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8250-sony-xperia-edo.dtsi +@@ -60,7 +60,7 @@ key-camera-focus { + gpios = <&pm8150b_gpios 2 GPIO_ACTIVE_LOW>; + debounce-interval = <15>; + linux,can-disable; +- gpio-key,wakeup; ++ wakeup-source; + }; + + key-camera-snapshot { +@@ -69,7 +69,7 @@ key-camera-snapshot { + gpios = <&pm8150b_gpios 1 GPIO_ACTIVE_LOW>; + debounce-interval = <15>; + linux,can-disable; +- gpio-key,wakeup; ++ wakeup-source; + }; + + vol-down { +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-sm8350-add-missing-lmh-interrupts-to-.patch b/queue-5.15/arm64-dts-qcom-sm8350-add-missing-lmh-interrupts-to-.patch new file mode 100644 index 00000000000..efa303bd581 --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-sm8350-add-missing-lmh-interrupts-to-.patch @@ -0,0 +1,42 @@ +From 4d75a86e8b4d0a630991dac91d6d794415e58fc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 15:36:23 +0200 +Subject: arm64: dts: qcom: sm8350: Add missing LMH interrupts to cpufreq + +From: Konrad Dybcio + +[ Upstream commit 951151c2bb548e0f6b2c40ab4c48675f5342c914 ] + +Add the missing interrupts that communicate the hardware-managed +throttling to Linux. + +Fixes: ccbb3abb23a5 ("arm64: dts: qcom: sm8350: Add cpufreq node") +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230705-topic-sm8350_fixes-v1-3-0f69f70ccb6a@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sm8350.dtsi | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/sm8350.dtsi b/arch/arm64/boot/dts/qcom/sm8350.dtsi +index 1ef16975d13a1..635e9f17a549f 100644 +--- a/arch/arm64/boot/dts/qcom/sm8350.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8350.dtsi +@@ -1052,6 +1052,13 @@ cpufreq_hw: cpufreq@18591000 { + <0 0x18593000 0 0x1000>; + reg-names = "freq-domain0", "freq-domain1", "freq-domain2"; + ++ interrupts = , ++ , ++ ; ++ interrupt-names = "dcvsh-irq-0", ++ "dcvsh-irq-1", ++ "dcvsh-irq-2"; ++ + clocks = <&rpmhcc RPMH_CXO_CLK>, <&gcc GCC_GPLL0>; + clock-names = "xo", "alternate"; + +-- +2.40.1 + diff --git a/queue-5.15/arm64-dts-qcom-sm8350-use-proper-cpu-compatibles.patch b/queue-5.15/arm64-dts-qcom-sm8350-use-proper-cpu-compatibles.patch new file mode 100644 index 00000000000..68c4b375e7c --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-sm8350-use-proper-cpu-compatibles.patch @@ -0,0 +1,105 @@ +From bbc2be7bcfd9b6174a43d69e9042dbaa7896892c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 18:35:37 +0200 +Subject: arm64: dts: qcom: sm8350: Use proper CPU compatibles + +From: Konrad Dybcio + +[ Upstream commit 4390730cc12af25f7c997f477795f5f4200149c0 ] + +The Kryo names (once again) turned out to be fake. The CPUs report: + +0x412fd050 (CA55 r2p0) (0 - 3) +0x411fd410 (CA78 r1p1) (4 - 6) +0x411fd440 (CX1 r1p1) (7) + +Use the compatibles that reflect that. + +Fixes: b7e8f433a673 ("arm64: dts: qcom: Add basic devicetree support for SM8350 SoC") +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230706-topic-sm8350-cpu-compat-v1-1-f8d6a1869781@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sm8350.dtsi | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sm8350.dtsi b/arch/arm64/boot/dts/qcom/sm8350.dtsi +index 635e9f17a549f..b0ba63b5869d2 100644 +--- a/arch/arm64/boot/dts/qcom/sm8350.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8350.dtsi +@@ -61,7 +61,7 @@ cpus { + + CPU0: cpu@0 { + device_type = "cpu"; +- compatible = "qcom,kryo685"; ++ compatible = "arm,cortex-a55"; + reg = <0x0 0x0>; + enable-method = "psci"; + next-level-cache = <&L2_0>; +@@ -78,7 +78,7 @@ L3_0: l3-cache { + + CPU1: cpu@100 { + device_type = "cpu"; +- compatible = "qcom,kryo685"; ++ compatible = "arm,cortex-a55"; + reg = <0x0 0x100>; + enable-method = "psci"; + next-level-cache = <&L2_100>; +@@ -92,7 +92,7 @@ L2_100: l2-cache { + + CPU2: cpu@200 { + device_type = "cpu"; +- compatible = "qcom,kryo685"; ++ compatible = "arm,cortex-a55"; + reg = <0x0 0x200>; + enable-method = "psci"; + next-level-cache = <&L2_200>; +@@ -106,7 +106,7 @@ L2_200: l2-cache { + + CPU3: cpu@300 { + device_type = "cpu"; +- compatible = "qcom,kryo685"; ++ compatible = "arm,cortex-a55"; + reg = <0x0 0x300>; + enable-method = "psci"; + next-level-cache = <&L2_300>; +@@ -120,7 +120,7 @@ L2_300: l2-cache { + + CPU4: cpu@400 { + device_type = "cpu"; +- compatible = "qcom,kryo685"; ++ compatible = "arm,cortex-a78"; + reg = <0x0 0x400>; + enable-method = "psci"; + next-level-cache = <&L2_400>; +@@ -134,7 +134,7 @@ L2_400: l2-cache { + + CPU5: cpu@500 { + device_type = "cpu"; +- compatible = "qcom,kryo685"; ++ compatible = "arm,cortex-a78"; + reg = <0x0 0x500>; + enable-method = "psci"; + next-level-cache = <&L2_500>; +@@ -149,7 +149,7 @@ L2_500: l2-cache { + + CPU6: cpu@600 { + device_type = "cpu"; +- compatible = "qcom,kryo685"; ++ compatible = "arm,cortex-a78"; + reg = <0x0 0x600>; + enable-method = "psci"; + next-level-cache = <&L2_600>; +@@ -163,7 +163,7 @@ L2_600: l2-cache { + + CPU7: cpu@700 { + device_type = "cpu"; +- compatible = "qcom,kryo685"; ++ compatible = "arm,cortex-x1"; + reg = <0x0 0x700>; + enable-method = "psci"; + next-level-cache = <&L2_700>; +-- +2.40.1 + diff --git a/queue-5.15/asoc-stac9766-fix-build-errors-with-regmap_ac97.patch b/queue-5.15/asoc-stac9766-fix-build-errors-with-regmap_ac97.patch new file mode 100644 index 00000000000..a28224e6cec --- /dev/null +++ b/queue-5.15/asoc-stac9766-fix-build-errors-with-regmap_ac97.patch @@ -0,0 +1,42 @@ +From 7886dd5152b99c384f0c17b2aa2f25d4f27d0b62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 21:48:36 -0700 +Subject: ASoC: stac9766: fix build errors with REGMAP_AC97 + +From: Randy Dunlap + +[ Upstream commit c70064b96f509daa78f57992aeabcf274fb2fed4 ] + +Select REGMAP_AC97 to fix these build errors: + +ERROR: modpost: "regmap_ac97_default_volatile" [sound/soc/codecs/snd-soc-stac9766.ko] undefined! +ERROR: modpost: "__regmap_init_ac97" [sound/soc/codecs/snd-soc-stac9766.ko] undefined! + +Fixes: 6bbf787bb70c ("ASoC: stac9766: Convert to regmap") +Signed-off-by: Randy Dunlap +Cc: Lars-Peter Clausen +Cc: Mark Brown +Cc: Liam Girdwood +Cc: alsa-devel@alsa-project.org +Link: https://lore.kernel.org/r/20230701044836.18789-1-rdunlap@infradead.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/codecs/Kconfig b/sound/soc/codecs/Kconfig +index c3deb82c5da3a..1750cc888bbe8 100644 +--- a/sound/soc/codecs/Kconfig ++++ b/sound/soc/codecs/Kconfig +@@ -1383,6 +1383,7 @@ config SND_SOC_STA529 + config SND_SOC_STAC9766 + tristate + depends on SND_SOC_AC97_BUS ++ select REGMAP_AC97 + + config SND_SOC_STI_SAS + tristate "codec Audio support for STI SAS codec" +-- +2.40.1 + diff --git a/queue-5.15/audit-fix-possible-soft-lockup-in-__audit_inode_chil.patch b/queue-5.15/audit-fix-possible-soft-lockup-in-__audit_inode_chil.patch new file mode 100644 index 00000000000..311fc8ede24 --- /dev/null +++ b/queue-5.15/audit-fix-possible-soft-lockup-in-__audit_inode_chil.patch @@ -0,0 +1,80 @@ +From 13e9b39f21b047104399103570051aea3a4370a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Aug 2023 20:14:35 +0800 +Subject: audit: fix possible soft lockup in __audit_inode_child() + +From: Gaosheng Cui + +[ Upstream commit b59bc6e37237e37eadf50cd5de369e913f524463 ] + +Tracefs or debugfs maybe cause hundreds to thousands of PATH records, +too many PATH records maybe cause soft lockup. + +For example: + 1. CONFIG_KASAN=y && CONFIG_PREEMPTION=n + 2. auditctl -a exit,always -S open -k key + 3. sysctl -w kernel.watchdog_thresh=5 + 4. mkdir /sys/kernel/debug/tracing/instances/test + +There may be a soft lockup as follows: + watchdog: BUG: soft lockup - CPU#45 stuck for 7s! [mkdir:15498] + Kernel panic - not syncing: softlockup: hung tasks + Call trace: + dump_backtrace+0x0/0x30c + show_stack+0x20/0x30 + dump_stack+0x11c/0x174 + panic+0x27c/0x494 + watchdog_timer_fn+0x2bc/0x390 + __run_hrtimer+0x148/0x4fc + __hrtimer_run_queues+0x154/0x210 + hrtimer_interrupt+0x2c4/0x760 + arch_timer_handler_phys+0x48/0x60 + handle_percpu_devid_irq+0xe0/0x340 + __handle_domain_irq+0xbc/0x130 + gic_handle_irq+0x78/0x460 + el1_irq+0xb8/0x140 + __audit_inode_child+0x240/0x7bc + tracefs_create_file+0x1b8/0x2a0 + trace_create_file+0x18/0x50 + event_create_dir+0x204/0x30c + __trace_add_new_event+0xac/0x100 + event_trace_add_tracer+0xa0/0x130 + trace_array_create_dir+0x60/0x140 + trace_array_create+0x1e0/0x370 + instance_mkdir+0x90/0xd0 + tracefs_syscall_mkdir+0x68/0xa0 + vfs_mkdir+0x21c/0x34c + do_mkdirat+0x1b4/0x1d4 + __arm64_sys_mkdirat+0x4c/0x60 + el0_svc_common.constprop.0+0xa8/0x240 + do_el0_svc+0x8c/0xc0 + el0_svc+0x20/0x30 + el0_sync_handler+0xb0/0xb4 + el0_sync+0x160/0x180 + +Therefore, we add cond_resched() to __audit_inode_child() to fix it. + +Fixes: 5195d8e217a7 ("audit: dynamically allocate audit_names when not enough space is in the names array") +Signed-off-by: Gaosheng Cui +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + kernel/auditsc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/auditsc.c b/kernel/auditsc.c +index 2f036bab3c28f..e7fedf504f760 100644 +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -2200,6 +2200,8 @@ void __audit_inode_child(struct inode *parent, + } + } + ++ cond_resched(); ++ + /* is there a matching child entry? */ + list_for_each_entry(n, &context->names_list, list) { + /* can only match entries that have a name */ +-- +2.40.1 + diff --git a/queue-5.15/bluetooth-btusb-do-not-call-kfree_skb-under-spin_loc.patch b/queue-5.15/bluetooth-btusb-do-not-call-kfree_skb-under-spin_loc.patch new file mode 100644 index 00000000000..591ebb278f0 --- /dev/null +++ b/queue-5.15/bluetooth-btusb-do-not-call-kfree_skb-under-spin_loc.patch @@ -0,0 +1,38 @@ +From 2e4d4467c5feb19fc175f9e05bcb2b30d7993c17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Aug 2023 11:46:37 +0800 +Subject: Bluetooth: btusb: Do not call kfree_skb() under spin_lock_irqsave() + +From: Jinjie Ruan + +[ Upstream commit 2a05334d7f91ff189692089c05fc48cc1d8204de ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with hardware interrupts being disabled. +So replace kfree_skb() with dev_kfree_skb_irq() under +spin_lock_irqsave(). Compile tested only. + +Fixes: baac6276c0a9 ("Bluetooth: btusb: handle mSBC audio over USB Endpoints") +Signed-off-by: Jinjie Ruan +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 15d253325fd8a..84a42348b3bcb 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -1756,7 +1756,7 @@ static int btusb_switch_alt_setting(struct hci_dev *hdev, int new_alts) + * alternate setting. + */ + spin_lock_irqsave(&data->rxlock, flags); +- kfree_skb(data->sco_skb); ++ dev_kfree_skb_irq(data->sco_skb); + data->sco_skb = NULL; + spin_unlock_irqrestore(&data->rxlock, flags); + +-- +2.40.1 + diff --git a/queue-5.15/bluetooth-fix-potential-use-after-free-when-clear-ke.patch b/queue-5.15/bluetooth-fix-potential-use-after-free-when-clear-ke.patch new file mode 100644 index 00000000000..51c5123a7e1 --- /dev/null +++ b/queue-5.15/bluetooth-fix-potential-use-after-free-when-clear-ke.patch @@ -0,0 +1,76 @@ +From 72aa72dae1219aa2d8e334908556de7b43c4e186 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Aug 2023 19:07:41 +0800 +Subject: Bluetooth: Fix potential use-after-free when clear keys + +From: Min Li + +[ Upstream commit 3673952cf0c6cf81b06c66a0b788abeeb02ff3ae ] + +Similar to commit c5d2b6fa26b5 ("Bluetooth: Fix use-after-free in +hci_remove_ltk/hci_remove_irk"). We can not access k after kfree_rcu() +call. + +Fixes: d7d41682efc2 ("Bluetooth: Fix Suspicious RCU usage warnings") +Signed-off-by: Min Li +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 682a09e7fea66..e777ccf76b2b7 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -2355,9 +2355,9 @@ void hci_uuids_clear(struct hci_dev *hdev) + + void hci_link_keys_clear(struct hci_dev *hdev) + { +- struct link_key *key; ++ struct link_key *key, *tmp; + +- list_for_each_entry(key, &hdev->link_keys, list) { ++ list_for_each_entry_safe(key, tmp, &hdev->link_keys, list) { + list_del_rcu(&key->list); + kfree_rcu(key, rcu); + } +@@ -2365,9 +2365,9 @@ void hci_link_keys_clear(struct hci_dev *hdev) + + void hci_smp_ltks_clear(struct hci_dev *hdev) + { +- struct smp_ltk *k; ++ struct smp_ltk *k, *tmp; + +- list_for_each_entry(k, &hdev->long_term_keys, list) { ++ list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) { + list_del_rcu(&k->list); + kfree_rcu(k, rcu); + } +@@ -2375,9 +2375,9 @@ void hci_smp_ltks_clear(struct hci_dev *hdev) + + void hci_smp_irks_clear(struct hci_dev *hdev) + { +- struct smp_irk *k; ++ struct smp_irk *k, *tmp; + +- list_for_each_entry(k, &hdev->identity_resolving_keys, list) { ++ list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) { + list_del_rcu(&k->list); + kfree_rcu(k, rcu); + } +@@ -2385,9 +2385,9 @@ void hci_smp_irks_clear(struct hci_dev *hdev) + + void hci_blocked_keys_clear(struct hci_dev *hdev) + { +- struct blocked_key *b; ++ struct blocked_key *b, *tmp; + +- list_for_each_entry(b, &hdev->blocked_keys, list) { ++ list_for_each_entry_safe(b, tmp, &hdev->blocked_keys, list) { + list_del_rcu(&b->list); + kfree_rcu(b, rcu); + } +-- +2.40.1 + diff --git a/queue-5.15/bluetooth-nokia-fix-value-check-in-nokia_bluetooth_s.patch b/queue-5.15/bluetooth-nokia-fix-value-check-in-nokia_bluetooth_s.patch new file mode 100644 index 00000000000..b84b0077e66 --- /dev/null +++ b/queue-5.15/bluetooth-nokia-fix-value-check-in-nokia_bluetooth_s.patch @@ -0,0 +1,41 @@ +From 8cc07470fd6df0ed4d306dc8869b842cebbaca6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jul 2023 21:30:00 +0800 +Subject: Bluetooth: nokia: fix value check in nokia_bluetooth_serdev_probe() + +From: Yuanjun Gong + +[ Upstream commit e8b5aed31355072faac8092ead4938ddec3111fd ] + +in nokia_bluetooth_serdev_probe(), check the return value of +clk_prepare_enable() and return the error code if +clk_prepare_enable() returns an unexpected value. + +Fixes: 7bb318680e86 ("Bluetooth: add nokia driver") +Signed-off-by: Yuanjun Gong +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_nokia.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/hci_nokia.c b/drivers/bluetooth/hci_nokia.c +index 05f7f6de6863d..97da0b2bfd17e 100644 +--- a/drivers/bluetooth/hci_nokia.c ++++ b/drivers/bluetooth/hci_nokia.c +@@ -734,7 +734,11 @@ static int nokia_bluetooth_serdev_probe(struct serdev_device *serdev) + return err; + } + +- clk_prepare_enable(sysclk); ++ err = clk_prepare_enable(sysclk); ++ if (err) { ++ dev_err(dev, "could not enable sysclk: %d", err); ++ return err; ++ } + btdev->sysclk_speed = clk_get_rate(sysclk); + clk_disable_unprepare(sysclk); + +-- +2.40.1 + diff --git a/queue-5.15/bpf-clear-the-probe_addr-for-uprobe.patch b/queue-5.15/bpf-clear-the-probe_addr-for-uprobe.patch new file mode 100644 index 00000000000..f4471b8da97 --- /dev/null +++ b/queue-5.15/bpf-clear-the-probe_addr-for-uprobe.patch @@ -0,0 +1,77 @@ +From b34effb5c2b0dff0a1e3c63d0f52f5affe5820ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Jul 2023 02:56:25 +0000 +Subject: bpf: Clear the probe_addr for uprobe + +From: Yafang Shao + +[ Upstream commit 5125e757e62f6c1d5478db4c2b61a744060ddf3f ] + +To avoid returning uninitialized or random values when querying the file +descriptor (fd) and accessing probe_addr, it is necessary to clear the +variable prior to its use. + +Fixes: 41bdc4b40ed6 ("bpf: introduce bpf subcommand BPF_TASK_FD_QUERY") +Signed-off-by: Yafang Shao +Acked-by: Yonghong Song +Acked-by: Jiri Olsa +Link: https://lore.kernel.org/r/20230709025630.3735-6-laoar.shao@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + include/linux/trace_events.h | 3 ++- + kernel/trace/bpf_trace.c | 2 +- + kernel/trace/trace_uprobe.c | 3 ++- + 3 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/include/linux/trace_events.h b/include/linux/trace_events.h +index ff137179e0c30..9c91c3531d830 100644 +--- a/include/linux/trace_events.h ++++ b/include/linux/trace_events.h +@@ -846,7 +846,8 @@ extern int perf_uprobe_init(struct perf_event *event, + extern void perf_uprobe_destroy(struct perf_event *event); + extern int bpf_get_uprobe_info(const struct perf_event *event, + u32 *fd_type, const char **filename, +- u64 *probe_offset, bool perf_type_tracepoint); ++ u64 *probe_offset, u64 *probe_addr, ++ bool perf_type_tracepoint); + #endif + extern int ftrace_profile_set_filter(struct perf_event *event, int event_id, + char *filter_str); +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 6352a41380e53..85a36b19c2b80 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -1996,7 +1996,7 @@ int bpf_get_perf_event_info(const struct perf_event *event, u32 *prog_id, + #ifdef CONFIG_UPROBE_EVENTS + if (flags & TRACE_EVENT_FL_UPROBE) + err = bpf_get_uprobe_info(event, fd_type, buf, +- probe_offset, ++ probe_offset, probe_addr, + event->attr.type == PERF_TYPE_TRACEPOINT); + #endif + } +diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c +index debc651015489..720b46b34ab94 100644 +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -1423,7 +1423,7 @@ static void uretprobe_perf_func(struct trace_uprobe *tu, unsigned long func, + + int bpf_get_uprobe_info(const struct perf_event *event, u32 *fd_type, + const char **filename, u64 *probe_offset, +- bool perf_type_tracepoint) ++ u64 *probe_addr, bool perf_type_tracepoint) + { + const char *pevent = trace_event_name(event->tp_event); + const char *group = event->tp_event->class->system; +@@ -1440,6 +1440,7 @@ int bpf_get_uprobe_info(const struct perf_event *event, u32 *fd_type, + : BPF_FD_TYPE_UPROBE; + *filename = tu->filename; + *probe_offset = tu->offset; ++ *probe_addr = 0; + return 0; + } + #endif /* CONFIG_PERF_EVENTS */ +-- +2.40.1 + diff --git a/queue-5.15/bpf-net-support-so_reuseport-sockets-with-bpf_sk_ass.patch b/queue-5.15/bpf-net-support-so_reuseport-sockets-with-bpf_sk_ass.patch new file mode 100644 index 00000000000..cacfc03c641 --- /dev/null +++ b/queue-5.15/bpf-net-support-so_reuseport-sockets-with-bpf_sk_ass.patch @@ -0,0 +1,332 @@ +From 6ce9726cde011d60974f784cd8e849820b062de2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 17:30:11 +0200 +Subject: bpf, net: Support SO_REUSEPORT sockets with bpf_sk_assign + +From: Lorenz Bauer + +[ Upstream commit 9c02bec95954252c3c01bfbb3f7560e0b95ca955 ] + +Currently the bpf_sk_assign helper in tc BPF context refuses SO_REUSEPORT +sockets. This means we can't use the helper to steer traffic to Envoy, +which configures SO_REUSEPORT on its sockets. In turn, we're blocked +from removing TPROXY from our setup. + +The reason that bpf_sk_assign refuses such sockets is that the +bpf_sk_lookup helpers don't execute SK_REUSEPORT programs. Instead, +one of the reuseport sockets is selected by hash. This could cause +dispatch to the "wrong" socket: + + sk = bpf_sk_lookup_tcp(...) // select SO_REUSEPORT by hash + bpf_sk_assign(skb, sk) // SK_REUSEPORT wasn't executed + +Fixing this isn't as simple as invoking SK_REUSEPORT from the lookup +helpers unfortunately. In the tc context, L2 headers are at the start +of the skb, while SK_REUSEPORT expects L3 headers instead. + +Instead, we execute the SK_REUSEPORT program when the assigned socket +is pulled out of the skb, further up the stack. This creates some +trickiness with regards to refcounting as bpf_sk_assign will put both +refcounted and RCU freed sockets in skb->sk. reuseport sockets are RCU +freed. We can infer that the sk_assigned socket is RCU freed if the +reuseport lookup succeeds, but convincing yourself of this fact isn't +straight forward. Therefore we defensively check refcounting on the +sk_assign sock even though it's probably not required in practice. + +Fixes: 8e368dc72e86 ("bpf: Fix use of sk->sk_reuseport from sk_assign") +Fixes: cf7fbe660f2d ("bpf: Add socket assign support") +Co-developed-by: Daniel Borkmann +Signed-off-by: Daniel Borkmann +Cc: Joe Stringer +Link: https://lore.kernel.org/bpf/CACAyw98+qycmpQzKupquhkxbvWK4OFyDuuLMBNROnfWMZxUWeA@mail.gmail.com/ +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: Lorenz Bauer +Link: https://lore.kernel.org/r/20230720-so-reuseport-v6-7-7021b683cdae@isovalent.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + include/net/inet6_hashtables.h | 56 +++++++++++++++++++++++++++++++--- + include/net/inet_hashtables.h | 49 +++++++++++++++++++++++++++-- + include/net/sock.h | 7 +++-- + include/uapi/linux/bpf.h | 3 -- + net/core/filter.c | 2 -- + net/ipv4/udp.c | 8 +++-- + net/ipv6/udp.c | 8 +++-- + tools/include/uapi/linux/bpf.h | 3 -- + 8 files changed, 115 insertions(+), 21 deletions(-) + +diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h +index f89320b6fee31..475e672b4facc 100644 +--- a/include/net/inet6_hashtables.h ++++ b/include/net/inet6_hashtables.h +@@ -94,6 +94,46 @@ static inline struct sock *__inet6_lookup(struct net *net, + daddr, hnum, dif, sdif); + } + ++static inline ++struct sock *inet6_steal_sock(struct net *net, struct sk_buff *skb, int doff, ++ const struct in6_addr *saddr, const __be16 sport, ++ const struct in6_addr *daddr, const __be16 dport, ++ bool *refcounted, inet6_ehashfn_t *ehashfn) ++{ ++ struct sock *sk, *reuse_sk; ++ bool prefetched; ++ ++ sk = skb_steal_sock(skb, refcounted, &prefetched); ++ if (!sk) ++ return NULL; ++ ++ if (!prefetched) ++ return sk; ++ ++ if (sk->sk_protocol == IPPROTO_TCP) { ++ if (sk->sk_state != TCP_LISTEN) ++ return sk; ++ } else if (sk->sk_protocol == IPPROTO_UDP) { ++ if (sk->sk_state != TCP_CLOSE) ++ return sk; ++ } else { ++ return sk; ++ } ++ ++ reuse_sk = inet6_lookup_reuseport(net, sk, skb, doff, ++ saddr, sport, daddr, ntohs(dport), ++ ehashfn); ++ if (!reuse_sk) ++ return sk; ++ ++ /* We've chosen a new reuseport sock which is never refcounted. This ++ * implies that sk also isn't refcounted. ++ */ ++ WARN_ON_ONCE(*refcounted); ++ ++ return reuse_sk; ++} ++ + static inline struct sock *__inet6_lookup_skb(struct inet_hashinfo *hashinfo, + struct sk_buff *skb, int doff, + const __be16 sport, +@@ -101,14 +141,20 @@ static inline struct sock *__inet6_lookup_skb(struct inet_hashinfo *hashinfo, + int iif, int sdif, + bool *refcounted) + { +- struct sock *sk = skb_steal_sock(skb, refcounted); +- ++ struct net *net = dev_net(skb_dst(skb)->dev); ++ const struct ipv6hdr *ip6h = ipv6_hdr(skb); ++ struct sock *sk; ++ ++ sk = inet6_steal_sock(net, skb, doff, &ip6h->saddr, sport, &ip6h->daddr, dport, ++ refcounted, inet6_ehashfn); ++ if (IS_ERR(sk)) ++ return NULL; + if (sk) + return sk; + +- return __inet6_lookup(dev_net(skb_dst(skb)->dev), hashinfo, skb, +- doff, &ipv6_hdr(skb)->saddr, sport, +- &ipv6_hdr(skb)->daddr, ntohs(dport), ++ return __inet6_lookup(net, hashinfo, skb, ++ doff, &ip6h->saddr, sport, ++ &ip6h->daddr, ntohs(dport), + iif, sdif, refcounted); + } + +diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h +index f4b4102744a50..06f1ab600481e 100644 +--- a/include/net/inet_hashtables.h ++++ b/include/net/inet_hashtables.h +@@ -382,6 +382,46 @@ static inline struct sock *inet_lookup(struct net *net, + return sk; + } + ++static inline ++struct sock *inet_steal_sock(struct net *net, struct sk_buff *skb, int doff, ++ const __be32 saddr, const __be16 sport, ++ const __be32 daddr, const __be16 dport, ++ bool *refcounted, inet_ehashfn_t *ehashfn) ++{ ++ struct sock *sk, *reuse_sk; ++ bool prefetched; ++ ++ sk = skb_steal_sock(skb, refcounted, &prefetched); ++ if (!sk) ++ return NULL; ++ ++ if (!prefetched) ++ return sk; ++ ++ if (sk->sk_protocol == IPPROTO_TCP) { ++ if (sk->sk_state != TCP_LISTEN) ++ return sk; ++ } else if (sk->sk_protocol == IPPROTO_UDP) { ++ if (sk->sk_state != TCP_CLOSE) ++ return sk; ++ } else { ++ return sk; ++ } ++ ++ reuse_sk = inet_lookup_reuseport(net, sk, skb, doff, ++ saddr, sport, daddr, ntohs(dport), ++ ehashfn); ++ if (!reuse_sk) ++ return sk; ++ ++ /* We've chosen a new reuseport sock which is never refcounted. This ++ * implies that sk also isn't refcounted. ++ */ ++ WARN_ON_ONCE(*refcounted); ++ ++ return reuse_sk; ++} ++ + static inline struct sock *__inet_lookup_skb(struct inet_hashinfo *hashinfo, + struct sk_buff *skb, + int doff, +@@ -390,13 +430,18 @@ static inline struct sock *__inet_lookup_skb(struct inet_hashinfo *hashinfo, + const int sdif, + bool *refcounted) + { +- struct sock *sk = skb_steal_sock(skb, refcounted); ++ struct net *net = dev_net(skb_dst(skb)->dev); + const struct iphdr *iph = ip_hdr(skb); ++ struct sock *sk; + ++ sk = inet_steal_sock(net, skb, doff, iph->saddr, sport, iph->daddr, dport, ++ refcounted, inet_ehashfn); ++ if (IS_ERR(sk)) ++ return NULL; + if (sk) + return sk; + +- return __inet_lookup(dev_net(skb_dst(skb)->dev), hashinfo, skb, ++ return __inet_lookup(net, hashinfo, skb, + doff, iph->saddr, sport, + iph->daddr, dport, inet_iif(skb), sdif, + refcounted); +diff --git a/include/net/sock.h b/include/net/sock.h +index 640bd7a367779..68579cb022e25 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -2745,20 +2745,23 @@ sk_is_refcounted(struct sock *sk) + * skb_steal_sock - steal a socket from an sk_buff + * @skb: sk_buff to steal the socket from + * @refcounted: is set to true if the socket is reference-counted ++ * @prefetched: is set to true if the socket was assigned from bpf + */ + static inline struct sock * +-skb_steal_sock(struct sk_buff *skb, bool *refcounted) ++skb_steal_sock(struct sk_buff *skb, bool *refcounted, bool *prefetched) + { + if (skb->sk) { + struct sock *sk = skb->sk; + + *refcounted = true; +- if (skb_sk_is_prefetched(skb)) ++ *prefetched = skb_sk_is_prefetched(skb); ++ if (*prefetched) + *refcounted = sk_is_refcounted(sk); + skb->destructor = NULL; + skb->sk = NULL; + return sk; + } ++ *prefetched = false; + *refcounted = false; + return NULL; + } +diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h +index a887e582f0e78..b9c5a942bc545 100644 +--- a/include/uapi/linux/bpf.h ++++ b/include/uapi/linux/bpf.h +@@ -3976,9 +3976,6 @@ union bpf_attr { + * **-EOPNOTSUPP** if the operation is not supported, for example + * a call from outside of TC ingress. + * +- * **-ESOCKTNOSUPPORT** if the socket type is not supported +- * (reuseport). +- * + * long bpf_sk_assign(struct bpf_sk_lookup *ctx, struct bpf_sock *sk, u64 flags) + * Description + * Helper is overloaded depending on BPF program type. This +diff --git a/net/core/filter.c b/net/core/filter.c +index 76432aa3b717c..6f1fab853e77e 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -6957,8 +6957,6 @@ BPF_CALL_3(bpf_sk_assign, struct sk_buff *, skb, struct sock *, sk, u64, flags) + return -EOPNOTSUPP; + if (unlikely(dev_net(skb->dev) != sock_net(sk))) + return -ENETUNREACH; +- if (unlikely(sk_fullsock(sk) && sk->sk_reuseport)) +- return -ESOCKTNOSUPPORT; + if (sk_unhashed(sk)) + return -EOPNOTSUPP; + if (sk_is_refcounted(sk) && +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index de672235ceee5..9149b7aeddc65 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -2446,7 +2446,11 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, + if (udp4_csum_init(skb, uh, proto)) + goto csum_error; + +- sk = skb_steal_sock(skb, &refcounted); ++ sk = inet_steal_sock(net, skb, sizeof(struct udphdr), saddr, uh->source, daddr, uh->dest, ++ &refcounted, udp_ehashfn); ++ if (IS_ERR(sk)) ++ goto no_sk; ++ + if (sk) { + struct dst_entry *dst = skb_dst(skb); + int ret; +@@ -2467,7 +2471,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, + sk = __udp4_lib_lookup_skb(skb, uh->source, uh->dest, udptable); + if (sk) + return udp_unicast_rcv_skb(sk, skb, uh); +- ++no_sk: + if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) + goto drop; + nf_reset_ct(skb); +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 2c653ed1add1f..04dfc16425de9 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -969,7 +969,11 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, + goto csum_error; + + /* Check if the socket is already available, e.g. due to early demux */ +- sk = skb_steal_sock(skb, &refcounted); ++ sk = inet6_steal_sock(net, skb, sizeof(struct udphdr), saddr, uh->source, daddr, uh->dest, ++ &refcounted, udp6_ehashfn); ++ if (IS_ERR(sk)) ++ goto no_sk; ++ + if (sk) { + struct dst_entry *dst = skb_dst(skb); + int ret; +@@ -1003,7 +1007,7 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, + goto report_csum_error; + return udp6_unicast_rcv_skb(sk, skb, uh); + } +- ++no_sk: + reason = SKB_DROP_REASON_NO_SOCKET; + + if (!uh->check) +diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h +index 8330e3ca8fbfb..39a209c4c65c4 100644 +--- a/tools/include/uapi/linux/bpf.h ++++ b/tools/include/uapi/linux/bpf.h +@@ -3976,9 +3976,6 @@ union bpf_attr { + * **-EOPNOTSUPP** if the operation is not supported, for example + * a call from outside of TC ingress. + * +- * **-ESOCKTNOSUPPORT** if the socket type is not supported +- * (reuseport). +- * + * long bpf_sk_assign(struct bpf_sk_lookup *ctx, struct bpf_sock *sk, u64 flags) + * Description + * Helper is overloaded depending on BPF program type. This +-- +2.40.1 + diff --git a/queue-5.15/bpf-reject-unhashed-sockets-in-bpf_sk_assign.patch b/queue-5.15/bpf-reject-unhashed-sockets-in-bpf_sk_assign.patch new file mode 100644 index 00000000000..ac66da5ebb0 --- /dev/null +++ b/queue-5.15/bpf-reject-unhashed-sockets-in-bpf_sk_assign.patch @@ -0,0 +1,96 @@ +From bede9c3851c5fe72121662eda53227399edd9aa9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 17:30:06 +0200 +Subject: bpf: reject unhashed sockets in bpf_sk_assign + +From: Lorenz Bauer + +[ Upstream commit 67312adc96b5a585970d03b62412847afe2c6b01 ] + +The semantics for bpf_sk_assign are as follows: + + sk = some_lookup_func() + bpf_sk_assign(skb, sk) + bpf_sk_release(sk) + +That is, the sk is not consumed by bpf_sk_assign. The function +therefore needs to make sure that sk lives long enough to be +consumed from __inet_lookup_skb. The path through the stack for a +TCPv4 packet is roughly: + + netif_receive_skb_core: takes RCU read lock + __netif_receive_skb_core: + sch_handle_ingress: + tcf_classify: + bpf_sk_assign() + deliver_ptype_list_skb: + deliver_skb: + ip_packet_type->func == ip_rcv: + ip_rcv_core: + ip_rcv_finish_core: + dst_input: + ip_local_deliver: + ip_local_deliver_finish: + ip_protocol_deliver_rcu: + tcp_v4_rcv: + __inet_lookup_skb: + skb_steal_sock + +The existing helper takes advantage of the fact that everything +happens in the same RCU critical section: for sockets with +SOCK_RCU_FREE set bpf_sk_assign never takes a reference. +skb_steal_sock then checks SOCK_RCU_FREE again and does sock_put +if necessary. + +This approach assumes that SOCK_RCU_FREE is never set on a sk +between bpf_sk_assign and skb_steal_sock, but this invariant is +violated by unhashed UDP sockets. A new UDP socket is created +in TCP_CLOSE state but without SOCK_RCU_FREE set. That flag is only +added in udp_lib_get_port() which happens when a socket is bound. + +When bpf_sk_assign was added it wasn't possible to access unhashed +UDP sockets from BPF, so this wasn't a problem. This changed +in commit 0c48eefae712 ("sock_map: Lift socket state restriction +for datagram sockets"), but the helper wasn't adjusted accordingly. +The following sequence of events will therefore lead to a refcount +leak: + +1. Add socket(AF_INET, SOCK_DGRAM) to a sockmap. +2. Pull socket out of sockmap and bpf_sk_assign it. Since + SOCK_RCU_FREE is not set we increment the refcount. +3. bind() or connect() the socket, setting SOCK_RCU_FREE. +4. skb_steal_sock will now set refcounted = false due to + SOCK_RCU_FREE. +5. tcp_v4_rcv() skips sock_put(). + +Fix the problem by rejecting unhashed sockets in bpf_sk_assign(). +This matches the behaviour of __inet_lookup_skb which is ultimately +the goal of bpf_sk_assign(). + +Fixes: cf7fbe660f2d ("bpf: Add socket assign support") +Cc: Joe Stringer +Signed-off-by: Lorenz Bauer +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230720-so-reuseport-v6-2-7021b683cdae@isovalent.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/core/filter.c b/net/core/filter.c +index 458756334c4f9..76432aa3b717c 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -6959,6 +6959,8 @@ BPF_CALL_3(bpf_sk_assign, struct sk_buff *, skb, struct sock *, sk, u64, flags) + return -ENETUNREACH; + if (unlikely(sk_fullsock(sk) && sk->sk_reuseport)) + return -ESOCKTNOSUPPORT; ++ if (sk_unhashed(sk)) ++ return -EOPNOTSUPP; + if (sk_is_refcounted(sk) && + unlikely(!refcount_inc_not_zero(&sk->sk_refcnt))) + return -ENOENT; +-- +2.40.1 + diff --git a/queue-5.15/bpftool-use-a-local-bpf_perf_event_value-to-fix-acce.patch b/queue-5.15/bpftool-use-a-local-bpf_perf_event_value-to-fix-acce.patch new file mode 100644 index 00000000000..674a356a828 --- /dev/null +++ b/queue-5.15/bpftool-use-a-local-bpf_perf_event_value-to-fix-acce.patch @@ -0,0 +1,137 @@ +From abb87251459a96d622ae17499f99af2fd758a8ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 10:54:25 +0100 +Subject: bpftool: Use a local bpf_perf_event_value to fix accessing its fields + +From: Alexander Lobakin + +[ Upstream commit 658ac06801315b739774a15796ff06913ef5cad5 ] + +Fix the following error when building bpftool: + + CLANG profiler.bpf.o + CLANG pid_iter.bpf.o +skeleton/profiler.bpf.c:18:21: error: invalid application of 'sizeof' to an incomplete type 'struct bpf_perf_event_value' + __uint(value_size, sizeof(struct bpf_perf_event_value)); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +tools/bpf/bpftool/bootstrap/libbpf/include/bpf/bpf_helpers.h:13:39: note: expanded from macro '__uint' +tools/bpf/bpftool/bootstrap/libbpf/include/bpf/bpf_helper_defs.h:7:8: note: forward declaration of 'struct bpf_perf_event_value' +struct bpf_perf_event_value; + ^ + +struct bpf_perf_event_value is being used in the kernel only when +CONFIG_BPF_EVENTS is enabled, so it misses a BTF entry then. +Define struct bpf_perf_event_value___local with the +`preserve_access_index` attribute inside the pid_iter BPF prog to +allow compiling on any configs. It is a full mirror of a UAPI +structure, so is compatible both with and w/o CO-RE. +bpf_perf_event_read_value() requires a pointer of the original type, +so a cast is needed. + +Fixes: 47c09d6a9f67 ("bpftool: Introduce "prog profile" command") +Suggested-by: Andrii Nakryiko +Signed-off-by: Alexander Lobakin +Signed-off-by: Quentin Monnet +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20230707095425.168126-5-quentin@isovalent.com +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/skeleton/profiler.bpf.c | 27 ++++++++++++++--------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +diff --git a/tools/bpf/bpftool/skeleton/profiler.bpf.c b/tools/bpf/bpftool/skeleton/profiler.bpf.c +index ce5b65e07ab10..2f80edc682f11 100644 +--- a/tools/bpf/bpftool/skeleton/profiler.bpf.c ++++ b/tools/bpf/bpftool/skeleton/profiler.bpf.c +@@ -4,6 +4,12 @@ + #include + #include + ++struct bpf_perf_event_value___local { ++ __u64 counter; ++ __u64 enabled; ++ __u64 running; ++} __attribute__((preserve_access_index)); ++ + /* map of perf event fds, num_cpu * num_metric entries */ + struct { + __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY); +@@ -15,14 +21,14 @@ struct { + struct { + __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); + __uint(key_size, sizeof(u32)); +- __uint(value_size, sizeof(struct bpf_perf_event_value)); ++ __uint(value_size, sizeof(struct bpf_perf_event_value___local)); + } fentry_readings SEC(".maps"); + + /* accumulated readings */ + struct { + __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); + __uint(key_size, sizeof(u32)); +- __uint(value_size, sizeof(struct bpf_perf_event_value)); ++ __uint(value_size, sizeof(struct bpf_perf_event_value___local)); + } accum_readings SEC(".maps"); + + /* sample counts, one per cpu */ +@@ -39,7 +45,7 @@ const volatile __u32 num_metric = 1; + SEC("fentry/XXX") + int BPF_PROG(fentry_XXX) + { +- struct bpf_perf_event_value *ptrs[MAX_NUM_MATRICS]; ++ struct bpf_perf_event_value___local *ptrs[MAX_NUM_MATRICS]; + u32 key = bpf_get_smp_processor_id(); + u32 i; + +@@ -53,10 +59,10 @@ int BPF_PROG(fentry_XXX) + } + + for (i = 0; i < num_metric && i < MAX_NUM_MATRICS; i++) { +- struct bpf_perf_event_value reading; ++ struct bpf_perf_event_value___local reading; + int err; + +- err = bpf_perf_event_read_value(&events, key, &reading, ++ err = bpf_perf_event_read_value(&events, key, (void *)&reading, + sizeof(reading)); + if (err) + return 0; +@@ -68,14 +74,14 @@ int BPF_PROG(fentry_XXX) + } + + static inline void +-fexit_update_maps(u32 id, struct bpf_perf_event_value *after) ++fexit_update_maps(u32 id, struct bpf_perf_event_value___local *after) + { +- struct bpf_perf_event_value *before, diff; ++ struct bpf_perf_event_value___local *before, diff; + + before = bpf_map_lookup_elem(&fentry_readings, &id); + /* only account samples with a valid fentry_reading */ + if (before && before->counter) { +- struct bpf_perf_event_value *accum; ++ struct bpf_perf_event_value___local *accum; + + diff.counter = after->counter - before->counter; + diff.enabled = after->enabled - before->enabled; +@@ -93,7 +99,7 @@ fexit_update_maps(u32 id, struct bpf_perf_event_value *after) + SEC("fexit/XXX") + int BPF_PROG(fexit_XXX) + { +- struct bpf_perf_event_value readings[MAX_NUM_MATRICS]; ++ struct bpf_perf_event_value___local readings[MAX_NUM_MATRICS]; + u32 cpu = bpf_get_smp_processor_id(); + u32 i, zero = 0; + int err; +@@ -102,7 +108,8 @@ int BPF_PROG(fexit_XXX) + /* read all events before updating the maps, to reduce error */ + for (i = 0; i < num_metric && i < MAX_NUM_MATRICS; i++) { + err = bpf_perf_event_read_value(&events, cpu + i * num_cpu, +- readings + i, sizeof(*readings)); ++ (void *)(readings + i), ++ sizeof(*readings)); + if (err) + return 0; + } +-- +2.40.1 + diff --git a/queue-5.15/bus-ti-sysc-fix-build-warning-for-64-bit-build.patch b/queue-5.15/bus-ti-sysc-fix-build-warning-for-64-bit-build.patch new file mode 100644 index 00000000000..6719bc1f1df --- /dev/null +++ b/queue-5.15/bus-ti-sysc-fix-build-warning-for-64-bit-build.patch @@ -0,0 +1,40 @@ +From 3ba2dfa019a555c05afa11623bfdaebe247f93ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 13:38:01 +0300 +Subject: bus: ti-sysc: Fix build warning for 64-bit build + +From: Tony Lindgren + +[ Upstream commit e1e1e9bb9d943ec690670a609a5f660ca10eaf85 ] + +Fix "warning: cast from pointer to integer of different size" on 64-bit +builds. + +Note that this is a cosmetic fix at this point as the driver is not yet +used for 64-bit systems. + +Fixes: feaa8baee82a ("bus: ti-sysc: Implement SoC revision handling") +Reviewed-by: Dhruva Gole +Reviewed-by: Nishanth Menon +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + drivers/bus/ti-sysc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c +index 71b541538801e..b756807501f69 100644 +--- a/drivers/bus/ti-sysc.c ++++ b/drivers/bus/ti-sysc.c +@@ -3055,7 +3055,7 @@ static int sysc_init_static_data(struct sysc *ddata) + + match = soc_device_match(sysc_soc_match); + if (match && match->data) +- sysc_soc->soc = (int)match->data; ++ sysc_soc->soc = (enum sysc_soc)match->data; + + /* + * Check and warn about possible old incomplete dtb. We now want to see +-- +2.40.1 + diff --git a/queue-5.15/bus-ti-sysc-fix-cast-to-enum-warning.patch b/queue-5.15/bus-ti-sysc-fix-cast-to-enum-warning.patch new file mode 100644 index 00000000000..3d7bdc73bee --- /dev/null +++ b/queue-5.15/bus-ti-sysc-fix-cast-to-enum-warning.patch @@ -0,0 +1,38 @@ +From ba61b0d9ec0ad50f44cebedcba56f42acc5f0c83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Aug 2023 08:49:05 +0300 +Subject: bus: ti-sysc: Fix cast to enum warning + +From: Tony Lindgren + +[ Upstream commit de44bf2f7683347f75690ef6cf61a1d5ba8f0891 ] + +Fix warning for "cast to smaller integer type 'enum sysc_soc' from 'const +void *'". + +Cc: Nishanth Menon +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202308150723.ziuGCdM3-lkp@intel.com/ +Fixes: e1e1e9bb9d94 ("bus: ti-sysc: Fix build warning for 64-bit build") +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + drivers/bus/ti-sysc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c +index b756807501f69..436c0f3563d79 100644 +--- a/drivers/bus/ti-sysc.c ++++ b/drivers/bus/ti-sysc.c +@@ -3055,7 +3055,7 @@ static int sysc_init_static_data(struct sysc *ddata) + + match = soc_device_match(sysc_soc_match); + if (match && match->data) +- sysc_soc->soc = (enum sysc_soc)match->data; ++ sysc_soc->soc = (enum sysc_soc)(uintptr_t)match->data; + + /* + * Check and warn about possible old incomplete dtb. We now want to see +-- +2.40.1 + diff --git a/queue-5.15/can-gs_usb-gs_usb_receive_bulk_callback-count-rx-ove.patch b/queue-5.15/can-gs_usb-gs_usb_receive_bulk_callback-count-rx-ove.patch new file mode 100644 index 00000000000..d2621cb893a --- /dev/null +++ b/queue-5.15/can-gs_usb-gs_usb_receive_bulk_callback-count-rx-ove.patch @@ -0,0 +1,50 @@ +From 1a8d0580ebb84ad15c513cbdda5f00a0e2422120 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jul 2023 11:23:37 +0200 +Subject: can: gs_usb: gs_usb_receive_bulk_callback(): count RX overflow errors + also in case of OOM + +From: Marc Kleine-Budde + +[ Upstream commit 6c8bc15f02b85bc8f47074110d8fd8caf7a1e42d ] + +In case of an RX overflow error from the CAN controller and an OOM +where no skb can be allocated, the error counters are not incremented. + +Fix this by first incrementing the error counters and then allocate +the skb. + +Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") +Link: https://lore.kernel.org/all/20230718-gs_usb-cleanups-v1-7-c3b9154ec605@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/gs_usb.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c +index 5d6062fbebfcc..7dc4fb574e459 100644 +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -382,6 +382,9 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) + } + + if (hf->flags & GS_CAN_FLAG_OVERFLOW) { ++ stats->rx_over_errors++; ++ stats->rx_errors++; ++ + skb = alloc_can_err_skb(netdev, &cf); + if (!skb) + goto resubmit_urb; +@@ -389,8 +392,6 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) + cf->can_id |= CAN_ERR_CRTL; + cf->len = CAN_ERR_DLC; + cf->data[1] = CAN_ERR_CRTL_RX_OVERFLOW; +- stats->rx_over_errors++; +- stats->rx_errors++; + netif_rx(skb); + } + +-- +2.40.1 + diff --git a/queue-5.15/cgroup-namespace-remove-unused-cgroup_namespaces_ini.patch b/queue-5.15/cgroup-namespace-remove-unused-cgroup_namespaces_ini.patch new file mode 100644 index 00000000000..de07d7c1dbf --- /dev/null +++ b/queue-5.15/cgroup-namespace-remove-unused-cgroup_namespaces_ini.patch @@ -0,0 +1,37 @@ +From 77e3aad28a19e5f9504086784f93ad96c1b2cbae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 11:25:28 +0000 +Subject: cgroup:namespace: Remove unused cgroup_namespaces_init() + +From: Lu Jialin + +[ Upstream commit 82b90b6c5b38e457c7081d50dff11ecbafc1e61a ] + +cgroup_namspace_init() just return 0. Therefore, there is no need to +call it during start_kernel. Just remove it. + +Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces") +Signed-off-by: Lu Jialin +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/namespace.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/kernel/cgroup/namespace.c b/kernel/cgroup/namespace.c +index 0d5c29879a50b..144a464e45c66 100644 +--- a/kernel/cgroup/namespace.c ++++ b/kernel/cgroup/namespace.c +@@ -149,9 +149,3 @@ const struct proc_ns_operations cgroupns_operations = { + .install = cgroupns_install, + .owner = cgroupns_owner, + }; +- +-static __init int cgroup_namespaces_init(void) +-{ +- return 0; +-} +-subsys_initcall(cgroup_namespaces_init); +-- +2.40.1 + diff --git a/queue-5.15/clk-imx-composite-8m-fix-clock-pauses-when-set_rate-.patch b/queue-5.15/clk-imx-composite-8m-fix-clock-pauses-when-set_rate-.patch new file mode 100644 index 00000000000..c3ac76a3ba8 --- /dev/null +++ b/queue-5.15/clk-imx-composite-8m-fix-clock-pauses-when-set_rate-.patch @@ -0,0 +1,78 @@ +From d988d98241bb869424cc6120171385d8cf8f1a41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Aug 2023 10:22:00 +0200 +Subject: clk: imx: composite-8m: fix clock pauses when set_rate would be a + no-op + +From: Ahmad Fatoum + +[ Upstream commit 4dd432d985ef258e3bc436e568fba4b987b59171 ] + +Reconfiguring the clock divider to the exact same value is observed +on an i.MX8MN to often cause a longer than usual clock pause, probably +because the divider restarts counting whenever the register is rewritten. + +This issue doesn't show up normally, because the clock framework will +take care to not call set_rate when the clock rate is the same. +However, when we reconfigure an upstream clock, the common code will +call set_rate with the newly calculated rate on all children, e.g.: + + - sai5 is running normally and divides Audio PLL out by 16. + - Audio PLL rate is increased by 32Hz (glitch-free kdiv change) + - rates for children are recalculated and rates are set recursively + - imx8m_clk_composite_divider_set_rate(sai5) is called with + 32/16 = 2Hz more + - imx8m_clk_composite_divider_set_rate computes same divider as before + - divider register is written, so it restarts counting from zero and + MCLK is briefly paused, so instead of e.g. 40ns, MCLK is low for 120ns. + +Some external clock consumers can be upset by such unexpected clock pauses, +so let's make sure we only rewrite the divider value when the value to be +written is actually different. + +Fixes: d3ff9728134e ("clk: imx: Add imx composite clock") +Signed-off-by: Ahmad Fatoum +Reviewed-by: Peng Fan +Link: https://lore.kernel.org/r/20230807082201.2332746-1-a.fatoum@pengutronix.de +Signed-off-by: Abel Vesa +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-composite-8m.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/clk/imx/clk-composite-8m.c b/drivers/clk/imx/clk-composite-8m.c +index 04e728538cefe..75e05582cb24f 100644 +--- a/drivers/clk/imx/clk-composite-8m.c ++++ b/drivers/clk/imx/clk-composite-8m.c +@@ -97,7 +97,7 @@ static int imx8m_clk_composite_divider_set_rate(struct clk_hw *hw, + int prediv_value; + int div_value; + int ret; +- u32 val; ++ u32 orig, val; + + ret = imx8m_clk_composite_compute_dividers(rate, parent_rate, + &prediv_value, &div_value); +@@ -106,13 +106,15 @@ static int imx8m_clk_composite_divider_set_rate(struct clk_hw *hw, + + spin_lock_irqsave(divider->lock, flags); + +- val = readl(divider->reg); +- val &= ~((clk_div_mask(divider->width) << divider->shift) | +- (clk_div_mask(PCG_DIV_WIDTH) << PCG_DIV_SHIFT)); ++ orig = readl(divider->reg); ++ val = orig & ~((clk_div_mask(divider->width) << divider->shift) | ++ (clk_div_mask(PCG_DIV_WIDTH) << PCG_DIV_SHIFT)); + + val |= (u32)(prediv_value - 1) << divider->shift; + val |= (u32)(div_value - 1) << PCG_DIV_SHIFT; +- writel(val, divider->reg); ++ ++ if (val != orig) ++ writel(val, divider->reg); + + spin_unlock_irqrestore(divider->lock, flags); + +-- +2.40.1 + diff --git a/queue-5.15/clk-imx8mp-fix-sai4-clock.patch b/queue-5.15/clk-imx8mp-fix-sai4-clock.patch new file mode 100644 index 00000000000..eaaf12304ea --- /dev/null +++ b/queue-5.15/clk-imx8mp-fix-sai4-clock.patch @@ -0,0 +1,49 @@ +From aa31cf6887519cd45e89bd51100a9afe238a11d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 16:21:49 +0200 +Subject: clk: imx8mp: fix sai4 clock + +From: Marco Felsch + +[ Upstream commit c30f600f1f41dcf5ef0fb02e9a201f9b2e8f31bd ] + +The reference manual don't mention a SAI4 hardware block. This would be +clock slice 78 which is skipped (TRM, page 237). Remove any reference to +this clock to align the driver with the reality. + +Fixes: 9c140d992676 ("clk: imx: Add support for i.MX8MP clock driver") +Acked-by: Stephen Boyd +Signed-off-by: Marco Felsch +Link: https://lore.kernel.org/r/20230731142150.3186650-1-m.felsch@pengutronix.de +Signed-off-by: Abel Vesa +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx8mp.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/clk/imx/clk-imx8mp.c b/drivers/clk/imx/clk-imx8mp.c +index 0191457fb3cfc..2f898c0bc867c 100644 +--- a/drivers/clk/imx/clk-imx8mp.c ++++ b/drivers/clk/imx/clk-imx8mp.c +@@ -176,10 +176,6 @@ static const char * const imx8mp_sai3_sels[] = {"osc_24m", "audio_pll1_out", "au + "video_pll1_out", "sys_pll1_133m", "osc_hdmi", + "clk_ext3", "clk_ext4", }; + +-static const char * const imx8mp_sai4_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out", +- "video_pll1_out", "sys_pll1_133m", "osc_hdmi", +- "clk_ext1", "clk_ext2", }; +- + static const char * const imx8mp_sai5_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out", + "video_pll1_out", "sys_pll1_133m", "osc_hdmi", + "clk_ext2", "clk_ext3", }; +@@ -566,7 +562,6 @@ static int imx8mp_clocks_probe(struct platform_device *pdev) + hws[IMX8MP_CLK_SAI1] = imx8m_clk_hw_composite("sai1", imx8mp_sai1_sels, ccm_base + 0xa580); + hws[IMX8MP_CLK_SAI2] = imx8m_clk_hw_composite("sai2", imx8mp_sai2_sels, ccm_base + 0xa600); + hws[IMX8MP_CLK_SAI3] = imx8m_clk_hw_composite("sai3", imx8mp_sai3_sels, ccm_base + 0xa680); +- hws[IMX8MP_CLK_SAI4] = imx8m_clk_hw_composite("sai4", imx8mp_sai4_sels, ccm_base + 0xa700); + hws[IMX8MP_CLK_SAI5] = imx8m_clk_hw_composite("sai5", imx8mp_sai5_sels, ccm_base + 0xa780); + hws[IMX8MP_CLK_SAI6] = imx8m_clk_hw_composite("sai6", imx8mp_sai6_sels, ccm_base + 0xa800); + hws[IMX8MP_CLK_ENET_QOS] = imx8m_clk_hw_composite("enet_qos", imx8mp_enet_qos_sels, ccm_base + 0xa880); +-- +2.40.1 + diff --git a/queue-5.15/clk-qcom-gcc-sc7180-fix-up-gcc_sdcc2_apps_clk_src.patch b/queue-5.15/clk-qcom-gcc-sc7180-fix-up-gcc_sdcc2_apps_clk_src.patch new file mode 100644 index 00000000000..032fdf4d890 --- /dev/null +++ b/queue-5.15/clk-qcom-gcc-sc7180-fix-up-gcc_sdcc2_apps_clk_src.patch @@ -0,0 +1,37 @@ +From 75d61946783f5f0d63d8b2f88b12a75cdd58c680 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 21:05:02 +0200 +Subject: clk: qcom: gcc-sc7180: Fix up gcc_sdcc2_apps_clk_src + +From: David Wronek + +[ Upstream commit fd0b5ba87ad5709f0fd3d2bc4b7870494a75f96a ] + +Set .flags = CLK_OPS_PARENT_ENABLE to fix "gcc_sdcc2_apps_clk_src: rcg +didn't update its configuration" error. + +Fixes: 17269568f726 ("clk: qcom: Add Global Clock controller (GCC) driver for SC7180") +Signed-off-by: David Wronek +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230723190725.1619193-2-davidwronek@gmail.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-sc7180.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/qcom/gcc-sc7180.c b/drivers/clk/qcom/gcc-sc7180.c +index c2ea09945c472..a38394b4739a2 100644 +--- a/drivers/clk/qcom/gcc-sc7180.c ++++ b/drivers/clk/qcom/gcc-sc7180.c +@@ -667,6 +667,7 @@ static struct clk_rcg2 gcc_sdcc2_apps_clk_src = { + .name = "gcc_sdcc2_apps_clk_src", + .parent_data = gcc_parent_data_5, + .num_parents = ARRAY_SIZE(gcc_parent_data_5), ++ .flags = CLK_OPS_PARENT_ENABLE, + .ops = &clk_rcg2_floor_ops, + }, + }; +-- +2.40.1 + diff --git a/queue-5.15/clk-qcom-gcc-sm6350-fix-gcc_sdcc2_apps_clk_src.patch b/queue-5.15/clk-qcom-gcc-sm6350-fix-gcc_sdcc2_apps_clk_src.patch new file mode 100644 index 00000000000..886837dea51 --- /dev/null +++ b/queue-5.15/clk-qcom-gcc-sm6350-fix-gcc_sdcc2_apps_clk_src.patch @@ -0,0 +1,38 @@ +From 7b9e9c64f07dc89c7f8314069ef4ec049bf34db8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 16:09:30 +0200 +Subject: clk: qcom: gcc-sm6350: Fix gcc_sdcc2_apps_clk_src + +From: Luca Weiss + +[ Upstream commit df04d166d1f346dbf740bbea64a3bed3e7f14c8d ] + +GPLL7 is not on by default, which causes a "gcc_sdcc2_apps_clk_src: rcg +didn't update its configuration" error when booting. Set .flags = +CLK_OPS_PARENT_ENABLE to fix the error. + +Fixes: 131abae905df ("clk: qcom: Add SM6350 GCC driver") +Signed-off-by: Luca Weiss +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230804-sm6350-sdcc2-v1-1-3d946927d37d@fairphone.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-sm6350.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/qcom/gcc-sm6350.c b/drivers/clk/qcom/gcc-sm6350.c +index 3236706771b11..e32ad7499285f 100644 +--- a/drivers/clk/qcom/gcc-sm6350.c ++++ b/drivers/clk/qcom/gcc-sm6350.c +@@ -640,6 +640,7 @@ static struct clk_rcg2 gcc_sdcc2_apps_clk_src = { + .name = "gcc_sdcc2_apps_clk_src", + .parent_data = gcc_parent_data_8, + .num_parents = ARRAY_SIZE(gcc_parent_data_8), ++ .flags = CLK_OPS_PARENT_ENABLE, + .ops = &clk_rcg2_floor_ops, + }, + }; +-- +2.40.1 + diff --git a/queue-5.15/clk-qcom-gcc-sm8250-fix-gcc_sdcc2_apps_clk_src.patch b/queue-5.15/clk-qcom-gcc-sm8250-fix-gcc_sdcc2_apps_clk_src.patch new file mode 100644 index 00000000000..1a3f53a93f5 --- /dev/null +++ b/queue-5.15/clk-qcom-gcc-sm8250-fix-gcc_sdcc2_apps_clk_src.patch @@ -0,0 +1,40 @@ +From 445012e9f003634497daf1e4c730a30a44937943 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 14:04:00 -0700 +Subject: clk: qcom: gcc-sm8250: Fix gcc_sdcc2_apps_clk_src + +From: Patrick Whewell + +[ Upstream commit 783cb693828ce487cf0bc6ad16cbcf2caae6f8d9 ] + +GPLL9 is not on by default, which causes a "gcc_sdcc2_apps_clk_src: rcg +didn't update its configuration" error when booting. Set .flags = +CLK_OPS_PARENT_ENABLE to fix the error. + +Fixes: 3e5770921a88 ("clk: qcom: gcc: Add global clock controller driver for SM8250") +Reviewed-by: Konrad Dybcio +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Patrick Whewell +Reviewed-by: Vinod Koul +Link: https://lore.kernel.org/r/20230802210359.408-1-patrick.whewell@sightlineapplications.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-sm8250.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/qcom/gcc-sm8250.c b/drivers/clk/qcom/gcc-sm8250.c +index a0ba37656b07b..30bd561461074 100644 +--- a/drivers/clk/qcom/gcc-sm8250.c ++++ b/drivers/clk/qcom/gcc-sm8250.c +@@ -721,6 +721,7 @@ static struct clk_rcg2 gcc_sdcc2_apps_clk_src = { + .name = "gcc_sdcc2_apps_clk_src", + .parent_data = gcc_parent_data_4, + .num_parents = ARRAY_SIZE(gcc_parent_data_4), ++ .flags = CLK_OPS_PARENT_ENABLE, + .ops = &clk_rcg2_floor_ops, + }, + }; +-- +2.40.1 + diff --git a/queue-5.15/clk-qcom-reset-use-the-correct-type-of-sleep-delay-b.patch b/queue-5.15/clk-qcom-reset-use-the-correct-type-of-sleep-delay-b.patch new file mode 100644 index 00000000000..a2d57808619 --- /dev/null +++ b/queue-5.15/clk-qcom-reset-use-the-correct-type-of-sleep-delay-b.patch @@ -0,0 +1,40 @@ +From a14433007983c6554cff918fd69570ae10e81e7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jul 2023 09:57:38 +0200 +Subject: clk: qcom: reset: Use the correct type of sleep/delay based on length + +From: Konrad Dybcio + +[ Upstream commit 181b66ee7cdd824797fc99b53bec29cf5630a04f ] + +Use the fsleep() helper that (based on the length of the delay, see: [1]) +chooses the correct sleep/delay functions. + +[1] https://www.kernel.org/doc/Documentation/timers/timers-howto.txt + +Fixes: 2cb8a39b6781 ("clk: qcom: reset: Allow specifying custom reset delay") +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230726-topic-qcom_reset-v3-1-5958facd5db2@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/reset.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/qcom/reset.c b/drivers/clk/qcom/reset.c +index 0e914ec7aeae1..e45e32804d2c7 100644 +--- a/drivers/clk/qcom/reset.c ++++ b/drivers/clk/qcom/reset.c +@@ -16,7 +16,8 @@ static int qcom_reset(struct reset_controller_dev *rcdev, unsigned long id) + struct qcom_reset_controller *rst = to_qcom_reset_controller(rcdev); + + rcdev->ops->assert(rcdev, id); +- udelay(rst->reset_map[id].udelay ?: 1); /* use 1 us as default */ ++ fsleep(rst->reset_map[id].udelay ?: 1); /* use 1 us as default */ ++ + rcdev->ops->deassert(rcdev, id); + return 0; + } +-- +2.40.1 + diff --git a/queue-5.15/clk-sunxi-ng-modify-mismatched-function-name.patch b/queue-5.15/clk-sunxi-ng-modify-mismatched-function-name.patch new file mode 100644 index 00000000000..33096b8e734 --- /dev/null +++ b/queue-5.15/clk-sunxi-ng-modify-mismatched-function-name.patch @@ -0,0 +1,39 @@ +From fa25fc824c6ed57b632ed386071492747eac7525 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Jul 2023 15:31:07 +0000 +Subject: clk: sunxi-ng: Modify mismatched function name + +From: Zhang Jianhua + +[ Upstream commit 075d9ca5b4e17f84fd1c744a405e69ec743be7f0 ] + +No functional modification involved. + +drivers/clk/sunxi-ng/ccu_mmc_timing.c:54: warning: expecting prototype for sunxi_ccu_set_mmc_timing_mode(). Prototype was for sunxi_ccu_get_mmc_timing_mode() instead + +Fixes: f6f64ed868d3 ("clk: sunxi-ng: Add interface to query or configure MMC timing modes.") +Signed-off-by: Zhang Jianhua +Reviewed-by: Randy Dunlap +Link: https://lore.kernel.org/r/20230722153107.2078179-1-chris.zjh@huawei.com +Signed-off-by: Jernej Skrabec +Signed-off-by: Sasha Levin +--- + drivers/clk/sunxi-ng/ccu_mmc_timing.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/sunxi-ng/ccu_mmc_timing.c b/drivers/clk/sunxi-ng/ccu_mmc_timing.c +index de33414fc5c28..c6a6ce98ca03a 100644 +--- a/drivers/clk/sunxi-ng/ccu_mmc_timing.c ++++ b/drivers/clk/sunxi-ng/ccu_mmc_timing.c +@@ -43,7 +43,7 @@ int sunxi_ccu_set_mmc_timing_mode(struct clk *clk, bool new_mode) + EXPORT_SYMBOL_GPL(sunxi_ccu_set_mmc_timing_mode); + + /** +- * sunxi_ccu_set_mmc_timing_mode: Get the current MMC clock timing mode ++ * sunxi_ccu_get_mmc_timing_mode: Get the current MMC clock timing mode + * @clk: clock to query + * + * Returns 0 if the clock is in old timing mode, > 0 if it is in +-- +2.40.1 + diff --git a/queue-5.15/coresight-tmc-explicit-type-conversions-to-prevent-i.patch b/queue-5.15/coresight-tmc-explicit-type-conversions-to-prevent-i.patch new file mode 100644 index 00000000000..d999ef08f5a --- /dev/null +++ b/queue-5.15/coresight-tmc-explicit-type-conversions-to-prevent-i.patch @@ -0,0 +1,89 @@ +From f3a47acf33d79d19332fe4e590197e608471945a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 16:15:14 +0800 +Subject: coresight: tmc: Explicit type conversions to prevent integer overflow + +From: Ruidong Tian + +[ Upstream commit fd380097cdb305582b7a1f9476391330299d2c59 ] + +Perf cs_etm session executed unexpectedly when AUX buffer > 1G. + + perf record -C 0 -m ,2G -e cs_etm// -- + [ perf record: Captured and wrote 2.615 MB perf.data ] + +Perf only collect about 2M perf data rather than 2G. This is becasuse +the operation, "nr_pages << PAGE_SHIFT", in coresight tmc driver, will +overflow when nr_pages >= 0x80000(correspond to 1G AUX buffer). The +overflow cause buffer allocation to fail, and TMC driver will alloc +minimal buffer size(1M). You can just get about 2M perf data(1M AUX +buffer + perf data header) at least. + +Explicit convert nr_pages to 64 bit to avoid overflow. + +Fixes: 22f429f19c41 ("coresight: etm-perf: Add support for ETR backend") +Fixes: 99443ea19e8b ("coresight: Add generic TMC sg table framework") +Fixes: 2e499bbc1a92 ("coresight: tmc: implementing TMC-ETF AUX space API") +Signed-off-by: Ruidong Tian +Reviewed-by: James Clark +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20230804081514.120171-2-tianruidong@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-tmc-etf.c | 2 +- + drivers/hwtracing/coresight/coresight-tmc-etr.c | 5 +++-- + drivers/hwtracing/coresight/coresight-tmc.h | 2 +- + 3 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-tmc-etf.c b/drivers/hwtracing/coresight/coresight-tmc-etf.c +index cd0fb7bfba684..e9c2b0796f372 100644 +--- a/drivers/hwtracing/coresight/coresight-tmc-etf.c ++++ b/drivers/hwtracing/coresight/coresight-tmc-etf.c +@@ -428,7 +428,7 @@ static int tmc_set_etf_buffer(struct coresight_device *csdev, + return -EINVAL; + + /* wrap head around to the amount of space we have */ +- head = handle->head & ((buf->nr_pages << PAGE_SHIFT) - 1); ++ head = handle->head & (((unsigned long)buf->nr_pages << PAGE_SHIFT) - 1); + + /* find the page to write to */ + buf->cur = head / PAGE_SIZE; +diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c +index 0000d0c6068fd..b9cd1f9555523 100644 +--- a/drivers/hwtracing/coresight/coresight-tmc-etr.c ++++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c +@@ -47,7 +47,8 @@ struct etr_perf_buffer { + }; + + /* Convert the perf index to an offset within the ETR buffer */ +-#define PERF_IDX2OFF(idx, buf) ((idx) % ((buf)->nr_pages << PAGE_SHIFT)) ++#define PERF_IDX2OFF(idx, buf) \ ++ ((idx) % ((unsigned long)(buf)->nr_pages << PAGE_SHIFT)) + + /* Lower limit for ETR hardware buffer */ + #define TMC_ETR_PERF_MIN_BUF_SIZE SZ_1M +@@ -1232,7 +1233,7 @@ alloc_etr_buf(struct tmc_drvdata *drvdata, struct perf_event *event, + * than the size requested via sysfs. + */ + if ((nr_pages << PAGE_SHIFT) > drvdata->size) { +- etr_buf = tmc_alloc_etr_buf(drvdata, (nr_pages << PAGE_SHIFT), ++ etr_buf = tmc_alloc_etr_buf(drvdata, ((ssize_t)nr_pages << PAGE_SHIFT), + 0, node, NULL); + if (!IS_ERR(etr_buf)) + goto done; +diff --git a/drivers/hwtracing/coresight/coresight-tmc.h b/drivers/hwtracing/coresight/coresight-tmc.h +index b91ec7dde7bc9..3655b3bfb2e32 100644 +--- a/drivers/hwtracing/coresight/coresight-tmc.h ++++ b/drivers/hwtracing/coresight/coresight-tmc.h +@@ -321,7 +321,7 @@ ssize_t tmc_sg_table_get_data(struct tmc_sg_table *sg_table, + static inline unsigned long + tmc_sg_table_buf_size(struct tmc_sg_table *sg_table) + { +- return sg_table->data_pages.nr_pages << PAGE_SHIFT; ++ return (unsigned long)sg_table->data_pages.nr_pages << PAGE_SHIFT; + } + + struct coresight_device *tmc_etr_get_catu_device(struct tmc_drvdata *drvdata); +-- +2.40.1 + diff --git a/queue-5.15/cpufreq-fix-the-race-condition-while-updating-the-tr.patch b/queue-5.15/cpufreq-fix-the-race-condition-while-updating-the-tr.patch new file mode 100644 index 00000000000..7d2b56dd2ed --- /dev/null +++ b/queue-5.15/cpufreq-fix-the-race-condition-while-updating-the-tr.patch @@ -0,0 +1,81 @@ +From a8f85d4e64baa51fe1e36ab70ef58d8a8013f3d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Aug 2023 07:03:18 +0000 +Subject: cpufreq: Fix the race condition while updating the transition_task of + policy + +From: Liao Chang + +[ Upstream commit 61bfbf7951ba561dcbdd5357702d3cbc2d447812 ] + +The field 'transition_task' of policy structure is used to track the +task which is performing the frequency transition. Using this field to +print a warning once detect a case where the same task is calling +_begin() again before completing the preivous frequency transition via +the _end(). + +However, there is a potential race condition in _end() and _begin() APIs +while updating the field 'transition_task' of policy, the scenario is +depicted below: + + Task A Task B + + /* 1st freq transition */ + Invoke _begin() { + ... + ... + } + /* 2nd freq transition */ + Invoke _begin() { + ... //waiting for A to + ... //clear + ... //transition_ongoing + ... //in _end() for + ... //the 1st transition + | + Change the frequency | + | + Invoke _end() { | + ... | + ... | + transition_ongoing = false; V + transition_ongoing = true; + transition_task = current; + transition_task = NULL; + ... //A overwrites the task + ... //performing the transition + ... //result in error warning. + } + +To fix this race condition, the transition_lock of policy structure is +now acquired before updating policy structure in _end() API. Which ensure +that only one task can update the 'transition_task' field at a time. + +Link: https://lore.kernel.org/all/b3c61d8a-d52d-3136-fbf0-d1de9f1ba411@huawei.com/ +Fixes: ca654dc3a93d ("cpufreq: Catch double invocations of cpufreq_freq_transition_begin/end") +Signed-off-by: Liao Chang +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index ae7b95e15ac7e..c2227be7bad88 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -450,8 +450,10 @@ void cpufreq_freq_transition_end(struct cpufreq_policy *policy, + policy->cur, + policy->cpuinfo.max_freq); + ++ spin_lock(&policy->transition_lock); + policy->transition_ongoing = false; + policy->transition_task = NULL; ++ spin_unlock(&policy->transition_lock); + + wake_up(&policy->transition_wait); + } +-- +2.40.1 + diff --git a/queue-5.15/cpufreq-powernow-k8-use-related_cpus-instead-of-cpus.patch b/queue-5.15/cpufreq-powernow-k8-use-related_cpus-instead-of-cpus.patch new file mode 100644 index 00000000000..70fcc175d32 --- /dev/null +++ b/queue-5.15/cpufreq-powernow-k8-use-related_cpus-instead-of-cpus.patch @@ -0,0 +1,39 @@ +From ad0dc0cfd5970e5a005cd2fc4ade9c7f0dc2e4f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Aug 2023 09:51:13 +0000 +Subject: cpufreq: powernow-k8: Use related_cpus instead of cpus in + driver.exit() + +From: Liao Chang + +[ Upstream commit 03997da042dac73c69e60d91942c727c76828b65 ] + +Since the 'cpus' field of policy structure will become empty in the +cpufreq core API, it is better to use 'related_cpus' in the exit() +callback of driver. + +Fixes: c3274763bfc3 ("cpufreq: powernow-k8: Initialize per-cpu data-structures properly") +Signed-off-by: Liao Chang +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/powernow-k8.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/powernow-k8.c b/drivers/cpufreq/powernow-k8.c +index 12ab4014af712..94fe0e15623e4 100644 +--- a/drivers/cpufreq/powernow-k8.c ++++ b/drivers/cpufreq/powernow-k8.c +@@ -1101,7 +1101,8 @@ static int powernowk8_cpu_exit(struct cpufreq_policy *pol) + + kfree(data->powernow_table); + kfree(data); +- for_each_cpu(cpu, pol->cpus) ++ /* pol->cpus will be empty here, use related_cpus instead. */ ++ for_each_cpu(cpu, pol->related_cpus) + per_cpu(powernow_data, cpu) = NULL; + + return 0; +-- +2.40.1 + diff --git a/queue-5.15/crypto-api-use-work-queue-in-crypto_destroy_instance.patch b/queue-5.15/crypto-api-use-work-queue-in-crypto_destroy_instance.patch new file mode 100644 index 00000000000..29f46b79ab8 --- /dev/null +++ b/queue-5.15/crypto-api-use-work-queue-in-crypto_destroy_instance.patch @@ -0,0 +1,95 @@ +From 2c2b06142bf8fe7e1c017ac8bc3f7a6ed2ed285c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 17:59:28 +0800 +Subject: crypto: api - Use work queue in crypto_destroy_instance + +From: Herbert Xu + +[ Upstream commit 9ae4577bc077a7e32c3c7d442c95bc76865c0f17 ] + +The function crypto_drop_spawn expects to be called in process +context. However, when an instance is unregistered while it still +has active users, the last user may cause the instance to be freed +in atomic context. + +Fix this by delaying the freeing to a work queue. + +Fixes: 6bfd48096ff8 ("[CRYPTO] api: Added spawns") +Reported-by: Florent Revest +Reported-by: syzbot+d769eed29cc42d75e2a3@syzkaller.appspotmail.com +Reported-by: syzbot+610ec0671f51e838436e@syzkaller.appspotmail.com +Signed-off-by: Herbert Xu +Tested-by: Florent Revest +Acked-by: Florent Revest +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/algapi.c | 16 ++++++++++++++-- + include/crypto/algapi.h | 3 +++ + 2 files changed, 17 insertions(+), 2 deletions(-) + +diff --git a/crypto/algapi.c b/crypto/algapi.c +index 3920c4b1e9c13..c390a79c5a669 100644 +--- a/crypto/algapi.c ++++ b/crypto/algapi.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + + #include "internal.h" + +@@ -68,15 +69,26 @@ static void crypto_free_instance(struct crypto_instance *inst) + inst->alg.cra_type->free(inst); + } + +-static void crypto_destroy_instance(struct crypto_alg *alg) ++static void crypto_destroy_instance_workfn(struct work_struct *w) + { +- struct crypto_instance *inst = (void *)alg; ++ struct crypto_instance *inst = container_of(w, struct crypto_instance, ++ free_work); + struct crypto_template *tmpl = inst->tmpl; + + crypto_free_instance(inst); + crypto_tmpl_put(tmpl); + } + ++static void crypto_destroy_instance(struct crypto_alg *alg) ++{ ++ struct crypto_instance *inst = container_of(alg, ++ struct crypto_instance, ++ alg); ++ ++ INIT_WORK(&inst->free_work, crypto_destroy_instance_workfn); ++ schedule_work(&inst->free_work); ++} ++ + /* + * This function adds a spawn to the list secondary_spawns which + * will be used at the end of crypto_remove_spawns to unregister +diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h +index 0ffd61930e180..62fa7e82ff5b9 100644 +--- a/include/crypto/algapi.h ++++ b/include/crypto/algapi.h +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + + /* + * Maximum values for blocksize and alignmask, used to allocate +@@ -55,6 +56,8 @@ struct crypto_instance { + struct crypto_spawn *spawns; + }; + ++ struct work_struct free_work; ++ + void *__ctx[] CRYPTO_MINALIGN_ATTR; + }; + +-- +2.40.1 + diff --git a/queue-5.15/crypto-caam-fix-unchecked-return-value-error.patch b/queue-5.15/crypto-caam-fix-unchecked-return-value-error.patch new file mode 100644 index 00000000000..302f048ecc1 --- /dev/null +++ b/queue-5.15/crypto-caam-fix-unchecked-return-value-error.patch @@ -0,0 +1,44 @@ +From d828b9f57c708b619d74801ba0c2c5fa5ea5c2d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Aug 2023 12:55:25 +0200 +Subject: crypto: caam - fix unchecked return value error + +From: Gaurav Jain + +[ Upstream commit e30685204711a6be40dec2622606950ccd37dafe ] + +error: +Unchecked return value (CHECKED_RETURN) +check_return: Calling sg_miter_next without checking return value + +fix: +added check if(!sg_miter_next) + +Fixes: 8a2a0dd35f2e ("crypto: caam - strip input zeros from RSA input buffer") +Signed-off-by: Gaurav Jain +Signed-off-by: Meenakshi Aggarwal +Reviewed-by: Gaurav Jain +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/caam/caampkc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/caam/caampkc.c b/drivers/crypto/caam/caampkc.c +index 8867275767101..51b48b57266a6 100644 +--- a/drivers/crypto/caam/caampkc.c ++++ b/drivers/crypto/caam/caampkc.c +@@ -223,7 +223,9 @@ static int caam_rsa_count_leading_zeros(struct scatterlist *sgl, + if (len && *buff) + break; + +- sg_miter_next(&miter); ++ if (!sg_miter_next(&miter)) ++ break; ++ + buff = miter.addr; + len = miter.length; + +-- +2.40.1 + diff --git a/queue-5.15/crypto-stm32-properly-handle-pm_runtime_get-failing.patch b/queue-5.15/crypto-stm32-properly-handle-pm_runtime_get-failing.patch new file mode 100644 index 00000000000..65d8cc812af --- /dev/null +++ b/queue-5.15/crypto-stm32-properly-handle-pm_runtime_get-failing.patch @@ -0,0 +1,61 @@ +From 73adcf22d3cb95efe396396eb005bdcf1367def0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 18:54:54 +0200 +Subject: crypto: stm32 - Properly handle pm_runtime_get failing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit aec48805163338f8413118796c1dd035661b9140 ] + +If pm_runtime_get() (disguised as pm_runtime_resume_and_get()) fails, this +means the clk wasn't prepared and enabled. Returning early in this case +however is wrong as then the following resource frees are skipped and this +is never catched up. So do all the cleanups but clk_disable_unprepare(). + +Also don't emit a warning, as stm32_hash_runtime_resume() already emitted +one. + +Note that the return value of stm32_hash_remove() is mostly ignored by +the device core. The only effect of returning zero instead of an error +value is to suppress another warning in platform_remove(). So return 0 +even if pm_runtime_resume_and_get() failed. + +Fixes: 8b4d566de6a5 ("crypto: stm32/hash - Add power management support") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/stm32-hash.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/crypto/stm32/stm32-hash.c b/drivers/crypto/stm32/stm32-hash.c +index d33006d43f761..e3f765434d64e 100644 +--- a/drivers/crypto/stm32/stm32-hash.c ++++ b/drivers/crypto/stm32/stm32-hash.c +@@ -1566,9 +1566,7 @@ static int stm32_hash_remove(struct platform_device *pdev) + if (!hdev) + return -ENODEV; + +- ret = pm_runtime_resume_and_get(hdev->dev); +- if (ret < 0) +- return ret; ++ ret = pm_runtime_get_sync(hdev->dev); + + stm32_hash_unregister_algs(hdev); + +@@ -1584,7 +1582,8 @@ static int stm32_hash_remove(struct platform_device *pdev) + pm_runtime_disable(hdev->dev); + pm_runtime_put_noidle(hdev->dev); + +- clk_disable_unprepare(hdev->clk); ++ if (ret >= 0) ++ clk_disable_unprepare(hdev->clk); + + return 0; + } +-- +2.40.1 + diff --git a/queue-5.15/dma-buf-sync_file-fix-docs-syntax.patch b/queue-5.15/dma-buf-sync_file-fix-docs-syntax.patch new file mode 100644 index 00000000000..f4b170c5b4c --- /dev/null +++ b/queue-5.15/dma-buf-sync_file-fix-docs-syntax.patch @@ -0,0 +1,39 @@ +From c69708b48457c2c061b4985b7216ccb68cd470c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jul 2023 07:49:41 -0700 +Subject: dma-buf/sync_file: Fix docs syntax + +From: Rob Clark + +[ Upstream commit 05d56d8079d510a2994039470f65bea85f0075ee ] + +Fixes the warning: + + include/uapi/linux/sync_file.h:77: warning: Function parameter or member 'num_fences' not described in 'sync_file_info' + +Fixes: 2d75c88fefb2 ("staging/android: refactor SYNC IOCTLs") +Signed-off-by: Rob Clark +Reviewed-by: Randy Dunlap +Link: https://lore.kernel.org/r/20230724145000.125880-1-robdclark@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + include/uapi/linux/sync_file.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/sync_file.h b/include/uapi/linux/sync_file.h +index ee2dcfb3d6602..d7f7c04a6e0c1 100644 +--- a/include/uapi/linux/sync_file.h ++++ b/include/uapi/linux/sync_file.h +@@ -52,7 +52,7 @@ struct sync_fence_info { + * @name: name of fence + * @status: status of fence. 1: signaled 0:active <0:error + * @flags: sync_file_info flags +- * @num_fences number of fences in the sync_file ++ * @num_fences: number of fences in the sync_file + * @pad: padding for 64-bit alignment, should always be zero + * @sync_fence_info: pointer to array of structs sync_fence_info with all + * fences in the sync_file +-- +2.40.1 + diff --git a/queue-5.15/dmaengine-ste_dma40-add-missing-irq-check-in-d40_pro.patch b/queue-5.15/dmaengine-ste_dma40-add-missing-irq-check-in-d40_pro.patch new file mode 100644 index 00000000000..392f9ef646b --- /dev/null +++ b/queue-5.15/dmaengine-ste_dma40-add-missing-irq-check-in-d40_pro.patch @@ -0,0 +1,40 @@ +From ffc1d8228ba8428bd5107660c328cc5a18483ef4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jul 2023 14:41:08 +0000 +Subject: dmaengine: ste_dma40: Add missing IRQ check in d40_probe + +From: ruanjinjie + +[ Upstream commit c05ce6907b3d6e148b70f0bb5eafd61dcef1ddc1 ] + +Check for the return value of platform_get_irq(): if no interrupt +is specified, it wouldn't make sense to call request_irq(). + +Fixes: 8d318a50b3d7 ("DMAENGINE: Support for ST-Ericssons DMA40 block v3") +Signed-off-by: Ruan Jinjie +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20230724144108.2582917-1-ruanjinjie@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ste_dma40.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/dma/ste_dma40.c b/drivers/dma/ste_dma40.c +index e1827393143f1..cb6b0e9ed5adc 100644 +--- a/drivers/dma/ste_dma40.c ++++ b/drivers/dma/ste_dma40.c +@@ -3597,6 +3597,10 @@ static int __init d40_probe(struct platform_device *pdev) + spin_lock_init(&base->lcla_pool.lock); + + base->irq = platform_get_irq(pdev, 0); ++ if (base->irq < 0) { ++ ret = base->irq; ++ goto destroy_cache; ++ } + + ret = request_irq(base->irq, d40_handle_interrupt, 0, D40_NAME, base); + if (ret) { +-- +2.40.1 + diff --git a/queue-5.15/driver-core-test_async-fix-an-error-code.patch b/queue-5.15/driver-core-test_async-fix-an-error-code.patch new file mode 100644 index 00000000000..3841fe0c55b --- /dev/null +++ b/queue-5.15/driver-core-test_async-fix-an-error-code.patch @@ -0,0 +1,37 @@ +From 6744de60b4324f85bea711045e1e9bab2cc96a44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jul 2023 10:03:49 +0300 +Subject: driver core: test_async: fix an error code + +From: Dan Carpenter + +[ Upstream commit 22d2381bbd70a5853c2ee77522f4965139672db9 ] + +The test_platform_device_register_node() function should return error +pointers instead of NULL. That is what the callers are expecting. + +Fixes: 57ea974fb871 ("driver core: Rewrite test_async_driver_probe to cover serialization and NUMA affinity") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/1e11ed19-e1f6-43d8-b352-474134b7c008@moroto.mountain +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/test/test_async_driver_probe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/base/test/test_async_driver_probe.c b/drivers/base/test/test_async_driver_probe.c +index c157a912d6739..88336f093decd 100644 +--- a/drivers/base/test/test_async_driver_probe.c ++++ b/drivers/base/test/test_async_driver_probe.c +@@ -84,7 +84,7 @@ test_platform_device_register_node(char *name, int id, int nid) + + pdev = platform_device_alloc(name, id); + if (!pdev) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + if (nid != NUMA_NO_NODE) + set_dev_node(&pdev->dev, nid); +-- +2.40.1 + diff --git a/queue-5.15/drivers-clk-keystone-fix-parameter-judgment-in-_of_p.patch b/queue-5.15/drivers-clk-keystone-fix-parameter-judgment-in-_of_p.patch new file mode 100644 index 00000000000..c4180651d7b --- /dev/null +++ b/queue-5.15/drivers-clk-keystone-fix-parameter-judgment-in-_of_p.patch @@ -0,0 +1,38 @@ +From eaee723b57ecf1101bcdd00b721dc3d4bea29a66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jul 2023 18:22:46 +0800 +Subject: drivers: clk: keystone: Fix parameter judgment in _of_pll_clk_init() + +From: Minjie Du + +[ Upstream commit a995c50db887ef97f3160775aef7d772635a6f6e ] + +The function clk_register_pll() may return NULL or an ERR_PTR. Don't +treat an ERR_PTR as valid. + +Signed-off-by: Minjie Du +Link: https://lore.kernel.org/r/20230712102246.10348-1-duminjie@vivo.com +Fixes: b9e0d40c0d83 ("clk: keystone: add Keystone PLL clock driver") +[sboyd@kernel.org: Reword commit text] +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/keystone/pll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/keystone/pll.c b/drivers/clk/keystone/pll.c +index d59a7621bb204..ee5c72369334f 100644 +--- a/drivers/clk/keystone/pll.c ++++ b/drivers/clk/keystone/pll.c +@@ -209,7 +209,7 @@ static void __init _of_pll_clk_init(struct device_node *node, bool pllctrl) + } + + clk = clk_register_pll(NULL, node->name, parent_name, pll_data); +- if (clk) { ++ if (!IS_ERR_OR_NULL(clk)) { + of_clk_add_provider(node, of_clk_src_simple_get, clk); + return; + } +-- +2.40.1 + diff --git a/queue-5.15/drivers-usb-smsusb-fix-error-handling-code-in-smsusb.patch b/queue-5.15/drivers-usb-smsusb-fix-error-handling-code-in-smsusb.patch new file mode 100644 index 00000000000..b3ebd2e31c9 --- /dev/null +++ b/queue-5.15/drivers-usb-smsusb-fix-error-handling-code-in-smsusb.patch @@ -0,0 +1,80 @@ +From 5e8783019f2e107a28de93d9333cb9254f8fe679 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Feb 2023 18:24:08 +0800 +Subject: drivers: usb: smsusb: fix error handling code in smsusb_init_device + +From: Dongliang Mu + +[ Upstream commit b9c7141f384097fa4fa67d2f72e5731d628aef7c ] + +The previous commit 4b208f8b561f ("[media] siano: register media controller +earlier")moves siano_media_device_register before smscore_register_device, +and adds corresponding error handling code if smscore_register_device +fails. However, it misses the following error handling code of +smsusb_init_device. + +Fix this by moving error handling code at the end of smsusb_init_device +and adding a goto statement in the following error handling parts. + +Fixes: 4b208f8b561f ("[media] siano: register media controller earlier") +Signed-off-by: Dongliang Mu +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/siano/smsusb.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c +index 5c223b5498b4b..6036ad3b15681 100644 +--- a/drivers/media/usb/siano/smsusb.c ++++ b/drivers/media/usb/siano/smsusb.c +@@ -455,12 +455,7 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + rc = smscore_register_device(¶ms, &dev->coredev, 0, mdev); + if (rc < 0) { + pr_err("smscore_register_device(...) failed, rc %d\n", rc); +- smsusb_term_device(intf); +-#ifdef CONFIG_MEDIA_CONTROLLER_DVB +- media_device_unregister(mdev); +-#endif +- kfree(mdev); +- return rc; ++ goto err_unregister_device; + } + + smscore_set_board_id(dev->coredev, board_id); +@@ -477,8 +472,7 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + rc = smsusb_start_streaming(dev); + if (rc < 0) { + pr_err("smsusb_start_streaming(...) failed\n"); +- smsusb_term_device(intf); +- return rc; ++ goto err_unregister_device; + } + + dev->state = SMSUSB_ACTIVE; +@@ -486,13 +480,20 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + rc = smscore_start_device(dev->coredev); + if (rc < 0) { + pr_err("smscore_start_device(...) failed\n"); +- smsusb_term_device(intf); +- return rc; ++ goto err_unregister_device; + } + + pr_debug("device 0x%p created\n", dev); + + return rc; ++ ++err_unregister_device: ++ smsusb_term_device(intf); ++#ifdef CONFIG_MEDIA_CONTROLLER_DVB ++ media_device_unregister(mdev); ++#endif ++ kfree(mdev); ++ return rc; + } + + static int smsusb_probe(struct usb_interface *intf, +-- +2.40.1 + diff --git a/queue-5.15/drm-adv7511-fix-low-refresh-rate-register-for-adv753.patch b/queue-5.15/drm-adv7511-fix-low-refresh-rate-register-for-adv753.patch new file mode 100644 index 00000000000..5f497524bfc --- /dev/null +++ b/queue-5.15/drm-adv7511-fix-low-refresh-rate-register-for-adv753.patch @@ -0,0 +1,49 @@ +From f321db0a2c2375f8929c8459a9fd8f6c53369458 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 09:01:43 +0300 +Subject: drm: adv7511: Fix low refresh rate register for ADV7533/5 + +From: Bogdan Togorean + +[ Upstream commit d281eeaa4de2636ff0c8e6ae387bb07b50e5fcbb ] + +For ADV7533 and ADV7535 low refresh rate is selected using +bits [3:2] of 0x4a main register. +So depending on ADV model write 0xfb or 0x4a register. + +Fixes: 2437e7cd88e8 ("drm/bridge: adv7533: Initial support for ADV7533") +Reviewed-by: Robert Foss +Reviewed-by: Nuno Sa +Signed-off-by: Bogdan Togorean +Signed-off-by: Alexandru Ardelean +Reviewed-by: Frieder Schrempf +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20230719060143.63649-1-alex@shruggie.ro +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +index 44762116aac97..ce40cd1ae1670 100644 +--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c ++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +@@ -786,8 +786,13 @@ static void adv7511_mode_set(struct adv7511 *adv7511, + else + low_refresh_rate = ADV7511_LOW_REFRESH_RATE_NONE; + +- regmap_update_bits(adv7511->regmap, 0xfb, +- 0x6, low_refresh_rate << 1); ++ if (adv7511->type == ADV7511) ++ regmap_update_bits(adv7511->regmap, 0xfb, ++ 0x6, low_refresh_rate << 1); ++ else ++ regmap_update_bits(adv7511->regmap, 0x4a, ++ 0xc, low_refresh_rate << 2); ++ + regmap_update_bits(adv7511->regmap, 0x17, + 0x60, (vsync_polarity << 6) | (hsync_polarity << 5)); + +-- +2.40.1 + diff --git a/queue-5.15/drm-amd-pm-fix-variable-dereferenced-issue-in-amdgpu.patch b/queue-5.15/drm-amd-pm-fix-variable-dereferenced-issue-in-amdgpu.patch new file mode 100644 index 00000000000..29741e51ac5 --- /dev/null +++ b/queue-5.15/drm-amd-pm-fix-variable-dereferenced-issue-in-amdgpu.patch @@ -0,0 +1,53 @@ +From f6f5709396d222216ae1d73b3af4fc0657c3bee8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 16:53:23 +0800 +Subject: drm/amd/pm: fix variable dereferenced issue in + amdgpu_device_attr_create() + +From: Yang Wang + +[ Upstream commit 25e6373a5b8efc623443f2699d2b929bf3067d76 ] + +- fix variable ('attr') dereferenced issue. +- using condition check instead of BUG_ON(). + +Fixes: 4e01847c38f7 ("drm/amdgpu: optimize amdgpu device attribute code") +Cc: Dan Carpenter +Signed-off-by: Yang Wang +Reviewed-by: Kenneth Feng +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/amdgpu_pm.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/amdgpu_pm.c b/drivers/gpu/drm/amd/pm/amdgpu_pm.c +index 6aaf1230655f4..73794c1c12082 100644 +--- a/drivers/gpu/drm/amd/pm/amdgpu_pm.c ++++ b/drivers/gpu/drm/amd/pm/amdgpu_pm.c +@@ -2134,15 +2134,19 @@ static int amdgpu_device_attr_create(struct amdgpu_device *adev, + uint32_t mask, struct list_head *attr_list) + { + int ret = 0; +- struct device_attribute *dev_attr = &attr->dev_attr; +- const char *name = dev_attr->attr.name; + enum amdgpu_device_attr_states attr_states = ATTR_STATE_SUPPORTED; + struct amdgpu_device_attr_entry *attr_entry; ++ struct device_attribute *dev_attr; ++ const char *name; + + int (*attr_update)(struct amdgpu_device *adev, struct amdgpu_device_attr *attr, + uint32_t mask, enum amdgpu_device_attr_states *states) = default_attr_update; + +- BUG_ON(!attr); ++ if (!attr) ++ return -EINVAL; ++ ++ dev_attr = &attr->dev_attr; ++ name = dev_attr->attr.name; + + attr_update = attr->attr_update ? attr->attr_update : default_attr_update; + +-- +2.40.1 + diff --git a/queue-5.15/drm-amdgpu-avoid-integer-overflow-warning-in-amdgpu_.patch b/queue-5.15/drm-amdgpu-avoid-integer-overflow-warning-in-amdgpu_.patch new file mode 100644 index 00000000000..eeefebfbbd6 --- /dev/null +++ b/queue-5.15/drm-amdgpu-avoid-integer-overflow-warning-in-amdgpu_.patch @@ -0,0 +1,52 @@ +From 393c0be6444586ca23ab1d2141422a60aad8d8d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 13:11:51 +0200 +Subject: drm/amdgpu: avoid integer overflow warning in + amdgpu_device_resize_fb_bar() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnd Bergmann + +[ Upstream commit 822130b5e8834ab30ad410cf19a582e5014b9a85 ] + +On 32-bit architectures comparing a resource against a value larger than +U32_MAX can cause a warning: + +drivers/gpu/drm/amd/amdgpu/amdgpu_device.c:1344:18: error: result of comparison of constant 4294967296 with expression of type 'resource_size_t' (aka 'unsigned int') is always false [-Werror,-Wtautological-constant-out-of-range-compare] + res->start > 0x100000000ull) + ~~~~~~~~~~ ^ ~~~~~~~~~~~~~~ + +As gcc does not warn about this in dead code, add an IS_ENABLED() check at +the start of the function. This will always return success but not actually resize +the BAR on 32-bit architectures without high memory, which is exactly what +we want here, as the driver can fall back to bank switching the VRAM +access. + +Fixes: 31b8adab3247 ("drm/amdgpu: require a root bus window above 4GB for BAR resize") +Reviewed-by: Christian König +Signed-off-by: Arnd Bergmann +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index 2b5766d3789b2..8b6b47fd9b880 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -1195,6 +1195,9 @@ int amdgpu_device_resize_fb_bar(struct amdgpu_device *adev) + u16 cmd; + int r; + ++ if (!IS_ENABLED(CONFIG_PHYS_ADDR_T_64BIT)) ++ return 0; ++ + /* Bypass for VF */ + if (amdgpu_sriov_vf(adev)) + return 0; +-- +2.40.1 + diff --git a/queue-5.15/drm-amdgpu-update-min-to-min_t-in-amdgpu_info_ioctl.patch b/queue-5.15/drm-amdgpu-update-min-to-min_t-in-amdgpu_info_ioctl.patch new file mode 100644 index 00000000000..b2bc456370b --- /dev/null +++ b/queue-5.15/drm-amdgpu-update-min-to-min_t-in-amdgpu_info_ioctl.patch @@ -0,0 +1,88 @@ +From 826d32602d67f14e3a9774dead8ae78357046fdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 12:29:14 +0530 +Subject: drm/amdgpu: Update min() to min_t() in 'amdgpu_info_ioctl' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivasan Shanmugam + +[ Upstream commit a0cc8e1512ad72c9f97cdcb76d42715730adaf62 ] + +Fixes the following: + +WARNING: min() should probably be min_t(size_t, size, sizeof(ip)) ++ ret = copy_to_user(out, &ip, min((size_t)size, sizeof(ip))); + +And other style fixes: + +WARNING: Prefer 'unsigned int' to bare use of 'unsigned' +WARNING: Missing a blank line after declarations + +Cc: Christian König +Cc: Alex Deucher +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +index 43e30b9a2e024..e8485b1f02ed6 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +@@ -582,6 +582,7 @@ int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file *filp) + crtc = (struct drm_crtc *)minfo->crtcs[i]; + if (crtc && crtc->base.id == info->mode_crtc.id) { + struct amdgpu_crtc *amdgpu_crtc = to_amdgpu_crtc(crtc); ++ + ui32 = amdgpu_crtc->crtc_id; + found = 1; + break; +@@ -600,7 +601,7 @@ int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file *filp) + if (ret) + return ret; + +- ret = copy_to_user(out, &ip, min((size_t)size, sizeof(ip))); ++ ret = copy_to_user(out, &ip, min_t(size_t, size, sizeof(ip))); + return ret ? -EFAULT : 0; + } + case AMDGPU_INFO_HW_IP_COUNT: { +@@ -748,17 +749,18 @@ int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file *filp) + ? -EFAULT : 0; + } + case AMDGPU_INFO_READ_MMR_REG: { +- unsigned n, alloc_size; ++ unsigned int n, alloc_size; + uint32_t *regs; +- unsigned se_num = (info->read_mmr_reg.instance >> ++ unsigned int se_num = (info->read_mmr_reg.instance >> + AMDGPU_INFO_MMR_SE_INDEX_SHIFT) & + AMDGPU_INFO_MMR_SE_INDEX_MASK; +- unsigned sh_num = (info->read_mmr_reg.instance >> ++ unsigned int sh_num = (info->read_mmr_reg.instance >> + AMDGPU_INFO_MMR_SH_INDEX_SHIFT) & + AMDGPU_INFO_MMR_SH_INDEX_MASK; + + /* set full masks if the userspace set all bits +- * in the bitfields */ ++ * in the bitfields ++ */ + if (se_num == AMDGPU_INFO_MMR_SE_INDEX_MASK) + se_num = 0xffffffff; + else if (se_num >= AMDGPU_GFX_MAX_SE) +@@ -882,7 +884,7 @@ int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file *filp) + return ret; + } + case AMDGPU_INFO_VCE_CLOCK_TABLE: { +- unsigned i; ++ unsigned int i; + struct drm_amdgpu_info_vce_clock_table vce_clk_table = {}; + struct amd_vce_state *vce_state; + +-- +2.40.1 + diff --git a/queue-5.15/drm-amdgpu-use-rmw-accessors-for-changing-lnkctl.patch b/queue-5.15/drm-amdgpu-use-rmw-accessors-for-changing-lnkctl.patch new file mode 100644 index 00000000000..fe04fde7174 --- /dev/null +++ b/queue-5.15/drm-amdgpu-use-rmw-accessors-for-changing-lnkctl.patch @@ -0,0 +1,144 @@ +From 33fdb5d1f91a1eeb8abb3d5dde37fe6208003c9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 15:04:57 +0300 +Subject: drm/amdgpu: Use RMW accessors for changing LNKCTL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit ce7d88110b9ed5f33fe79ea6d4ed049fb0e57bce ] + +Don't assume that only the driver would be accessing LNKCTL. ASPM policy +changes can trigger write to LNKCTL outside of driver's control. And in +the case of upstream bridge, the driver does not even own the device it's +changing the registers for. + +Use RMW capability accessors which do proper locking to avoid losing +concurrent updates to the register value. + +Suggested-by: Lukas Wunner +Fixes: a2e73f56fa62 ("drm/amdgpu: Add support for CIK parts") +Fixes: 62a37553414a ("drm/amdgpu: add si implementation v10") +Link: https://lore.kernel.org/r/20230717120503.15276-6-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Acked-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/cik.c | 36 +++++++++----------------------- + drivers/gpu/drm/amd/amdgpu/si.c | 36 +++++++++----------------------- + 2 files changed, 20 insertions(+), 52 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/cik.c b/drivers/gpu/drm/amd/amdgpu/cik.c +index de6d10390ab2f..9be6da37032a7 100644 +--- a/drivers/gpu/drm/amd/amdgpu/cik.c ++++ b/drivers/gpu/drm/amd/amdgpu/cik.c +@@ -1574,17 +1574,8 @@ static void cik_pcie_gen3_enable(struct amdgpu_device *adev) + u16 bridge_cfg2, gpu_cfg2; + u32 max_lw, current_lw, tmp; + +- pcie_capability_read_word(root, PCI_EXP_LNKCTL, +- &bridge_cfg); +- pcie_capability_read_word(adev->pdev, PCI_EXP_LNKCTL, +- &gpu_cfg); +- +- tmp16 = bridge_cfg | PCI_EXP_LNKCTL_HAWD; +- pcie_capability_write_word(root, PCI_EXP_LNKCTL, tmp16); +- +- tmp16 = gpu_cfg | PCI_EXP_LNKCTL_HAWD; +- pcie_capability_write_word(adev->pdev, PCI_EXP_LNKCTL, +- tmp16); ++ pcie_capability_set_word(root, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_HAWD); ++ pcie_capability_set_word(adev->pdev, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_HAWD); + + tmp = RREG32_PCIE(ixPCIE_LC_STATUS1); + max_lw = (tmp & PCIE_LC_STATUS1__LC_DETECTED_LINK_WIDTH_MASK) >> +@@ -1637,21 +1628,14 @@ static void cik_pcie_gen3_enable(struct amdgpu_device *adev) + msleep(100); + + /* linkctl */ +- pcie_capability_read_word(root, PCI_EXP_LNKCTL, +- &tmp16); +- tmp16 &= ~PCI_EXP_LNKCTL_HAWD; +- tmp16 |= (bridge_cfg & PCI_EXP_LNKCTL_HAWD); +- pcie_capability_write_word(root, PCI_EXP_LNKCTL, +- tmp16); +- +- pcie_capability_read_word(adev->pdev, +- PCI_EXP_LNKCTL, +- &tmp16); +- tmp16 &= ~PCI_EXP_LNKCTL_HAWD; +- tmp16 |= (gpu_cfg & PCI_EXP_LNKCTL_HAWD); +- pcie_capability_write_word(adev->pdev, +- PCI_EXP_LNKCTL, +- tmp16); ++ pcie_capability_clear_and_set_word(root, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_HAWD, ++ bridge_cfg & ++ PCI_EXP_LNKCTL_HAWD); ++ pcie_capability_clear_and_set_word(adev->pdev, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_HAWD, ++ gpu_cfg & ++ PCI_EXP_LNKCTL_HAWD); + + /* linkctl2 */ + pcie_capability_read_word(root, PCI_EXP_LNKCTL2, +diff --git a/drivers/gpu/drm/amd/amdgpu/si.c b/drivers/gpu/drm/amd/amdgpu/si.c +index 7f99e130acd06..fd34c2100bd96 100644 +--- a/drivers/gpu/drm/amd/amdgpu/si.c ++++ b/drivers/gpu/drm/amd/amdgpu/si.c +@@ -2276,17 +2276,8 @@ static void si_pcie_gen3_enable(struct amdgpu_device *adev) + u16 bridge_cfg2, gpu_cfg2; + u32 max_lw, current_lw, tmp; + +- pcie_capability_read_word(root, PCI_EXP_LNKCTL, +- &bridge_cfg); +- pcie_capability_read_word(adev->pdev, PCI_EXP_LNKCTL, +- &gpu_cfg); +- +- tmp16 = bridge_cfg | PCI_EXP_LNKCTL_HAWD; +- pcie_capability_write_word(root, PCI_EXP_LNKCTL, tmp16); +- +- tmp16 = gpu_cfg | PCI_EXP_LNKCTL_HAWD; +- pcie_capability_write_word(adev->pdev, PCI_EXP_LNKCTL, +- tmp16); ++ pcie_capability_set_word(root, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_HAWD); ++ pcie_capability_set_word(adev->pdev, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_HAWD); + + tmp = RREG32_PCIE(PCIE_LC_STATUS1); + max_lw = (tmp & LC_DETECTED_LINK_WIDTH_MASK) >> LC_DETECTED_LINK_WIDTH_SHIFT; +@@ -2331,21 +2322,14 @@ static void si_pcie_gen3_enable(struct amdgpu_device *adev) + + mdelay(100); + +- pcie_capability_read_word(root, PCI_EXP_LNKCTL, +- &tmp16); +- tmp16 &= ~PCI_EXP_LNKCTL_HAWD; +- tmp16 |= (bridge_cfg & PCI_EXP_LNKCTL_HAWD); +- pcie_capability_write_word(root, PCI_EXP_LNKCTL, +- tmp16); +- +- pcie_capability_read_word(adev->pdev, +- PCI_EXP_LNKCTL, +- &tmp16); +- tmp16 &= ~PCI_EXP_LNKCTL_HAWD; +- tmp16 |= (gpu_cfg & PCI_EXP_LNKCTL_HAWD); +- pcie_capability_write_word(adev->pdev, +- PCI_EXP_LNKCTL, +- tmp16); ++ pcie_capability_clear_and_set_word(root, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_HAWD, ++ bridge_cfg & ++ PCI_EXP_LNKCTL_HAWD); ++ pcie_capability_clear_and_set_word(adev->pdev, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_HAWD, ++ gpu_cfg & ++ PCI_EXP_LNKCTL_HAWD); + + pcie_capability_read_word(root, PCI_EXP_LNKCTL2, + &tmp16); +-- +2.40.1 + diff --git a/queue-5.15/drm-armada-fix-off-by-one-error-in-armada_overlay_ge.patch b/queue-5.15/drm-armada-fix-off-by-one-error-in-armada_overlay_ge.patch new file mode 100644 index 00000000000..e4218b49d6e --- /dev/null +++ b/queue-5.15/drm-armada-fix-off-by-one-error-in-armada_overlay_ge.patch @@ -0,0 +1,52 @@ +From 5c63025a033fbbd4a94f24c08dbf0ba19522272f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 15:25:40 +0200 +Subject: drm/armada: Fix off-by-one error in armada_overlay_get_property() + +From: Geert Uytterhoeven + +[ Upstream commit 5f0d984053f74983a287100a9519b2fabb785fb5 ] + +As ffs() returns one more than the index of the first bit set (zero +means no bits set), the color key mode value is shifted one position too +much. + +Fix this by using FIELD_GET() instead. + +Fixes: c96103b6c49ff9a8 ("drm/armada: move colorkey properties into overlay plane state") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Russell King (Oracle) +Signed-off-by: Javier Martinez Canillas +Link: https://patchwork.freedesktop.org/patch/msgid/a4d779d954a7515ddbbf31cb0f0d8184c0e7c879.1689600265.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/armada/armada_overlay.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/armada/armada_overlay.c b/drivers/gpu/drm/armada/armada_overlay.c +index 424250535fed9..0383deb970bbb 100644 +--- a/drivers/gpu/drm/armada/armada_overlay.c ++++ b/drivers/gpu/drm/armada/armada_overlay.c +@@ -4,6 +4,8 @@ + * Rewritten from the dovefb driver, and Armada510 manuals. + */ + ++#include ++ + #include + #include + #include +@@ -451,8 +453,8 @@ static int armada_overlay_get_property(struct drm_plane *plane, + drm_to_overlay_state(state)->colorkey_ug, + drm_to_overlay_state(state)->colorkey_vb, 0); + } else if (property == priv->colorkey_mode_prop) { +- *val = (drm_to_overlay_state(state)->colorkey_mode & +- CFG_CKMODE_MASK) >> ffs(CFG_CKMODE_MASK); ++ *val = FIELD_GET(CFG_CKMODE_MASK, ++ drm_to_overlay_state(state)->colorkey_mode); + } else if (property == priv->brightness_prop) { + *val = drm_to_overlay_state(state)->brightness + 256; + } else if (property == priv->contrast_prop) { +-- +2.40.1 + diff --git a/queue-5.15/drm-bridge-tc358764-fix-debug-print-parameter-order.patch b/queue-5.15/drm-bridge-tc358764-fix-debug-print-parameter-order.patch new file mode 100644 index 00000000000..5cc809b180a --- /dev/null +++ b/queue-5.15/drm-bridge-tc358764-fix-debug-print-parameter-order.patch @@ -0,0 +1,40 @@ +From b193fc9026cd0d4a64c6ebd92426a5e09bfd3a10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 17:28:17 +0200 +Subject: drm/bridge: tc358764: Fix debug print parameter order + +From: Marek Vasut + +[ Upstream commit 7f947be02aab5b154427cb5b0fffe858fc387b02 ] + +The debug print parameters were swapped in the output and they were +printed as decimal values, both the hardware address and the value. +Update the debug print to print the parameters in correct order, and +use hexadecimal print for both address and value. + +Fixes: f38b7cca6d0e ("drm/bridge: tc358764: Add DSI to LVDS bridge driver") +Signed-off-by: Marek Vasut +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20230615152817.359420-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358764.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/tc358764.c b/drivers/gpu/drm/bridge/tc358764.c +index c1e35bdf9232a..ba4e869f58a4a 100644 +--- a/drivers/gpu/drm/bridge/tc358764.c ++++ b/drivers/gpu/drm/bridge/tc358764.c +@@ -181,7 +181,7 @@ static void tc358764_read(struct tc358764 *ctx, u16 addr, u32 *val) + if (ret >= 0) + le32_to_cpus(val); + +- dev_dbg(ctx->dev, "read: %d, addr: %d\n", addr, *val); ++ dev_dbg(ctx->dev, "read: addr=0x%04x data=0x%08x\n", addr, *val); + } + + static void tc358764_write(struct tc358764 *ctx, u16 addr, u32 val) +-- +2.40.1 + diff --git a/queue-5.15/drm-etnaviv-fix-dumping-of-active-mmu-context.patch b/queue-5.15/drm-etnaviv-fix-dumping-of-active-mmu-context.patch new file mode 100644 index 00000000000..d2963d9613b --- /dev/null +++ b/queue-5.15/drm-etnaviv-fix-dumping-of-active-mmu-context.patch @@ -0,0 +1,72 @@ +From 1b68e4eb2130513281e2cf7f452e58afb0cee55e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Apr 2023 16:38:10 +0200 +Subject: drm/etnaviv: fix dumping of active MMU context + +From: Lucas Stach + +[ Upstream commit 20faf2005ec85fa1a6acc9a74ff27de667f90576 ] + +gpu->mmu_context is the MMU context of the last job in the HW queue, which +isn't necessarily the same as the context from the bad job. Dump the MMU +context from the scheduler determined bad submit to make it work as intended. + +Fixes: 17e4660ae3d7 ("drm/etnaviv: implement per-process address spaces on MMUv2") +Signed-off-by: Lucas Stach +Reviewed-by: Christian Gmeiner +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/etnaviv/etnaviv_dump.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/etnaviv/etnaviv_dump.c b/drivers/gpu/drm/etnaviv/etnaviv_dump.c +index f418e0b75772e..0edcf8ceb4a78 100644 +--- a/drivers/gpu/drm/etnaviv/etnaviv_dump.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_dump.c +@@ -125,9 +125,9 @@ void etnaviv_core_dump(struct etnaviv_gem_submit *submit) + return; + etnaviv_dump_core = false; + +- mutex_lock(&gpu->mmu_context->lock); ++ mutex_lock(&submit->mmu_context->lock); + +- mmu_size = etnaviv_iommu_dump_size(gpu->mmu_context); ++ mmu_size = etnaviv_iommu_dump_size(submit->mmu_context); + + /* We always dump registers, mmu, ring, hanging cmdbuf and end marker */ + n_obj = 5; +@@ -157,7 +157,7 @@ void etnaviv_core_dump(struct etnaviv_gem_submit *submit) + iter.start = __vmalloc(file_size, GFP_KERNEL | __GFP_NOWARN | + __GFP_NORETRY); + if (!iter.start) { +- mutex_unlock(&gpu->mmu_context->lock); ++ mutex_unlock(&submit->mmu_context->lock); + dev_warn(gpu->dev, "failed to allocate devcoredump file\n"); + return; + } +@@ -169,18 +169,18 @@ void etnaviv_core_dump(struct etnaviv_gem_submit *submit) + memset(iter.hdr, 0, iter.data - iter.start); + + etnaviv_core_dump_registers(&iter, gpu); +- etnaviv_core_dump_mmu(&iter, gpu->mmu_context, mmu_size); ++ etnaviv_core_dump_mmu(&iter, submit->mmu_context, mmu_size); + etnaviv_core_dump_mem(&iter, ETDUMP_BUF_RING, gpu->buffer.vaddr, + gpu->buffer.size, + etnaviv_cmdbuf_get_va(&gpu->buffer, +- &gpu->mmu_context->cmdbuf_mapping)); ++ &submit->mmu_context->cmdbuf_mapping)); + + etnaviv_core_dump_mem(&iter, ETDUMP_BUF_CMD, + submit->cmdbuf.vaddr, submit->cmdbuf.size, + etnaviv_cmdbuf_get_va(&submit->cmdbuf, +- &gpu->mmu_context->cmdbuf_mapping)); ++ &submit->mmu_context->cmdbuf_mapping)); + +- mutex_unlock(&gpu->mmu_context->lock); ++ mutex_unlock(&submit->mmu_context->lock); + + /* Reserve space for the bomap */ + if (n_bomap_pages) { +-- +2.40.1 + diff --git a/queue-5.15/drm-mediatek-fix-potential-memory-leak-if-vmap-fail.patch b/queue-5.15/drm-mediatek-fix-potential-memory-leak-if-vmap-fail.patch new file mode 100644 index 00000000000..33acb3ae83b --- /dev/null +++ b/queue-5.15/drm-mediatek-fix-potential-memory-leak-if-vmap-fail.patch @@ -0,0 +1,45 @@ +From 8de66fea3a4fec730b1ca5dd1966cf391e8b45a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 21:40:00 +0800 +Subject: drm/mediatek: Fix potential memory leak if vmap() fail + +From: Sui Jingfeng + +[ Upstream commit 379091e0f6d179d1a084c65de90fa44583b14a70 ] + +Also return -ENOMEM if such a failure happens, the implement should take +responsibility for the error handling. + +Fixes: 3df64d7b0a4f ("drm/mediatek: Implement gem prime vmap/vunmap function") +Reviewed-by: Matthias Brugger +Reviewed-by: Alexandre Mergnat +Signed-off-by: Sui Jingfeng +Reviewed-by: CK Hu +Reviewed-by: AngeloGioacchino Del Regno +Link: https://patchwork.kernel.org/project/dri-devel/patch/20230706134000.130098-1-suijingfeng@loongson.cn/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_gem.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +index 726a34c4725c4..b983adffa3929 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +@@ -242,7 +242,11 @@ int mtk_drm_gem_prime_vmap(struct drm_gem_object *obj, struct dma_buf_map *map) + + mtk_gem->kvaddr = vmap(mtk_gem->pages, npages, VM_MAP, + pgprot_writecombine(PAGE_KERNEL)); +- ++ if (!mtk_gem->kvaddr) { ++ kfree(sgt); ++ kfree(mtk_gem->pages); ++ return -ENOMEM; ++ } + out: + kfree(sgt); + dma_buf_map_set_vaddr(map, mtk_gem->kvaddr); +-- +2.40.1 + diff --git a/queue-5.15/drm-mediatek-remove-freeing-not-dynamic-allocated-me.patch b/queue-5.15/drm-mediatek-remove-freeing-not-dynamic-allocated-me.patch new file mode 100644 index 00000000000..cd536e40cf8 --- /dev/null +++ b/queue-5.15/drm-mediatek-remove-freeing-not-dynamic-allocated-me.patch @@ -0,0 +1,62 @@ +From b533ca908cd5f1abc96f3350cc7e3a6ede5878e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jul 2023 17:49:05 +0800 +Subject: drm/mediatek: Remove freeing not dynamic allocated memory + +From: Jason-JH.Lin + +[ Upstream commit 27b9e2ea3f2757da26bb8280e46f7fdbb1acb219 ] + +Fixing the coverity issue of: +mtk_drm_cmdq_pkt_destroy frees address of mtk_crtc->cmdq_handle + +So remove the free function. + +Fixes: 7627122fd1c0 ("drm/mediatek: Add cmdq_handle in mtk_crtc") +Signed-off-by: Jason-JH.Lin +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: CK Hu +Reviewed-by: Alexandre Mergnat +Link: https://patchwork.kernel.org/project/dri-devel/patch/20230714094908.13087-2-jason-jh.lin@mediatek.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +index 6497c9fcd2af7..0b93013061e6a 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +@@ -116,10 +116,9 @@ static int mtk_drm_cmdq_pkt_create(struct cmdq_client *client, struct cmdq_pkt * + dma_addr_t dma_addr; + + pkt->va_base = kzalloc(size, GFP_KERNEL); +- if (!pkt->va_base) { +- kfree(pkt); ++ if (!pkt->va_base) + return -ENOMEM; +- } ++ + pkt->buf_size = size; + pkt->cl = (void *)client; + +@@ -129,7 +128,6 @@ static int mtk_drm_cmdq_pkt_create(struct cmdq_client *client, struct cmdq_pkt * + if (dma_mapping_error(dev, dma_addr)) { + dev_err(dev, "dma map failed, size=%u\n", (u32)(u64)size); + kfree(pkt->va_base); +- kfree(pkt); + return -ENOMEM; + } + +@@ -145,7 +143,6 @@ static void mtk_drm_cmdq_pkt_destroy(struct cmdq_pkt *pkt) + dma_unmap_single(client->chan->mbox->dev, pkt->pa_base, pkt->buf_size, + DMA_TO_DEVICE); + kfree(pkt->va_base); +- kfree(pkt); + } + #endif + +-- +2.40.1 + diff --git a/queue-5.15/drm-msm-a2xx-call-adreno_gpu_init-earlier.patch b/queue-5.15/drm-msm-a2xx-call-adreno_gpu_init-earlier.patch new file mode 100644 index 00000000000..b170f214fe9 --- /dev/null +++ b/queue-5.15/drm-msm-a2xx-call-adreno_gpu_init-earlier.patch @@ -0,0 +1,58 @@ +From eede0f59719729a719daef7cfb05c37f460c0441 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 20:23:19 -0300 +Subject: drm/msm/a2xx: Call adreno_gpu_init() earlier + +From: Fabio Estevam + +[ Upstream commit db07ce5da8b26bfeaf437a676ae49bd3bb1eace6 ] + +The adreno_is_a20x() and adreno_is_a225() functions rely on the +GPU revision, but such information is retrieved inside adreno_gpu_init(), +which is called afterwards. + +Fix this problem by caling adreno_gpu_init() earlier, so that +the GPU information revision is available when adreno_is_a20x() +and adreno_is_a225() run. + +Tested on a imx53-qsb board. + +Fixes: 21af872cd8c6 ("drm/msm/adreno: add a2xx") +Signed-off-by: Fabio Estevam +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/543456/ +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a2xx_gpu.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a2xx_gpu.c b/drivers/gpu/drm/msm/adreno/a2xx_gpu.c +index bdc989183c648..17d6a1ecb1110 100644 +--- a/drivers/gpu/drm/msm/adreno/a2xx_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/a2xx_gpu.c +@@ -521,6 +521,10 @@ struct msm_gpu *a2xx_gpu_init(struct drm_device *dev) + gpu->perfcntrs = perfcntrs; + gpu->num_perfcntrs = ARRAY_SIZE(perfcntrs); + ++ ret = adreno_gpu_init(dev, pdev, adreno_gpu, &funcs, 1); ++ if (ret) ++ goto fail; ++ + if (adreno_is_a20x(adreno_gpu)) + adreno_gpu->registers = a200_registers; + else if (adreno_is_a225(adreno_gpu)) +@@ -528,10 +532,6 @@ struct msm_gpu *a2xx_gpu_init(struct drm_device *dev) + else + adreno_gpu->registers = a220_registers; + +- ret = adreno_gpu_init(dev, pdev, adreno_gpu, &funcs, 1); +- if (ret) +- goto fail; +- + if (!gpu->aspace) { + dev_err(dev->dev, "No memory protection without MMU\n"); + if (!allow_vram_carveout) { +-- +2.40.1 + diff --git a/queue-5.15/drm-msm-mdp5-don-t-leak-some-plane-state.patch b/queue-5.15/drm-msm-mdp5-don-t-leak-some-plane-state.patch new file mode 100644 index 00000000000..70bf06a1dd5 --- /dev/null +++ b/queue-5.15/drm-msm-mdp5-don-t-leak-some-plane-state.patch @@ -0,0 +1,55 @@ +From 9bcfb13a20e06f8433e676abe0f3fe5fe3c04a0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 22:45:21 +0200 +Subject: drm/msm/mdp5: Don't leak some plane state + +From: Daniel Vetter + +[ Upstream commit fd0ad3b2365c1c58aa5a761c18efc4817193beb6 ] + +Apparently no one noticed that mdp5 plane states leak like a sieve +ever since we introduced plane_state->commit refcount a few years ago +in 21a01abbe32a ("drm/atomic: Fix freeing connector/plane state too +early by tracking commits, v3.") + +Fix it by using the right helpers. + +Fixes: 21a01abbe32a ("drm/atomic: Fix freeing connector/plane state too early by tracking commits, v3.") +Cc: Maarten Lankhorst +Cc: Daniel Vetter +Cc: Rob Clark +Cc: Abhinav Kumar +Cc: Dmitry Baryshkov +Cc: linux-arm-msm@vger.kernel.org +Cc: freedreno@lists.freedesktop.org +Reported-and-tested-by: dorum@noisolation.com +Cc: dorum@noisolation.com +Signed-off-by: Daniel Vetter +Reviewed-by: Rob Clark +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/551236/ +Link: https://lore.kernel.org/r/20230803204521.928582-1-daniel.vetter@ffwll.ch +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c +index 9c42776cb9a8a..f9cae6460c3be 100644 +--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c ++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c +@@ -128,8 +128,7 @@ static void mdp5_plane_destroy_state(struct drm_plane *plane, + { + struct mdp5_plane_state *pstate = to_mdp5_plane_state(state); + +- if (state->fb) +- drm_framebuffer_put(state->fb); ++ __drm_atomic_helper_plane_destroy_state(state); + + kfree(pstate); + } +-- +2.40.1 + diff --git a/queue-5.15/drm-msm-update-dev-core-dump-to-not-print-backwards.patch b/queue-5.15/drm-msm-update-dev-core-dump-to-not-print-backwards.patch new file mode 100644 index 00000000000..7eedd906f3b --- /dev/null +++ b/queue-5.15/drm-msm-update-dev-core-dump-to-not-print-backwards.patch @@ -0,0 +1,40 @@ +From 465d3620ea24cb5fbe256c0525db4c724bdb81eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 18:24:40 -0700 +Subject: drm/msm: Update dev core dump to not print backwards + +From: Ryan McCann + +[ Upstream commit 903705111d863ed8ccf73465da77d232fc422ec1 ] + +Device core dump add block method adds hardware blocks to dumping queue +with stack behavior which causes the hardware blocks to be printed in +reverse order. Change the addition to dumping queue data structure +from "list_add" to "list_add_tail" for FIFO queue behavior. + +Fixes: 98659487b845 ("drm/msm: add support to take dpu snapshot") +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Signed-off-by: Ryan McCann +Patchwork: https://patchwork.freedesktop.org/patch/546200/ +Link: https://lore.kernel.org/r/20230622-devcoredump_patch-v5-1-67e8b66c4723@quicinc.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c +index 369e57f73a470..8746ceae8fca9 100644 +--- a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c ++++ b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c +@@ -185,5 +185,5 @@ void msm_disp_snapshot_add_block(struct msm_disp_state *disp_state, u32 len, + new_blk->base_addr = base_addr; + + msm_disp_state_dump_regs(&new_blk->state, new_blk->size, base_addr); +- list_add(&new_blk->node, &disp_state->blocks); ++ list_add_tail(&new_blk->node, &disp_state->blocks); + } +-- +2.40.1 + diff --git a/queue-5.15/drm-panel-simple-add-missing-connector-type-and-pixe.patch b/queue-5.15/drm-panel-simple-add-missing-connector-type-and-pixe.patch new file mode 100644 index 00000000000..76f9e0c0b01 --- /dev/null +++ b/queue-5.15/drm-panel-simple-add-missing-connector-type-and-pixe.patch @@ -0,0 +1,41 @@ +From 3ca2eb06292cf8a5016f78834a2ad51194271c43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Jul 2023 15:49:14 +0200 +Subject: drm/panel: simple: Add missing connector type and pixel format for + AUO T215HVN01 + +From: Marek Vasut + +[ Upstream commit 7a675a8fa598edb29a664a91adb80f0340649f6f ] + +The connector type and pixel format are missing for this panel, +add them to prevent various drivers from failing to determine +either of those parameters. + +Fixes: 7ee933a1d5c4 ("drm/panel: simple: Add support for AUO T215HVN01") +Signed-off-by: Marek Vasut +Reviewed-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20230709134914.449328-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index 7cf0af78b7bc9..e58eb93e9bc9e 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -1448,7 +1448,9 @@ static const struct panel_desc auo_t215hvn01 = { + .delay = { + .disable = 5, + .unprepare = 1000, +- } ++ }, ++ .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG, ++ .connector_type = DRM_MODE_CONNECTOR_LVDS, + }; + + static const struct drm_display_mode avic_tm070ddh03_mode = { +-- +2.40.1 + diff --git a/queue-5.15/drm-radeon-use-rmw-accessors-for-changing-lnkctl.patch b/queue-5.15/drm-radeon-use-rmw-accessors-for-changing-lnkctl.patch new file mode 100644 index 00000000000..4f4896b80fb --- /dev/null +++ b/queue-5.15/drm-radeon-use-rmw-accessors-for-changing-lnkctl.patch @@ -0,0 +1,145 @@ +From 32aec7e6544c8d9588023bee12d592269d4dfebf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 15:04:58 +0300 +Subject: drm/radeon: Use RMW accessors for changing LNKCTL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 7189576e8a829130192b33c5b64e8a475369c776 ] + +Don't assume that only the driver would be accessing LNKCTL. ASPM policy +changes can trigger write to LNKCTL outside of driver's control. And in +the case of upstream bridge, the driver does not even own the device it's +changing the registers for. + +Use RMW capability accessors which do proper locking to avoid losing +concurrent updates to the register value. + +Suggested-by: Lukas Wunner +Fixes: 8a7cd27679d0 ("drm/radeon/cik: add support for pcie gen1/2/3 switching") +Fixes: b9d305dfb66c ("drm/radeon: implement pcie gen2/3 support for SI") +Link: https://lore.kernel.org/r/20230717120503.15276-7-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Acked-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/cik.c | 36 ++++++++++------------------------- + drivers/gpu/drm/radeon/si.c | 37 ++++++++++-------------------------- + 2 files changed, 20 insertions(+), 53 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/cik.c b/drivers/gpu/drm/radeon/cik.c +index 81b4de7be9f2b..a42f29b6ed7cf 100644 +--- a/drivers/gpu/drm/radeon/cik.c ++++ b/drivers/gpu/drm/radeon/cik.c +@@ -9534,17 +9534,8 @@ static void cik_pcie_gen3_enable(struct radeon_device *rdev) + u16 bridge_cfg2, gpu_cfg2; + u32 max_lw, current_lw, tmp; + +- pcie_capability_read_word(root, PCI_EXP_LNKCTL, +- &bridge_cfg); +- pcie_capability_read_word(rdev->pdev, PCI_EXP_LNKCTL, +- &gpu_cfg); +- +- tmp16 = bridge_cfg | PCI_EXP_LNKCTL_HAWD; +- pcie_capability_write_word(root, PCI_EXP_LNKCTL, tmp16); +- +- tmp16 = gpu_cfg | PCI_EXP_LNKCTL_HAWD; +- pcie_capability_write_word(rdev->pdev, PCI_EXP_LNKCTL, +- tmp16); ++ pcie_capability_set_word(root, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_HAWD); ++ pcie_capability_set_word(rdev->pdev, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_HAWD); + + tmp = RREG32_PCIE_PORT(PCIE_LC_STATUS1); + max_lw = (tmp & LC_DETECTED_LINK_WIDTH_MASK) >> LC_DETECTED_LINK_WIDTH_SHIFT; +@@ -9591,21 +9582,14 @@ static void cik_pcie_gen3_enable(struct radeon_device *rdev) + msleep(100); + + /* linkctl */ +- pcie_capability_read_word(root, PCI_EXP_LNKCTL, +- &tmp16); +- tmp16 &= ~PCI_EXP_LNKCTL_HAWD; +- tmp16 |= (bridge_cfg & PCI_EXP_LNKCTL_HAWD); +- pcie_capability_write_word(root, PCI_EXP_LNKCTL, +- tmp16); +- +- pcie_capability_read_word(rdev->pdev, +- PCI_EXP_LNKCTL, +- &tmp16); +- tmp16 &= ~PCI_EXP_LNKCTL_HAWD; +- tmp16 |= (gpu_cfg & PCI_EXP_LNKCTL_HAWD); +- pcie_capability_write_word(rdev->pdev, +- PCI_EXP_LNKCTL, +- tmp16); ++ pcie_capability_clear_and_set_word(root, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_HAWD, ++ bridge_cfg & ++ PCI_EXP_LNKCTL_HAWD); ++ pcie_capability_clear_and_set_word(rdev->pdev, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_HAWD, ++ gpu_cfg & ++ PCI_EXP_LNKCTL_HAWD); + + /* linkctl2 */ + pcie_capability_read_word(root, PCI_EXP_LNKCTL2, +diff --git a/drivers/gpu/drm/radeon/si.c b/drivers/gpu/drm/radeon/si.c +index 013e44ed0f39a..4679b798a0384 100644 +--- a/drivers/gpu/drm/radeon/si.c ++++ b/drivers/gpu/drm/radeon/si.c +@@ -7131,17 +7131,8 @@ static void si_pcie_gen3_enable(struct radeon_device *rdev) + u16 bridge_cfg2, gpu_cfg2; + u32 max_lw, current_lw, tmp; + +- pcie_capability_read_word(root, PCI_EXP_LNKCTL, +- &bridge_cfg); +- pcie_capability_read_word(rdev->pdev, PCI_EXP_LNKCTL, +- &gpu_cfg); +- +- tmp16 = bridge_cfg | PCI_EXP_LNKCTL_HAWD; +- pcie_capability_write_word(root, PCI_EXP_LNKCTL, tmp16); +- +- tmp16 = gpu_cfg | PCI_EXP_LNKCTL_HAWD; +- pcie_capability_write_word(rdev->pdev, PCI_EXP_LNKCTL, +- tmp16); ++ pcie_capability_set_word(root, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_HAWD); ++ pcie_capability_set_word(rdev->pdev, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_HAWD); + + tmp = RREG32_PCIE(PCIE_LC_STATUS1); + max_lw = (tmp & LC_DETECTED_LINK_WIDTH_MASK) >> LC_DETECTED_LINK_WIDTH_SHIFT; +@@ -7188,22 +7179,14 @@ static void si_pcie_gen3_enable(struct radeon_device *rdev) + msleep(100); + + /* linkctl */ +- pcie_capability_read_word(root, PCI_EXP_LNKCTL, +- &tmp16); +- tmp16 &= ~PCI_EXP_LNKCTL_HAWD; +- tmp16 |= (bridge_cfg & PCI_EXP_LNKCTL_HAWD); +- pcie_capability_write_word(root, +- PCI_EXP_LNKCTL, +- tmp16); +- +- pcie_capability_read_word(rdev->pdev, +- PCI_EXP_LNKCTL, +- &tmp16); +- tmp16 &= ~PCI_EXP_LNKCTL_HAWD; +- tmp16 |= (gpu_cfg & PCI_EXP_LNKCTL_HAWD); +- pcie_capability_write_word(rdev->pdev, +- PCI_EXP_LNKCTL, +- tmp16); ++ pcie_capability_clear_and_set_word(root, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_HAWD, ++ bridge_cfg & ++ PCI_EXP_LNKCTL_HAWD); ++ pcie_capability_clear_and_set_word(rdev->pdev, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_HAWD, ++ gpu_cfg & ++ PCI_EXP_LNKCTL_HAWD); + + /* linkctl2 */ + pcie_capability_read_word(root, PCI_EXP_LNKCTL2, +-- +2.40.1 + diff --git a/queue-5.15/drm-tegra-dpaux-fix-incorrect-return-value-of-platfo.patch b/queue-5.15/drm-tegra-dpaux-fix-incorrect-return-value-of-platfo.patch new file mode 100644 index 00000000000..7a1133b06ac --- /dev/null +++ b/queue-5.15/drm-tegra-dpaux-fix-incorrect-return-value-of-platfo.patch @@ -0,0 +1,37 @@ +From c793d22ece99a036cdbdcf7c44a3e9a33f26a370 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 11:23:49 +0800 +Subject: drm/tegra: dpaux: Fix incorrect return value of platform_get_irq + +From: Yangtao Li + +[ Upstream commit 2a1ca44b654346cadfc538c4fb32eecd8daf3140 ] + +When platform_get_irq fails, we should return dpaux->irq +instead of -ENXIO. + +Fixes: 6b6b604215c6 ("drm/tegra: Add eDP support") +Signed-off-by: Yangtao Li +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/20230710032355.72914-13-frank.li@vivo.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/dpaux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tegra/dpaux.c b/drivers/gpu/drm/tegra/dpaux.c +index 1f96e416fa082..c96c07c6458c3 100644 +--- a/drivers/gpu/drm/tegra/dpaux.c ++++ b/drivers/gpu/drm/tegra/dpaux.c +@@ -468,7 +468,7 @@ static int tegra_dpaux_probe(struct platform_device *pdev) + + dpaux->irq = platform_get_irq(pdev, 0); + if (dpaux->irq < 0) +- return -ENXIO; ++ return dpaux->irq; + + if (!pdev->dev.pm_domain) { + dpaux->rst = devm_reset_control_get(&pdev->dev, "dpaux"); +-- +2.40.1 + diff --git a/queue-5.15/drm-xlnx-zynqmp_dpsub-add-missing-check-for-dma_set_.patch b/queue-5.15/drm-xlnx-zynqmp_dpsub-add-missing-check-for-dma_set_.patch new file mode 100644 index 00000000000..6ef5420eed8 --- /dev/null +++ b/queue-5.15/drm-xlnx-zynqmp_dpsub-add-missing-check-for-dma_set_.patch @@ -0,0 +1,39 @@ +From c2091797feadd6963f362bca11afb8c7144d854f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jun 2023 10:05:29 +0800 +Subject: drm: xlnx: zynqmp_dpsub: Add missing check for dma_set_mask + +From: Jiasheng Jiang + +[ Upstream commit 1832fba7f9780aff67c96ad30f397c2d76141833 ] + +Add check for dma_set_mask() and return the error if it fails. + +Fixes: d76271d22694 ("drm: xlnx: DRM/KMS driver for Xilinx ZynqMP DisplayPort Subsystem") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Laurent Pinchart +Reviewed-by: Tomi Valkeinen +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xlnx/zynqmp_dpsub.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/xlnx/zynqmp_dpsub.c b/drivers/gpu/drm/xlnx/zynqmp_dpsub.c +index ac37053412a13..5bb42d0a2de98 100644 +--- a/drivers/gpu/drm/xlnx/zynqmp_dpsub.c ++++ b/drivers/gpu/drm/xlnx/zynqmp_dpsub.c +@@ -200,7 +200,9 @@ static int zynqmp_dpsub_probe(struct platform_device *pdev) + dpsub->dev = &pdev->dev; + platform_set_drvdata(pdev, dpsub); + +- dma_set_mask(dpsub->dev, DMA_BIT_MASK(ZYNQMP_DISP_MAX_DMA_BIT)); ++ ret = dma_set_mask(dpsub->dev, DMA_BIT_MASK(ZYNQMP_DISP_MAX_DMA_BIT)); ++ if (ret) ++ return ret; + + /* Try the reserved memory. Proceed if there's none. */ + of_reserved_mem_device_init(&pdev->dev); +-- +2.40.1 + diff --git a/queue-5.15/edac-igen6-fix-the-issue-of-no-error-events.patch b/queue-5.15/edac-igen6-fix-the-issue-of-no-error-events.patch new file mode 100644 index 00000000000..2bdb8a4f318 --- /dev/null +++ b/queue-5.15/edac-igen6-fix-the-issue-of-no-error-events.patch @@ -0,0 +1,65 @@ +From 7ec552d3660b2a39a2683b5a22fc86a23d407ad2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 16:04:27 +0800 +Subject: EDAC/igen6: Fix the issue of no error events + +From: Qiuxu Zhuo + +[ Upstream commit ce53ad81ed36c24aff075f94474adecfabfcf239 ] + +Current igen6_edac checks for pending errors before the registration +of the error handler. However, there is a possibility that the error +occurs during the registration process, leading to unhandled pending +errors and no future error events. This issue can be reproduced by +repeatedly injecting errors during the loading of the igen6_edac. + +Fix this issue by moving the pending error handler after the registration +of the error handler, ensuring that no pending errors are left unhandled. + +Fixes: 10590a9d4f23 ("EDAC/igen6: Add EDAC driver for Intel client SoCs using IBECC") +Reported-by: Ee Wey Lim +Tested-by: Ee Wey Lim +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Link: https://lore.kernel.org/r/20230725080427.23883-1-qiuxu.zhuo@intel.com +Signed-off-by: Sasha Levin +--- + drivers/edac/igen6_edac.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c +index a07bbfd075d06..8ec70da8d84fe 100644 +--- a/drivers/edac/igen6_edac.c ++++ b/drivers/edac/igen6_edac.c +@@ -27,7 +27,7 @@ + #include "edac_mc.h" + #include "edac_module.h" + +-#define IGEN6_REVISION "v2.5" ++#define IGEN6_REVISION "v2.5.1" + + #define EDAC_MOD_STR "igen6_edac" + #define IGEN6_NMI_NAME "igen6_ibecc" +@@ -1216,9 +1216,6 @@ static int igen6_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + INIT_WORK(&ecclog_work, ecclog_work_cb); + init_irq_work(&ecclog_irq_work, ecclog_irq_work_cb); + +- /* Check if any pending errors before registering the NMI handler */ +- ecclog_handler(); +- + rc = register_err_handler(); + if (rc) + goto fail3; +@@ -1230,6 +1227,9 @@ static int igen6_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + goto fail4; + } + ++ /* Check if any pending errors before/during the registration of the error handler */ ++ ecclog_handler(); ++ + igen6_debug_setup(); + return 0; + fail4: +-- +2.40.1 + diff --git a/queue-5.15/eventfd-prevent-underflow-for-eventfd-semaphores.patch b/queue-5.15/eventfd-prevent-underflow-for-eventfd-semaphores.patch new file mode 100644 index 00000000000..1f4bc6682c7 --- /dev/null +++ b/queue-5.15/eventfd-prevent-underflow-for-eventfd-semaphores.patch @@ -0,0 +1,76 @@ +From c1b2e3ef3247bff34283e2808510acc7549e0d7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Jul 2023 14:54:51 +0800 +Subject: eventfd: prevent underflow for eventfd semaphores + +From: Wen Yang + +[ Upstream commit 758b492047816a3158d027e9fca660bc5bcf20bf ] + +For eventfd with flag EFD_SEMAPHORE, when its ctx->count is 0, calling +eventfd_ctx_do_read will cause ctx->count to overflow to ULLONG_MAX. + +An underflow can happen with EFD_SEMAPHORE eventfds in at least the +following three subsystems: + +(1) virt/kvm/eventfd.c +(2) drivers/vfio/virqfd.c +(3) drivers/virt/acrn/irqfd.c + +where (2) and (3) are just modeled after (1). An eventfd must be +specified for use with the KVM_IRQFD ioctl(). This can also be an +EFD_SEMAPHORE eventfd. When the eventfd count is zero or has been +decremented to zero an underflow can be triggered when the irqfd is shut +down by raising the KVM_IRQFD_FLAG_DEASSIGN flag in the KVM_IRQFD +ioctl(): + + // ctx->count == 0 + kvm_vm_ioctl() + -> kvm_irqfd() + -> kvm_irqfd_deassign() + -> irqfd_deactivate() + -> irqfd_shutdown() + -> eventfd_ctx_remove_wait_queue(&cnt) + -> eventfd_ctx_do_read(&cnt) + +Userspace polling on the eventfd wouldn't notice the underflow because 1 +is always returned as the value from eventfd_read() while ctx->count +would've underflowed. It's not a huge deal because this should only be +happening when the irqfd is shutdown but we should still fix it and +avoid the spurious wakeup. + +Fixes: cb289d6244a3 ("eventfd - allow atomic read and waitqueue remove") +Signed-off-by: Wen Yang +Cc: Alexander Viro +Cc: Jens Axboe +Cc: Christian Brauner +Cc: Christoph Hellwig +Cc: Dylan Yudaken +Cc: David Woodhouse +Cc: Matthew Wilcox +Cc: linux-fsdevel@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Message-Id: +[brauner: rewrite commit message and add explanation how this underflow can happen] +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/eventfd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/eventfd.c b/fs/eventfd.c +index 249ca6c0b7843..4a60ea932e3d9 100644 +--- a/fs/eventfd.c ++++ b/fs/eventfd.c +@@ -189,7 +189,7 @@ void eventfd_ctx_do_read(struct eventfd_ctx *ctx, __u64 *cnt) + { + lockdep_assert_held(&ctx->wqh.lock); + +- *cnt = (ctx->flags & EFD_SEMAPHORE) ? 1 : ctx->count; ++ *cnt = ((ctx->flags & EFD_SEMAPHORE) && ctx->count) ? 1 : ctx->count; + ctx->count -= *cnt; + } + EXPORT_SYMBOL_GPL(eventfd_ctx_do_read); +-- +2.40.1 + diff --git a/queue-5.15/ext4-avoid-potential-data-overflow-in-next_linear_gr.patch b/queue-5.15/ext4-avoid-potential-data-overflow-in-next_linear_gr.patch new file mode 100644 index 00000000000..04754b4776e --- /dev/null +++ b/queue-5.15/ext4-avoid-potential-data-overflow-in-next_linear_gr.patch @@ -0,0 +1,44 @@ +From 058b91b1de6bbc72969c24379f3672efb34bf9ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 22:31:56 +0800 +Subject: ext4: avoid potential data overflow in next_linear_group + +From: Kemeng Shi + +[ Upstream commit 60c672b7f2d1e5dd1774f2399b355c9314e709f8 ] + +ngroups is ext4_group_t (unsigned int) while next_linear_group treat it +in int. If ngroups is bigger than max number described by int, it will +be treat as a negative number. Then "return group + 1 >= ngroups ? 0 : +group + 1;" may keep returning 0. +Switch int to ext4_group_t in next_linear_group to fix the overflow. + +Fixes: 196e402adf2e ("ext4: improve cr 0 / cr 1 group scanning") +Signed-off-by: Kemeng Shi +Reviewed-by: Ritesh Harjani (IBM) +Link: https://lore.kernel.org/r/20230801143204.2284343-3-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index c52833d07602c..7e7153c673c0d 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -1011,8 +1011,9 @@ static inline int should_optimize_scan(struct ext4_allocation_context *ac) + * Return next linear group for allocation. If linear traversal should not be + * performed, this function just returns the same group + */ +-static int +-next_linear_group(struct ext4_allocation_context *ac, int group, int ngroups) ++static ext4_group_t ++next_linear_group(struct ext4_allocation_context *ac, ext4_group_t group, ++ ext4_group_t ngroups) + { + if (!should_optimize_scan(ac)) + goto inc_and_return; +-- +2.40.1 + diff --git a/queue-5.15/ext4-correct-grp-validation-in-ext4_mb_good_group.patch b/queue-5.15/ext4-correct-grp-validation-in-ext4_mb_good_group.patch new file mode 100644 index 00000000000..77194da65bf --- /dev/null +++ b/queue-5.15/ext4-correct-grp-validation-in-ext4_mb_good_group.patch @@ -0,0 +1,38 @@ +From e59536ad8658b411e3e5a3a256e9bbf7a7821dc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 22:31:55 +0800 +Subject: ext4: correct grp validation in ext4_mb_good_group + +From: Kemeng Shi + +[ Upstream commit a9ce5993a0f5c0887c8a1b4ffa3b8046fbcfdc93 ] + +Group corruption check will access memory of grp and will trigger kernel +crash if grp is NULL. So do NULL check before corruption check. + +Fixes: 5354b2af3406 ("ext4: allow ext4_get_group_info() to fail") +Signed-off-by: Kemeng Shi +Reviewed-by: Ritesh Harjani (IBM) +Link: https://lore.kernel.org/r/20230801143204.2284343-2-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 47c28e3582fd8..c52833d07602c 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -2445,7 +2445,7 @@ static bool ext4_mb_good_group(struct ext4_allocation_context *ac, + + BUG_ON(cr < 0 || cr >= 4); + +- if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(grp) || !grp)) ++ if (unlikely(!grp || EXT4_MB_GRP_BBITMAP_CORRUPT(grp))) + return false; + + free = grp->bb_free; +-- +2.40.1 + diff --git a/queue-5.15/ext4-fix-unttached-inode-after-power-cut-with-orphan.patch b/queue-5.15/ext4-fix-unttached-inode-after-power-cut-with-orphan.patch new file mode 100644 index 00000000000..ae876a44837 --- /dev/null +++ b/queue-5.15/ext4-fix-unttached-inode-after-power-cut-with-orphan.patch @@ -0,0 +1,91 @@ +From dd59b18ed12377bc7a7fdbe2255c04735b1cddcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jun 2023 21:20:11 +0800 +Subject: ext4: fix unttached inode after power cut with orphan file feature + enabled + +From: Zhihao Cheng + +[ Upstream commit 1524773425ae8113b0b782886366e68656b34e53 ] + +Running generic/475(filesystem consistent tests after power cut) could +easily trigger unattached inode error while doing fsck: + Unattached zero-length inode 39405. Clear? no + + Unattached inode 39405 + Connect to /lost+found? no + +Above inconsistence is caused by following process: + P1 P2 +ext4_create + inode = ext4_new_inode_start_handle // itable records nlink=1 + ext4_add_nondir + err = ext4_add_entry // ENOSPC + ext4_append + ext4_bread + ext4_getblk + ext4_map_blocks // returns ENOSPC + drop_nlink(inode) // won't be updated into disk inode + ext4_orphan_add(handle, inode) + ext4_orphan_file_add + ext4_journal_stop(handle) + jbd2_journal_commit_transaction // commit success + >> power cut << +ext4_fill_super + ext4_load_and_init_journal // itable records nlink=1 + ext4_orphan_cleanup + ext4_process_orphan + if (inode->i_nlink) // true, inode won't be deleted + +Then, allocated inode will be reserved on disk and corresponds to no +dentries, so e2fsck reports 'unattached inode' problem. + +The problem won't happen if orphan file feature is disabled, because +ext4_orphan_add() will update disk inode in orphan list mode. There +are several places not updating disk inode while putting inode into +orphan area, such as ext4_add_nondir(), ext4_symlink() and whiteout +in ext4_rename(). Fix it by updating inode into disk in all error +branches of these places. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217605 +Fixes: 02f310fcf47f ("ext4: Speedup ext4 orphan inode handling") +Signed-off-by: Zhihao Cheng +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230628132011.650383-1-chengzhihao1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/namei.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 2629e90f8dbb5..d44fe5b1a7255 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2799,6 +2799,7 @@ static int ext4_add_nondir(handle_t *handle, + return err; + } + drop_nlink(inode); ++ ext4_mark_inode_dirty(handle, inode); + ext4_orphan_add(handle, inode); + unlock_new_inode(inode); + return err; +@@ -3455,6 +3456,7 @@ static int ext4_symlink(struct user_namespace *mnt_userns, struct inode *dir, + if (handle) + ext4_journal_stop(handle); + clear_nlink(inode); ++ ext4_mark_inode_dirty(handle, inode); + unlock_new_inode(inode); + iput(inode); + out_free_encrypted_link: +@@ -4028,6 +4030,7 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir, + ext4_resetent(handle, &old, + old.inode->i_ino, old_file_type); + drop_nlink(whiteout); ++ ext4_mark_inode_dirty(handle, whiteout); + ext4_orphan_add(handle, whiteout); + } + unlock_new_inode(whiteout); +-- +2.40.1 + diff --git a/queue-5.15/firmware-meson_sm-fix-to-avoid-potential-null-pointe.patch b/queue-5.15/firmware-meson_sm-fix-to-avoid-potential-null-pointe.patch new file mode 100644 index 00000000000..7ef9dacfa83 --- /dev/null +++ b/queue-5.15/firmware-meson_sm-fix-to-avoid-potential-null-pointe.patch @@ -0,0 +1,39 @@ +From 43e6b622ead86abd8ac6321299193351f33b44e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jul 2023 22:13:38 +0800 +Subject: firmware: meson_sm: fix to avoid potential NULL pointer dereference + +From: Zhang Shurong + +[ Upstream commit f2ed165619c16577c02b703a114a1f6b52026df4 ] + +of_match_device() may fail and returns a NULL pointer. + +Fix this by checking the return value of of_match_device. + +Fixes: 8cde3c2153e8 ("firmware: meson_sm: Rework driver as a proper platform driver") +Signed-off-by: Zhang Shurong +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/tencent_AA08AAA6C4F34D53ADCE962E188A879B8206@qq.com +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + drivers/firmware/meson/meson_sm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/firmware/meson/meson_sm.c b/drivers/firmware/meson/meson_sm.c +index 77aa5c6398aa6..d081a6312627b 100644 +--- a/drivers/firmware/meson/meson_sm.c ++++ b/drivers/firmware/meson/meson_sm.c +@@ -292,6 +292,8 @@ static int __init meson_sm_probe(struct platform_device *pdev) + return -ENOMEM; + + chip = of_match_device(meson_sm_ids, dev)->data; ++ if (!chip) ++ return -EINVAL; + + if (chip->cmd_shmem_in_base) { + fw->sm_shmem_in_base = meson_sm_map_shmem(chip->cmd_shmem_in_base, +-- +2.40.1 + diff --git a/queue-5.15/fs-fix-error-checking-for-d_hash_and_lookup.patch b/queue-5.15/fs-fix-error-checking-for-d_hash_and_lookup.patch new file mode 100644 index 00000000000..36573a4e20b --- /dev/null +++ b/queue-5.15/fs-fix-error-checking-for-d_hash_and_lookup.patch @@ -0,0 +1,38 @@ +From 0f31dbce55895450d369dcdfabbcce82e08e0328 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 20:05:42 +0800 +Subject: fs: Fix error checking for d_hash_and_lookup() + +From: Wang Ming + +[ Upstream commit 0d5a4f8f775ff990142cdc810a84eae078589d27 ] + +The d_hash_and_lookup() function returns error pointers or NULL. +Most incorrect error checks were fixed, but the one in int path_pts() +was forgotten. + +Fixes: eedf265aa003 ("devpts: Make each mount of devpts an independent filesystem.") +Signed-off-by: Wang Ming +Message-Id: <20230713120555.7025-1-machel@vivo.com> +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/namei.c b/fs/namei.c +index 885b0e93ee966..ea2785103376e 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -2836,7 +2836,7 @@ int path_pts(struct path *path) + dput(path->dentry); + path->dentry = parent; + child = d_hash_and_lookup(parent, &this); +- if (!child) ++ if (IS_ERR_OR_NULL(child)) + return -ENOENT; + + path->dentry = child; +-- +2.40.1 + diff --git a/queue-5.15/fs-lockd-avoid-possible-wrong-null-parameter.patch b/queue-5.15/fs-lockd-avoid-possible-wrong-null-parameter.patch new file mode 100644 index 00000000000..d742bab3991 --- /dev/null +++ b/queue-5.15/fs-lockd-avoid-possible-wrong-null-parameter.patch @@ -0,0 +1,43 @@ +From af576c6f69cef766e7de4c41d9562138d0ebfef1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 09:26:57 +0800 +Subject: fs: lockd: avoid possible wrong NULL parameter + +From: Su Hui + +[ Upstream commit de8d38cf44bac43e83bad28357ba84784c412752 ] + +clang's static analysis warning: fs/lockd/mon.c: line 293, column 2: +Null pointer passed as 2nd argument to memory copy function. + +Assuming 'hostname' is NULL and calling 'nsm_create_handle()', this will +pass NULL as 2nd argument to memory copy function 'memcpy()'. So return +NULL if 'hostname' is invalid. + +Fixes: 77a3ef33e2de ("NSM: More clean up of nsm_get_handle()") +Signed-off-by: Su Hui +Reviewed-by: Nick Desaulniers +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/lockd/mon.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/lockd/mon.c b/fs/lockd/mon.c +index 1d9488cf05348..87a0f207df0b9 100644 +--- a/fs/lockd/mon.c ++++ b/fs/lockd/mon.c +@@ -276,6 +276,9 @@ static struct nsm_handle *nsm_create_handle(const struct sockaddr *sap, + { + struct nsm_handle *new; + ++ if (!hostname) ++ return NULL; ++ + new = kzalloc(sizeof(*new) + hostname_len + 1, GFP_KERNEL); + if (unlikely(new == NULL)) + return NULL; +-- +2.40.1 + diff --git a/queue-5.15/fs-ocfs2-namei-check-return-value-of-ocfs2_add_entry.patch b/queue-5.15/fs-ocfs2-namei-check-return-value-of-ocfs2_add_entry.patch new file mode 100644 index 00000000000..df608166049 --- /dev/null +++ b/queue-5.15/fs-ocfs2-namei-check-return-value-of-ocfs2_add_entry.patch @@ -0,0 +1,50 @@ +From acac3451cabc850ecf5eabb38c865c0a75f0fb74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 17:54:17 +0300 +Subject: fs: ocfs2: namei: check return value of ocfs2_add_entry() + +From: Artem Chernyshev + +[ Upstream commit 6b72e5f9e79360fce4f2be7fe81159fbdf4256a5 ] + +Process result of ocfs2_add_entry() in case we have an error +value. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Link: https://lkml.kernel.org/r/20230803145417.177649-1-artem.chernyshev@red-soft.ru +Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem") +Signed-off-by: Artem Chernyshev +Reviewed-by: Joseph Qi +Cc: Artem Chernyshev +Cc: Joel Becker +Cc: Kurt Hackel +Cc: Mark Fasheh +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/namei.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c +index 3c24eceeb4ffc..0b4f3d287cbc0 100644 +--- a/fs/ocfs2/namei.c ++++ b/fs/ocfs2/namei.c +@@ -1535,6 +1535,10 @@ static int ocfs2_rename(struct user_namespace *mnt_userns, + status = ocfs2_add_entry(handle, new_dentry, old_inode, + OCFS2_I(old_inode)->ip_blkno, + new_dir_bh, &target_insert); ++ if (status < 0) { ++ mlog_errno(status); ++ goto bail; ++ } + } + + old_inode->i_ctime = current_time(old_inode); +-- +2.40.1 + diff --git a/queue-5.15/fsi-aspeed-reset-master-errors-after-cfam-reset.patch b/queue-5.15/fsi-aspeed-reset-master-errors-after-cfam-reset.patch new file mode 100644 index 00000000000..9d6f4045bda --- /dev/null +++ b/queue-5.15/fsi-aspeed-reset-master-errors-after-cfam-reset.patch @@ -0,0 +1,38 @@ +From 1eeebee453480592031c7aa519b9bb57c0086302 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jun 2023 14:56:50 -0500 +Subject: fsi: aspeed: Reset master errors after CFAM reset + +From: Eddie James + +[ Upstream commit 52300909f4670ac552bfeb33c1355b896eac8c06 ] + +It has been observed that sometimes the FSI master will return all 0xffs +after a CFAM has been taken out of reset, without presenting any error. +Resetting the FSI master errors resolves the issue. + +Fixes: 4a851d714ead ("fsi: aspeed: Support CFAM reset GPIO") +Signed-off-by: Eddie James +Link: https://lore.kernel.org/r/20230612195657.245125-8-eajames@linux.ibm.com +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + drivers/fsi/fsi-master-aspeed.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/fsi/fsi-master-aspeed.c b/drivers/fsi/fsi-master-aspeed.c +index 0bed2fab80558..a3645da1f1bf3 100644 +--- a/drivers/fsi/fsi-master-aspeed.c ++++ b/drivers/fsi/fsi-master-aspeed.c +@@ -453,6 +453,8 @@ static ssize_t cfam_reset_store(struct device *dev, struct device_attribute *att + gpiod_set_value(aspeed->cfam_reset_gpio, 1); + usleep_range(900, 1000); + gpiod_set_value(aspeed->cfam_reset_gpio, 0); ++ usleep_range(900, 1000); ++ opb_writel(aspeed, ctrl_base + FSI_MRESP0, cpu_to_be32(FSI_MRESP_RST_ALL_MASTER)); + mutex_unlock(&aspeed->lock); + + return count; +-- +2.40.1 + diff --git a/queue-5.15/hid-logitech-dj-fix-error-handling-in-logi_dj_recv_s.patch b/queue-5.15/hid-logitech-dj-fix-error-handling-in-logi_dj_recv_s.patch new file mode 100644 index 00000000000..11b118e7b0a --- /dev/null +++ b/queue-5.15/hid-logitech-dj-fix-error-handling-in-logi_dj_recv_s.patch @@ -0,0 +1,55 @@ +From 52f4731eabf9c45ea8fcb59e2706e67e2eed1367 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jun 2023 03:16:35 -0700 +Subject: HID: logitech-dj: Fix error handling in + logi_dj_recv_switch_to_dj_mode() + +From: Nikita Zhandarovich + +[ Upstream commit 6f20d3261265885f6a6be4cda49d7019728760e0 ] + +Presently, if a call to logi_dj_recv_send_report() fails, we do +not learn about the error until after sending short +HID_OUTPUT_REPORT with hid_hw_raw_request(). +To handle this somewhat unlikely issue, return on error in +logi_dj_recv_send_report() (minding ugly sleep workaround) and +take into account the result of hid_hw_raw_request(). + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 6a9ddc897883 ("HID: logitech-dj: enable notifications on connect/disconnect") +Signed-off-by: Nikita Zhandarovich +Link: https://lore.kernel.org/r/20230613101635.77820-1-n.zhandarovich@fintech.ru +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-logitech-dj.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c +index c358778e070bc..08768e5accedc 100644 +--- a/drivers/hid/hid-logitech-dj.c ++++ b/drivers/hid/hid-logitech-dj.c +@@ -1285,6 +1285,9 @@ static int logi_dj_recv_switch_to_dj_mode(struct dj_receiver_dev *djrcv_dev, + * 50 msec should gives enough time to the receiver to be ready. + */ + msleep(50); ++ ++ if (retval) ++ return retval; + } + + /* +@@ -1306,7 +1309,7 @@ static int logi_dj_recv_switch_to_dj_mode(struct dj_receiver_dev *djrcv_dev, + buf[5] = 0x09; + buf[6] = 0x00; + +- hid_hw_raw_request(hdev, REPORT_ID_HIDPP_SHORT, buf, ++ retval = hid_hw_raw_request(hdev, REPORT_ID_HIDPP_SHORT, buf, + HIDPP_REPORT_SHORT_LENGTH, HID_OUTPUT_REPORT, + HID_REQ_SET_REPORT); + +-- +2.40.1 + diff --git a/queue-5.15/hid-multitouch-correct-devm-device-reference-for-hid.patch b/queue-5.15/hid-multitouch-correct-devm-device-reference-for-hid.patch new file mode 100644 index 00000000000..1673df7ed2d --- /dev/null +++ b/queue-5.15/hid-multitouch-correct-devm-device-reference-for-hid.patch @@ -0,0 +1,67 @@ +From 021c34a0c4d4366374ea0c95139c7b55e8381d24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Aug 2023 06:14:33 +0000 +Subject: HID: multitouch: Correct devm device reference for hidinput input_dev + name + +From: Rahul Rameshbabu + +[ Upstream commit 4794394635293a3e74591351fff469cea7ad15a2 ] + +Reference the HID device rather than the input device for the devm +allocation of the input_dev name. Referencing the input_dev would lead to a +use-after-free when the input_dev was unregistered and subsequently fires a +uevent that depends on the name. At the point of firing the uevent, the +name would be freed by devres management. + +Use devm_kasprintf to simplify the logic for allocating memory and +formatting the input_dev name string. + +Reported-by: Maxime Ripard +Closes: https://lore.kernel.org/linux-input/ZOZIZCND+L0P1wJc@penguin/T/#m443f3dce92520f74b6cf6ffa8653f9c92643d4ae +Fixes: c08d46aa805b ("HID: multitouch: devm conversion") +Suggested-by: Maxime Ripard +Suggested-by: Dmitry Torokhov +Signed-off-by: Rahul Rameshbabu +Reviewed-by: Maxime Ripard +Link: https://lore.kernel.org/r/20230824061308.222021-3-sergeantsagara@protonmail.com +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-multitouch.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 592ffdd546fb4..a5bc11750bdc1 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -1594,7 +1594,6 @@ static void mt_post_parse(struct mt_device *td, struct mt_application *app) + static int mt_input_configured(struct hid_device *hdev, struct hid_input *hi) + { + struct mt_device *td = hid_get_drvdata(hdev); +- char *name; + const char *suffix = NULL; + struct mt_report_data *rdata; + struct mt_application *mt_application = NULL; +@@ -1648,15 +1647,9 @@ static int mt_input_configured(struct hid_device *hdev, struct hid_input *hi) + break; + } + +- if (suffix) { +- name = devm_kzalloc(&hi->input->dev, +- strlen(hdev->name) + strlen(suffix) + 2, +- GFP_KERNEL); +- if (name) { +- sprintf(name, "%s %s", hdev->name, suffix); +- hi->input->name = name; +- } +- } ++ if (suffix) ++ hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL, ++ "%s %s", hdev->name, suffix); + + return 0; + } +-- +2.40.1 + diff --git a/queue-5.15/hwmon-tmp513-fix-the-channel-number-in-tmp51x_is_vis.patch b/queue-5.15/hwmon-tmp513-fix-the-channel-number-in-tmp51x_is_vis.patch new file mode 100644 index 00000000000..83b785b380a --- /dev/null +++ b/queue-5.15/hwmon-tmp513-fix-the-channel-number-in-tmp51x_is_vis.patch @@ -0,0 +1,39 @@ +From 5f26e8b78f28e6c8f4d0f97986e0df6707b8a694 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Aug 2023 21:44:54 +0100 +Subject: hwmon: (tmp513) Fix the channel number in tmp51x_is_visible() + +From: Biju Das + +[ Upstream commit d103337e38e7e64c3d915029e947b1cb0b512737 ] + +The supported channels for this driver are {0..3}. Fix the incorrect +channel in tmp51x_is_visible(). + +Reported-by: Guenter Roeck +Closes: https://lore.kernel.org/all/ea0eccc0-a29f-41e4-9049-a1a13f8b16f1@roeck-us.net/ +Fixes: 59dfa75e5d82 ("hwmon: Add driver for Texas Instruments TMP512/513 sensor chips.") +Signed-off-by: Biju Das +Link: https://lore.kernel.org/r/20230824204456.401580-2-biju.das.jz@bp.renesas.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/tmp513.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/tmp513.c b/drivers/hwmon/tmp513.c +index 7d5f7441aceb1..b9a93ee9c2364 100644 +--- a/drivers/hwmon/tmp513.c ++++ b/drivers/hwmon/tmp513.c +@@ -434,7 +434,7 @@ static umode_t tmp51x_is_visible(const void *_data, + + switch (type) { + case hwmon_temp: +- if (data->id == tmp512 && channel == 4) ++ if (data->id == tmp512 && channel == 3) + return 0; + switch (attr) { + case hwmon_temp_input: +-- +2.40.1 + diff --git a/queue-5.15/hwrng-iproc-rng200-implement-suspend-and-resume-call.patch b/queue-5.15/hwrng-iproc-rng200-implement-suspend-and-resume-call.patch new file mode 100644 index 00000000000..617aec8387c --- /dev/null +++ b/queue-5.15/hwrng-iproc-rng200-implement-suspend-and-resume-call.patch @@ -0,0 +1,75 @@ +From 2bdd299c443eb845c0309f1b10aabda6c81c2723 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 12:22:08 -0700 +Subject: hwrng: iproc-rng200 - Implement suspend and resume calls + +From: Florian Fainelli + +[ Upstream commit 8e03dd62e5be811efbf0cbeba47e79e793519105 ] + +Chips such as BCM7278 support system wide suspend/resume which will +cause the HWRNG block to lose its state and reset to its power on reset +register values. We need to cleanup and re-initialize the HWRNG for it +to be functional coming out of a system suspend cycle. + +Fixes: c3577f6100ca ("hwrng: iproc-rng200 - Add support for BCM7278") +Signed-off-by: Florian Fainelli +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/iproc-rng200.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/drivers/char/hw_random/iproc-rng200.c b/drivers/char/hw_random/iproc-rng200.c +index a43743887db19..9142a63b92b30 100644 +--- a/drivers/char/hw_random/iproc-rng200.c ++++ b/drivers/char/hw_random/iproc-rng200.c +@@ -189,6 +189,8 @@ static int iproc_rng200_probe(struct platform_device *pdev) + return PTR_ERR(priv->base); + } + ++ dev_set_drvdata(dev, priv); ++ + priv->rng.name = "iproc-rng200"; + priv->rng.read = iproc_rng200_read; + priv->rng.init = iproc_rng200_init; +@@ -206,6 +208,28 @@ static int iproc_rng200_probe(struct platform_device *pdev) + return 0; + } + ++static int __maybe_unused iproc_rng200_suspend(struct device *dev) ++{ ++ struct iproc_rng200_dev *priv = dev_get_drvdata(dev); ++ ++ iproc_rng200_cleanup(&priv->rng); ++ ++ return 0; ++} ++ ++static int __maybe_unused iproc_rng200_resume(struct device *dev) ++{ ++ struct iproc_rng200_dev *priv = dev_get_drvdata(dev); ++ ++ iproc_rng200_init(&priv->rng); ++ ++ return 0; ++} ++ ++static const struct dev_pm_ops iproc_rng200_pm_ops = { ++ SET_SYSTEM_SLEEP_PM_OPS(iproc_rng200_suspend, iproc_rng200_resume) ++}; ++ + static const struct of_device_id iproc_rng200_of_match[] = { + { .compatible = "brcm,bcm2711-rng200", }, + { .compatible = "brcm,bcm7211-rng200", }, +@@ -219,6 +243,7 @@ static struct platform_driver iproc_rng200_driver = { + .driver = { + .name = "iproc-rng200", + .of_match_table = iproc_rng200_of_match, ++ .pm = &iproc_rng200_pm_ops, + }, + .probe = iproc_rng200_probe, + }; +-- +2.40.1 + diff --git a/queue-5.15/hwrng-nomadik-keep-clock-enabled-while-hwrng-is-regi.patch b/queue-5.15/hwrng-nomadik-keep-clock-enabled-while-hwrng-is-regi.patch new file mode 100644 index 00000000000..aa2bbd22a0e --- /dev/null +++ b/queue-5.15/hwrng-nomadik-keep-clock-enabled-while-hwrng-is-regi.patch @@ -0,0 +1,86 @@ +From 5d5f2062573a5bb00f7b5eeff17391d2b35f50fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Jul 2023 19:35:02 +0200 +Subject: hwrng: nomadik - keep clock enabled while hwrng is registered + +From: Martin Kaiser + +[ Upstream commit 039980de89dc9dd757418d6f296e4126cc3f86c3 ] + +The nomadik driver uses devres to register itself with the hwrng core, +the driver will be unregistered from hwrng when its device goes out of +scope. This happens after the driver's remove function is called. + +However, nomadik's clock is disabled in the remove function. There's a +short timeframe where nomadik is still registered with the hwrng core +although its clock is disabled. I suppose the clock must be active to +access the hardware and serve requests from the hwrng core. + +Switch to devm_clk_get_enabled and let devres disable the clock and +unregister the hwrng. This avoids the race condition. + +Fixes: 3e75241be808 ("hwrng: drivers - Use device-managed registration API") +Signed-off-by: Martin Kaiser +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/nomadik-rng.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/drivers/char/hw_random/nomadik-rng.c b/drivers/char/hw_random/nomadik-rng.c +index e8f9621e79541..3774adf903a83 100644 +--- a/drivers/char/hw_random/nomadik-rng.c ++++ b/drivers/char/hw_random/nomadik-rng.c +@@ -13,8 +13,6 @@ + #include + #include + +-static struct clk *rng_clk; +- + static int nmk_rng_read(struct hwrng *rng, void *data, size_t max, bool wait) + { + void __iomem *base = (void __iomem *)rng->priv; +@@ -36,21 +34,20 @@ static struct hwrng nmk_rng = { + + static int nmk_rng_probe(struct amba_device *dev, const struct amba_id *id) + { ++ struct clk *rng_clk; + void __iomem *base; + int ret; + +- rng_clk = devm_clk_get(&dev->dev, NULL); ++ rng_clk = devm_clk_get_enabled(&dev->dev, NULL); + if (IS_ERR(rng_clk)) { + dev_err(&dev->dev, "could not get rng clock\n"); + ret = PTR_ERR(rng_clk); + return ret; + } + +- clk_prepare_enable(rng_clk); +- + ret = amba_request_regions(dev, dev->dev.init_name); + if (ret) +- goto out_clk; ++ return ret; + ret = -ENOMEM; + base = devm_ioremap(&dev->dev, dev->res.start, + resource_size(&dev->res)); +@@ -64,15 +61,12 @@ static int nmk_rng_probe(struct amba_device *dev, const struct amba_id *id) + + out_release: + amba_release_regions(dev); +-out_clk: +- clk_disable_unprepare(rng_clk); + return ret; + } + + static void nmk_rng_remove(struct amba_device *dev) + { + amba_release_regions(dev); +- clk_disable_unprepare(rng_clk); + } + + static const struct amba_id nmk_rng_ids[] = { +-- +2.40.1 + diff --git a/queue-5.15/hwrng-pic32-use-devm_clk_get_enabled.patch b/queue-5.15/hwrng-pic32-use-devm_clk_get_enabled.patch new file mode 100644 index 00000000000..f5fff765153 --- /dev/null +++ b/queue-5.15/hwrng-pic32-use-devm_clk_get_enabled.patch @@ -0,0 +1,85 @@ +From 7f5d4e4dbf92af087643d47b1cc3c8e9285a6d71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jul 2023 19:32:01 +0200 +Subject: hwrng: pic32 - use devm_clk_get_enabled + +From: Martin Kaiser + +[ Upstream commit 6755ad74aac0fb1c79b14724feb81b2f6ff25847 ] + +Use devm_clk_get_enabled in the pic32 driver. Ensure that the clock is +enabled as long as the driver is registered with the hwrng core. + +Fixes: 7ea39973d1e5 ("hwrng: pic32 - Use device-managed registration API") +Signed-off-by: Martin Kaiser +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/pic32-rng.c | 19 +++++-------------- + 1 file changed, 5 insertions(+), 14 deletions(-) + +diff --git a/drivers/char/hw_random/pic32-rng.c b/drivers/char/hw_random/pic32-rng.c +index 99c8bd0859a14..e04a054e89307 100644 +--- a/drivers/char/hw_random/pic32-rng.c ++++ b/drivers/char/hw_random/pic32-rng.c +@@ -36,7 +36,6 @@ + struct pic32_rng { + void __iomem *base; + struct hwrng rng; +- struct clk *clk; + }; + + /* +@@ -70,6 +69,7 @@ static int pic32_rng_read(struct hwrng *rng, void *buf, size_t max, + static int pic32_rng_probe(struct platform_device *pdev) + { + struct pic32_rng *priv; ++ struct clk *clk; + u32 v; + int ret; + +@@ -81,13 +81,9 @@ static int pic32_rng_probe(struct platform_device *pdev) + if (IS_ERR(priv->base)) + return PTR_ERR(priv->base); + +- priv->clk = devm_clk_get(&pdev->dev, NULL); +- if (IS_ERR(priv->clk)) +- return PTR_ERR(priv->clk); +- +- ret = clk_prepare_enable(priv->clk); +- if (ret) +- return ret; ++ clk = devm_clk_get_enabled(&pdev->dev, NULL); ++ if (IS_ERR(clk)) ++ return PTR_ERR(clk); + + /* enable TRNG in enhanced mode */ + v = TRNGEN | TRNGMOD; +@@ -98,15 +94,11 @@ static int pic32_rng_probe(struct platform_device *pdev) + + ret = devm_hwrng_register(&pdev->dev, &priv->rng); + if (ret) +- goto err_register; ++ return ret; + + platform_set_drvdata(pdev, priv); + + return 0; +- +-err_register: +- clk_disable_unprepare(priv->clk); +- return ret; + } + + static int pic32_rng_remove(struct platform_device *pdev) +@@ -114,7 +106,6 @@ static int pic32_rng_remove(struct platform_device *pdev) + struct pic32_rng *rng = platform_get_drvdata(pdev); + + writel(0, rng->base + RNGCON); +- clk_disable_unprepare(rng->clk); + return 0; + } + +-- +2.40.1 + diff --git a/queue-5.15/ib-uverbs-fix-an-potential-error-pointer-dereference.patch b/queue-5.15/ib-uverbs-fix-an-potential-error-pointer-dereference.patch new file mode 100644 index 00000000000..8fa331db4eb --- /dev/null +++ b/queue-5.15/ib-uverbs-fix-an-potential-error-pointer-dereference.patch @@ -0,0 +1,42 @@ +From 4a13a45e4dc22b4a322291661ab9dd33aea43ec4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 10:25:25 +0800 +Subject: IB/uverbs: Fix an potential error pointer dereference + +From: Xiang Yang + +[ Upstream commit 26b7d1a27167e7adf75b150755e05d2bc123ce55 ] + +smatch reports the warning below: +drivers/infiniband/core/uverbs_std_types_counters.c:110 +ib_uverbs_handler_UVERBS_METHOD_COUNTERS_READ() error: 'uattr' +dereferencing possible ERR_PTR() + +The return value of uattr maybe ERR_PTR(-ENOENT), fix this by checking +the value of uattr before using it. + +Fixes: ebb6796bd397 ("IB/uverbs: Add read counters support") +Signed-off-by: Xiang Yang +Link: https://lore.kernel.org/r/20230804022525.1916766-1-xiangyang3@huawei.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/uverbs_std_types_counters.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/core/uverbs_std_types_counters.c b/drivers/infiniband/core/uverbs_std_types_counters.c +index 999da9c798668..381aa57976417 100644 +--- a/drivers/infiniband/core/uverbs_std_types_counters.c ++++ b/drivers/infiniband/core/uverbs_std_types_counters.c +@@ -107,6 +107,8 @@ static int UVERBS_HANDLER(UVERBS_METHOD_COUNTERS_READ)( + return ret; + + uattr = uverbs_attr_get(attrs, UVERBS_ATTR_READ_COUNTERS_BUFF); ++ if (IS_ERR(uattr)) ++ return PTR_ERR(uattr); + read_attr.ncounters = uattr->ptr_attr.len / sizeof(u64); + read_attr.counters_buff = uverbs_zalloc( + attrs, array_size(read_attr.ncounters, sizeof(u64))); +-- +2.40.1 + diff --git a/queue-5.15/ice-ice_aq_check_events-fix-off-by-one-check-when-fi.patch b/queue-5.15/ice-ice_aq_check_events-fix-off-by-one-check-when-fi.patch new file mode 100644 index 00000000000..00c4fe53ee8 --- /dev/null +++ b/queue-5.15/ice-ice_aq_check_events-fix-off-by-one-check-when-fi.patch @@ -0,0 +1,60 @@ +From 0f0318a9cf090836ff595e50653ebc4ca84d761f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Aug 2023 17:54:15 -0400 +Subject: ice: ice_aq_check_events: fix off-by-one check when filling buffer + +From: Przemek Kitszel + +[ Upstream commit e1e8a142c43336e3d25bfa1cb3a4ae7d00875c48 ] + +Allow task's event buffer to be filled also in the case that it's size +is exactly the size of the message. + +Fixes: d69ea414c9b4 ("ice: implement device flash update via devlink") +Reviewed-by: Jacob Keller +Signed-off-by: Przemek Kitszel +Reviewed-by: Simon Horman +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index a18fa054b4fae..deba18cdc5ef7 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -1177,6 +1177,7 @@ int ice_aq_wait_for_event(struct ice_pf *pf, u16 opcode, unsigned long timeout, + static void ice_aq_check_events(struct ice_pf *pf, u16 opcode, + struct ice_rq_event_info *event) + { ++ struct ice_rq_event_info *task_ev; + struct ice_aq_task *task; + bool found = false; + +@@ -1185,15 +1186,15 @@ static void ice_aq_check_events(struct ice_pf *pf, u16 opcode, + if (task->state || task->opcode != opcode) + continue; + +- memcpy(&task->event->desc, &event->desc, sizeof(event->desc)); +- task->event->msg_len = event->msg_len; ++ task_ev = task->event; ++ memcpy(&task_ev->desc, &event->desc, sizeof(event->desc)); ++ task_ev->msg_len = event->msg_len; + + /* Only copy the data buffer if a destination was set */ +- if (task->event->msg_buf && +- task->event->buf_len > event->buf_len) { +- memcpy(task->event->msg_buf, event->msg_buf, ++ if (task_ev->msg_buf && task_ev->buf_len >= event->buf_len) { ++ memcpy(task_ev->msg_buf, event->msg_buf, + event->buf_len); +- task->event->buf_len = event->buf_len; ++ task_ev->buf_len = event->buf_len; + } + + task->state = ICE_AQ_TASK_COMPLETE; +-- +2.40.1 + diff --git a/queue-5.15/ima-remove-deprecated-ima_trusted_keyring-kconfig.patch b/queue-5.15/ima-remove-deprecated-ima_trusted_keyring-kconfig.patch new file mode 100644 index 00000000000..de1b54edb7e --- /dev/null +++ b/queue-5.15/ima-remove-deprecated-ima_trusted_keyring-kconfig.patch @@ -0,0 +1,45 @@ +From 5858da46578ca42aba291f8e5dd76af88ad9b286 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jul 2023 12:44:47 -0400 +Subject: ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig + +From: Nayna Jain + +[ Upstream commit 5087fd9e80e539d2163accd045b73da64de7de95 ] + +Time to remove "IMA_TRUSTED_KEYRING". + +Fixes: f4dc37785e9b ("integrity: define '.evm' as a builtin 'trusted' keyring") # v4.5+ +Signed-off-by: Nayna Jain +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/Kconfig | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig +index 5d2c8990d1ac5..7bc416c172119 100644 +--- a/security/integrity/ima/Kconfig ++++ b/security/integrity/ima/Kconfig +@@ -248,18 +248,6 @@ config IMA_APPRAISE_MODSIG + The modsig keyword can be used in the IMA policy to allow a hook + to accept such signatures. + +-config IMA_TRUSTED_KEYRING +- bool "Require all keys on the .ima keyring be signed (deprecated)" +- depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING +- depends on INTEGRITY_ASYMMETRIC_KEYS +- select INTEGRITY_TRUSTED_KEYRING +- default y +- help +- This option requires that all keys added to the .ima +- keyring be signed by a key on the system trusted keyring. +- +- This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING +- + config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY + bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)" + depends on SYSTEM_TRUSTED_KEYRING +-- +2.40.1 + diff --git a/queue-5.15/io_uring-fix-drain-stalls-by-invalid-sqe.patch b/queue-5.15/io_uring-fix-drain-stalls-by-invalid-sqe.patch new file mode 100644 index 00000000000..39b3b3cfdaa --- /dev/null +++ b/queue-5.15/io_uring-fix-drain-stalls-by-invalid-sqe.patch @@ -0,0 +1,41 @@ +From 5151d88480b9b33dd194ec309b83d4bbcf3bf656 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Aug 2023 13:21:41 +0100 +Subject: io_uring: fix drain stalls by invalid SQE + +From: Pavel Begunkov + +[ Upstream commit cfdbaa3a291d6fd2cb4a1a70d74e63b4abc2f5ec ] + +cq_extra is protected by ->completion_lock, which io_get_sqe() misses. +The bug is harmless as it doesn't happen in real life, requires invalid +SQ index array and racing with submission, and only messes up the +userspace, i.e. stall requests execution but will be cleaned up on +ring destruction. + +Fixes: 15641e427070f ("io_uring: don't cache number of dropped SQEs") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/66096d54651b1a60534bb2023f2947f09f50ef73.1691538547.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/io_uring.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c +index 7c98a820c8dd0..e4de493bcff43 100644 +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -7531,7 +7531,9 @@ static const struct io_uring_sqe *io_get_sqe(struct io_ring_ctx *ctx) + return &ctx->sq_sqes[head]; + + /* drop invalid entries */ ++ spin_lock(&ctx->completion_lock); + ctx->cq_extra--; ++ spin_unlock(&ctx->completion_lock); + WRITE_ONCE(ctx->rings->sq_dropped, + READ_ONCE(ctx->rings->sq_dropped) + 1); + return NULL; +-- +2.40.1 + diff --git a/queue-5.15/iommu-amd-iommu_v2-fix-pasid_state-refcount-dec-hit-.patch b/queue-5.15/iommu-amd-iommu_v2-fix-pasid_state-refcount-dec-hit-.patch new file mode 100644 index 00000000000..626613d4532 --- /dev/null +++ b/queue-5.15/iommu-amd-iommu_v2-fix-pasid_state-refcount-dec-hit-.patch @@ -0,0 +1,54 @@ +From 9b6c606e1074c3b2b25f96669042965cbd5e7268 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jun 2023 10:51:45 +0000 +Subject: iommu/amd/iommu_v2: Fix pasid_state refcount dec hit 0 warning on + pasid unbind + +From: Daniel Marcovitch + +[ Upstream commit 534103bcd52ca9c1fecbc70e717b4a538dc4ded8 ] + +When unbinding pasid - a race condition exists vs outstanding page faults. + +To prevent this, the pasid_state object contains a refcount. + * set to 1 on pasid bind + * incremented on each ppr notification start + * decremented on each ppr notification done + * decremented on pasid unbind + +Since refcount_dec assumes that refcount will never reach 0: + the current implementation causes the following to be invoked on + pasid unbind: + REFCOUNT_WARN("decrement hit 0; leaking memory") + +Fix this issue by changing refcount_dec to refcount_dec_and_test +to explicitly handle refcount=1. + +Fixes: 8bc54824da4e ("iommu/amd: Convert from atomic_t to refcount_t on pasid_state->count") +Signed-off-by: Daniel Marcovitch +Signed-off-by: Vasant Hegde +Link: https://lore.kernel.org/r/20230609105146.7773-2-vasant.hegde@amd.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/iommu_v2.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/iommu/amd/iommu_v2.c b/drivers/iommu/amd/iommu_v2.c +index c96cf9b217197..29a3a62b7a3ac 100644 +--- a/drivers/iommu/amd/iommu_v2.c ++++ b/drivers/iommu/amd/iommu_v2.c +@@ -264,8 +264,8 @@ static void put_pasid_state(struct pasid_state *pasid_state) + + static void put_pasid_state_wait(struct pasid_state *pasid_state) + { +- refcount_dec(&pasid_state->count); +- wait_event(pasid_state->wq, !refcount_read(&pasid_state->count)); ++ if (!refcount_dec_and_test(&pasid_state->count)) ++ wait_event(pasid_state->wq, !refcount_read(&pasid_state->count)); + free_pasid_state(pasid_state); + } + +-- +2.40.1 + diff --git a/queue-5.15/iommu-qcom-disable-and-reset-context-bank-before-pro.patch b/queue-5.15/iommu-qcom-disable-and-reset-context-bank-before-pro.patch new file mode 100644 index 00000000000..88d70cc7ae0 --- /dev/null +++ b/queue-5.15/iommu-qcom-disable-and-reset-context-bank-before-pro.patch @@ -0,0 +1,47 @@ +From 2f5b1abcd1edbd28b6b748cb79137843ae34787b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jun 2023 11:27:39 +0200 +Subject: iommu/qcom: Disable and reset context bank before programming + +From: AngeloGioacchino Del Regno + +[ Upstream commit 9f3fef23d9b5a858a6e6d5f478bb1b6b76265e76 ] + +Writing the new TTBRs, TCRs and MAIRs on a previously enabled +context bank may trigger a context fault, resulting in firmware +driven AP resets: change the domain initialization programming +sequence to disable the context bank(s) and to also clear the +related fault address (CB_FAR) and fault status (CB_FSR) +registers before writing new values to TTBR0/1, TCR/TCR2, MAIR0/1. + +Fixes: 0ae349a0f33f ("iommu/qcom: Add qcom_iommu") +Signed-off-by: AngeloGioacchino Del Regno +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230622092742.74819-4-angelogioacchino.delregno@collabora.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm/arm-smmu/qcom_iommu.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/iommu/arm/arm-smmu/qcom_iommu.c b/drivers/iommu/arm/arm-smmu/qcom_iommu.c +index a47cb654b7048..9438203f08de7 100644 +--- a/drivers/iommu/arm/arm-smmu/qcom_iommu.c ++++ b/drivers/iommu/arm/arm-smmu/qcom_iommu.c +@@ -273,6 +273,13 @@ static int qcom_iommu_init_domain(struct iommu_domain *domain, + ctx->secure_init = true; + } + ++ /* Disable context bank before programming */ ++ iommu_writel(ctx, ARM_SMMU_CB_SCTLR, 0); ++ ++ /* Clear context bank fault address fault status registers */ ++ iommu_writel(ctx, ARM_SMMU_CB_FAR, 0); ++ iommu_writel(ctx, ARM_SMMU_CB_FSR, ARM_SMMU_FSR_FAULT); ++ + /* TTBRs */ + iommu_writeq(ctx, ARM_SMMU_CB_TTBR0, + pgtbl_cfg.arm_lpae_s1_cfg.ttbr | +-- +2.40.1 + diff --git a/queue-5.15/iommu-rockchip-fix-directory-table-address-encoding.patch b/queue-5.15/iommu-rockchip-fix-directory-table-address-encoding.patch new file mode 100644 index 00000000000..96791c6e953 --- /dev/null +++ b/queue-5.15/iommu-rockchip-fix-directory-table-address-encoding.patch @@ -0,0 +1,156 @@ +From a6bdbbd1e367ce5bfd4926f050f960bf974aa3c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jun 2023 18:25:45 +0000 +Subject: iommu: rockchip: Fix directory table address encoding + +From: Jonas Karlman + +[ Upstream commit 6df63b7ebdaf5fcd75dceedf6967d0761e56eca1 ] + +The physical address to the directory table is currently encoded using +the following bit layout for IOMMU v2. + + 31:12 - Address bit 31:0 + 11: 4 - Address bit 39:32 + +This is also the bit layout used by the vendor kernel. + +However, testing has shown that addresses to the directory/page tables +and memory pages are all encoded using the same bit layout. + +IOMMU v1: + 31:12 - Address bit 31:0 + +IOMMU v2: + 31:12 - Address bit 31:0 + 11: 8 - Address bit 35:32 + 7: 4 - Address bit 39:36 + +Change to use the mk_dtentries ops to encode the directory table address +correctly. The value written to DTE_ADDR may include the valid bit set, +a bit that is ignored and DTE_ADDR reg read it back as 0. + +This also update the bit layout comment for the page address and the +number of nybbles that are read back for DTE_ADDR comment. + +These changes render the dte_addr_phys and dma_addr_dte ops unused and +is removed. + +Fixes: 227014b33f62 ("iommu: rockchip: Add internal ops to handle variants") +Fixes: c55356c534aa ("iommu: rockchip: Add support for iommu v2") +Fixes: c987b65a574f ("iommu/rockchip: Fix physical address decoding") +Signed-off-by: Jonas Karlman +Reviewed-by: Robin Murphy +Link: https://lore.kernel.org/r/20230617182540.3091374-2-jonas@kwiboo.se +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/rockchip-iommu.c | 43 ++++------------------------------ + 1 file changed, 5 insertions(+), 38 deletions(-) + +diff --git a/drivers/iommu/rockchip-iommu.c b/drivers/iommu/rockchip-iommu.c +index e3557f8dc44ea..f9f6492c430df 100644 +--- a/drivers/iommu/rockchip-iommu.c ++++ b/drivers/iommu/rockchip-iommu.c +@@ -98,8 +98,6 @@ struct rk_iommu_ops { + phys_addr_t (*pt_address)(u32 dte); + u32 (*mk_dtentries)(dma_addr_t pt_dma); + u32 (*mk_ptentries)(phys_addr_t page, int prot); +- phys_addr_t (*dte_addr_phys)(u32 addr); +- u32 (*dma_addr_dte)(dma_addr_t dt_dma); + u64 dma_bit_mask; + }; + +@@ -277,8 +275,8 @@ static u32 rk_mk_pte(phys_addr_t page, int prot) + /* + * In v2: + * 31:12 - Page address bit 31:0 +- * 11:9 - Page address bit 34:32 +- * 8:4 - Page address bit 39:35 ++ * 11: 8 - Page address bit 35:32 ++ * 7: 4 - Page address bit 39:36 + * 3 - Security + * 2 - Writable + * 1 - Readable +@@ -505,7 +503,7 @@ static int rk_iommu_force_reset(struct rk_iommu *iommu) + + /* + * Check if register DTE_ADDR is working by writing DTE_ADDR_DUMMY +- * and verifying that upper 5 nybbles are read back. ++ * and verifying that upper 5 (v1) or 7 (v2) nybbles are read back. + */ + for (i = 0; i < iommu->num_mmu; i++) { + dte_addr = rk_ops->pt_address(DTE_ADDR_DUMMY); +@@ -530,33 +528,6 @@ static int rk_iommu_force_reset(struct rk_iommu *iommu) + return 0; + } + +-static inline phys_addr_t rk_dte_addr_phys(u32 addr) +-{ +- return (phys_addr_t)addr; +-} +- +-static inline u32 rk_dma_addr_dte(dma_addr_t dt_dma) +-{ +- return dt_dma; +-} +- +-#define DT_HI_MASK GENMASK_ULL(39, 32) +-#define DTE_BASE_HI_MASK GENMASK(11, 4) +-#define DT_SHIFT 28 +- +-static inline phys_addr_t rk_dte_addr_phys_v2(u32 addr) +-{ +- u64 addr64 = addr; +- return (phys_addr_t)(addr64 & RK_DTE_PT_ADDRESS_MASK) | +- ((addr64 & DTE_BASE_HI_MASK) << DT_SHIFT); +-} +- +-static inline u32 rk_dma_addr_dte_v2(dma_addr_t dt_dma) +-{ +- return (dt_dma & RK_DTE_PT_ADDRESS_MASK) | +- ((dt_dma & DT_HI_MASK) >> DT_SHIFT); +-} +- + static void log_iova(struct rk_iommu *iommu, int index, dma_addr_t iova) + { + void __iomem *base = iommu->bases[index]; +@@ -576,7 +547,7 @@ static void log_iova(struct rk_iommu *iommu, int index, dma_addr_t iova) + page_offset = rk_iova_page_offset(iova); + + mmu_dte_addr = rk_iommu_read(base, RK_MMU_DTE_ADDR); +- mmu_dte_addr_phys = rk_ops->dte_addr_phys(mmu_dte_addr); ++ mmu_dte_addr_phys = rk_ops->pt_address(mmu_dte_addr); + + dte_addr_phys = mmu_dte_addr_phys + (4 * dte_index); + dte_addr = phys_to_virt(dte_addr_phys); +@@ -966,7 +937,7 @@ static int rk_iommu_enable(struct rk_iommu *iommu) + + for (i = 0; i < iommu->num_mmu; i++) { + rk_iommu_write(iommu->bases[i], RK_MMU_DTE_ADDR, +- rk_ops->dma_addr_dte(rk_domain->dt_dma)); ++ rk_ops->mk_dtentries(rk_domain->dt_dma)); + rk_iommu_base_command(iommu->bases[i], RK_MMU_CMD_ZAP_CACHE); + rk_iommu_write(iommu->bases[i], RK_MMU_INT_MASK, RK_MMU_IRQ_MASK); + } +@@ -1373,8 +1344,6 @@ static struct rk_iommu_ops iommu_data_ops_v1 = { + .pt_address = &rk_dte_pt_address, + .mk_dtentries = &rk_mk_dte, + .mk_ptentries = &rk_mk_pte, +- .dte_addr_phys = &rk_dte_addr_phys, +- .dma_addr_dte = &rk_dma_addr_dte, + .dma_bit_mask = DMA_BIT_MASK(32), + }; + +@@ -1382,8 +1351,6 @@ static struct rk_iommu_ops iommu_data_ops_v2 = { + .pt_address = &rk_dte_pt_address_v2, + .mk_dtentries = &rk_mk_dte_v2, + .mk_ptentries = &rk_mk_pte_v2, +- .dte_addr_phys = &rk_dte_addr_phys_v2, +- .dma_addr_dte = &rk_dma_addr_dte_v2, + .dma_bit_mask = DMA_BIT_MASK(40), + }; + +-- +2.40.1 + diff --git a/queue-5.15/iommu-sprd-add-missing-force_aperture.patch b/queue-5.15/iommu-sprd-add-missing-force_aperture.patch new file mode 100644 index 00000000000..87e3669488d --- /dev/null +++ b/queue-5.15/iommu-sprd-add-missing-force_aperture.patch @@ -0,0 +1,37 @@ +From 2db7d72de3aa6db898507221e6c8f06467c3cc92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jul 2023 14:36:05 -0300 +Subject: iommu/sprd: Add missing force_aperture + +From: Jason Gunthorpe + +[ Upstream commit d48a51286c698f7fe8efc688f23a532f4fe9a904 ] + +force_aperture was intended to false only by GART drivers that have an +identity translation outside the aperture. This does not describe sprd, so +add the missing 'force_aperture = true'. + +Fixes: b23e4fc4e3fa ("iommu: add Unisoc IOMMU basic driver") +Signed-off-by: Jason Gunthorpe +Acked-by: Chunyan Zhang +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/sprd-iommu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/iommu/sprd-iommu.c b/drivers/iommu/sprd-iommu.c +index 723940e841612..6b11770e3d75a 100644 +--- a/drivers/iommu/sprd-iommu.c ++++ b/drivers/iommu/sprd-iommu.c +@@ -147,6 +147,7 @@ static struct iommu_domain *sprd_iommu_domain_alloc(unsigned int domain_type) + + dom->domain.geometry.aperture_start = 0; + dom->domain.geometry.aperture_end = SZ_256M - 1; ++ dom->domain.geometry.force_aperture = true; + + return &dom->domain; + } +-- +2.40.1 + diff --git a/queue-5.15/iommu-vt-d-fix-to-flush-cache-of-pasid-directory-tab.patch b/queue-5.15/iommu-vt-d-fix-to-flush-cache-of-pasid-directory-tab.patch new file mode 100644 index 00000000000..c0463011472 --- /dev/null +++ b/queue-5.15/iommu-vt-d-fix-to-flush-cache-of-pasid-directory-tab.patch @@ -0,0 +1,44 @@ +From 39f78f4e616c194bcf3c64b3d6ef828f0c782b3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Aug 2023 20:48:04 +0800 +Subject: iommu/vt-d: Fix to flush cache of PASID directory table + +From: Yanfei Xu + +[ Upstream commit 8a3b8e63f8371c1247b7aa24ff9c5312f1a6948b ] + +Even the PCI devices don't support pasid capability, PASID table is +mandatory for a PCI device in scalable mode. However flushing cache +of pasid directory table for these devices are not taken after pasid +table is allocated as the "size" of table is zero. Fix it by +calculating the size by page order. + +Found this when reading the code, no real problem encountered for now. + +Fixes: 194b3348bdbb ("iommu/vt-d: Fix PASID directory pointer coherency") +Suggested-by: Lu Baolu +Signed-off-by: Yanfei Xu +Link: https://lore.kernel.org/r/20230616081045.721873-1-yanfei.xu@intel.com +Signed-off-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel/pasid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/intel/pasid.c b/drivers/iommu/intel/pasid.c +index 6dbc43b414ca3..dc9d665d7365c 100644 +--- a/drivers/iommu/intel/pasid.c ++++ b/drivers/iommu/intel/pasid.c +@@ -187,7 +187,7 @@ int intel_pasid_alloc_table(struct device *dev) + device_attach_pasid_table(info, pasid_table); + + if (!ecap_coherent(info->iommu->ecap)) +- clflush_cache_range(pasid_table->table, size); ++ clflush_cache_range(pasid_table->table, (1 << order) * PAGE_SIZE); + + return 0; + } +-- +2.40.1 + diff --git a/queue-5.15/ipmi-ssif-add-check-for-kstrdup.patch b/queue-5.15/ipmi-ssif-add-check-for-kstrdup.patch new file mode 100644 index 00000000000..1e3f9fb524d --- /dev/null +++ b/queue-5.15/ipmi-ssif-add-check-for-kstrdup.patch @@ -0,0 +1,40 @@ +From 3edbc41217d77fcfbc25c4461586adcbd4a50584 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 17:28:02 +0800 +Subject: ipmi:ssif: Add check for kstrdup + +From: Jiasheng Jiang + +[ Upstream commit c5586d0f711e9744d0cade39b0c4a2d116a333ca ] + +Add check for the return value of kstrdup() and return the error +if it fails in order to avoid NULL pointer dereference. + +Fixes: c4436c9149c5 ("ipmi_ssif: avoid registering duplicate ssif interface") +Signed-off-by: Jiasheng Jiang +Message-Id: <20230619092802.35384-1-jiasheng@iscas.ac.cn> +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_ssif.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c +index a3745fa643f3b..87aa12ab8c66f 100644 +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -1614,6 +1614,11 @@ static int ssif_add_infos(struct i2c_client *client) + info->addr_src = SI_ACPI; + info->client = client; + info->adapter_name = kstrdup(client->adapter->name, GFP_KERNEL); ++ if (!info->adapter_name) { ++ kfree(info); ++ return -ENOMEM; ++ } ++ + info->binfo.addr = client->addr; + list_add_tail(&info->link, &ssif_infos); + return 0; +-- +2.40.1 + diff --git a/queue-5.15/ipmi-ssif-fix-a-memory-leak-when-scanning-for-an-ada.patch b/queue-5.15/ipmi-ssif-fix-a-memory-leak-when-scanning-for-an-ada.patch new file mode 100644 index 00000000000..d895bf8704f --- /dev/null +++ b/queue-5.15/ipmi-ssif-fix-a-memory-leak-when-scanning-for-an-ada.patch @@ -0,0 +1,37 @@ +From bfe5a3a6b857151efde6a20d4bb4d6bc1633ad87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 11:43:33 -0500 +Subject: ipmi:ssif: Fix a memory leak when scanning for an adapter + +From: Corey Minyard + +[ Upstream commit b8d72e32e1453d37ee5c8a219f24e7eeadc471ef ] + +The adapter scan ssif_info_find() sets info->adapter_name if the adapter +info came from SMBIOS, as it's not set in that case. However, this +function can be called more than once, and it will leak the adapter name +if it had already been set. So check for NULL before setting it. + +Fixes: c4436c9149c5 ("ipmi_ssif: avoid registering duplicate ssif interface") +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_ssif.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c +index 87aa12ab8c66f..30f757249c5c0 100644 +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -1414,7 +1414,7 @@ static struct ssif_addr_info *ssif_info_find(unsigned short addr, + restart: + list_for_each_entry(info, &ssif_infos, link) { + if (info->binfo.addr == addr) { +- if (info->addr_src == SI_SMBIOS) ++ if (info->addr_src == SI_SMBIOS && !info->adapter_name) + info->adapter_name = kstrdup(adapter_name, + GFP_KERNEL); + +-- +2.40.1 + diff --git a/queue-5.15/ipv6-add-reasons-for-skb-drops-to-__udp6_lib_rcv.patch b/queue-5.15/ipv6-add-reasons-for-skb-drops-to-__udp6_lib_rcv.patch new file mode 100644 index 00000000000..f794b1b9316 --- /dev/null +++ b/queue-5.15/ipv6-add-reasons-for-skb-drops-to-__udp6_lib_rcv.patch @@ -0,0 +1,73 @@ +From ca80e6dbddb257dc8ba700a753f9f4409c7858f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Feb 2022 09:15:07 -0800 +Subject: ipv6: Add reasons for skb drops to __udp6_lib_rcv + +From: David Ahern + +[ Upstream commit 4cf91f825b2777f81799f98ce32172b829acd1b2 ] + +Add reasons to __udp6_lib_rcv for skb drops. The only twist is that the +NO_SOCKET takes precedence over the CSUM or other counters for that +path (motivation behind this patch - csum counter was misleading). + +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Stable-dep-of: 9c02bec95954 ("bpf, net: Support SO_REUSEPORT sockets with bpf_sk_assign") +Signed-off-by: Sasha Levin +--- + net/ipv6/udp.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 2dab9aab551c3..d5d254ca2dfe6 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -936,6 +936,7 @@ static int udp6_unicast_rcv_skb(struct sock *sk, struct sk_buff *skb, + int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, + int proto) + { ++ enum skb_drop_reason reason = SKB_DROP_REASON_NOT_SPECIFIED; + const struct in6_addr *saddr, *daddr; + struct net *net = dev_net(skb->dev); + struct udphdr *uh; +@@ -1012,6 +1013,8 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, + return udp6_unicast_rcv_skb(sk, skb, uh); + } + ++ reason = SKB_DROP_REASON_NO_SOCKET; ++ + if (!uh->check) + goto report_csum_error; + +@@ -1024,10 +1027,12 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, + __UDP6_INC_STATS(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE); + icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0); + +- kfree_skb(skb); ++ kfree_skb_reason(skb, reason); + return 0; + + short_packet: ++ if (reason == SKB_DROP_REASON_NOT_SPECIFIED) ++ reason = SKB_DROP_REASON_PKT_TOO_SMALL; + net_dbg_ratelimited("UDP%sv6: short packet: From [%pI6c]:%u %d/%d to [%pI6c]:%u\n", + proto == IPPROTO_UDPLITE ? "-Lite" : "", + saddr, ntohs(uh->source), +@@ -1038,10 +1043,12 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, + report_csum_error: + udp6_csum_zero_error(skb); + csum_error: ++ if (reason == SKB_DROP_REASON_NOT_SPECIFIED) ++ reason = SKB_DROP_REASON_UDP_CSUM; + __UDP6_INC_STATS(net, UDP_MIB_CSUMERRORS, proto == IPPROTO_UDPLITE); + discard: + __UDP6_INC_STATS(net, UDP_MIB_INERRORS, proto == IPPROTO_UDPLITE); +- kfree_skb(skb); ++ kfree_skb_reason(skb, reason); + return 0; + } + +-- +2.40.1 + diff --git a/queue-5.15/jfs-validate-max-amount-of-blocks-before-allocation.patch b/queue-5.15/jfs-validate-max-amount-of-blocks-before-allocation.patch new file mode 100644 index 00000000000..f77fe14dcc4 --- /dev/null +++ b/queue-5.15/jfs-validate-max-amount-of-blocks-before-allocation.patch @@ -0,0 +1,42 @@ +From 09d9eadbcb1e840f32a9e60c5b76df2fcdb05958 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Aug 2023 20:32:16 +0300 +Subject: jfs: validate max amount of blocks before allocation. + +From: Alexei Filippov + +[ Upstream commit 0225e10972fa809728b8d4c1bd2772b3ec3fdb57 ] + +The lack of checking bmp->db_max_freebud in extBalloc() can lead to +shift out of bounds, so this patch prevents undefined behavior, because +bmp->db_max_freebud == -1 only if there is no free space. + +Signed-off-by: Aleksei Filippov +Signed-off-by: Dave Kleikamp +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-and-tested-by: syzbot+5f088f29593e6b4c8db8@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?id=01abadbd6ae6a08b1f1987aa61554c6b3ac19ff2 +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_extent.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/jfs/jfs_extent.c b/fs/jfs/jfs_extent.c +index bb4a342a193d4..6420b6749d48f 100644 +--- a/fs/jfs/jfs_extent.c ++++ b/fs/jfs/jfs_extent.c +@@ -508,6 +508,11 @@ extBalloc(struct inode *ip, s64 hint, s64 * nblocks, s64 * blkno) + * blocks in the map. in that case, we'll start off with the + * maximum free. + */ ++ ++ /* give up if no space left */ ++ if (bmp->db_maxfreebud == -1) ++ return -ENOSPC; ++ + max = (s64) 1 << bmp->db_maxfreebud; + if (*nblocks >= max && *nblocks > nbperpage) + nb = nblks = (max > nbperpage) ? max : nbperpage; +-- +2.40.1 + diff --git a/queue-5.15/leds-fix-bug_on-check-for-led_color_id_multi-that-is.patch b/queue-5.15/leds-fix-bug_on-check-for-led_color_id_multi-that-is.patch new file mode 100644 index 00000000000..fc625dffb04 --- /dev/null +++ b/queue-5.15/leds-fix-bug_on-check-for-led_color_id_multi-that-is.patch @@ -0,0 +1,54 @@ +From efafe9913f709b5f6625f52e42cbc43f3725f205 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 17:16:23 +0200 +Subject: leds: Fix BUG_ON check for LED_COLOR_ID_MULTI that is always false +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit c3f853184bed04105682383c2971798c572226b5 ] + +At the time we call + BUG_ON(props.color == LED_COLOR_ID_MULTI); +the props variable is still initialized to zero. + +Call the BUG_ON only after we parse fwnode into props. + +Fixes: 77dce3a22e89 ("leds: disallow /sys/class/leds/*:multi:* for now") +Signed-off-by: Marek Behún +Link: https://lore.kernel.org/r/20230801151623.30387-1-kabel@kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/led-core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/leds/led-core.c b/drivers/leds/led-core.c +index 4a97cb7457888..aad8bc44459fe 100644 +--- a/drivers/leds/led-core.c ++++ b/drivers/leds/led-core.c +@@ -419,15 +419,15 @@ int led_compose_name(struct device *dev, struct led_init_data *init_data, + struct fwnode_handle *fwnode = init_data->fwnode; + const char *devicename = init_data->devicename; + +- /* We want to label LEDs that can produce full range of colors +- * as RGB, not multicolor */ +- BUG_ON(props.color == LED_COLOR_ID_MULTI); +- + if (!led_classdev_name) + return -EINVAL; + + led_parse_fwnode_props(dev, fwnode, &props); + ++ /* We want to label LEDs that can produce full range of colors ++ * as RGB, not multicolor */ ++ BUG_ON(props.color == LED_COLOR_ID_MULTI); ++ + if (props.label) { + /* + * If init_data.devicename is NULL, then it indicates that +-- +2.40.1 + diff --git a/queue-5.15/leds-multicolor-use-rounded-division-when-calculatin.patch b/queue-5.15/leds-multicolor-use-rounded-division-when-calculatin.patch new file mode 100644 index 00000000000..de0e258f73b --- /dev/null +++ b/queue-5.15/leds-multicolor-use-rounded-division-when-calculatin.patch @@ -0,0 +1,68 @@ +From bf8886bb44aa1a6d0158aaf58afeb0e9c7535c1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 14:49:31 +0200 +Subject: leds: multicolor: Use rounded division when calculating color + components +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit 065d099f1be58187e6629273c50b948a02b7e1bf ] + +Given channel intensity, LED brightness and max LED brightness, the +multicolor LED framework helper led_mc_calc_color_components() computes +the color channel brightness as + + chan_brightness = brightness * chan_intensity / max_brightness + +Consider the situation when (brightness, intensity, max_brightness) is +for example (16, 15, 255), then chan_brightness is computed to 0 +although the fractional divison would give 0.94, which should be rounded +to 1. + +Use DIV_ROUND_CLOSEST here for the division to give more realistic +component computation: + + chan_brightness = DIV_ROUND_CLOSEST(brightness * chan_intensity, + max_brightness) + +Fixes: 55d5d3b46b08 ("leds: multicolor: Introduce a multicolor class definition") +Signed-off-by: Marek Behún +Link: https://lore.kernel.org/r/20230801124931.8661-1-kabel@kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/led-class-multicolor.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/leds/led-class-multicolor.c b/drivers/leds/led-class-multicolor.c +index e317408583df9..ec62a48116135 100644 +--- a/drivers/leds/led-class-multicolor.c ++++ b/drivers/leds/led-class-multicolor.c +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -19,9 +20,10 @@ int led_mc_calc_color_components(struct led_classdev_mc *mcled_cdev, + int i; + + for (i = 0; i < mcled_cdev->num_colors; i++) +- mcled_cdev->subled_info[i].brightness = brightness * +- mcled_cdev->subled_info[i].intensity / +- led_cdev->max_brightness; ++ mcled_cdev->subled_info[i].brightness = ++ DIV_ROUND_CLOSEST(brightness * ++ mcled_cdev->subled_info[i].intensity, ++ led_cdev->max_brightness); + + return 0; + } +-- +2.40.1 + diff --git a/queue-5.15/leds-pwm-fix-error-code-in-led_pwm_create_fwnode.patch b/queue-5.15/leds-pwm-fix-error-code-in-led_pwm_create_fwnode.patch new file mode 100644 index 00000000000..64a89125371 --- /dev/null +++ b/queue-5.15/leds-pwm-fix-error-code-in-led_pwm_create_fwnode.patch @@ -0,0 +1,37 @@ +From b86a0593cac1f64c010ff89111086ace60d80a3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jul 2023 09:13:34 +0300 +Subject: leds: pwm: Fix error code in led_pwm_create_fwnode() + +From: Dan Carpenter + +[ Upstream commit cadb2de2a7fd9e955381307de3eddfcc386c208e ] + +Negative -EINVAL was intended, not positive EINVAL. Fix it. + +Fixes: 95138e01275e ("leds: pwm: Make error handling more robust") +Signed-off-by: Dan Carpenter +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/a33b981a-b2c4-4dc2-b00a-626a090d2f11@moroto.mountain +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-pwm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/leds/leds-pwm.c b/drivers/leds/leds-pwm.c +index 6832180c1c54f..cc892ecd52408 100644 +--- a/drivers/leds/leds-pwm.c ++++ b/drivers/leds/leds-pwm.c +@@ -146,7 +146,7 @@ static int led_pwm_create_fwnode(struct device *dev, struct led_pwm_priv *priv) + led.name = to_of_node(fwnode)->name; + + if (!led.name) { +- ret = EINVAL; ++ ret = -EINVAL; + goto err_child_out; + } + +-- +2.40.1 + diff --git a/queue-5.15/leds-trigger-tty-do-not-use-led_on-off-constants-use.patch b/queue-5.15/leds-trigger-tty-do-not-use-led_on-off-constants-use.patch new file mode 100644 index 00000000000..8888c6939c1 --- /dev/null +++ b/queue-5.15/leds-trigger-tty-do-not-use-led_on-off-constants-use.patch @@ -0,0 +1,78 @@ +From 7e6501ff8ba41999445a0af370a2317e5198e160 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 11:07:53 +0200 +Subject: leds: trigger: tty: Do not use LED_ON/OFF constants, use + led_blink_set_oneshot instead +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit 730094577e0c37e1bc40be37cbd41f71b0a8a2a4 ] + +The tty LED trigger uses the obsolete LED_ON & LED_OFF constants when +setting LED brightness. This is bad because the LED_ON constant is equal +to 1, and so when activating the tty LED trigger on a LED class device +with max_brightness greater than 1, the LED is dimmer than it can be +(when max_brightness is 255, the LED is very dimm indeed; some devices +translate 1/255 to 0, so the LED is OFF all the time). + +Instead of directly setting brightness to a specific value, use the +led_blink_set_oneshot() function from LED core to configure the blink. +This function takes the current configured brightness as blink +brightness if not zero, and max brightness otherwise. + +This also changes the behavior of the TTY LED trigger. Previously if +rx/tx stats kept changing, the LED was ON all the time they kept +changing. With this patch the LED will blink on TTY activity. + +Fixes: fd4a641ac88f ("leds: trigger: implement a tty trigger") +Signed-off-by: Marek Behún +Link: https://lore.kernel.org/r/20230802090753.13611-1-kabel@kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/trigger/ledtrig-tty.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/leds/trigger/ledtrig-tty.c b/drivers/leds/trigger/ledtrig-tty.c +index f62db7e520b52..8ae0d2d284aff 100644 +--- a/drivers/leds/trigger/ledtrig-tty.c ++++ b/drivers/leds/trigger/ledtrig-tty.c +@@ -7,6 +7,8 @@ + #include + #include + ++#define LEDTRIG_TTY_INTERVAL 50 ++ + struct ledtrig_tty_data { + struct led_classdev *led_cdev; + struct delayed_work dwork; +@@ -122,17 +124,19 @@ static void ledtrig_tty_work(struct work_struct *work) + + if (icount.rx != trigger_data->rx || + icount.tx != trigger_data->tx) { +- led_set_brightness_sync(trigger_data->led_cdev, LED_ON); ++ unsigned long interval = LEDTRIG_TTY_INTERVAL; ++ ++ led_blink_set_oneshot(trigger_data->led_cdev, &interval, ++ &interval, 0); + + trigger_data->rx = icount.rx; + trigger_data->tx = icount.tx; +- } else { +- led_set_brightness_sync(trigger_data->led_cdev, LED_OFF); + } + + out: + mutex_unlock(&trigger_data->mutex); +- schedule_delayed_work(&trigger_data->dwork, msecs_to_jiffies(100)); ++ schedule_delayed_work(&trigger_data->dwork, ++ msecs_to_jiffies(LEDTRIG_TTY_INTERVAL * 2)); + } + + static struct attribute *ledtrig_tty_attrs[] = { +-- +2.40.1 + diff --git a/queue-5.15/lwt-check-lwtunnel_xmit_continue-strictly.patch b/queue-5.15/lwt-check-lwtunnel_xmit_continue-strictly.patch new file mode 100644 index 00000000000..57bcb0d22c5 --- /dev/null +++ b/queue-5.15/lwt-check-lwtunnel_xmit_continue-strictly.patch @@ -0,0 +1,78 @@ +From 9b031b7e93e5e96a7bd37c950d2bf62d13a6c821 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 19:58:14 -0700 +Subject: lwt: Check LWTUNNEL_XMIT_CONTINUE strictly + +From: Yan Zhai + +[ Upstream commit a171fbec88a2c730b108c7147ac5e7b2f5a02b47 ] + +LWTUNNEL_XMIT_CONTINUE is implicitly assumed in ip(6)_finish_output2, +such that any positive return value from a xmit hook could cause +unexpected continue behavior, despite that related skb may have been +freed. This could be error-prone for future xmit hook ops. One of the +possible errors is to return statuses of dst_output directly. + +To make the code safer, redefine LWTUNNEL_XMIT_CONTINUE value to +distinguish from dst_output statuses and check the continue +condition explicitly. + +Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure") +Suggested-by: Dan Carpenter +Signed-off-by: Yan Zhai +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/96b939b85eda00e8df4f7c080f770970a4c5f698.1692326837.git.yan@cloudflare.com +Signed-off-by: Sasha Levin +--- + include/net/lwtunnel.h | 5 ++++- + net/ipv4/ip_output.c | 2 +- + net/ipv6/ip6_output.c | 2 +- + 3 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h +index 6f15e6fa154e6..53bd2d02a4f0d 100644 +--- a/include/net/lwtunnel.h ++++ b/include/net/lwtunnel.h +@@ -16,9 +16,12 @@ + #define LWTUNNEL_STATE_INPUT_REDIRECT BIT(1) + #define LWTUNNEL_STATE_XMIT_REDIRECT BIT(2) + ++/* LWTUNNEL_XMIT_CONTINUE should be distinguishable from dst_output return ++ * values (NET_XMIT_xxx and NETDEV_TX_xxx in linux/netdevice.h) for safety. ++ */ + enum { + LWTUNNEL_XMIT_DONE, +- LWTUNNEL_XMIT_CONTINUE, ++ LWTUNNEL_XMIT_CONTINUE = 0x100, + }; + + +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index ae8a456df5ab2..a5f09d64c6ed1 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -214,7 +214,7 @@ static int ip_finish_output2(struct net *net, struct sock *sk, struct sk_buff *s + if (lwtunnel_xmit_redirect(dst->lwtstate)) { + int res = lwtunnel_xmit(skb); + +- if (res < 0 || res == LWTUNNEL_XMIT_DONE) ++ if (res != LWTUNNEL_XMIT_CONTINUE) + return res; + } + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index be63929b1ac53..2207acd7108c1 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -112,7 +112,7 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff * + if (lwtunnel_xmit_redirect(dst->lwtstate)) { + int res = lwtunnel_xmit(skb); + +- if (res < 0 || res == LWTUNNEL_XMIT_DONE) ++ if (res != LWTUNNEL_XMIT_CONTINUE) + return res; + } + +-- +2.40.1 + diff --git a/queue-5.15/lwt-fix-return-values-of-bpf-xmit-ops.patch b/queue-5.15/lwt-fix-return-values-of-bpf-xmit-ops.patch new file mode 100644 index 00000000000..8acaf2dbf98 --- /dev/null +++ b/queue-5.15/lwt-fix-return-values-of-bpf-xmit-ops.patch @@ -0,0 +1,63 @@ +From cd491cbd424b2bb3814cc74533d25c785fb7214f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 19:58:11 -0700 +Subject: lwt: Fix return values of BPF xmit ops + +From: Yan Zhai + +[ Upstream commit 29b22badb7a84b783e3a4fffca16f7768fb31205 ] + +BPF encap ops can return different types of positive values, such like +NET_RX_DROP, NET_XMIT_CN, NETDEV_TX_BUSY, and so on, from function +skb_do_redirect and bpf_lwt_xmit_reroute. At the xmit hook, such return +values would be treated implicitly as LWTUNNEL_XMIT_CONTINUE in +ip(6)_finish_output2. When this happens, skbs that have been freed would +continue to the neighbor subsystem, causing use-after-free bug and +kernel crashes. + +To fix the incorrect behavior, skb_do_redirect return values can be +simply discarded, the same as tc-egress behavior. On the other hand, +bpf_lwt_xmit_reroute returns useful errors to local senders, e.g. PMTU +information. Thus convert its return values to avoid the conflict with +LWTUNNEL_XMIT_CONTINUE. + +Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure") +Reported-by: Jordan Griege +Suggested-by: Martin KaFai Lau +Suggested-by: Stanislav Fomichev +Signed-off-by: Yan Zhai +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/0d2b878186cfe215fec6b45769c1cd0591d3628d.1692326837.git.yan@cloudflare.com +Signed-off-by: Sasha Levin +--- + net/core/lwt_bpf.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c +index 3fd207fe1284a..f6c327c7badb4 100644 +--- a/net/core/lwt_bpf.c ++++ b/net/core/lwt_bpf.c +@@ -59,9 +59,8 @@ static int run_lwt_bpf(struct sk_buff *skb, struct bpf_lwt_prog *lwt, + ret = BPF_OK; + } else { + skb_reset_mac_header(skb); +- ret = skb_do_redirect(skb); +- if (ret == 0) +- ret = BPF_REDIRECT; ++ skb_do_redirect(skb); ++ ret = BPF_REDIRECT; + } + break; + +@@ -254,7 +253,7 @@ static int bpf_lwt_xmit_reroute(struct sk_buff *skb) + + err = dst_output(dev_net(skb_dst(skb)->dev), skb->sk, skb); + if (unlikely(err)) +- return err; ++ return net_xmit_errno(err); + + /* ip[6]_finish_output2 understand LWTUNNEL_XMIT_DONE */ + return LWTUNNEL_XMIT_DONE; +-- +2.40.1 + diff --git a/queue-5.15/md-add-error_handlers-for-raid0-and-linear.patch b/queue-5.15/md-add-error_handlers-for-raid0-and-linear.patch new file mode 100644 index 00000000000..1a123cbc208 --- /dev/null +++ b/queue-5.15/md-add-error_handlers-for-raid0-and-linear.patch @@ -0,0 +1,150 @@ +From 7f20455877de09ae0f6bd66c484a93abe7943afd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 14:03:17 +0100 +Subject: md: add error_handlers for raid0 and linear + +From: Mariusz Tkaczyk + +[ Upstream commit c31fea2f8e2a72c817f318016bbc327095175a9f ] + +After the commit 9631abdbf406c("md: Set MD_BROKEN for RAID1 and RAID10") +MD_BROKEN must be set if array is failed because state_store() checks it. +If it is set then -EBUSY is returned to userspace. + +For raid0 and linear MD_BROKEN is not set by error_handler(). As a result +mdadm is unable to trigger clean-up actions. It is a regression. + +This patch adds appropriate error_handler for raid0 and linear. The +error handler sets MD_BROKEN for this device. + +Reviewed-by: Xiao Ni +Signed-off-by: Mariusz Tkaczyk +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230306130317.3418-1-mariusz.tkaczyk@linux.intel.com +Stable-dep-of: 319ff40a5427 ("md/raid0: Fix performance regression for large sequential writes") +Signed-off-by: Sasha Levin +--- + drivers/md/md-linear.c | 14 +++++++++++++- + drivers/md/md.c | 3 +++ + drivers/md/md.h | 10 ++-------- + drivers/md/raid0.c | 14 +++++++++++++- + 4 files changed, 31 insertions(+), 10 deletions(-) + +diff --git a/drivers/md/md-linear.c b/drivers/md/md-linear.c +index 1ff51647a6822..c33cd28f1dba0 100644 +--- a/drivers/md/md-linear.c ++++ b/drivers/md/md-linear.c +@@ -233,7 +233,8 @@ static bool linear_make_request(struct mddev *mddev, struct bio *bio) + bio_sector < start_sector)) + goto out_of_bounds; + +- if (unlikely(is_mddev_broken(tmp_dev->rdev, "linear"))) { ++ if (unlikely(is_rdev_broken(tmp_dev->rdev))) { ++ md_error(mddev, tmp_dev->rdev); + bio_io_error(bio); + return true; + } +@@ -281,6 +282,16 @@ static void linear_status (struct seq_file *seq, struct mddev *mddev) + seq_printf(seq, " %dk rounding", mddev->chunk_sectors / 2); + } + ++static void linear_error(struct mddev *mddev, struct md_rdev *rdev) ++{ ++ if (!test_and_set_bit(MD_BROKEN, &mddev->flags)) { ++ char *md_name = mdname(mddev); ++ ++ pr_crit("md/linear%s: Disk failure on %pg detected, failing array.\n", ++ md_name, rdev->bdev); ++ } ++} ++ + static void linear_quiesce(struct mddev *mddev, int state) + { + } +@@ -297,6 +308,7 @@ static struct md_personality linear_personality = + .hot_add_disk = linear_add, + .size = linear_size, + .quiesce = linear_quiesce, ++ .error_handler = linear_error, + }; + + static int __init linear_init (void) +diff --git a/drivers/md/md.c b/drivers/md/md.c +index a6e855cbf3946..b585b642a0763 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7987,6 +7987,9 @@ void md_error(struct mddev *mddev, struct md_rdev *rdev) + return; + mddev->pers->error_handler(mddev, rdev); + ++ if (mddev->pers->level == 0 || mddev->pers->level == LEVEL_LINEAR) ++ return; ++ + if (mddev->degraded && !test_bit(MD_BROKEN, &mddev->flags)) + set_bit(MD_RECOVERY_RECOVER, &mddev->recovery); + sysfs_notify_dirent_safe(rdev->sysfs_state); +diff --git a/drivers/md/md.h b/drivers/md/md.h +index 0e0cc5d7921bd..99780e89531e5 100644 +--- a/drivers/md/md.h ++++ b/drivers/md/md.h +@@ -772,15 +772,9 @@ extern void mddev_destroy_serial_pool(struct mddev *mddev, struct md_rdev *rdev, + struct md_rdev *md_find_rdev_nr_rcu(struct mddev *mddev, int nr); + struct md_rdev *md_find_rdev_rcu(struct mddev *mddev, dev_t dev); + +-static inline bool is_mddev_broken(struct md_rdev *rdev, const char *md_type) ++static inline bool is_rdev_broken(struct md_rdev *rdev) + { +- if (!disk_live(rdev->bdev->bd_disk)) { +- if (!test_and_set_bit(MD_BROKEN, &rdev->mddev->flags)) +- pr_warn("md: %s: %s array has a missing/failed member\n", +- mdname(rdev->mddev), md_type); +- return true; +- } +- return false; ++ return !disk_live(rdev->bdev->bd_disk); + } + + static inline void rdev_dec_pending(struct md_rdev *rdev, struct mddev *mddev) +diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c +index dca912387ec19..6917d72c18132 100644 +--- a/drivers/md/raid0.c ++++ b/drivers/md/raid0.c +@@ -628,8 +628,9 @@ static bool raid0_make_request(struct mddev *mddev, struct bio *bio) + return true; + } + +- if (unlikely(is_mddev_broken(tmp_dev, "raid0"))) { ++ if (unlikely(is_rdev_broken(tmp_dev))) { + bio_io_error(bio); ++ md_error(mddev, tmp_dev); + return true; + } + +@@ -652,6 +653,16 @@ static void raid0_status(struct seq_file *seq, struct mddev *mddev) + return; + } + ++static void raid0_error(struct mddev *mddev, struct md_rdev *rdev) ++{ ++ if (!test_and_set_bit(MD_BROKEN, &mddev->flags)) { ++ char *md_name = mdname(mddev); ++ ++ pr_crit("md/raid0%s: Disk failure on %pg detected, failing array.\n", ++ md_name, rdev->bdev); ++ } ++} ++ + static void *raid0_takeover_raid45(struct mddev *mddev) + { + struct md_rdev *rdev; +@@ -827,6 +838,7 @@ static struct md_personality raid0_personality= + .size = raid0_size, + .takeover = raid0_takeover, + .quiesce = raid0_quiesce, ++ .error_handler = raid0_error, + }; + + static int __init raid0_init (void) +-- +2.40.1 + diff --git a/queue-5.15/md-bitmap-don-t-set-max_write_behind-if-there-is-no-.patch b/queue-5.15/md-bitmap-don-t-set-max_write_behind-if-there-is-no-.patch new file mode 100644 index 00000000000..4c072380603 --- /dev/null +++ b/queue-5.15/md-bitmap-don-t-set-max_write_behind-if-there-is-no-.patch @@ -0,0 +1,59 @@ +From 81b7365765743fbf12fc865e4914af16118c9ce3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Oct 2021 21:50:17 +0800 +Subject: md/bitmap: don't set max_write_behind if there is no write mostly + device + +From: Guoqing Jiang + +[ Upstream commit 8c13ab115b577bd09097b9d77916732e97e31b7b ] + +We shouldn't set it since write behind IO should only happen to write +mostly device. + +Signed-off-by: Guoqing Jiang +Signed-off-by: Song Liu +Stable-dep-of: 44abfa6a95df ("md/md-bitmap: hold 'reconfig_mutex' in backlog_store()") +Signed-off-by: Sasha Levin +--- + drivers/md/md-bitmap.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c +index adada558a1b09..daedd9fcc4e5e 100644 +--- a/drivers/md/md-bitmap.c ++++ b/drivers/md/md-bitmap.c +@@ -2476,11 +2476,30 @@ backlog_store(struct mddev *mddev, const char *buf, size_t len) + { + unsigned long backlog; + unsigned long old_mwb = mddev->bitmap_info.max_write_behind; ++ struct md_rdev *rdev; ++ bool has_write_mostly = false; + int rv = kstrtoul(buf, 10, &backlog); + if (rv) + return rv; + if (backlog > COUNTER_MAX) + return -EINVAL; ++ ++ /* ++ * Without write mostly device, it doesn't make sense to set ++ * backlog for max_write_behind. ++ */ ++ rdev_for_each(rdev, mddev) { ++ if (test_bit(WriteMostly, &rdev->flags)) { ++ has_write_mostly = true; ++ break; ++ } ++ } ++ if (!has_write_mostly) { ++ pr_warn_ratelimited("%s: can't set backlog, no write mostly device available\n", ++ mdname(mddev)); ++ return -EINVAL; ++ } ++ + mddev->bitmap_info.max_write_behind = backlog; + if (!backlog && mddev->serial_info_pool) { + /* serial_info_pool is not needed if backlog is zero */ +-- +2.40.1 + diff --git a/queue-5.15/md-md-bitmap-hold-reconfig_mutex-in-backlog_store.patch b/queue-5.15/md-md-bitmap-hold-reconfig_mutex-in-backlog_store.patch new file mode 100644 index 00000000000..c67b7cd8e87 --- /dev/null +++ b/queue-5.15/md-md-bitmap-hold-reconfig_mutex-in-backlog_store.patch @@ -0,0 +1,62 @@ +From 59872262e528223dc681421a755550dfcd04a900 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 16:37:27 +0800 +Subject: md/md-bitmap: hold 'reconfig_mutex' in backlog_store() + +From: Yu Kuai + +[ Upstream commit 44abfa6a95df425c0660d56043020b67e6d93ab8 ] + +Several reasons why 'reconfig_mutex' should be held: + +1) rdev_for_each() is not safe to be called without the lock, because + rdev can be removed concurrently. +2) mddev_destroy_serial_pool() and mddev_create_serial_pool() should not + be called concurrently. +3) mddev_suspend() from mddev_destroy/create_serial_pool() should be + protected by the lock. + +Fixes: 10c92fca636e ("md-bitmap: create and destroy wb_info_pool with the change of backlog") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20230706083727.608914-3-yukuai1@huaweicloud.com +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md-bitmap.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c +index daedd9fcc4e5e..9354fd8618e3d 100644 +--- a/drivers/md/md-bitmap.c ++++ b/drivers/md/md-bitmap.c +@@ -2484,6 +2484,10 @@ backlog_store(struct mddev *mddev, const char *buf, size_t len) + if (backlog > COUNTER_MAX) + return -EINVAL; + ++ rv = mddev_lock(mddev); ++ if (rv) ++ return rv; ++ + /* + * Without write mostly device, it doesn't make sense to set + * backlog for max_write_behind. +@@ -2497,6 +2501,7 @@ backlog_store(struct mddev *mddev, const char *buf, size_t len) + if (!has_write_mostly) { + pr_warn_ratelimited("%s: can't set backlog, no write mostly device available\n", + mdname(mddev)); ++ mddev_unlock(mddev); + return -EINVAL; + } + +@@ -2514,6 +2519,8 @@ backlog_store(struct mddev *mddev, const char *buf, size_t len) + } + if (old_mwb != backlog) + md_bitmap_update_sb(mddev->bitmap); ++ ++ mddev_unlock(mddev); + return len; + } + +-- +2.40.1 + diff --git a/queue-5.15/md-raid0-account-for-split-bio-in-iostat-accounting.patch b/queue-5.15/md-raid0-account-for-split-bio-in-iostat-accounting.patch new file mode 100644 index 00000000000..63aac090063 --- /dev/null +++ b/queue-5.15/md-raid0-account-for-split-bio-in-iostat-accounting.patch @@ -0,0 +1,73 @@ +From 65620a1a2f2e50d41164c9ff224e25b2671081a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 14:13:55 -0400 +Subject: md: raid0: account for split bio in iostat accounting + +From: David Jeffery + +[ Upstream commit cc22b5407e9ca76adb7efeed843146510b1b72a5 ] + +When a bio is split by md raid0, the newly created bio will not be tracked +by md for I/O accounting. Only the portion of I/O still assigned to the +original bio which was reduced by the split will be accounted for. This +results in md iostat data sometimes showing I/O values far below the actual +amount of data being sent through md. + +md_account_bio() needs to be called for all bio generated by the bio split. + +A simple example of the issue was generated using a raid0 device on partitions +to the same device. Since all raid0 I/O then goes to one device, it makes it +easy to see a gap between the md device and its sd storage. Reading an lvm +device on top of the md device, the iostat output (some 0 columns and extra +devices removed to make the data more compact) was: + +Device tps kB_read/s kB_wrtn/s kB_dscd/s kB_read +md2 0.00 0.00 0.00 0.00 0 +sde 0.00 0.00 0.00 0.00 0 +md2 1364.00 411496.00 0.00 0.00 411496 +sde 1734.00 646144.00 0.00 0.00 646144 +md2 1699.00 510680.00 0.00 0.00 510680 +sde 2155.00 802784.00 0.00 0.00 802784 +md2 803.00 241480.00 0.00 0.00 241480 +sde 1016.00 377888.00 0.00 0.00 377888 +md2 0.00 0.00 0.00 0.00 0 +sde 0.00 0.00 0.00 0.00 0 + +I/O was generated doing large direct I/O reads (12M) with dd to a linear +lvm volume on top of the 4 leg raid0 device. + +The md2 reads were showing as roughly 2/3 of the reads to the sde device +containing all of md2's raid partitions. The sum of reads to sde was +1826816 kB, which was the expected amount as it was the amount read by +dd. With the patch, the total reads from md will match the reads from +sde and be consistent with the amount of I/O generated. + +Fixes: 10764815ff47 ("md: add io accounting for raid0 and raid5") +Signed-off-by: David Jeffery +Tested-by: Laurence Oberman +Reviewed-by: Laurence Oberman +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230816181433.13289-1-djeffery@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid0.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c +index b1df1877c864b..2290307e0910f 100644 +--- a/drivers/md/raid0.c ++++ b/drivers/md/raid0.c +@@ -578,8 +578,7 @@ static void raid0_map_submit_bio(struct mddev *mddev, struct bio *bio) + sector_t bio_sector = bio->bi_iter.bi_sector; + sector_t sector = bio_sector; + +- if (bio->bi_pool != &mddev->bio_set) +- md_account_bio(mddev, &bio); ++ md_account_bio(mddev, &bio); + + zone = find_zone(mddev->private, §or); + switch (conf->layout) { +-- +2.40.1 + diff --git a/queue-5.15/md-raid0-factor-out-helper-for-mapping-and-submittin.patch b/queue-5.15/md-raid0-factor-out-helper-for-mapping-and-submittin.patch new file mode 100644 index 00000000000..7c7f06feba7 --- /dev/null +++ b/queue-5.15/md-raid0-factor-out-helper-for-mapping-and-submittin.patch @@ -0,0 +1,146 @@ +From da1f7d3469f673c0dccb01008658a7b858ed0199 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 11:27:07 +0200 +Subject: md/raid0: Factor out helper for mapping and submitting a bio + +From: Jan Kara + +[ Upstream commit af50e20afb401cc203bd2a9ff62ece0ae4976103 ] + +Factor out helper function for mapping and submitting a bio out of +raid0_make_request(). We will use it later for submitting both parts of +a split bio. + +Signed-off-by: Jan Kara +Reviewed-by: Yu Kuai +Link: https://lore.kernel.org/r/20230814092720.3931-1-jack@suse.cz +Signed-off-by: Song Liu +Stable-dep-of: 319ff40a5427 ("md/raid0: Fix performance regression for large sequential writes") +Signed-off-by: Sasha Levin +--- + drivers/md/raid0.c | 79 +++++++++++++++++++++++----------------------- + 1 file changed, 40 insertions(+), 39 deletions(-) + +diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c +index 6917d72c18132..eca0022588c6d 100644 +--- a/drivers/md/raid0.c ++++ b/drivers/md/raid0.c +@@ -570,54 +570,21 @@ static void raid0_handle_discard(struct mddev *mddev, struct bio *bio) + bio_endio(bio); + } + +-static bool raid0_make_request(struct mddev *mddev, struct bio *bio) ++static void raid0_map_submit_bio(struct mddev *mddev, struct bio *bio) + { + struct r0conf *conf = mddev->private; + struct strip_zone *zone; + struct md_rdev *tmp_dev; +- sector_t bio_sector; +- sector_t sector; +- sector_t orig_sector; +- unsigned chunk_sects; +- unsigned sectors; +- +- if (unlikely(bio->bi_opf & REQ_PREFLUSH) +- && md_flush_request(mddev, bio)) +- return true; +- +- if (unlikely((bio_op(bio) == REQ_OP_DISCARD))) { +- raid0_handle_discard(mddev, bio); +- return true; +- } +- +- bio_sector = bio->bi_iter.bi_sector; +- sector = bio_sector; +- chunk_sects = mddev->chunk_sectors; +- +- sectors = chunk_sects - +- (likely(is_power_of_2(chunk_sects)) +- ? (sector & (chunk_sects-1)) +- : sector_div(sector, chunk_sects)); +- +- /* Restore due to sector_div */ +- sector = bio_sector; +- +- if (sectors < bio_sectors(bio)) { +- struct bio *split = bio_split(bio, sectors, GFP_NOIO, +- &mddev->bio_set); +- bio_chain(split, bio); +- submit_bio_noacct(bio); +- bio = split; +- } ++ sector_t bio_sector = bio->bi_iter.bi_sector; ++ sector_t sector = bio_sector; + + if (bio->bi_pool != &mddev->bio_set) + md_account_bio(mddev, &bio); + +- orig_sector = sector; + zone = find_zone(mddev->private, §or); + switch (conf->layout) { + case RAID0_ORIG_LAYOUT: +- tmp_dev = map_sector(mddev, zone, orig_sector, §or); ++ tmp_dev = map_sector(mddev, zone, bio_sector, §or); + break; + case RAID0_ALT_MULTIZONE_LAYOUT: + tmp_dev = map_sector(mddev, zone, sector, §or); +@@ -625,13 +592,13 @@ static bool raid0_make_request(struct mddev *mddev, struct bio *bio) + default: + WARN(1, "md/raid0:%s: Invalid layout\n", mdname(mddev)); + bio_io_error(bio); +- return true; ++ return; + } + + if (unlikely(is_rdev_broken(tmp_dev))) { + bio_io_error(bio); + md_error(mddev, tmp_dev); +- return true; ++ return; + } + + bio_set_dev(bio, tmp_dev->bdev); +@@ -644,6 +611,40 @@ static bool raid0_make_request(struct mddev *mddev, struct bio *bio) + mddev_check_writesame(mddev, bio); + mddev_check_write_zeroes(mddev, bio); + submit_bio_noacct(bio); ++} ++ ++static bool raid0_make_request(struct mddev *mddev, struct bio *bio) ++{ ++ sector_t sector; ++ unsigned chunk_sects; ++ unsigned sectors; ++ ++ if (unlikely(bio->bi_opf & REQ_PREFLUSH) ++ && md_flush_request(mddev, bio)) ++ return true; ++ ++ if (unlikely((bio_op(bio) == REQ_OP_DISCARD))) { ++ raid0_handle_discard(mddev, bio); ++ return true; ++ } ++ ++ sector = bio->bi_iter.bi_sector; ++ chunk_sects = mddev->chunk_sectors; ++ ++ sectors = chunk_sects - ++ (likely(is_power_of_2(chunk_sects)) ++ ? (sector & (chunk_sects-1)) ++ : sector_div(sector, chunk_sects)); ++ ++ if (sectors < bio_sectors(bio)) { ++ struct bio *split = bio_split(bio, sectors, GFP_NOIO, ++ &mddev->bio_set); ++ bio_chain(split, bio); ++ submit_bio_noacct(bio); ++ bio = split; ++ } ++ ++ raid0_map_submit_bio(mddev, bio); + return true; + } + +-- +2.40.1 + diff --git a/queue-5.15/md-raid0-fix-performance-regression-for-large-sequen.patch b/queue-5.15/md-raid0-fix-performance-regression-for-large-sequen.patch new file mode 100644 index 00000000000..bd9506290da --- /dev/null +++ b/queue-5.15/md-raid0-fix-performance-regression-for-large-sequen.patch @@ -0,0 +1,91 @@ +From 975c1eae090952ba81390b266fb7190122c05b71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 11:27:08 +0200 +Subject: md/raid0: Fix performance regression for large sequential writes + +From: Jan Kara + +[ Upstream commit 319ff40a542736d67e5bce18635de35d0e7a0bff ] + +Commit f00d7c85be9e ("md/raid0: fix up bio splitting.") among other +things changed how bio that needs to be split is submitted. Before this +commit, we have split the bio, mapped and submitted each part. After +this commit, we map only the first part of the split bio and submit the +second part unmapped. Due to bio sorting in __submit_bio_noacct() this +results in the following request ordering: + + 9,0 18 1181 0.525037895 15995 Q WS 1479315464 + 63392 + + Split off chunk-sized (1024 sectors) request: + + 9,0 18 1182 0.629019647 15995 X WS 1479315464 / 1479316488 + + Request is unaligned to the chunk so it's split in + raid0_make_request(). This is the first part mapped and punted to + bio_list: + + 8,0 18 7053 0.629020455 15995 A WS 739921928 + 1016 <- (9,0) 1479315464 + + Now raid0_make_request() returns, second part is postponed on + bio_list. __submit_bio_noacct() resorts the bio_list, mapped request + is submitted to the underlying device: + + 8,0 18 7054 0.629022782 15995 G WS 739921928 + 1016 + + Now we take another request from the bio_list which is the remainder + of the original huge request. Split off another chunk-sized bit from + it and the situation repeats: + + 9,0 18 1183 0.629024499 15995 X WS 1479316488 / 1479317512 + 8,16 18 6998 0.629025110 15995 A WS 739921928 + 1016 <- (9,0) 1479316488 + 8,16 18 6999 0.629026728 15995 G WS 739921928 + 1016 + ... + 9,0 18 1184 0.629032940 15995 X WS 1479317512 / 1479318536 [libnetacq-write] + 8,0 18 7059 0.629033294 15995 A WS 739922952 + 1016 <- (9,0) 1479317512 + 8,0 18 7060 0.629033902 15995 G WS 739922952 + 1016 + ... + + This repeats until we consume the whole original huge request. Now we + finally get to processing the second parts of the split off requests + (in reverse order): + + 8,16 18 7181 0.629161384 15995 A WS 739952640 + 8 <- (9,0) 1479377920 + 8,0 18 7239 0.629162140 15995 A WS 739952640 + 8 <- (9,0) 1479376896 + 8,16 18 7186 0.629163881 15995 A WS 739951616 + 8 <- (9,0) 1479375872 + 8,0 18 7242 0.629164421 15995 A WS 739951616 + 8 <- (9,0) 1479374848 + ... + +I guess it is obvious that this IO pattern is extremely inefficient way +to perform sequential IO. It also makes bio_list to grow to rather long +lengths. + +Change raid0_make_request() to map both parts of the split bio. Since we +know we are provided with at most chunk-sized bios, we will always need +to split the incoming bio at most once. + +Fixes: f00d7c85be9e ("md/raid0: fix up bio splitting.") +Signed-off-by: Jan Kara +Reviewed-by: Yu Kuai +Link: https://lore.kernel.org/r/20230814092720.3931-2-jack@suse.cz +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/raid0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c +index eca0022588c6d..b1df1877c864b 100644 +--- a/drivers/md/raid0.c ++++ b/drivers/md/raid0.c +@@ -640,7 +640,7 @@ static bool raid0_make_request(struct mddev *mddev, struct bio *bio) + struct bio *split = bio_split(bio, sectors, GFP_NOIO, + &mddev->bio_set); + bio_chain(split, bio); +- submit_bio_noacct(bio); ++ raid0_map_submit_bio(mddev, bio); + bio = split; + } + +-- +2.40.1 + diff --git a/queue-5.15/md-raid1-free-the-r1bio-before-waiting-for-blocked-r.patch b/queue-5.15/md-raid1-free-the-r1bio-before-waiting-for-blocked-r.patch new file mode 100644 index 00000000000..b5a1e38b73c --- /dev/null +++ b/queue-5.15/md-raid1-free-the-r1bio-before-waiting-for-blocked-r.patch @@ -0,0 +1,55 @@ +From 42c298d231b7d90a22c68a91c9536637e5cbf618 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 21:53:55 +0800 +Subject: md/raid1: free the r1bio before waiting for blocked rdev + +From: Xueshi Hu + +[ Upstream commit 992db13a4aee766c8bfbf046ad15c2db5fa7cab8 ] + +Raid1 reshape will change mempool and r1conf::raid_disks which are +needed to free r1bio. allow_barrier() make a concurrent raid1_reshape() +possible. So, free the in-flight r1bio before waiting blocked rdev. + +Fixes: 6bfe0b499082 ("md: support blocking writes to an array on device failure") +Reviewed-by: Yu Kuai +Signed-off-by: Xueshi Hu +Link: https://lore.kernel.org/r/20230814135356.1113639-3-xueshi.hu@smartx.com +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/raid1.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index 47997a9a3ca18..0e5fd8a524a1d 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1355,6 +1355,7 @@ static void raid1_write_request(struct mddev *mddev, struct bio *bio, + */ + wait_barrier(conf, bio->bi_iter.bi_sector); + ++ retry_write: + r1_bio = alloc_r1bio(mddev, bio); + r1_bio->sectors = max_write_sectors; + +@@ -1370,7 +1371,6 @@ static void raid1_write_request(struct mddev *mddev, struct bio *bio, + */ + + disks = conf->raid_disks * 2; +- retry_write: + blocked_rdev = NULL; + rcu_read_lock(); + max_sectors = r1_bio->sectors; +@@ -1450,7 +1450,7 @@ static void raid1_write_request(struct mddev *mddev, struct bio *bio, + for (j = 0; j < i; j++) + if (r1_bio->bios[j]) + rdev_dec_pending(conf->mirrors[j].rdev, mddev); +- r1_bio->state = 0; ++ free_r1bio(r1_bio); + allow_barrier(conf, bio->bi_iter.bi_sector); + raid1_log(mddev, "wait rdev %d blocked", blocked_rdev->raid_disk); + md_wait_for_blocked_rdev(blocked_rdev, mddev); +-- +2.40.1 + diff --git a/queue-5.15/md-raid1-hold-the-barrier-until-handle_read_error-fi.patch b/queue-5.15/md-raid1-hold-the-barrier-until-handle_read_error-fi.patch new file mode 100644 index 00000000000..c5dfc68e863 --- /dev/null +++ b/queue-5.15/md-raid1-hold-the-barrier-until-handle_read_error-fi.patch @@ -0,0 +1,53 @@ +From 215d4c4f74d212ddcc146e9d26c4f1776f460637 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 21:53:56 +0800 +Subject: md/raid1: hold the barrier until handle_read_error() finishes + +From: Xueshi Hu + +[ Upstream commit c069da449a13669ffa754fd971747e7e17e7d691 ] + +handle_read_error() will call allow_barrier() to match the former barrier +raising. However, it should put the allow_barrier() at the end to avoid a +concurrent raid reshape. + +Fixes: 689389a06ce7 ("md/raid1: simplify handle_read_error().") +Reviewed-by: Yu Kuai +Signed-off-by: Xueshi Hu +Link: https://lore.kernel.org/r/20230814135356.1113639-4-xueshi.hu@smartx.com +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/raid1.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index 0e5fd8a524a1d..e8e475b082567 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -2484,6 +2484,7 @@ static void handle_read_error(struct r1conf *conf, struct r1bio *r1_bio) + struct mddev *mddev = conf->mddev; + struct bio *bio; + struct md_rdev *rdev; ++ sector_t sector; + + clear_bit(R1BIO_ReadError, &r1_bio->state); + /* we got a read error. Maybe the drive is bad. Maybe just +@@ -2513,12 +2514,13 @@ static void handle_read_error(struct r1conf *conf, struct r1bio *r1_bio) + } + + rdev_dec_pending(rdev, conf->mddev); +- allow_barrier(conf, r1_bio->sector); ++ sector = r1_bio->sector; + bio = r1_bio->master_bio; + + /* Reuse the old r1_bio so that the IO_BLOCKED settings are preserved */ + r1_bio->state = 0; + raid1_read_request(mddev, bio, r1_bio->sectors, r1_bio); ++ allow_barrier(conf, sector); + } + + static void raid1d(struct md_thread *thread) +-- +2.40.1 + diff --git a/queue-5.15/md-raid10-factor-out-dereference_rdev_and_rrdev.patch b/queue-5.15/md-raid10-factor-out-dereference_rdev_and_rrdev.patch new file mode 100644 index 00000000000..34d2943995f --- /dev/null +++ b/queue-5.15/md-raid10-factor-out-dereference_rdev_and_rrdev.patch @@ -0,0 +1,74 @@ +From 19e87d4599990d2c3eca74b69608ef6c55887ec6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Jul 2023 16:05:28 +0800 +Subject: md/raid10: factor out dereference_rdev_and_rrdev() + +From: Li Nan + +[ Upstream commit b99f8fd2d91eb734f13098aa1cf337edaca454b7 ] + +Factor out a helper to get 'rdev' and 'replacement' from config->mirrors. +Just to make code cleaner and prepare to fix the bug of io loss while +'replacement' replace 'rdev'. + +There is no functional change. + +Signed-off-by: Li Nan +Link: https://lore.kernel.org/r/20230701080529.2684932-3-linan666@huaweicloud.com +Signed-off-by: Song Liu +Stable-dep-of: 673643490b9a ("md/raid10: use dereference_rdev_and_rrdev() to get devices") +Signed-off-by: Sasha Levin +--- + drivers/md/raid10.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index edd3b65c447db..ff3c97cde7699 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -1316,6 +1316,25 @@ static void raid10_write_one_disk(struct mddev *mddev, struct r10bio *r10_bio, + } + } + ++static struct md_rdev *dereference_rdev_and_rrdev(struct raid10_info *mirror, ++ struct md_rdev **prrdev) ++{ ++ struct md_rdev *rdev, *rrdev; ++ ++ rrdev = rcu_dereference(mirror->replacement); ++ /* ++ * Read replacement first to prevent reading both rdev and ++ * replacement as NULL during replacement replace rdev. ++ */ ++ smp_mb(); ++ rdev = rcu_dereference(mirror->rdev); ++ if (rdev == rrdev) ++ rrdev = NULL; ++ ++ *prrdev = rrdev; ++ return rdev; ++} ++ + static void wait_blocked_dev(struct mddev *mddev, struct r10bio *r10_bio) + { + int i; +@@ -1459,15 +1478,7 @@ static void raid10_write_request(struct mddev *mddev, struct bio *bio, + int d = r10_bio->devs[i].devnum; + struct md_rdev *rdev, *rrdev; + +- rrdev = rcu_dereference(conf->mirrors[d].replacement); +- /* +- * Read replacement first to prevent reading both rdev and +- * replacement as NULL during replacement replace rdev. +- */ +- smp_mb(); +- rdev = rcu_dereference(conf->mirrors[d].rdev); +- if (rdev == rrdev) +- rrdev = NULL; ++ rdev = dereference_rdev_and_rrdev(&conf->mirrors[d], &rrdev); + if (rdev && (test_bit(Faulty, &rdev->flags))) + rdev = NULL; + if (rrdev && (test_bit(Faulty, &rrdev->flags))) +-- +2.40.1 + diff --git a/queue-5.15/md-raid10-use-dereference_rdev_and_rrdev-to-get-devi.patch b/queue-5.15/md-raid10-use-dereference_rdev_and_rrdev-to-get-devi.patch new file mode 100644 index 00000000000..153893620eb --- /dev/null +++ b/queue-5.15/md-raid10-use-dereference_rdev_and_rrdev-to-get-devi.patch @@ -0,0 +1,59 @@ +From e74871d6e028a78b22eeb7983f073f0c5da94f86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Jul 2023 16:05:29 +0800 +Subject: md/raid10: use dereference_rdev_and_rrdev() to get devices + +From: Li Nan + +[ Upstream commit 673643490b9a0eb3b25633abe604f62b8f63dba1 ] + +Commit 2ae6aaf76912 ("md/raid10: fix io loss while replacement replace +rdev") reads replacement first to prevent io loss. However, there are same +issue in wait_blocked_dev() and raid10_handle_discard(), too. Fix it by +using dereference_rdev_and_rrdev() to get devices. + +Fixes: d30588b2731f ("md/raid10: improve raid10 discard request") +Fixes: f2e7e269a752 ("md/raid10: pull the code that wait for blocked dev into one function") +Signed-off-by: Li Nan +Link: https://lore.kernel.org/r/20230701080529.2684932-4-linan666@huaweicloud.com +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/raid10.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index ff3c97cde7699..a3a3a02d48b17 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -1345,11 +1345,9 @@ static void wait_blocked_dev(struct mddev *mddev, struct r10bio *r10_bio) + blocked_rdev = NULL; + rcu_read_lock(); + for (i = 0; i < conf->copies; i++) { +- struct md_rdev *rdev = rcu_dereference(conf->mirrors[i].rdev); +- struct md_rdev *rrdev = rcu_dereference( +- conf->mirrors[i].replacement); +- if (rdev == rrdev) +- rrdev = NULL; ++ struct md_rdev *rdev, *rrdev; ++ ++ rdev = dereference_rdev_and_rrdev(&conf->mirrors[i], &rrdev); + if (rdev && unlikely(test_bit(Blocked, &rdev->flags))) { + atomic_inc(&rdev->nr_pending); + blocked_rdev = rdev; +@@ -1785,10 +1783,9 @@ static int raid10_handle_discard(struct mddev *mddev, struct bio *bio) + */ + rcu_read_lock(); + for (disk = 0; disk < geo->raid_disks; disk++) { +- struct md_rdev *rdev = rcu_dereference(conf->mirrors[disk].rdev); +- struct md_rdev *rrdev = rcu_dereference( +- conf->mirrors[disk].replacement); ++ struct md_rdev *rdev, *rrdev; + ++ rdev = dereference_rdev_and_rrdev(&conf->mirrors[disk], &rrdev); + r10_bio->devs[disk].bio = NULL; + r10_bio->devs[disk].repl_bio = NULL; + +-- +2.40.1 + diff --git a/queue-5.15/md-set-md_broken-for-raid1-and-raid10.patch b/queue-5.15/md-set-md_broken-for-raid1-and-raid10.patch new file mode 100644 index 00000000000..a21784254bb --- /dev/null +++ b/queue-5.15/md-set-md_broken-for-raid1-and-raid10.patch @@ -0,0 +1,313 @@ +From 7444670d6c0373c3f1e257b41bfbdd154b68b805 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Mar 2022 16:23:38 +0100 +Subject: md: Set MD_BROKEN for RAID1 and RAID10 + +From: Mariusz Tkaczyk + +[ Upstream commit 9631abdbf406c764f2a5d8305eac063bc3396a0a ] + +There is no direct mechanism to determine raid failure outside +personality. It is done by checking rdev->flags after executing +md_error(). If "faulty" flag is not set then -EBUSY is returned to +userspace. -EBUSY means that array will be failed after drive removal. + +Mdadm has special routine to handle the array failure and it is executed +if -EBUSY is returned by md. + +There are at least two known reasons to not consider this mechanism +as correct: +1. drive can be removed even if array will be failed[1]. +2. -EBUSY seems to be wrong status. Array is not busy, but removal + process cannot proceed safe. + +-EBUSY expectation cannot be removed without breaking compatibility +with userspace. In this patch first issue is resolved by adding support +for MD_BROKEN flag for RAID1 and RAID10. Support for RAID456 is added in +next commit. + +The idea is to set the MD_BROKEN if we are sure that raid is in failed +state now. This is done in each error_handler(). In md_error() MD_BROKEN +flag is checked. If is set, then -EBUSY is returned to userspace. + +As in previous commit, it causes that #mdadm --set-faulty is able to +fail array. Previously proposed workaround is valid if optional +functionality[1] is disabled. + +[1] commit 9a567843f7ce("md: allow last device to be forcibly removed from + RAID1/RAID10.") + +Reviewd-by: Xiao Ni +Signed-off-by: Mariusz Tkaczyk +Signed-off-by: Song Liu +Stable-dep-of: 319ff40a5427 ("md/raid0: Fix performance regression for large sequential writes") +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 27 +++++++++++--------- + drivers/md/md.h | 62 +++++++++++++++++++++++++-------------------- + drivers/md/raid1.c | 43 ++++++++++++++++++------------- + drivers/md/raid10.c | 40 +++++++++++++++++------------ + 4 files changed, 100 insertions(+), 72 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 89a270d293698..a6e855cbf3946 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -2992,10 +2992,11 @@ state_store(struct md_rdev *rdev, const char *buf, size_t len) + + if (cmd_match(buf, "faulty") && rdev->mddev->pers) { + md_error(rdev->mddev, rdev); +- if (test_bit(Faulty, &rdev->flags)) +- err = 0; +- else ++ ++ if (test_bit(MD_BROKEN, &rdev->mddev->flags)) + err = -EBUSY; ++ else ++ err = 0; + } else if (cmd_match(buf, "remove")) { + if (rdev->mddev->pers) { + clear_bit(Blocked, &rdev->flags); +@@ -4364,10 +4365,9 @@ __ATTR_PREALLOC(resync_start, S_IRUGO|S_IWUSR, + * like active, but no writes have been seen for a while (100msec). + * + * broken +- * RAID0/LINEAR-only: same as clean, but array is missing a member. +- * It's useful because RAID0/LINEAR mounted-arrays aren't stopped +- * when a member is gone, so this state will at least alert the +- * user that something is wrong. ++* Array is failed. It's useful because mounted-arrays aren't stopped ++* when array is failed, so this state will at least alert the user that ++* something is wrong. + */ + enum array_state { clear, inactive, suspended, readonly, read_auto, clean, active, + write_pending, active_idle, broken, bad_word}; +@@ -7439,7 +7439,7 @@ static int set_disk_faulty(struct mddev *mddev, dev_t dev) + err = -ENODEV; + else { + md_error(mddev, rdev); +- if (!test_bit(Faulty, &rdev->flags)) ++ if (test_bit(MD_BROKEN, &mddev->flags)) + err = -EBUSY; + } + rcu_read_unlock(); +@@ -7985,13 +7985,16 @@ void md_error(struct mddev *mddev, struct md_rdev *rdev) + + if (!mddev->pers || !mddev->pers->error_handler) + return; +- mddev->pers->error_handler(mddev,rdev); +- if (mddev->degraded) ++ mddev->pers->error_handler(mddev, rdev); ++ ++ if (mddev->degraded && !test_bit(MD_BROKEN, &mddev->flags)) + set_bit(MD_RECOVERY_RECOVER, &mddev->recovery); + sysfs_notify_dirent_safe(rdev->sysfs_state); + set_bit(MD_RECOVERY_INTR, &mddev->recovery); +- set_bit(MD_RECOVERY_NEEDED, &mddev->recovery); +- md_wakeup_thread(mddev->thread); ++ if (!test_bit(MD_BROKEN, &mddev->flags)) { ++ set_bit(MD_RECOVERY_NEEDED, &mddev->recovery); ++ md_wakeup_thread(mddev->thread); ++ } + if (mddev->event_work.func) + queue_work(md_misc_wq, &mddev->event_work); + md_new_event(mddev); +diff --git a/drivers/md/md.h b/drivers/md/md.h +index 62852d7011457..0e0cc5d7921bd 100644 +--- a/drivers/md/md.h ++++ b/drivers/md/md.h +@@ -234,34 +234,42 @@ extern int rdev_clear_badblocks(struct md_rdev *rdev, sector_t s, int sectors, + int is_new); + struct md_cluster_info; + +-/* change UNSUPPORTED_MDDEV_FLAGS for each array type if new flag is added */ ++/** ++ * enum mddev_flags - md device flags. ++ * @MD_ARRAY_FIRST_USE: First use of array, needs initialization. ++ * @MD_CLOSING: If set, we are closing the array, do not open it then. ++ * @MD_JOURNAL_CLEAN: A raid with journal is already clean. ++ * @MD_HAS_JOURNAL: The raid array has journal feature set. ++ * @MD_CLUSTER_RESYNC_LOCKED: cluster raid only, which means node, already took ++ * resync lock, need to release the lock. ++ * @MD_FAILFAST_SUPPORTED: Using MD_FAILFAST on metadata writes is supported as ++ * calls to md_error() will never cause the array to ++ * become failed. ++ * @MD_HAS_PPL: The raid array has PPL feature set. ++ * @MD_HAS_MULTIPLE_PPLS: The raid array has multiple PPLs feature set. ++ * @MD_ALLOW_SB_UPDATE: md_check_recovery is allowed to update the metadata ++ * without taking reconfig_mutex. ++ * @MD_UPDATING_SB: md_check_recovery is updating the metadata without ++ * explicitly holding reconfig_mutex. ++ * @MD_NOT_READY: do_md_run() is active, so 'array_state', ust not report that ++ * array is ready yet. ++ * @MD_BROKEN: This is used to stop writes and mark array as failed. ++ * ++ * change UNSUPPORTED_MDDEV_FLAGS for each array type if new flag is added ++ */ + enum mddev_flags { +- MD_ARRAY_FIRST_USE, /* First use of array, needs initialization */ +- MD_CLOSING, /* If set, we are closing the array, do not open +- * it then */ +- MD_JOURNAL_CLEAN, /* A raid with journal is already clean */ +- MD_HAS_JOURNAL, /* The raid array has journal feature set */ +- MD_CLUSTER_RESYNC_LOCKED, /* cluster raid only, which means node +- * already took resync lock, need to +- * release the lock */ +- MD_FAILFAST_SUPPORTED, /* Using MD_FAILFAST on metadata writes is +- * supported as calls to md_error() will +- * never cause the array to become failed. +- */ +- MD_HAS_PPL, /* The raid array has PPL feature set */ +- MD_HAS_MULTIPLE_PPLS, /* The raid array has multiple PPLs feature set */ +- MD_ALLOW_SB_UPDATE, /* md_check_recovery is allowed to update +- * the metadata without taking reconfig_mutex. +- */ +- MD_UPDATING_SB, /* md_check_recovery is updating the metadata +- * without explicitly holding reconfig_mutex. +- */ +- MD_NOT_READY, /* do_md_run() is active, so 'array_state' +- * must not report that array is ready yet +- */ +- MD_BROKEN, /* This is used in RAID-0/LINEAR only, to stop +- * I/O in case an array member is gone/failed. +- */ ++ MD_ARRAY_FIRST_USE, ++ MD_CLOSING, ++ MD_JOURNAL_CLEAN, ++ MD_HAS_JOURNAL, ++ MD_CLUSTER_RESYNC_LOCKED, ++ MD_FAILFAST_SUPPORTED, ++ MD_HAS_PPL, ++ MD_HAS_MULTIPLE_PPLS, ++ MD_ALLOW_SB_UPDATE, ++ MD_UPDATING_SB, ++ MD_NOT_READY, ++ MD_BROKEN, + }; + + enum mddev_sb_flags { +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index e8e475b082567..6f2570f36b9b9 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1611,30 +1611,39 @@ static void raid1_status(struct seq_file *seq, struct mddev *mddev) + seq_printf(seq, "]"); + } + ++/** ++ * raid1_error() - RAID1 error handler. ++ * @mddev: affected md device. ++ * @rdev: member device to fail. ++ * ++ * The routine acknowledges &rdev failure and determines new @mddev state. ++ * If it failed, then: ++ * - &MD_BROKEN flag is set in &mddev->flags. ++ * - recovery is disabled. ++ * Otherwise, it must be degraded: ++ * - recovery is interrupted. ++ * - &mddev->degraded is bumped. ++ * ++ * @rdev is marked as &Faulty excluding case when array is failed and ++ * &mddev->fail_last_dev is off. ++ */ + static void raid1_error(struct mddev *mddev, struct md_rdev *rdev) + { + char b[BDEVNAME_SIZE]; + struct r1conf *conf = mddev->private; + unsigned long flags; + +- /* +- * If it is not operational, then we have already marked it as dead +- * else if it is the last working disks with "fail_last_dev == false", +- * ignore the error, let the next level up know. +- * else mark the drive as failed +- */ + spin_lock_irqsave(&conf->device_lock, flags); +- if (test_bit(In_sync, &rdev->flags) && !mddev->fail_last_dev +- && (conf->raid_disks - mddev->degraded) == 1) { +- /* +- * Don't fail the drive, act as though we were just a +- * normal single drive. +- * However don't try a recovery from this drive as +- * it is very likely to fail. +- */ +- conf->recovery_disabled = mddev->recovery_disabled; +- spin_unlock_irqrestore(&conf->device_lock, flags); +- return; ++ ++ if (test_bit(In_sync, &rdev->flags) && ++ (conf->raid_disks - mddev->degraded) == 1) { ++ set_bit(MD_BROKEN, &mddev->flags); ++ ++ if (!mddev->fail_last_dev) { ++ conf->recovery_disabled = mddev->recovery_disabled; ++ spin_unlock_irqrestore(&conf->device_lock, flags); ++ return; ++ } + } + set_bit(Blocked, &rdev->flags); + if (test_and_clear_bit(In_sync, &rdev->flags)) +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index a3a3a02d48b17..910e7db7d5736 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -2008,32 +2008,40 @@ static int enough(struct r10conf *conf, int ignore) + _enough(conf, 1, ignore); + } + ++/** ++ * raid10_error() - RAID10 error handler. ++ * @mddev: affected md device. ++ * @rdev: member device to fail. ++ * ++ * The routine acknowledges &rdev failure and determines new @mddev state. ++ * If it failed, then: ++ * - &MD_BROKEN flag is set in &mddev->flags. ++ * Otherwise, it must be degraded: ++ * - recovery is interrupted. ++ * - &mddev->degraded is bumped. ++ ++ * @rdev is marked as &Faulty excluding case when array is failed and ++ * &mddev->fail_last_dev is off. ++ */ + static void raid10_error(struct mddev *mddev, struct md_rdev *rdev) + { + char b[BDEVNAME_SIZE]; + struct r10conf *conf = mddev->private; + unsigned long flags; + +- /* +- * If it is not operational, then we have already marked it as dead +- * else if it is the last working disks with "fail_last_dev == false", +- * ignore the error, let the next level up know. +- * else mark the drive as failed +- */ + spin_lock_irqsave(&conf->device_lock, flags); +- if (test_bit(In_sync, &rdev->flags) && !mddev->fail_last_dev +- && !enough(conf, rdev->raid_disk)) { +- /* +- * Don't fail the drive, just return an IO error. +- */ +- spin_unlock_irqrestore(&conf->device_lock, flags); +- return; ++ ++ if (test_bit(In_sync, &rdev->flags) && !enough(conf, rdev->raid_disk)) { ++ set_bit(MD_BROKEN, &mddev->flags); ++ ++ if (!mddev->fail_last_dev) { ++ spin_unlock_irqrestore(&conf->device_lock, flags); ++ return; ++ } + } + if (test_and_clear_bit(In_sync, &rdev->flags)) + mddev->degraded++; +- /* +- * If recovery is running, make sure it aborts. +- */ ++ + set_bit(MD_RECOVERY_INTR, &mddev->recovery); + set_bit(Blocked, &rdev->flags); + set_bit(Faulty, &rdev->flags); +-- +2.40.1 + diff --git a/queue-5.15/media-ad5820-drop-unsupported-ad5823-from-i2c_-and-o.patch b/queue-5.15/media-ad5820-drop-unsupported-ad5823-from-i2c_-and-o.patch new file mode 100644 index 00000000000..14ca818e4a9 --- /dev/null +++ b/queue-5.15/media-ad5820-drop-unsupported-ad5823-from-i2c_-and-o.patch @@ -0,0 +1,66 @@ +From 2e9b6a765c370a7049663dec2e848e5d1d961b7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jun 2023 20:17:40 +0200 +Subject: media: ad5820: Drop unsupported ad5823 from i2c_ and of_device_id + tables + +From: Hans de Goede + +[ Upstream commit f126ff7e4024f6704e6ec0d4137037568708a3c7 ] + +The supported ad5820 and ad5821 VCMs both use a single 16 bit register +which is written by sending 2 bytes with the data directly after sending +the i2c-client address. + +The ad5823 OTOH has a more typical i2c / smbus device setup with multiple +8 bit registers where the first byte send after the i2c-client address is +the register address and the actual data only starts from the second byte +after the i2c-client address. + +The ad5823 i2c_ and of_device_id-s was added at the same time as +the ad5821 ids with as rationale: + +""" +Some camera modules also refer that AD5823 is a replacement of AD5820: +https://download.kamami.com/p564094-OV8865_DS.pdf +""" + +The AD5823 may be an electrical and functional replacement of the AD5820, +but from a software pov it is not compatible at all and it is going to +need its own driver, drop its id from the ad5820 driver. + +Fixes: b8bf73136bae ("media: ad5820: Add support for ad5821 and ad5823") +Cc: Pavel Machek +Cc: Ricardo Ribalda Delgado +Signed-off-by: Hans de Goede +Reviewed-by: Ricardo Ribalda +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ad5820.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/media/i2c/ad5820.c b/drivers/media/i2c/ad5820.c +index 07639ecc85aa8..63b5bf1fae761 100644 +--- a/drivers/media/i2c/ad5820.c ++++ b/drivers/media/i2c/ad5820.c +@@ -357,7 +357,6 @@ static int ad5820_remove(struct i2c_client *client) + static const struct i2c_device_id ad5820_id_table[] = { + { "ad5820", 0 }, + { "ad5821", 0 }, +- { "ad5823", 0 }, + { } + }; + MODULE_DEVICE_TABLE(i2c, ad5820_id_table); +@@ -365,7 +364,6 @@ MODULE_DEVICE_TABLE(i2c, ad5820_id_table); + static const struct of_device_id ad5820_of_table[] = { + { .compatible = "adi,ad5820" }, + { .compatible = "adi,ad5821" }, +- { .compatible = "adi,ad5823" }, + { } + }; + MODULE_DEVICE_TABLE(of, ad5820_of_table); +-- +2.40.1 + diff --git a/queue-5.15/media-cx24120-add-retval-check-for-cx24120_message_s.patch b/queue-5.15/media-cx24120-add-retval-check-for-cx24120_message_s.patch new file mode 100644 index 00000000000..ccfbc778740 --- /dev/null +++ b/queue-5.15/media-cx24120-add-retval-check-for-cx24120_message_s.patch @@ -0,0 +1,40 @@ +From 90229c7b410e6245a828e4a183158b51056b7f7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 01:55:01 -0700 +Subject: media: cx24120: Add retval check for cx24120_message_send() + +From: Daniil Dulov + +[ Upstream commit 96002c0ac824e1773d3f706b1f92e2a9f2988047 ] + +If cx24120_message_send() returns error, we should keep local struct +unchanged. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 5afc9a25be8d ("[media] Add support for TechniSat Skystar S2") +Signed-off-by: Daniil Dulov +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/cx24120.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/cx24120.c b/drivers/media/dvb-frontends/cx24120.c +index d8acd582c7111..0f778660c72b8 100644 +--- a/drivers/media/dvb-frontends/cx24120.c ++++ b/drivers/media/dvb-frontends/cx24120.c +@@ -973,7 +973,9 @@ static void cx24120_set_clock_ratios(struct dvb_frontend *fe) + cmd.arg[8] = (clock_ratios_table[idx].rate >> 8) & 0xff; + cmd.arg[9] = (clock_ratios_table[idx].rate >> 0) & 0xff; + +- cx24120_message_send(state, &cmd); ++ ret = cx24120_message_send(state, &cmd); ++ if (ret != 0) ++ return; + + /* Calculate ber window rates for stat work */ + cx24120_calculate_ber_window(state, clock_ratios_table[idx].rate); +-- +2.40.1 + diff --git a/queue-5.15/media-dib7000p-fix-potential-division-by-zero.patch b/queue-5.15/media-dib7000p-fix-potential-division-by-zero.patch new file mode 100644 index 00000000000..28d72542422 --- /dev/null +++ b/queue-5.15/media-dib7000p-fix-potential-division-by-zero.patch @@ -0,0 +1,39 @@ +From 45d96993b9a1b7bc7f4641b212f48a82b35ff82c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Mar 2023 06:38:32 -0700 +Subject: media: dib7000p: Fix potential division by zero + +From: Daniil Dulov + +[ Upstream commit a1db7b2c5533fc67e2681eb5efc921a67bc7d5b8 ] + +Variable loopdiv can be assigned 0, then it is used as a denominator, +without checking it for 0. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 713d54a8bd81 ("[media] DiB7090: add support for the dib7090 based") +Signed-off-by: Daniil Dulov +Signed-off-by: Hans Verkuil +[hverkuil: (bw != NULL) -> bw] +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/dib7000p.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/dib7000p.c b/drivers/media/dvb-frontends/dib7000p.c +index 55bee50aa8716..1f0b0690198ef 100644 +--- a/drivers/media/dvb-frontends/dib7000p.c ++++ b/drivers/media/dvb-frontends/dib7000p.c +@@ -497,7 +497,7 @@ static int dib7000p_update_pll(struct dvb_frontend *fe, struct dibx000_bandwidth + prediv = reg_1856 & 0x3f; + loopdiv = (reg_1856 >> 6) & 0x3f; + +- if ((bw != NULL) && (bw->pll_prediv != prediv || bw->pll_ratio != loopdiv)) { ++ if (loopdiv && bw && (bw->pll_prediv != prediv || bw->pll_ratio != loopdiv)) { + dprintk("Updating pll (prediv: old = %d new = %d ; loopdiv : old = %d new = %d)\n", prediv, bw->pll_prediv, loopdiv, bw->pll_ratio); + reg_1856 &= 0xf000; + reg_1857 = dib7000p_read_word(state, 1857); +-- +2.40.1 + diff --git a/queue-5.15/media-dvb-usb-m920x-fix-a-potential-memory-leak-in-m.patch b/queue-5.15/media-dvb-usb-m920x-fix-a-potential-memory-leak-in-m.patch new file mode 100644 index 00000000000..7d8c54e9d6b --- /dev/null +++ b/queue-5.15/media-dvb-usb-m920x-fix-a-potential-memory-leak-in-m.patch @@ -0,0 +1,50 @@ +From be1fe18912df1b6dc1856e83cf5d7862a160a518 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 07:58:36 +0200 +Subject: media: dvb-usb: m920x: Fix a potential memory leak in + m920x_i2c_xfer() + +From: Christophe JAILLET + +[ Upstream commit ea9ef6c2e001c5dc94bee35ebd1c8a98621cf7b8 ] + +'read' is freed when it is known to be NULL, but not when a read error +occurs. + +Revert the logic to avoid a small leak, should a m920x_read() call fail. + +Fixes: a2ab06d7c4d6 ("media: m920x: don't use stack on USB reads") +Signed-off-by: Christophe JAILLET +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/m920x.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb/m920x.c b/drivers/media/usb/dvb-usb/m920x.c +index 691e05833db19..da81fa189b5d5 100644 +--- a/drivers/media/usb/dvb-usb/m920x.c ++++ b/drivers/media/usb/dvb-usb/m920x.c +@@ -277,7 +277,6 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu + char *read = kmalloc(1, GFP_KERNEL); + if (!read) { + ret = -ENOMEM; +- kfree(read); + goto unlock; + } + +@@ -288,8 +287,10 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu + + if ((ret = m920x_read(d->udev, M9206_I2C, 0x0, + 0x20 | stop, +- read, 1)) != 0) ++ read, 1)) != 0) { ++ kfree(read); + goto unlock; ++ } + msg[i].buf[j] = read[0]; + } + +-- +2.40.1 + diff --git a/queue-5.15/media-go7007-remove-redundant-if-statement.patch b/queue-5.15/media-go7007-remove-redundant-if-statement.patch new file mode 100644 index 00000000000..36e63ee91e0 --- /dev/null +++ b/queue-5.15/media-go7007-remove-redundant-if-statement.patch @@ -0,0 +1,43 @@ +From cf21497a209bd24027edfb3979082f8d710b1316 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jul 2023 19:40:07 +0200 +Subject: media: go7007: Remove redundant if statement + +From: Colin Ian King + +[ Upstream commit f33cb49081da0ec5af0888f8ecbd566bd326eed1 ] + +The if statement that compares msgs[i].len != 3 is always false because +it is in a code block where msg[i].len is equal to 3. The check is +redundant and can be removed. + +As detected by cppcheck static analysis: +drivers/media/usb/go7007/go7007-i2c.c:168:20: warning: Opposite inner +'if' condition leads to a dead code block. [oppositeInnerCondition] + +Link: https://lore.kernel.org/linux-media/20230727174007.635572-1-colin.i.king@gmail.com + +Fixes: 866b8695d67e ("Staging: add the go7007 video driver") +Signed-off-by: Colin Ian King +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/go7007/go7007-i2c.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/media/usb/go7007/go7007-i2c.c b/drivers/media/usb/go7007/go7007-i2c.c +index 38339dd2f83f7..2880370e45c8b 100644 +--- a/drivers/media/usb/go7007/go7007-i2c.c ++++ b/drivers/media/usb/go7007/go7007-i2c.c +@@ -165,8 +165,6 @@ static int go7007_i2c_master_xfer(struct i2c_adapter *adapter, + } else if (msgs[i].len == 3) { + if (msgs[i].flags & I2C_M_RD) + return -EIO; +- if (msgs[i].len != 3) +- return -EIO; + if (go7007_i2c_xfer(go, msgs[i].addr, 0, + (msgs[i].buf[0] << 8) | msgs[i].buf[1], + 0x01, &msgs[i].buf[2]) < 0) +-- +2.40.1 + diff --git a/queue-5.15/media-i2c-ov2680-set-v4l2_ctrl_flag_modify_layout-on.patch b/queue-5.15/media-i2c-ov2680-set-v4l2_ctrl_flag_modify_layout-on.patch new file mode 100644 index 00000000000..32327df0e5e --- /dev/null +++ b/queue-5.15/media-i2c-ov2680-set-v4l2_ctrl_flag_modify_layout-on.patch @@ -0,0 +1,41 @@ +From 67e7dd368b542f991a9a18e336eb69e410163928 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 15:21:45 +0000 +Subject: media: i2c: ov2680: Set V4L2_CTRL_FLAG_MODIFY_LAYOUT on flips + +From: Dave Stevenson + +[ Upstream commit 66274280b2c745d380508dc27b9a4dfd736e5eda ] + +The driver changes the Bayer order based on the flips, but +does not define the control correctly with the +V4L2_CTRL_FLAG_MODIFY_LAYOUT flag. + +Add the V4L2_CTRL_FLAG_MODIFY_LAYOUT flag. + +Signed-off-by: Dave Stevenson +Acked-by: Rui Miguel Silva +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Stable-dep-of: 7b5a42e6ae71 ("media: ov2680: Remove auto-gain and auto-exposure controls") +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov2680.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/i2c/ov2680.c b/drivers/media/i2c/ov2680.c +index 906c711f6821b..f5d45d31014b9 100644 +--- a/drivers/media/i2c/ov2680.c ++++ b/drivers/media/i2c/ov2680.c +@@ -967,6 +967,8 @@ static int ov2680_v4l2_register(struct ov2680_dev *sensor) + + ctrls->gain->flags |= V4L2_CTRL_FLAG_VOLATILE; + ctrls->exposure->flags |= V4L2_CTRL_FLAG_VOLATILE; ++ ctrls->vflip->flags |= V4L2_CTRL_FLAG_MODIFY_LAYOUT; ++ ctrls->hflip->flags |= V4L2_CTRL_FLAG_MODIFY_LAYOUT; + + v4l2_ctrl_auto_cluster(2, &ctrls->auto_gain, 0, true); + v4l2_ctrl_auto_cluster(2, &ctrls->auto_exp, 1, true); +-- +2.40.1 + diff --git a/queue-5.15/media-i2c-rdacm21-fix-uninitialized-value.patch b/queue-5.15/media-i2c-rdacm21-fix-uninitialized-value.patch new file mode 100644 index 00000000000..9e14bdcae48 --- /dev/null +++ b/queue-5.15/media-i2c-rdacm21-fix-uninitialized-value.patch @@ -0,0 +1,41 @@ +From 9541d9860a50c38e6e8fb3d74bc49747b8b48e92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 15:33:37 +0200 +Subject: media: i2c: rdacm21: Fix uninitialized value + +From: Jacopo Mondi + +[ Upstream commit 33c7ae8f49e3413c81e879e1fdfcea4c5516e37b ] + +Fix the following smatch warning: + +drivers/media/i2c/rdacm21.c:373 ov10640_check_id() error: uninitialized +symbol 'val'. + +Initialize 'val' to 0 in the ov10640_check_id() function. + +Fixes: 2b821698dc73 ("media: i2c: rdacm21: Power up OV10640 before OV490") +Reported-by: Hans Verkuil +Signed-off-by: Jacopo Mondi +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/rdacm21.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/rdacm21.c b/drivers/media/i2c/rdacm21.c +index ef31cf5f23cac..7995cb956aa7f 100644 +--- a/drivers/media/i2c/rdacm21.c ++++ b/drivers/media/i2c/rdacm21.c +@@ -351,7 +351,7 @@ static void ov10640_power_up(struct rdacm21_device *dev) + static int ov10640_check_id(struct rdacm21_device *dev) + { + unsigned int i; +- u8 val; ++ u8 val = 0; + + /* Read OV10640 ID to test communications. */ + for (i = 0; i < OV10640_PID_TIMEOUT; ++i) { +-- +2.40.1 + diff --git a/queue-5.15/media-i2c-tvp5150-check-return-value-of-devm_kasprin.patch b/queue-5.15/media-i2c-tvp5150-check-return-value-of-devm_kasprin.patch new file mode 100644 index 00000000000..0f8373908a7 --- /dev/null +++ b/queue-5.15/media-i2c-tvp5150-check-return-value-of-devm_kasprin.patch @@ -0,0 +1,41 @@ +From c3ba34465dde5a778bfbc5d86fa62bde90bd6791 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 12:30:30 +0200 +Subject: media: i2c: tvp5150: check return value of devm_kasprintf() + +From: Claudiu Beznea + +[ Upstream commit 26ce7054d804be73935b9268d6e0ecf2fbbc8aef ] + +devm_kasprintf() returns a pointer to dynamically allocated memory. +Pointer could be NULL in case allocation fails. Check pointer validity. +Identified with coccinelle (kmerr.cocci script). + +Fixes: 0556f1d580d4 ("media: tvp5150: add input source selection of_graph support") +Signed-off-by: Claudiu Beznea +Reviewed-by: Marco Felsch +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tvp5150.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/i2c/tvp5150.c b/drivers/media/i2c/tvp5150.c +index 4b16ffcaef98a..b0dc21ba25c31 100644 +--- a/drivers/media/i2c/tvp5150.c ++++ b/drivers/media/i2c/tvp5150.c +@@ -2066,6 +2066,10 @@ static int tvp5150_parse_dt(struct tvp5150 *decoder, struct device_node *np) + tvpc->ent.name = devm_kasprintf(dev, GFP_KERNEL, "%s %s", + v4l2c->name, v4l2c->label ? + v4l2c->label : ""); ++ if (!tvpc->ent.name) { ++ ret = -ENOMEM; ++ goto err_free; ++ } + } + + ep_np = of_graph_get_endpoint_by_regs(np, TVP5150_PAD_VID_OUT, 0); +-- +2.40.1 + diff --git a/queue-5.15/media-mediatek-vcodec-return-null-if-no-vdec_fb-is-f.patch b/queue-5.15/media-mediatek-vcodec-return-null-if-no-vdec_fb-is-f.patch new file mode 100644 index 00000000000..fc3476e13a8 --- /dev/null +++ b/queue-5.15/media-mediatek-vcodec-return-null-if-no-vdec_fb-is-f.patch @@ -0,0 +1,43 @@ +From e6fb3443cd3cadacae22dcb8a7028afb0f6c7cf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 17:14:41 +0800 +Subject: media: mediatek: vcodec: Return NULL if no vdec_fb is found + +From: Irui Wang + +[ Upstream commit dfa2d6e07432270330ae191f50a0e70636a4cd2b ] + +"fb_use_list" is used to store used or referenced frame buffers for +vp9 stateful decoder. "NULL" should be returned when getting target +frame buffer failed from "fb_use_list", not a random unexpected one. + +Fixes: f77e89854b3e ("[media] vcodec: mediatek: Add Mediatek VP9 Video Decoder Driver") +Signed-off-by: Irui Wang +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c b/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c +index 71cdc3ddafcbb..0b2cde3b3439a 100644 +--- a/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c ++++ b/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c +@@ -226,10 +226,11 @@ static struct vdec_fb *vp9_rm_from_fb_use_list(struct vdec_vp9_inst + if (fb->base_y.va == addr) { + list_move_tail(&node->list, + &inst->available_fb_node_list); +- break; ++ return fb; + } + } +- return fb; ++ ++ return NULL; + } + + static void vp9_add_to_fb_free_list(struct vdec_vp9_inst *inst, +-- +2.40.1 + diff --git a/queue-5.15/media-ov2680-add-ov2680_fill_format-helper-function.patch b/queue-5.15/media-ov2680-add-ov2680_fill_format-helper-function.patch new file mode 100644 index 00000000000..0915b115102 --- /dev/null +++ b/queue-5.15/media-ov2680-add-ov2680_fill_format-helper-function.patch @@ -0,0 +1,146 @@ +From cb5a926372387ceb41e18066613ba3543014324f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 11:33:21 +0200 +Subject: media: ov2680: Add ov2680_fill_format() helper function + +From: Hans de Goede + +[ Upstream commit 6d6849b2203f3244b575ba01d3e41ee19aa2cadf ] + +Add a ov2680_fill_format() helper function and use this everywhere were +a v4l2_mbus_framefmt struct needs to be filled in so that the driver always +fills it consistently. + +This is a preparation patch for fixing ov2680_set_fmt() +which == V4L2_SUBDEV_FORMAT_TRY calls not properly filling in +the passed in v4l2_mbus_framefmt struct. + +Note that for ov2680_init_cfg() this now simply always fills +the try_fmt struct of the passed in sd_state. This is correct because +ov2680_init_cfg() is never called with a NULL sd_state so the old +sd_state check is not necessary. + +Fixes: 3ee47cad3e69 ("media: ov2680: Add Omnivision OV2680 sensor driver") +Acked-by: Rui Miguel Silva +Reviewed-by: Daniel Scally +Signed-off-by: Hans de Goede +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov2680.c | 49 +++++++++++++++++++++----------------- + 1 file changed, 27 insertions(+), 22 deletions(-) + +diff --git a/drivers/media/i2c/ov2680.c b/drivers/media/i2c/ov2680.c +index b594943d38862..ec3972409f653 100644 +--- a/drivers/media/i2c/ov2680.c ++++ b/drivers/media/i2c/ov2680.c +@@ -54,6 +54,9 @@ + #define OV2680_WIDTH_MAX 1600 + #define OV2680_HEIGHT_MAX 1200 + ++#define OV2680_DEFAULT_WIDTH 800 ++#define OV2680_DEFAULT_HEIGHT 600 ++ + enum ov2680_mode_id { + OV2680_MODE_QUXGA_800_600, + OV2680_MODE_720P_1280_720, +@@ -315,7 +318,8 @@ static void ov2680_power_down(struct ov2680_dev *sensor) + usleep_range(5000, 10000); + } + +-static void ov2680_set_bayer_order(struct ov2680_dev *sensor) ++static void ov2680_set_bayer_order(struct ov2680_dev *sensor, ++ struct v4l2_mbus_framefmt *fmt) + { + int hv_flip = 0; + +@@ -325,7 +329,19 @@ static void ov2680_set_bayer_order(struct ov2680_dev *sensor) + if (sensor->ctrls.hflip && sensor->ctrls.hflip->val) + hv_flip += 2; + +- sensor->fmt.code = ov2680_hv_flip_bayer_order[hv_flip]; ++ fmt->code = ov2680_hv_flip_bayer_order[hv_flip]; ++} ++ ++static void ov2680_fill_format(struct ov2680_dev *sensor, ++ struct v4l2_mbus_framefmt *fmt, ++ unsigned int width, unsigned int height) ++{ ++ memset(fmt, 0, sizeof(*fmt)); ++ fmt->width = width; ++ fmt->height = height; ++ fmt->field = V4L2_FIELD_NONE; ++ fmt->colorspace = V4L2_COLORSPACE_SRGB; ++ ov2680_set_bayer_order(sensor, fmt); + } + + static int ov2680_set_vflip(struct ov2680_dev *sensor, s32 val) +@@ -340,7 +356,7 @@ static int ov2680_set_vflip(struct ov2680_dev *sensor, s32 val) + if (ret < 0) + return ret; + +- ov2680_set_bayer_order(sensor); ++ ov2680_set_bayer_order(sensor, &sensor->fmt); + return 0; + } + +@@ -356,7 +372,7 @@ static int ov2680_set_hflip(struct ov2680_dev *sensor, s32 val) + if (ret < 0) + return ret; + +- ov2680_set_bayer_order(sensor); ++ ov2680_set_bayer_order(sensor, &sensor->fmt); + return 0; + } + +@@ -614,10 +630,7 @@ static int ov2680_set_fmt(struct v4l2_subdev *sd, + goto unlock; + } + +- fmt->width = mode->width; +- fmt->height = mode->height; +- fmt->code = sensor->fmt.code; +- fmt->colorspace = sensor->fmt.colorspace; ++ ov2680_fill_format(sensor, fmt, mode->width, mode->height); + + sensor->current_mode = mode; + sensor->fmt = format->format; +@@ -632,16 +645,11 @@ static int ov2680_set_fmt(struct v4l2_subdev *sd, + static int ov2680_init_cfg(struct v4l2_subdev *sd, + struct v4l2_subdev_state *sd_state) + { +- struct v4l2_subdev_format fmt = { +- .which = sd_state ? V4L2_SUBDEV_FORMAT_TRY +- : V4L2_SUBDEV_FORMAT_ACTIVE, +- .format = { +- .width = 800, +- .height = 600, +- } +- }; ++ struct ov2680_dev *sensor = to_ov2680_dev(sd); + +- return ov2680_set_fmt(sd, sd_state, &fmt); ++ ov2680_fill_format(sensor, &sd_state->pads[0].try_fmt, ++ OV2680_DEFAULT_WIDTH, OV2680_DEFAULT_HEIGHT); ++ return 0; + } + + static int ov2680_enum_frame_size(struct v4l2_subdev *sd, +@@ -740,11 +748,8 @@ static int ov2680_mode_init(struct ov2680_dev *sensor) + const struct ov2680_mode_info *init_mode; + + /* set initial mode */ +- sensor->fmt.code = MEDIA_BUS_FMT_SBGGR10_1X10; +- sensor->fmt.width = 800; +- sensor->fmt.height = 600; +- sensor->fmt.field = V4L2_FIELD_NONE; +- sensor->fmt.colorspace = V4L2_COLORSPACE_SRGB; ++ ov2680_fill_format(sensor, &sensor->fmt, ++ OV2680_DEFAULT_WIDTH, OV2680_DEFAULT_HEIGHT); + + sensor->frame_interval.denominator = OV2680_FRAME_RATE; + sensor->frame_interval.numerator = 1; +-- +2.40.1 + diff --git a/queue-5.15/media-ov2680-don-t-take-the-lock-for-try_fmt-calls.patch b/queue-5.15/media-ov2680-don-t-take-the-lock-for-try_fmt-calls.patch new file mode 100644 index 00000000000..2642bfef81c --- /dev/null +++ b/queue-5.15/media-ov2680-don-t-take-the-lock-for-try_fmt-calls.patch @@ -0,0 +1,67 @@ +From be431a8816d26c34b794d83ec2ccd13e8a194340 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 11:33:20 +0200 +Subject: media: ov2680: Don't take the lock for try_fmt calls + +From: Hans de Goede + +[ Upstream commit e521b9cc1a49de677f4fc65909ce4877fbf7b113 ] + +On ov2680_set_fmt() calls with format->which == V4L2_SUBDEV_FORMAT_TRY, +ov2680_set_fmt() does not talk to the sensor. + +So in this case there is no need to lock the sensor->lock mutex or +to check that the sensor is streaming. + +Fixes: 3ee47cad3e69 ("media: ov2680: Add Omnivision OV2680 sensor driver") +Acked-by: Rui Miguel Silva +Reviewed-by: Daniel Scally +Signed-off-by: Hans de Goede +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov2680.c | 20 +++++++++----------- + 1 file changed, 9 insertions(+), 11 deletions(-) + +diff --git a/drivers/media/i2c/ov2680.c b/drivers/media/i2c/ov2680.c +index 2a89deacb6ab1..b594943d38862 100644 +--- a/drivers/media/i2c/ov2680.c ++++ b/drivers/media/i2c/ov2680.c +@@ -595,24 +595,22 @@ static int ov2680_set_fmt(struct v4l2_subdev *sd, + if (format->pad != 0) + return -EINVAL; + +- mutex_lock(&sensor->lock); +- +- if (sensor->is_streaming) { +- ret = -EBUSY; +- goto unlock; +- } +- + mode = v4l2_find_nearest_size(ov2680_mode_data, + ARRAY_SIZE(ov2680_mode_data), width, + height, fmt->width, fmt->height); +- if (!mode) { +- ret = -EINVAL; +- goto unlock; +- } ++ if (!mode) ++ return -EINVAL; + + if (format->which == V4L2_SUBDEV_FORMAT_TRY) { + try_fmt = v4l2_subdev_get_try_format(sd, sd_state, 0); + format->format = *try_fmt; ++ return 0; ++ } ++ ++ mutex_lock(&sensor->lock); ++ ++ if (sensor->is_streaming) { ++ ret = -EBUSY; + goto unlock; + } + +-- +2.40.1 + diff --git a/queue-5.15/media-ov2680-fix-ov2680_bayer_order.patch b/queue-5.15/media-ov2680-fix-ov2680_bayer_order.patch new file mode 100644 index 00000000000..3e1d7c6b4ee --- /dev/null +++ b/queue-5.15/media-ov2680-fix-ov2680_bayer_order.patch @@ -0,0 +1,117 @@ +From 0b839165e8d302b600264a491b62af8b0f02cd7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 11:33:17 +0200 +Subject: media: ov2680: Fix ov2680_bayer_order() + +From: Hans de Goede + +[ Upstream commit 50a7bad4e0a37d7018ab6fe843dd84bc6b2ecf72 ] + +The index into ov2680_hv_flip_bayer_order[] should be 0-3, but +ov2680_bayer_order() was using 0 + BIT(2) + (BIT(2) << 1) as +max index, while the intention was to use: 0 + 1 + 2 as max index. + +Fix the index calculation in ov2680_bayer_order(), while at it +also just use the ctrl values rather then reading them back using +a slow i2c-read transaction. + +This also allows making the function void, since there now are +no more i2c-reads to error check. + +Note the check for the ctrls being NULL is there to allow +adding an ov2680_fill_format() helper later, which will call +ov2680_set_bayer_order() during probe() before the ctrls are created. + +[Sakari Ailus: Change all users of ov2680_set_bayer_order() here] + +Fixes: 3ee47cad3e69 ("media: ov2680: Add Omnivision OV2680 sensor driver") +Reviewed-by: Daniel Scally +Acked-by: Rui Miguel Silva +Signed-off-by: Hans de Goede +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov2680.c | 33 ++++++++++++++------------------- + 1 file changed, 14 insertions(+), 19 deletions(-) + +diff --git a/drivers/media/i2c/ov2680.c b/drivers/media/i2c/ov2680.c +index 8c729955e5e84..f43881fe997c5 100644 +--- a/drivers/media/i2c/ov2680.c ++++ b/drivers/media/i2c/ov2680.c +@@ -315,26 +315,17 @@ static void ov2680_power_down(struct ov2680_dev *sensor) + usleep_range(5000, 10000); + } + +-static int ov2680_bayer_order(struct ov2680_dev *sensor) ++static void ov2680_set_bayer_order(struct ov2680_dev *sensor) + { +- u32 format1; +- u32 format2; +- u32 hv_flip; +- int ret; +- +- ret = ov2680_read_reg(sensor, OV2680_REG_FORMAT1, &format1); +- if (ret < 0) +- return ret; ++ int hv_flip = 0; + +- ret = ov2680_read_reg(sensor, OV2680_REG_FORMAT2, &format2); +- if (ret < 0) +- return ret; ++ if (sensor->ctrls.vflip && sensor->ctrls.vflip->val) ++ hv_flip += 1; + +- hv_flip = (format2 & BIT(2) << 1) | (format1 & BIT(2)); ++ if (sensor->ctrls.hflip && sensor->ctrls.hflip->val) ++ hv_flip += 2; + + sensor->fmt.code = ov2680_hv_flip_bayer_order[hv_flip]; +- +- return 0; + } + + static int ov2680_vflip_enable(struct ov2680_dev *sensor) +@@ -345,7 +336,8 @@ static int ov2680_vflip_enable(struct ov2680_dev *sensor) + if (ret < 0) + return ret; + +- return ov2680_bayer_order(sensor); ++ ov2680_set_bayer_order(sensor); ++ return 0; + } + + static int ov2680_vflip_disable(struct ov2680_dev *sensor) +@@ -356,7 +348,8 @@ static int ov2680_vflip_disable(struct ov2680_dev *sensor) + if (ret < 0) + return ret; + +- return ov2680_bayer_order(sensor); ++ ov2680_set_bayer_order(sensor); ++ return 0; + } + + static int ov2680_hflip_enable(struct ov2680_dev *sensor) +@@ -367,7 +360,8 @@ static int ov2680_hflip_enable(struct ov2680_dev *sensor) + if (ret < 0) + return ret; + +- return ov2680_bayer_order(sensor); ++ ov2680_set_bayer_order(sensor); ++ return 0; + } + + static int ov2680_hflip_disable(struct ov2680_dev *sensor) +@@ -378,7 +372,8 @@ static int ov2680_hflip_disable(struct ov2680_dev *sensor) + if (ret < 0) + return ret; + +- return ov2680_bayer_order(sensor); ++ ov2680_set_bayer_order(sensor); ++ return 0; + } + + static int ov2680_test_pattern_set(struct ov2680_dev *sensor, int value) +-- +2.40.1 + diff --git a/queue-5.15/media-ov2680-fix-ov2680_set_fmt-which-v4l2_subdev_fo.patch b/queue-5.15/media-ov2680-fix-ov2680_set_fmt-which-v4l2_subdev_fo.patch new file mode 100644 index 00000000000..567303ee5e2 --- /dev/null +++ b/queue-5.15/media-ov2680-fix-ov2680_set_fmt-which-v4l2_subdev_fo.patch @@ -0,0 +1,95 @@ +From 19d288f5dab54ac7ba23c49c6a75e1330967fff8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 11:33:22 +0200 +Subject: media: ov2680: Fix ov2680_set_fmt() which == V4L2_SUBDEV_FORMAT_TRY + not working + +From: Hans de Goede + +[ Upstream commit c0e97a4b4f20639f74cd5809b42ba6cbf9736a7d ] + +ov2680_set_fmt() which == V4L2_SUBDEV_FORMAT_TRY was getting +the try_fmt v4l2_mbus_framefmt struct from the passed in sd_state +and then storing the contents of that into the return by reference +format->format struct. + +While the right thing to do would be filling format->format based on +the just looked up mode and then store the results of that in +sd_state->pads[0].try_fmt . + +Before the previous change introducing ov2680_fill_format() this +resulted in ov2680_set_fmt() which == V4L2_SUBDEV_FORMAT_TRY always +returning the zero-ed out sd_state->pads[0].try_fmt in format->format +breaking callers using this. + +After the introduction of ov2680_fill_format() which at least +initializes sd_state->pads[0].try_fmt properly, format->format +is now always being filled with the default 800x600 mode set by +ov2680_init_cfg() independent of the actual requested mode. + +Move the filling of format->format with ov2680_fill_format() to +before the if (which == V4L2_SUBDEV_FORMAT_TRY) and then store +the filled in format->format in sd_state->pads[0].try_fmt to +fix this. + +Note this removes the fmt local variable because IMHO having a local +variable which points to a sub-struct of one of the function arguments +just leads to confusion when reading the code. + +Fixes: 3ee47cad3e69 ("media: ov2680: Add Omnivision OV2680 sensor driver") +Acked-by: Rui Miguel Silva +Reviewed-by: Daniel Scally +Signed-off-by: Hans de Goede +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov2680.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/i2c/ov2680.c b/drivers/media/i2c/ov2680.c +index ec3972409f653..0b9bc4a461c05 100644 +--- a/drivers/media/i2c/ov2680.c ++++ b/drivers/media/i2c/ov2680.c +@@ -603,7 +603,6 @@ static int ov2680_set_fmt(struct v4l2_subdev *sd, + struct v4l2_subdev_format *format) + { + struct ov2680_dev *sensor = to_ov2680_dev(sd); +- struct v4l2_mbus_framefmt *fmt = &format->format; + struct v4l2_mbus_framefmt *try_fmt; + const struct ov2680_mode_info *mode; + int ret = 0; +@@ -612,14 +611,18 @@ static int ov2680_set_fmt(struct v4l2_subdev *sd, + return -EINVAL; + + mode = v4l2_find_nearest_size(ov2680_mode_data, +- ARRAY_SIZE(ov2680_mode_data), width, +- height, fmt->width, fmt->height); ++ ARRAY_SIZE(ov2680_mode_data), ++ width, height, ++ format->format.width, ++ format->format.height); + if (!mode) + return -EINVAL; + ++ ov2680_fill_format(sensor, &format->format, mode->width, mode->height); ++ + if (format->which == V4L2_SUBDEV_FORMAT_TRY) { + try_fmt = v4l2_subdev_get_try_format(sd, sd_state, 0); +- format->format = *try_fmt; ++ *try_fmt = format->format; + return 0; + } + +@@ -630,8 +633,6 @@ static int ov2680_set_fmt(struct v4l2_subdev *sd, + goto unlock; + } + +- ov2680_fill_format(sensor, fmt, mode->width, mode->height); +- + sensor->current_mode = mode; + sensor->fmt = format->format; + sensor->mode_pending_changes = true; +-- +2.40.1 + diff --git a/queue-5.15/media-ov2680-fix-regulators-being-left-enabled-on-ov.patch b/queue-5.15/media-ov2680-fix-regulators-being-left-enabled-on-ov.patch new file mode 100644 index 00000000000..8ec16c127af --- /dev/null +++ b/queue-5.15/media-ov2680-fix-regulators-being-left-enabled-on-ov.patch @@ -0,0 +1,64 @@ +From 925b2130b838b3edb38c9bf144aee801b7ef8be0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 11:33:23 +0200 +Subject: media: ov2680: Fix regulators being left enabled on ov2680_power_on() + errors + +From: Hans de Goede + +[ Upstream commit 84b4bd7e0d98166aa32fd470e672721190492eae ] + +When the ov2680_power_on() "sensor soft reset failed" path is hit during +probe() the WARN() about putting an enabled regulator at +drivers/regulator/core.c:2398 triggers 3 times (once for each regulator), +filling dmesg with backtraces. + +Fix this by properly disabling the regulators on ov2680_power_on() errors. + +Fixes: 3ee47cad3e69 ("media: ov2680: Add Omnivision OV2680 sensor driver") +Reviewed-by: Daniel Scally +Acked-by: Rui Miguel Silva +Signed-off-by: Hans de Goede +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov2680.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/i2c/ov2680.c b/drivers/media/i2c/ov2680.c +index 0b9bc4a461c05..3059d1157bac3 100644 +--- a/drivers/media/i2c/ov2680.c ++++ b/drivers/media/i2c/ov2680.c +@@ -475,7 +475,7 @@ static int ov2680_power_on(struct ov2680_dev *sensor) + ret = ov2680_write_reg(sensor, OV2680_REG_SOFT_RESET, 0x01); + if (ret != 0) { + dev_err(dev, "sensor soft reset failed\n"); +- return ret; ++ goto err_disable_regulators; + } + usleep_range(1000, 2000); + } else { +@@ -485,7 +485,7 @@ static int ov2680_power_on(struct ov2680_dev *sensor) + + ret = clk_prepare_enable(sensor->xvclk); + if (ret < 0) +- return ret; ++ goto err_disable_regulators; + + sensor->is_enabled = true; + +@@ -495,6 +495,10 @@ static int ov2680_power_on(struct ov2680_dev *sensor) + ov2680_stream_disable(sensor); + + return 0; ++ ++err_disable_regulators: ++ regulator_bulk_disable(OV2680_NUM_SUPPLIES, sensor->supplies); ++ return ret; + } + + static int ov2680_s_power(struct v4l2_subdev *sd, int on) +-- +2.40.1 + diff --git a/queue-5.15/media-ov2680-fix-vflip-hflip-set-functions.patch b/queue-5.15/media-ov2680-fix-vflip-hflip-set-functions.patch new file mode 100644 index 00000000000..bb13c8b6f34 --- /dev/null +++ b/queue-5.15/media-ov2680-fix-vflip-hflip-set-functions.patch @@ -0,0 +1,118 @@ +From 5832e1179a72cf9153005ec7147b9781ee5ffd78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 11:33:18 +0200 +Subject: media: ov2680: Fix vflip / hflip set functions + +From: Hans de Goede + +[ Upstream commit d5d08ad330c9ccebc5e066fda815423a290f48b0 ] + +ov2680_vflip_disable() / ov2680_hflip_disable() pass BIT(0) instead of +0 as value to ov2680_mod_reg(). + +While fixing this also: + +1. Stop having separate enable/disable functions for hflip / vflip +2. Move the is_streaming check, which is unique to hflip / vflip + into the ov2680_set_?flip() functions. + +for a nice code cleanup. + +Fixes: 3ee47cad3e69 ("media: ov2680: Add Omnivision OV2680 sensor driver") +Reviewed-by: Daniel Scally +Acked-by: Rui Miguel Silva +Signed-off-by: Hans de Goede +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov2680.c | 50 +++++++++----------------------------- + 1 file changed, 12 insertions(+), 38 deletions(-) + +diff --git a/drivers/media/i2c/ov2680.c b/drivers/media/i2c/ov2680.c +index f43881fe997c5..c78ac547ddbc1 100644 +--- a/drivers/media/i2c/ov2680.c ++++ b/drivers/media/i2c/ov2680.c +@@ -328,23 +328,15 @@ static void ov2680_set_bayer_order(struct ov2680_dev *sensor) + sensor->fmt.code = ov2680_hv_flip_bayer_order[hv_flip]; + } + +-static int ov2680_vflip_enable(struct ov2680_dev *sensor) ++static int ov2680_set_vflip(struct ov2680_dev *sensor, s32 val) + { + int ret; + +- ret = ov2680_mod_reg(sensor, OV2680_REG_FORMAT1, BIT(2), BIT(2)); +- if (ret < 0) +- return ret; +- +- ov2680_set_bayer_order(sensor); +- return 0; +-} +- +-static int ov2680_vflip_disable(struct ov2680_dev *sensor) +-{ +- int ret; ++ if (sensor->is_streaming) ++ return -EBUSY; + +- ret = ov2680_mod_reg(sensor, OV2680_REG_FORMAT1, BIT(2), BIT(0)); ++ ret = ov2680_mod_reg(sensor, OV2680_REG_FORMAT1, ++ BIT(2), val ? BIT(2) : 0); + if (ret < 0) + return ret; + +@@ -352,23 +344,15 @@ static int ov2680_vflip_disable(struct ov2680_dev *sensor) + return 0; + } + +-static int ov2680_hflip_enable(struct ov2680_dev *sensor) ++static int ov2680_set_hflip(struct ov2680_dev *sensor, s32 val) + { + int ret; + +- ret = ov2680_mod_reg(sensor, OV2680_REG_FORMAT2, BIT(2), BIT(2)); +- if (ret < 0) +- return ret; +- +- ov2680_set_bayer_order(sensor); +- return 0; +-} +- +-static int ov2680_hflip_disable(struct ov2680_dev *sensor) +-{ +- int ret; ++ if (sensor->is_streaming) ++ return -EBUSY; + +- ret = ov2680_mod_reg(sensor, OV2680_REG_FORMAT2, BIT(2), BIT(0)); ++ ret = ov2680_mod_reg(sensor, OV2680_REG_FORMAT2, ++ BIT(2), val ? BIT(2) : 0); + if (ret < 0) + return ret; + +@@ -722,19 +706,9 @@ static int ov2680_s_ctrl(struct v4l2_ctrl *ctrl) + case V4L2_CID_EXPOSURE: + return ov2680_exposure_set(sensor, ctrl->val); + case V4L2_CID_VFLIP: +- if (sensor->is_streaming) +- return -EBUSY; +- if (ctrl->val) +- return ov2680_vflip_enable(sensor); +- else +- return ov2680_vflip_disable(sensor); ++ return ov2680_set_vflip(sensor, ctrl->val); + case V4L2_CID_HFLIP: +- if (sensor->is_streaming) +- return -EBUSY; +- if (ctrl->val) +- return ov2680_hflip_enable(sensor); +- else +- return ov2680_hflip_disable(sensor); ++ return ov2680_set_hflip(sensor, ctrl->val); + case V4L2_CID_TEST_PATTERN: + return ov2680_test_pattern_set(sensor, ctrl->val); + default: +-- +2.40.1 + diff --git a/queue-5.15/media-ov2680-remove-auto-gain-and-auto-exposure-cont.patch b/queue-5.15/media-ov2680-remove-auto-gain-and-auto-exposure-cont.patch new file mode 100644 index 00000000000..7c19670ec21 --- /dev/null +++ b/queue-5.15/media-ov2680-remove-auto-gain-and-auto-exposure-cont.patch @@ -0,0 +1,331 @@ +From 84abdd54a3627bc5ec5131a9355564afa18c10e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 11:33:16 +0200 +Subject: media: ov2680: Remove auto-gain and auto-exposure controls + +From: Hans de Goede + +[ Upstream commit 7b5a42e6ae71927359ea67a2c22570ba97fa4059 ] + +Quoting the OV2680 datasheet: + +"3.2 exposure and gain control + +In the OV2680, the exposure time and gain are set manually from an external +controller. The OV2680 supports manual gain and exposure control only for +normal applications, no auto mode." + +And indeed testing with the atomisp_ov2680 fork of ov2680.c has shown that +auto-exposure and auto-gain do not work. + +Note that the code setting the auto-exposure flag was broken, callers +of ov2680_exposure_set() were directly passing !!ctrls->auto_exp->val as +"bool auto_exp" value, but ctrls->auto_exp is a menu control with: + +enum v4l2_exposure_auto_type { + V4L2_EXPOSURE_AUTO = 0, + V4L2_EXPOSURE_MANUAL = 1, + ... + +So instead of passing !!ctrls->auto_exp->val they should have been passing +ctrls->auto_exp->val == V4L2_EXPOSURE_AUTO, iow the passed value was +inverted of what it should have been. + +Also remove ov2680_g_volatile_ctrl() since without auto support the gain +and exposure controls are not volatile. + +This also fixes the control values not being properly applied in +ov2680_mode_set(). The 800x600 mode register-list also sets gain, +exposure and vflip overriding the last set ctrl values. + +ov2680_mode_set() does call ov2680_gain_set() and ov2680_exposure_set() +but did this before writing the mode register-list, so these values +would still be overridden by the mode register-list. + +Add a v4l2_ctrl_handler_setup() call after writing the mode register-list +to restore all ctrl values. Also remove the ctrls->gain->is_new check from +ov2680_gain_set() so that the gain always gets restored properly. + +Last since ov2680_mode_set() now calls v4l2_ctrl_handler_setup(), remove +the v4l2_ctrl_handler_setup() call after ov2680_mode_restore() since +ov2680_mode_restore() calls ov2680_mode_set(). + +Fixes: 3ee47cad3e69 ("media: ov2680: Add Omnivision OV2680 sensor driver") +Reviewed-by: Daniel Scally +Acked-by: Rui Miguel Silva +Signed-off-by: Hans de Goede +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov2680.c | 161 ++++--------------------------------- + 1 file changed, 17 insertions(+), 144 deletions(-) + +diff --git a/drivers/media/i2c/ov2680.c b/drivers/media/i2c/ov2680.c +index f5d45d31014b9..8c729955e5e84 100644 +--- a/drivers/media/i2c/ov2680.c ++++ b/drivers/media/i2c/ov2680.c +@@ -85,15 +85,8 @@ struct ov2680_mode_info { + + struct ov2680_ctrls { + struct v4l2_ctrl_handler handler; +- struct { +- struct v4l2_ctrl *auto_exp; +- struct v4l2_ctrl *exposure; +- }; +- struct { +- struct v4l2_ctrl *auto_gain; +- struct v4l2_ctrl *gain; +- }; +- ++ struct v4l2_ctrl *exposure; ++ struct v4l2_ctrl *gain; + struct v4l2_ctrl *hflip; + struct v4l2_ctrl *vflip; + struct v4l2_ctrl *test_pattern; +@@ -143,6 +136,7 @@ static const struct reg_value ov2680_setting_30fps_QUXGA_800_600[] = { + {0x380e, 0x02}, {0x380f, 0x84}, {0x3811, 0x04}, {0x3813, 0x04}, + {0x3814, 0x31}, {0x3815, 0x31}, {0x3820, 0xc0}, {0x4008, 0x00}, + {0x4009, 0x03}, {0x4837, 0x1e}, {0x3501, 0x4e}, {0x3502, 0xe0}, ++ {0x3503, 0x03}, + }; + + static const struct reg_value ov2680_setting_30fps_720P_1280_720[] = { +@@ -405,69 +399,15 @@ static int ov2680_test_pattern_set(struct ov2680_dev *sensor, int value) + return 0; + } + +-static int ov2680_gain_set(struct ov2680_dev *sensor, bool auto_gain) +-{ +- struct ov2680_ctrls *ctrls = &sensor->ctrls; +- u32 gain; +- int ret; +- +- ret = ov2680_mod_reg(sensor, OV2680_REG_R_MANUAL, BIT(1), +- auto_gain ? 0 : BIT(1)); +- if (ret < 0) +- return ret; +- +- if (auto_gain || !ctrls->gain->is_new) +- return 0; +- +- gain = ctrls->gain->val; +- +- ret = ov2680_write_reg16(sensor, OV2680_REG_GAIN_PK, gain); +- +- return 0; +-} +- +-static int ov2680_gain_get(struct ov2680_dev *sensor) +-{ +- u32 gain; +- int ret; +- +- ret = ov2680_read_reg16(sensor, OV2680_REG_GAIN_PK, &gain); +- if (ret) +- return ret; +- +- return gain; +-} +- +-static int ov2680_exposure_set(struct ov2680_dev *sensor, bool auto_exp) ++static int ov2680_gain_set(struct ov2680_dev *sensor, u32 gain) + { +- struct ov2680_ctrls *ctrls = &sensor->ctrls; +- u32 exp; +- int ret; +- +- ret = ov2680_mod_reg(sensor, OV2680_REG_R_MANUAL, BIT(0), +- auto_exp ? 0 : BIT(0)); +- if (ret < 0) +- return ret; +- +- if (auto_exp || !ctrls->exposure->is_new) +- return 0; +- +- exp = (u32)ctrls->exposure->val; +- exp <<= 4; +- +- return ov2680_write_reg24(sensor, OV2680_REG_EXPOSURE_PK_HIGH, exp); ++ return ov2680_write_reg16(sensor, OV2680_REG_GAIN_PK, gain); + } + +-static int ov2680_exposure_get(struct ov2680_dev *sensor) ++static int ov2680_exposure_set(struct ov2680_dev *sensor, u32 exp) + { +- int ret; +- u32 exp; +- +- ret = ov2680_read_reg24(sensor, OV2680_REG_EXPOSURE_PK_HIGH, &exp); +- if (ret) +- return ret; +- +- return exp >> 4; ++ return ov2680_write_reg24(sensor, OV2680_REG_EXPOSURE_PK_HIGH, ++ exp << 4); + } + + static int ov2680_stream_enable(struct ov2680_dev *sensor) +@@ -482,33 +422,17 @@ static int ov2680_stream_disable(struct ov2680_dev *sensor) + + static int ov2680_mode_set(struct ov2680_dev *sensor) + { +- struct ov2680_ctrls *ctrls = &sensor->ctrls; + int ret; + +- ret = ov2680_gain_set(sensor, false); +- if (ret < 0) +- return ret; +- +- ret = ov2680_exposure_set(sensor, false); ++ ret = ov2680_load_regs(sensor, sensor->current_mode); + if (ret < 0) + return ret; + +- ret = ov2680_load_regs(sensor, sensor->current_mode); ++ /* Restore value of all ctrls */ ++ ret = __v4l2_ctrl_handler_setup(&sensor->ctrls.handler); + if (ret < 0) + return ret; + +- if (ctrls->auto_gain->val) { +- ret = ov2680_gain_set(sensor, true); +- if (ret < 0) +- return ret; +- } +- +- if (ctrls->auto_exp->val == V4L2_EXPOSURE_AUTO) { +- ret = ov2680_exposure_set(sensor, true); +- if (ret < 0) +- return ret; +- } +- + sensor->mode_pending_changes = false; + + return 0; +@@ -590,15 +514,10 @@ static int ov2680_s_power(struct v4l2_subdev *sd, int on) + else + ret = ov2680_power_off(sensor); + +- mutex_unlock(&sensor->lock); +- +- if (on && ret == 0) { +- ret = v4l2_ctrl_handler_setup(&sensor->ctrls.handler); +- if (ret < 0) +- return ret; +- ++ if (on && ret == 0) + ret = ov2680_mode_restore(sensor); +- } ++ ++ mutex_unlock(&sensor->lock); + + return ret; + } +@@ -794,52 +713,19 @@ static int ov2680_enum_frame_interval(struct v4l2_subdev *sd, + return 0; + } + +-static int ov2680_g_volatile_ctrl(struct v4l2_ctrl *ctrl) +-{ +- struct v4l2_subdev *sd = ctrl_to_sd(ctrl); +- struct ov2680_dev *sensor = to_ov2680_dev(sd); +- struct ov2680_ctrls *ctrls = &sensor->ctrls; +- int val; +- +- if (!sensor->is_enabled) +- return 0; +- +- switch (ctrl->id) { +- case V4L2_CID_GAIN: +- val = ov2680_gain_get(sensor); +- if (val < 0) +- return val; +- ctrls->gain->val = val; +- break; +- case V4L2_CID_EXPOSURE: +- val = ov2680_exposure_get(sensor); +- if (val < 0) +- return val; +- ctrls->exposure->val = val; +- break; +- } +- +- return 0; +-} +- + static int ov2680_s_ctrl(struct v4l2_ctrl *ctrl) + { + struct v4l2_subdev *sd = ctrl_to_sd(ctrl); + struct ov2680_dev *sensor = to_ov2680_dev(sd); +- struct ov2680_ctrls *ctrls = &sensor->ctrls; + + if (!sensor->is_enabled) + return 0; + + switch (ctrl->id) { +- case V4L2_CID_AUTOGAIN: +- return ov2680_gain_set(sensor, !!ctrl->val); + case V4L2_CID_GAIN: +- return ov2680_gain_set(sensor, !!ctrls->auto_gain->val); +- case V4L2_CID_EXPOSURE_AUTO: +- return ov2680_exposure_set(sensor, !!ctrl->val); ++ return ov2680_gain_set(sensor, ctrl->val); + case V4L2_CID_EXPOSURE: +- return ov2680_exposure_set(sensor, !!ctrls->auto_exp->val); ++ return ov2680_exposure_set(sensor, ctrl->val); + case V4L2_CID_VFLIP: + if (sensor->is_streaming) + return -EBUSY; +@@ -864,7 +750,6 @@ static int ov2680_s_ctrl(struct v4l2_ctrl *ctrl) + } + + static const struct v4l2_ctrl_ops ov2680_ctrl_ops = { +- .g_volatile_ctrl = ov2680_g_volatile_ctrl, + .s_ctrl = ov2680_s_ctrl, + }; + +@@ -936,7 +821,7 @@ static int ov2680_v4l2_register(struct ov2680_dev *sensor) + if (ret < 0) + return ret; + +- v4l2_ctrl_handler_init(hdl, 7); ++ v4l2_ctrl_handler_init(hdl, 5); + + hdl->lock = &sensor->lock; + +@@ -948,16 +833,9 @@ static int ov2680_v4l2_register(struct ov2680_dev *sensor) + ARRAY_SIZE(test_pattern_menu) - 1, + 0, 0, test_pattern_menu); + +- ctrls->auto_exp = v4l2_ctrl_new_std_menu(hdl, ops, +- V4L2_CID_EXPOSURE_AUTO, +- V4L2_EXPOSURE_MANUAL, 0, +- V4L2_EXPOSURE_AUTO); +- + ctrls->exposure = v4l2_ctrl_new_std(hdl, ops, V4L2_CID_EXPOSURE, + 0, 32767, 1, 0); + +- ctrls->auto_gain = v4l2_ctrl_new_std(hdl, ops, V4L2_CID_AUTOGAIN, +- 0, 1, 1, 1); + ctrls->gain = v4l2_ctrl_new_std(hdl, ops, V4L2_CID_GAIN, 0, 2047, 1, 0); + + if (hdl->error) { +@@ -965,14 +843,9 @@ static int ov2680_v4l2_register(struct ov2680_dev *sensor) + goto cleanup_entity; + } + +- ctrls->gain->flags |= V4L2_CTRL_FLAG_VOLATILE; +- ctrls->exposure->flags |= V4L2_CTRL_FLAG_VOLATILE; + ctrls->vflip->flags |= V4L2_CTRL_FLAG_MODIFY_LAYOUT; + ctrls->hflip->flags |= V4L2_CTRL_FLAG_MODIFY_LAYOUT; + +- v4l2_ctrl_auto_cluster(2, &ctrls->auto_gain, 0, true); +- v4l2_ctrl_auto_cluster(2, &ctrls->auto_exp, 1, true); +- + sensor->sd.ctrl_handler = hdl; + + ret = v4l2_async_register_subdev(&sensor->sd); +-- +2.40.1 + diff --git a/queue-5.15/media-ov2680-remove-video_v4l2_subdev_api-ifdef-s.patch b/queue-5.15/media-ov2680-remove-video_v4l2_subdev_api-ifdef-s.patch new file mode 100644 index 00000000000..ed5382d3450 --- /dev/null +++ b/queue-5.15/media-ov2680-remove-video_v4l2_subdev_api-ifdef-s.patch @@ -0,0 +1,99 @@ +From ae1dd288a9b3ade02e3f02af8f2e2f0f01a1f8ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 11:33:19 +0200 +Subject: media: ov2680: Remove VIDEO_V4L2_SUBDEV_API ifdef-s + +From: Hans de Goede + +[ Upstream commit 49c282d5a8c5f4d1d9088622bec792294c716010 ] + +VIDEO_V4L2_SUBDEV_API is now automatically selected in Kconfig +for all sensor drivers. Remove the ifdef CONFIG_VIDEO_V4L2_SUBDEV_API +checks. + +This is a preparation patch for fixing ov2680_set_fmt() +which == V4L2_SUBDEV_FORMAT_TRY calls not properly filling in +the passed in v4l2_mbus_framefmt struct. + +Fixes: 3ee47cad3e69 ("media: ov2680: Add Omnivision OV2680 sensor driver") +Reviewed-by: Daniel Scally +Acked-by: Rui Miguel Silva +Signed-off-by: Hans de Goede +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov2680.c | 16 ++-------------- + 1 file changed, 2 insertions(+), 14 deletions(-) + +diff --git a/drivers/media/i2c/ov2680.c b/drivers/media/i2c/ov2680.c +index c78ac547ddbc1..2a89deacb6ab1 100644 +--- a/drivers/media/i2c/ov2680.c ++++ b/drivers/media/i2c/ov2680.c +@@ -562,7 +562,6 @@ static int ov2680_get_fmt(struct v4l2_subdev *sd, + { + struct ov2680_dev *sensor = to_ov2680_dev(sd); + struct v4l2_mbus_framefmt *fmt = NULL; +- int ret = 0; + + if (format->pad != 0) + return -EINVAL; +@@ -570,22 +569,17 @@ static int ov2680_get_fmt(struct v4l2_subdev *sd, + mutex_lock(&sensor->lock); + + if (format->which == V4L2_SUBDEV_FORMAT_TRY) { +-#ifdef CONFIG_VIDEO_V4L2_SUBDEV_API + fmt = v4l2_subdev_get_try_format(&sensor->sd, sd_state, + format->pad); +-#else +- ret = -EINVAL; +-#endif + } else { + fmt = &sensor->fmt; + } + +- if (fmt) +- format->format = *fmt; ++ format->format = *fmt; + + mutex_unlock(&sensor->lock); + +- return ret; ++ return 0; + } + + static int ov2680_set_fmt(struct v4l2_subdev *sd, +@@ -594,9 +588,7 @@ static int ov2680_set_fmt(struct v4l2_subdev *sd, + { + struct ov2680_dev *sensor = to_ov2680_dev(sd); + struct v4l2_mbus_framefmt *fmt = &format->format; +-#ifdef CONFIG_VIDEO_V4L2_SUBDEV_API + struct v4l2_mbus_framefmt *try_fmt; +-#endif + const struct ov2680_mode_info *mode; + int ret = 0; + +@@ -619,10 +611,8 @@ static int ov2680_set_fmt(struct v4l2_subdev *sd, + } + + if (format->which == V4L2_SUBDEV_FORMAT_TRY) { +-#ifdef CONFIG_VIDEO_V4L2_SUBDEV_API + try_fmt = v4l2_subdev_get_try_format(sd, sd_state, 0); + format->format = *try_fmt; +-#endif + goto unlock; + } + +@@ -780,9 +770,7 @@ static int ov2680_v4l2_register(struct ov2680_dev *sensor) + v4l2_i2c_subdev_init(&sensor->sd, sensor->i2c_client, + &ov2680_subdev_ops); + +-#ifdef CONFIG_VIDEO_V4L2_SUBDEV_API + sensor->sd.flags = V4L2_SUBDEV_FL_HAS_DEVNODE; +-#endif + sensor->pad.flags = MEDIA_PAD_FL_SOURCE; + sensor->sd.entity.function = MEDIA_ENT_F_CAM_SENSOR; + +-- +2.40.1 + diff --git a/queue-5.15/media-ov5640-enable-mipi-interface-in-ov5640_set_pow.patch b/queue-5.15/media-ov5640-enable-mipi-interface-in-ov5640_set_pow.patch new file mode 100644 index 00000000000..a9e82bdc791 --- /dev/null +++ b/queue-5.15/media-ov5640-enable-mipi-interface-in-ov5640_set_pow.patch @@ -0,0 +1,51 @@ +From 9c08cb832f1391287dd3f3beb6c61ec94d71e4ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 16:47:25 +0200 +Subject: media: ov5640: Enable MIPI interface in ov5640_set_power_mipi() + +From: Marek Vasut + +[ Upstream commit 98cb72d3b9c5e03b10fa993752ecfcbd9c572d8c ] + +Set OV5640_REG_IO_MIPI_CTRL00 bit 2 to 1 instead of 0, since 1 means +MIPI CSI2 interface, while 0 means CPI parallel interface. + +In the ov5640_set_power_mipi() the interface should obviously be set +to MIPI CSI2 since this functions is used to power up the sensor when +operated in MIPI CSI2 mode. The sensor should not be in CPI mode in +that case. + +This fixes a corner case where capturing the first frame on i.MX8MN +with CSI/ISI resulted in corrupted frame. + +Fixes: aa4bb8b8838f ("media: ov5640: Re-work MIPI startup sequence") +Reviewed-by: Jacopo Mondi +Tested-by: Jacopo Mondi # [Test on imx6q] +Signed-off-by: Marek Vasut +Tested-by: Jai Luthra # [Test on bplay, sk-am62] +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov5640.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c +index a141552531f7e..13144e87f47a1 100644 +--- a/drivers/media/i2c/ov5640.c ++++ b/drivers/media/i2c/ov5640.c +@@ -1968,9 +1968,9 @@ static int ov5640_set_power_mipi(struct ov5640_dev *sensor, bool on) + * "ov5640_set_stream_mipi()") + * [4] = 0 : Power up MIPI HS Tx + * [3] = 0 : Power up MIPI LS Rx +- * [2] = 0 : MIPI interface disabled ++ * [2] = 1 : MIPI interface enabled + */ +- ret = ov5640_write_reg(sensor, OV5640_REG_IO_MIPI_CTRL00, 0x40); ++ ret = ov5640_write_reg(sensor, OV5640_REG_IO_MIPI_CTRL00, 0x44); + if (ret) + return ret; + +-- +2.40.1 + diff --git a/queue-5.15/media-rkvdec-increase-max-supported-height-for-h.264.patch b/queue-5.15/media-rkvdec-increase-max-supported-height-for-h.264.patch new file mode 100644 index 00000000000..eb2af5ce717 --- /dev/null +++ b/queue-5.15/media-rkvdec-increase-max-supported-height-for-h.264.patch @@ -0,0 +1,37 @@ +From 18ab7f7bf56f306b04e3a8a417755a98864db5a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 17:06:11 +0200 +Subject: media: rkvdec: increase max supported height for H.264 + +From: Benjamin Gaignard + +[ Upstream commit f000e6ca2d60fefd02a180a57df2c4162fa0c1b7 ] + +After testing it is possible for the hardware to decode H264 +bistream with a height up to 2560. + +Signed-off-by: Benjamin Gaignard +Fixes: cd33c830448ba ("media: rkvdec: Add the rkvdec driver") +Reviewed-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/staging/media/rkvdec/rkvdec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/media/rkvdec/rkvdec.c b/drivers/staging/media/rkvdec/rkvdec.c +index bc4683a75e61f..29b68a13674ee 100644 +--- a/drivers/staging/media/rkvdec/rkvdec.c ++++ b/drivers/staging/media/rkvdec/rkvdec.c +@@ -111,7 +111,7 @@ static const struct rkvdec_coded_fmt_desc rkvdec_coded_fmts[] = { + .max_width = 4096, + .step_width = 16, + .min_height = 48, +- .max_height = 2304, ++ .max_height = 2560, + .step_height = 16, + }, + .ctrls = &rkvdec_h264_ctrls, +-- +2.40.1 + diff --git a/queue-5.15/media-v4l2-core-fix-a-potential-resource-leak-in-v4l.patch b/queue-5.15/media-v4l2-core-fix-a-potential-resource-leak-in-v4l.patch new file mode 100644 index 00000000000..462bf2d894d --- /dev/null +++ b/queue-5.15/media-v4l2-core-fix-a-potential-resource-leak-in-v4l.patch @@ -0,0 +1,71 @@ +From c00206119d4fc53d12bef37a270ce78eda49af1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 20:31:05 +0200 +Subject: media: v4l2-core: Fix a potential resource leak in + v4l2_fwnode_parse_link() + +From: Christophe JAILLET + +[ Upstream commit d7b13edd4cb4bfa335b6008ab867ac28582d3e5c ] + +If fwnode_graph_get_remote_endpoint() fails, 'fwnode' is known to be NULL, +so fwnode_handle_put() is a no-op. + +Release the reference taken from a previous fwnode_graph_get_port_parent() +call instead. + +Also handle fwnode_graph_get_port_parent() failures. + +In order to fix these issues, add an error handling path to the function +and the needed gotos. + +Fixes: ca50c197bd96 ("[media] v4l: fwnode: Support generic fwnode for parsing standardised properties") +Signed-off-by: Christophe JAILLET +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/v4l2-core/v4l2-fwnode.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/v4l2-core/v4l2-fwnode.c b/drivers/media/v4l2-core/v4l2-fwnode.c +index 843259c304bb5..5d2eaad1fa684 100644 +--- a/drivers/media/v4l2-core/v4l2-fwnode.c ++++ b/drivers/media/v4l2-core/v4l2-fwnode.c +@@ -549,19 +549,29 @@ int v4l2_fwnode_parse_link(struct fwnode_handle *fwnode, + link->local_id = fwep.id; + link->local_port = fwep.port; + link->local_node = fwnode_graph_get_port_parent(fwnode); ++ if (!link->local_node) ++ return -ENOLINK; + + fwnode = fwnode_graph_get_remote_endpoint(fwnode); +- if (!fwnode) { +- fwnode_handle_put(fwnode); +- return -ENOLINK; +- } ++ if (!fwnode) ++ goto err_put_local_node; + + fwnode_graph_parse_endpoint(fwnode, &fwep); + link->remote_id = fwep.id; + link->remote_port = fwep.port; + link->remote_node = fwnode_graph_get_port_parent(fwnode); ++ if (!link->remote_node) ++ goto err_put_remote_endpoint; + + return 0; ++ ++err_put_remote_endpoint: ++ fwnode_handle_put(fwnode); ++ ++err_put_local_node: ++ fwnode_handle_put(link->local_node); ++ ++ return -ENOLINK; + } + EXPORT_SYMBOL_GPL(v4l2_fwnode_parse_link); + +-- +2.40.1 + diff --git a/queue-5.15/media-venus-hfi_venus-only-consider-sys_idle_indicat.patch b/queue-5.15/media-venus-hfi_venus-only-consider-sys_idle_indicat.patch new file mode 100644 index 00000000000..f883f0728e4 --- /dev/null +++ b/queue-5.15/media-venus-hfi_venus-only-consider-sys_idle_indicat.patch @@ -0,0 +1,69 @@ +From 17c133918c37c2664449e5128d38dac18c097993 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 14:30:35 +0200 +Subject: media: venus: hfi_venus: Only consider sys_idle_indicator on V1 + +From: Konrad Dybcio + +[ Upstream commit 6283e4834c69fa93a108efa18c6aa09c7e626f49 ] + +As per information from Qualcomm [1], this property is not really +supported beyond msm8916 (HFI V1) and some newer HFI versions really +dislike receiving it, going as far as crashing the device. + +Only consider toggling it (via the module option) on HFIV1. +While at it, get rid of the global static variable (which defaulted +to zero) which was never explicitly assigned to for V1. + +Note: [1] is a reply to the actual message in question, as lore did not +properly receive some of the emails.. + +[1] https://lore.kernel.org/lkml/955cd520-3881-0c22-d818-13fe9a47e124@linaro.org/ +Fixes: 7ed9e0b3393c ("media: venus: hfi, vdec: v6 Add IS_V6() to existing IS_V4() if locations") +Signed-off-by: Konrad Dybcio +Signed-off-by: Stanimir Varbanov +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/venus/hfi_venus.c | 18 ++++++------------ + 1 file changed, 6 insertions(+), 12 deletions(-) + +diff --git a/drivers/media/platform/qcom/venus/hfi_venus.c b/drivers/media/platform/qcom/venus/hfi_venus.c +index ce98c523b3c68..d8351f806aacc 100644 +--- a/drivers/media/platform/qcom/venus/hfi_venus.c ++++ b/drivers/media/platform/qcom/venus/hfi_venus.c +@@ -131,7 +131,6 @@ struct venus_hfi_device { + + static bool venus_pkt_debug; + int venus_fw_debug = HFI_DEBUG_MSG_ERROR | HFI_DEBUG_MSG_FATAL; +-static bool venus_sys_idle_indicator; + static bool venus_fw_low_power_mode = true; + static int venus_hw_rsp_timeout = 1000; + static bool venus_fw_coverage; +@@ -924,17 +923,12 @@ static int venus_sys_set_default_properties(struct venus_hfi_device *hdev) + if (ret) + dev_warn(dev, "setting fw debug msg ON failed (%d)\n", ret); + +- /* +- * Idle indicator is disabled by default on some 4xx firmware versions, +- * enable it explicitly in order to make suspend functional by checking +- * WFI (wait-for-interrupt) bit. +- */ +- if (IS_V4(hdev->core) || IS_V6(hdev->core)) +- venus_sys_idle_indicator = true; +- +- ret = venus_sys_set_idle_message(hdev, venus_sys_idle_indicator); +- if (ret) +- dev_warn(dev, "setting idle response ON failed (%d)\n", ret); ++ /* HFI_PROPERTY_SYS_IDLE_INDICATOR is not supported beyond 8916 (HFI V1) */ ++ if (IS_V1(hdev->core)) { ++ ret = venus_sys_set_idle_message(hdev, false); ++ if (ret) ++ dev_warn(dev, "setting idle response ON failed (%d)\n", ret); ++ } + + ret = venus_sys_set_power_control(hdev, venus_fw_low_power_mode); + if (ret) +-- +2.40.1 + diff --git a/queue-5.15/mlxsw-i2c-fix-chunk-size-setting-in-output-mailbox-b.patch b/queue-5.15/mlxsw-i2c-fix-chunk-size-setting-in-output-mailbox-b.patch new file mode 100644 index 00000000000..398212d9947 --- /dev/null +++ b/queue-5.15/mlxsw-i2c-fix-chunk-size-setting-in-output-mailbox-b.patch @@ -0,0 +1,43 @@ +From 225ff6b479f5421acc5a43dae4ea8f9f0dc8db13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Aug 2023 15:43:08 +0200 +Subject: mlxsw: i2c: Fix chunk size setting in output mailbox buffer + +From: Vadim Pasternak + +[ Upstream commit 146c7c330507c0384bf29d567186632bfe975927 ] + +The driver reads commands output from the output mailbox. If the size +of the output mailbox is not a multiple of the transaction / +block size, then the driver will not issue enough read transactions +to read the entire output, which can result in driver initialization +errors. + +Fix by determining the number of transactions using DIV_ROUND_UP(). + +Fixes: 3029a693beda ("mlxsw: i2c: Allow flexible setting of I2C transactions size") +Signed-off-by: Vadim Pasternak +Reviewed-by: Ido Schimmel +Signed-off-by: Petr Machata +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/i2c.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/i2c.c b/drivers/net/ethernet/mellanox/mlxsw/i2c.c +index ce843ea914646..f20dca41424c9 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/i2c.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/i2c.c +@@ -428,7 +428,7 @@ mlxsw_i2c_cmd(struct device *dev, u16 opcode, u32 in_mod, size_t in_mbox_size, + } else { + /* No input mailbox is case of initialization query command. */ + reg_size = MLXSW_I2C_MAX_DATA_SIZE; +- num = reg_size / mlxsw_i2c->block_size; ++ num = DIV_ROUND_UP(reg_size, mlxsw_i2c->block_size); + + if (mutex_lock_interruptible(&mlxsw_i2c->cmd.lock) < 0) { + dev_err(&client->dev, "Could not acquire lock"); +-- +2.40.1 + diff --git a/queue-5.15/mlxsw-i2c-limit-single-transaction-buffer-size.patch b/queue-5.15/mlxsw-i2c-limit-single-transaction-buffer-size.patch new file mode 100644 index 00000000000..30f0bbfd85a --- /dev/null +++ b/queue-5.15/mlxsw-i2c-limit-single-transaction-buffer-size.patch @@ -0,0 +1,56 @@ +From 6169ae595243e27ec3f865574ad752f322a06702 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Aug 2023 15:43:09 +0200 +Subject: mlxsw: i2c: Limit single transaction buffer size + +From: Vadim Pasternak + +[ Upstream commit d7248f1cc835bd80e936dc5b2d94b149bdd0077d ] + +Maximum size of buffer is obtained from underlying I2C adapter and in +case adapter allows I2C transaction buffer size greater than 100 bytes, +transaction will fail due to firmware limitation. + +As a result driver will fail initialization. + +Limit the maximum size of transaction buffer by 100 bytes to fit to +firmware. + +Remove unnecessary calculation: +max_t(u16, MLXSW_I2C_BLK_DEF, quirk_size). +This condition can not happened. + +Fixes: 3029a693beda ("mlxsw: i2c: Allow flexible setting of I2C transactions size") +Signed-off-by: Vadim Pasternak +Reviewed-by: Petr Machata +Signed-off-by: Petr Machata +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/i2c.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/i2c.c b/drivers/net/ethernet/mellanox/mlxsw/i2c.c +index f20dca41424c9..61d2f621d65fc 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/i2c.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/i2c.c +@@ -47,6 +47,7 @@ + #define MLXSW_I2C_MBOX_SIZE_BITS 12 + #define MLXSW_I2C_ADDR_BUF_SIZE 4 + #define MLXSW_I2C_BLK_DEF 32 ++#define MLXSW_I2C_BLK_MAX 100 + #define MLXSW_I2C_RETRY 5 + #define MLXSW_I2C_TIMEOUT_MSECS 5000 + #define MLXSW_I2C_MAX_DATA_SIZE 256 +@@ -576,7 +577,7 @@ static int mlxsw_i2c_probe(struct i2c_client *client, + return -EOPNOTSUPP; + } + +- mlxsw_i2c->block_size = max_t(u16, MLXSW_I2C_BLK_DEF, ++ mlxsw_i2c->block_size = min_t(u16, MLXSW_I2C_BLK_MAX, + min_t(u16, quirks->max_read_len, + quirks->max_write_len)); + } else { +-- +2.40.1 + diff --git a/queue-5.15/mtd-rawnand-brcmnand-fix-mtd-oobsize.patch b/queue-5.15/mtd-rawnand-brcmnand-fix-mtd-oobsize.patch new file mode 100644 index 00000000000..6620c195ebc --- /dev/null +++ b/queue-5.15/mtd-rawnand-brcmnand-fix-mtd-oobsize.patch @@ -0,0 +1,62 @@ +From 3e228068c418a1fc66164fbe594c77c6fadff269 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 11:29:09 -0700 +Subject: mtd: rawnand: brcmnand: Fix mtd oobsize + +From: William Zhang + +[ Upstream commit 60177390fa061c62d156f4a546e3efd90df3c183 ] + +brcmnand controller can only access the flash spare area up to certain +bytes based on the ECC level. It can be less than the actual flash spare +area size. For example, for many NAND chip supporting ECC BCH-8, it has +226 bytes spare area. But controller can only uses 218 bytes. So brcmand +driver overrides the mtd oobsize with the controller's accessible spare +area size. When the nand base driver utilizes the nand_device object, it +resets the oobsize back to the actual flash spare aprea size from +nand_memory_organization structure and controller may not able to access +all the oob area as mtd advises. + +This change fixes the issue by overriding the oobsize in the +nand_memory_organization structure to the controller's accessible spare +area size. + +Fixes: a7ab085d7c16 ("mtd: rawnand: Initialize the nand_device object") +Signed-off-by: William Zhang +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20230706182909.79151-6-william.zhang@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/brcmnand/brcmnand.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +index aee78f5f4f156..ff3891b774561 100644 +--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c ++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +@@ -2583,6 +2583,8 @@ static int brcmnand_setup_dev(struct brcmnand_host *host) + struct nand_chip *chip = &host->chip; + const struct nand_ecc_props *requirements = + nanddev_get_ecc_requirements(&chip->base); ++ struct nand_memory_organization *memorg = ++ nanddev_get_memorg(&chip->base); + struct brcmnand_controller *ctrl = host->ctrl; + struct brcmnand_cfg *cfg = &host->hwcfg; + char msg[128]; +@@ -2604,10 +2606,11 @@ static int brcmnand_setup_dev(struct brcmnand_host *host) + if (cfg->spare_area_size > ctrl->max_oob) + cfg->spare_area_size = ctrl->max_oob; + /* +- * Set oobsize to be consistent with controller's spare_area_size, as +- * the rest is inaccessible. ++ * Set mtd and memorg oobsize to be consistent with controller's ++ * spare_area_size, as the rest is inaccessible. + */ + mtd->oobsize = cfg->spare_area_size * (mtd->writesize >> FC_SHIFT); ++ memorg->oobsize = mtd->oobsize; + + cfg->device_size = mtd->size; + cfg->block_size = mtd->erasesize; +-- +2.40.1 + diff --git a/queue-5.15/mtd-rawnand-fsmc-handle-clk-prepare-error-in-fsmc_na.patch b/queue-5.15/mtd-rawnand-fsmc-handle-clk-prepare-error-in-fsmc_na.patch new file mode 100644 index 00000000000..c5e1e99f424 --- /dev/null +++ b/queue-5.15/mtd-rawnand-fsmc-handle-clk-prepare-error-in-fsmc_na.patch @@ -0,0 +1,44 @@ +From 678900f8bfd0a4e3859637c6f833fa50dd37bb4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 19:58:39 +0800 +Subject: mtd: rawnand: fsmc: handle clk prepare error in fsmc_nand_resume() + +From: Yi Yang + +[ Upstream commit a5a88125d00612586e941ae13e7fcf36ba8f18a7 ] + +In fsmc_nand_resume(), the return value of clk_prepare_enable() should be +checked since it might fail. + +Fixes: e25da1c07dfb ("mtd: fsmc_nand: Add clk_{un}prepare() support") +Signed-off-by: Yi Yang +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20230817115839.10192-1-yiyang13@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/fsmc_nand.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/raw/fsmc_nand.c b/drivers/mtd/nand/raw/fsmc_nand.c +index 6b2bda815b880..17786e1331e6d 100644 +--- a/drivers/mtd/nand/raw/fsmc_nand.c ++++ b/drivers/mtd/nand/raw/fsmc_nand.c +@@ -1202,9 +1202,14 @@ static int fsmc_nand_suspend(struct device *dev) + static int fsmc_nand_resume(struct device *dev) + { + struct fsmc_nand_data *host = dev_get_drvdata(dev); ++ int ret; + + if (host) { +- clk_prepare_enable(host->clk); ++ ret = clk_prepare_enable(host->clk); ++ if (ret) { ++ dev_err(dev, "failed to enable clk\n"); ++ return ret; ++ } + if (host->dev_timings) + fsmc_nand_setup(host, host->dev_timings); + nand_reset(&host->nand, 0); +-- +2.40.1 + diff --git a/queue-5.15/mtd-spi-nor-check-bus-width-while-setting-qe-bit.patch b/queue-5.15/mtd-spi-nor-check-bus-width-while-setting-qe-bit.patch new file mode 100644 index 00000000000..7b47e72871c --- /dev/null +++ b/queue-5.15/mtd-spi-nor-check-bus-width-while-setting-qe-bit.patch @@ -0,0 +1,63 @@ +From 0bc920d3998519465e1dd7138d5dc27c6751a0a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Aug 2023 14:42:23 +0800 +Subject: mtd: spi-nor: Check bus width while setting QE bit + +From: Hsin-Yi Wang + +[ Upstream commit f01d8155a92e33cdaa85d20bfbe6c441907b3c1f ] + +spi_nor_write_16bit_sr_and_check() should also check if bus width is +4 before setting QE bit. + +Fixes: 39d1e3340c73 ("mtd: spi-nor: Fix clearing of QE bit on lock()/unlock()") +Suggested-by: Michael Walle +Suggested-by: Tudor Ambarus +Signed-off-by: Hsin-Yi Wang +Reviewed-by: Michael Walle +Link: https://lore.kernel.org/r/20230818064524.1229100-2-hsinyi@chromium.org +Signed-off-by: Tudor Ambarus +Signed-off-by: Sasha Levin +--- + drivers/mtd/spi-nor/core.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-nor/core.c +index 1e61c2364622f..e115aab7243e1 100644 +--- a/drivers/mtd/spi-nor/core.c ++++ b/drivers/mtd/spi-nor/core.c +@@ -980,21 +980,22 @@ static int spi_nor_write_16bit_sr_and_check(struct spi_nor *nor, u8 sr1) + ret = spi_nor_read_cr(nor, &sr_cr[1]); + if (ret) + return ret; +- } else if (nor->params->quad_enable) { ++ } else if (spi_nor_get_protocol_width(nor->read_proto) == 4 && ++ spi_nor_get_protocol_width(nor->write_proto) == 4 && ++ nor->params->quad_enable) { + /* + * If the Status Register 2 Read command (35h) is not + * supported, we should at least be sure we don't + * change the value of the SR2 Quad Enable bit. + * +- * We can safely assume that when the Quad Enable method is +- * set, the value of the QE bit is one, as a consequence of the +- * nor->params->quad_enable() call. ++ * When the Quad Enable method is set and the buswidth is 4, we ++ * can safely assume that the value of the QE bit is one, as a ++ * consequence of the nor->params->quad_enable() call. + * +- * We can safely assume that the Quad Enable bit is present in +- * the Status Register 2 at BIT(1). According to the JESD216 +- * revB standard, BFPT DWORDS[15], bits 22:20, the 16-bit +- * Write Status (01h) command is available just for the cases +- * in which the QE bit is described in SR2 at BIT(1). ++ * According to the JESD216 revB standard, BFPT DWORDS[15], ++ * bits 22:20, the 16-bit Write Status (01h) command is ++ * available just for the cases in which the QE bit is ++ * described in SR2 at BIT(1). + */ + sr_cr[1] = SR2_QUAD_EN_BIT1; + } else { +-- +2.40.1 + diff --git a/queue-5.15/net-arcnet-do-not-call-kfree_skb-under-local_irq_dis.patch b/queue-5.15/net-arcnet-do-not-call-kfree_skb-under-local_irq_dis.patch new file mode 100644 index 00000000000..68b0a28c73e --- /dev/null +++ b/queue-5.15/net-arcnet-do-not-call-kfree_skb-under-local_irq_dis.patch @@ -0,0 +1,38 @@ +From d1f2fb850ffd4b752b869a310c71619c577eaf35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Aug 2023 14:43:36 +0800 +Subject: net: arcnet: Do not call kfree_skb() under local_irq_disable() + +From: Jinjie Ruan + +[ Upstream commit 786c96e92fb9e854cb8b0cb7399bb2fb28e15c4b ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with hardware interrupts being disabled. +So replace kfree_skb() with dev_kfree_skb_irq() under +local_irq_disable(). Compile tested only. + +Fixes: 05fcd31cc472 ("arcnet: add err_skb package for package status feedback") +Signed-off-by: Jinjie Ruan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/arcnet/arcnet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/arcnet/arcnet.c b/drivers/net/arcnet/arcnet.c +index 1bad1866ae462..a48220f91a2df 100644 +--- a/drivers/net/arcnet/arcnet.c ++++ b/drivers/net/arcnet/arcnet.c +@@ -468,7 +468,7 @@ static void arcnet_reply_tasklet(struct tasklet_struct *t) + + ret = sock_queue_err_skb(sk, ackskb); + if (ret) +- kfree_skb(ackskb); ++ dev_kfree_skb_irq(ackskb); + + local_irq_enable(); + }; +-- +2.40.1 + diff --git a/queue-5.15/net-export-inet_lookup_reuseport-and-inet6_lookup_re.patch b/queue-5.15/net-export-inet_lookup_reuseport-and-inet6_lookup_re.patch new file mode 100644 index 00000000000..3d75d9c4e70 --- /dev/null +++ b/queue-5.15/net-export-inet_lookup_reuseport-and-inet6_lookup_re.patch @@ -0,0 +1,163 @@ +From 9b7d85edbdcc2fbbf712f90893ba61c2e99134d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 17:30:07 +0200 +Subject: net: export inet_lookup_reuseport and inet6_lookup_reuseport + +From: Lorenz Bauer + +[ Upstream commit ce796e60b3b196b61fcc565df195443cbb846ef0 ] + +Rename the existing reuseport helpers for IPv4 and IPv6 so that they +can be invoked in the follow up commit. Export them so that building +DCCP and IPv6 as a module works. + +No change in functionality. + +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: Lorenz Bauer +Link: https://lore.kernel.org/r/20230720-so-reuseport-v6-3-7021b683cdae@isovalent.com +Signed-off-by: Martin KaFai Lau +Stable-dep-of: 9c02bec95954 ("bpf, net: Support SO_REUSEPORT sockets with bpf_sk_assign") +Signed-off-by: Sasha Levin +--- + include/net/inet6_hashtables.h | 7 +++++++ + include/net/inet_hashtables.h | 5 +++++ + net/ipv4/inet_hashtables.c | 15 ++++++++------- + net/ipv6/inet6_hashtables.c | 19 ++++++++++--------- + 4 files changed, 30 insertions(+), 16 deletions(-) + +diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h +index 56f1286583d3c..032ddab48f8f8 100644 +--- a/include/net/inet6_hashtables.h ++++ b/include/net/inet6_hashtables.h +@@ -48,6 +48,13 @@ struct sock *__inet6_lookup_established(struct net *net, + const u16 hnum, const int dif, + const int sdif); + ++struct sock *inet6_lookup_reuseport(struct net *net, struct sock *sk, ++ struct sk_buff *skb, int doff, ++ const struct in6_addr *saddr, ++ __be16 sport, ++ const struct in6_addr *daddr, ++ unsigned short hnum); ++ + struct sock *inet6_lookup_listener(struct net *net, + struct inet_hashinfo *hashinfo, + struct sk_buff *skb, int doff, +diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h +index 53c22b64e9724..6c7606b5cadfd 100644 +--- a/include/net/inet_hashtables.h ++++ b/include/net/inet_hashtables.h +@@ -319,6 +319,11 @@ struct sock *__inet_lookup_established(struct net *net, + const __be32 daddr, const u16 hnum, + const int dif, const int sdif); + ++struct sock *inet_lookup_reuseport(struct net *net, struct sock *sk, ++ struct sk_buff *skb, int doff, ++ __be32 saddr, __be16 sport, ++ __be32 daddr, unsigned short hnum); ++ + static inline struct sock * + inet_lookup_established(struct net *net, struct inet_hashinfo *hashinfo, + const __be32 saddr, const __be16 sport, +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index 2936676f86eb8..ce32401567647 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -252,10 +252,10 @@ static inline int compute_score(struct sock *sk, struct net *net, + return score; + } + +-static inline struct sock *lookup_reuseport(struct net *net, struct sock *sk, +- struct sk_buff *skb, int doff, +- __be32 saddr, __be16 sport, +- __be32 daddr, unsigned short hnum) ++struct sock *inet_lookup_reuseport(struct net *net, struct sock *sk, ++ struct sk_buff *skb, int doff, ++ __be32 saddr, __be16 sport, ++ __be32 daddr, unsigned short hnum) + { + struct sock *reuse_sk = NULL; + u32 phash; +@@ -266,6 +266,7 @@ static inline struct sock *lookup_reuseport(struct net *net, struct sock *sk, + } + return reuse_sk; + } ++EXPORT_SYMBOL_GPL(inet_lookup_reuseport); + + /* + * Here are some nice properties to exploit here. The BSD API +@@ -290,8 +291,8 @@ static struct sock *inet_lhash2_lookup(struct net *net, + sk = (struct sock *)icsk; + score = compute_score(sk, net, hnum, daddr, dif, sdif); + if (score > hiscore) { +- result = lookup_reuseport(net, sk, skb, doff, +- saddr, sport, daddr, hnum); ++ result = inet_lookup_reuseport(net, sk, skb, doff, ++ saddr, sport, daddr, hnum); + if (result) + return result; + +@@ -320,7 +321,7 @@ static inline struct sock *inet_lookup_run_bpf(struct net *net, + if (no_reuseport || IS_ERR_OR_NULL(sk)) + return sk; + +- reuse_sk = lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum); ++ reuse_sk = inet_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum); + if (reuse_sk) + sk = reuse_sk; + return sk; +diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c +index b4a5e01e12016..2267f973e2df3 100644 +--- a/net/ipv6/inet6_hashtables.c ++++ b/net/ipv6/inet6_hashtables.c +@@ -113,12 +113,12 @@ static inline int compute_score(struct sock *sk, struct net *net, + return score; + } + +-static inline struct sock *lookup_reuseport(struct net *net, struct sock *sk, +- struct sk_buff *skb, int doff, +- const struct in6_addr *saddr, +- __be16 sport, +- const struct in6_addr *daddr, +- unsigned short hnum) ++struct sock *inet6_lookup_reuseport(struct net *net, struct sock *sk, ++ struct sk_buff *skb, int doff, ++ const struct in6_addr *saddr, ++ __be16 sport, ++ const struct in6_addr *daddr, ++ unsigned short hnum) + { + struct sock *reuse_sk = NULL; + u32 phash; +@@ -129,6 +129,7 @@ static inline struct sock *lookup_reuseport(struct net *net, struct sock *sk, + } + return reuse_sk; + } ++EXPORT_SYMBOL_GPL(inet6_lookup_reuseport); + + /* called with rcu_read_lock() */ + static struct sock *inet6_lhash2_lookup(struct net *net, +@@ -146,8 +147,8 @@ static struct sock *inet6_lhash2_lookup(struct net *net, + sk = (struct sock *)icsk; + score = compute_score(sk, net, hnum, daddr, dif, sdif); + if (score > hiscore) { +- result = lookup_reuseport(net, sk, skb, doff, +- saddr, sport, daddr, hnum); ++ result = inet6_lookup_reuseport(net, sk, skb, doff, ++ saddr, sport, daddr, hnum); + if (result) + return result; + +@@ -178,7 +179,7 @@ static inline struct sock *inet6_lookup_run_bpf(struct net *net, + if (no_reuseport || IS_ERR_OR_NULL(sk)) + return sk; + +- reuse_sk = lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum); ++ reuse_sk = inet6_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum); + if (reuse_sk) + sk = reuse_sk; + return sk; +-- +2.40.1 + diff --git a/queue-5.15/net-fix-slab-out-of-bounds-in-inet-6-_steal_sock.patch b/queue-5.15/net-fix-slab-out-of-bounds-in-inet-6-_steal_sock.patch new file mode 100644 index 00000000000..45452d0a6fb --- /dev/null +++ b/queue-5.15/net-fix-slab-out-of-bounds-in-inet-6-_steal_sock.patch @@ -0,0 +1,63 @@ +From 430fce638025f2cbeed253cadc4471699844dddb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Aug 2023 09:53:41 +0100 +Subject: net: Fix slab-out-of-bounds in inet[6]_steal_sock + +From: Lorenz Bauer + +[ Upstream commit 8897562f67b3e61ad736cd5c9f307447d33280e4 ] + +Kumar reported a KASAN splat in tcp_v6_rcv: + + bash-5.2# ./test_progs -t btf_skc_cls_ingress + ... + [ 51.810085] BUG: KASAN: slab-out-of-bounds in tcp_v6_rcv+0x2d7d/0x3440 + [ 51.810458] Read of size 2 at addr ffff8881053f038c by task test_progs/226 + +The problem is that inet[6]_steal_sock accesses sk->sk_protocol without +accounting for request or timewait sockets. To fix this we can't just +check sock_common->skc_reuseport since that flag is present on timewait +sockets. + +Instead, add a fullsock check to avoid the out of bands access of sk_protocol. + +Fixes: 9c02bec95954 ("bpf, net: Support SO_REUSEPORT sockets with bpf_sk_assign") +Reported-by: Kumar Kartikeya Dwivedi +Signed-off-by: Lorenz Bauer +Link: https://lore.kernel.org/r/20230815-bpf-next-v2-1-95126eaa4c1b@isovalent.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + include/net/inet6_hashtables.h | 2 +- + include/net/inet_hashtables.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h +index 475e672b4facc..12780b8fb5630 100644 +--- a/include/net/inet6_hashtables.h ++++ b/include/net/inet6_hashtables.h +@@ -107,7 +107,7 @@ struct sock *inet6_steal_sock(struct net *net, struct sk_buff *skb, int doff, + if (!sk) + return NULL; + +- if (!prefetched) ++ if (!prefetched || !sk_fullsock(sk)) + return sk; + + if (sk->sk_protocol == IPPROTO_TCP) { +diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h +index 06f1ab600481e..0cc2a88d1c37c 100644 +--- a/include/net/inet_hashtables.h ++++ b/include/net/inet_hashtables.h +@@ -395,7 +395,7 @@ struct sock *inet_steal_sock(struct net *net, struct sk_buff *skb, int doff, + if (!sk) + return NULL; + +- if (!prefetched) ++ if (!prefetched || !sk_fullsock(sk)) + return sk; + + if (sk->sk_protocol == IPPROTO_TCP) { +-- +2.40.1 + diff --git a/queue-5.15/net-memcg-fix-scope-of-sockmem-pressure-indicators.patch b/queue-5.15/net-memcg-fix-scope-of-sockmem-pressure-indicators.patch new file mode 100644 index 00000000000..a37ba6dea5e --- /dev/null +++ b/queue-5.15/net-memcg-fix-scope-of-sockmem-pressure-indicators.patch @@ -0,0 +1,86 @@ +From e3cd7c7f780fbe7aba1db9ec6f38fea9f7a8ea4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 15:09:11 +0800 +Subject: net-memcg: Fix scope of sockmem pressure indicators + +From: Abel Wu + +[ Upstream commit ac8a52962164a50e693fa021d3564d7745b83a7f ] + +Now there are two indicators of socket memory pressure sit inside +struct mem_cgroup, socket_pressure and tcpmem_pressure, indicating +memory reclaim pressure in memcg->memory and ->tcpmem respectively. + +When in legacy mode (cgroupv1), the socket memory is charged into +->tcpmem which is independent of ->memory, so socket_pressure has +nothing to do with socket's pressure at all. Things could be worse +by taking socket_pressure into consideration in legacy mode, as a +pressure in ->memory can lead to premature reclamation/throttling +in socket. + +While for the default mode (cgroupv2), the socket memory is charged +into ->memory, and ->tcpmem/->tcpmem_pressure are simply not used. + +So {socket,tcpmem}_pressure are only used in default/legacy mode +respectively for indicating socket memory pressure. This patch fixes +the pieces of code that make mixed use of both. + +Fixes: 8e8ae645249b ("mm: memcontrol: hook up vmpressure to socket pressure") +Signed-off-by: Abel Wu +Acked-by: Shakeel Butt +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/memcontrol.h | 9 +++++++-- + mm/vmpressure.c | 8 ++++++++ + 2 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/include/linux/memcontrol.h b/include/linux/memcontrol.h +index 4f189b17dafcc..94df87cb69c3b 100644 +--- a/include/linux/memcontrol.h ++++ b/include/linux/memcontrol.h +@@ -310,6 +310,11 @@ struct mem_cgroup { + atomic_long_t memory_events[MEMCG_NR_MEMORY_EVENTS]; + atomic_long_t memory_events_local[MEMCG_NR_MEMORY_EVENTS]; + ++ /* ++ * Hint of reclaim pressure for socket memroy management. Note ++ * that this indicator should NOT be used in legacy cgroup mode ++ * where socket memory is accounted/charged separately. ++ */ + unsigned long socket_pressure; + + /* Legacy tcp memory accounting */ +@@ -1627,8 +1632,8 @@ void mem_cgroup_sk_alloc(struct sock *sk); + void mem_cgroup_sk_free(struct sock *sk); + static inline bool mem_cgroup_under_socket_pressure(struct mem_cgroup *memcg) + { +- if (!cgroup_subsys_on_dfl(memory_cgrp_subsys) && memcg->tcpmem_pressure) +- return true; ++ if (!cgroup_subsys_on_dfl(memory_cgrp_subsys)) ++ return !!memcg->tcpmem_pressure; + do { + if (time_before(jiffies, memcg->socket_pressure)) + return true; +diff --git a/mm/vmpressure.c b/mm/vmpressure.c +index 76518e4166dc9..383e0463c0258 100644 +--- a/mm/vmpressure.c ++++ b/mm/vmpressure.c +@@ -244,6 +244,14 @@ void vmpressure(gfp_t gfp, struct mem_cgroup *memcg, bool tree, + if (mem_cgroup_disabled()) + return; + ++ /* ++ * The in-kernel users only care about the reclaim efficiency ++ * for this @memcg rather than the whole subtree, and there ++ * isn't and won't be any in-kernel user in a legacy cgroup. ++ */ ++ if (!cgroup_subsys_on_dfl(memory_cgrp_subsys) && !tree) ++ return; ++ + vmpr = memcg_to_vmpressure(memcg); + + /* +-- +2.40.1 + diff --git a/queue-5.15/net-mlx5-use-rmw-accessors-for-changing-lnkctl.patch b/queue-5.15/net-mlx5-use-rmw-accessors-for-changing-lnkctl.patch new file mode 100644 index 00000000000..06e92ed5c3f --- /dev/null +++ b/queue-5.15/net-mlx5-use-rmw-accessors-for-changing-lnkctl.patch @@ -0,0 +1,57 @@ +From c9c96ca184da361080f4770e77270fa22d830183 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 15:04:59 +0300 +Subject: net/mlx5: Use RMW accessors for changing LNKCTL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 30de872537bda526664d7a20b646adfb3e7ce6e6 ] + +Don't assume that only the driver would be accessing LNKCTL of the upstream +bridge. ASPM policy changes can trigger write to LNKCTL outside of driver's +control. + +Use RMW capability accessors which do proper locking to avoid losing +concurrent updates to the register value. + +Suggested-by: Lukas Wunner +Fixes: eabe8e5e88f5 ("net/mlx5: Handle sync reset now event") +Link: https://lore.kernel.org/r/20230717120503.15276-8-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Reviewed-by: Moshe Shemesh +Reviewed-by: Simon Horman +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c +index 8c2b249949b97..8ed1549a99c42 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c +@@ -274,16 +274,11 @@ static int mlx5_pci_link_toggle(struct mlx5_core_dev *dev) + pci_cfg_access_lock(sdev); + } + /* PCI link toggle */ +- err = pci_read_config_word(bridge, cap + PCI_EXP_LNKCTL, ®16); +- if (err) +- return err; +- reg16 |= PCI_EXP_LNKCTL_LD; +- err = pci_write_config_word(bridge, cap + PCI_EXP_LNKCTL, reg16); ++ err = pcie_capability_set_word(bridge, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_LD); + if (err) + return err; + msleep(500); +- reg16 &= ~PCI_EXP_LNKCTL_LD; +- err = pci_write_config_word(bridge, cap + PCI_EXP_LNKCTL, reg16); ++ err = pcie_capability_clear_word(bridge, PCI_EXP_LNKCTL, PCI_EXP_LNKCTL_LD); + if (err) + return err; + +-- +2.40.1 + diff --git a/queue-5.15/net-remove-duplicate-reuseport_lookup-functions.patch b/queue-5.15/net-remove-duplicate-reuseport_lookup-functions.patch new file mode 100644 index 00000000000..3b6f2331d7f --- /dev/null +++ b/queue-5.15/net-remove-duplicate-reuseport_lookup-functions.patch @@ -0,0 +1,365 @@ +From 80dd0a17af4bad8ab1687e60f1a0800d59f41fc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 17:30:08 +0200 +Subject: net: remove duplicate reuseport_lookup functions + +From: Lorenz Bauer + +[ Upstream commit 0f495f7617229772403e683033abc473f0f0553c ] + +There are currently four copies of reuseport_lookup: one each for +(TCP, UDP)x(IPv4, IPv6). This forces us to duplicate all callers of +those functions as well. This is already the case for sk_lookup +helpers (inet,inet6,udp4,udp6)_lookup_run_bpf. + +There are two differences between the reuseport_lookup helpers: + +1. They call different hash functions depending on protocol +2. UDP reuseport_lookup checks that sk_state != TCP_ESTABLISHED + +Move the check for sk_state into the caller and use the INDIRECT_CALL +infrastructure to cut down the helpers to one per IP version. + +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: Lorenz Bauer +Link: https://lore.kernel.org/r/20230720-so-reuseport-v6-4-7021b683cdae@isovalent.com +Signed-off-by: Martin KaFai Lau +Stable-dep-of: 9c02bec95954 ("bpf, net: Support SO_REUSEPORT sockets with bpf_sk_assign") +Signed-off-by: Sasha Levin +--- + include/net/inet6_hashtables.h | 11 ++++++++- + include/net/inet_hashtables.h | 15 ++++++++----- + net/ipv4/inet_hashtables.c | 20 +++++++++++------ + net/ipv4/udp.c | 34 +++++++++++----------------- + net/ipv6/inet6_hashtables.c | 14 ++++++++---- + net/ipv6/udp.c | 41 +++++++++++++--------------------- + 6 files changed, 72 insertions(+), 63 deletions(-) + +diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h +index 032ddab48f8f8..f89320b6fee31 100644 +--- a/include/net/inet6_hashtables.h ++++ b/include/net/inet6_hashtables.h +@@ -48,12 +48,21 @@ struct sock *__inet6_lookup_established(struct net *net, + const u16 hnum, const int dif, + const int sdif); + ++typedef u32 (inet6_ehashfn_t)(const struct net *net, ++ const struct in6_addr *laddr, const u16 lport, ++ const struct in6_addr *faddr, const __be16 fport); ++ ++inet6_ehashfn_t inet6_ehashfn; ++ ++INDIRECT_CALLABLE_DECLARE(inet6_ehashfn_t udp6_ehashfn); ++ + struct sock *inet6_lookup_reuseport(struct net *net, struct sock *sk, + struct sk_buff *skb, int doff, + const struct in6_addr *saddr, + __be16 sport, + const struct in6_addr *daddr, +- unsigned short hnum); ++ unsigned short hnum, ++ inet6_ehashfn_t *ehashfn); + + struct sock *inet6_lookup_listener(struct net *net, + struct inet_hashinfo *hashinfo, +diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h +index 6c7606b5cadfd..f4b4102744a50 100644 +--- a/include/net/inet_hashtables.h ++++ b/include/net/inet_hashtables.h +@@ -319,10 +319,19 @@ struct sock *__inet_lookup_established(struct net *net, + const __be32 daddr, const u16 hnum, + const int dif, const int sdif); + ++typedef u32 (inet_ehashfn_t)(const struct net *net, ++ const __be32 laddr, const __u16 lport, ++ const __be32 faddr, const __be16 fport); ++ ++inet_ehashfn_t inet_ehashfn; ++ ++INDIRECT_CALLABLE_DECLARE(inet_ehashfn_t udp_ehashfn); ++ + struct sock *inet_lookup_reuseport(struct net *net, struct sock *sk, + struct sk_buff *skb, int doff, + __be32 saddr, __be16 sport, +- __be32 daddr, unsigned short hnum); ++ __be32 daddr, unsigned short hnum, ++ inet_ehashfn_t *ehashfn); + + static inline struct sock * + inet_lookup_established(struct net *net, struct inet_hashinfo *hashinfo, +@@ -393,10 +402,6 @@ static inline struct sock *__inet_lookup_skb(struct inet_hashinfo *hashinfo, + refcounted); + } + +-u32 inet6_ehashfn(const struct net *net, +- const struct in6_addr *laddr, const u16 lport, +- const struct in6_addr *faddr, const __be16 fport); +- + static inline void sk_daddr_set(struct sock *sk, __be32 addr) + { + sk->sk_daddr = addr; /* alias of inet_daddr */ +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index ce32401567647..0b2b652ad4898 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -28,9 +28,9 @@ + #include + #include + +-static u32 inet_ehashfn(const struct net *net, const __be32 laddr, +- const __u16 lport, const __be32 faddr, +- const __be16 fport) ++u32 inet_ehashfn(const struct net *net, const __be32 laddr, ++ const __u16 lport, const __be32 faddr, ++ const __be16 fport) + { + static u32 inet_ehash_secret __read_mostly; + +@@ -39,6 +39,7 @@ static u32 inet_ehashfn(const struct net *net, const __be32 laddr, + return __inet_ehashfn(laddr, lport, faddr, fport, + inet_ehash_secret + net_hash_mix(net)); + } ++EXPORT_SYMBOL_GPL(inet_ehashfn); + + /* This function handles inet_sock, but also timewait and request sockets + * for IPv4/IPv6. +@@ -252,16 +253,20 @@ static inline int compute_score(struct sock *sk, struct net *net, + return score; + } + ++INDIRECT_CALLABLE_DECLARE(inet_ehashfn_t udp_ehashfn); ++ + struct sock *inet_lookup_reuseport(struct net *net, struct sock *sk, + struct sk_buff *skb, int doff, + __be32 saddr, __be16 sport, +- __be32 daddr, unsigned short hnum) ++ __be32 daddr, unsigned short hnum, ++ inet_ehashfn_t *ehashfn) + { + struct sock *reuse_sk = NULL; + u32 phash; + + if (sk->sk_reuseport) { +- phash = inet_ehashfn(net, daddr, hnum, saddr, sport); ++ phash = INDIRECT_CALL_2(ehashfn, udp_ehashfn, inet_ehashfn, ++ net, daddr, hnum, saddr, sport); + reuse_sk = reuseport_select_sock(sk, phash, skb, doff); + } + return reuse_sk; +@@ -292,7 +297,7 @@ static struct sock *inet_lhash2_lookup(struct net *net, + score = compute_score(sk, net, hnum, daddr, dif, sdif); + if (score > hiscore) { + result = inet_lookup_reuseport(net, sk, skb, doff, +- saddr, sport, daddr, hnum); ++ saddr, sport, daddr, hnum, inet_ehashfn); + if (result) + return result; + +@@ -321,7 +326,8 @@ static inline struct sock *inet_lookup_run_bpf(struct net *net, + if (no_reuseport || IS_ERR_OR_NULL(sk)) + return sk; + +- reuse_sk = inet_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum); ++ reuse_sk = inet_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum, ++ inet_ehashfn); + if (reuse_sk) + sk = reuse_sk; + return sk; +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 198d8e07413d3..de672235ceee5 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -398,9 +398,9 @@ static int compute_score(struct sock *sk, struct net *net, + return score; + } + +-static u32 udp_ehashfn(const struct net *net, const __be32 laddr, +- const __u16 lport, const __be32 faddr, +- const __be16 fport) ++INDIRECT_CALLABLE_SCOPE ++u32 udp_ehashfn(const struct net *net, const __be32 laddr, const __u16 lport, ++ const __be32 faddr, const __be16 fport) + { + static u32 udp_ehash_secret __read_mostly; + +@@ -410,22 +410,6 @@ static u32 udp_ehashfn(const struct net *net, const __be32 laddr, + udp_ehash_secret + net_hash_mix(net)); + } + +-static struct sock *lookup_reuseport(struct net *net, struct sock *sk, +- struct sk_buff *skb, +- __be32 saddr, __be16 sport, +- __be32 daddr, unsigned short hnum) +-{ +- struct sock *reuse_sk = NULL; +- u32 hash; +- +- if (sk->sk_reuseport && sk->sk_state != TCP_ESTABLISHED) { +- hash = udp_ehashfn(net, daddr, hnum, saddr, sport); +- reuse_sk = reuseport_select_sock(sk, hash, skb, +- sizeof(struct udphdr)); +- } +- return reuse_sk; +-} +- + /* called with rcu_read_lock() */ + static struct sock *udp4_lib_lookup2(struct net *net, + __be32 saddr, __be16 sport, +@@ -444,7 +428,14 @@ static struct sock *udp4_lib_lookup2(struct net *net, + daddr, hnum, dif, sdif); + if (score > badness) { + badness = score; +- result = lookup_reuseport(net, sk, skb, saddr, sport, daddr, hnum); ++ ++ if (sk->sk_state == TCP_ESTABLISHED) { ++ result = sk; ++ continue; ++ } ++ ++ result = inet_lookup_reuseport(net, sk, skb, sizeof(struct udphdr), ++ saddr, sport, daddr, hnum, udp_ehashfn); + if (!result) { + result = sk; + continue; +@@ -483,7 +474,8 @@ static struct sock *udp4_lookup_run_bpf(struct net *net, + if (no_reuseport || IS_ERR_OR_NULL(sk)) + return sk; + +- reuse_sk = lookup_reuseport(net, sk, skb, saddr, sport, daddr, hnum); ++ reuse_sk = inet_lookup_reuseport(net, sk, skb, sizeof(struct udphdr), ++ saddr, sport, daddr, hnum, udp_ehashfn); + if (reuse_sk) + sk = reuse_sk; + return sk; +diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c +index 2267f973e2df3..21b4fc835487b 100644 +--- a/net/ipv6/inet6_hashtables.c ++++ b/net/ipv6/inet6_hashtables.c +@@ -41,6 +41,7 @@ u32 inet6_ehashfn(const struct net *net, + return __inet6_ehashfn(lhash, lport, fhash, fport, + inet6_ehash_secret + net_hash_mix(net)); + } ++EXPORT_SYMBOL_GPL(inet6_ehashfn); + + /* + * Sockets in TCP_CLOSE state are _always_ taken out of the hash, so +@@ -113,18 +114,22 @@ static inline int compute_score(struct sock *sk, struct net *net, + return score; + } + ++INDIRECT_CALLABLE_DECLARE(inet6_ehashfn_t udp6_ehashfn); ++ + struct sock *inet6_lookup_reuseport(struct net *net, struct sock *sk, + struct sk_buff *skb, int doff, + const struct in6_addr *saddr, + __be16 sport, + const struct in6_addr *daddr, +- unsigned short hnum) ++ unsigned short hnum, ++ inet6_ehashfn_t *ehashfn) + { + struct sock *reuse_sk = NULL; + u32 phash; + + if (sk->sk_reuseport) { +- phash = inet6_ehashfn(net, daddr, hnum, saddr, sport); ++ phash = INDIRECT_CALL_INET(ehashfn, udp6_ehashfn, inet6_ehashfn, ++ net, daddr, hnum, saddr, sport); + reuse_sk = reuseport_select_sock(sk, phash, skb, doff); + } + return reuse_sk; +@@ -148,7 +153,7 @@ static struct sock *inet6_lhash2_lookup(struct net *net, + score = compute_score(sk, net, hnum, daddr, dif, sdif); + if (score > hiscore) { + result = inet6_lookup_reuseport(net, sk, skb, doff, +- saddr, sport, daddr, hnum); ++ saddr, sport, daddr, hnum, inet6_ehashfn); + if (result) + return result; + +@@ -179,7 +184,8 @@ static inline struct sock *inet6_lookup_run_bpf(struct net *net, + if (no_reuseport || IS_ERR_OR_NULL(sk)) + return sk; + +- reuse_sk = inet6_lookup_reuseport(net, sk, skb, doff, saddr, sport, daddr, hnum); ++ reuse_sk = inet6_lookup_reuseport(net, sk, skb, doff, ++ saddr, sport, daddr, hnum, inet6_ehashfn); + if (reuse_sk) + sk = reuse_sk; + return sk; +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index d5d254ca2dfe6..2c653ed1add1f 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -68,11 +68,12 @@ int udpv6_init_sock(struct sock *sk) + return 0; + } + +-static u32 udp6_ehashfn(const struct net *net, +- const struct in6_addr *laddr, +- const u16 lport, +- const struct in6_addr *faddr, +- const __be16 fport) ++INDIRECT_CALLABLE_SCOPE ++u32 udp6_ehashfn(const struct net *net, ++ const struct in6_addr *laddr, ++ const u16 lport, ++ const struct in6_addr *faddr, ++ const __be16 fport) + { + static u32 udp6_ehash_secret __read_mostly; + static u32 udp_ipv6_hash_secret __read_mostly; +@@ -156,24 +157,6 @@ static int compute_score(struct sock *sk, struct net *net, + return score; + } + +-static struct sock *lookup_reuseport(struct net *net, struct sock *sk, +- struct sk_buff *skb, +- const struct in6_addr *saddr, +- __be16 sport, +- const struct in6_addr *daddr, +- unsigned int hnum) +-{ +- struct sock *reuse_sk = NULL; +- u32 hash; +- +- if (sk->sk_reuseport && sk->sk_state != TCP_ESTABLISHED) { +- hash = udp6_ehashfn(net, daddr, hnum, saddr, sport); +- reuse_sk = reuseport_select_sock(sk, hash, skb, +- sizeof(struct udphdr)); +- } +- return reuse_sk; +-} +- + /* called with rcu_read_lock() */ + static struct sock *udp6_lib_lookup2(struct net *net, + const struct in6_addr *saddr, __be16 sport, +@@ -191,7 +174,14 @@ static struct sock *udp6_lib_lookup2(struct net *net, + daddr, hnum, dif, sdif); + if (score > badness) { + badness = score; +- result = lookup_reuseport(net, sk, skb, saddr, sport, daddr, hnum); ++ ++ if (sk->sk_state == TCP_ESTABLISHED) { ++ result = sk; ++ continue; ++ } ++ ++ result = inet6_lookup_reuseport(net, sk, skb, sizeof(struct udphdr), ++ saddr, sport, daddr, hnum, udp6_ehashfn); + if (!result) { + result = sk; + continue; +@@ -231,7 +221,8 @@ static inline struct sock *udp6_lookup_run_bpf(struct net *net, + if (no_reuseport || IS_ERR_OR_NULL(sk)) + return sk; + +- reuse_sk = lookup_reuseport(net, sk, skb, saddr, sport, daddr, hnum); ++ reuse_sk = inet6_lookup_reuseport(net, sk, skb, sizeof(struct udphdr), ++ saddr, sport, daddr, hnum, udp6_ehashfn); + if (reuse_sk) + sk = reuse_sk; + return sk; +-- +2.40.1 + diff --git a/queue-5.15/net-sched-sch_hfsc-ensure-inner-classes-have-fsc-cur.patch b/queue-5.15/net-sched-sch_hfsc-ensure-inner-classes-have-fsc-cur.patch new file mode 100644 index 00000000000..c152cefe212 --- /dev/null +++ b/queue-5.15/net-sched-sch_hfsc-ensure-inner-classes-have-fsc-cur.patch @@ -0,0 +1,44 @@ +From 20d657f773f59e42434392b84acef1234b011e6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Aug 2023 01:49:05 -0700 +Subject: net/sched: sch_hfsc: Ensure inner classes have fsc curve + +From: Budimir Markovic + +[ Upstream commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f ] + +HFSC assumes that inner classes have an fsc curve, but it is currently +possible for classes without an fsc curve to become parents. This leads +to bugs including a use-after-free. + +Don't allow non-root classes without HFSC_FSC to become parents. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Budimir Markovic +Signed-off-by: Budimir Markovic +Acked-by: Jamal Hadi Salim +Link: https://lore.kernel.org/r/20230824084905.422-1-markovicbudimir@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_hfsc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c +index c802a027b4f31..01126e285f94e 100644 +--- a/net/sched/sch_hfsc.c ++++ b/net/sched/sch_hfsc.c +@@ -1012,6 +1012,10 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + if (parent == NULL) + return -ENOENT; + } ++ if (!(parent->cl_flags & HFSC_FSC) && parent != &q->root) { ++ NL_SET_ERR_MSG(extack, "Invalid parent - parent class must have FSC"); ++ return -EINVAL; ++ } + + if (classid == 0 || TC_H_MAJ(classid ^ sch->handle) != 0) + return -EINVAL; +-- +2.40.1 + diff --git a/queue-5.15/net-tcp-fix-unexcepted-socket-die-when-snd_wnd-is-0.patch b/queue-5.15/net-tcp-fix-unexcepted-socket-die-when-snd_wnd-is-0.patch new file mode 100644 index 00000000000..5e3eebde24c --- /dev/null +++ b/queue-5.15/net-tcp-fix-unexcepted-socket-die-when-snd_wnd-is-0.patch @@ -0,0 +1,83 @@ +From 095e43e3f54acaa454d0fd26757d2ed9c9f80da3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 10:55:29 +0800 +Subject: net: tcp: fix unexcepted socket die when snd_wnd is 0 + +From: Menglong Dong + +[ Upstream commit e89688e3e97868451a5d05b38a9d2633d6785cd4 ] + +In tcp_retransmit_timer(), a window shrunk connection will be regarded +as timeout if 'tcp_jiffies32 - tp->rcv_tstamp > TCP_RTO_MAX'. This is not +right all the time. + +The retransmits will become zero-window probes in tcp_retransmit_timer() +if the 'snd_wnd==0'. Therefore, the icsk->icsk_rto will come up to +TCP_RTO_MAX sooner or later. + +However, the timer can be delayed and be triggered after 122877ms, not +TCP_RTO_MAX, as I tested. + +Therefore, 'tcp_jiffies32 - tp->rcv_tstamp > TCP_RTO_MAX' is always true +once the RTO come up to TCP_RTO_MAX, and the socket will die. + +Fix this by replacing the 'tcp_jiffies32' with '(u32)icsk->icsk_timeout', +which is exact the timestamp of the timeout. + +However, "tp->rcv_tstamp" can restart from idle, then tp->rcv_tstamp +could already be a long time (minutes or hours) in the past even on the +first RTO. So we double check the timeout with the duration of the +retransmission. + +Meanwhile, making "2 * TCP_RTO_MAX" as the timeout to avoid the socket +dying too soon. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://lore.kernel.org/netdev/CADxym3YyMiO+zMD4zj03YPM3FBi-1LHi6gSD2XT8pyAMM096pg@mail.gmail.com/ +Signed-off-by: Menglong Dong +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_timer.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c +index a8592c187b321..40a354dcfec5a 100644 +--- a/net/ipv4/tcp_timer.c ++++ b/net/ipv4/tcp_timer.c +@@ -437,6 +437,22 @@ static void tcp_fastopen_synack_timer(struct sock *sk, struct request_sock *req) + TCP_TIMEOUT_INIT << req->num_timeout, TCP_RTO_MAX); + } + ++static bool tcp_rtx_probe0_timed_out(const struct sock *sk, ++ const struct sk_buff *skb) ++{ ++ const struct tcp_sock *tp = tcp_sk(sk); ++ const int timeout = TCP_RTO_MAX * 2; ++ u32 rcv_delta, rtx_delta; ++ ++ rcv_delta = inet_csk(sk)->icsk_timeout - tp->rcv_tstamp; ++ if (rcv_delta <= timeout) ++ return false; ++ ++ rtx_delta = (u32)msecs_to_jiffies(tcp_time_stamp(tp) - ++ (tp->retrans_stamp ?: tcp_skb_timestamp(skb))); ++ ++ return rtx_delta > timeout; ++} + + /** + * tcp_retransmit_timer() - The TCP retransmit timeout handler +@@ -502,7 +518,7 @@ void tcp_retransmit_timer(struct sock *sk) + tp->snd_una, tp->snd_nxt); + } + #endif +- if (tcp_jiffies32 - tp->rcv_tstamp > TCP_RTO_MAX) { ++ if (tcp_rtx_probe0_timed_out(sk, skb)) { + tcp_write_err(sk); + goto out; + } +-- +2.40.1 + diff --git a/queue-5.15/netrom-deny-concurrent-connect.patch b/queue-5.15/netrom-deny-concurrent-connect.patch new file mode 100644 index 00000000000..24539124918 --- /dev/null +++ b/queue-5.15/netrom-deny-concurrent-connect.patch @@ -0,0 +1,139 @@ +From 67a725efd05ace8341c2f1b2f84961926474b79a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Aug 2023 09:50:59 -0700 +Subject: netrom: Deny concurrent connect(). + +From: Kuniyuki Iwashima + +[ Upstream commit c2f8fd7949603efb03908e05abbf7726748c8de3 ] + +syzkaller reported null-ptr-deref [0] related to AF_NETROM. +This is another self-accept issue from the strace log. [1] + +syz-executor creates an AF_NETROM socket and calls connect(), which +is blocked at that time. Then, sk->sk_state is TCP_SYN_SENT and +sock->state is SS_CONNECTING. + + [pid 5059] socket(AF_NETROM, SOCK_SEQPACKET, 0) = 4 + [pid 5059] connect(4, {sa_family=AF_NETROM, sa_data="..." + +Another thread calls connect() concurrently, which finally fails +with -EINVAL. However, the problem here is the socket state is +reset even while the first connect() is blocked. + + [pid 5060] connect(4, NULL, 0 + [pid 5060] <... connect resumed>) = -1 EINVAL (Invalid argument) + +As sk->state is TCP_CLOSE and sock->state is SS_UNCONNECTED, the +following listen() succeeds. Then, the first connect() looks up +itself as a listener and puts skb into the queue with skb->sk itself. +As a result, the next accept() gets another FD of itself as 3, and +the first connect() finishes. + + [pid 5060] listen(4, 0 + [pid 5060] <... listen resumed>) = 0 + [pid 5060] accept(4, NULL, NULL + [pid 5060] <... accept resumed>) = 3 + [pid 5059] <... connect resumed>) = 0 + +Then, accept4() is called but blocked, which causes the general protection +fault later. + + [pid 5059] accept4(4, NULL, 0x20000400, SOCK_NONBLOCK + +After that, another self-accept occurs by accept() and writev(). + + [pid 5060] accept(4, NULL, NULL + [pid 5061] writev(3, [{iov_base=...}] + [pid 5061] <... writev resumed>) = 99 + [pid 5060] <... accept resumed>) = 6 + +Finally, the leader thread close()s all FDs. Since the three FDs +reference the same socket, nr_release() does the cleanup for it +three times, and the remaining accept4() causes the following fault. + + [pid 5058] close(3) = 0 + [pid 5058] close(4) = 0 + [pid 5058] close(5) = -1 EBADF (Bad file descriptor) + [pid 5058] close(6) = 0 + [pid 5058] <... exit_group resumed>) = ? + [ 83.456055][ T5059] general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN + +To avoid the issue, we need to return an error for connect() if +another connect() is in progress, as done in __inet_stream_connect(). + +[0]: +general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] +CPU: 0 PID: 5059 Comm: syz-executor.0 Not tainted 6.5.0-rc5-syzkaller-00194-gace0ab3a4b54 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 +RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5012 +Code: 45 85 c9 0f 84 cc 0e 00 00 44 8b 05 11 6e 23 0b 45 85 c0 0f 84 be 0d 00 00 48 ba 00 00 00 00 00 fc ff df 4c 89 d1 48 c1 e9 03 <80> 3c 11 00 0f 85 e8 40 00 00 49 81 3a a0 69 48 90 0f 84 96 0d 00 +RSP: 0018:ffffc90003d6f9e0 EFLAGS: 00010006 +RAX: ffff8880244c8000 RBX: 1ffff920007adf6c RCX: 0000000000000003 +RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000018 +RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000001 +R10: 0000000000000018 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +FS: 00007f51d519a6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f51d5158d58 CR3: 000000002943f000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + lock_acquire kernel/locking/lockdep.c:5761 [inline] + lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5726 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162 + prepare_to_wait+0x47/0x380 kernel/sched/wait.c:269 + nr_accept+0x20d/0x650 net/netrom/af_netrom.c:798 + do_accept+0x3a6/0x570 net/socket.c:1872 + __sys_accept4_file net/socket.c:1913 [inline] + __sys_accept4+0x99/0x120 net/socket.c:1943 + __do_sys_accept4 net/socket.c:1954 [inline] + __se_sys_accept4 net/socket.c:1951 [inline] + __x64_sys_accept4+0x96/0x100 net/socket.c:1951 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f51d447cae9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f51d519a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000120 +RAX: ffffffffffffffda RBX: 00007f51d459bf80 RCX: 00007f51d447cae9 +RDX: 0000000020000400 RSI: 0000000000000000 RDI: 0000000000000004 +RBP: 00007f51d44c847a R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000800 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007f51d459bf80 R15: 00007ffc25c34e48 + + +Link: https://syzkaller.appspot.com/text?tag=CrashLog&x=152cdb63a80000 [1] +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+666c97e4686410e79649@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=666c97e4686410e79649 +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netrom/af_netrom.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c +index 5c04da4cfbad0..24747163122bb 100644 +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -660,6 +660,11 @@ static int nr_connect(struct socket *sock, struct sockaddr *uaddr, + goto out_release; + } + ++ if (sock->state == SS_CONNECTING) { ++ err = -EALREADY; ++ goto out_release; ++ } ++ + sk->sk_state = TCP_CLOSE; + sock->state = SS_UNCONNECTED; + +-- +2.40.1 + diff --git a/queue-5.15/nfs-blocklayout-use-the-passed-in-gfp-flags.patch b/queue-5.15/nfs-blocklayout-use-the-passed-in-gfp-flags.patch new file mode 100644 index 00000000000..3350cc5c312 --- /dev/null +++ b/queue-5.15/nfs-blocklayout-use-the-passed-in-gfp-flags.patch @@ -0,0 +1,47 @@ +From 0ae1b2488e74a79b3bbd916d477119cfc4c653c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jul 2023 11:08:46 +0300 +Subject: nfs/blocklayout: Use the passed in gfp flags + +From: Dan Carpenter + +[ Upstream commit 08b45fcb2d4675f6182fe0edc0d8b1fe604051fa ] + +This allocation should use the passed in GFP_ flags instead of +GFP_KERNEL. One places where this matters is in filelayout_pg_init_write() +which uses GFP_NOFS as the allocation flags. + +Fixes: 5c83746a0cf2 ("pnfs/blocklayout: in-kernel GETDEVICEINFO XDR parsing") +Signed-off-by: Dan Carpenter +Reviewed-by: Christoph Hellwig +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/blocklayout/dev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/blocklayout/dev.c b/fs/nfs/blocklayout/dev.c +index acb1d22907daf..16412d6636e86 100644 +--- a/fs/nfs/blocklayout/dev.c ++++ b/fs/nfs/blocklayout/dev.c +@@ -422,7 +422,7 @@ bl_parse_concat(struct nfs_server *server, struct pnfs_block_dev *d, + int ret, i; + + d->children = kcalloc(v->concat.volumes_count, +- sizeof(struct pnfs_block_dev), GFP_KERNEL); ++ sizeof(struct pnfs_block_dev), gfp_mask); + if (!d->children) + return -ENOMEM; + +@@ -451,7 +451,7 @@ bl_parse_stripe(struct nfs_server *server, struct pnfs_block_dev *d, + int ret, i; + + d->children = kcalloc(v->stripe.volumes_count, +- sizeof(struct pnfs_block_dev), GFP_KERNEL); ++ sizeof(struct pnfs_block_dev), gfp_mask); + if (!d->children) + return -ENOMEM; + +-- +2.40.1 + diff --git a/queue-5.15/nfs-guard-against-readdir-loop-when-entry-names-exce.patch b/queue-5.15/nfs-guard-against-readdir-loop-when-entry-names-exce.patch new file mode 100644 index 00000000000..59167ef4547 --- /dev/null +++ b/queue-5.15/nfs-guard-against-readdir-loop-when-entry-names-exce.patch @@ -0,0 +1,57 @@ +From f810a72b9d30748a10083aa548a77e7d27f941cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Aug 2023 14:22:38 -0400 +Subject: NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN + +From: Benjamin Coddington + +[ Upstream commit f67b55b6588bcf9316a1e6e8d529100a5aa3ebe6 ] + +Commit 64cfca85bacd asserts the only valid return values for +nfs2/3_decode_dirent should not include -ENAMETOOLONG, but for a server +that sends a filename3 which exceeds MAXNAMELEN in a READDIR response the +client's behavior will be to endlessly retry the operation. + +We could map -ENAMETOOLONG into -EBADCOOKIE, but that would produce +truncated listings without any error. The client should return an error +for this case to clearly assert that the server implementation must be +corrected. + +Fixes: 64cfca85bacd ("NFS: Return valid errors from nfs2/3_decode_dirent()") +Signed-off-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs2xdr.c | 2 +- + fs/nfs/nfs3xdr.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/nfs2xdr.c b/fs/nfs/nfs2xdr.c +index 3d5ba43f44bb6..266a4badf1dfc 100644 +--- a/fs/nfs/nfs2xdr.c ++++ b/fs/nfs/nfs2xdr.c +@@ -949,7 +949,7 @@ int nfs2_decode_dirent(struct xdr_stream *xdr, struct nfs_entry *entry, + + error = decode_filename_inline(xdr, &entry->name, &entry->len); + if (unlikely(error)) +- return -EAGAIN; ++ return error == -ENAMETOOLONG ? -ENAMETOOLONG : -EAGAIN; + + /* + * The type (size and byte order) of nfscookie isn't defined in +diff --git a/fs/nfs/nfs3xdr.c b/fs/nfs/nfs3xdr.c +index 7ab60ad98776f..d48db2f6f4f02 100644 +--- a/fs/nfs/nfs3xdr.c ++++ b/fs/nfs/nfs3xdr.c +@@ -1990,7 +1990,7 @@ int nfs3_decode_dirent(struct xdr_stream *xdr, struct nfs_entry *entry, + + error = decode_inline_filename3(xdr, &entry->name, &entry->len); + if (unlikely(error)) +- return -EAGAIN; ++ return error == -ENAMETOOLONG ? -ENAMETOOLONG : -EAGAIN; + + error = decode_cookie3(xdr, &new_cookie); + if (unlikely(error)) +-- +2.40.1 + diff --git a/queue-5.15/nfsd-da_addr_body-field-missing-in-some-getdeviceinf.patch b/queue-5.15/nfsd-da_addr_body-field-missing-in-some-getdeviceinf.patch new file mode 100644 index 00000000000..5418d18f141 --- /dev/null +++ b/queue-5.15/nfsd-da_addr_body-field-missing-in-some-getdeviceinf.patch @@ -0,0 +1,139 @@ +From c64c796787c958ae0806b36c93a8213b6153f57d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 10:20:52 -0400 +Subject: NFSD: da_addr_body field missing in some GETDEVICEINFO replies + +From: Chuck Lever + +[ Upstream commit 6372e2ee629894433fe6107d7048536a3280a284 ] + +The XDR specification in RFC 8881 looks like this: + +struct device_addr4 { + layouttype4 da_layout_type; + opaque da_addr_body<>; +}; + +struct GETDEVICEINFO4resok { + device_addr4 gdir_device_addr; + bitmap4 gdir_notification; +}; + +union GETDEVICEINFO4res switch (nfsstat4 gdir_status) { +case NFS4_OK: + GETDEVICEINFO4resok gdir_resok4; +case NFS4ERR_TOOSMALL: + count4 gdir_mincount; +default: + void; +}; + +Looking at nfsd4_encode_getdeviceinfo() .... + +When the client provides a zero gd_maxcount, then the Linux NFS +server implementation encodes the da_layout_type field and then +skips the da_addr_body field completely, proceeding directly to +encode gdir_notification field. + +There does not appear to be an option in the specification to skip +encoding da_addr_body. Moreover, Section 18.40.3 says: + +> If the client wants to just update or turn off notifications, it +> MAY send a GETDEVICEINFO operation with gdia_maxcount set to zero. +> In that event, if the device ID is valid, the reply's da_addr_body +> field of the gdir_device_addr field will be of zero length. + +Since the layout drivers are responsible for encoding the +da_addr_body field, put this fix inside the ->encode_getdeviceinfo +methods. + +Fixes: 9cf514ccfacb ("nfsd: implement pNFS operations") +Reviewed-by: Christoph Hellwig +Cc: Tom Haynes +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/blocklayoutxdr.c | 9 +++++++++ + fs/nfsd/flexfilelayoutxdr.c | 9 +++++++++ + fs/nfsd/nfs4xdr.c | 25 +++++++++++-------------- + 3 files changed, 29 insertions(+), 14 deletions(-) + +diff --git a/fs/nfsd/blocklayoutxdr.c b/fs/nfsd/blocklayoutxdr.c +index 442543304930b..2455dc8be18a8 100644 +--- a/fs/nfsd/blocklayoutxdr.c ++++ b/fs/nfsd/blocklayoutxdr.c +@@ -82,6 +82,15 @@ nfsd4_block_encode_getdeviceinfo(struct xdr_stream *xdr, + int len = sizeof(__be32), ret, i; + __be32 *p; + ++ /* ++ * See paragraph 5 of RFC 8881 S18.40.3. ++ */ ++ if (!gdp->gd_maxcount) { ++ if (xdr_stream_encode_u32(xdr, 0) != XDR_UNIT) ++ return nfserr_resource; ++ return nfs_ok; ++ } ++ + p = xdr_reserve_space(xdr, len + sizeof(__be32)); + if (!p) + return nfserr_resource; +diff --git a/fs/nfsd/flexfilelayoutxdr.c b/fs/nfsd/flexfilelayoutxdr.c +index e81d2a5cf381e..bb205328e043d 100644 +--- a/fs/nfsd/flexfilelayoutxdr.c ++++ b/fs/nfsd/flexfilelayoutxdr.c +@@ -85,6 +85,15 @@ nfsd4_ff_encode_getdeviceinfo(struct xdr_stream *xdr, + int addr_len; + __be32 *p; + ++ /* ++ * See paragraph 5 of RFC 8881 S18.40.3. ++ */ ++ if (!gdp->gd_maxcount) { ++ if (xdr_stream_encode_u32(xdr, 0) != XDR_UNIT) ++ return nfserr_resource; ++ return nfs_ok; ++ } ++ + /* len + padding for two strings */ + addr_len = 16 + da->netaddr.netid_len + da->netaddr.addr_len; + ver_len = 20; +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c +index e8132a17eeb3f..d28b75909de89 100644 +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -4533,20 +4533,17 @@ nfsd4_encode_getdeviceinfo(struct nfsd4_compoundres *resp, __be32 nfserr, + + *p++ = cpu_to_be32(gdev->gd_layout_type); + +- /* If maxcount is 0 then just update notifications */ +- if (gdev->gd_maxcount != 0) { +- ops = nfsd4_layout_ops[gdev->gd_layout_type]; +- nfserr = ops->encode_getdeviceinfo(xdr, gdev); +- if (nfserr) { +- /* +- * We don't bother to burden the layout drivers with +- * enforcing gd_maxcount, just tell the client to +- * come back with a bigger buffer if it's not enough. +- */ +- if (xdr->buf->len + 4 > gdev->gd_maxcount) +- goto toosmall; +- return nfserr; +- } ++ ops = nfsd4_layout_ops[gdev->gd_layout_type]; ++ nfserr = ops->encode_getdeviceinfo(xdr, gdev); ++ if (nfserr) { ++ /* ++ * We don't bother to burden the layout drivers with ++ * enforcing gd_maxcount, just tell the client to ++ * come back with a bigger buffer if it's not enough. ++ */ ++ if (xdr->buf->len + 4 > gdev->gd_maxcount) ++ goto toosmall; ++ return nfserr; + } + + if (gdev->gd_notify_types) { +-- +2.40.1 + diff --git a/queue-5.15/nfsv4.2-fix-handling-of-copy-err_offload_no_req.patch b/queue-5.15/nfsv4.2-fix-handling-of-copy-err_offload_no_req.patch new file mode 100644 index 00000000000..ed491674176 --- /dev/null +++ b/queue-5.15/nfsv4.2-fix-handling-of-copy-err_offload_no_req.patch @@ -0,0 +1,40 @@ +From a574afb10ff84ff91e76787da9bc871d392f5932 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Aug 2023 16:43:53 -0400 +Subject: NFSv4.2: fix handling of COPY ERR_OFFLOAD_NO_REQ + +From: Olga Kornievskaia + +[ Upstream commit 5690eed941ab7e33c3c3d6b850100cabf740f075 ] + +If the client sent a synchronous copy and the server replied with +ERR_OFFLOAD_NO_REQ indicating that it wants an asynchronous +copy instead, the client should retry with asynchronous copy. + +Fixes: 539f57b3e0fd ("NFS handle COPY ERR_OFFLOAD_NO_REQS") +Signed-off-by: Olga Kornievskaia +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs42proc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c +index bc07012741cb4..2975bbc33d280 100644 +--- a/fs/nfs/nfs42proc.c ++++ b/fs/nfs/nfs42proc.c +@@ -462,8 +462,9 @@ ssize_t nfs42_proc_copy(struct file *src, loff_t pos_src, + continue; + } + break; +- } else if (err == -NFS4ERR_OFFLOAD_NO_REQS && !args.sync) { +- args.sync = true; ++ } else if (err == -NFS4ERR_OFFLOAD_NO_REQS && ++ args.sync != res.synchronous) { ++ args.sync = res.synchronous; + dst_exception.retry = 1; + continue; + } else if ((err == -ESTALE || +-- +2.40.1 + diff --git a/queue-5.15/of-overlay-call-of_changeset_init-early.patch b/queue-5.15/of-overlay-call-of_changeset_init-early.patch new file mode 100644 index 00000000000..bee7dacf414 --- /dev/null +++ b/queue-5.15/of-overlay-call-of_changeset_init-early.patch @@ -0,0 +1,56 @@ +From 80cd242fad2142fb9ef227ac021db769e8438db7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jul 2023 10:50:28 +0200 +Subject: of: overlay: Call of_changeset_init() early + +From: Geert Uytterhoeven + +[ Upstream commit a9515ff4fb142b690a0d2b58782b15903b990dba ] + +When of_overlay_fdt_apply() fails, the changeset may be partially +applied, and the caller is still expected to call of_overlay_remove() to +clean up this partial state. + +However, of_overlay_apply() calls of_resolve_phandles() before +init_overlay_changeset(). Hence if the overlay fails to apply due to an +unresolved symbol, the overlay_changeset.cset.entries list is still +uninitialized, and cleanup will crash with a NULL-pointer dereference in +overlay_removal_is_ok(). + +Fix this by moving the call to of_changeset_init() from +init_overlay_changeset() to of_overlay_fdt_apply(), where all other +early initialization is done. + +Fixes: f948d6d8b792bb90 ("of: overlay: avoid race condition between applying multiple overlays") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/4f1d6d74b61cba2599026adb6d1948ae559ce91f.1690533838.git.geert+renesas@glider.be +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/overlay.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c +index 8f2ddba3947e5..ee7f3659b353c 100644 +--- a/drivers/of/overlay.c ++++ b/drivers/of/overlay.c +@@ -752,8 +752,6 @@ static int init_overlay_changeset(struct overlay_changeset *ovcs) + if (!of_node_is_root(ovcs->overlay_root)) + pr_debug("%s() ovcs->overlay_root is not root\n", __func__); + +- of_changeset_init(&ovcs->cset); +- + cnt = 0; + + /* fragment nodes */ +@@ -995,6 +993,7 @@ int of_overlay_fdt_apply(const void *overlay_fdt, u32 overlay_fdt_size, + + INIT_LIST_HEAD(&ovcs->ovcs_list); + list_add_tail(&ovcs->ovcs_list, &ovcs_list); ++ of_changeset_init(&ovcs->cset); + + /* + * Must create permanent copy of FDT because of_fdt_unflatten_tree() +-- +2.40.1 + diff --git a/queue-5.15/of-unittest-fix-null-pointer-dereferencing-in-of_uni.patch b/queue-5.15/of-unittest-fix-null-pointer-dereferencing-in-of_uni.patch new file mode 100644 index 00000000000..be904810deb --- /dev/null +++ b/queue-5.15/of-unittest-fix-null-pointer-dereferencing-in-of_uni.patch @@ -0,0 +1,74 @@ +From 8a1c31901f4cdaf9622da8023de040f1b4ea5220 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jul 2023 16:02:46 +0800 +Subject: of: unittest: fix null pointer dereferencing in + of_unittest_find_node_by_name() + +From: Ruan Jinjie + +[ Upstream commit d6ce4f0ea19c32f10867ed93d8386924326ab474 ] + +when kmalloc() fail to allocate memory in kasprintf(), name +or full_name will be NULL, strcmp() will cause +null pointer dereference. + +Fixes: 0d638a07d3a1 ("of: Convert to using %pOF instead of full_name") +Signed-off-by: Ruan Jinjie +Link: https://lore.kernel.org/r/20230727080246.519539-1-ruanjinjie@huawei.com +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/unittest.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index a9871e2f0a0bb..19d3b136aed79 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -70,7 +70,7 @@ static void __init of_unittest_find_node_by_name(void) + + np = of_find_node_by_path("/testcase-data"); + name = kasprintf(GFP_KERNEL, "%pOF", np); +- unittest(np && !strcmp("/testcase-data", name), ++ unittest(np && name && !strcmp("/testcase-data", name), + "find /testcase-data failed\n"); + of_node_put(np); + kfree(name); +@@ -81,14 +81,14 @@ static void __init of_unittest_find_node_by_name(void) + + np = of_find_node_by_path("/testcase-data/phandle-tests/consumer-a"); + name = kasprintf(GFP_KERNEL, "%pOF", np); +- unittest(np && !strcmp("/testcase-data/phandle-tests/consumer-a", name), ++ unittest(np && name && !strcmp("/testcase-data/phandle-tests/consumer-a", name), + "find /testcase-data/phandle-tests/consumer-a failed\n"); + of_node_put(np); + kfree(name); + + np = of_find_node_by_path("testcase-alias"); + name = kasprintf(GFP_KERNEL, "%pOF", np); +- unittest(np && !strcmp("/testcase-data", name), ++ unittest(np && name && !strcmp("/testcase-data", name), + "find testcase-alias failed\n"); + of_node_put(np); + kfree(name); +@@ -99,7 +99,7 @@ static void __init of_unittest_find_node_by_name(void) + + np = of_find_node_by_path("testcase-alias/phandle-tests/consumer-a"); + name = kasprintf(GFP_KERNEL, "%pOF", np); +- unittest(np && !strcmp("/testcase-data/phandle-tests/consumer-a", name), ++ unittest(np && name && !strcmp("/testcase-data/phandle-tests/consumer-a", name), + "find testcase-alias/phandle-tests/consumer-a failed\n"); + of_node_put(np); + kfree(name); +@@ -1373,6 +1373,8 @@ static void attach_node_and_children(struct device_node *np) + const char *full_name; + + full_name = kasprintf(GFP_KERNEL, "%pOF", np); ++ if (!full_name) ++ return; + + if (!strcmp(full_name, "/__local_fixups__") || + !strcmp(full_name, "/__fixups__")) { +-- +2.40.1 + diff --git a/queue-5.15/of-unittest-fix-overlay-type-in-apply-revert-check.patch b/queue-5.15/of-unittest-fix-overlay-type-in-apply-revert-check.patch new file mode 100644 index 00000000000..bfe172578c4 --- /dev/null +++ b/queue-5.15/of-unittest-fix-overlay-type-in-apply-revert-check.patch @@ -0,0 +1,42 @@ +From 9804b772fa079824805251f07d07811380b43601 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jul 2023 10:50:29 +0200 +Subject: of: unittest: Fix overlay type in apply/revert check + +From: Geert Uytterhoeven + +[ Upstream commit 6becf8f845ae1f0b1cfed395bbeccbd23654162d ] + +The removal check in of_unittest_apply_revert_overlay_check() +always uses the platform device overlay type, while it should use the +actual overlay type, as passed as a parameter to the function. + +This has no impact on any current test, as all tests calling +of_unittest_apply_revert_overlay_check() use the platform device overlay +type. + +Fixes: d5e75500ca401d31 ("of: unitest: Add I2C overlay unit tests.") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/ba0234c41ba808f10112094f88792beeb6dbaedf.1690533838.git.geert+renesas@glider.be +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/unittest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index 19d3b136aed79..073a3f44c4049 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -2073,7 +2073,7 @@ static int __init of_unittest_apply_revert_overlay_check(int overlay_nr, + of_unittest_untrack_overlay(save_id); + + /* unittest device must be again in before state */ +- if (of_unittest_device_exists(unittest_nr, PDEV_OVERLAY) != before) { ++ if (of_unittest_device_exists(unittest_nr, ovtype) != before) { + unittest(0, "%s with device @\"%s\" %s\n", + overlay_name_from_nr(overlay_nr), + unittest_path(unittest_nr, ovtype), +-- +2.40.1 + diff --git a/queue-5.15/opp-fix-passing-0-to-ptr_err-in-_opp_attach_genpd.patch b/queue-5.15/opp-fix-passing-0-to-ptr_err-in-_opp_attach_genpd.patch new file mode 100644 index 00000000000..273f8af55e2 --- /dev/null +++ b/queue-5.15/opp-fix-passing-0-to-ptr_err-in-_opp_attach_genpd.patch @@ -0,0 +1,41 @@ +From 8ac281056665751da773c4d59b49b4abd30589b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 18:16:34 +0530 +Subject: OPP: Fix passing 0 to PTR_ERR in _opp_attach_genpd() + +From: Manivannan Sadhasivam + +[ Upstream commit d920920f85a82c1c806a4143871a0e8f534732f2 ] + +If dev_pm_domain_attach_by_name() returns NULL, then 0 will be passed to +PTR_ERR() as reported by the smatch warning below: + +drivers/opp/core.c:2456 _opp_attach_genpd() warn: passing zero to 'PTR_ERR' + +Fix it by checking for the non-NULL virt_dev pointer before passing it to +PTR_ERR. Otherwise return -ENODEV. + +Fixes: 4ea9496cbc95 ("opp: Fix error check in dev_pm_opp_attach_genpd()") +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/opp/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/opp/core.c b/drivers/opp/core.c +index 4960d5f8c8bcb..dbd69d8e44e42 100644 +--- a/drivers/opp/core.c ++++ b/drivers/opp/core.c +@@ -2392,7 +2392,7 @@ struct opp_table *dev_pm_opp_attach_genpd(struct device *dev, + + virt_dev = dev_pm_domain_attach_by_name(dev, *name); + if (IS_ERR_OR_NULL(virt_dev)) { +- ret = PTR_ERR(virt_dev) ? : -ENODEV; ++ ret = virt_dev ? PTR_ERR(virt_dev) : -ENODEV; + dev_err(dev, "Couldn't attach to pm_domain: %d\n", ret); + goto err; + } +-- +2.40.1 + diff --git a/queue-5.15/pci-aspm-use-rmw-accessors-for-changing-lnkctl.patch b/queue-5.15/pci-aspm-use-rmw-accessors-for-changing-lnkctl.patch new file mode 100644 index 00000000000..04a757110ea --- /dev/null +++ b/queue-5.15/pci-aspm-use-rmw-accessors-for-changing-lnkctl.patch @@ -0,0 +1,105 @@ +From 414fcc188770be1a518ee2522567c935ee0c8afb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 15:04:56 +0300 +Subject: PCI/ASPM: Use RMW accessors for changing LNKCTL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit e09060b3b6b4661278ff8e1b7b81a37d5ea86eae ] + +Don't assume that the device is fully under the control of ASPM and use RMW +capability accessors which do proper locking to avoid losing concurrent +updates to the register values. + +If configuration fails in pcie_aspm_configure_common_clock(), the +function attempts to restore the old PCI_EXP_LNKCTL_CCC settings. Store +only the old PCI_EXP_LNKCTL_CCC bit for the relevant devices rather +than the content of the whole LNKCTL registers. It aligns better with +how pcie_lnkctl_clear_and_set() expects its parameter and makes the +code more obvious to understand. + +Suggested-by: Lukas Wunner +Fixes: 2a42d9dba784 ("PCIe: ASPM: Break out of endless loop waiting for PCI config bits to switch") +Fixes: 7d715a6c1ae5 ("PCI: add PCI Express ASPM support") +Link: https://lore.kernel.org/r/20230717120503.15276-5-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Acked-by: "Rafael J. Wysocki" +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/aspm.c | 30 +++++++++++++----------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c +index 3078de668f911..4a2c229205fd0 100644 +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -249,7 +249,7 @@ static int pcie_retrain_link(struct pcie_link_state *link) + static void pcie_aspm_configure_common_clock(struct pcie_link_state *link) + { + int same_clock = 1; +- u16 reg16, parent_reg, child_reg[8]; ++ u16 reg16, ccc, parent_old_ccc, child_old_ccc[8]; + struct pci_dev *child, *parent = link->pdev; + struct pci_bus *linkbus = parent->subordinate; + /* +@@ -271,6 +271,7 @@ static void pcie_aspm_configure_common_clock(struct pcie_link_state *link) + + /* Port might be already in common clock mode */ + pcie_capability_read_word(parent, PCI_EXP_LNKCTL, ®16); ++ parent_old_ccc = reg16 & PCI_EXP_LNKCTL_CCC; + if (same_clock && (reg16 & PCI_EXP_LNKCTL_CCC)) { + bool consistent = true; + +@@ -287,34 +288,29 @@ static void pcie_aspm_configure_common_clock(struct pcie_link_state *link) + pci_info(parent, "ASPM: current common clock configuration is inconsistent, reconfiguring\n"); + } + ++ ccc = same_clock ? PCI_EXP_LNKCTL_CCC : 0; + /* Configure downstream component, all functions */ + list_for_each_entry(child, &linkbus->devices, bus_list) { + pcie_capability_read_word(child, PCI_EXP_LNKCTL, ®16); +- child_reg[PCI_FUNC(child->devfn)] = reg16; +- if (same_clock) +- reg16 |= PCI_EXP_LNKCTL_CCC; +- else +- reg16 &= ~PCI_EXP_LNKCTL_CCC; +- pcie_capability_write_word(child, PCI_EXP_LNKCTL, reg16); ++ child_old_ccc[PCI_FUNC(child->devfn)] = reg16 & PCI_EXP_LNKCTL_CCC; ++ pcie_capability_clear_and_set_word(child, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_CCC, ccc); + } + + /* Configure upstream component */ +- pcie_capability_read_word(parent, PCI_EXP_LNKCTL, ®16); +- parent_reg = reg16; +- if (same_clock) +- reg16 |= PCI_EXP_LNKCTL_CCC; +- else +- reg16 &= ~PCI_EXP_LNKCTL_CCC; +- pcie_capability_write_word(parent, PCI_EXP_LNKCTL, reg16); ++ pcie_capability_clear_and_set_word(parent, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_CCC, ccc); + + if (pcie_retrain_link(link)) { + + /* Training failed. Restore common clock configurations */ + pci_err(parent, "ASPM: Could not configure common clock\n"); + list_for_each_entry(child, &linkbus->devices, bus_list) +- pcie_capability_write_word(child, PCI_EXP_LNKCTL, +- child_reg[PCI_FUNC(child->devfn)]); +- pcie_capability_write_word(parent, PCI_EXP_LNKCTL, parent_reg); ++ pcie_capability_clear_and_set_word(child, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_CCC, ++ child_old_ccc[PCI_FUNC(child->devfn)]); ++ pcie_capability_clear_and_set_word(parent, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_CCC, parent_old_ccc); + } + } + +-- +2.40.1 + diff --git a/queue-5.15/pci-dwc-add-start_link-stop_link-inlines.patch b/queue-5.15/pci-dwc-add-start_link-stop_link-inlines.patch new file mode 100644 index 00000000000..238c58799e0 --- /dev/null +++ b/queue-5.15/pci-dwc-add-start_link-stop_link-inlines.patch @@ -0,0 +1,199 @@ +From 38dcefa5a21ff853b16f2074135d975761112122 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jun 2022 17:34:23 +0300 +Subject: PCI: dwc: Add start_link/stop_link inlines + +From: Serge Semin + +[ Upstream commit a37beefbde8802a4eab2545fee1b1780a03f2aa0 ] + +Factor out this pattern: + + if (!pci->ops || !pci->ops->start_link) + return -EINVAL; + + return pci->ops->start_link(pci); + +into a new dw_pcie_start_link() wrapper and do the same for the stop_link() +method. + +Note that dw_pcie_ep_start() previously returned -EINVAL if there was no +platform start_link() method, which didn't make much sense since that is +not an error. It will now return 0 in that case. + +As a side-effect, drop the empty start_link() and dummy dw_pcie_ops +instances from the generic DW PCIe and Layerscape EP platform drivers. + +[bhelgaas: commit log] +Link: https://lore.kernel.org/r/20220624143428.8334-14-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Serge Semin +Signed-off-by: Bjorn Helgaas +Reviewed-by: Rob Herring +Reviewed-by: Manivannan Sadhasivam +Stable-dep-of: 17cf8661ee0f ("PCI: layerscape: Add workaround for lost link capabilities during reset") +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/dwc/pci-layerscape-ep.c | 12 ------------ + drivers/pci/controller/dwc/pcie-designware-ep.c | 8 ++------ + drivers/pci/controller/dwc/pcie-designware-host.c | 10 ++++------ + drivers/pci/controller/dwc/pcie-designware-plat.c | 10 ---------- + drivers/pci/controller/dwc/pcie-designware.h | 14 ++++++++++++++ + 5 files changed, 20 insertions(+), 34 deletions(-) + +diff --git a/drivers/pci/controller/dwc/pci-layerscape-ep.c b/drivers/pci/controller/dwc/pci-layerscape-ep.c +index 39f4664bd84c7..ad99707b3b994 100644 +--- a/drivers/pci/controller/dwc/pci-layerscape-ep.c ++++ b/drivers/pci/controller/dwc/pci-layerscape-ep.c +@@ -32,15 +32,6 @@ struct ls_pcie_ep { + const struct ls_pcie_ep_drvdata *drvdata; + }; + +-static int ls_pcie_establish_link(struct dw_pcie *pci) +-{ +- return 0; +-} +- +-static const struct dw_pcie_ops dw_ls_pcie_ep_ops = { +- .start_link = ls_pcie_establish_link, +-}; +- + static const struct pci_epc_features* + ls_pcie_ep_get_features(struct dw_pcie_ep *ep) + { +@@ -106,19 +97,16 @@ static const struct dw_pcie_ep_ops ls_pcie_ep_ops = { + + static const struct ls_pcie_ep_drvdata ls1_ep_drvdata = { + .ops = &ls_pcie_ep_ops, +- .dw_pcie_ops = &dw_ls_pcie_ep_ops, + }; + + static const struct ls_pcie_ep_drvdata ls2_ep_drvdata = { + .func_offset = 0x20000, + .ops = &ls_pcie_ep_ops, +- .dw_pcie_ops = &dw_ls_pcie_ep_ops, + }; + + static const struct ls_pcie_ep_drvdata lx2_ep_drvdata = { + .func_offset = 0x8000, + .ops = &ls_pcie_ep_ops, +- .dw_pcie_ops = &dw_ls_pcie_ep_ops, + }; + + static const struct of_device_id ls_pcie_ep_of_match[] = { +diff --git a/drivers/pci/controller/dwc/pcie-designware-ep.c b/drivers/pci/controller/dwc/pcie-designware-ep.c +index 2af4ed90e12b3..5023b7f704d2f 100644 +--- a/drivers/pci/controller/dwc/pcie-designware-ep.c ++++ b/drivers/pci/controller/dwc/pcie-designware-ep.c +@@ -434,8 +434,7 @@ static void dw_pcie_ep_stop(struct pci_epc *epc) + struct dw_pcie_ep *ep = epc_get_drvdata(epc); + struct dw_pcie *pci = to_dw_pcie_from_ep(ep); + +- if (pci->ops && pci->ops->stop_link) +- pci->ops->stop_link(pci); ++ dw_pcie_stop_link(pci); + } + + static int dw_pcie_ep_start(struct pci_epc *epc) +@@ -443,10 +442,7 @@ static int dw_pcie_ep_start(struct pci_epc *epc) + struct dw_pcie_ep *ep = epc_get_drvdata(epc); + struct dw_pcie *pci = to_dw_pcie_from_ep(ep); + +- if (!pci->ops || !pci->ops->start_link) +- return -EINVAL; +- +- return pci->ops->start_link(pci); ++ return dw_pcie_start_link(pci); + } + + static const struct pci_epc_features* +diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c +index 7cd4593ad12fa..f561e87cd5f6e 100644 +--- a/drivers/pci/controller/dwc/pcie-designware-host.c ++++ b/drivers/pci/controller/dwc/pcie-designware-host.c +@@ -402,8 +402,8 @@ int dw_pcie_host_init(struct pcie_port *pp) + + dw_pcie_setup_rc(pp); + +- if (!dw_pcie_link_up(pci) && pci->ops && pci->ops->start_link) { +- ret = pci->ops->start_link(pci); ++ if (!dw_pcie_link_up(pci)) { ++ ret = dw_pcie_start_link(pci); + if (ret) + goto err_free_msi; + } +@@ -420,8 +420,7 @@ int dw_pcie_host_init(struct pcie_port *pp) + return 0; + + err_stop_link: +- if (pci->ops && pci->ops->stop_link) +- pci->ops->stop_link(pci); ++ dw_pcie_stop_link(pci); + + err_free_msi: + if (pp->has_msi_ctrl) +@@ -437,8 +436,7 @@ void dw_pcie_host_deinit(struct pcie_port *pp) + pci_stop_root_bus(pp->bridge->bus); + pci_remove_root_bus(pp->bridge->bus); + +- if (pci->ops && pci->ops->stop_link) +- pci->ops->stop_link(pci); ++ dw_pcie_stop_link(pci); + + if (pp->has_msi_ctrl) + dw_pcie_free_msi(pp); +diff --git a/drivers/pci/controller/dwc/pcie-designware-plat.c b/drivers/pci/controller/dwc/pcie-designware-plat.c +index 8851eb161a0eb..107318ad22817 100644 +--- a/drivers/pci/controller/dwc/pcie-designware-plat.c ++++ b/drivers/pci/controller/dwc/pcie-designware-plat.c +@@ -36,15 +36,6 @@ static const struct of_device_id dw_plat_pcie_of_match[]; + static const struct dw_pcie_host_ops dw_plat_pcie_host_ops = { + }; + +-static int dw_plat_pcie_establish_link(struct dw_pcie *pci) +-{ +- return 0; +-} +- +-static const struct dw_pcie_ops dw_pcie_ops = { +- .start_link = dw_plat_pcie_establish_link, +-}; +- + static void dw_plat_pcie_ep_init(struct dw_pcie_ep *ep) + { + struct dw_pcie *pci = to_dw_pcie_from_ep(ep); +@@ -142,7 +133,6 @@ static int dw_plat_pcie_probe(struct platform_device *pdev) + return -ENOMEM; + + pci->dev = dev; +- pci->ops = &dw_pcie_ops; + + dw_plat_pcie->pci = pci; + dw_plat_pcie->mode = mode; +diff --git a/drivers/pci/controller/dwc/pcie-designware.h b/drivers/pci/controller/dwc/pcie-designware.h +index 7d6e9b7576be5..8ba2392926346 100644 +--- a/drivers/pci/controller/dwc/pcie-designware.h ++++ b/drivers/pci/controller/dwc/pcie-designware.h +@@ -365,6 +365,20 @@ static inline void dw_pcie_dbi_ro_wr_dis(struct dw_pcie *pci) + dw_pcie_writel_dbi(pci, reg, val); + } + ++static inline int dw_pcie_start_link(struct dw_pcie *pci) ++{ ++ if (pci->ops && pci->ops->start_link) ++ return pci->ops->start_link(pci); ++ ++ return 0; ++} ++ ++static inline void dw_pcie_stop_link(struct dw_pcie *pci) ++{ ++ if (pci->ops && pci->ops->stop_link) ++ pci->ops->stop_link(pci); ++} ++ + #ifdef CONFIG_PCIE_DW_HOST + irqreturn_t dw_handle_msi_irq(struct pcie_port *pp); + void dw_pcie_setup_rc(struct pcie_port *pp); +-- +2.40.1 + diff --git a/queue-5.15/pci-layerscape-add-the-endpoint-linkup-notifier-supp.patch b/queue-5.15/pci-layerscape-add-the-endpoint-linkup-notifier-supp.patch new file mode 100644 index 00000000000..6cc13aaeaeb --- /dev/null +++ b/queue-5.15/pci-layerscape-add-the-endpoint-linkup-notifier-supp.patch @@ -0,0 +1,171 @@ +From 12bdb53dca866ef01fa834addc6d01b97f6dbe3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 11:10:49 -0400 +Subject: PCI: layerscape: Add the endpoint linkup notifier support + +From: Frank Li + +[ Upstream commit 061cbfab09fb35898f2907d42f936cf9ae271d93 ] + +Layerscape has PME interrupt, which can be used as linkup notifier. Set +CFG_READY bit of PEX_PF0_CONFIG to enable accesses from root complex when +linkup detected. + +Link: https://lore.kernel.org/r/20230515151049.2797105-1-Frank.Li@nxp.com +Signed-off-by: Xiaowei Bao +Signed-off-by: Frank Li +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Bjorn Helgaas +Acked-by: Manivannan Sadhasivam +Stable-dep-of: 17cf8661ee0f ("PCI: layerscape: Add workaround for lost link capabilities during reset") +Signed-off-by: Sasha Levin +--- + .../pci/controller/dwc/pci-layerscape-ep.c | 100 +++++++++++++++++- + 1 file changed, 99 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/dwc/pci-layerscape-ep.c b/drivers/pci/controller/dwc/pci-layerscape-ep.c +index ad99707b3b994..5b27554e071a1 100644 +--- a/drivers/pci/controller/dwc/pci-layerscape-ep.c ++++ b/drivers/pci/controller/dwc/pci-layerscape-ep.c +@@ -18,6 +18,20 @@ + + #include "pcie-designware.h" + ++#define PEX_PF0_CONFIG 0xC0014 ++#define PEX_PF0_CFG_READY BIT(0) ++ ++/* PEX PFa PCIE PME and message interrupt registers*/ ++#define PEX_PF0_PME_MES_DR 0xC0020 ++#define PEX_PF0_PME_MES_DR_LUD BIT(7) ++#define PEX_PF0_PME_MES_DR_LDD BIT(9) ++#define PEX_PF0_PME_MES_DR_HRD BIT(10) ++ ++#define PEX_PF0_PME_MES_IER 0xC0028 ++#define PEX_PF0_PME_MES_IER_LUDIE BIT(7) ++#define PEX_PF0_PME_MES_IER_LDDIE BIT(9) ++#define PEX_PF0_PME_MES_IER_HRDIE BIT(10) ++ + #define to_ls_pcie_ep(x) dev_get_drvdata((x)->dev) + + struct ls_pcie_ep_drvdata { +@@ -30,8 +44,84 @@ struct ls_pcie_ep { + struct dw_pcie *pci; + struct pci_epc_features *ls_epc; + const struct ls_pcie_ep_drvdata *drvdata; ++ int irq; ++ bool big_endian; + }; + ++static u32 ls_lut_readl(struct ls_pcie_ep *pcie, u32 offset) ++{ ++ struct dw_pcie *pci = pcie->pci; ++ ++ if (pcie->big_endian) ++ return ioread32be(pci->dbi_base + offset); ++ else ++ return ioread32(pci->dbi_base + offset); ++} ++ ++static void ls_lut_writel(struct ls_pcie_ep *pcie, u32 offset, u32 value) ++{ ++ struct dw_pcie *pci = pcie->pci; ++ ++ if (pcie->big_endian) ++ iowrite32be(value, pci->dbi_base + offset); ++ else ++ iowrite32(value, pci->dbi_base + offset); ++} ++ ++static irqreturn_t ls_pcie_ep_event_handler(int irq, void *dev_id) ++{ ++ struct ls_pcie_ep *pcie = dev_id; ++ struct dw_pcie *pci = pcie->pci; ++ u32 val, cfg; ++ ++ val = ls_lut_readl(pcie, PEX_PF0_PME_MES_DR); ++ ls_lut_writel(pcie, PEX_PF0_PME_MES_DR, val); ++ ++ if (!val) ++ return IRQ_NONE; ++ ++ if (val & PEX_PF0_PME_MES_DR_LUD) { ++ cfg = ls_lut_readl(pcie, PEX_PF0_CONFIG); ++ cfg |= PEX_PF0_CFG_READY; ++ ls_lut_writel(pcie, PEX_PF0_CONFIG, cfg); ++ dw_pcie_ep_linkup(&pci->ep); ++ ++ dev_dbg(pci->dev, "Link up\n"); ++ } else if (val & PEX_PF0_PME_MES_DR_LDD) { ++ dev_dbg(pci->dev, "Link down\n"); ++ } else if (val & PEX_PF0_PME_MES_DR_HRD) { ++ dev_dbg(pci->dev, "Hot reset\n"); ++ } ++ ++ return IRQ_HANDLED; ++} ++ ++static int ls_pcie_ep_interrupt_init(struct ls_pcie_ep *pcie, ++ struct platform_device *pdev) ++{ ++ u32 val; ++ int ret; ++ ++ pcie->irq = platform_get_irq_byname(pdev, "pme"); ++ if (pcie->irq < 0) ++ return pcie->irq; ++ ++ ret = devm_request_irq(&pdev->dev, pcie->irq, ls_pcie_ep_event_handler, ++ IRQF_SHARED, pdev->name, pcie); ++ if (ret) { ++ dev_err(&pdev->dev, "Can't register PCIe IRQ\n"); ++ return ret; ++ } ++ ++ /* Enable interrupts */ ++ val = ls_lut_readl(pcie, PEX_PF0_PME_MES_IER); ++ val |= PEX_PF0_PME_MES_IER_LDDIE | PEX_PF0_PME_MES_IER_HRDIE | ++ PEX_PF0_PME_MES_IER_LUDIE; ++ ls_lut_writel(pcie, PEX_PF0_PME_MES_IER, val); ++ ++ return 0; ++} ++ + static const struct pci_epc_features* + ls_pcie_ep_get_features(struct dw_pcie_ep *ep) + { +@@ -124,6 +214,7 @@ static int __init ls_pcie_ep_probe(struct platform_device *pdev) + struct ls_pcie_ep *pcie; + struct pci_epc_features *ls_epc; + struct resource *dbi_base; ++ int ret; + + pcie = devm_kzalloc(dev, sizeof(*pcie), GFP_KERNEL); + if (!pcie) +@@ -143,6 +234,7 @@ static int __init ls_pcie_ep_probe(struct platform_device *pdev) + pci->ops = pcie->drvdata->dw_pcie_ops; + + ls_epc->bar_fixed_64bit = (1 << BAR_2) | (1 << BAR_4); ++ ls_epc->linkup_notifier = true; + + pcie->pci = pci; + pcie->ls_epc = ls_epc; +@@ -154,9 +246,15 @@ static int __init ls_pcie_ep_probe(struct platform_device *pdev) + + pci->ep.ops = &ls_pcie_ep_ops; + ++ pcie->big_endian = of_property_read_bool(dev->of_node, "big-endian"); ++ + platform_set_drvdata(pdev, pcie); + +- return dw_pcie_ep_init(&pci->ep); ++ ret = dw_pcie_ep_init(&pci->ep); ++ if (ret) ++ return ret; ++ ++ return ls_pcie_ep_interrupt_init(pcie, pdev); + } + + static struct platform_driver ls_pcie_ep_driver = { +-- +2.40.1 + diff --git a/queue-5.15/pci-layerscape-add-workaround-for-lost-link-capabili.patch b/queue-5.15/pci-layerscape-add-workaround-for-lost-link-capabili.patch new file mode 100644 index 00000000000..4e004bff400 --- /dev/null +++ b/queue-5.15/pci-layerscape-add-workaround-for-lost-link-capabili.patch @@ -0,0 +1,89 @@ +From b10a802e736b499432d38c430edf1f95118853b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 09:58:34 -0400 +Subject: PCI: layerscape: Add workaround for lost link capabilities during + reset + +From: Xiaowei Bao + +[ Upstream commit 17cf8661ee0f065c08152e611a568dd1fb0285f1 ] + +The endpoint controller loses the Maximum Link Width and Supported Link Speed +value from the Link Capabilities Register - initially configured by the Reset +Configuration Word (RCW) - during a link-down or hot reset event. + +Address this issue in the endpoint event handler. + +Link: https://lore.kernel.org/r/20230720135834.1977616-2-Frank.Li@nxp.com +Fixes: a805770d8a22 ("PCI: layerscape: Add EP mode support") +Signed-off-by: Xiaowei Bao +Signed-off-by: Hou Zhiqiang +Signed-off-by: Frank Li +Signed-off-by: Lorenzo Pieralisi +Acked-by: Manivannan Sadhasivam +Signed-off-by: Sasha Levin +--- + .../pci/controller/dwc/pci-layerscape-ep.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/drivers/pci/controller/dwc/pci-layerscape-ep.c b/drivers/pci/controller/dwc/pci-layerscape-ep.c +index 5b27554e071a1..dd7d74fecc48e 100644 +--- a/drivers/pci/controller/dwc/pci-layerscape-ep.c ++++ b/drivers/pci/controller/dwc/pci-layerscape-ep.c +@@ -45,6 +45,7 @@ struct ls_pcie_ep { + struct pci_epc_features *ls_epc; + const struct ls_pcie_ep_drvdata *drvdata; + int irq; ++ u32 lnkcap; + bool big_endian; + }; + +@@ -73,6 +74,7 @@ static irqreturn_t ls_pcie_ep_event_handler(int irq, void *dev_id) + struct ls_pcie_ep *pcie = dev_id; + struct dw_pcie *pci = pcie->pci; + u32 val, cfg; ++ u8 offset; + + val = ls_lut_readl(pcie, PEX_PF0_PME_MES_DR); + ls_lut_writel(pcie, PEX_PF0_PME_MES_DR, val); +@@ -81,6 +83,19 @@ static irqreturn_t ls_pcie_ep_event_handler(int irq, void *dev_id) + return IRQ_NONE; + + if (val & PEX_PF0_PME_MES_DR_LUD) { ++ ++ offset = dw_pcie_find_capability(pci, PCI_CAP_ID_EXP); ++ ++ /* ++ * The values of the Maximum Link Width and Supported Link ++ * Speed from the Link Capabilities Register will be lost ++ * during link down or hot reset. Restore initial value ++ * that configured by the Reset Configuration Word (RCW). ++ */ ++ dw_pcie_dbi_ro_wr_en(pci); ++ dw_pcie_writel_dbi(pci, offset + PCI_EXP_LNKCAP, pcie->lnkcap); ++ dw_pcie_dbi_ro_wr_dis(pci); ++ + cfg = ls_lut_readl(pcie, PEX_PF0_CONFIG); + cfg |= PEX_PF0_CFG_READY; + ls_lut_writel(pcie, PEX_PF0_CONFIG, cfg); +@@ -214,6 +229,7 @@ static int __init ls_pcie_ep_probe(struct platform_device *pdev) + struct ls_pcie_ep *pcie; + struct pci_epc_features *ls_epc; + struct resource *dbi_base; ++ u8 offset; + int ret; + + pcie = devm_kzalloc(dev, sizeof(*pcie), GFP_KERNEL); +@@ -250,6 +266,9 @@ static int __init ls_pcie_ep_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, pcie); + ++ offset = dw_pcie_find_capability(pci, PCI_CAP_ID_EXP); ++ pcie->lnkcap = dw_pcie_readl_dbi(pci, offset + PCI_EXP_LNKCAP); ++ + ret = dw_pcie_ep_init(&pci->ep); + if (ret) + return ret; +-- +2.40.1 + diff --git a/queue-5.15/pci-mark-nvidia-t4-gpus-to-avoid-bus-reset.patch b/queue-5.15/pci-mark-nvidia-t4-gpus-to-avoid-bus-reset.patch new file mode 100644 index 00000000000..cce4bcda927 --- /dev/null +++ b/queue-5.15/pci-mark-nvidia-t4-gpus-to-avoid-bus-reset.patch @@ -0,0 +1,38 @@ +From 22ea88d09897f3071c2724deef2af31af142b46a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Apr 2023 20:34:11 +0800 +Subject: PCI: Mark NVIDIA T4 GPUs to avoid bus reset + +From: Wu Zongyong + +[ Upstream commit d5af729dc2071273f14cbb94abbc60608142fd83 ] + +NVIDIA T4 GPUs do not work with SBR. This problem is found when the T4 card +is direct attached to a Root Port only. Avoid bus reset by marking T4 GPUs +PCI_DEV_FLAGS_NO_BUS_RESET. + +Fixes: 4c207e7121fa ("PCI: Mark some NVIDIA GPUs to avoid bus reset") +Link: https://lore.kernel.org/r/2dcebea53a6eb9bd212ec6d8974af2e5e0333ef6.1681129861.git.wuzongyong@linux.alibaba.com +Signed-off-by: Wu Zongyong +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index ec17d42c2a155..2f26058178c31 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3606,7 +3606,7 @@ static void quirk_no_bus_reset(struct pci_dev *dev) + */ + static void quirk_nvidia_no_bus_reset(struct pci_dev *dev) + { +- if ((dev->device & 0xffc0) == 0x2340) ++ if ((dev->device & 0xffc0) == 0x2340 || dev->device == 0x1eb8) + quirk_no_bus_reset(dev); + } + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID, +-- +2.40.1 + diff --git a/queue-5.15/pci-microchip-correct-the-ded-and-sec-interrupt-bit-.patch b/queue-5.15/pci-microchip-correct-the-ded-and-sec-interrupt-bit-.patch new file mode 100644 index 00000000000..3d4e47f6dc2 --- /dev/null +++ b/queue-5.15/pci-microchip-correct-the-ded-and-sec-interrupt-bit-.patch @@ -0,0 +1,48 @@ +From 0960538f553638a0742768a135ebbb4c0c452ab1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jul 2023 14:13:55 +0100 +Subject: PCI: microchip: Correct the DED and SEC interrupt bit offsets + +From: Daire McNamara + +[ Upstream commit 6d473a5a26136edf55c435a1c433e52910e03926 ] + +The SEC and DED interrupt bits are laid out the wrong way round so the SEC +interrupt handler attempts to mask, unmask, and clear the DED interrupt +and vice versa. Correct the bit offsets so that each interrupt handler +operates properly. + +Link: https://lore.kernel.org/r/20230728131401.1615724-2-daire.mcnamara@microchip.com +Fixes: 6f15a9c9f941 ("PCI: microchip: Add Microchip PolarFire PCIe controller driver") +Signed-off-by: Daire McNamara +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Conor Dooley +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-microchip-host.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/pci/controller/pcie-microchip-host.c b/drivers/pci/controller/pcie-microchip-host.c +index 6e8a6540b377b..8eb049c839ca7 100644 +--- a/drivers/pci/controller/pcie-microchip-host.c ++++ b/drivers/pci/controller/pcie-microchip-host.c +@@ -167,12 +167,12 @@ + #define EVENT_PCIE_DLUP_EXIT 2 + #define EVENT_SEC_TX_RAM_SEC_ERR 3 + #define EVENT_SEC_RX_RAM_SEC_ERR 4 +-#define EVENT_SEC_AXI2PCIE_RAM_SEC_ERR 5 +-#define EVENT_SEC_PCIE2AXI_RAM_SEC_ERR 6 ++#define EVENT_SEC_PCIE2AXI_RAM_SEC_ERR 5 ++#define EVENT_SEC_AXI2PCIE_RAM_SEC_ERR 6 + #define EVENT_DED_TX_RAM_DED_ERR 7 + #define EVENT_DED_RX_RAM_DED_ERR 8 +-#define EVENT_DED_AXI2PCIE_RAM_DED_ERR 9 +-#define EVENT_DED_PCIE2AXI_RAM_DED_ERR 10 ++#define EVENT_DED_PCIE2AXI_RAM_DED_ERR 9 ++#define EVENT_DED_AXI2PCIE_RAM_DED_ERR 10 + #define EVENT_LOCAL_DMA_END_ENGINE_0 11 + #define EVENT_LOCAL_DMA_END_ENGINE_1 12 + #define EVENT_LOCAL_DMA_ERROR_ENGINE_0 13 +-- +2.40.1 + diff --git a/queue-5.15/pci-pciehp-use-rmw-accessors-for-changing-lnkctl.patch b/queue-5.15/pci-pciehp-use-rmw-accessors-for-changing-lnkctl.patch new file mode 100644 index 00000000000..26a6daabb26 --- /dev/null +++ b/queue-5.15/pci-pciehp-use-rmw-accessors-for-changing-lnkctl.patch @@ -0,0 +1,54 @@ +From e88c108d7e73499b26f4a58d4c4778baf04d8d62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 15:04:55 +0300 +Subject: PCI: pciehp: Use RMW accessors for changing LNKCTL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 5f75f96c61039151c193775d776fde42477eace1 ] + +As hotplug is not the only driver touching LNKCTL, use the RMW capability +accessor which handles concurrent changes correctly. + +Suggested-by: Lukas Wunner +Fixes: 7f822999e12a ("PCI: pciehp: Add Disable/enable link functions") +Link: https://lore.kernel.org/r/20230717120503.15276-4-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Acked-by: "Rafael J. Wysocki" +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/pciehp_hpc.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c +index 60098a701e83a..7773009b8b32e 100644 +--- a/drivers/pci/hotplug/pciehp_hpc.c ++++ b/drivers/pci/hotplug/pciehp_hpc.c +@@ -332,17 +332,11 @@ int pciehp_check_link_status(struct controller *ctrl) + static int __pciehp_link_set(struct controller *ctrl, bool enable) + { + struct pci_dev *pdev = ctrl_dev(ctrl); +- u16 lnk_ctrl; + +- pcie_capability_read_word(pdev, PCI_EXP_LNKCTL, &lnk_ctrl); ++ pcie_capability_clear_and_set_word(pdev, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_LD, ++ enable ? 0 : PCI_EXP_LNKCTL_LD); + +- if (enable) +- lnk_ctrl &= ~PCI_EXP_LNKCTL_LD; +- else +- lnk_ctrl |= PCI_EXP_LNKCTL_LD; +- +- pcie_capability_write_word(pdev, PCI_EXP_LNKCTL, lnk_ctrl); +- ctrl_dbg(ctrl, "%s: lnk_ctrl = %x\n", __func__, lnk_ctrl); + return 0; + } + +-- +2.40.1 + diff --git a/queue-5.15/perf-imx_ddr-don-t-enable-counter0-if-none-of-4-coun.patch b/queue-5.15/perf-imx_ddr-don-t-enable-counter0-if-none-of-4-coun.patch new file mode 100644 index 00000000000..6b3e1ab471f --- /dev/null +++ b/queue-5.15/perf-imx_ddr-don-t-enable-counter0-if-none-of-4-coun.patch @@ -0,0 +1,90 @@ +From 5f109e1683e64b7c8dfd987d8afc812e74b781f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 09:54:38 +0800 +Subject: perf/imx_ddr: don't enable counter0 if none of 4 counters are used + +From: Xu Yang + +[ Upstream commit f4e2bd91ddf5e8543cbe7ad80b3fba3d2dc63fa3 ] + +In current driver, counter0 will be enabled after ddr_perf_pmu_enable() +is called even though none of the 4 counters are used. This will cause +counter0 continue to count until ddr_perf_pmu_disabled() is called. If +pmu is not disabled all the time, the pmu interrupt will be asserted +from time to time due to counter0 will overflow and irq handler will +clear it. It's not an expected behavior. This patch will not enable +counter0 if none of 4 counters are used. + +Fixes: 9a66d36cc7ac ("drivers/perf: imx_ddr: Add DDR performance counter support to perf") +Signed-off-by: Xu Yang +Reviewed-by: Frank Li +Link: https://lore.kernel.org/r/20230811015438.1999307-2-xu.yang_2@nxp.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/fsl_imx8_ddr_perf.c | 24 +++++++++--------------- + 1 file changed, 9 insertions(+), 15 deletions(-) + +diff --git a/drivers/perf/fsl_imx8_ddr_perf.c b/drivers/perf/fsl_imx8_ddr_perf.c +index b1b2a55de77fc..4daa782c48df0 100644 +--- a/drivers/perf/fsl_imx8_ddr_perf.c ++++ b/drivers/perf/fsl_imx8_ddr_perf.c +@@ -102,6 +102,7 @@ struct ddr_pmu { + const struct fsl_ddr_devtype_data *devtype_data; + int irq; + int id; ++ int active_counter; + }; + + static ssize_t ddr_perf_identifier_show(struct device *dev, +@@ -496,6 +497,10 @@ static void ddr_perf_event_start(struct perf_event *event, int flags) + + ddr_perf_counter_enable(pmu, event->attr.config, counter, true); + ++ if (!pmu->active_counter++) ++ ddr_perf_counter_enable(pmu, EVENT_CYCLES_ID, ++ EVENT_CYCLES_COUNTER, true); ++ + hwc->state = 0; + } + +@@ -550,6 +555,10 @@ static void ddr_perf_event_stop(struct perf_event *event, int flags) + ddr_perf_counter_enable(pmu, event->attr.config, counter, false); + ddr_perf_event_update(event); + ++ if (!--pmu->active_counter) ++ ddr_perf_counter_enable(pmu, EVENT_CYCLES_ID, ++ EVENT_CYCLES_COUNTER, false); ++ + hwc->state |= PERF_HES_STOPPED; + } + +@@ -568,25 +577,10 @@ static void ddr_perf_event_del(struct perf_event *event, int flags) + + static void ddr_perf_pmu_enable(struct pmu *pmu) + { +- struct ddr_pmu *ddr_pmu = to_ddr_pmu(pmu); +- +- /* enable cycle counter if cycle is not active event list */ +- if (ddr_pmu->events[EVENT_CYCLES_COUNTER] == NULL) +- ddr_perf_counter_enable(ddr_pmu, +- EVENT_CYCLES_ID, +- EVENT_CYCLES_COUNTER, +- true); + } + + static void ddr_perf_pmu_disable(struct pmu *pmu) + { +- struct ddr_pmu *ddr_pmu = to_ddr_pmu(pmu); +- +- if (ddr_pmu->events[EVENT_CYCLES_COUNTER] == NULL) +- ddr_perf_counter_enable(ddr_pmu, +- EVENT_CYCLES_ID, +- EVENT_CYCLES_COUNTER, +- false); + } + + static int ddr_perf_init(struct ddr_pmu *pmu, void __iomem *base, +-- +2.40.1 + diff --git a/queue-5.15/phy-rockchip-inno-hdmi-do-not-power-on-rk3328-post-p.patch b/queue-5.15/phy-rockchip-inno-hdmi-do-not-power-on-rk3328-post-p.patch new file mode 100644 index 00000000000..12c7ba43c4e --- /dev/null +++ b/queue-5.15/phy-rockchip-inno-hdmi-do-not-power-on-rk3328-post-p.patch @@ -0,0 +1,55 @@ +From 88bc095fcb889cd7838ae2f37ea1758ae9c32f00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 17:10:21 +0000 +Subject: phy/rockchip: inno-hdmi: do not power on rk3328 post pll on reg write + +From: Jonas Karlman + +[ Upstream commit 19a1d46bd699940a496d3b0d4e142ef99834988c ] + +inno_write is used to configure 0xaa reg, that also hold the +POST_PLL_POWER_DOWN bit. +When POST_PLL_REFCLK_SEL_TMDS is configured the power down bit is not +taken into consideration. + +Fix this by keeping the power down bit until configuration is complete. +Also reorder the reg write order for consistency. + +Fixes: 53706a116863 ("phy: add Rockchip Innosilicon hdmi phy") +Signed-off-by: Jonas Karlman +Link: https://lore.kernel.org/r/20230615171005.2251032-5-jonas@kwiboo.se +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/rockchip/phy-rockchip-inno-hdmi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c b/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c +index 15a008a1ac7b9..2556caf475c0c 100644 +--- a/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c ++++ b/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c +@@ -1023,9 +1023,10 @@ inno_hdmi_phy_rk3328_power_on(struct inno_hdmi_phy *inno, + + inno_write(inno, 0xac, RK3328_POST_PLL_FB_DIV_7_0(cfg->fbdiv)); + if (cfg->postdiv == 1) { +- inno_write(inno, 0xaa, RK3328_POST_PLL_REFCLK_SEL_TMDS); + inno_write(inno, 0xab, RK3328_POST_PLL_FB_DIV_8(cfg->fbdiv) | + RK3328_POST_PLL_PRE_DIV(cfg->prediv)); ++ inno_write(inno, 0xaa, RK3328_POST_PLL_REFCLK_SEL_TMDS | ++ RK3328_POST_PLL_POWER_DOWN); + } else { + v = (cfg->postdiv / 2) - 1; + v &= RK3328_POST_PLL_POST_DIV_MASK; +@@ -1033,7 +1034,8 @@ inno_hdmi_phy_rk3328_power_on(struct inno_hdmi_phy *inno, + inno_write(inno, 0xab, RK3328_POST_PLL_FB_DIV_8(cfg->fbdiv) | + RK3328_POST_PLL_PRE_DIV(cfg->prediv)); + inno_write(inno, 0xaa, RK3328_POST_PLL_POST_DIV_ENABLE | +- RK3328_POST_PLL_REFCLK_SEL_TMDS); ++ RK3328_POST_PLL_REFCLK_SEL_TMDS | ++ RK3328_POST_PLL_POWER_DOWN); + } + + for (v = 0; v < 14; v++) +-- +2.40.1 + diff --git a/queue-5.15/phy-rockchip-inno-hdmi-round-fractal-pixclock-in-rk3.patch b/queue-5.15/phy-rockchip-inno-hdmi-round-fractal-pixclock-in-rk3.patch new file mode 100644 index 00000000000..217bed5e0b4 --- /dev/null +++ b/queue-5.15/phy-rockchip-inno-hdmi-round-fractal-pixclock-in-rk3.patch @@ -0,0 +1,50 @@ +From dc4acc049cdc424fce38e26d72574ef77314f2b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 17:10:19 +0000 +Subject: phy/rockchip: inno-hdmi: round fractal pixclock in rk3328 recalc_rate + +From: Zheng Yang + +[ Upstream commit d5ef343c1d62bc4c4c2c393af654a41cb34b449f ] + +inno_hdmi_phy_rk3328_clk_recalc_rate() is returning a rate not found +in the pre pll config table when the fractal divider is used. +This can prevent proper power_on because a tmdsclock for the new rate +is not found in the pre pll config table. + +Fix this by saving and returning a rounded pixel rate that exist +in the pre pll config table. + +Fixes: 53706a116863 ("phy: add Rockchip Innosilicon hdmi phy") +Signed-off-by: Zheng Yang +Signed-off-by: Jonas Karlman +Link: https://lore.kernel.org/r/20230615171005.2251032-3-jonas@kwiboo.se +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/rockchip/phy-rockchip-inno-hdmi.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c b/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c +index 15339338aae35..15a008a1ac7b9 100644 +--- a/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c ++++ b/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c +@@ -745,10 +745,12 @@ unsigned long inno_hdmi_phy_rk3328_clk_recalc_rate(struct clk_hw *hw, + do_div(vco, (nd * (no_a == 1 ? no_b : no_a) * no_d * 2)); + } + +- inno->pixclock = vco; +- dev_dbg(inno->dev, "%s rate %lu\n", __func__, inno->pixclock); ++ inno->pixclock = DIV_ROUND_CLOSEST((unsigned long)vco, 1000) * 1000; + +- return vco; ++ dev_dbg(inno->dev, "%s rate %lu vco %llu\n", ++ __func__, inno->pixclock, vco); ++ ++ return inno->pixclock; + } + + static long inno_hdmi_phy_rk3328_clk_round_rate(struct clk_hw *hw, +-- +2.40.1 + diff --git a/queue-5.15/phy-rockchip-inno-hdmi-use-correct-vco_div_5-macro-o.patch b/queue-5.15/phy-rockchip-inno-hdmi-use-correct-vco_div_5-macro-o.patch new file mode 100644 index 00000000000..fc7e2e92b70 --- /dev/null +++ b/queue-5.15/phy-rockchip-inno-hdmi-use-correct-vco_div_5-macro-o.patch @@ -0,0 +1,41 @@ +From 2d067770472d53b80bcd708c07344ae92de6c391 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 17:10:17 +0000 +Subject: phy/rockchip: inno-hdmi: use correct vco_div_5 macro on rk3328 + +From: Jonas Karlman + +[ Upstream commit 644c06dfbd0da713f772abf0a8f8581ac78e6264 ] + +inno_hdmi_phy_rk3328_clk_set_rate() is using the RK3228 macro +when configuring vco_div_5 on RK3328. + +Fix this by using correct vco_div_5 macro for RK3328. + +Fixes: 53706a116863 ("phy: add Rockchip Innosilicon hdmi phy") +Signed-off-by: Jonas Karlman +Link: https://lore.kernel.org/r/20230615171005.2251032-2-jonas@kwiboo.se +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/rockchip/phy-rockchip-inno-hdmi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c b/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c +index 80acca4e9e146..15339338aae35 100644 +--- a/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c ++++ b/drivers/phy/rockchip/phy-rockchip-inno-hdmi.c +@@ -790,8 +790,8 @@ static int inno_hdmi_phy_rk3328_clk_set_rate(struct clk_hw *hw, + RK3328_PRE_PLL_POWER_DOWN); + + /* Configure pre-pll */ +- inno_update_bits(inno, 0xa0, RK3228_PCLK_VCO_DIV_5_MASK, +- RK3228_PCLK_VCO_DIV_5(cfg->vco_div_5_en)); ++ inno_update_bits(inno, 0xa0, RK3328_PCLK_VCO_DIV_5_MASK, ++ RK3328_PCLK_VCO_DIV_5(cfg->vco_div_5_en)); + inno_write(inno, 0xa1, RK3328_PRE_PLL_PRE_DIV(cfg->prediv)); + + val = RK3328_SPREAD_SPECTRUM_MOD_DISABLE; +-- +2.40.1 + diff --git a/queue-5.15/pinctrl-mcp23s08-check-return-value-of-devm_kasprint.patch b/queue-5.15/pinctrl-mcp23s08-check-return-value-of-devm_kasprint.patch new file mode 100644 index 00000000000..34dcf444fd9 --- /dev/null +++ b/queue-5.15/pinctrl-mcp23s08-check-return-value-of-devm_kasprint.patch @@ -0,0 +1,62 @@ +From 5b56d85e5e5efbec8e1c5ac1b9b93d8f517d4645 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 13:04:09 +0300 +Subject: pinctrl: mcp23s08: check return value of devm_kasprintf() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Claudiu Beznea + +[ Upstream commit f941714a7c7698eadb59bc27d34d6d6f38982705 ] + +devm_kasprintf() returns a pointer to dynamically allocated memory. +Pointer could be NULL in case allocation fails. Check pointer validity. +Identified with coccinelle (kmerr.cocci script). + +Fixes: 0f04a81784fe ("pinctrl: mcp23s08: Split to three parts: core, I²C, SPI") +Signed-off-by: Claudiu Beznea +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230621100409.1608395-1-claudiu.beznea@microchip.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-mcp23s08_spi.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/pinctrl/pinctrl-mcp23s08_spi.c b/drivers/pinctrl/pinctrl-mcp23s08_spi.c +index 9ae10318f6f35..ea059b9c5542e 100644 +--- a/drivers/pinctrl/pinctrl-mcp23s08_spi.c ++++ b/drivers/pinctrl/pinctrl-mcp23s08_spi.c +@@ -91,18 +91,28 @@ static int mcp23s08_spi_regmap_init(struct mcp23s08 *mcp, struct device *dev, + mcp->reg_shift = 0; + mcp->chip.ngpio = 8; + mcp->chip.label = devm_kasprintf(dev, GFP_KERNEL, "mcp23s08.%d", addr); ++ if (!mcp->chip.label) ++ return -ENOMEM; + + config = &mcp23x08_regmap; + name = devm_kasprintf(dev, GFP_KERNEL, "%d", addr); ++ if (!name) ++ return -ENOMEM; ++ + break; + + case MCP_TYPE_S17: + mcp->reg_shift = 1; + mcp->chip.ngpio = 16; + mcp->chip.label = devm_kasprintf(dev, GFP_KERNEL, "mcp23s17.%d", addr); ++ if (!mcp->chip.label) ++ return -ENOMEM; + + config = &mcp23x17_regmap; + name = devm_kasprintf(dev, GFP_KERNEL, "%d", addr); ++ if (!name) ++ return -ENOMEM; ++ + break; + + case MCP_TYPE_S18: +-- +2.40.1 + diff --git a/queue-5.15/platform-x86-dell-sysman-fix-reference-leak.patch b/queue-5.15/platform-x86-dell-sysman-fix-reference-leak.patch new file mode 100644 index 00000000000..9a2771940ad --- /dev/null +++ b/queue-5.15/platform-x86-dell-sysman-fix-reference-leak.patch @@ -0,0 +1,56 @@ +From faa974a536779a41c198d096505fe2f8d27828eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Aug 2023 07:36:10 +0200 +Subject: platform/x86: dell-sysman: Fix reference leak + +From: Armin Wolf + +[ Upstream commit 7295a996fdab7bf83dc3d4078fa8b139b8e0a1bf ] + +If a duplicate attribute is found using kset_find_obj(), +a reference to that attribute is returned. This means +that we need to dispose it accordingly. Use kobject_put() +to dispose the duplicate attribute in such a case. + +Compile-tested only. + +Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") +Signed-off-by: Armin Wolf +Link: https://lore.kernel.org/r/20230805053610.7106-1-W_Armin@gmx.de +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c +index 636bdfa83284d..907fde53e95c4 100644 +--- a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c ++++ b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c +@@ -396,6 +396,7 @@ static int init_bios_attributes(int attr_type, const char *guid) + struct kobject *attr_name_kobj; //individual attribute names + union acpi_object *obj = NULL; + union acpi_object *elements; ++ struct kobject *duplicate; + struct kset *tmp_set; + int min_elements; + +@@ -454,9 +455,11 @@ static int init_bios_attributes(int attr_type, const char *guid) + else + tmp_set = wmi_priv.main_dir_kset; + +- if (kset_find_obj(tmp_set, elements[ATTR_NAME].string.pointer)) { +- pr_debug("duplicate attribute name found - %s\n", +- elements[ATTR_NAME].string.pointer); ++ duplicate = kset_find_obj(tmp_set, elements[ATTR_NAME].string.pointer); ++ if (duplicate) { ++ pr_debug("Duplicate attribute name found - %s\n", ++ elements[ATTR_NAME].string.pointer); ++ kobject_put(duplicate); + goto nextobj; + } + +-- +2.40.1 + diff --git a/queue-5.15/pnfs-fix-assignment-of-xprtdata.cred.patch b/queue-5.15/pnfs-fix-assignment-of-xprtdata.cred.patch new file mode 100644 index 00000000000..f7760a0d613 --- /dev/null +++ b/queue-5.15/pnfs-fix-assignment-of-xprtdata.cred.patch @@ -0,0 +1,39 @@ +From 16ff2c1ed4dd58cdccb8d31a82ce57a5cbda3cf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 14:31:31 -0400 +Subject: pNFS: Fix assignment of xprtdata.cred + +From: Anna Schumaker + +[ Upstream commit c4a123d2e8c4dc91d581ee7d05c0cd51a0273fab ] + +The comma at the end of the line was leftover from an earlier refactor +of the _nfs4_pnfs_v3_ds_connect() function. This is technically valid C, +so the compilers didn't catch it, but if I'm understanding how it works +correctly it assigns the return value of rpc_clnt_add_xprtr() to +xprtdata.cred. + +Reported-by: Olga Kornievskaia +Fixes: a12f996d3413 ("NFSv4/pNFS: Use connections to a DS that are all of the same protocol family") +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs_nfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/pnfs_nfs.c b/fs/nfs/pnfs_nfs.c +index 657c242a18ff1..6b681f0c5df0d 100644 +--- a/fs/nfs/pnfs_nfs.c ++++ b/fs/nfs/pnfs_nfs.c +@@ -943,7 +943,7 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv, + * Test this address for session trunking and + * add as an alias + */ +- xprtdata.cred = nfs4_get_clid_cred(clp), ++ xprtdata.cred = nfs4_get_clid_cred(clp); + rpc_clnt_add_xprt(clp->cl_rpcclient, &xprt_args, + rpc_clnt_setup_test_and_add_xprt, + &rpcdata); +-- +2.40.1 + diff --git a/queue-5.15/powerpc-don-t-include-lppaca.h-in-paca.h.patch b/queue-5.15/powerpc-don-t-include-lppaca.h-in-paca.h.patch new file mode 100644 index 00000000000..a0712e66c08 --- /dev/null +++ b/queue-5.15/powerpc-don-t-include-lppaca.h-in-paca.h.patch @@ -0,0 +1,134 @@ +From ed2da9ca78c27e5e43bf9e09e5854efdefaf67a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Aug 2023 15:53:16 +1000 +Subject: powerpc: Don't include lppaca.h in paca.h + +From: Michael Ellerman + +[ Upstream commit 1aa000667669fa855853decbb1c69e974d8ff716 ] + +By adding a forward declaration for struct lppaca we can untangle paca.h +and lppaca.h. Also move get_lppaca() into lppaca.h for consistency. + +Add includes of lppaca.h to some files that need it. + +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230823055317.751786-3-mpe@ellerman.id.au +Stable-dep-of: eac030b22ea1 ("powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT") +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/lppaca.h | 4 ++++ + arch/powerpc/include/asm/paca.h | 6 +----- + arch/powerpc/include/asm/paravirt.h | 1 + + arch/powerpc/include/asm/plpar_wrappers.h | 1 + + arch/powerpc/kvm/book3s_hv_ras.c | 1 + + arch/powerpc/mm/book3s64/slb.c | 1 + + arch/powerpc/xmon/xmon.c | 1 + + 7 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/arch/powerpc/include/asm/lppaca.h b/arch/powerpc/include/asm/lppaca.h +index c390ec377baed..5d509ba0550b5 100644 +--- a/arch/powerpc/include/asm/lppaca.h ++++ b/arch/powerpc/include/asm/lppaca.h +@@ -130,6 +130,10 @@ static inline bool lppaca_shared_proc(struct lppaca *l) + return !!(l->__old_status & LPPACA_OLD_SHARED_PROC); + } + ++#ifdef CONFIG_PPC_PSERIES ++#define get_lppaca() (get_paca()->lppaca_ptr) ++#endif ++ + /* + * SLB shadow buffer structure as defined in the PAPR. The save_area + * contains adjacent ESID and VSID pairs for each shadowed SLB. The +diff --git a/arch/powerpc/include/asm/paca.h b/arch/powerpc/include/asm/paca.h +index c5c9e25153152..02c089c5493ad 100644 +--- a/arch/powerpc/include/asm/paca.h ++++ b/arch/powerpc/include/asm/paca.h +@@ -14,7 +14,6 @@ + + #include + #include +-#include + #include + #include + #ifdef CONFIG_PPC_BOOK3E +@@ -46,14 +45,11 @@ extern unsigned int debug_smp_processor_id(void); /* from linux/smp.h */ + #define get_paca() local_paca + #endif + +-#ifdef CONFIG_PPC_PSERIES +-#define get_lppaca() (get_paca()->lppaca_ptr) +-#endif +- + #define get_slb_shadow() (get_paca()->slb_shadow_ptr) + + struct task_struct; + struct rtas_args; ++struct lppaca; + + /* + * Defines the layout of the paca. +diff --git a/arch/powerpc/include/asm/paravirt.h b/arch/powerpc/include/asm/paravirt.h +index b325022ffa2b0..0a333ac716e0b 100644 +--- a/arch/powerpc/include/asm/paravirt.h ++++ b/arch/powerpc/include/asm/paravirt.h +@@ -6,6 +6,7 @@ + #include + #ifdef CONFIG_PPC64 + #include ++#include + #include + #endif + +diff --git a/arch/powerpc/include/asm/plpar_wrappers.h b/arch/powerpc/include/asm/plpar_wrappers.h +index 83e0f701ebc67..217d8fb246354 100644 +--- a/arch/powerpc/include/asm/plpar_wrappers.h ++++ b/arch/powerpc/include/asm/plpar_wrappers.h +@@ -9,6 +9,7 @@ + + #include + #include ++#include + #include + + static inline long poll_pending(void) +diff --git a/arch/powerpc/kvm/book3s_hv_ras.c b/arch/powerpc/kvm/book3s_hv_ras.c +index d4bca93b79f6d..6fa634599bc90 100644 +--- a/arch/powerpc/kvm/book3s_hv_ras.c ++++ b/arch/powerpc/kvm/book3s_hv_ras.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/arch/powerpc/mm/book3s64/slb.c b/arch/powerpc/mm/book3s64/slb.c +index f0037bcc47a0e..a4fd2901189c5 100644 +--- a/arch/powerpc/mm/book3s64/slb.c ++++ b/arch/powerpc/mm/book3s64/slb.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c +index 3c085e1e5232e..8b5277c3b1476 100644 +--- a/arch/powerpc/xmon/xmon.c ++++ b/arch/powerpc/xmon/xmon.c +@@ -59,6 +59,7 @@ + #ifdef CONFIG_PPC64 + #include + #include ++#include + #endif + + #include "nonstdio.h" +-- +2.40.1 + diff --git a/queue-5.15/powerpc-fadump-reset-dump-area-size-if-fadump-memory.patch b/queue-5.15/powerpc-fadump-reset-dump-area-size-if-fadump-memory.patch new file mode 100644 index 00000000000..47a737dedab --- /dev/null +++ b/queue-5.15/powerpc-fadump-reset-dump-area-size-if-fadump-memory.patch @@ -0,0 +1,42 @@ +From 4405031011f6cf7f23516a52c382a457581a1f54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jul 2023 10:37:15 +0530 +Subject: powerpc/fadump: reset dump area size if fadump memory reserve fails + +From: Sourabh Jain + +[ Upstream commit d1eb75e0dfed80d2d85b664e28a39f65b290ab55 ] + +In case fadump_reserve_mem() fails to reserve memory, the +reserve_dump_area_size variable will retain the reserve area size. This +will lead to /sys/kernel/fadump/mem_reserved node displaying an incorrect +memory reserved by fadump. + +To fix this problem, reserve dump area size variable is set to 0 if fadump +failed to reserve memory. + +Fixes: 8255da95e545 ("powerpc/fadump: release all the memory above boot memory size") +Signed-off-by: Sourabh Jain +Acked-by: Mahesh Salgaonkar +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230704050715.203581-1-sourabhjain@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/fadump.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c +index ad1c4575c61ce..d496dc5151aa1 100644 +--- a/arch/powerpc/kernel/fadump.c ++++ b/arch/powerpc/kernel/fadump.c +@@ -642,6 +642,7 @@ int __init fadump_reserve_mem(void) + return ret; + error_out: + fw_dump.fadump_enabled = 0; ++ fw_dump.reserve_dump_area_size = 0; + return 0; + } + +-- +2.40.1 + diff --git a/queue-5.15/powerpc-iommu-fix-notifiers-being-shared-by-pci-and-.patch b/queue-5.15/powerpc-iommu-fix-notifiers-being-shared-by-pci-and-.patch new file mode 100644 index 00000000000..1afe15a2c37 --- /dev/null +++ b/queue-5.15/powerpc-iommu-fix-notifiers-being-shared-by-pci-and-.patch @@ -0,0 +1,96 @@ +From a8a878b0bc2c55ccae712fbd969124409bea537c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 14:53:22 +1100 +Subject: powerpc/iommu: Fix notifiers being shared by PCI and VIO buses + +From: Russell Currey + +[ Upstream commit c37b6908f7b2bd24dcaaf14a180e28c9132b9c58 ] + +fail_iommu_setup() registers the fail_iommu_bus_notifier struct to both +PCI and VIO buses. struct notifier_block is a linked list node, so this +causes any notifiers later registered to either bus type to also be +registered to the other since they share the same node. + +This causes issues in (at least) the vgaarb code, which registers a +notifier for PCI buses. pci_notify() ends up being called on a vio +device, converted with to_pci_dev() even though it's not a PCI device, +and finally makes a bad access in vga_arbiter_add_pci_device() as +discovered with KASAN: + + BUG: KASAN: slab-out-of-bounds in vga_arbiter_add_pci_device+0x60/0xe00 + Read of size 4 at addr c000000264c26fdc by task swapper/0/1 + + Call Trace: + dump_stack_lvl+0x1bc/0x2b8 (unreliable) + print_report+0x3f4/0xc60 + kasan_report+0x244/0x698 + __asan_load4+0xe8/0x250 + vga_arbiter_add_pci_device+0x60/0xe00 + pci_notify+0x88/0x444 + notifier_call_chain+0x104/0x320 + blocking_notifier_call_chain+0xa0/0x140 + device_add+0xac8/0x1d30 + device_register+0x58/0x80 + vio_register_device_node+0x9ac/0xce0 + vio_bus_scan_register_devices+0xc4/0x13c + __machine_initcall_pseries_vio_device_init+0x94/0xf0 + do_one_initcall+0x12c/0xaa8 + kernel_init_freeable+0xa48/0xba8 + kernel_init+0x64/0x400 + ret_from_kernel_thread+0x5c/0x64 + +Fix this by creating separate notifier_block structs for each bus type. + +Fixes: d6b9a81b2a45 ("powerpc: IOMMU fault injection") +Reported-by: Nageswara R Sastry +Signed-off-by: Russell Currey +Tested-by: Nageswara R Sastry +Reviewed-by: Andrew Donnellan +[mpe: Add #ifdef to fix CONFIG_IBMVIO=n build] +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230322035322.328709-1-ruscur@russell.cc +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/iommu.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kernel/iommu.c b/arch/powerpc/kernel/iommu.c +index 8bea336fa5b70..b858f186e9a70 100644 +--- a/arch/powerpc/kernel/iommu.c ++++ b/arch/powerpc/kernel/iommu.c +@@ -172,17 +172,28 @@ static int fail_iommu_bus_notify(struct notifier_block *nb, + return 0; + } + +-static struct notifier_block fail_iommu_bus_notifier = { ++/* ++ * PCI and VIO buses need separate notifier_block structs, since they're linked ++ * list nodes. Sharing a notifier_block would mean that any notifiers later ++ * registered for PCI buses would also get called by VIO buses and vice versa. ++ */ ++static struct notifier_block fail_iommu_pci_bus_notifier = { + .notifier_call = fail_iommu_bus_notify + }; + ++#ifdef CONFIG_IBMVIO ++static struct notifier_block fail_iommu_vio_bus_notifier = { ++ .notifier_call = fail_iommu_bus_notify ++}; ++#endif ++ + static int __init fail_iommu_setup(void) + { + #ifdef CONFIG_PCI +- bus_register_notifier(&pci_bus_type, &fail_iommu_bus_notifier); ++ bus_register_notifier(&pci_bus_type, &fail_iommu_pci_bus_notifier); + #endif + #ifdef CONFIG_IBMVIO +- bus_register_notifier(&vio_bus_type, &fail_iommu_bus_notifier); ++ bus_register_notifier(&vio_bus_type, &fail_iommu_vio_bus_notifier); + #endif + + return 0; +-- +2.40.1 + diff --git a/queue-5.15/powerpc-perf-convert-fsl_emb-notifier-to-state-machi.patch b/queue-5.15/powerpc-perf-convert-fsl_emb-notifier-to-state-machi.patch new file mode 100644 index 00000000000..7ac02b18cbe --- /dev/null +++ b/queue-5.15/powerpc-perf-convert-fsl_emb-notifier-to-state-machi.patch @@ -0,0 +1,84 @@ +From 188bba74c6f5dc54444ceb7c728de5d6663ffcdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Aug 2023 10:59:44 +0200 +Subject: powerpc/perf: Convert fsl_emb notifier to state machine callbacks + +From: Christophe Leroy + +[ Upstream commit 34daf445f82bd3a4df852bb5f1dffd792ac830a0 ] + + CC arch/powerpc/perf/core-fsl-emb.o +arch/powerpc/perf/core-fsl-emb.c:675:6: error: no previous prototype for 'hw_perf_event_setup' [-Werror=missing-prototypes] + 675 | void hw_perf_event_setup(int cpu) + | ^~~~~~~~~~~~~~~~~~~ + +Looks like fsl_emb was completely missed by commit 3f6da3905398 ("perf: +Rework and fix the arch CPU-hotplug hooks") + +So, apply same changes as commit 3f6da3905398 ("perf: Rework and fix +the arch CPU-hotplug hooks") then commit 57ecde42cc74 ("powerpc/perf: +Convert book3s notifier to state machine callbacks") + +While at it, also fix following error: + +arch/powerpc/perf/core-fsl-emb.c: In function 'perf_event_interrupt': +arch/powerpc/perf/core-fsl-emb.c:648:13: error: variable 'found' set but not used [-Werror=unused-but-set-variable] + 648 | int found = 0; + | ^~~~~ + +Fixes: 3f6da3905398 ("perf: Rework and fix the arch CPU-hotplug hooks") +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://msgid.link/603e1facb32608f88f40b7d7b9094adc50e7b2dc.1692349125.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/core-fsl-emb.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/perf/core-fsl-emb.c b/arch/powerpc/perf/core-fsl-emb.c +index ee721f420a7ba..1a53ab08447cb 100644 +--- a/arch/powerpc/perf/core-fsl-emb.c ++++ b/arch/powerpc/perf/core-fsl-emb.c +@@ -645,7 +645,6 @@ static void perf_event_interrupt(struct pt_regs *regs) + struct cpu_hw_events *cpuhw = this_cpu_ptr(&cpu_hw_events); + struct perf_event *event; + unsigned long val; +- int found = 0; + + for (i = 0; i < ppmu->n_counter; ++i) { + event = cpuhw->event[i]; +@@ -654,7 +653,6 @@ static void perf_event_interrupt(struct pt_regs *regs) + if ((int)val < 0) { + if (event) { + /* event has overflowed */ +- found = 1; + record_and_restart(event, val, regs); + } else { + /* +@@ -672,11 +670,13 @@ static void perf_event_interrupt(struct pt_regs *regs) + isync(); + } + +-void hw_perf_event_setup(int cpu) ++static int fsl_emb_pmu_prepare_cpu(unsigned int cpu) + { + struct cpu_hw_events *cpuhw = &per_cpu(cpu_hw_events, cpu); + + memset(cpuhw, 0, sizeof(*cpuhw)); ++ ++ return 0; + } + + int register_fsl_emb_pmu(struct fsl_emb_pmu *pmu) +@@ -689,6 +689,8 @@ int register_fsl_emb_pmu(struct fsl_emb_pmu *pmu) + pmu->name); + + perf_pmu_register(&fsl_emb_pmu, "cpu", PERF_TYPE_RAW); ++ cpuhp_setup_state(CPUHP_PERF_POWER, "perf/powerpc:prepare", ++ fsl_emb_pmu_prepare_cpu, NULL); + + return 0; + } +-- +2.40.1 + diff --git a/queue-5.15/powerpc-pseries-rework-lppaca_shared_proc-to-avoid-d.patch b/queue-5.15/powerpc-pseries-rework-lppaca_shared_proc-to-avoid-d.patch new file mode 100644 index 00000000000..9f261641261 --- /dev/null +++ b/queue-5.15/powerpc-pseries-rework-lppaca_shared_proc-to-avoid-d.patch @@ -0,0 +1,160 @@ +From 01eb9c18408807158908f006d5ac32926496ba14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Aug 2023 15:53:17 +1000 +Subject: powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT + +From: Russell Currey + +[ Upstream commit eac030b22ea12cdfcbb2e941c21c03964403c63f ] + +lppaca_shared_proc() takes a pointer to the lppaca which is typically +accessed through get_lppaca(). With DEBUG_PREEMPT enabled, this leads +to checking if preemption is enabled, for example: + + BUG: using smp_processor_id() in preemptible [00000000] code: grep/10693 + caller is lparcfg_data+0x408/0x19a0 + CPU: 4 PID: 10693 Comm: grep Not tainted 6.5.0-rc3 #2 + Call Trace: + dump_stack_lvl+0x154/0x200 (unreliable) + check_preemption_disabled+0x214/0x220 + lparcfg_data+0x408/0x19a0 + ... + +This isn't actually a problem however, as it does not matter which +lppaca is accessed, the shared proc state will be the same. +vcpudispatch_stats_procfs_init() already works around this by disabling +preemption, but the lparcfg code does not, erroring any time +/proc/powerpc/lparcfg is accessed with DEBUG_PREEMPT enabled. + +Instead of disabling preemption on the caller side, rework +lppaca_shared_proc() to not take a pointer and instead directly access +the lppaca, bypassing any potential preemption checks. + +Fixes: f13c13a00512 ("powerpc: Stop using non-architected shared_proc field in lppaca") +Signed-off-by: Russell Currey +[mpe: Rework to avoid needing a definition in paca.h and lppaca.h] +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230823055317.751786-4-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/lppaca.h | 11 +++++++++-- + arch/powerpc/platforms/pseries/lpar.c | 10 +--------- + arch/powerpc/platforms/pseries/lparcfg.c | 4 ++-- + arch/powerpc/platforms/pseries/setup.c | 2 +- + drivers/cpuidle/cpuidle-pseries.c | 8 +------- + 5 files changed, 14 insertions(+), 21 deletions(-) + +diff --git a/arch/powerpc/include/asm/lppaca.h b/arch/powerpc/include/asm/lppaca.h +index 5d509ba0550b5..1412e643122e4 100644 +--- a/arch/powerpc/include/asm/lppaca.h ++++ b/arch/powerpc/include/asm/lppaca.h +@@ -45,6 +45,7 @@ + #include + #include + #include ++#include + + /* + * The lppaca is the "virtual processor area" registered with the hypervisor, +@@ -123,14 +124,20 @@ struct lppaca { + */ + #define LPPACA_OLD_SHARED_PROC 2 + +-static inline bool lppaca_shared_proc(struct lppaca *l) ++#ifdef CONFIG_PPC_PSERIES ++/* ++ * All CPUs should have the same shared proc value, so directly access the PACA ++ * to avoid false positives from DEBUG_PREEMPT. ++ */ ++static inline bool lppaca_shared_proc(void) + { ++ struct lppaca *l = local_paca->lppaca_ptr; ++ + if (!firmware_has_feature(FW_FEATURE_SPLPAR)) + return false; + return !!(l->__old_status & LPPACA_OLD_SHARED_PROC); + } + +-#ifdef CONFIG_PPC_PSERIES + #define get_lppaca() (get_paca()->lppaca_ptr) + #endif + +diff --git a/arch/powerpc/platforms/pseries/lpar.c b/arch/powerpc/platforms/pseries/lpar.c +index 3df6bdfea475a..d133597a84ca0 100644 +--- a/arch/powerpc/platforms/pseries/lpar.c ++++ b/arch/powerpc/platforms/pseries/lpar.c +@@ -638,16 +638,8 @@ static const struct proc_ops vcpudispatch_stats_freq_proc_ops = { + + static int __init vcpudispatch_stats_procfs_init(void) + { +- /* +- * Avoid smp_processor_id while preemptible. All CPUs should have +- * the same value for lppaca_shared_proc. +- */ +- preempt_disable(); +- if (!lppaca_shared_proc(get_lppaca())) { +- preempt_enable(); ++ if (!lppaca_shared_proc()) + return 0; +- } +- preempt_enable(); + + if (!proc_create("powerpc/vcpudispatch_stats", 0600, NULL, + &vcpudispatch_stats_proc_ops)) +diff --git a/arch/powerpc/platforms/pseries/lparcfg.c b/arch/powerpc/platforms/pseries/lparcfg.c +index f71eac74ea92a..19503a8797823 100644 +--- a/arch/powerpc/platforms/pseries/lparcfg.c ++++ b/arch/powerpc/platforms/pseries/lparcfg.c +@@ -205,7 +205,7 @@ static void parse_ppp_data(struct seq_file *m) + ppp_data.active_system_procs); + + /* pool related entries are appropriate for shared configs */ +- if (lppaca_shared_proc(get_lppaca())) { ++ if (lppaca_shared_proc()) { + unsigned long pool_idle_time, pool_procs; + + seq_printf(m, "pool=%d\n", ppp_data.pool_num); +@@ -529,7 +529,7 @@ static int pseries_lparcfg_data(struct seq_file *m, void *v) + partition_potential_processors); + + seq_printf(m, "shared_processor_mode=%d\n", +- lppaca_shared_proc(get_lppaca())); ++ lppaca_shared_proc()); + + #ifdef CONFIG_PPC_BOOK3S_64 + seq_printf(m, "slb_size=%d\n", mmu_slb_size); +diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c +index c2b3752684b5f..d25053755c8b8 100644 +--- a/arch/powerpc/platforms/pseries/setup.c ++++ b/arch/powerpc/platforms/pseries/setup.c +@@ -816,7 +816,7 @@ static void __init pSeries_setup_arch(void) + if (firmware_has_feature(FW_FEATURE_LPAR)) { + vpa_init(boot_cpuid); + +- if (lppaca_shared_proc(get_lppaca())) { ++ if (lppaca_shared_proc()) { + static_branch_enable(&shared_processor); + pv_spinlocks_init(); + } +diff --git a/drivers/cpuidle/cpuidle-pseries.c b/drivers/cpuidle/cpuidle-pseries.c +index 7e7ab5597d7ac..0590001db6532 100644 +--- a/drivers/cpuidle/cpuidle-pseries.c ++++ b/drivers/cpuidle/cpuidle-pseries.c +@@ -410,13 +410,7 @@ static int __init pseries_idle_probe(void) + return -ENODEV; + + if (firmware_has_feature(FW_FEATURE_SPLPAR)) { +- /* +- * Use local_paca instead of get_lppaca() since +- * preemption is not disabled, and it is not required in +- * fact, since lppaca_ptr does not need to be the value +- * associated to the current CPU, it can be from any CPU. +- */ +- if (lppaca_shared_proc(local_paca->lppaca_ptr)) { ++ if (lppaca_shared_proc()) { + cpuidle_state_table = shared_states; + max_idle_state = ARRAY_SIZE(shared_states); + } else { +-- +2.40.1 + diff --git a/queue-5.15/powerpc-radix-move-some-functions-into-ifdef-config_.patch b/queue-5.15/powerpc-radix-move-some-functions-into-ifdef-config_.patch new file mode 100644 index 00000000000..2b88687bf84 --- /dev/null +++ b/queue-5.15/powerpc-radix-move-some-functions-into-ifdef-config_.patch @@ -0,0 +1,346 @@ +From 5d78065eb43c0311d6d81e92338a95ce76f3bf73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Aug 2023 10:01:43 +0200 +Subject: powerpc/radix: Move some functions into #ifdef + CONFIG_KVM_BOOK3S_HV_POSSIBLE + +From: Christophe Leroy + +[ Upstream commit 4a9dd8f292efd614f0a18452e6474fe19ae17b47 ] + +With skiboot_defconfig, Clang reports: + + CC arch/powerpc/mm/book3s64/radix_tlb.o +arch/powerpc/mm/book3s64/radix_tlb.c:419:20: error: unused function '_tlbie_pid_lpid' [-Werror,-Wunused-function] +static inline void _tlbie_pid_lpid(unsigned long pid, unsigned long lpid, + ^ +arch/powerpc/mm/book3s64/radix_tlb.c:663:20: error: unused function '_tlbie_va_range_lpid' [-Werror,-Wunused-function] +static inline void _tlbie_va_range_lpid(unsigned long start, unsigned long end, + ^ + +This is because those functions are only called from functions +enclosed in a #ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE + +Move below functions inside that #ifdef +* __tlbie_pid_lpid(unsigned long pid, +* __tlbie_va_lpid(unsigned long va, unsigned long pid, +* fixup_tlbie_pid_lpid(unsigned long pid, unsigned long lpid) +* _tlbie_pid_lpid(unsigned long pid, unsigned long lpid, +* fixup_tlbie_va_range_lpid(unsigned long va, +* __tlbie_va_range_lpid(unsigned long start, unsigned long end, +* _tlbie_va_range_lpid(unsigned long start, unsigned long end, + +Fixes: f0c6fbbb9050 ("KVM: PPC: Book3S HV: Add support for H_RPT_INVALIDATE") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202307260802.Mjr99P5O-lkp@intel.com/ +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://msgid.link/3d72efd39f986ee939d068af69fdce28bd600766.1691568093.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/book3s64/radix_tlb.c | 240 ++++++++++++++------------- + 1 file changed, 121 insertions(+), 119 deletions(-) + +diff --git a/arch/powerpc/mm/book3s64/radix_tlb.c b/arch/powerpc/mm/book3s64/radix_tlb.c +index 5172d5cec2c06..6972fd5d423c0 100644 +--- a/arch/powerpc/mm/book3s64/radix_tlb.c ++++ b/arch/powerpc/mm/book3s64/radix_tlb.c +@@ -127,21 +127,6 @@ static __always_inline void __tlbie_pid(unsigned long pid, unsigned long ric) + trace_tlbie(0, 0, rb, rs, ric, prs, r); + } + +-static __always_inline void __tlbie_pid_lpid(unsigned long pid, +- unsigned long lpid, +- unsigned long ric) +-{ +- unsigned long rb, rs, prs, r; +- +- rb = PPC_BIT(53); /* IS = 1 */ +- rs = (pid << PPC_BITLSHIFT(31)) | (lpid & ~(PPC_BITMASK(0, 31))); +- prs = 1; /* process scoped */ +- r = 1; /* radix format */ +- +- asm volatile(PPC_TLBIE_5(%0, %4, %3, %2, %1) +- : : "r"(rb), "i"(r), "i"(prs), "i"(ric), "r"(rs) : "memory"); +- trace_tlbie(0, 0, rb, rs, ric, prs, r); +-} + static __always_inline void __tlbie_lpid(unsigned long lpid, unsigned long ric) + { + unsigned long rb,rs,prs,r; +@@ -202,23 +187,6 @@ static __always_inline void __tlbie_va(unsigned long va, unsigned long pid, + trace_tlbie(0, 0, rb, rs, ric, prs, r); + } + +-static __always_inline void __tlbie_va_lpid(unsigned long va, unsigned long pid, +- unsigned long lpid, +- unsigned long ap, unsigned long ric) +-{ +- unsigned long rb, rs, prs, r; +- +- rb = va & ~(PPC_BITMASK(52, 63)); +- rb |= ap << PPC_BITLSHIFT(58); +- rs = (pid << PPC_BITLSHIFT(31)) | (lpid & ~(PPC_BITMASK(0, 31))); +- prs = 1; /* process scoped */ +- r = 1; /* radix format */ +- +- asm volatile(PPC_TLBIE_5(%0, %4, %3, %2, %1) +- : : "r"(rb), "i"(r), "i"(prs), "i"(ric), "r"(rs) : "memory"); +- trace_tlbie(0, 0, rb, rs, ric, prs, r); +-} +- + static __always_inline void __tlbie_lpid_va(unsigned long va, unsigned long lpid, + unsigned long ap, unsigned long ric) + { +@@ -264,22 +232,6 @@ static inline void fixup_tlbie_va_range(unsigned long va, unsigned long pid, + } + } + +-static inline void fixup_tlbie_va_range_lpid(unsigned long va, +- unsigned long pid, +- unsigned long lpid, +- unsigned long ap) +-{ +- if (cpu_has_feature(CPU_FTR_P9_TLBIE_ERAT_BUG)) { +- asm volatile("ptesync" : : : "memory"); +- __tlbie_pid_lpid(0, lpid, RIC_FLUSH_TLB); +- } +- +- if (cpu_has_feature(CPU_FTR_P9_TLBIE_STQ_BUG)) { +- asm volatile("ptesync" : : : "memory"); +- __tlbie_va_lpid(va, pid, lpid, ap, RIC_FLUSH_TLB); +- } +-} +- + static inline void fixup_tlbie_pid(unsigned long pid) + { + /* +@@ -299,26 +251,6 @@ static inline void fixup_tlbie_pid(unsigned long pid) + } + } + +-static inline void fixup_tlbie_pid_lpid(unsigned long pid, unsigned long lpid) +-{ +- /* +- * We can use any address for the invalidation, pick one which is +- * probably unused as an optimisation. +- */ +- unsigned long va = ((1UL << 52) - 1); +- +- if (cpu_has_feature(CPU_FTR_P9_TLBIE_ERAT_BUG)) { +- asm volatile("ptesync" : : : "memory"); +- __tlbie_pid_lpid(0, lpid, RIC_FLUSH_TLB); +- } +- +- if (cpu_has_feature(CPU_FTR_P9_TLBIE_STQ_BUG)) { +- asm volatile("ptesync" : : : "memory"); +- __tlbie_va_lpid(va, pid, lpid, mmu_get_ap(MMU_PAGE_64K), +- RIC_FLUSH_TLB); +- } +-} +- + static inline void fixup_tlbie_lpid_va(unsigned long va, unsigned long lpid, + unsigned long ap) + { +@@ -416,31 +348,6 @@ static inline void _tlbie_pid(unsigned long pid, unsigned long ric) + asm volatile("eieio; tlbsync; ptesync": : :"memory"); + } + +-static inline void _tlbie_pid_lpid(unsigned long pid, unsigned long lpid, +- unsigned long ric) +-{ +- asm volatile("ptesync" : : : "memory"); +- +- /* +- * Workaround the fact that the "ric" argument to __tlbie_pid +- * must be a compile-time contraint to match the "i" constraint +- * in the asm statement. +- */ +- switch (ric) { +- case RIC_FLUSH_TLB: +- __tlbie_pid_lpid(pid, lpid, RIC_FLUSH_TLB); +- fixup_tlbie_pid_lpid(pid, lpid); +- break; +- case RIC_FLUSH_PWC: +- __tlbie_pid_lpid(pid, lpid, RIC_FLUSH_PWC); +- break; +- case RIC_FLUSH_ALL: +- default: +- __tlbie_pid_lpid(pid, lpid, RIC_FLUSH_ALL); +- fixup_tlbie_pid_lpid(pid, lpid); +- } +- asm volatile("eieio; tlbsync; ptesync" : : : "memory"); +-} + struct tlbiel_pid { + unsigned long pid; + unsigned long ric; +@@ -566,20 +473,6 @@ static inline void __tlbie_va_range(unsigned long start, unsigned long end, + fixup_tlbie_va_range(addr - page_size, pid, ap); + } + +-static inline void __tlbie_va_range_lpid(unsigned long start, unsigned long end, +- unsigned long pid, unsigned long lpid, +- unsigned long page_size, +- unsigned long psize) +-{ +- unsigned long addr; +- unsigned long ap = mmu_get_ap(psize); +- +- for (addr = start; addr < end; addr += page_size) +- __tlbie_va_lpid(addr, pid, lpid, ap, RIC_FLUSH_TLB); +- +- fixup_tlbie_va_range_lpid(addr - page_size, pid, lpid, ap); +-} +- + static __always_inline void _tlbie_va(unsigned long va, unsigned long pid, + unsigned long psize, unsigned long ric) + { +@@ -660,18 +553,6 @@ static inline void _tlbie_va_range(unsigned long start, unsigned long end, + asm volatile("eieio; tlbsync; ptesync": : :"memory"); + } + +-static inline void _tlbie_va_range_lpid(unsigned long start, unsigned long end, +- unsigned long pid, unsigned long lpid, +- unsigned long page_size, +- unsigned long psize, bool also_pwc) +-{ +- asm volatile("ptesync" : : : "memory"); +- if (also_pwc) +- __tlbie_pid_lpid(pid, lpid, RIC_FLUSH_PWC); +- __tlbie_va_range_lpid(start, end, pid, lpid, page_size, psize); +- asm volatile("eieio; tlbsync; ptesync" : : : "memory"); +-} +- + static inline void _tlbiel_va_range_multicast(struct mm_struct *mm, + unsigned long start, unsigned long end, + unsigned long pid, unsigned long page_size, +@@ -1468,6 +1349,127 @@ void radix__flush_tlb_all(void) + } + + #ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE ++static __always_inline void __tlbie_pid_lpid(unsigned long pid, ++ unsigned long lpid, ++ unsigned long ric) ++{ ++ unsigned long rb, rs, prs, r; ++ ++ rb = PPC_BIT(53); /* IS = 1 */ ++ rs = (pid << PPC_BITLSHIFT(31)) | (lpid & ~(PPC_BITMASK(0, 31))); ++ prs = 1; /* process scoped */ ++ r = 1; /* radix format */ ++ ++ asm volatile(PPC_TLBIE_5(%0, %4, %3, %2, %1) ++ : : "r"(rb), "i"(r), "i"(prs), "i"(ric), "r"(rs) : "memory"); ++ trace_tlbie(0, 0, rb, rs, ric, prs, r); ++} ++ ++static __always_inline void __tlbie_va_lpid(unsigned long va, unsigned long pid, ++ unsigned long lpid, ++ unsigned long ap, unsigned long ric) ++{ ++ unsigned long rb, rs, prs, r; ++ ++ rb = va & ~(PPC_BITMASK(52, 63)); ++ rb |= ap << PPC_BITLSHIFT(58); ++ rs = (pid << PPC_BITLSHIFT(31)) | (lpid & ~(PPC_BITMASK(0, 31))); ++ prs = 1; /* process scoped */ ++ r = 1; /* radix format */ ++ ++ asm volatile(PPC_TLBIE_5(%0, %4, %3, %2, %1) ++ : : "r"(rb), "i"(r), "i"(prs), "i"(ric), "r"(rs) : "memory"); ++ trace_tlbie(0, 0, rb, rs, ric, prs, r); ++} ++ ++static inline void fixup_tlbie_pid_lpid(unsigned long pid, unsigned long lpid) ++{ ++ /* ++ * We can use any address for the invalidation, pick one which is ++ * probably unused as an optimisation. ++ */ ++ unsigned long va = ((1UL << 52) - 1); ++ ++ if (cpu_has_feature(CPU_FTR_P9_TLBIE_ERAT_BUG)) { ++ asm volatile("ptesync" : : : "memory"); ++ __tlbie_pid_lpid(0, lpid, RIC_FLUSH_TLB); ++ } ++ ++ if (cpu_has_feature(CPU_FTR_P9_TLBIE_STQ_BUG)) { ++ asm volatile("ptesync" : : : "memory"); ++ __tlbie_va_lpid(va, pid, lpid, mmu_get_ap(MMU_PAGE_64K), ++ RIC_FLUSH_TLB); ++ } ++} ++ ++static inline void _tlbie_pid_lpid(unsigned long pid, unsigned long lpid, ++ unsigned long ric) ++{ ++ asm volatile("ptesync" : : : "memory"); ++ ++ /* ++ * Workaround the fact that the "ric" argument to __tlbie_pid ++ * must be a compile-time contraint to match the "i" constraint ++ * in the asm statement. ++ */ ++ switch (ric) { ++ case RIC_FLUSH_TLB: ++ __tlbie_pid_lpid(pid, lpid, RIC_FLUSH_TLB); ++ fixup_tlbie_pid_lpid(pid, lpid); ++ break; ++ case RIC_FLUSH_PWC: ++ __tlbie_pid_lpid(pid, lpid, RIC_FLUSH_PWC); ++ break; ++ case RIC_FLUSH_ALL: ++ default: ++ __tlbie_pid_lpid(pid, lpid, RIC_FLUSH_ALL); ++ fixup_tlbie_pid_lpid(pid, lpid); ++ } ++ asm volatile("eieio; tlbsync; ptesync" : : : "memory"); ++} ++ ++static inline void fixup_tlbie_va_range_lpid(unsigned long va, ++ unsigned long pid, ++ unsigned long lpid, ++ unsigned long ap) ++{ ++ if (cpu_has_feature(CPU_FTR_P9_TLBIE_ERAT_BUG)) { ++ asm volatile("ptesync" : : : "memory"); ++ __tlbie_pid_lpid(0, lpid, RIC_FLUSH_TLB); ++ } ++ ++ if (cpu_has_feature(CPU_FTR_P9_TLBIE_STQ_BUG)) { ++ asm volatile("ptesync" : : : "memory"); ++ __tlbie_va_lpid(va, pid, lpid, ap, RIC_FLUSH_TLB); ++ } ++} ++ ++static inline void __tlbie_va_range_lpid(unsigned long start, unsigned long end, ++ unsigned long pid, unsigned long lpid, ++ unsigned long page_size, ++ unsigned long psize) ++{ ++ unsigned long addr; ++ unsigned long ap = mmu_get_ap(psize); ++ ++ for (addr = start; addr < end; addr += page_size) ++ __tlbie_va_lpid(addr, pid, lpid, ap, RIC_FLUSH_TLB); ++ ++ fixup_tlbie_va_range_lpid(addr - page_size, pid, lpid, ap); ++} ++ ++static inline void _tlbie_va_range_lpid(unsigned long start, unsigned long end, ++ unsigned long pid, unsigned long lpid, ++ unsigned long page_size, ++ unsigned long psize, bool also_pwc) ++{ ++ asm volatile("ptesync" : : : "memory"); ++ if (also_pwc) ++ __tlbie_pid_lpid(pid, lpid, RIC_FLUSH_PWC); ++ __tlbie_va_range_lpid(start, end, pid, lpid, page_size, psize); ++ asm volatile("eieio; tlbsync; ptesync" : : : "memory"); ++} ++ + /* + * Performs process-scoped invalidations for a given LPID + * as part of H_RPT_INVALIDATE hcall. +-- +2.40.1 + diff --git a/queue-5.15/quota-add-new-helper-dquot_active.patch b/queue-5.15/quota-add-new-helper-dquot_active.patch new file mode 100644 index 00000000000..44199d2a113 --- /dev/null +++ b/queue-5.15/quota-add-new-helper-dquot_active.patch @@ -0,0 +1,119 @@ +From 8c872673c52b6c1fd88dff08e02690042e2ab56b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 19:08:20 +0800 +Subject: quota: add new helper dquot_active() + +From: Baokun Li + +[ Upstream commit 33bcfafc48cb186bc4bbcea247feaa396594229e ] + +Add new helper function dquot_active() to make the code more concise. + +Signed-off-by: Baokun Li +Signed-off-by: Jan Kara +Message-Id: <20230630110822.3881712-4-libaokun1@huawei.com> +Stable-dep-of: dabc8b207566 ("quota: fix dqput() to follow the guarantees dquot_srcu should provide") +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 305771b682047..2069453e88e4f 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -336,6 +336,11 @@ static void wait_on_dquot(struct dquot *dquot) + mutex_unlock(&dquot->dq_lock); + } + ++static inline int dquot_active(struct dquot *dquot) ++{ ++ return test_bit(DQ_ACTIVE_B, &dquot->dq_flags); ++} ++ + static inline int dquot_dirty(struct dquot *dquot) + { + return test_bit(DQ_MOD_B, &dquot->dq_flags); +@@ -351,14 +356,14 @@ int dquot_mark_dquot_dirty(struct dquot *dquot) + { + int ret = 1; + +- if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) ++ if (!dquot_active(dquot)) + return 0; + + if (sb_dqopt(dquot->dq_sb)->flags & DQUOT_NOLIST_DIRTY) + return test_and_set_bit(DQ_MOD_B, &dquot->dq_flags); + + /* If quota is dirty already, we don't have to acquire dq_list_lock */ +- if (test_bit(DQ_MOD_B, &dquot->dq_flags)) ++ if (dquot_dirty(dquot)) + return 1; + + spin_lock(&dq_list_lock); +@@ -440,7 +445,7 @@ int dquot_acquire(struct dquot *dquot) + smp_mb__before_atomic(); + set_bit(DQ_READ_B, &dquot->dq_flags); + /* Instantiate dquot if needed */ +- if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags) && !dquot->dq_off) { ++ if (!dquot_active(dquot) && !dquot->dq_off) { + ret = dqopt->ops[dquot->dq_id.type]->commit_dqblk(dquot); + /* Write the info if needed */ + if (info_dirty(&dqopt->info[dquot->dq_id.type])) { +@@ -482,7 +487,7 @@ int dquot_commit(struct dquot *dquot) + goto out_lock; + /* Inactive dquot can be only if there was error during read/init + * => we have better not writing it */ +- if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) ++ if (dquot_active(dquot)) + ret = dqopt->ops[dquot->dq_id.type]->commit_dqblk(dquot); + else + ret = -EIO; +@@ -597,7 +602,7 @@ int dquot_scan_active(struct super_block *sb, + + spin_lock(&dq_list_lock); + list_for_each_entry(dquot, &inuse_list, dq_inuse) { +- if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) ++ if (!dquot_active(dquot)) + continue; + if (dquot->dq_sb != sb) + continue; +@@ -612,7 +617,7 @@ int dquot_scan_active(struct super_block *sb, + * outstanding call and recheck the DQ_ACTIVE_B after that. + */ + wait_on_dquot(dquot); +- if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) { ++ if (dquot_active(dquot)) { + ret = fn(dquot, priv); + if (ret < 0) + goto out; +@@ -663,7 +668,7 @@ int dquot_writeback_dquots(struct super_block *sb, int type) + dquot = list_first_entry(&dirty, struct dquot, + dq_dirty); + +- WARN_ON(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)); ++ WARN_ON(!dquot_active(dquot)); + + /* Now we have active dquot from which someone is + * holding reference so we can safely just increase +@@ -800,7 +805,7 @@ void dqput(struct dquot *dquot) + dquot_write_dquot(dquot); + goto we_slept; + } +- if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) { ++ if (dquot_active(dquot)) { + spin_unlock(&dq_list_lock); + dquot->dq_sb->dq_op->release_dquot(dquot); + goto we_slept; +@@ -901,7 +906,7 @@ struct dquot *dqget(struct super_block *sb, struct kqid qid) + * already finished or it will be canceled due to dq_count > 1 test */ + wait_on_dquot(dquot); + /* Read the dquot / allocate space in quota file */ +- if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) { ++ if (!dquot_active(dquot)) { + int err; + + err = sb->dq_op->acquire_dquot(dquot); +-- +2.40.1 + diff --git a/queue-5.15/quota-factor-out-dquot_write_dquot.patch b/queue-5.15/quota-factor-out-dquot_write_dquot.patch new file mode 100644 index 00000000000..db00bcd401b --- /dev/null +++ b/queue-5.15/quota-factor-out-dquot_write_dquot.patch @@ -0,0 +1,94 @@ +From da41f34343fe12aa0955f0370e360b232b1b7feb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 19:08:18 +0800 +Subject: quota: factor out dquot_write_dquot() + +From: Baokun Li + +[ Upstream commit 024128477809f8073d870307c8157b8826ebfd08 ] + +Refactor out dquot_write_dquot() to reduce duplicate code. + +Signed-off-by: Baokun Li +Signed-off-by: Jan Kara +Message-Id: <20230630110822.3881712-2-libaokun1@huawei.com> +Stable-dep-of: dabc8b207566 ("quota: fix dqput() to follow the guarantees dquot_srcu should provide") +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 39 ++++++++++++++++----------------------- + 1 file changed, 16 insertions(+), 23 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index b88f5a2f6032b..fae2dbd663020 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -628,6 +628,18 @@ int dquot_scan_active(struct super_block *sb, + } + EXPORT_SYMBOL(dquot_scan_active); + ++static inline int dquot_write_dquot(struct dquot *dquot) ++{ ++ int ret = dquot->dq_sb->dq_op->write_dquot(dquot); ++ if (ret < 0) { ++ quota_error(dquot->dq_sb, "Can't write quota structure " ++ "(error %d). Quota may get out of sync!", ret); ++ /* Clear dirty bit anyway to avoid infinite loop. */ ++ clear_dquot_dirty(dquot); ++ } ++ return ret; ++} ++ + /* Write all dquot structures to quota files */ + int dquot_writeback_dquots(struct super_block *sb, int type) + { +@@ -658,16 +670,9 @@ int dquot_writeback_dquots(struct super_block *sb, int type) + * use count */ + dqgrab(dquot); + spin_unlock(&dq_list_lock); +- err = sb->dq_op->write_dquot(dquot); +- if (err) { +- /* +- * Clear dirty bit anyway to avoid infinite +- * loop here. +- */ +- clear_dquot_dirty(dquot); +- if (!ret) +- ret = err; +- } ++ err = dquot_write_dquot(dquot); ++ if (err && !ret) ++ ret = err; + dqput(dquot); + spin_lock(&dq_list_lock); + } +@@ -765,8 +770,6 @@ static struct shrinker dqcache_shrinker = { + */ + void dqput(struct dquot *dquot) + { +- int ret; +- + if (!dquot) + return; + #ifdef CONFIG_QUOTA_DEBUG +@@ -794,17 +797,7 @@ void dqput(struct dquot *dquot) + if (dquot_dirty(dquot)) { + spin_unlock(&dq_list_lock); + /* Commit dquot before releasing */ +- ret = dquot->dq_sb->dq_op->write_dquot(dquot); +- if (ret < 0) { +- quota_error(dquot->dq_sb, "Can't write quota structure" +- " (error %d). Quota may get out of sync!", +- ret); +- /* +- * We clear dirty bit anyway, so that we avoid +- * infinite loop here +- */ +- clear_dquot_dirty(dquot); +- } ++ dquot_write_dquot(dquot); + goto we_slept; + } + if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) { +-- +2.40.1 + diff --git a/queue-5.15/quota-fix-dqput-to-follow-the-guarantees-dquot_srcu-.patch b/queue-5.15/quota-fix-dqput-to-follow-the-guarantees-dquot_srcu-.patch new file mode 100644 index 00000000000..d4c5afb5bc1 --- /dev/null +++ b/queue-5.15/quota-fix-dqput-to-follow-the-guarantees-dquot_srcu-.patch @@ -0,0 +1,249 @@ +From 60095ea0cea7f6a15115294dcc309a994ff4d632 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 19:08:21 +0800 +Subject: quota: fix dqput() to follow the guarantees dquot_srcu should provide + +From: Baokun Li + +[ Upstream commit dabc8b20756601b9e1cc85a81d47d3f98ed4d13a ] + +The dquot_mark_dquot_dirty() using dquot references from the inode +should be protected by dquot_srcu. quota_off code takes care to call +synchronize_srcu(&dquot_srcu) to not drop dquot references while they +are used by other users. But dquot_transfer() breaks this assumption. +We call dquot_transfer() to drop the last reference of dquot and add +it to free_dquots, but there may still be other users using the dquot +at this time, as shown in the function graph below: + + cpu1 cpu2 +_________________|_________________ +wb_do_writeback CHOWN(1) + ... + ext4_da_update_reserve_space + dquot_claim_block + ... + dquot_mark_dquot_dirty // try to dirty old quota + test_bit(DQ_ACTIVE_B, &dquot->dq_flags) // still ACTIVE + if (test_bit(DQ_MOD_B, &dquot->dq_flags)) + // test no dirty, wait dq_list_lock + ... + dquot_transfer + __dquot_transfer + dqput_all(transfer_from) // rls old dquot + dqput // last dqput + dquot_release + clear_bit(DQ_ACTIVE_B, &dquot->dq_flags) + atomic_dec(&dquot->dq_count) + put_dquot_last(dquot) + list_add_tail(&dquot->dq_free, &free_dquots) + // add the dquot to free_dquots + if (!test_and_set_bit(DQ_MOD_B, &dquot->dq_flags)) + add dqi_dirty_list // add released dquot to dirty_list + +This can cause various issues, such as dquot being destroyed by +dqcache_shrink_scan() after being added to free_dquots, which can trigger +a UAF in dquot_mark_dquot_dirty(); or after dquot is added to free_dquots +and then to dirty_list, it is added to free_dquots again after +dquot_writeback_dquots() is executed, which causes the free_dquots list to +be corrupted and triggers a UAF when dqcache_shrink_scan() is called for +freeing dquot twice. + +As Honza said, we need to fix dquot_transfer() to follow the guarantees +dquot_srcu should provide. But calling synchronize_srcu() directly from +dquot_transfer() is too expensive (and mostly unnecessary). So we add +dquot whose last reference should be dropped to the new global dquot +list releasing_dquots, and then queue work item which would call +synchronize_srcu() and after that perform the final cleanup of all the +dquots on releasing_dquots. + +Fixes: 4580b30ea887 ("quota: Do not dirty bad dquots") +Suggested-by: Jan Kara +Signed-off-by: Baokun Li +Signed-off-by: Jan Kara +Message-Id: <20230630110822.3881712-5-libaokun1@huawei.com> +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 96 +++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 78 insertions(+), 18 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 2069453e88e4f..889eaea56a784 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -225,13 +225,22 @@ static void put_quota_format(struct quota_format_type *fmt) + + /* + * Dquot List Management: +- * The quota code uses four lists for dquot management: the inuse_list, +- * free_dquots, dqi_dirty_list, and dquot_hash[] array. A single dquot +- * structure may be on some of those lists, depending on its current state. ++ * The quota code uses five lists for dquot management: the inuse_list, ++ * releasing_dquots, free_dquots, dqi_dirty_list, and dquot_hash[] array. ++ * A single dquot structure may be on some of those lists, depending on ++ * its current state. + * + * All dquots are placed to the end of inuse_list when first created, and this + * list is used for invalidate operation, which must look at every dquot. + * ++ * When the last reference of a dquot will be dropped, the dquot will be ++ * added to releasing_dquots. We'd then queue work item which would call ++ * synchronize_srcu() and after that perform the final cleanup of all the ++ * dquots on the list. Both releasing_dquots and free_dquots use the ++ * dq_free list_head in the dquot struct. When a dquot is removed from ++ * releasing_dquots, a reference count is always subtracted, and if ++ * dq_count == 0 at that point, the dquot will be added to the free_dquots. ++ * + * Unused dquots (dq_count == 0) are added to the free_dquots list when freed, + * and this list is searched whenever we need an available dquot. Dquots are + * removed from the list as soon as they are used again, and +@@ -250,6 +259,7 @@ static void put_quota_format(struct quota_format_type *fmt) + + static LIST_HEAD(inuse_list); + static LIST_HEAD(free_dquots); ++static LIST_HEAD(releasing_dquots); + static unsigned int dq_hash_bits, dq_hash_mask; + static struct hlist_head *dquot_hash; + +@@ -260,6 +270,9 @@ static qsize_t inode_get_rsv_space(struct inode *inode); + static qsize_t __inode_get_rsv_space(struct inode *inode); + static int __dquot_initialize(struct inode *inode, int type); + ++static void quota_release_workfn(struct work_struct *work); ++static DECLARE_DELAYED_WORK(quota_release_work, quota_release_workfn); ++ + static inline unsigned int + hashfn(const struct super_block *sb, struct kqid qid) + { +@@ -305,12 +318,18 @@ static inline void put_dquot_last(struct dquot *dquot) + dqstats_inc(DQST_FREE_DQUOTS); + } + ++static inline void put_releasing_dquots(struct dquot *dquot) ++{ ++ list_add_tail(&dquot->dq_free, &releasing_dquots); ++} ++ + static inline void remove_free_dquot(struct dquot *dquot) + { + if (list_empty(&dquot->dq_free)) + return; + list_del_init(&dquot->dq_free); +- dqstats_dec(DQST_FREE_DQUOTS); ++ if (!atomic_read(&dquot->dq_count)) ++ dqstats_dec(DQST_FREE_DQUOTS); + } + + static inline void put_inuse(struct dquot *dquot) +@@ -552,6 +571,8 @@ static void invalidate_dquots(struct super_block *sb, int type) + struct dquot *dquot, *tmp; + + restart: ++ flush_delayed_work("a_release_work); ++ + spin_lock(&dq_list_lock); + list_for_each_entry_safe(dquot, tmp, &inuse_list, dq_inuse) { + if (dquot->dq_sb != sb) +@@ -560,6 +581,12 @@ static void invalidate_dquots(struct super_block *sb, int type) + continue; + /* Wait for dquot users */ + if (atomic_read(&dquot->dq_count)) { ++ /* dquot in releasing_dquots, flush and retry */ ++ if (!list_empty(&dquot->dq_free)) { ++ spin_unlock(&dq_list_lock); ++ goto restart; ++ } ++ + atomic_inc(&dquot->dq_count); + spin_unlock(&dq_list_lock); + /* +@@ -770,6 +797,49 @@ static struct shrinker dqcache_shrinker = { + .seeks = DEFAULT_SEEKS, + }; + ++/* ++ * Safely release dquot and put reference to dquot. ++ */ ++static void quota_release_workfn(struct work_struct *work) ++{ ++ struct dquot *dquot; ++ struct list_head rls_head; ++ ++ spin_lock(&dq_list_lock); ++ /* Exchange the list head to avoid livelock. */ ++ list_replace_init(&releasing_dquots, &rls_head); ++ spin_unlock(&dq_list_lock); ++ ++restart: ++ synchronize_srcu(&dquot_srcu); ++ spin_lock(&dq_list_lock); ++ while (!list_empty(&rls_head)) { ++ dquot = list_first_entry(&rls_head, struct dquot, dq_free); ++ /* Dquot got used again? */ ++ if (atomic_read(&dquot->dq_count) > 1) { ++ remove_free_dquot(dquot); ++ atomic_dec(&dquot->dq_count); ++ continue; ++ } ++ if (dquot_dirty(dquot)) { ++ spin_unlock(&dq_list_lock); ++ /* Commit dquot before releasing */ ++ dquot_write_dquot(dquot); ++ goto restart; ++ } ++ if (dquot_active(dquot)) { ++ spin_unlock(&dq_list_lock); ++ dquot->dq_sb->dq_op->release_dquot(dquot); ++ goto restart; ++ } ++ /* Dquot is inactive and clean, now move it to free list */ ++ remove_free_dquot(dquot); ++ atomic_dec(&dquot->dq_count); ++ put_dquot_last(dquot); ++ } ++ spin_unlock(&dq_list_lock); ++} ++ + /* + * Put reference to dquot + */ +@@ -786,7 +856,7 @@ void dqput(struct dquot *dquot) + } + #endif + dqstats_inc(DQST_DROPS); +-we_slept: ++ + spin_lock(&dq_list_lock); + if (atomic_read(&dquot->dq_count) > 1) { + /* We have more than one user... nothing to do */ +@@ -798,25 +868,15 @@ void dqput(struct dquot *dquot) + spin_unlock(&dq_list_lock); + return; + } ++ + /* Need to release dquot? */ +- if (dquot_dirty(dquot)) { +- spin_unlock(&dq_list_lock); +- /* Commit dquot before releasing */ +- dquot_write_dquot(dquot); +- goto we_slept; +- } +- if (dquot_active(dquot)) { +- spin_unlock(&dq_list_lock); +- dquot->dq_sb->dq_op->release_dquot(dquot); +- goto we_slept; +- } +- atomic_dec(&dquot->dq_count); + #ifdef CONFIG_QUOTA_DEBUG + /* sanity check */ + BUG_ON(!list_empty(&dquot->dq_free)); + #endif +- put_dquot_last(dquot); ++ put_releasing_dquots(dquot); + spin_unlock(&dq_list_lock); ++ queue_delayed_work(system_unbound_wq, "a_release_work, 1); + } + EXPORT_SYMBOL(dqput); + +-- +2.40.1 + diff --git a/queue-5.15/quota-rename-dquot_active-to-inode_quota_active.patch b/queue-5.15/quota-rename-dquot_active-to-inode_quota_active.patch new file mode 100644 index 00000000000..e05abc46395 --- /dev/null +++ b/queue-5.15/quota-rename-dquot_active-to-inode_quota_active.patch @@ -0,0 +1,121 @@ +From aeaa7b4298f667be8e58e142da26c28bd324bf06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 19:08:19 +0800 +Subject: quota: rename dquot_active() to inode_quota_active() + +From: Baokun Li + +[ Upstream commit 4b9bdfa16535de8f49bf954aeed0f525ee2fc322 ] + +Now we have a helper function dquot_dirty() to determine if dquot has +DQ_MOD_B bit. dquot_active() can easily be misunderstood as a helper +function to determine if dquot has DQ_ACTIVE_B bit. So we avoid this by +renaming it to inode_quota_active() and later on we will add the helper +function dquot_active() to determine if dquot has DQ_ACTIVE_B bit. + +Signed-off-by: Baokun Li +Signed-off-by: Jan Kara +Message-Id: <20230630110822.3881712-3-libaokun1@huawei.com> +Stable-dep-of: dabc8b207566 ("quota: fix dqput() to follow the guarantees dquot_srcu should provide") +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index fae2dbd663020..305771b682047 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -1418,7 +1418,7 @@ static int info_bdq_free(struct dquot *dquot, qsize_t space) + return QUOTA_NL_NOWARN; + } + +-static int dquot_active(const struct inode *inode) ++static int inode_quota_active(const struct inode *inode) + { + struct super_block *sb = inode->i_sb; + +@@ -1441,7 +1441,7 @@ static int __dquot_initialize(struct inode *inode, int type) + qsize_t rsv; + int ret = 0; + +- if (!dquot_active(inode)) ++ if (!inode_quota_active(inode)) + return 0; + + dquots = i_dquot(inode); +@@ -1549,7 +1549,7 @@ bool dquot_initialize_needed(struct inode *inode) + struct dquot **dquots; + int i; + +- if (!dquot_active(inode)) ++ if (!inode_quota_active(inode)) + return false; + + dquots = i_dquot(inode); +@@ -1660,7 +1660,7 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags) + int reserve = flags & DQUOT_SPACE_RESERVE; + struct dquot **dquots; + +- if (!dquot_active(inode)) { ++ if (!inode_quota_active(inode)) { + if (reserve) { + spin_lock(&inode->i_lock); + *inode_reserved_space(inode) += number; +@@ -1730,7 +1730,7 @@ int dquot_alloc_inode(struct inode *inode) + struct dquot_warn warn[MAXQUOTAS]; + struct dquot * const *dquots; + +- if (!dquot_active(inode)) ++ if (!inode_quota_active(inode)) + return 0; + for (cnt = 0; cnt < MAXQUOTAS; cnt++) + warn[cnt].w_type = QUOTA_NL_NOWARN; +@@ -1773,7 +1773,7 @@ int dquot_claim_space_nodirty(struct inode *inode, qsize_t number) + struct dquot **dquots; + int cnt, index; + +- if (!dquot_active(inode)) { ++ if (!inode_quota_active(inode)) { + spin_lock(&inode->i_lock); + *inode_reserved_space(inode) -= number; + __inode_add_bytes(inode, number); +@@ -1815,7 +1815,7 @@ void dquot_reclaim_space_nodirty(struct inode *inode, qsize_t number) + struct dquot **dquots; + int cnt, index; + +- if (!dquot_active(inode)) { ++ if (!inode_quota_active(inode)) { + spin_lock(&inode->i_lock); + *inode_reserved_space(inode) += number; + __inode_sub_bytes(inode, number); +@@ -1859,7 +1859,7 @@ void __dquot_free_space(struct inode *inode, qsize_t number, int flags) + struct dquot **dquots; + int reserve = flags & DQUOT_SPACE_RESERVE, index; + +- if (!dquot_active(inode)) { ++ if (!inode_quota_active(inode)) { + if (reserve) { + spin_lock(&inode->i_lock); + *inode_reserved_space(inode) -= number; +@@ -1914,7 +1914,7 @@ void dquot_free_inode(struct inode *inode) + struct dquot * const *dquots; + int index; + +- if (!dquot_active(inode)) ++ if (!inode_quota_active(inode)) + return; + + dquots = i_dquot(inode); +@@ -2085,7 +2085,7 @@ int dquot_transfer(struct inode *inode, struct iattr *iattr) + struct super_block *sb = inode->i_sb; + int ret; + +- if (!dquot_active(inode)) ++ if (!inode_quota_active(inode)) + return 0; + + if (iattr->ia_valid & ATTR_UID && !uid_eq(iattr->ia_uid, inode->i_uid)){ +-- +2.40.1 + diff --git a/queue-5.15/rdma-hns-fix-cq-and-qp-cache-affinity.patch b/queue-5.15/rdma-hns-fix-cq-and-qp-cache-affinity.patch new file mode 100644 index 00000000000..eb078de526f --- /dev/null +++ b/queue-5.15/rdma-hns-fix-cq-and-qp-cache-affinity.patch @@ -0,0 +1,106 @@ +From d6b17c87303aab6bbdf69628b7b33e1d6c5e37a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 09:27:11 +0800 +Subject: RDMA/hns: Fix CQ and QP cache affinity + +From: Chengchang Tang + +[ Upstream commit 9e03dbea2b0634b21a45946b4f8097e0dc86ebe1 ] + +Currently, the affinity between QP cache and CQ cache is not +considered when assigning QPN, it will affect the message rate of HW. + +Allocate QPN from QP cache with better CQ affinity to get better +performance. + +Fixes: 71586dd20010 ("RDMA/hns: Create QP with selected QPN for bank load balance") +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Link: https://lore.kernel.org/r/20230804012711.808069-5-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_device.h | 1 + + drivers/infiniband/hw/hns/hns_roce_qp.c | 28 ++++++++++++++++----- + 2 files changed, 23 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_device.h b/drivers/infiniband/hw/hns/hns_roce_device.h +index c94991356a2e8..e02107123c970 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_device.h ++++ b/drivers/infiniband/hw/hns/hns_roce_device.h +@@ -121,6 +121,7 @@ + #define HNS_ROCE_CQ_BANK_NUM 4 + + #define CQ_BANKID_SHIFT 2 ++#define CQ_BANKID_MASK GENMASK(1, 0) + + /* The chip implementation of the consumer index is calculated + * according to twice the actual EQ depth +diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c +index 5d50d2d1deca9..00dade1cfff20 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_qp.c ++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c +@@ -172,14 +172,29 @@ static void hns_roce_ib_qp_event(struct hns_roce_qp *hr_qp, + } + } + +-static u8 get_least_load_bankid_for_qp(struct hns_roce_bank *bank) ++static u8 get_affinity_cq_bank(u8 qp_bank) + { +- u32 least_load = bank[0].inuse; ++ return (qp_bank >> 1) & CQ_BANKID_MASK; ++} ++ ++static u8 get_least_load_bankid_for_qp(struct ib_qp_init_attr *init_attr, ++ struct hns_roce_bank *bank) ++{ ++#define INVALID_LOAD_QPNUM 0xFFFFFFFF ++ struct ib_cq *scq = init_attr->send_cq; ++ u32 least_load = INVALID_LOAD_QPNUM; ++ unsigned long cqn = 0; + u8 bankid = 0; + u32 bankcnt; + u8 i; + +- for (i = 1; i < HNS_ROCE_QP_BANK_NUM; i++) { ++ if (scq) ++ cqn = to_hr_cq(scq)->cqn; ++ ++ for (i = 0; i < HNS_ROCE_QP_BANK_NUM; i++) { ++ if (scq && (get_affinity_cq_bank(i) != (cqn & CQ_BANKID_MASK))) ++ continue; ++ + bankcnt = bank[i].inuse; + if (bankcnt < least_load) { + least_load = bankcnt; +@@ -211,7 +226,8 @@ static int alloc_qpn_with_bankid(struct hns_roce_bank *bank, u8 bankid, + + return 0; + } +-static int alloc_qpn(struct hns_roce_dev *hr_dev, struct hns_roce_qp *hr_qp) ++static int alloc_qpn(struct hns_roce_dev *hr_dev, struct hns_roce_qp *hr_qp, ++ struct ib_qp_init_attr *init_attr) + { + struct hns_roce_qp_table *qp_table = &hr_dev->qp_table; + unsigned long num = 0; +@@ -229,7 +245,7 @@ static int alloc_qpn(struct hns_roce_dev *hr_dev, struct hns_roce_qp *hr_qp) + hr_qp->doorbell_qpn = 1; + } else { + mutex_lock(&qp_table->bank_mutex); +- bankid = get_least_load_bankid_for_qp(qp_table->bank); ++ bankid = get_least_load_bankid_for_qp(init_attr, qp_table->bank); + + ret = alloc_qpn_with_bankid(&qp_table->bank[bankid], bankid, + &num); +@@ -1067,7 +1083,7 @@ static int hns_roce_create_qp_common(struct hns_roce_dev *hr_dev, + goto err_buf; + } + +- ret = alloc_qpn(hr_dev, hr_qp); ++ ret = alloc_qpn(hr_dev, hr_qp, init_attr); + if (ret) { + ibdev_err(ibdev, "failed to alloc QPN, ret = %d.\n", ret); + goto err_qpn; +-- +2.40.1 + diff --git a/queue-5.15/rdma-hns-fix-incorrect-post-send-with-direct-wqe-of-.patch b/queue-5.15/rdma-hns-fix-incorrect-post-send-with-direct-wqe-of-.patch new file mode 100644 index 00000000000..dd4b1276883 --- /dev/null +++ b/queue-5.15/rdma-hns-fix-incorrect-post-send-with-direct-wqe-of-.patch @@ -0,0 +1,49 @@ +From 3918912d1636dcb0c50e5488d301a5e5c23baaa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 09:27:09 +0800 +Subject: RDMA/hns: Fix incorrect post-send with direct wqe of wr-list + +From: Junxian Huang + +[ Upstream commit 706efac4477cdb8be857f6322457de524acc02ff ] + +Currently, direct wqe is not supported for wr-list. RoCE driver excludes +direct wqe for wr-list by judging whether the number of wr is 1. + +For a wr-list where the second wr is a length-error atomic wr, the +post-send driver handles the first wr and adds 1 to the wr number counter +firstly. While handling the second wr, the driver finds out a length error +and terminates the wr handle process, remaining the counter at 1. This +causes the driver mistakenly judges there is only 1 wr and thus enters +the direct wqe process, carrying the current length-error atomic wqe. + +This patch fixes the error by adding a judgement whether the current wr +is a bad wr. If so, use the normal doorbell process but not direct wqe +despite the wr number is 1. + +Fixes: 01584a5edcc4 ("RDMA/hns: Add support of direct wqe") +Signed-off-by: Junxian Huang +Link: https://lore.kernel.org/r/20230804012711.808069-3-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 8c02b51c8bffc..4554d3e78b37b 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -731,7 +731,8 @@ static int hns_roce_v2_post_send(struct ib_qp *ibqp, + qp->sq.head += nreq; + qp->next_sge = sge_idx; + +- if (nreq == 1 && (qp->en_flags & HNS_ROCE_QP_CAP_DIRECT_WQE)) ++ if (nreq == 1 && !ret && ++ (qp->en_flags & HNS_ROCE_QP_CAP_DIRECT_WQE)) + write_dwqe(hr_dev, qp, wqe); + else + update_sq_db(hr_dev, qp); +-- +2.40.1 + diff --git a/queue-5.15/rdma-hns-fix-port-active-speed.patch b/queue-5.15/rdma-hns-fix-port-active-speed.patch new file mode 100644 index 00000000000..94958c5fca3 --- /dev/null +++ b/queue-5.15/rdma-hns-fix-port-active-speed.patch @@ -0,0 +1,52 @@ +From c0740b232995bfd7bf880ff3c47bcc1ac2d6cfe9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 09:27:08 +0800 +Subject: RDMA/hns: Fix port active speed + +From: Chengchang Tang + +[ Upstream commit df1bcf90a66a10967a3a43510b42cb3566208011 ] + +HW supports a variety of different speed, but the current speed +is fixed. + +The real speed should be querried from ethernet. + +Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Link: https://lore.kernel.org/r/20230804012711.808069-2-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c +index 13c8195b5c3a6..80b9a9a45c68e 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_main.c ++++ b/drivers/infiniband/hw/hns/hns_roce_main.c +@@ -222,6 +222,7 @@ static int hns_roce_query_port(struct ib_device *ib_dev, u32 port_num, + unsigned long flags; + enum ib_mtu mtu; + u32 port; ++ int ret; + + port = port_num - 1; + +@@ -234,8 +235,10 @@ static int hns_roce_query_port(struct ib_device *ib_dev, u32 port_num, + IB_PORT_BOOT_MGMT_SUP; + props->max_msg_sz = HNS_ROCE_MAX_MSG_LEN; + props->pkey_tbl_len = 1; +- props->active_width = IB_WIDTH_4X; +- props->active_speed = 1; ++ ret = ib_get_eth_speed(ib_dev, port_num, &props->active_speed, ++ &props->active_width); ++ if (ret) ++ ibdev_warn(ib_dev, "failed to get speed, ret = %d.\n", ret); + + spin_lock_irqsave(&hr_dev->iboe.lock, flags); + +-- +2.40.1 + diff --git a/queue-5.15/rdma-irdma-replace-one-element-array-with-flexible-a.patch b/queue-5.15/rdma-irdma-replace-one-element-array-with-flexible-a.patch new file mode 100644 index 00000000000..5f86192d176 --- /dev/null +++ b/queue-5.15/rdma-irdma-replace-one-element-array-with-flexible-a.patch @@ -0,0 +1,74 @@ +From c803961c79342476a921b5cf42a349f6257ac842 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 08:46:26 -0600 +Subject: RDMA/irdma: Replace one-element array with flexible-array member + +From: Gustavo A. R. Silva + +[ Upstream commit 38313c6d2a02c28162e06753b01bd885caf9386d ] + +One-element and zero-length arrays are deprecated. So, replace +one-element array in struct irdma_qvlist_info with flexible-array +member. + +A patch for this was sent a while ago[1]. However, it seems that, at +the time, the changes were partially folded[2][3], and the actual +flexible-array transformation was omitted. This patch fixes that. + +The only binary difference seen before/after changes is shown below: + +| drivers/infiniband/hw/irdma/hw.o +| @@ -868,7 +868,7 @@ +| drivers/infiniband/hw/irdma/hw.c:484 (discriminator 2) +| size += struct_size(iw_qvlist, qv_info, rf->msix_count); +| 55b: imul $0x45c,%rdi,%rdi +|- 562: add $0x10,%rdi +|+ 562: add $0x4,%rdi + +which is, of course, expected as it reflects the mistake made +while folding the patch I've mentioned above. + +Worth mentioning is the fact that with this change we save 12 bytes +of memory, as can be inferred from the diff snapshot above. Notice +that: + +$ pahole -C rdma_qv_info idrivers/infiniband/hw/irdma/hw.o +struct irdma_qv_info { + u32 v_idx; /* 0 4 */ + u16 ceq_idx; /* 4 2 */ + u16 aeq_idx; /* 6 2 */ + u8 itr_idx; /* 8 1 */ + + /* size: 12, cachelines: 1, members: 4 */ + /* padding: 3 */ + /* last cacheline: 12 bytes */ +}; + +Link: https://lore.kernel.org/linux-hardening/20210525230038.GA175516@embeddedor/ [1] +Link: https://lore.kernel.org/linux-hardening/bf46b428deef4e9e89b0ea1704b1f0e5@intel.com/ [2] +Link: https://lore.kernel.org/linux-rdma/20210520143809.819-1-shiraz.saleem@intel.com/T/#u [3] +Fixes: 44d9e52977a1 ("RDMA/irdma: Implement device initialization definitions") +Signed-off-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/ZMpsQrZadBaJGkt4@work +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/main.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/irdma/main.h b/drivers/infiniband/hw/irdma/main.h +index f2e2bc50c6f7b..bd13cc38e5ae1 100644 +--- a/drivers/infiniband/hw/irdma/main.h ++++ b/drivers/infiniband/hw/irdma/main.h +@@ -237,7 +237,7 @@ struct irdma_qv_info { + + struct irdma_qvlist_info { + u32 num_vectors; +- struct irdma_qv_info qv_info[1]; ++ struct irdma_qv_info qv_info[]; + }; + + struct irdma_gen_ops { +-- +2.40.1 + diff --git a/queue-5.15/rdma-qedr-remove-a-duplicate-assignment-in-irdma_que.patch b/queue-5.15/rdma-qedr-remove-a-duplicate-assignment-in-irdma_que.patch new file mode 100644 index 00000000000..74fec11c4f9 --- /dev/null +++ b/queue-5.15/rdma-qedr-remove-a-duplicate-assignment-in-irdma_que.patch @@ -0,0 +1,36 @@ +From 323831a61c0210c1fb74c840e60b81703bdfabca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 10:27:03 +0800 +Subject: RDMA/qedr: Remove a duplicate assignment in irdma_query_ah() + +From: Minjie Du + +[ Upstream commit 65e02e840847158c7ee48ca8e6e91062b0f78662 ] + +Delete a duplicate statement from this function implementation. + +Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") +Signed-off-by: Minjie Du +Acked-by: Alok Prasad +Link: https://lore.kernel.org/r/20230706022704.1260-1-duminjie@vivo.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/verbs.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c +index 60cf83c4119e7..8ccbe761b8607 100644 +--- a/drivers/infiniband/hw/irdma/verbs.c ++++ b/drivers/infiniband/hw/irdma/verbs.c +@@ -4310,7 +4310,6 @@ static int irdma_query_ah(struct ib_ah *ibah, struct rdma_ah_attr *ah_attr) + ah_attr->grh.traffic_class = ah->sc_ah.ah_info.tc_tos; + ah_attr->grh.hop_limit = ah->sc_ah.ah_info.hop_ttl; + ah_attr->grh.sgid_index = ah->sgid_index; +- ah_attr->grh.sgid_index = ah->sgid_index; + memcpy(&ah_attr->grh.dgid, &ah->dgid, + sizeof(ah_attr->grh.dgid)); + } +-- +2.40.1 + diff --git a/queue-5.15/refscale-fix-uninitalized-use-of-wait_queue_head_t.patch b/queue-5.15/refscale-fix-uninitalized-use-of-wait_queue_head_t.patch new file mode 100644 index 00000000000..51a0c22558c --- /dev/null +++ b/queue-5.15/refscale-fix-uninitalized-use-of-wait_queue_head_t.patch @@ -0,0 +1,83 @@ +From 52c8f39f2443d502be0e05012fa633e4b1b47945 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 13:53:55 -0400 +Subject: refscale: Fix uninitalized use of wait_queue_head_t + +From: Waiman Long + +[ Upstream commit f5063e8948dad7f31adb007284a5d5038ae31bb8 ] + +Running the refscale test occasionally crashes the kernel with the +following error: + +[ 8569.952896] BUG: unable to handle page fault for address: ffffffffffffffe8 +[ 8569.952900] #PF: supervisor read access in kernel mode +[ 8569.952902] #PF: error_code(0x0000) - not-present page +[ 8569.952904] PGD c4b048067 P4D c4b049067 PUD c4b04b067 PMD 0 +[ 8569.952910] Oops: 0000 [#1] PREEMPT_RT SMP NOPTI +[ 8569.952916] Hardware name: Dell Inc. PowerEdge R750/0WMWCR, BIOS 1.2.4 05/28/2021 +[ 8569.952917] RIP: 0010:prepare_to_wait_event+0x101/0x190 + : +[ 8569.952940] Call Trace: +[ 8569.952941] +[ 8569.952944] ref_scale_reader+0x380/0x4a0 [refscale] +[ 8569.952959] kthread+0x10e/0x130 +[ 8569.952966] ret_from_fork+0x1f/0x30 +[ 8569.952973] + +The likely cause is that init_waitqueue_head() is called after the call to +the torture_create_kthread() function that creates the ref_scale_reader +kthread. Although this init_waitqueue_head() call will very likely +complete before this kthread is created and starts running, it is +possible that the calling kthread will be delayed between the calls to +torture_create_kthread() and init_waitqueue_head(). In this case, the +new kthread will use the waitqueue head before it is properly initialized, +which is not good for the kernel's health and well-being. + +The above crash happened here: + + static inline void __add_wait_queue(...) + { + : + if (!(wq->flags & WQ_FLAG_PRIORITY)) <=== Crash here + +The offset of flags from list_head entry in wait_queue_entry is +-0x18. If reader_tasks[i].wq.head.next is NULL as allocated reader_task +structure is zero initialized, the instruction will try to access address +0xffffffffffffffe8, which is exactly the fault address listed above. + +This commit therefore invokes init_waitqueue_head() before creating +the kthread. + +Fixes: 653ed64b01dc ("refperf: Add a test to measure performance of read-side synchronization") +Signed-off-by: Waiman Long +Reviewed-by: Qiuxu Zhuo +Reviewed-by: Davidlohr Bueso +Acked-by: Joel Fernandes (Google) +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/refscale.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/kernel/rcu/refscale.c b/kernel/rcu/refscale.c +index 5abb0cf52803a..fda220e2c0426 100644 +--- a/kernel/rcu/refscale.c ++++ b/kernel/rcu/refscale.c +@@ -849,12 +849,11 @@ ref_scale_init(void) + VERBOSE_SCALEOUT("Starting %d reader threads\n", nreaders); + + for (i = 0; i < nreaders; i++) { ++ init_waitqueue_head(&reader_tasks[i].wq); + firsterr = torture_create_kthread(ref_scale_reader, (void *)i, + reader_tasks[i].task); + if (firsterr) + goto unwind; +- +- init_waitqueue_head(&(reader_tasks[i].wq)); + } + + // Main Task +-- +2.40.1 + diff --git a/queue-5.15/regmap-rbtree-use-alloc_flags-for-memory-allocations.patch b/queue-5.15/regmap-rbtree-use-alloc_flags-for-memory-allocations.patch new file mode 100644 index 00000000000..46369ec1213 --- /dev/null +++ b/queue-5.15/regmap-rbtree-use-alloc_flags-for-memory-allocations.patch @@ -0,0 +1,98 @@ +From 6c27458a265bec342e30fa4ec50ba70ac62388b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 17:55:33 +0300 +Subject: regmap: rbtree: Use alloc_flags for memory allocations + +From: Dan Carpenter + +[ Upstream commit 0c8b0bf42c8cef56f7cd9cd876fbb7ece9217064 ] + +The kunit tests discovered a sleeping in atomic bug. The allocations +in the regcache-rbtree code should use the map->alloc_flags instead of +GFP_KERNEL. + +[ 5.005510] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:306 +[ 5.005960] in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 117, name: kunit_try_catch +[ 5.006219] preempt_count: 1, expected: 0 +[ 5.006414] 1 lock held by kunit_try_catch/117: +[ 5.006590] #0: 833b9010 (regmap_kunit:86:(config)->lock){....}-{2:2}, at: regmap_lock_spinlock+0x14/0x1c +[ 5.007493] irq event stamp: 162 +[ 5.007627] hardirqs last enabled at (161): [<80786738>] crng_make_state+0x1a0/0x294 +[ 5.007871] hardirqs last disabled at (162): [<80c531ec>] _raw_spin_lock_irqsave+0x7c/0x80 +[ 5.008119] softirqs last enabled at (0): [<801110ac>] copy_process+0x810/0x2138 +[ 5.008356] softirqs last disabled at (0): [<00000000>] 0x0 +[ 5.008688] CPU: 0 PID: 117 Comm: kunit_try_catch Tainted: G N 6.4.4-rc3-g0e8d2fdfb188 #1 +[ 5.009011] Hardware name: Generic DT based system +[ 5.009277] unwind_backtrace from show_stack+0x18/0x1c +[ 5.009497] show_stack from dump_stack_lvl+0x38/0x5c +[ 5.009676] dump_stack_lvl from __might_resched+0x188/0x2d0 +[ 5.009860] __might_resched from __kmem_cache_alloc_node+0x1dc/0x25c +[ 5.010061] __kmem_cache_alloc_node from kmalloc_trace+0x30/0xc8 +[ 5.010254] kmalloc_trace from regcache_rbtree_write+0x26c/0x468 +[ 5.010446] regcache_rbtree_write from _regmap_write+0x88/0x140 +[ 5.010634] _regmap_write from regmap_write+0x44/0x68 +[ 5.010803] regmap_write from basic_read_write+0x8c/0x270 +[ 5.010980] basic_read_write from kunit_try_run_case+0x48/0xa0 + +Fixes: 28644c809f44 ("regmap: Add the rbtree cache support") +Reported-by: Guenter Roeck +Closes: https://lore.kernel.org/all/ee59d128-413c-48ad-a3aa-d9d350c80042@roeck-us.net/ +Signed-off-by: Dan Carpenter +Tested-by: Guenter Roeck +Link: https://lore.kernel.org/r/58f12a07-5f4b-4a8f-ab84-0a42d1908cb9@moroto.mountain +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regcache-rbtree.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/base/regmap/regcache-rbtree.c b/drivers/base/regmap/regcache-rbtree.c +index fabf87058d80b..ae6b8788d5f3f 100644 +--- a/drivers/base/regmap/regcache-rbtree.c ++++ b/drivers/base/regmap/regcache-rbtree.c +@@ -277,7 +277,7 @@ static int regcache_rbtree_insert_to_block(struct regmap *map, + + blk = krealloc(rbnode->block, + blklen * map->cache_word_size, +- GFP_KERNEL); ++ map->alloc_flags); + if (!blk) + return -ENOMEM; + +@@ -286,7 +286,7 @@ static int regcache_rbtree_insert_to_block(struct regmap *map, + if (BITS_TO_LONGS(blklen) > BITS_TO_LONGS(rbnode->blklen)) { + present = krealloc(rbnode->cache_present, + BITS_TO_LONGS(blklen) * sizeof(*present), +- GFP_KERNEL); ++ map->alloc_flags); + if (!present) + return -ENOMEM; + +@@ -320,7 +320,7 @@ regcache_rbtree_node_alloc(struct regmap *map, unsigned int reg) + const struct regmap_range *range; + int i; + +- rbnode = kzalloc(sizeof(*rbnode), GFP_KERNEL); ++ rbnode = kzalloc(sizeof(*rbnode), map->alloc_flags); + if (!rbnode) + return NULL; + +@@ -346,13 +346,13 @@ regcache_rbtree_node_alloc(struct regmap *map, unsigned int reg) + } + + rbnode->block = kmalloc_array(rbnode->blklen, map->cache_word_size, +- GFP_KERNEL); ++ map->alloc_flags); + if (!rbnode->block) + goto err_free; + + rbnode->cache_present = kcalloc(BITS_TO_LONGS(rbnode->blklen), + sizeof(*rbnode->cache_present), +- GFP_KERNEL); ++ map->alloc_flags); + if (!rbnode->cache_present) + goto err_free_block; + +-- +2.40.1 + diff --git a/queue-5.15/reiserfs-check-the-return-value-from-__getblk.patch b/queue-5.15/reiserfs-check-the-return-value-from-__getblk.patch new file mode 100644 index 00000000000..60b9ce74d3d --- /dev/null +++ b/queue-5.15/reiserfs-check-the-return-value-from-__getblk.patch @@ -0,0 +1,49 @@ +From 99a3f9e2903c6e770a7b8e92ca3785c1565857bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jun 2023 12:16:06 +0100 +Subject: reiserfs: Check the return value from __getblk() + +From: Matthew Wilcox + +[ Upstream commit ba38980add7ffc9e674ada5b4ded4e7d14e76581 ] + +__getblk() can return a NULL pointer if we run out of memory or if we +try to access beyond the end of the device; check it and handle it +appropriately. + +Signed-off-by: Matthew Wilcox (Oracle) +Link: https://lore.kernel.org/lkml/CAFcO6XOacq3hscbXevPQP7sXRoYFz34ZdKPYjmd6k5sZuhGFDw@mail.gmail.com/ +Tested-by: butt3rflyh4ck +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") # probably introduced in 2002 +Acked-by: Edward Shishkin +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/reiserfs/journal.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c +index 0834b101c316d..86a1dee6e2e7d 100644 +--- a/fs/reiserfs/journal.c ++++ b/fs/reiserfs/journal.c +@@ -2323,7 +2323,7 @@ static struct buffer_head *reiserfs_breada(struct block_device *dev, + int i, j; + + bh = __getblk(dev, block, bufsize); +- if (buffer_uptodate(bh)) ++ if (!bh || buffer_uptodate(bh)) + return (bh); + + if (block + BUFNR > max_block) { +@@ -2333,6 +2333,8 @@ static struct buffer_head *reiserfs_breada(struct block_device *dev, + j = 1; + for (i = 1; i < blocks; i++) { + bh = __getblk(dev, block + i, bufsize); ++ if (!bh) ++ break; + if (buffer_uptodate(bh)) { + brelse(bh); + break; +-- +2.40.1 + diff --git a/queue-5.15/revert-ib-isert-fix-incorrect-release-of-isert-conne.patch b/queue-5.15/revert-ib-isert-fix-incorrect-release-of-isert-conne.patch new file mode 100644 index 00000000000..1a1dbb2b7ba --- /dev/null +++ b/queue-5.15/revert-ib-isert-fix-incorrect-release-of-isert-conne.patch @@ -0,0 +1,124 @@ +From c52b7d07d01fba29a8d7cca8fd9df6e152343d8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Aug 2023 10:57:14 +0300 +Subject: Revert "IB/isert: Fix incorrect release of isert connection" + +From: Leon Romanovsky + +[ Upstream commit dfe261107c080709459c32695847eec96238852b ] + +Commit: 699826f4e30a ("IB/isert: Fix incorrect release of isert connection") is +causing problems on OPA when DEVICE_REMOVAL is happening. + + ------------[ cut here ]------------ + WARNING: CPU: 52 PID: 2117247 at drivers/infiniband/core/cq.c:359 +ib_cq_pool_cleanup+0xac/0xb0 [ib_core] + Modules linked in: nfsd nfs_acl target_core_user uio tcm_fc libfc +scsi_transport_fc tcm_loop target_core_pscsi target_core_iblock target_core_file +rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs +rfkill rpcrdma rdma_ucm ib_srpt sunrpc ib_isert iscsi_target_mod target_core_mod +opa_vnic ib_iser libiscsi ib_umad scsi_transport_iscsi rdma_cm ib_ipoib iw_cm +ib_cm hfi1(-) rdmavt ib_uverbs intel_rapl_msr intel_rapl_common sb_edac ib_core +x86_pkg_temp_thermal intel_powerclamp coretemp i2c_i801 mxm_wmi rapl iTCO_wdt +ipmi_si iTCO_vendor_support mei_me ipmi_devintf mei intel_cstate ioatdma +intel_uncore i2c_smbus joydev pcspkr lpc_ich ipmi_msghandler acpi_power_meter +acpi_pad xfs libcrc32c sr_mod sd_mod cdrom t10_pi sg crct10dif_pclmul +crc32_pclmul crc32c_intel drm_kms_helper drm_shmem_helper ahci libahci +ghash_clmulni_intel igb drm libata dca i2c_algo_bit wmi fuse + CPU: 52 PID: 2117247 Comm: modprobe Not tainted 6.5.0-rc1+ #1 + Hardware name: Intel Corporation S2600CWR/S2600CW, BIOS +SE5C610.86B.01.01.0014.121820151719 12/18/2015 + RIP: 0010:ib_cq_pool_cleanup+0xac/0xb0 [ib_core] + Code: ff 48 8b 43 40 48 8d 7b 40 48 83 e8 40 4c 39 e7 75 b3 49 83 +c4 10 4d 39 fc 75 94 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc <0f> 0b eb a1 +90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f + RSP: 0018:ffffc10bea13fc80 EFLAGS: 00010206 + RAX: 000000000000010c RBX: ffff9bf5c7e66c00 RCX: 000000008020001d + RDX: 000000008020001e RSI: fffff175221f9900 RDI: ffff9bf5c7e67640 + RBP: ffff9bf5c7e67600 R08: ffff9bf5c7e64400 R09: 000000008020001d + R10: 0000000040000000 R11: 0000000000000000 R12: ffff9bee4b1e8a18 + R13: dead000000000122 R14: dead000000000100 R15: ffff9bee4b1e8a38 + FS: 00007ff1e6d38740(0000) GS:ffff9bfd9fb00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00005652044ecc68 CR3: 0000000889b5c005 CR4: 00000000001706e0 + Call Trace: + + ? __warn+0x80/0x130 + ? ib_cq_pool_cleanup+0xac/0xb0 [ib_core] + ? report_bug+0x195/0x1a0 + ? handle_bug+0x3c/0x70 + ? exc_invalid_op+0x14/0x70 + ? asm_exc_invalid_op+0x16/0x20 + ? ib_cq_pool_cleanup+0xac/0xb0 [ib_core] + disable_device+0x9d/0x160 [ib_core] + __ib_unregister_device+0x42/0xb0 [ib_core] + ib_unregister_device+0x22/0x30 [ib_core] + rvt_unregister_device+0x20/0x90 [rdmavt] + hfi1_unregister_ib_device+0x16/0xf0 [hfi1] + remove_one+0x55/0x1a0 [hfi1] + pci_device_remove+0x36/0xa0 + device_release_driver_internal+0x193/0x200 + driver_detach+0x44/0x90 + bus_remove_driver+0x69/0xf0 + pci_unregister_driver+0x2a/0xb0 + hfi1_mod_cleanup+0xc/0x3c [hfi1] + __do_sys_delete_module.constprop.0+0x17a/0x2f0 + ? exit_to_user_mode_prepare+0xc4/0xd0 + ? syscall_trace_enter.constprop.0+0x126/0x1a0 + do_syscall_64+0x5c/0x90 + ? syscall_exit_to_user_mode+0x12/0x30 + ? do_syscall_64+0x69/0x90 + ? syscall_exit_work+0x103/0x130 + ? syscall_exit_to_user_mode+0x12/0x30 + ? do_syscall_64+0x69/0x90 + ? exc_page_fault+0x65/0x150 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + RIP: 0033:0x7ff1e643f5ab + Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 +66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 +ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 01 48 + RSP: 002b:00007ffec9103cc8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 + RAX: ffffffffffffffda RBX: 00005615267fdc50 RCX: 00007ff1e643f5ab + RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615267fdcb8 + RBP: 00005615267fdc50 R08: 0000000000000000 R09: 0000000000000000 + R10: 00007ff1e659eac0 R11: 0000000000000206 R12: 00005615267fdcb8 + R13: 0000000000000000 R14: 00005615267fdcb8 R15: 00007ffec9105ff8 + + ---[ end trace 0000000000000000 ]--- + +And... + + restrack: ------------[ cut here ]------------ + infiniband hfi1_0: BUG: RESTRACK detected leak of resources + restrack: Kernel PD object allocated by ib_isert is not freed + restrack: Kernel CQ object allocated by ib_core is not freed + restrack: Kernel QP object allocated by rdma_cm is not freed + restrack: ------------[ cut here ]------------ + +Fixes: 699826f4e30a ("IB/isert: Fix incorrect release of isert connection") +Reported-by: Dennis Dalessandro +Closes: https://lore.kernel.org/all/921cd1d9-2879-f455-1f50-0053fe6a6655@cornelisnetworks.com +Link: https://lore.kernel.org/r/a27982d3235005c58f6d321f3fad5eb6e1beaf9e.1692604607.git.leonro@nvidia.com +Tested-by: Dennis Dalessandro +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/isert/ib_isert.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c +index b71711defb81d..6082695a02d88 100644 +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -2570,6 +2570,8 @@ static void isert_wait_conn(struct iscsi_conn *conn) + isert_put_unsol_pending_cmds(conn); + isert_wait4cmds(conn); + isert_wait4logout(isert_conn); ++ ++ queue_work(isert_release_wq, &isert_conn->release_work); + } + + static void isert_free_conn(struct iscsi_conn *conn) +-- +2.40.1 + diff --git a/queue-5.15/rpmsg-glink-add-check-for-kstrdup.patch b/queue-5.15/rpmsg-glink-add-check-for-kstrdup.patch new file mode 100644 index 00000000000..cc514deac73 --- /dev/null +++ b/queue-5.15/rpmsg-glink-add-check-for-kstrdup.patch @@ -0,0 +1,39 @@ +From c486e43ebe332fa8c919af9a9dfce20d2ee2e667 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 11:06:31 +0800 +Subject: rpmsg: glink: Add check for kstrdup + +From: Jiasheng Jiang + +[ Upstream commit b5c9ee8296a3760760c7b5d2e305f91412adc795 ] + +Add check for the return value of kstrdup() and return the error +if it fails in order to avoid NULL pointer dereference. + +Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20230619030631.12361-1-jiasheng@iscas.ac.cn +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/qcom_glink_native.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c +index fd4c2f0fa4b1f..d37fd1f431fe4 100644 +--- a/drivers/rpmsg/qcom_glink_native.c ++++ b/drivers/rpmsg/qcom_glink_native.c +@@ -222,6 +222,10 @@ static struct glink_channel *qcom_glink_alloc_channel(struct qcom_glink *glink, + + channel->glink = glink; + channel->name = kstrdup(name, GFP_KERNEL); ++ if (!channel->name) { ++ kfree(channel); ++ return ERR_PTR(-ENOMEM); ++ } + + init_completion(&channel->open_req); + init_completion(&channel->open_ack); +-- +2.40.1 + diff --git a/queue-5.15/s390-paes-fix-pkey_type_ep11_aes-handling-for-secure.patch b/queue-5.15/s390-paes-fix-pkey_type_ep11_aes-handling-for-secure.patch new file mode 100644 index 00000000000..52433d5be49 --- /dev/null +++ b/queue-5.15/s390-paes-fix-pkey_type_ep11_aes-handling-for-secure.patch @@ -0,0 +1,40 @@ +From 60e712a902635f95a3a4beb4fda5b3599295c6a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Aug 2023 14:23:45 +0200 +Subject: s390/paes: fix PKEY_TYPE_EP11_AES handling for secure keyblobs + +From: Holger Dengler + +[ Upstream commit cba33db3fc4dbf2e54294b0e499d2335a3a00d78 ] + +Commit 'fa6999e326fe ("s390/pkey: support CCA and EP11 secure ECC +private keys")' introduced PKEY_TYPE_EP11_AES securekey blobs as a +supplement to the PKEY_TYPE_EP11 (which won't work in environments +with session-bound keys). This new keyblobs has a different maximum +size, so fix paes crypto module to accept also these larger keyblobs. + +Fixes: fa6999e326fe ("s390/pkey: support CCA and EP11 secure ECC private keys") +Signed-off-by: Holger Dengler +Reviewed-by: Ingo Franzki +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/crypto/paes_s390.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/crypto/paes_s390.c b/arch/s390/crypto/paes_s390.c +index a279b7d23a5e2..621322eb0e681 100644 +--- a/arch/s390/crypto/paes_s390.c ++++ b/arch/s390/crypto/paes_s390.c +@@ -35,7 +35,7 @@ + * and padding is also possible, the limits need to be generous. + */ + #define PAES_MIN_KEYSIZE 16 +-#define PAES_MAX_KEYSIZE 320 ++#define PAES_MAX_KEYSIZE MAXEP11AESKEYBLOBSIZE + + static u8 *ctrblk; + static DEFINE_MUTEX(ctrblk_lock); +-- +2.40.1 + diff --git a/queue-5.15/s390-pkey-fix-harmonize-internal-keyblob-headers.patch b/queue-5.15/s390-pkey-fix-harmonize-internal-keyblob-headers.patch new file mode 100644 index 00000000000..6b16c75e5c8 --- /dev/null +++ b/queue-5.15/s390-pkey-fix-harmonize-internal-keyblob-headers.patch @@ -0,0 +1,89 @@ +From 7ebfda37979ef734efabec34b0e4fa32b31a204d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jul 2023 11:33:45 +0200 +Subject: s390/pkey: fix/harmonize internal keyblob headers + +From: Holger Dengler + +[ Upstream commit 37a08f010b7c423b5e4c9ed3b187d21166553007 ] + +Commit 'fa6999e326fe ("s390/pkey: support CCA and EP11 secure ECC +private keys")' introduced PKEY_TYPE_EP11_AES as a supplement to +PKEY_TYPE_EP11. All pkeys have an internal header/payload structure, +which is opaque to the userspace. The header structures for +PKEY_TYPE_EP11 and PKEY_TYPE_EP11_AES are nearly identical and there +is no reason, why different structures are used. In preparation to fix +the keyversion handling in the broken PKEY IOCTLs, the same header +structure is used for PKEY_TYPE_EP11 and PKEY_TYPE_EP11_AES. This +reduces the number of different code paths and increases the +readability. + +Fixes: fa6999e326fe ("s390/pkey: support CCA and EP11 secure ECC private keys") +Signed-off-by: Holger Dengler +Reviewed-by: Ingo Franzki +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + drivers/s390/crypto/pkey_api.c | 2 +- + drivers/s390/crypto/zcrypt_ep11misc.c | 4 ++-- + drivers/s390/crypto/zcrypt_ep11misc.h | 9 +-------- + 3 files changed, 4 insertions(+), 11 deletions(-) + +diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c +index 83b335f962c89..34e1d1b339c12 100644 +--- a/drivers/s390/crypto/pkey_api.c ++++ b/drivers/s390/crypto/pkey_api.c +@@ -744,7 +744,7 @@ static int pkey_verifykey2(const u8 *key, size_t keylen, + if (ktype) + *ktype = PKEY_TYPE_EP11; + if (ksize) +- *ksize = kb->head.keybitlen; ++ *ksize = kb->head.bitlen; + + rc = ep11_findcard2(&_apqns, &_nr_apqns, *cardnr, *domain, + ZCRYPT_CEX7, EP11_API_V, kb->wkvp); +diff --git a/drivers/s390/crypto/zcrypt_ep11misc.c b/drivers/s390/crypto/zcrypt_ep11misc.c +index 9ce5a71da69b8..3daf259ba10e7 100644 +--- a/drivers/s390/crypto/zcrypt_ep11misc.c ++++ b/drivers/s390/crypto/zcrypt_ep11misc.c +@@ -788,7 +788,7 @@ int ep11_genaeskey(u16 card, u16 domain, u32 keybitsize, u32 keygenflags, + kb->head.type = TOKTYPE_NON_CCA; + kb->head.len = rep_pl->data_len; + kb->head.version = TOKVER_EP11_AES; +- kb->head.keybitlen = keybitsize; ++ kb->head.bitlen = keybitsize; + + out: + kfree(req); +@@ -1056,7 +1056,7 @@ static int ep11_unwrapkey(u16 card, u16 domain, + kb->head.type = TOKTYPE_NON_CCA; + kb->head.len = rep_pl->data_len; + kb->head.version = TOKVER_EP11_AES; +- kb->head.keybitlen = keybitsize; ++ kb->head.bitlen = keybitsize; + + out: + kfree(req); +diff --git a/drivers/s390/crypto/zcrypt_ep11misc.h b/drivers/s390/crypto/zcrypt_ep11misc.h +index 1e02b197c0035..d424fa901f1b0 100644 +--- a/drivers/s390/crypto/zcrypt_ep11misc.h ++++ b/drivers/s390/crypto/zcrypt_ep11misc.h +@@ -29,14 +29,7 @@ struct ep11keyblob { + union { + u8 session[32]; + /* only used for PKEY_TYPE_EP11: */ +- struct { +- u8 type; /* 0x00 (TOKTYPE_NON_CCA) */ +- u8 res0; /* unused */ +- u16 len; /* total length in bytes of this blob */ +- u8 version; /* 0x03 (TOKVER_EP11_AES) */ +- u8 res1; /* unused */ +- u16 keybitlen; /* clear key bit len, 0 for unknown */ +- } head; ++ struct ep11kblob_header head; + }; + u8 wkvp[16]; /* wrapping key verification pattern */ + u64 attr; /* boolean key attributes */ +-- +2.40.1 + diff --git a/queue-5.15/samples-bpf-fix-broken-map-lookup-probe.patch b/queue-5.15/samples-bpf-fix-broken-map-lookup-probe.patch new file mode 100644 index 00000000000..71fe61499d1 --- /dev/null +++ b/queue-5.15/samples-bpf-fix-broken-map-lookup-probe.patch @@ -0,0 +1,71 @@ +From 29c99fa352ec24fbdd0e0d9a8907ba7bf0bd27db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Aug 2023 18:01:17 +0900 +Subject: samples/bpf: fix broken map lookup probe + +From: Daniel T. Lee + +[ Upstream commit d93a7cf6ca2cfcd7de5d06f753ce8d5e863316ac ] + +In the commit 7c4cd051add3 ("bpf: Fix syscall's stackmap lookup +potential deadlock"), a potential deadlock issue was addressed, which +resulted in *_map_lookup_elem not triggering BPF programs. +(prior to lookup, bpf_disable_instrumentation() is used) + +To resolve the broken map lookup probe using "htab_map_lookup_elem", +this commit introduces an alternative approach. Instead, it utilize +"bpf_map_copy_value" and apply a filter specifically for the hash table +with map_type. + +Signed-off-by: Daniel T. Lee +Fixes: 7c4cd051add3 ("bpf: Fix syscall's stackmap lookup potential deadlock") +Link: https://lore.kernel.org/r/20230818090119.477441-8-danieltimlee@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + samples/bpf/tracex6_kern.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/samples/bpf/tracex6_kern.c b/samples/bpf/tracex6_kern.c +index acad5712d8b4f..fd602c2774b8b 100644 +--- a/samples/bpf/tracex6_kern.c ++++ b/samples/bpf/tracex6_kern.c +@@ -2,6 +2,8 @@ + #include + #include + #include ++#include ++#include + + struct { + __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY); +@@ -45,13 +47,24 @@ int bpf_prog1(struct pt_regs *ctx) + return 0; + } + +-SEC("kprobe/htab_map_lookup_elem") +-int bpf_prog2(struct pt_regs *ctx) ++/* ++ * Since *_map_lookup_elem can't be expected to trigger bpf programs ++ * due to potential deadlocks (bpf_disable_instrumentation), this bpf ++ * program will be attached to bpf_map_copy_value (which is called ++ * from map_lookup_elem) and will only filter the hashtable type. ++ */ ++SEC("kprobe/bpf_map_copy_value") ++int BPF_KPROBE(bpf_prog2, struct bpf_map *map) + { + u32 key = bpf_get_smp_processor_id(); + struct bpf_perf_event_value *val, buf; ++ enum bpf_map_type type; + int error; + ++ type = BPF_CORE_READ(map, map_type); ++ if (type != BPF_MAP_TYPE_HASH) ++ return 0; ++ + error = bpf_perf_event_read_value(&counters, key, &buf, sizeof(buf)); + if (error) + return 0; +-- +2.40.1 + diff --git a/queue-5.15/scsi-be2iscsi-add-length-check-when-parsing-nlattrs.patch b/queue-5.15/scsi-be2iscsi-add-length-check-when-parsing-nlattrs.patch new file mode 100644 index 00000000000..74ca0afba7b --- /dev/null +++ b/queue-5.15/scsi-be2iscsi-add-length-check-when-parsing-nlattrs.patch @@ -0,0 +1,46 @@ +From 2a74465182ad35aae2be91942b05ad0e9dc33554 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 15:59:38 +0800 +Subject: scsi: be2iscsi: Add length check when parsing nlattrs + +From: Lin Ma + +[ Upstream commit ee0268f230f66cb472df3424f380ea668da2749a ] + +beiscsi_iface_set_param() parses nlattr with nla_for_each_attr and assumes +every attributes can be viewed as struct iscsi_iface_param_info. + +This is not true because there is no any nla_policy to validate the +attributes passed from the upper function iscsi_set_iface_params(). + +Add the nla_len check before accessing the nlattr data and return EINVAL if +the length check fails. + +Fixes: 0e43895ec1f4 ("[SCSI] be2iscsi: adding functionality to change network settings using iscsiadm") +Signed-off-by: Lin Ma +Link: https://lore.kernel.org/r/20230723075938.3713864-1-linma@zju.edu.cn +Reviewed-by: Chris Leech +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/be2iscsi/be_iscsi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/scsi/be2iscsi/be_iscsi.c b/drivers/scsi/be2iscsi/be_iscsi.c +index 8aeaddc93b167..8d374ae863ba2 100644 +--- a/drivers/scsi/be2iscsi/be_iscsi.c ++++ b/drivers/scsi/be2iscsi/be_iscsi.c +@@ -450,6 +450,10 @@ int beiscsi_iface_set_param(struct Scsi_Host *shost, + } + + nla_for_each_attr(attrib, data, dt_len, rm_len) { ++ /* ignore nla_type as it is never used */ ++ if (nla_len(attrib) < sizeof(*iface_param)) ++ return -EINVAL; ++ + iface_param = nla_data(attrib); + + if (iface_param->param_type != ISCSI_NET_PARAM) +-- +2.40.1 + diff --git a/queue-5.15/scsi-core-use-32-bit-hostnum-in-scsi_host_lookup.patch b/queue-5.15/scsi-core-use-32-bit-hostnum-in-scsi_host_lookup.patch new file mode 100644 index 00000000000..b8eb68cbf99 --- /dev/null +++ b/queue-5.15/scsi-core-use-32-bit-hostnum-in-scsi_host_lookup.patch @@ -0,0 +1,61 @@ +From b28fc4b23396856e19bcf8d91dfcd58057a2c6f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 10:03:25 -0400 +Subject: scsi: core: Use 32-bit hostnum in scsi_host_lookup() + +From: Tony Battersby + +[ Upstream commit 62ec2092095b678ff89ce4ba51c2938cd1e8e630 ] + +Change scsi_host_lookup() hostnum argument type from unsigned short to +unsigned int to match the type used everywhere else. + +Fixes: 6d49f63b415c ("[SCSI] Make host_no an unsigned int") +Signed-off-by: Tony Battersby +Link: https://lore.kernel.org/r/a02497e7-c12b-ef15-47fc-3f0a0b00ffce@cybernetics.com +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hosts.c | 4 ++-- + include/scsi/scsi_host.h | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c +index 7dc42d0e2a0dd..1b285ce62f8ae 100644 +--- a/drivers/scsi/hosts.c ++++ b/drivers/scsi/hosts.c +@@ -518,7 +518,7 @@ EXPORT_SYMBOL(scsi_host_alloc); + static int __scsi_host_match(struct device *dev, const void *data) + { + struct Scsi_Host *p; +- const unsigned short *hostnum = data; ++ const unsigned int *hostnum = data; + + p = class_to_shost(dev); + return p->host_no == *hostnum; +@@ -535,7 +535,7 @@ static int __scsi_host_match(struct device *dev, const void *data) + * that scsi_host_get() took. The put_device() below dropped + * the reference from class_find_device(). + **/ +-struct Scsi_Host *scsi_host_lookup(unsigned short hostnum) ++struct Scsi_Host *scsi_host_lookup(unsigned int hostnum) + { + struct device *cdev; + struct Scsi_Host *shost = NULL; +diff --git a/include/scsi/scsi_host.h b/include/scsi/scsi_host.h +index 1a02e58eb4e44..f50861e4e88a1 100644 +--- a/include/scsi/scsi_host.h ++++ b/include/scsi/scsi_host.h +@@ -762,7 +762,7 @@ extern void scsi_remove_host(struct Scsi_Host *); + extern struct Scsi_Host *scsi_host_get(struct Scsi_Host *); + extern int scsi_host_busy(struct Scsi_Host *shost); + extern void scsi_host_put(struct Scsi_Host *t); +-extern struct Scsi_Host *scsi_host_lookup(unsigned short); ++extern struct Scsi_Host *scsi_host_lookup(unsigned int hostnum); + extern const char *scsi_host_state_name(enum scsi_host_state); + extern void scsi_host_complete_all_commands(struct Scsi_Host *shost, + enum scsi_host_status status); +-- +2.40.1 + diff --git a/queue-5.15/scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch b/queue-5.15/scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch new file mode 100644 index 00000000000..757cdf790e2 --- /dev/null +++ b/queue-5.15/scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch @@ -0,0 +1,156 @@ +From af3e273de2cfcea08c4122c6ecac348fc02705f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 07:47:08 +0000 +Subject: scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock + +From: Chengfeng Ye + +[ Upstream commit 1a1975551943f681772720f639ff42fbaa746212 ] + +There is a long call chain that &fip->ctlr_lock is acquired by isr +fnic_isr_msix_wq_copy() under hard IRQ context. Thus other process context +code acquiring the lock should disable IRQ, otherwise deadlock could happen +if the IRQ preempts the execution while the lock is held in process context +on the same CPU. + +[ISR] +fnic_isr_msix_wq_copy() + -> fnic_wq_copy_cmpl_handler() + -> fnic_fcpio_cmpl_handler() + -> fnic_fcpio_flogi_reg_cmpl_handler() + -> fnic_flush_tx() + -> fnic_send_frame() + -> fcoe_ctlr_els_send() + -> spin_lock_bh(&fip->ctlr_lock) + +[Process Context] +1. fcoe_ctlr_timer_work() + -> fcoe_ctlr_flogi_send() + -> spin_lock_bh(&fip->ctlr_lock) + +2. fcoe_ctlr_recv_work() + -> fcoe_ctlr_recv_handler() + -> fcoe_ctlr_recv_els() + -> fcoe_ctlr_announce() + -> spin_lock_bh(&fip->ctlr_lock) + +3. fcoe_ctlr_recv_work() + -> fcoe_ctlr_recv_handler() + -> fcoe_ctlr_recv_els() + -> fcoe_ctlr_flogi_retry() + -> spin_lock_bh(&fip->ctlr_lock) + +4. -> fcoe_xmit() + -> fcoe_ctlr_els_send() + -> spin_lock_bh(&fip->ctlr_lock) + +spin_lock_bh() is not enough since fnic_isr_msix_wq_copy() is a +hardirq. + +These flaws were found by an experimental static analysis tool I am +developing for irq-related deadlock. + +The patch fix the potential deadlocks by spin_lock_irqsave() to disable +hard irq. + +Fixes: 794d98e77f59 ("[SCSI] libfcoe: retry rejected FLOGI to another FCF if possible") +Signed-off-by: Chengfeng Ye +Link: https://lore.kernel.org/r/20230817074708.7509-1-dg573847474@gmail.com +Reviewed-by: Davidlohr Bueso +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/fcoe/fcoe_ctlr.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/drivers/scsi/fcoe/fcoe_ctlr.c b/drivers/scsi/fcoe/fcoe_ctlr.c +index 558f3f4e18593..303ecbd86b68a 100644 +--- a/drivers/scsi/fcoe/fcoe_ctlr.c ++++ b/drivers/scsi/fcoe/fcoe_ctlr.c +@@ -319,16 +319,17 @@ static void fcoe_ctlr_announce(struct fcoe_ctlr *fip) + { + struct fcoe_fcf *sel; + struct fcoe_fcf *fcf; ++ unsigned long flags; + + mutex_lock(&fip->ctlr_mutex); +- spin_lock_bh(&fip->ctlr_lock); ++ spin_lock_irqsave(&fip->ctlr_lock, flags); + + kfree_skb(fip->flogi_req); + fip->flogi_req = NULL; + list_for_each_entry(fcf, &fip->fcfs, list) + fcf->flogi_sent = 0; + +- spin_unlock_bh(&fip->ctlr_lock); ++ spin_unlock_irqrestore(&fip->ctlr_lock, flags); + sel = fip->sel_fcf; + + if (sel && ether_addr_equal(sel->fcf_mac, fip->dest_addr)) +@@ -699,6 +700,7 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr *fip, struct fc_lport *lport, + { + struct fc_frame *fp; + struct fc_frame_header *fh; ++ unsigned long flags; + u16 old_xid; + u8 op; + u8 mac[ETH_ALEN]; +@@ -732,11 +734,11 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr *fip, struct fc_lport *lport, + op = FIP_DT_FLOGI; + if (fip->mode == FIP_MODE_VN2VN) + break; +- spin_lock_bh(&fip->ctlr_lock); ++ spin_lock_irqsave(&fip->ctlr_lock, flags); + kfree_skb(fip->flogi_req); + fip->flogi_req = skb; + fip->flogi_req_send = 1; +- spin_unlock_bh(&fip->ctlr_lock); ++ spin_unlock_irqrestore(&fip->ctlr_lock, flags); + schedule_work(&fip->timer_work); + return -EINPROGRESS; + case ELS_FDISC: +@@ -1713,10 +1715,11 @@ static int fcoe_ctlr_flogi_send_locked(struct fcoe_ctlr *fip) + static int fcoe_ctlr_flogi_retry(struct fcoe_ctlr *fip) + { + struct fcoe_fcf *fcf; ++ unsigned long flags; + int error; + + mutex_lock(&fip->ctlr_mutex); +- spin_lock_bh(&fip->ctlr_lock); ++ spin_lock_irqsave(&fip->ctlr_lock, flags); + LIBFCOE_FIP_DBG(fip, "re-sending FLOGI - reselect\n"); + fcf = fcoe_ctlr_select(fip); + if (!fcf || fcf->flogi_sent) { +@@ -1727,7 +1730,7 @@ static int fcoe_ctlr_flogi_retry(struct fcoe_ctlr *fip) + fcoe_ctlr_solicit(fip, NULL); + error = fcoe_ctlr_flogi_send_locked(fip); + } +- spin_unlock_bh(&fip->ctlr_lock); ++ spin_unlock_irqrestore(&fip->ctlr_lock, flags); + mutex_unlock(&fip->ctlr_mutex); + return error; + } +@@ -1744,8 +1747,9 @@ static int fcoe_ctlr_flogi_retry(struct fcoe_ctlr *fip) + static void fcoe_ctlr_flogi_send(struct fcoe_ctlr *fip) + { + struct fcoe_fcf *fcf; ++ unsigned long flags; + +- spin_lock_bh(&fip->ctlr_lock); ++ spin_lock_irqsave(&fip->ctlr_lock, flags); + fcf = fip->sel_fcf; + if (!fcf || !fip->flogi_req_send) + goto unlock; +@@ -1772,7 +1776,7 @@ static void fcoe_ctlr_flogi_send(struct fcoe_ctlr *fip) + } else /* XXX */ + LIBFCOE_FIP_DBG(fip, "No FCF selected - defer send\n"); + unlock: +- spin_unlock_bh(&fip->ctlr_lock); ++ spin_unlock_irqrestore(&fip->ctlr_lock, flags); + } + + /** +-- +2.40.1 + diff --git a/queue-5.15/scsi-hisi_sas-fix-normally-completed-i-o-analysed-as.patch b/queue-5.15/scsi-hisi_sas-fix-normally-completed-i-o-analysed-as.patch new file mode 100644 index 00000000000..2e0972d2c8f --- /dev/null +++ b/queue-5.15/scsi-hisi_sas-fix-normally-completed-i-o-analysed-as.patch @@ -0,0 +1,90 @@ +From c8da2a43571e74307fd0778f6c9db18145316b48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jul 2023 11:14:58 +0800 +Subject: scsi: hisi_sas: Fix normally completed I/O analysed as failed + +From: Xingui Yang + +[ Upstream commit f5393a5602cacfda2014e0ff8220e5a7564e7cd1 ] + +The PIO read command has no response frame and the struct iu[1024] won't be +filled. I/Os which are normally completed will be treated as failed in +sas_ata_task_done() when iu contains abnormal dirty data. + +Consequently ending_fis should not be filled by iu when the response frame +hasn't been written to memory. + +Fixes: d380f55503ed ("scsi: hisi_sas: Don't bother clearing status buffer IU in task prep") +Signed-off-by: Xingui Yang +Signed-off-by: Xiang Chen +Link: https://lore.kernel.org/r/1689045300-44318-2-git-send-email-chenxiang66@hisilicon.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 11 +++++++++-- + drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 6 ++++-- + 2 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c +index b0b2361e63fef..c40588ed68a54 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c +@@ -2026,6 +2026,11 @@ static void slot_err_v2_hw(struct hisi_hba *hisi_hba, + u16 dma_tx_err_type = le16_to_cpu(err_record->dma_tx_err_type); + u16 sipc_rx_err_type = le16_to_cpu(err_record->sipc_rx_err_type); + u32 dma_rx_err_type = le32_to_cpu(err_record->dma_rx_err_type); ++ struct hisi_sas_complete_v2_hdr *complete_queue = ++ hisi_hba->complete_hdr[slot->cmplt_queue]; ++ struct hisi_sas_complete_v2_hdr *complete_hdr = ++ &complete_queue[slot->cmplt_queue_slot]; ++ u32 dw0 = le32_to_cpu(complete_hdr->dw0); + int error = -1; + + if (err_phase == 1) { +@@ -2310,7 +2315,8 @@ static void slot_err_v2_hw(struct hisi_hba *hisi_hba, + break; + } + } +- hisi_sas_sata_done(task, slot); ++ if (dw0 & CMPLT_HDR_RSPNS_XFRD_MSK) ++ hisi_sas_sata_done(task, slot); + } + break; + default: +@@ -2442,7 +2448,8 @@ static void slot_complete_v2_hw(struct hisi_hba *hisi_hba, + case SAS_PROTOCOL_SATA | SAS_PROTOCOL_STP: + { + ts->stat = SAS_SAM_STAT_GOOD; +- hisi_sas_sata_done(task, slot); ++ if (dw0 & CMPLT_HDR_RSPNS_XFRD_MSK) ++ hisi_sas_sata_done(task, slot); + break; + } + default: +diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +index d26b2c9b7c874..b8a12d3ad5f27 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +@@ -2196,7 +2196,8 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task, + ts->stat = SAS_OPEN_REJECT; + ts->open_rej_reason = SAS_OREJ_RSVD_RETRY; + } +- hisi_sas_sata_done(task, slot); ++ if (dw0 & CMPLT_HDR_RSPNS_XFRD_MSK) ++ hisi_sas_sata_done(task, slot); + break; + case SAS_PROTOCOL_SMP: + ts->stat = SAS_SAM_STAT_CHECK_CONDITION; +@@ -2322,7 +2323,8 @@ static void slot_complete_v3_hw(struct hisi_hba *hisi_hba, + case SAS_PROTOCOL_STP: + case SAS_PROTOCOL_SATA | SAS_PROTOCOL_STP: + ts->stat = SAS_SAM_STAT_GOOD; +- hisi_sas_sata_done(task, slot); ++ if (dw0 & CMPLT_HDR_RSPNS_XFRD_MSK) ++ hisi_sas_sata_done(task, slot); + break; + default: + ts->stat = SAS_SAM_STAT_CHECK_CONDITION; +-- +2.40.1 + diff --git a/queue-5.15/scsi-hisi_sas-fix-warnings-detected-by-sparse.patch b/queue-5.15/scsi-hisi_sas-fix-warnings-detected-by-sparse.patch new file mode 100644 index 00000000000..8285da015af --- /dev/null +++ b/queue-5.15/scsi-hisi_sas-fix-warnings-detected-by-sparse.patch @@ -0,0 +1,60 @@ +From fc0c00b16c7087e7a4cec4835d29e7e36f449994 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 10:41:21 +0800 +Subject: scsi: hisi_sas: Fix warnings detected by sparse + +From: Xingui Yang + +[ Upstream commit c0328cc595124579328462fc45d7a29a084cf357 ] + +This patch fixes the following warning: + +drivers/scsi/hisi_sas/hisi_sas_v3_hw.c:2168:43: sparse: sparse: restricted __le32 degrades to integer + +Reported-by: kernel test robot +Link: https://lore.kernel.org/oe-kbuild-all/202304161254.NztCVZIO-lkp@intel.com/ +Signed-off-by: Xingui Yang +Signed-off-by: Xiang Chen +Link: https://lore.kernel.org/r/1684118481-95908-4-git-send-email-chenxiang66@hisilicon.com +Signed-off-by: Martin K. Petersen +Stable-dep-of: f5393a5602ca ("scsi: hisi_sas: Fix normally completed I/O analysed as failed") +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +index 7204666c04076..d26b2c9b7c874 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +@@ -2156,6 +2156,7 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task, + u32 trans_tx_fail_type = le32_to_cpu(record->trans_tx_fail_type); + u16 sipc_rx_err_type = le16_to_cpu(record->sipc_rx_err_type); + u32 dw3 = le32_to_cpu(complete_hdr->dw3); ++ u32 dw0 = le32_to_cpu(complete_hdr->dw0); + + switch (task->task_proto) { + case SAS_PROTOCOL_SSP: +@@ -2165,8 +2166,8 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task, + * but I/O information has been written to the host memory, we examine + * response IU. + */ +- if (!(complete_hdr->dw0 & CMPLT_HDR_RSPNS_GOOD_MSK) && +- (complete_hdr->dw0 & CMPLT_HDR_RSPNS_XFRD_MSK)) ++ if (!(dw0 & CMPLT_HDR_RSPNS_GOOD_MSK) && ++ (dw0 & CMPLT_HDR_RSPNS_XFRD_MSK)) + return false; + + ts->residual = trans_tx_fail_type; +@@ -2182,7 +2183,7 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task, + case SAS_PROTOCOL_SATA: + case SAS_PROTOCOL_STP: + case SAS_PROTOCOL_SATA | SAS_PROTOCOL_STP: +- if ((complete_hdr->dw0 & CMPLT_HDR_RSPNS_XFRD_MSK) && ++ if ((dw0 & CMPLT_HDR_RSPNS_XFRD_MSK) && + (sipc_rx_err_type & RX_FIS_STATUS_ERR_MSK)) { + ts->stat = SAS_PROTO_RESPONSE; + } else if (dma_rx_err_type & RX_DATA_LEN_UNDERFLOW_MSK) { +-- +2.40.1 + diff --git a/queue-5.15/scsi-hisi_sas-modify-v3-hw-sata-completion-error-pro.patch b/queue-5.15/scsi-hisi_sas-modify-v3-hw-sata-completion-error-pro.patch new file mode 100644 index 00000000000..588564e9d69 --- /dev/null +++ b/queue-5.15/scsi-hisi_sas-modify-v3-hw-sata-completion-error-pro.patch @@ -0,0 +1,61 @@ +From 3321c0eaebbc8df6b66bace9a1127fdad0c4beea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jul 2022 02:23:21 +0800 +Subject: scsi: hisi_sas: Modify v3 HW SATA completion error processing + +From: Xingui Yang + +[ Upstream commit 7e15334f5d256367fb4c77f4ee0003e1e3d9bf9d ] + +If the I/O completion response frame returned by the target device has been +written to the host memory and the err bit in the status field of the +received fis is 1, ts->stat should set to SAS_PROTO_RESPONSE, and this will +let EH analyze and further determine cause of failure. + +Link: https://lore.kernel.org/r/1657823002-139010-5-git-send-email-john.garry@huawei.com +Signed-off-by: Xingui Yang +Signed-off-by: John Garry +Signed-off-by: Martin K. Petersen +Stable-dep-of: f5393a5602ca ("scsi: hisi_sas: Fix normally completed I/O analysed as failed") +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +index 00f0847e1487a..7204666c04076 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +@@ -480,6 +480,9 @@ struct hisi_sas_err_record_v3 { + #define RX_DATA_LEN_UNDERFLOW_OFF 6 + #define RX_DATA_LEN_UNDERFLOW_MSK (1 << RX_DATA_LEN_UNDERFLOW_OFF) + ++#define RX_FIS_STATUS_ERR_OFF 0 ++#define RX_FIS_STATUS_ERR_MSK (1 << RX_FIS_STATUS_ERR_OFF) ++ + #define HISI_SAS_COMMAND_ENTRIES_V3_HW 4096 + #define HISI_SAS_MSI_COUNT_V3_HW 32 + +@@ -2151,6 +2154,7 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task, + hisi_sas_status_buf_addr_mem(slot); + u32 dma_rx_err_type = le32_to_cpu(record->dma_rx_err_type); + u32 trans_tx_fail_type = le32_to_cpu(record->trans_tx_fail_type); ++ u16 sipc_rx_err_type = le16_to_cpu(record->sipc_rx_err_type); + u32 dw3 = le32_to_cpu(complete_hdr->dw3); + + switch (task->task_proto) { +@@ -2178,7 +2182,10 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task, + case SAS_PROTOCOL_SATA: + case SAS_PROTOCOL_STP: + case SAS_PROTOCOL_SATA | SAS_PROTOCOL_STP: +- if (dma_rx_err_type & RX_DATA_LEN_UNDERFLOW_MSK) { ++ if ((complete_hdr->dw0 & CMPLT_HDR_RSPNS_XFRD_MSK) && ++ (sipc_rx_err_type & RX_FIS_STATUS_ERR_MSK)) { ++ ts->stat = SAS_PROTO_RESPONSE; ++ } else if (dma_rx_err_type & RX_DATA_LEN_UNDERFLOW_MSK) { + ts->residual = trans_tx_fail_type; + ts->stat = SAS_DATA_UNDERRUN; + } else if (dw3 & CMPLT_HDR_IO_IN_TARGET_MSK) { +-- +2.40.1 + diff --git a/queue-5.15/scsi-hisi_sas-modify-v3-hw-ssp-underflow-error-proce.patch b/queue-5.15/scsi-hisi_sas-modify-v3-hw-ssp-underflow-error-proce.patch new file mode 100644 index 00000000000..bf7826f6c0d --- /dev/null +++ b/queue-5.15/scsi-hisi_sas-modify-v3-hw-ssp-underflow-error-proce.patch @@ -0,0 +1,113 @@ +From 53c9a9e35222339e4bd32f4936948fba25c0f9ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Feb 2022 19:51:29 +0800 +Subject: scsi: hisi_sas: Modify v3 HW SSP underflow error processing + +From: Xingui Yang + +[ Upstream commit 62413199cd6d2906c121c2dfa3d7b82fd05f08db ] + +In case of SSP underflow allow the response frame IU to be examined for +setting the response stat value rather than always setting +SAS_DATA_UNDERRUN. + +This will mean that we call sas_ssp_task_response() in those scenarios and +may send sense data to upper layer. + +Such a condition would be for bad blocks were we just reporting an +underflow error to upper layer, but now the sense data will tell +immediately that the media is faulty. + +Link: https://lore.kernel.org/r/1645703489-87194-7-git-send-email-john.garry@huawei.com +Signed-off-by: Xingui Yang +Signed-off-by: Qi Liu +Signed-off-by: John Garry +Signed-off-by: Martin K. Petersen +Stable-dep-of: f5393a5602ca ("scsi: hisi_sas: Fix normally completed I/O analysed as failed") +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 39 +++++++++++++++++--------- + 1 file changed, 26 insertions(+), 13 deletions(-) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +index 9515ab66a7789..00f0847e1487a 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +@@ -405,6 +405,8 @@ + #define CMPLT_HDR_ERROR_PHASE_MSK (0xff << CMPLT_HDR_ERROR_PHASE_OFF) + #define CMPLT_HDR_RSPNS_XFRD_OFF 10 + #define CMPLT_HDR_RSPNS_XFRD_MSK (0x1 << CMPLT_HDR_RSPNS_XFRD_OFF) ++#define CMPLT_HDR_RSPNS_GOOD_OFF 11 ++#define CMPLT_HDR_RSPNS_GOOD_MSK (0x1 << CMPLT_HDR_RSPNS_GOOD_OFF) + #define CMPLT_HDR_ERX_OFF 12 + #define CMPLT_HDR_ERX_MSK (0x1 << CMPLT_HDR_ERX_OFF) + #define CMPLT_HDR_ABORT_STAT_OFF 13 +@@ -2136,7 +2138,7 @@ static irqreturn_t fatal_axi_int_v3_hw(int irq_no, void *p) + return IRQ_HANDLED; + } + +-static void ++static bool + slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task, + struct hisi_sas_slot *slot) + { +@@ -2154,6 +2156,15 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task, + switch (task->task_proto) { + case SAS_PROTOCOL_SSP: + if (dma_rx_err_type & RX_DATA_LEN_UNDERFLOW_MSK) { ++ /* ++ * If returned response frame is incorrect because of data underflow, ++ * but I/O information has been written to the host memory, we examine ++ * response IU. ++ */ ++ if (!(complete_hdr->dw0 & CMPLT_HDR_RSPNS_GOOD_MSK) && ++ (complete_hdr->dw0 & CMPLT_HDR_RSPNS_XFRD_MSK)) ++ return false; ++ + ts->residual = trans_tx_fail_type; + ts->stat = SAS_DATA_UNDERRUN; + } else if (dw3 & CMPLT_HDR_IO_IN_TARGET_MSK) { +@@ -2185,6 +2196,7 @@ slot_err_v3_hw(struct hisi_hba *hisi_hba, struct sas_task *task, + default: + break; + } ++ return true; + } + + static void slot_complete_v3_hw(struct hisi_hba *hisi_hba, +@@ -2259,19 +2271,20 @@ static void slot_complete_v3_hw(struct hisi_hba *hisi_hba, + if ((dw0 & CMPLT_HDR_CMPLT_MSK) == 0x3) { + u32 *error_info = hisi_sas_status_buf_addr_mem(slot); + +- slot_err_v3_hw(hisi_hba, task, slot); +- if (ts->stat != SAS_DATA_UNDERRUN) +- dev_info(dev, "erroneous completion iptt=%d task=%pK dev id=%d addr=%016llx CQ hdr: 0x%x 0x%x 0x%x 0x%x Error info: 0x%x 0x%x 0x%x 0x%x\n", +- slot->idx, task, sas_dev->device_id, +- SAS_ADDR(device->sas_addr), +- dw0, dw1, complete_hdr->act, dw3, +- error_info[0], error_info[1], +- error_info[2], error_info[3]); +- if (unlikely(slot->abort)) { +- sas_task_abort(task); +- return; ++ if (slot_err_v3_hw(hisi_hba, task, slot)) { ++ if (ts->stat != SAS_DATA_UNDERRUN) ++ dev_info(dev, "erroneous completion iptt=%d task=%pK dev id=%d addr=%016llx CQ hdr: 0x%x 0x%x 0x%x 0x%x Error info: 0x%x 0x%x 0x%x 0x%x\n", ++ slot->idx, task, sas_dev->device_id, ++ SAS_ADDR(device->sas_addr), ++ dw0, dw1, complete_hdr->act, dw3, ++ error_info[0], error_info[1], ++ error_info[2], error_info[3]); ++ if (unlikely(slot->abort)) { ++ sas_task_abort(task); ++ return; ++ } ++ goto out; + } +- goto out; + } + + switch (task->task_proto) { +-- +2.40.1 + diff --git a/queue-5.15/scsi-iscsi-add-length-check-for-nlattr-payload.patch b/queue-5.15/scsi-iscsi-add-length-check-for-nlattr-payload.patch new file mode 100644 index 00000000000..97148a34f36 --- /dev/null +++ b/queue-5.15/scsi-iscsi-add-length-check-for-nlattr-payload.patch @@ -0,0 +1,306 @@ +From 8105080db1511c9e6369213a5ea019ab7a5b809a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 10:45:29 +0800 +Subject: scsi: iscsi: Add length check for nlattr payload + +From: Lin Ma + +[ Upstream commit 971dfcb74a800047952f5288512b9c7ddedb050a ] + +The current NETLINK_ISCSI netlink parsing loop checks every nlmsg to make +sure the length is bigger than sizeof(struct iscsi_uevent) and then calls +iscsi_if_recv_msg(). + + nlh = nlmsg_hdr(skb); + if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) || + skb->len < nlh->nlmsg_len) { + break; + } + ... + err = iscsi_if_recv_msg(skb, nlh, &group); + +Hence, in iscsi_if_recv_msg() the nlmsg_data can be safely converted to +iscsi_uevent as the length is already checked. + +However, in other cases the length of nlattr payload is not checked before +the payload is converted to other data structures. One example is +iscsi_set_path() which converts the payload to type iscsi_path without any +checks: + + params = (struct iscsi_path *)((char *)ev + sizeof(*ev)); + +Whereas iscsi_if_transport_conn() correctly checks the pdu_len: + + pdu_len = nlh->nlmsg_len - sizeof(*nlh) - sizeof(*ev); + if ((ev->u.send_pdu.hdr_size > pdu_len) .. + err = -EINVAL; + +To sum up, some code paths called in iscsi_if_recv_msg() do not check the +length of the data (see below picture) and directly convert the data to +another data structure. This could result in an out-of-bound reads and heap +dirty data leakage. + + _________ nlmsg_len(nlh) _______________ + / \ ++----------+--------------+---------------------------+ +| nlmsghdr | iscsi_uevent | data | ++----------+--------------+---------------------------+ + \ / + iscsi_uevent->u.set_param.len + +Fix the issue by adding the length check before accessing it. To clean up +the code, an additional parameter named rlen is added. The rlen is +calculated at the beginning of iscsi_if_recv_msg() which avoids duplicated +calculation. + +Fixes: ac20c7bf070d ("[SCSI] iscsi_transport: Added Ping support") +Fixes: 43514774ff40 ("[SCSI] iscsi class: Add new NETLINK_ISCSI messages for cnic/bnx2i driver.") +Fixes: 1d9bf13a9cf9 ("[SCSI] iscsi class: add iscsi host set param event") +Fixes: 01cb225dad8d ("[SCSI] iscsi: add target discvery event to transport class") +Fixes: 264faaaa1254 ("[SCSI] iscsi: add transport end point callbacks") +Fixes: fd7255f51a13 ("[SCSI] iscsi: add sysfs attrs for uspace sync up") +Signed-off-by: Lin Ma +Link: https://lore.kernel.org/r/20230725024529.428311-1-linma@zju.edu.cn +Reviewed-by: Chris Leech +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 72 +++++++++++++++++------------ + 1 file changed, 43 insertions(+), 29 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 2d237246281fb..70a58b3ad5621 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -3034,14 +3034,15 @@ iscsi_if_destroy_conn(struct iscsi_transport *transport, struct iscsi_uevent *ev + } + + static int +-iscsi_if_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev) ++iscsi_if_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev, u32 rlen) + { + char *data = (char*)ev + sizeof(*ev); + struct iscsi_cls_conn *conn; + struct iscsi_cls_session *session; + int err = 0, value = 0, state; + +- if (ev->u.set_param.len > PAGE_SIZE) ++ if (ev->u.set_param.len > rlen || ++ ev->u.set_param.len > PAGE_SIZE) + return -EINVAL; + + session = iscsi_session_lookup(ev->u.set_param.sid); +@@ -3138,7 +3139,7 @@ static int iscsi_if_ep_disconnect(struct iscsi_transport *transport, + + static int + iscsi_if_transport_ep(struct iscsi_transport *transport, +- struct iscsi_uevent *ev, int msg_type) ++ struct iscsi_uevent *ev, int msg_type, u32 rlen) + { + struct iscsi_endpoint *ep; + int rc = 0; +@@ -3146,7 +3147,10 @@ iscsi_if_transport_ep(struct iscsi_transport *transport, + switch (msg_type) { + case ISCSI_UEVENT_TRANSPORT_EP_CONNECT_THROUGH_HOST: + case ISCSI_UEVENT_TRANSPORT_EP_CONNECT: +- rc = iscsi_if_ep_connect(transport, ev, msg_type); ++ if (rlen < sizeof(struct sockaddr)) ++ rc = -EINVAL; ++ else ++ rc = iscsi_if_ep_connect(transport, ev, msg_type); + break; + case ISCSI_UEVENT_TRANSPORT_EP_POLL: + if (!transport->ep_poll) +@@ -3170,12 +3174,15 @@ iscsi_if_transport_ep(struct iscsi_transport *transport, + + static int + iscsi_tgt_dscvr(struct iscsi_transport *transport, +- struct iscsi_uevent *ev) ++ struct iscsi_uevent *ev, u32 rlen) + { + struct Scsi_Host *shost; + struct sockaddr *dst_addr; + int err; + ++ if (rlen < sizeof(*dst_addr)) ++ return -EINVAL; ++ + if (!transport->tgt_dscvr) + return -EINVAL; + +@@ -3196,7 +3203,7 @@ iscsi_tgt_dscvr(struct iscsi_transport *transport, + + static int + iscsi_set_host_param(struct iscsi_transport *transport, +- struct iscsi_uevent *ev) ++ struct iscsi_uevent *ev, u32 rlen) + { + char *data = (char*)ev + sizeof(*ev); + struct Scsi_Host *shost; +@@ -3205,7 +3212,8 @@ iscsi_set_host_param(struct iscsi_transport *transport, + if (!transport->set_host_param) + return -ENOSYS; + +- if (ev->u.set_host_param.len > PAGE_SIZE) ++ if (ev->u.set_host_param.len > rlen || ++ ev->u.set_host_param.len > PAGE_SIZE) + return -EINVAL; + + shost = scsi_host_lookup(ev->u.set_host_param.host_no); +@@ -3222,12 +3230,15 @@ iscsi_set_host_param(struct iscsi_transport *transport, + } + + static int +-iscsi_set_path(struct iscsi_transport *transport, struct iscsi_uevent *ev) ++iscsi_set_path(struct iscsi_transport *transport, struct iscsi_uevent *ev, u32 rlen) + { + struct Scsi_Host *shost; + struct iscsi_path *params; + int err; + ++ if (rlen < sizeof(*params)) ++ return -EINVAL; ++ + if (!transport->set_path) + return -ENOSYS; + +@@ -3287,12 +3298,15 @@ iscsi_set_iface_params(struct iscsi_transport *transport, + } + + static int +-iscsi_send_ping(struct iscsi_transport *transport, struct iscsi_uevent *ev) ++iscsi_send_ping(struct iscsi_transport *transport, struct iscsi_uevent *ev, u32 rlen) + { + struct Scsi_Host *shost; + struct sockaddr *dst_addr; + int err; + ++ if (rlen < sizeof(*dst_addr)) ++ return -EINVAL; ++ + if (!transport->send_ping) + return -ENOSYS; + +@@ -3790,13 +3804,12 @@ iscsi_get_host_stats(struct iscsi_transport *transport, struct nlmsghdr *nlh) + } + + static int iscsi_if_transport_conn(struct iscsi_transport *transport, +- struct nlmsghdr *nlh) ++ struct nlmsghdr *nlh, u32 pdu_len) + { + struct iscsi_uevent *ev = nlmsg_data(nlh); + struct iscsi_cls_session *session; + struct iscsi_cls_conn *conn = NULL; + struct iscsi_endpoint *ep; +- uint32_t pdu_len; + int err = 0; + + switch (nlh->nlmsg_type) { +@@ -3881,8 +3894,6 @@ static int iscsi_if_transport_conn(struct iscsi_transport *transport, + + break; + case ISCSI_UEVENT_SEND_PDU: +- pdu_len = nlh->nlmsg_len - sizeof(*nlh) - sizeof(*ev); +- + if ((ev->u.send_pdu.hdr_size > pdu_len) || + (ev->u.send_pdu.data_size > (pdu_len - ev->u.send_pdu.hdr_size))) { + err = -EINVAL; +@@ -3912,6 +3923,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + struct iscsi_internal *priv; + struct iscsi_cls_session *session; + struct iscsi_endpoint *ep = NULL; ++ u32 rlen; + + if (!netlink_capable(skb, CAP_SYS_ADMIN)) + return -EPERM; +@@ -3931,6 +3943,13 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + + portid = NETLINK_CB(skb).portid; + ++ /* ++ * Even though the remaining payload may not be regarded as nlattr, ++ * (like address or something else), calculate the remaining length ++ * here to ease following length checks. ++ */ ++ rlen = nlmsg_attrlen(nlh, sizeof(*ev)); ++ + switch (nlh->nlmsg_type) { + case ISCSI_UEVENT_CREATE_SESSION: + err = iscsi_if_create_session(priv, ep, ev, +@@ -3988,7 +4007,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + err = -EINVAL; + break; + case ISCSI_UEVENT_SET_PARAM: +- err = iscsi_if_set_param(transport, ev); ++ err = iscsi_if_set_param(transport, ev, rlen); + break; + case ISCSI_UEVENT_CREATE_CONN: + case ISCSI_UEVENT_DESTROY_CONN: +@@ -3996,7 +4015,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + case ISCSI_UEVENT_START_CONN: + case ISCSI_UEVENT_BIND_CONN: + case ISCSI_UEVENT_SEND_PDU: +- err = iscsi_if_transport_conn(transport, nlh); ++ err = iscsi_if_transport_conn(transport, nlh, rlen); + break; + case ISCSI_UEVENT_GET_STATS: + err = iscsi_if_get_stats(transport, nlh); +@@ -4005,23 +4024,22 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + case ISCSI_UEVENT_TRANSPORT_EP_POLL: + case ISCSI_UEVENT_TRANSPORT_EP_DISCONNECT: + case ISCSI_UEVENT_TRANSPORT_EP_CONNECT_THROUGH_HOST: +- err = iscsi_if_transport_ep(transport, ev, nlh->nlmsg_type); ++ err = iscsi_if_transport_ep(transport, ev, nlh->nlmsg_type, rlen); + break; + case ISCSI_UEVENT_TGT_DSCVR: +- err = iscsi_tgt_dscvr(transport, ev); ++ err = iscsi_tgt_dscvr(transport, ev, rlen); + break; + case ISCSI_UEVENT_SET_HOST_PARAM: +- err = iscsi_set_host_param(transport, ev); ++ err = iscsi_set_host_param(transport, ev, rlen); + break; + case ISCSI_UEVENT_PATH_UPDATE: +- err = iscsi_set_path(transport, ev); ++ err = iscsi_set_path(transport, ev, rlen); + break; + case ISCSI_UEVENT_SET_IFACE_PARAMS: +- err = iscsi_set_iface_params(transport, ev, +- nlmsg_attrlen(nlh, sizeof(*ev))); ++ err = iscsi_set_iface_params(transport, ev, rlen); + break; + case ISCSI_UEVENT_PING: +- err = iscsi_send_ping(transport, ev); ++ err = iscsi_send_ping(transport, ev, rlen); + break; + case ISCSI_UEVENT_GET_CHAP: + err = iscsi_get_chap(transport, nlh); +@@ -4030,13 +4048,10 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + err = iscsi_delete_chap(transport, ev); + break; + case ISCSI_UEVENT_SET_FLASHNODE_PARAMS: +- err = iscsi_set_flashnode_param(transport, ev, +- nlmsg_attrlen(nlh, +- sizeof(*ev))); ++ err = iscsi_set_flashnode_param(transport, ev, rlen); + break; + case ISCSI_UEVENT_NEW_FLASHNODE: +- err = iscsi_new_flashnode(transport, ev, +- nlmsg_attrlen(nlh, sizeof(*ev))); ++ err = iscsi_new_flashnode(transport, ev, rlen); + break; + case ISCSI_UEVENT_DEL_FLASHNODE: + err = iscsi_del_flashnode(transport, ev); +@@ -4051,8 +4066,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + err = iscsi_logout_flashnode_sid(transport, ev); + break; + case ISCSI_UEVENT_SET_CHAP: +- err = iscsi_set_chap(transport, ev, +- nlmsg_attrlen(nlh, sizeof(*ev))); ++ err = iscsi_set_chap(transport, ev, rlen); + break; + case ISCSI_UEVENT_GET_HOST_STATS: + err = iscsi_get_host_stats(transport, nlh); +-- +2.40.1 + diff --git a/queue-5.15/scsi-iscsi-add-strlen-check-in-iscsi_if_set-_host-_p.patch b/queue-5.15/scsi-iscsi-add-strlen-check-in-iscsi_if_set-_host-_p.patch new file mode 100644 index 00000000000..ed84c360211 --- /dev/null +++ b/queue-5.15/scsi-iscsi-add-strlen-check-in-iscsi_if_set-_host-_p.patch @@ -0,0 +1,79 @@ +From 0554ea67f65f5b6b15981eaa43b175fab87e8904 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 15:58:20 +0800 +Subject: scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param() + +From: Lin Ma + +[ Upstream commit ce51c817008450ef4188471db31639d42d37a5e1 ] + +The functions iscsi_if_set_param() and iscsi_if_set_host_param() convert an +nlattr payload to type char* and then call C string handling functions like +sscanf and kstrdup: + + char *data = (char*)ev + sizeof(*ev); + ... + sscanf(data, "%d", &value); + +However, since the nlattr is provided by the user-space program and the +nlmsg skb is allocated with GFP_KERNEL instead of GFP_ZERO flag (see +netlink_alloc_large_skb() in netlink_sendmsg()), dirty data on the heap can +lead to an OOB access for those string handling functions. + +By investigating how the bug is introduced, we find it is really +interesting as the old version parsing code starting from commit +fd7255f51a13 ("[SCSI] iscsi: add sysfs attrs for uspace sync up") treated +the nlattr as integer bytes instead of string and had length check in +iscsi_copy_param(): + + if (ev->u.set_param.len != sizeof(uint32_t)) + BUG(); + +But, since the commit a54a52caad4b ("[SCSI] iscsi: fixup set/get param +functions"), the code treated the nlattr as C string while forgetting to +add any strlen checks(), opening the possibility of an OOB access. + +Fix the potential OOB by adding the strlen() check before accessing the +buf. If the data passes this check, all low-level set_param handlers can +safely treat this buf as legal C string. + +Fixes: fd7255f51a13 ("[SCSI] iscsi: add sysfs attrs for uspace sync up") +Fixes: 1d9bf13a9cf9 ("[SCSI] iscsi class: add iscsi host set param event") +Signed-off-by: Lin Ma +Link: https://lore.kernel.org/r/20230723075820.3713119-1-linma@zju.edu.cn +Reviewed-by: Chris Leech +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 70a58b3ad5621..e044b65ee0d08 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -3050,6 +3050,10 @@ iscsi_if_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev, u + if (!conn || !session) + return -EINVAL; + ++ /* data will be regarded as NULL-ended string, do length check */ ++ if (strlen(data) > ev->u.set_param.len) ++ return -EINVAL; ++ + switch (ev->u.set_param.param) { + case ISCSI_PARAM_SESS_RECOVERY_TMO: + sscanf(data, "%d", &value); +@@ -3223,6 +3227,10 @@ iscsi_set_host_param(struct iscsi_transport *transport, + return -ENODEV; + } + ++ /* see similar check in iscsi_if_set_param() */ ++ if (strlen(data) > ev->u.set_host_param.len) ++ return -EINVAL; ++ + err = transport->set_host_param(shost, ev->u.set_host_param.param, + data, ev->u.set_host_param.len); + scsi_host_put(shost); +-- +2.40.1 + diff --git a/queue-5.15/scsi-iscsi-rename-iscsi_set_param-to-iscsi_if_set_pa.patch b/queue-5.15/scsi-iscsi-rename-iscsi_set_param-to-iscsi_if_set_pa.patch new file mode 100644 index 00000000000..43d839e4f47 --- /dev/null +++ b/queue-5.15/scsi-iscsi-rename-iscsi_set_param-to-iscsi_if_set_pa.patch @@ -0,0 +1,50 @@ +From a6ff4d63432e8a9ad0f516d1d7828de02332703b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 18:11:05 +0000 +Subject: scsi: iscsi: Rename iscsi_set_param() to iscsi_if_set_param() + +From: Wenchao Hao + +[ Upstream commit 0c26a2d7c98039e913e63f9250fde738a3f88a60 ] + +There are two iscsi_set_param() functions defined in libiscsi.c and +scsi_transport_iscsi.c respectively which is confusing. + +Rename the one in scsi_transport_iscsi.c to iscsi_if_set_param(). + +Signed-off-by: Wenchao Hao +Link: https://lore.kernel.org/r/20221122181105.4123935-1-haowenchao@huawei.com +Reviewed-by: Mike Christie +Reviewed-by: Lee Duncan +Signed-off-by: Martin K. Petersen +Stable-dep-of: 971dfcb74a80 ("scsi: iscsi: Add length check for nlattr payload") +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 4d23e5af20d30..2d237246281fb 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -3034,7 +3034,7 @@ iscsi_if_destroy_conn(struct iscsi_transport *transport, struct iscsi_uevent *ev + } + + static int +-iscsi_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev) ++iscsi_if_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev) + { + char *data = (char*)ev + sizeof(*ev); + struct iscsi_cls_conn *conn; +@@ -3988,7 +3988,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + err = -EINVAL; + break; + case ISCSI_UEVENT_SET_PARAM: +- err = iscsi_set_param(transport, ev); ++ err = iscsi_if_set_param(transport, ev); + break; + case ISCSI_UEVENT_CREATE_CONN: + case ISCSI_UEVENT_DESTROY_CONN: +-- +2.40.1 + diff --git a/queue-5.15/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_de.patch b/queue-5.15/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_de.patch new file mode 100644 index 00000000000..23f73d88870 --- /dev/null +++ b/queue-5.15/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_de.patch @@ -0,0 +1,67 @@ +From d52423a768a2fccb33329af3033b43e79d45bf4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 10:40:33 +0200 +Subject: scsi: qedf: Do not touch __user pointer in qedf_dbg_debug_cmd_read() + directly + +From: Oleksandr Natalenko + +[ Upstream commit 31b5991a9a91ba97237ac9da509d78eec453ff72 ] + +The qedf_dbg_debug_cmd_read() function invokes sprintf() directly on a +__user pointer, which may crash the kernel. + +Avoid doing that by using a small on-stack buffer for scnprintf() and then +calling simple_read_from_buffer() which does a proper copy_to_user() call. + +Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") +Link: https://lore.kernel.org/lkml/20230724120241.40495-1-oleksandr@redhat.com/ +Link: https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/ +Cc: Saurav Kashyap +Cc: Rob Evers +Cc: Johannes Thumshirn +Cc: David Laight +Cc: Jozef Bacik +Cc: Laurence Oberman +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Cc: GR-QLogic-Storage-Upstream@marvell.com +Cc: linux-scsi@vger.kernel.org +Reviewed-by: Laurence Oberman +Reviewed-by: Johannes Thumshirn +Tested-by: Laurence Oberman +Acked-by: Saurav Kashyap +Signed-off-by: Oleksandr Natalenko +Link: https://lore.kernel.org/r/20230731084034.37021-3-oleksandr@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_debugfs.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c +index 3eb4334ac6a32..1c5716540e465 100644 +--- a/drivers/scsi/qedf/qedf_debugfs.c ++++ b/drivers/scsi/qedf/qedf_debugfs.c +@@ -138,15 +138,14 @@ qedf_dbg_debug_cmd_read(struct file *filp, char __user *buffer, size_t count, + loff_t *ppos) + { + int cnt; ++ char cbuf[32]; + struct qedf_dbg_ctx *qedf_dbg = + (struct qedf_dbg_ctx *)filp->private_data; + + QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "debug mask=0x%x\n", qedf_debug); +- cnt = sprintf(buffer, "debug mask = 0x%x\n", qedf_debug); ++ cnt = scnprintf(cbuf, sizeof(cbuf), "debug mask = 0x%x\n", qedf_debug); + +- cnt = min_t(int, count, cnt - *ppos); +- *ppos += cnt; +- return cnt; ++ return simple_read_from_buffer(buffer, count, ppos, cbuf, cnt); + } + + static ssize_t +-- +2.40.1 + diff --git a/queue-5.15/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_fp.patch b/queue-5.15/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_fp.patch new file mode 100644 index 00000000000..901d5e73ee8 --- /dev/null +++ b/queue-5.15/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_fp.patch @@ -0,0 +1,112 @@ +From e47324279c51163fc3c6805838d2c8c5e1827f85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 10:40:34 +0200 +Subject: scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() + directly + +From: Oleksandr Natalenko + +[ Upstream commit 25dbc20deab5165f847b4eb42f376f725a986ee8 ] + +The qedf_dbg_fp_int_cmd_read() function invokes sprintf() directly on a +__user pointer, which may crash the kernel. + +Avoid doing that by vmalloc()'ating a buffer for scnprintf() and then +calling simple_read_from_buffer() which does a proper copy_to_user() call. + +Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") +Link: https://lore.kernel.org/lkml/20230724120241.40495-1-oleksandr@redhat.com/ +Link: https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/ +Cc: Saurav Kashyap +Cc: Rob Evers +Cc: Johannes Thumshirn +Cc: David Laight +Cc: Jozef Bacik +Cc: Laurence Oberman +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Cc: GR-QLogic-Storage-Upstream@marvell.com +Cc: linux-scsi@vger.kernel.org +Reviewed-by: Laurence Oberman +Reviewed-by: Johannes Thumshirn +Tested-by: Laurence Oberman +Acked-by: Saurav Kashyap +Signed-off-by: Oleksandr Natalenko +Link: https://lore.kernel.org/r/20230731084034.37021-4-oleksandr@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_dbg.h | 2 ++ + drivers/scsi/qedf/qedf_debugfs.c | 21 +++++++++++++++------ + 2 files changed, 17 insertions(+), 6 deletions(-) + +diff --git a/drivers/scsi/qedf/qedf_dbg.h b/drivers/scsi/qedf/qedf_dbg.h +index f4d81127239eb..5ec2b817c694a 100644 +--- a/drivers/scsi/qedf/qedf_dbg.h ++++ b/drivers/scsi/qedf/qedf_dbg.h +@@ -59,6 +59,8 @@ extern uint qedf_debug; + #define QEDF_LOG_NOTICE 0x40000000 /* Notice logs */ + #define QEDF_LOG_WARN 0x80000000 /* Warning logs */ + ++#define QEDF_DEBUGFS_LOG_LEN (2 * PAGE_SIZE) ++ + /* Debug context structure */ + struct qedf_dbg_ctx { + unsigned int host_no; +diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c +index 1c5716540e465..451fd236bfd05 100644 +--- a/drivers/scsi/qedf/qedf_debugfs.c ++++ b/drivers/scsi/qedf/qedf_debugfs.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + + #include "qedf.h" + #include "qedf_dbg.h" +@@ -98,7 +99,9 @@ static ssize_t + qedf_dbg_fp_int_cmd_read(struct file *filp, char __user *buffer, size_t count, + loff_t *ppos) + { ++ ssize_t ret; + size_t cnt = 0; ++ char *cbuf; + int id; + struct qedf_fastpath *fp = NULL; + struct qedf_dbg_ctx *qedf_dbg = +@@ -108,19 +111,25 @@ qedf_dbg_fp_int_cmd_read(struct file *filp, char __user *buffer, size_t count, + + QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "entered\n"); + +- cnt = sprintf(buffer, "\nFastpath I/O completions\n\n"); ++ cbuf = vmalloc(QEDF_DEBUGFS_LOG_LEN); ++ if (!cbuf) ++ return 0; ++ ++ cnt += scnprintf(cbuf + cnt, QEDF_DEBUGFS_LOG_LEN - cnt, "\nFastpath I/O completions\n\n"); + + for (id = 0; id < qedf->num_queues; id++) { + fp = &(qedf->fp_array[id]); + if (fp->sb_id == QEDF_SB_ID_NULL) + continue; +- cnt += sprintf((buffer + cnt), "#%d: %lu\n", id, +- fp->completions); ++ cnt += scnprintf(cbuf + cnt, QEDF_DEBUGFS_LOG_LEN - cnt, ++ "#%d: %lu\n", id, fp->completions); + } + +- cnt = min_t(int, count, cnt - *ppos); +- *ppos += cnt; +- return cnt; ++ ret = simple_read_from_buffer(buffer, count, ppos, cbuf, cnt); ++ ++ vfree(cbuf); ++ ++ return ret; + } + + static ssize_t +-- +2.40.1 + diff --git a/queue-5.15/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_st.patch b/queue-5.15/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_st.patch new file mode 100644 index 00000000000..12aa578d692 --- /dev/null +++ b/queue-5.15/scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_st.patch @@ -0,0 +1,70 @@ +From 03c9aff678a3a73394cbc8bf96d40d1bd1de06bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 10:40:32 +0200 +Subject: scsi: qedf: Do not touch __user pointer in + qedf_dbg_stop_io_on_error_cmd_read() directly + +From: Oleksandr Natalenko + +[ Upstream commit 7d3d20dee4f648ec44e9717d5f647d594d184433 ] + +The qedf_dbg_stop_io_on_error_cmd_read() function invokes sprintf() +directly on a __user pointer, which may crash the kernel. + +Avoid doing that by using a small on-stack buffer for scnprintf() and then +calling simple_read_from_buffer() which does a proper copy_to_user() call. + +Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") +Link: https://lore.kernel.org/lkml/20230724120241.40495-1-oleksandr@redhat.com/ +Link: https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/ +Cc: Saurav Kashyap +Cc: Rob Evers +Cc: Johannes Thumshirn +Cc: David Laight +Cc: Jozef Bacik +Cc: Laurence Oberman +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Cc: GR-QLogic-Storage-Upstream@marvell.com +Cc: linux-scsi@vger.kernel.org +Reviewed-by: Laurence Oberman +Reviewed-by: Johannes Thumshirn +Tested-by: Laurence Oberman +Acked-by: Saurav Kashyap +Signed-off-by: Oleksandr Natalenko +Link: https://lore.kernel.org/r/20230731084034.37021-2-oleksandr@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_debugfs.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c +index a3ed681c8ce3f..3eb4334ac6a32 100644 +--- a/drivers/scsi/qedf/qedf_debugfs.c ++++ b/drivers/scsi/qedf/qedf_debugfs.c +@@ -185,18 +185,17 @@ qedf_dbg_stop_io_on_error_cmd_read(struct file *filp, char __user *buffer, + size_t count, loff_t *ppos) + { + int cnt; ++ char cbuf[7]; + struct qedf_dbg_ctx *qedf_dbg = + (struct qedf_dbg_ctx *)filp->private_data; + struct qedf_ctx *qedf = container_of(qedf_dbg, + struct qedf_ctx, dbg_ctx); + + QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "entered\n"); +- cnt = sprintf(buffer, "%s\n", ++ cnt = scnprintf(cbuf, sizeof(cbuf), "%s\n", + qedf->stop_io_on_error ? "true" : "false"); + +- cnt = min_t(int, count, cnt - *ppos); +- *ppos += cnt; +- return cnt; ++ return simple_read_from_buffer(buffer, count, ppos, cbuf, cnt); + } + + static ssize_t +-- +2.40.1 + diff --git a/queue-5.15/scsi-qla4xxx-add-length-check-when-parsing-nlattrs.patch b/queue-5.15/scsi-qla4xxx-add-length-check-when-parsing-nlattrs.patch new file mode 100644 index 00000000000..9fe76ce387c --- /dev/null +++ b/queue-5.15/scsi-qla4xxx-add-length-check-when-parsing-nlattrs.patch @@ -0,0 +1,80 @@ +From bf3871a6be7b35e3c9234a9978d1543be9137f4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 16:00:53 +0800 +Subject: scsi: qla4xxx: Add length check when parsing nlattrs + +From: Lin Ma + +[ Upstream commit 47cd3770e31df942e2bb925a9a855c79ed0662eb ] + +There are three places that qla4xxx parses nlattrs: + + - qla4xxx_set_chap_entry() + + - qla4xxx_iface_set_param() + + - qla4xxx_sysfs_ddb_set_param() + +and each of them directly converts the nlattr to specific pointer of +structure without length checking. This could be dangerous as those +attributes are not validated and a malformed nlattr (e.g., length 0) could +result in an OOB read that leaks heap dirty data. + +Add the nla_len check before accessing the nlattr data and return EINVAL if +the length check fails. + +Fixes: 26ffd7b45fe9 ("[SCSI] qla4xxx: Add support to set CHAP entries") +Fixes: 1e9e2be3ee03 ("[SCSI] qla4xxx: Add flash node mgmt support") +Fixes: 00c31889f751 ("[SCSI] qla4xxx: fix data alignment and use nl helpers") +Signed-off-by: Lin Ma +Link: https://lore.kernel.org/r/20230723080053.3714534-1-linma@zju.edu.cn +Reviewed-by: Chris Leech +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla4xxx/ql4_os.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index f1ea65c6e5f5d..dc466a364fb1f 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -968,6 +968,11 @@ static int qla4xxx_set_chap_entry(struct Scsi_Host *shost, void *data, int len) + memset(&chap_rec, 0, sizeof(chap_rec)); + + nla_for_each_attr(attr, data, len, rem) { ++ if (nla_len(attr) < sizeof(*param_info)) { ++ rc = -EINVAL; ++ goto exit_set_chap; ++ } ++ + param_info = nla_data(attr); + + switch (param_info->param) { +@@ -2750,6 +2755,11 @@ qla4xxx_iface_set_param(struct Scsi_Host *shost, void *data, uint32_t len) + } + + nla_for_each_attr(attr, data, len, rem) { ++ if (nla_len(attr) < sizeof(*iface_param)) { ++ rval = -EINVAL; ++ goto exit_init_fw_cb; ++ } ++ + iface_param = nla_data(attr); + + if (iface_param->param_type == ISCSI_NET_PARAM) { +@@ -8105,6 +8115,11 @@ qla4xxx_sysfs_ddb_set_param(struct iscsi_bus_flash_session *fnode_sess, + + memset((void *)&chap_tbl, 0, sizeof(chap_tbl)); + nla_for_each_attr(attr, data, len, rem) { ++ if (nla_len(attr) < sizeof(*fnode_param)) { ++ rc = -EINVAL; ++ goto exit_set_param; ++ } ++ + fnode_param = nla_data(attr); + + switch (fnode_param->param) { +-- +2.40.1 + diff --git a/queue-5.15/scsi-rdma-srp-fix-residual-handling.patch b/queue-5.15/scsi-rdma-srp-fix-residual-handling.patch new file mode 100644 index 00000000000..e52cc7a2e51 --- /dev/null +++ b/queue-5.15/scsi-rdma-srp-fix-residual-handling.patch @@ -0,0 +1,49 @@ +From 381449ecf7231101455287ba4848cf15096f50ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jul 2023 13:08:30 -0700 +Subject: scsi: RDMA/srp: Fix residual handling + +From: Bart Van Assche + +[ Upstream commit 89e637c19b2441aabc8dbf22a8745b932fd6996e ] + +Although the code for residual handling in the SRP initiator follows the +SCSI documentation, that documentation has never been correct. Because +scsi_finish_command() starts from the data buffer length and subtracts the +residual, scsi_set_resid() must not be called if a residual overflow +occurs. Hence remove the scsi_set_resid() calls from the SRP initiator if a +residual overflow occurrs. + +Cc: Leon Romanovsky +Cc: Jason Gunthorpe +Fixes: 9237f04e12cc ("scsi: core: Fix scsi_get/set_resid() interface") +Fixes: e714531a349f ("IB/srp: Fix residual handling") +Signed-off-by: Bart Van Assche +Link: https://lore.kernel.org/r/20230724200843.3376570-3-bvanassche@acm.org +Acked-by: Leon Romanovsky +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/srp/ib_srp.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c +index a6117a7d0ab17..7701204fe5423 100644 +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -1978,12 +1978,8 @@ static void srp_process_rsp(struct srp_rdma_ch *ch, struct srp_rsp *rsp) + + if (unlikely(rsp->flags & SRP_RSP_FLAG_DIUNDER)) + scsi_set_resid(scmnd, be32_to_cpu(rsp->data_in_res_cnt)); +- else if (unlikely(rsp->flags & SRP_RSP_FLAG_DIOVER)) +- scsi_set_resid(scmnd, -be32_to_cpu(rsp->data_in_res_cnt)); + else if (unlikely(rsp->flags & SRP_RSP_FLAG_DOUNDER)) + scsi_set_resid(scmnd, be32_to_cpu(rsp->data_out_res_cnt)); +- else if (unlikely(rsp->flags & SRP_RSP_FLAG_DOOVER)) +- scsi_set_resid(scmnd, -be32_to_cpu(rsp->data_out_res_cnt)); + + srp_free_req(ch, req, scmnd, + be32_to_cpu(rsp->req_lim_delta)); +-- +2.40.1 + diff --git a/queue-5.15/selftests-bpf-clean-up-fmod_ret-in-bench_rename-test.patch b/queue-5.15/selftests-bpf-clean-up-fmod_ret-in-bench_rename-test.patch new file mode 100644 index 00000000000..c3bf98864eb --- /dev/null +++ b/queue-5.15/selftests-bpf-clean-up-fmod_ret-in-bench_rename-test.patch @@ -0,0 +1,52 @@ +From 18972bafd63b2439fef2d0e60567d023cabfaf38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 11:07:27 +0800 +Subject: selftests/bpf: Clean up fmod_ret in bench_rename test script +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yipeng Zou + +[ Upstream commit 83a89c4b6ae93481d3f618aba6a29d89208d26ed ] + +Running the bench_rename test script, the following error occurs: + + # ./benchs/run_bench_rename.sh + base : 0.819 ± 0.012M/s + kprobe : 0.538 ± 0.009M/s + kretprobe : 0.503 ± 0.004M/s + rawtp : 0.779 ± 0.020M/s + fentry : 0.726 ± 0.007M/s + fexit : 0.691 ± 0.007M/s + benchmark 'rename-fmodret' not found + +The bench_rename_fmodret has been removed in commit b000def2e052 +("selftests: Remove fmod_ret from test_overhead"), thus remove it +from the runners in the test script. + +Fixes: b000def2e052 ("selftests: Remove fmod_ret from test_overhead") +Signed-off-by: Yipeng Zou +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20230814030727.3010390-1-zouyipeng@huawei.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/benchs/run_bench_rename.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/benchs/run_bench_rename.sh b/tools/testing/selftests/bpf/benchs/run_bench_rename.sh +index 16f774b1cdbed..7b281dbe41656 100755 +--- a/tools/testing/selftests/bpf/benchs/run_bench_rename.sh ++++ b/tools/testing/selftests/bpf/benchs/run_bench_rename.sh +@@ -2,7 +2,7 @@ + + set -eufo pipefail + +-for i in base kprobe kretprobe rawtp fentry fexit fmodret ++for i in base kprobe kretprobe rawtp fentry fexit + do + summary=$(sudo ./bench -w2 -d5 -a rename-$i | tail -n1 | cut -d'(' -f1 | cut -d' ' -f3-) + printf "%-10s: %s\n" $i "$summary" +-- +2.40.1 + diff --git a/queue-5.15/selftests-bpf-fix-static-assert-compilation-issue-fo.patch b/queue-5.15/selftests-bpf-fix-static-assert-compilation-issue-fo.patch new file mode 100644 index 00000000000..526ede4d773 --- /dev/null +++ b/queue-5.15/selftests-bpf-fix-static-assert-compilation-issue-fo.patch @@ -0,0 +1,82 @@ +From 184ca781972037d588fdf001d5a1e1519d62f38e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 08:39:06 +0100 +Subject: selftests/bpf: fix static assert compilation issue for test_cls_*.c + +From: Alan Maguire + +[ Upstream commit 416c6d01244ecbf0abfdb898fd091b50ef951b48 ] + +commit bdeeed3498c7 ("libbpf: fix offsetof() and container_of() to work with CO-RE") + +...was backported to stable trees such as 5.15. The problem is that with older +LLVM/clang (14/15) - which is often used for older kernels - we see compilation +failures in BPF selftests now: + +In file included from progs/test_cls_redirect_subprogs.c:2: +progs/test_cls_redirect.c:90:2: error: static assertion expression is not an integral constant expression + sizeof(flow_ports_t) != + ^~~~~~~~~~~~~~~~~~~~~~~ +progs/test_cls_redirect.c:91:3: note: cast that performs the conversions of a reinterpret_cast is not allowed in a constant expression + offsetofend(struct bpf_sock_tuple, ipv4.dport) - + ^ +progs/test_cls_redirect.c:32:3: note: expanded from macro 'offsetofend' + (offsetof(TYPE, MEMBER) + sizeof((((TYPE *)0)->MEMBER))) + ^ +tools/testing/selftests/bpf/tools/include/bpf/bpf_helpers.h:86:33: note: expanded from macro 'offsetof' + ^ +In file included from progs/test_cls_redirect_subprogs.c:2: +progs/test_cls_redirect.c:95:2: error: static assertion expression is not an integral constant expression + sizeof(flow_ports_t) != + ^~~~~~~~~~~~~~~~~~~~~~~ +progs/test_cls_redirect.c:96:3: note: cast that performs the conversions of a reinterpret_cast is not allowed in a constant expression + offsetofend(struct bpf_sock_tuple, ipv6.dport) - + ^ +progs/test_cls_redirect.c:32:3: note: expanded from macro 'offsetofend' + (offsetof(TYPE, MEMBER) + sizeof((((TYPE *)0)->MEMBER))) + ^ +tools/testing/selftests/bpf/tools/include/bpf/bpf_helpers.h:86:33: note: expanded from macro 'offsetof' + ^ +2 errors generated. +make: *** [Makefile:594: tools/testing/selftests/bpf/test_cls_redirect_subprogs.bpf.o] Error 1 + +The problem is the new offsetof() does not play nice with static asserts. +Given that the context is a static assert (and CO-RE relocation is not +needed at compile time), offsetof() usage can be replaced by restoring +the original offsetof() definition as __builtin_offsetof(). + +Fixes: bdeeed3498c7 ("libbpf: fix offsetof() and container_of() to work with CO-RE") +Reported-by: Colm Harrington +Signed-off-by: Alan Maguire +Tested-by: Yipeng Zou +Acked-by: Yonghong Song +Link: https://lore.kernel.org/r/20230802073906.3197480-1-alan.maguire@oracle.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/progs/test_cls_redirect.h | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/tools/testing/selftests/bpf/progs/test_cls_redirect.h b/tools/testing/selftests/bpf/progs/test_cls_redirect.h +index 76eab0aacba0c..233b089d1fbac 100644 +--- a/tools/testing/selftests/bpf/progs/test_cls_redirect.h ++++ b/tools/testing/selftests/bpf/progs/test_cls_redirect.h +@@ -12,6 +12,15 @@ + #include + #include + ++/* offsetof() is used in static asserts, and the libbpf-redefined CO-RE ++ * friendly version breaks compilation for older clang versions <= 15 ++ * when invoked in a static assert. Restore original here. ++ */ ++#ifdef offsetof ++#undef offsetof ++#define offsetof(type, member) __builtin_offsetof(type, member) ++#endif ++ + struct gre_base_hdr { + uint16_t flags; + uint16_t protocol; +-- +2.40.1 + diff --git a/queue-5.15/selftests-futex-order-calls-to-futex_lock_pi.patch b/queue-5.15/selftests-futex-order-calls-to-futex_lock_pi.patch new file mode 100644 index 00000000000..6349cb099db --- /dev/null +++ b/queue-5.15/selftests-futex-order-calls-to-futex_lock_pi.patch @@ -0,0 +1,76 @@ +From 9041aec48330a6872dcf98956cb70de9fb07fe41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 13:39:27 +0530 +Subject: selftests/futex: Order calls to futex_lock_pi + +From: Nysal Jan K.A + +[ Upstream commit fbf4dec702774286db409815ffb077711a96b824 ] + +Observed occassional failures in the futex_wait_timeout test: + +ok 1 futex_wait relative succeeds +ok 2 futex_wait_bitset realtime succeeds +ok 3 futex_wait_bitset monotonic succeeds +ok 4 futex_wait_requeue_pi realtime succeeds +ok 5 futex_wait_requeue_pi monotonic succeeds +not ok 6 futex_lock_pi realtime returned 0 +...... + +The test expects the child thread to complete some steps before +the parent thread gets to run. There is an implicit expectation +of the order of invocation of futex_lock_pi between the child thread +and the parent thread. Make this order explicit. If the order is +not met, the futex_lock_pi call in the parent thread succeeds and +will not timeout. + +Fixes: f4addd54b161 ("selftests: futex: Expand timeout test") +Signed-off-by: Nysal Jan K.A +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../selftests/futex/functional/futex_wait_timeout.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/tools/testing/selftests/futex/functional/futex_wait_timeout.c b/tools/testing/selftests/futex/functional/futex_wait_timeout.c +index 1f8f6daaf1e70..86ac205ea8e18 100644 +--- a/tools/testing/selftests/futex/functional/futex_wait_timeout.c ++++ b/tools/testing/selftests/futex/functional/futex_wait_timeout.c +@@ -23,6 +23,7 @@ + + static long timeout_ns = 100000; /* 100us default timeout */ + static futex_t futex_pi; ++static pthread_barrier_t barrier; + + void usage(char *prog) + { +@@ -47,6 +48,8 @@ void *get_pi_lock(void *arg) + if (ret != 0) + error("futex_lock_pi failed\n", ret); + ++ pthread_barrier_wait(&barrier); ++ + /* Blocks forever */ + ret = futex_wait(&lock, 0, NULL, 0); + error("futex_wait failed\n", ret); +@@ -123,6 +126,7 @@ int main(int argc, char *argv[]) + basename(argv[0])); + ksft_print_msg("\tArguments: timeout=%ldns\n", timeout_ns); + ++ pthread_barrier_init(&barrier, NULL, 2); + pthread_create(&thread, NULL, get_pi_lock, NULL); + + /* initialize relative timeout */ +@@ -156,6 +160,9 @@ int main(int argc, char *argv[]) + res = futex_wait_requeue_pi(&f1, f1, &futex_pi, &to, 0); + test_timeout(res, &ret, "futex_wait_requeue_pi monotonic", ETIMEDOUT); + ++ /* Wait until the other thread calls futex_lock_pi() */ ++ pthread_barrier_wait(&barrier); ++ pthread_barrier_destroy(&barrier); + /* + * FUTEX_LOCK_PI with CLOCK_REALTIME + * Due to historical reasons, FUTEX_LOCK_PI supports only realtime +-- +2.40.1 + diff --git a/queue-5.15/selftests-harness-actually-report-skip-for-signal-te.patch b/queue-5.15/selftests-harness-actually-report-skip-for-signal-te.patch new file mode 100644 index 00000000000..c3ce5bce78b --- /dev/null +++ b/queue-5.15/selftests-harness-actually-report-skip-for-signal-te.patch @@ -0,0 +1,56 @@ +From a74e346e8f1a7132d9a60807d1300330eec46c23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Aug 2023 10:43:58 -0700 +Subject: selftests/harness: Actually report SKIP for signal tests + +From: Kees Cook + +[ Upstream commit b3d46e11fec0c5a8972e5061bb1462119ae5736d ] + +Tests that were expecting a signal were not correctly checking for a +SKIP condition. Move the check before the signal checking when +processing test result. + +Cc: Shuah Khan +Cc: Andy Lutomirski +Cc: Will Drewry +Cc: linux-kselftest@vger.kernel.org +Fixes: 9847d24af95c ("selftests/harness: Refactor XFAIL into SKIP") +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kselftest_harness.h | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h +index 11779405dc804..a6ea2bd63a831 100644 +--- a/tools/testing/selftests/kselftest_harness.h ++++ b/tools/testing/selftests/kselftest_harness.h +@@ -916,7 +916,11 @@ void __wait_for_test(struct __test_metadata *t) + fprintf(TH_LOG_STREAM, + "# %s: Test terminated by timeout\n", t->name); + } else if (WIFEXITED(status)) { +- if (t->termsig != -1) { ++ if (WEXITSTATUS(status) == 255) { ++ /* SKIP */ ++ t->passed = 1; ++ t->skip = 1; ++ } else if (t->termsig != -1) { + t->passed = 0; + fprintf(TH_LOG_STREAM, + "# %s: Test exited normally instead of by signal (code: %d)\n", +@@ -928,11 +932,6 @@ void __wait_for_test(struct __test_metadata *t) + case 0: + t->passed = 1; + break; +- /* SKIP */ +- case 255: +- t->passed = 1; +- t->skip = 1; +- break; + /* Other failure, assume step report. */ + default: + t->passed = 0; +-- +2.40.1 + diff --git a/queue-5.15/selftests-resctrl-add-resctrl.h-into-build-deps.patch b/queue-5.15/selftests-resctrl-add-resctrl.h-into-build-deps.patch new file mode 100644 index 00000000000..2aa75cc1a93 --- /dev/null +++ b/queue-5.15/selftests-resctrl-add-resctrl.h-into-build-deps.patch @@ -0,0 +1,41 @@ +From 9a7b3b91ded508cabd484bbefb43965e08c32f4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 16:14:49 +0300 +Subject: selftests/resctrl: Add resctrl.h into build deps +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 8e289f4542890168705219e54f0231dccfabddbe ] + +Makefile only lists *.c as build dependencies for the resctrl_tests +executable which excludes resctrl.h. + +Add *.h to wildcard() to include resctrl.h. + +Fixes: 591a6e8588fc ("selftests/resctrl: Add basic resctrl file system operations and data") +Signed-off-by: Ilpo Järvinen +Reviewed-by: Reinette Chatre +Tested-by: Babu Moger +Tested-by: Shaopeng Tan (Fujitsu) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/resctrl/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/resctrl/Makefile b/tools/testing/selftests/resctrl/Makefile +index bee5fa8f1ac9d..9cc7e0108c8b0 100644 +--- a/tools/testing/selftests/resctrl/Makefile ++++ b/tools/testing/selftests/resctrl/Makefile +@@ -5,4 +5,4 @@ TEST_GEN_PROGS := resctrl_tests + + include ../lib.mk + +-$(OUTPUT)/resctrl_tests: $(wildcard *.c) ++$(OUTPUT)/resctrl_tests: $(wildcard *.[ch]) +-- +2.40.1 + diff --git a/queue-5.15/selftests-resctrl-close-perf-value-read-fd-on-errors.patch b/queue-5.15/selftests-resctrl-close-perf-value-read-fd-on-errors.patch new file mode 100644 index 00000000000..9ab7415ffbf --- /dev/null +++ b/queue-5.15/selftests-resctrl-close-perf-value-read-fd-on-errors.patch @@ -0,0 +1,87 @@ +From 6de69e18d55a888ca5ca0118e682d6e50c2e817f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 16:14:52 +0300 +Subject: selftests/resctrl: Close perf value read fd on errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 51a0c3b7f028169e40db930575dd01fe81c3e765 ] + +Perf event fd (fd_lm) is not closed when run_fill_buf() returns error. + +Close fd_lm only in cat_val() to make it easier to track it is always +closed. + +Fixes: 790bf585b0ee ("selftests/resctrl: Add Cache Allocation Technology (CAT) selftest") +Signed-off-by: Ilpo Järvinen +Tested-by: Babu Moger +Tested-by: Shaopeng Tan (Fujitsu) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/resctrl/cache.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/tools/testing/selftests/resctrl/cache.c b/tools/testing/selftests/resctrl/cache.c +index 0485863a169f2..338f714453935 100644 +--- a/tools/testing/selftests/resctrl/cache.c ++++ b/tools/testing/selftests/resctrl/cache.c +@@ -89,21 +89,19 @@ static int reset_enable_llc_perf(pid_t pid, int cpu_no) + static int get_llc_perf(unsigned long *llc_perf_miss) + { + __u64 total_misses; ++ int ret; + + /* Stop counters after one span to get miss rate */ + + ioctl(fd_lm, PERF_EVENT_IOC_DISABLE, 0); + +- if (read(fd_lm, &rf_cqm, sizeof(struct read_format)) == -1) { ++ ret = read(fd_lm, &rf_cqm, sizeof(struct read_format)); ++ if (ret == -1) { + perror("Could not get llc misses through perf"); +- + return -1; + } + + total_misses = rf_cqm.values[0].value; +- +- close(fd_lm); +- + *llc_perf_miss = total_misses; + + return 0; +@@ -258,19 +256,25 @@ int cat_val(struct resctrl_val_param *param) + memflush, operation, resctrl_val)) { + fprintf(stderr, "Error-running fill buffer\n"); + ret = -1; +- break; ++ goto pe_close; + } + + sleep(1); + ret = measure_cache_vals(param, bm_pid); + if (ret) +- break; ++ goto pe_close; ++ ++ close(fd_lm); + } else { + break; + } + } + + return ret; ++ ++pe_close: ++ close(fd_lm); ++ return ret; + } + + /* +-- +2.40.1 + diff --git a/queue-5.15/selftests-resctrl-don-t-leak-buffer-in-fill_cache.patch b/queue-5.15/selftests-resctrl-don-t-leak-buffer-in-fill_cache.patch new file mode 100644 index 00000000000..485ac11fce9 --- /dev/null +++ b/queue-5.15/selftests-resctrl-don-t-leak-buffer-in-fill_cache.patch @@ -0,0 +1,55 @@ +From 166e0700104fd9e3d1bd114ba55840eaa41440c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 16:14:50 +0300 +Subject: selftests/resctrl: Don't leak buffer in fill_cache() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 2d320b1029ee7329ee0638181be967789775b962 ] + +The error path in fill_cache() does return before the allocated buffer +is freed leaking the buffer. + +The leak was introduced when fill_cache_read() started to return errors +in commit c7b607fa9325 ("selftests/resctrl: Fix null pointer +dereference on open failed"), before that both fill functions always +returned 0. + +Move free() earlier to prevent the mem leak. + +Fixes: c7b607fa9325 ("selftests/resctrl: Fix null pointer dereference on open failed") +Signed-off-by: Ilpo Järvinen +Reviewed-by: Reinette Chatre +Tested-by: Babu Moger +Tested-by: Shaopeng Tan (Fujitsu) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/resctrl/fill_buf.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/resctrl/fill_buf.c b/tools/testing/selftests/resctrl/fill_buf.c +index c20d0a7ecbe63..ab1d91328d67b 100644 +--- a/tools/testing/selftests/resctrl/fill_buf.c ++++ b/tools/testing/selftests/resctrl/fill_buf.c +@@ -184,12 +184,13 @@ fill_cache(unsigned long long buf_size, int malloc_and_init, int memflush, + else + ret = fill_cache_write(start_ptr, end_ptr, resctrl_val); + ++ free(startptr); ++ + if (ret) { + printf("\n Error in fill cache read/write...\n"); + return -1; + } + +- free(startptr); + + return 0; + } +-- +2.40.1 + diff --git a/queue-5.15/selftests-resctrl-make-resctrl_tests-run-using-kself.patch b/queue-5.15/selftests-resctrl-make-resctrl_tests-run-using-kself.patch new file mode 100644 index 00000000000..072f1632f98 --- /dev/null +++ b/queue-5.15/selftests-resctrl-make-resctrl_tests-run-using-kself.patch @@ -0,0 +1,79 @@ +From b87596537d2ced169309ae3c616c0a892c4b0fde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Mar 2022 17:12:25 +0900 +Subject: selftests/resctrl: Make resctrl_tests run using kselftest framework + +From: Shaopeng Tan + +[ Upstream commit b733143cc455bf83fa5fbd2e0eac63fb2d302461 ] + +In kselftest framework, all tests can be build/run at a time, +and a sub test also can be build/run individually. As follows: +$ make kselftest-all TARGETS=resctrl +$ make -C tools/testing/selftests run_tests +$ make -C tools/testing/selftests TARGETS=resctrl run_tests + +However, resctrl_tests cannot be run using kselftest framework, +users have to change directory to tools/testing/selftests/resctrl/, +run "make" to build executable file "resctrl_tests", +and run "sudo ./resctrl_tests" to execute the test. + +To build/run resctrl_tests using kselftest framework. +Modify tools/testing/selftests/Makefile +and tools/testing/selftests/resctrl/Makefile. + +Even after this change, users can still build/run resctrl_tests +without using framework as before. + +Reviewed-by: Reinette Chatre # resctrl changes +Reviewed-by: Fenghua Yu +Signed-off-by: Shaopeng Tan +Signed-off-by: Shuah Khan +Stable-dep-of: 8e289f454289 ("selftests/resctrl: Add resctrl.h into build deps") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/Makefile | 1 + + tools/testing/selftests/resctrl/Makefile | 17 ++++------------- + 2 files changed, 5 insertions(+), 13 deletions(-) + +diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile +index 56a4873a343cf..c16e4da988257 100644 +--- a/tools/testing/selftests/Makefile ++++ b/tools/testing/selftests/Makefile +@@ -52,6 +52,7 @@ TARGETS += proc + TARGETS += pstore + TARGETS += ptrace + TARGETS += openat2 ++TARGETS += resctrl + TARGETS += rlimits + TARGETS += rseq + TARGETS += rtc +diff --git a/tools/testing/selftests/resctrl/Makefile b/tools/testing/selftests/resctrl/Makefile +index 6bcee2ec91a9c..bee5fa8f1ac9d 100644 +--- a/tools/testing/selftests/resctrl/Makefile ++++ b/tools/testing/selftests/resctrl/Makefile +@@ -1,17 +1,8 @@ +-CC = $(CROSS_COMPILE)gcc + CFLAGS = -g -Wall -O2 -D_FORTIFY_SOURCE=2 +-SRCS=$(wildcard *.c) +-OBJS=$(SRCS:.c=.o) ++CFLAGS += $(KHDR_INCLUDES) + +-all: resctrl_tests ++TEST_GEN_PROGS := resctrl_tests + +-$(OBJS): $(SRCS) +- $(CC) $(CFLAGS) -c $(SRCS) ++include ../lib.mk + +-resctrl_tests: $(OBJS) +- $(CC) $(CFLAGS) -o $@ $^ +- +-.PHONY: clean +- +-clean: +- $(RM) $(OBJS) resctrl_tests ++$(OUTPUT)/resctrl_tests: $(wildcard *.c) +-- +2.40.1 + diff --git a/queue-5.15/selftests-resctrl-unmount-resctrl-fs-if-child-fails-.patch b/queue-5.15/selftests-resctrl-unmount-resctrl-fs-if-child-fails-.patch new file mode 100644 index 00000000000..5d19c6d2fa2 --- /dev/null +++ b/queue-5.15/selftests-resctrl-unmount-resctrl-fs-if-child-fails-.patch @@ -0,0 +1,44 @@ +From 5e68d2444fd9ed9ace63d4382cf9a63138687d72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 16:14:51 +0300 +Subject: selftests/resctrl: Unmount resctrl FS if child fails to run benchmark +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit f99e413eb54652e2436cc56d081176bc9a34cd8d ] + +A child calls PARENT_EXIT() when it fails to run a benchmark to kill +the parent process. PARENT_EXIT() lacks unmount for the resctrl FS and +the parent won't be there to unmount it either after it gets killed. + +Add the resctrl FS unmount also to PARENT_EXIT(). + +Fixes: 591a6e8588fc ("selftests/resctrl: Add basic resctrl file system operations and data") +Signed-off-by: Ilpo Järvinen +Reviewed-by: Reinette Chatre +Tested-by: Babu Moger +Tested-by: Shaopeng Tan (Fujitsu) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/resctrl/resctrl.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/resctrl/resctrl.h b/tools/testing/selftests/resctrl/resctrl.h +index f44fa2de4d986..dbe5cfb545585 100644 +--- a/tools/testing/selftests/resctrl/resctrl.h ++++ b/tools/testing/selftests/resctrl/resctrl.h +@@ -43,6 +43,7 @@ + do { \ + perror(err_msg); \ + kill(ppid, SIGKILL); \ ++ umount_resctrlfs(); \ + exit(EXIT_FAILURE); \ + } while (0) + +-- +2.40.1 + diff --git a/queue-5.15/serial-sprd-assign-sprd_port-after-initialized-to-av.patch b/queue-5.15/serial-sprd-assign-sprd_port-after-initialized-to-av.patch new file mode 100644 index 00000000000..a5a5c0441cf --- /dev/null +++ b/queue-5.15/serial-sprd-assign-sprd_port-after-initialized-to-av.patch @@ -0,0 +1,118 @@ +From 466eb44ea658d465b5ca293e9b10447ab8809808 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 14:40:52 +0800 +Subject: serial: sprd: Assign sprd_port after initialized to avoid wrong + access + +From: Chunyan Zhang + +[ Upstream commit f9608f1887568b728839d006024585ab02ef29e5 ] + +The global pointer 'sprd_port' may not zero when sprd_probe returns +failure, that is a risk for sprd_port to be accessed afterward, and +may lead to unexpected errors. + +For example: + +There are two UART ports, UART1 is used for console and configured in +kernel command line, i.e. "console="; + +The UART1 probe failed and the memory allocated to sprd_port[1] was +released, but sprd_port[1] was not set to NULL; + +In UART2 probe, the same virtual address was allocated to sprd_port[2], +and UART2 probe process finally will go into sprd_console_setup() to +register UART1 as console since it is configured as preferred console +(filled to console_cmdline[]), but the console parameters (sprd_port[1]) +belong to UART2. + +So move the sprd_port[] assignment to where the port already initialized +can avoid the above issue. + +Fixes: b7396a38fb28 ("tty/serial: Add Spreadtrum sc9836-uart driver support") +Signed-off-by: Chunyan Zhang +Link: https://lore.kernel.org/r/20230725064053.235448-1-chunyan.zhang@unisoc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sprd_serial.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c +index 9a7ae6384edfa..144c03ca3366a 100644 +--- a/drivers/tty/serial/sprd_serial.c ++++ b/drivers/tty/serial/sprd_serial.c +@@ -1133,7 +1133,7 @@ static bool sprd_uart_is_console(struct uart_port *uport) + static int sprd_clk_init(struct uart_port *uport) + { + struct clk *clk_uart, *clk_parent; +- struct sprd_uart_port *u = sprd_port[uport->line]; ++ struct sprd_uart_port *u = container_of(uport, struct sprd_uart_port, port); + + clk_uart = devm_clk_get(uport->dev, "uart"); + if (IS_ERR(clk_uart)) { +@@ -1176,22 +1176,22 @@ static int sprd_probe(struct platform_device *pdev) + { + struct resource *res; + struct uart_port *up; ++ struct sprd_uart_port *sport; + int irq; + int index; + int ret; + + index = of_alias_get_id(pdev->dev.of_node, "serial"); +- if (index < 0 || index >= ARRAY_SIZE(sprd_port)) { ++ if (index < 0 || index >= UART_NR_MAX) { + dev_err(&pdev->dev, "got a wrong serial alias id %d\n", index); + return -EINVAL; + } + +- sprd_port[index] = devm_kzalloc(&pdev->dev, sizeof(*sprd_port[index]), +- GFP_KERNEL); +- if (!sprd_port[index]) ++ sport = devm_kzalloc(&pdev->dev, sizeof(*sport), GFP_KERNEL); ++ if (!sport) + return -ENOMEM; + +- up = &sprd_port[index]->port; ++ up = &sport->port; + up->dev = &pdev->dev; + up->line = index; + up->type = PORT_SPRD; +@@ -1222,7 +1222,7 @@ static int sprd_probe(struct platform_device *pdev) + * Allocate one dma buffer to prepare for receive transfer, in case + * memory allocation failure at runtime. + */ +- ret = sprd_rx_alloc_buf(sprd_port[index]); ++ ret = sprd_rx_alloc_buf(sport); + if (ret) + return ret; + +@@ -1233,14 +1233,23 @@ static int sprd_probe(struct platform_device *pdev) + return ret; + } + } ++ + sprd_ports_num++; ++ sprd_port[index] = sport; + + ret = uart_add_one_port(&sprd_uart_driver, up); + if (ret) +- sprd_remove(pdev); ++ goto clean_port; + + platform_set_drvdata(pdev, up); + ++ return 0; ++ ++clean_port: ++ sprd_port[index] = NULL; ++ if (--sprd_ports_num == 0) ++ uart_unregister_driver(&sprd_uart_driver); ++ sprd_rx_free_buf(sport); + return ret; + } + +-- +2.40.1 + diff --git a/queue-5.15/serial-sprd-fix-dma-buffer-leak-issue.patch b/queue-5.15/serial-sprd-fix-dma-buffer-leak-issue.patch new file mode 100644 index 00000000000..a358d9e6835 --- /dev/null +++ b/queue-5.15/serial-sprd-fix-dma-buffer-leak-issue.patch @@ -0,0 +1,54 @@ +From 7e40c0f4cb68309b97c78df9846b8f56f8cf7c57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 14:40:53 +0800 +Subject: serial: sprd: Fix DMA buffer leak issue + +From: Chunyan Zhang + +[ Upstream commit cd119fdc3ee1450fbf7f78862b5de44c42b6e47f ] + +Release DMA buffer when _probe() returns failure to avoid memory leak. + +Fixes: f4487db58eb7 ("serial: sprd: Add DMA mode support") +Signed-off-by: Chunyan Zhang +Reviewed-by: Baolin Wang +Link: https://lore.kernel.org/r/20230725064053.235448-2-chunyan.zhang@unisoc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sprd_serial.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c +index 144c03ca3366a..a1952e4f1fcbb 100644 +--- a/drivers/tty/serial/sprd_serial.c ++++ b/drivers/tty/serial/sprd_serial.c +@@ -367,7 +367,7 @@ static void sprd_rx_free_buf(struct sprd_uart_port *sp) + if (sp->rx_dma.virt) + dma_free_coherent(sp->port.dev, SPRD_UART_RX_SIZE, + sp->rx_dma.virt, sp->rx_dma.phys_addr); +- ++ sp->rx_dma.virt = NULL; + } + + static int sprd_rx_dma_config(struct uart_port *port, u32 burst) +@@ -1230,7 +1230,7 @@ static int sprd_probe(struct platform_device *pdev) + ret = uart_register_driver(&sprd_uart_driver); + if (ret < 0) { + pr_err("Failed to register SPRD-UART driver\n"); +- return ret; ++ goto free_rx_buf; + } + } + +@@ -1249,6 +1249,7 @@ static int sprd_probe(struct platform_device *pdev) + sprd_port[index] = NULL; + if (--sprd_ports_num == 0) + uart_unregister_driver(&sprd_uart_driver); ++free_rx_buf: + sprd_rx_free_buf(sport); + return ret; + } +-- +2.40.1 + diff --git a/queue-5.15/serial-tegra-handle-clk-prepare-error-in-tegra_uart_.patch b/queue-5.15/serial-tegra-handle-clk-prepare-error-in-tegra_uart_.patch new file mode 100644 index 00000000000..ad9993aeddb --- /dev/null +++ b/queue-5.15/serial-tegra-handle-clk-prepare-error-in-tegra_uart_.patch @@ -0,0 +1,41 @@ +From 1a446d4688f9649e4a5658d350893b5f075c8bf2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 18:54:06 +0800 +Subject: serial: tegra: handle clk prepare error in tegra_uart_hw_init() + +From: Yi Yang + +[ Upstream commit 5abd01145d0cc6cd1b7c2fe6ee0b9ea0fa13671e ] + +In tegra_uart_hw_init(), the return value of clk_prepare_enable() should +be checked since it might fail. + +Fixes: e9ea096dd225 ("serial: tegra: add serial driver") +Signed-off-by: Yi Yang +Link: https://lore.kernel.org/r/20230817105406.228674-1-yiyang13@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/serial-tegra.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/serial-tegra.c b/drivers/tty/serial/serial-tegra.c +index 25f34f86a0852..52d5c72227e79 100644 +--- a/drivers/tty/serial/serial-tegra.c ++++ b/drivers/tty/serial/serial-tegra.c +@@ -999,7 +999,11 @@ static int tegra_uart_hw_init(struct tegra_uart_port *tup) + tup->ier_shadow = 0; + tup->current_baud = 0; + +- clk_prepare_enable(tup->uart_clk); ++ ret = clk_prepare_enable(tup->uart_clk); ++ if (ret) { ++ dev_err(tup->uport.dev, "could not enable clk\n"); ++ return ret; ++ } + + /* Reset the UART controller to clear all previous status.*/ + reset_control_assert(tup->rst); +-- +2.40.1 + diff --git a/queue-5.15/series b/queue-5.15/series index a4a485e52ff..2a1cc1b666e 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -53,3 +53,270 @@ of-kexec-mark-ima_-free-stable-_kexec_buffer-as-__init.patch udf-check-consistency-of-space-bitmap-descriptor.patch udf-handle-error-when-adding-extent-to-a-file.patch revert-net-macsec-preserve-ingress-frame-ordering.patch +reiserfs-check-the-return-value-from-__getblk.patch +eventfd-prevent-underflow-for-eventfd-semaphores.patch +fs-fix-error-checking-for-d_hash_and_lookup.patch +tmpfs-verify-g-u-id-mount-options-correctly.patch +selftests-harness-actually-report-skip-for-signal-te.patch +arm-ptrace-restore-syscall-restart-tracing.patch +arm-ptrace-restore-syscall-skipping-for-tracers.patch +refscale-fix-uninitalized-use-of-wait_queue_head_t.patch +opp-fix-passing-0-to-ptr_err-in-_opp_attach_genpd.patch +selftests-resctrl-make-resctrl_tests-run-using-kself.patch +selftests-resctrl-add-resctrl.h-into-build-deps.patch +selftests-resctrl-don-t-leak-buffer-in-fill_cache.patch +selftests-resctrl-unmount-resctrl-fs-if-child-fails-.patch +selftests-resctrl-close-perf-value-read-fd-on-errors.patch +x86-decompressor-don-t-rely-on-upper-32-bits-of-gprs.patch +perf-imx_ddr-don-t-enable-counter0-if-none-of-4-coun.patch +selftests-futex-order-calls-to-futex_lock_pi.patch +s390-pkey-fix-harmonize-internal-keyblob-headers.patch +s390-paes-fix-pkey_type_ep11_aes-handling-for-secure.patch +acpi-x86-s2idle-post-increment-variables-when-gettin.patch +acpi-x86-s2idle-fix-a-logic-error-parsing-amd-constr.patch +x86-efistub-fix-pci-rom-preservation-in-mixed-mode.patch +cpufreq-powernow-k8-use-related_cpus-instead-of-cpus.patch +bpftool-use-a-local-bpf_perf_event_value-to-fix-acce.patch +bpf-clear-the-probe_addr-for-uprobe.patch +tcp-tcp_enter_quickack_mode-should-be-static.patch +hwrng-nomadik-keep-clock-enabled-while-hwrng-is-regi.patch +hwrng-pic32-use-devm_clk_get_enabled.patch +regmap-rbtree-use-alloc_flags-for-memory-allocations.patch +udp-re-score-reuseport-groups-when-connected-sockets.patch +bpf-reject-unhashed-sockets-in-bpf_sk_assign.patch +ipv6-add-reasons-for-skb-drops-to-__udp6_lib_rcv.patch +net-export-inet_lookup_reuseport-and-inet6_lookup_re.patch +net-remove-duplicate-reuseport_lookup-functions.patch +bpf-net-support-so_reuseport-sockets-with-bpf_sk_ass.patch +wifi-mt76-testmode-add-nla_policy-for-mt76_tm_attr_t.patch +spi-tegra20-sflash-fix-to-check-return-value-of-plat.patch +can-gs_usb-gs_usb_receive_bulk_callback-count-rx-ove.patch +wifi-mt76-mt7915-fix-power-limits-while-chan_switch.patch +wifi-mwifiex-fix-oob-and-integer-underflow-when-rx-p.patch +wifi-mwifiex-fix-error-recovery-in-pcie-buffer-descr.patch +selftests-bpf-fix-static-assert-compilation-issue-fo.patch +crypto-stm32-properly-handle-pm_runtime_get-failing.patch +crypto-api-use-work-queue-in-crypto_destroy_instance.patch +bluetooth-nokia-fix-value-check-in-nokia_bluetooth_s.patch +bluetooth-fix-potential-use-after-free-when-clear-ke.patch +net-tcp-fix-unexcepted-socket-die-when-snd_wnd-is-0.patch +selftests-bpf-clean-up-fmod_ret-in-bench_rename-test.patch +spi-tegra114-remove-unnecessary-null-pointer-checks.patch +net-fix-slab-out-of-bounds-in-inet-6-_steal_sock.patch +net-memcg-fix-scope-of-sockmem-pressure-indicators.patch +ice-ice_aq_check_events-fix-off-by-one-check-when-fi.patch +crypto-caam-fix-unchecked-return-value-error.patch +hwrng-iproc-rng200-implement-suspend-and-resume-call.patch +lwt-fix-return-values-of-bpf-xmit-ops.patch +lwt-check-lwtunnel_xmit_continue-strictly.patch +fs-ocfs2-namei-check-return-value-of-ocfs2_add_entry.patch +wifi-mwifiex-fix-memory-leak-in-mwifiex_histogram_re.patch +wifi-mwifiex-fix-missed-return-in-oob-checks-failed-.patch +samples-bpf-fix-broken-map-lookup-probe.patch +wifi-ath9k-fix-races-between-ath9k_wmi_cmd-and-ath9k.patch +wifi-ath9k-protect-wmi-command-response-buffer-repla.patch +wifi-nl80211-cfg80211-add-forgotten-nla_policy-for-b.patch +wifi-mwifiex-avoid-possible-null-skb-pointer-derefer.patch +bluetooth-btusb-do-not-call-kfree_skb-under-spin_loc.patch +wifi-ath9k-use-is_err-with-debugfs_create_dir.patch +net-arcnet-do-not-call-kfree_skb-under-local_irq_dis.patch +mlxsw-i2c-fix-chunk-size-setting-in-output-mailbox-b.patch +mlxsw-i2c-limit-single-transaction-buffer-size.patch +hwmon-tmp513-fix-the-channel-number-in-tmp51x_is_vis.patch +net-sched-sch_hfsc-ensure-inner-classes-have-fsc-cur.patch +netrom-deny-concurrent-connect.patch +drm-bridge-tc358764-fix-debug-print-parameter-order.patch +quota-factor-out-dquot_write_dquot.patch +quota-rename-dquot_active-to-inode_quota_active.patch +quota-add-new-helper-dquot_active.patch +quota-fix-dqput-to-follow-the-guarantees-dquot_srcu-.patch +asoc-stac9766-fix-build-errors-with-regmap_ac97.patch +soc-qcom-ocmem-add-ocmem-hardware-version-print.patch +soc-qcom-ocmem-fix-num_ports-num_macros-macros.patch +arm64-dts-qcom-sm8250-correct-dynamic-power-coeffici.patch +arm64-dts-qcom-sm8250-edo-add-gpio-line-names-for-tl.patch +arm64-dts-qcom-sm8250-edo-add-gpio-line-names-for-pm.patch +arm64-dts-qcom-sm8250-edo-rectify-gpio-keys.patch +arm64-dts-qcom-msm8996-add-missing-interrupt-to-the-.patch +arm64-dts-qcom-sm8350-add-missing-lmh-interrupts-to-.patch +arm64-dts-qcom-sm8350-use-proper-cpu-compatibles.patch +arm64-dts-qcom-pmk8350-fix-adc-tm-compatible-string.patch +arm64-dts-qcom-sm8250-mark-pcie-hosts-as-dma-coheren.patch +drm-amdgpu-avoid-integer-overflow-warning-in-amdgpu_.patch +arm-dts-bcm53573-add-cells-sizes-to-pcie-node.patch +arm-dts-bcm53573-use-updated-spi-gpio-binding-proper.patch +arm64-dts-qcom-sm8250-sony-xperia-correct-gpio-keys-.patch +arm64-dts-qcom-pmi8998-add-node-for-wled.patch +arm64-dts-qcom-correct-spmi-wled-register-range-enco.patch +arm64-dts-qcom-pm660l-add-missing-short-interrupt.patch +arm64-dts-qcom-pmi8994-remove-hardcoded-linear-wled-.patch +arm64-dts-qcom-move-wled-num-strings-from-pmi8994-to.patch +arm64-dts-qcom-pmi8994-add-missing-ovp-interrupt.patch +drm-etnaviv-fix-dumping-of-active-mmu-context.patch +x86-mm-fix-pat-bit-missing-from-page-protection-modi.patch +arm-dts-s3c64xx-align-pinctrl-with-dtschema.patch +arm-dts-samsung-s3c6410-mini6410-correct-ethernet-re.patch +arm-dts-s5pv210-add-dummy-5v-regulator-for-backlight.patch +arm-dts-samsung-s5pv210-smdkv210-correct-ethernet-re.patch +drm-adv7511-fix-low-refresh-rate-register-for-adv753.patch +arm-dts-bcm53573-fix-ethernet-info-for-luxul-devices.patch +arm64-dts-qcom-sdm845-add-missing-rpmh-power-domain-.patch +arm64-dts-qcom-sdm845-fix-the-min-frequency-of-ice_c.patch +drm-amdgpu-update-min-to-min_t-in-amdgpu_info_ioctl.patch +md-raid10-factor-out-dereference_rdev_and_rrdev.patch +md-raid10-use-dereference_rdev_and_rrdev-to-get-devi.patch +md-bitmap-don-t-set-max_write_behind-if-there-is-no-.patch +md-md-bitmap-hold-reconfig_mutex-in-backlog_store.patch +drm-msm-update-dev-core-dump-to-not-print-backwards.patch +drm-tegra-dpaux-fix-incorrect-return-value-of-platfo.patch +of-unittest-fix-null-pointer-dereferencing-in-of_uni.patch +arm64-dts-qcom-sm8150-fix-the-i2c7-interrupt.patch +drm-armada-fix-off-by-one-error-in-armada_overlay_ge.patch +drm-panel-simple-add-missing-connector-type-and-pixe.patch +ima-remove-deprecated-ima_trusted_keyring-kconfig.patch +drm-xlnx-zynqmp_dpsub-add-missing-check-for-dma_set_.patch +drm-msm-mdp5-don-t-leak-some-plane-state.patch +firmware-meson_sm-fix-to-avoid-potential-null-pointe.patch +smackfs-prevent-underflow-in-smk_set_cipso.patch +drm-amd-pm-fix-variable-dereferenced-issue-in-amdgpu.patch +drm-msm-a2xx-call-adreno_gpu_init-earlier.patch +audit-fix-possible-soft-lockup-in-__audit_inode_chil.patch +io_uring-fix-drain-stalls-by-invalid-sqe.patch +bus-ti-sysc-fix-build-warning-for-64-bit-build.patch +drm-mediatek-remove-freeing-not-dynamic-allocated-me.patch +drm-mediatek-fix-potential-memory-leak-if-vmap-fail.patch +arm64-dts-qcom-apq8016-sbc-fix-ov5640-regulator-supp.patch +bus-ti-sysc-fix-cast-to-enum-warning.patch +md-raid1-free-the-r1bio-before-waiting-for-blocked-r.patch +md-raid1-hold-the-barrier-until-handle_read_error-fi.patch +md-set-md_broken-for-raid1-and-raid10.patch +md-add-error_handlers-for-raid0-and-linear.patch +md-raid0-factor-out-helper-for-mapping-and-submittin.patch +md-raid0-fix-performance-regression-for-large-sequen.patch +md-raid0-account-for-split-bio-in-iostat-accounting.patch +of-overlay-call-of_changeset_init-early.patch +of-unittest-fix-overlay-type-in-apply-revert-check.patch +alsa-ac97-fix-possible-error-value-of-rac97.patch +ipmi-ssif-add-check-for-kstrdup.patch +ipmi-ssif-fix-a-memory-leak-when-scanning-for-an-ada.patch +drivers-clk-keystone-fix-parameter-judgment-in-_of_p.patch +clk-sunxi-ng-modify-mismatched-function-name.patch +clk-qcom-gcc-sc7180-fix-up-gcc_sdcc2_apps_clk_src.patch +edac-igen6-fix-the-issue-of-no-error-events.patch +ext4-correct-grp-validation-in-ext4_mb_good_group.patch +ext4-avoid-potential-data-overflow-in-next_linear_gr.patch +clk-qcom-gcc-sm8250-fix-gcc_sdcc2_apps_clk_src.patch +clk-qcom-reset-use-the-correct-type-of-sleep-delay-b.patch +clk-qcom-gcc-sm6350-fix-gcc_sdcc2_apps_clk_src.patch +pci-microchip-correct-the-ded-and-sec-interrupt-bit-.patch +pci-mark-nvidia-t4-gpus-to-avoid-bus-reset.patch +pinctrl-mcp23s08-check-return-value-of-devm_kasprint.patch +pci-pciehp-use-rmw-accessors-for-changing-lnkctl.patch +pci-aspm-use-rmw-accessors-for-changing-lnkctl.patch +clk-imx8mp-fix-sai4-clock.patch +clk-imx-composite-8m-fix-clock-pauses-when-set_rate-.patch +powerpc-radix-move-some-functions-into-ifdef-config_.patch +vfio-type1-fix-cap_migration-information-leak.patch +powerpc-fadump-reset-dump-area-size-if-fadump-memory.patch +powerpc-perf-convert-fsl_emb-notifier-to-state-machi.patch +drm-amdgpu-use-rmw-accessors-for-changing-lnkctl.patch +drm-radeon-use-rmw-accessors-for-changing-lnkctl.patch +net-mlx5-use-rmw-accessors-for-changing-lnkctl.patch +wifi-ath11k-use-rmw-accessors-for-changing-lnkctl.patch +wifi-ath10k-use-rmw-accessors-for-changing-lnkctl.patch +pci-dwc-add-start_link-stop_link-inlines.patch +pci-layerscape-add-the-endpoint-linkup-notifier-supp.patch +pci-layerscape-add-workaround-for-lost-link-capabili.patch +powerpc-don-t-include-lppaca.h-in-paca.h.patch +powerpc-pseries-rework-lppaca_shared_proc-to-avoid-d.patch +nfs-blocklayout-use-the-passed-in-gfp-flags.patch +powerpc-iommu-fix-notifiers-being-shared-by-pci-and-.patch +ext4-fix-unttached-inode-after-power-cut-with-orphan.patch +jfs-validate-max-amount-of-blocks-before-allocation.patch +fs-lockd-avoid-possible-wrong-null-parameter.patch +nfsd-da_addr_body-field-missing-in-some-getdeviceinf.patch +nfs-guard-against-readdir-loop-when-entry-names-exce.patch +nfsv4.2-fix-handling-of-copy-err_offload_no_req.patch +pnfs-fix-assignment-of-xprtdata.cred.patch +rdma-qedr-remove-a-duplicate-assignment-in-irdma_que.patch +media-ad5820-drop-unsupported-ad5823-from-i2c_-and-o.patch +media-i2c-tvp5150-check-return-value-of-devm_kasprin.patch +media-v4l2-core-fix-a-potential-resource-leak-in-v4l.patch +iommu-amd-iommu_v2-fix-pasid_state-refcount-dec-hit-.patch +iommu-rockchip-fix-directory-table-address-encoding.patch +drivers-usb-smsusb-fix-error-handling-code-in-smsusb.patch +media-dib7000p-fix-potential-division-by-zero.patch +media-dvb-usb-m920x-fix-a-potential-memory-leak-in-m.patch +media-cx24120-add-retval-check-for-cx24120_message_s.patch +scsi-hisi_sas-modify-v3-hw-ssp-underflow-error-proce.patch +scsi-hisi_sas-modify-v3-hw-sata-completion-error-pro.patch +scsi-hisi_sas-fix-warnings-detected-by-sparse.patch +scsi-hisi_sas-fix-normally-completed-i-o-analysed-as.patch +media-rkvdec-increase-max-supported-height-for-h.264.patch +media-mediatek-vcodec-return-null-if-no-vdec_fb-is-f.patch +usb-phy-mxs-fix-getting-wrong-state-with-mxs_phy_is_.patch +scsi-rdma-srp-fix-residual-handling.patch +scsi-iscsi-rename-iscsi_set_param-to-iscsi_if_set_pa.patch +scsi-iscsi-add-length-check-for-nlattr-payload.patch +scsi-iscsi-add-strlen-check-in-iscsi_if_set-_host-_p.patch +scsi-be2iscsi-add-length-check-when-parsing-nlattrs.patch +scsi-qla4xxx-add-length-check-when-parsing-nlattrs.patch +serial-sprd-assign-sprd_port-after-initialized-to-av.patch +serial-sprd-fix-dma-buffer-leak-issue.patch +x86-apm-drop-the-duplicate-apm_minor_dev-macro.patch +scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_st.patch +scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_de.patch +scsi-qedf-do-not-touch-__user-pointer-in-qedf_dbg_fp.patch +rdma-irdma-replace-one-element-array-with-flexible-a.patch +coresight-tmc-explicit-type-conversions-to-prevent-i.patch +dma-buf-sync_file-fix-docs-syntax.patch +driver-core-test_async-fix-an-error-code.patch +iommu-sprd-add-missing-force_aperture.patch +rdma-hns-fix-port-active-speed.patch +rdma-hns-fix-incorrect-post-send-with-direct-wqe-of-.patch +rdma-hns-fix-cq-and-qp-cache-affinity.patch +ib-uverbs-fix-an-potential-error-pointer-dereference.patch +fsi-aspeed-reset-master-errors-after-cfam-reset.patch +iommu-qcom-disable-and-reset-context-bank-before-pro.patch +iommu-vt-d-fix-to-flush-cache-of-pasid-directory-tab.patch +platform-x86-dell-sysman-fix-reference-leak.patch +media-go7007-remove-redundant-if-statement.patch +media-venus-hfi_venus-only-consider-sys_idle_indicat.patch +usb-gadget-f_mass_storage-fix-unused-variable-warnin.patch +media-ov5640-enable-mipi-interface-in-ov5640_set_pow.patch +media-i2c-ov2680-set-v4l2_ctrl_flag_modify_layout-on.patch +media-ov2680-remove-auto-gain-and-auto-exposure-cont.patch +media-ov2680-fix-ov2680_bayer_order.patch +media-ov2680-fix-vflip-hflip-set-functions.patch +media-ov2680-remove-video_v4l2_subdev_api-ifdef-s.patch +media-ov2680-don-t-take-the-lock-for-try_fmt-calls.patch +media-ov2680-add-ov2680_fill_format-helper-function.patch +media-ov2680-fix-ov2680_set_fmt-which-v4l2_subdev_fo.patch +media-ov2680-fix-regulators-being-left-enabled-on-ov.patch +media-i2c-rdacm21-fix-uninitialized-value.patch +cgroup-namespace-remove-unused-cgroup_namespaces_ini.patch +scsi-core-use-32-bit-hostnum-in-scsi_host_lookup.patch +scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch +serial-tegra-handle-clk-prepare-error-in-tegra_uart_.patch +amba-bus-fix-refcount-leak.patch +revert-ib-isert-fix-incorrect-release-of-isert-conne.patch +hid-logitech-dj-fix-error-handling-in-logi_dj_recv_s.patch +hid-multitouch-correct-devm-device-reference-for-hid.patch +x86-speculation-mark-all-skylake-cpus-as-vulnerable-.patch +tracing-remove-extra-space-at-the-end-of-hwlat_detec.patch +tracing-fix-race-issue-between-cpu-buffer-write-and-.patch +mtd-rawnand-brcmnand-fix-mtd-oobsize.patch +phy-rockchip-inno-hdmi-use-correct-vco_div_5-macro-o.patch +phy-rockchip-inno-hdmi-round-fractal-pixclock-in-rk3.patch +phy-rockchip-inno-hdmi-do-not-power-on-rk3328-post-p.patch +rpmsg-glink-add-check-for-kstrdup.patch +leds-pwm-fix-error-code-in-led_pwm_create_fwnode.patch +leds-multicolor-use-rounded-division-when-calculatin.patch +leds-fix-bug_on-check-for-led_color_id_multi-that-is.patch +leds-trigger-tty-do-not-use-led_on-off-constants-use.patch +mtd-spi-nor-check-bus-width-while-setting-qe-bit.patch +mtd-rawnand-fsmc-handle-clk-prepare-error-in-fsmc_na.patch +um-fix-hostaudio-build-errors.patch +dmaengine-ste_dma40-add-missing-irq-check-in-d40_pro.patch +cpufreq-fix-the-race-condition-while-updating-the-tr.patch +virtio_ring-fix-avail_wrap_counter-in-virtqueue_add_.patch diff --git a/queue-5.15/smackfs-prevent-underflow-in-smk_set_cipso.patch b/queue-5.15/smackfs-prevent-underflow-in-smk_set_cipso.patch new file mode 100644 index 00000000000..b44ab3c0b77 --- /dev/null +++ b/queue-5.15/smackfs-prevent-underflow-in-smk_set_cipso.patch @@ -0,0 +1,37 @@ +From 5bffae8edfc6466738a7e9d75d19e057372f4993 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 08:52:39 +0300 +Subject: smackfs: Prevent underflow in smk_set_cipso() + +From: Dan Carpenter + +[ Upstream commit 3ad49d37cf5759c3b8b68d02e3563f633d9c1aee ] + +There is a upper bound to "catlen" but no lower bound to prevent +negatives. I don't see that this necessarily causes a problem but we +may as well be safe. + +Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel") +Signed-off-by: Dan Carpenter +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smackfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index 658eab05599e6..27fd7744e0fc0 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -895,7 +895,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + } + + ret = sscanf(rule, "%d", &catlen); +- if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM) ++ if (ret != 1 || catlen < 0 || catlen > SMACK_CIPSO_MAXCATNUM) + goto out; + + if (format == SMK_FIXED24_FMT && +-- +2.40.1 + diff --git a/queue-5.15/soc-qcom-ocmem-add-ocmem-hardware-version-print.patch b/queue-5.15/soc-qcom-ocmem-add-ocmem-hardware-version-print.patch new file mode 100644 index 00000000000..64b060f0364 --- /dev/null +++ b/queue-5.15/soc-qcom-ocmem-add-ocmem-hardware-version-print.patch @@ -0,0 +1,53 @@ +From d17bbe4ec8ef0de7000b6ccac3738732d6e5b11a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 10:41:15 +0200 +Subject: soc: qcom: ocmem: Add OCMEM hardware version print + +From: Luca Weiss + +[ Upstream commit e81a16e77259294cd4ff0a9c1fbe5aa0e311a47d ] + +It might be useful to know what hardware version of the OCMEM block the +SoC contains. Add a debug print for that. + +Signed-off-by: Luca Weiss +Reviewed-by: Konrad Dybcio +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230509-ocmem-hwver-v3-1-e51f3488e0f4@z3ntu.xyz +Stable-dep-of: a7b484b1c933 ("soc: qcom: ocmem: Fix NUM_PORTS & NUM_MACROS macros") +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/ocmem.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/soc/qcom/ocmem.c b/drivers/soc/qcom/ocmem.c +index 1dfdd0b9ba24d..ae023bef81b6f 100644 +--- a/drivers/soc/qcom/ocmem.c ++++ b/drivers/soc/qcom/ocmem.c +@@ -76,6 +76,10 @@ struct ocmem { + #define OCMEM_REG_GFX_MPU_START 0x00001004 + #define OCMEM_REG_GFX_MPU_END 0x00001008 + ++#define OCMEM_HW_VERSION_MAJOR(val) FIELD_GET(GENMASK(31, 28), val) ++#define OCMEM_HW_VERSION_MINOR(val) FIELD_GET(GENMASK(27, 16), val) ++#define OCMEM_HW_VERSION_STEP(val) FIELD_GET(GENMASK(15, 0), val) ++ + #define OCMEM_HW_PROFILE_NUM_PORTS(val) FIELD_PREP(0x0000000f, (val)) + #define OCMEM_HW_PROFILE_NUM_MACROS(val) FIELD_PREP(0x00003f00, (val)) + +@@ -357,6 +361,12 @@ static int ocmem_dev_probe(struct platform_device *pdev) + } + } + ++ reg = ocmem_read(ocmem, OCMEM_REG_HW_VERSION); ++ dev_dbg(dev, "OCMEM hardware version: %lu.%lu.%lu\n", ++ OCMEM_HW_VERSION_MAJOR(reg), ++ OCMEM_HW_VERSION_MINOR(reg), ++ OCMEM_HW_VERSION_STEP(reg)); ++ + reg = ocmem_read(ocmem, OCMEM_REG_HW_PROFILE); + ocmem->num_ports = OCMEM_HW_PROFILE_NUM_PORTS(reg); + ocmem->num_macros = OCMEM_HW_PROFILE_NUM_MACROS(reg); +-- +2.40.1 + diff --git a/queue-5.15/soc-qcom-ocmem-fix-num_ports-num_macros-macros.patch b/queue-5.15/soc-qcom-ocmem-fix-num_ports-num_macros-macros.patch new file mode 100644 index 00000000000..827ee60a3e6 --- /dev/null +++ b/queue-5.15/soc-qcom-ocmem-fix-num_ports-num_macros-macros.patch @@ -0,0 +1,50 @@ +From 6347265f8f9a1435e3305810cf9f474b70968b53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 18:35:47 +0200 +Subject: soc: qcom: ocmem: Fix NUM_PORTS & NUM_MACROS macros + +From: Luca Weiss + +[ Upstream commit a7b484b1c9332a1ee12e8799d62a11ee3f8e0801 ] + +Since we're using these two macros to read a value from a register, we +need to use the FIELD_GET instead of the FIELD_PREP macro, otherwise +we're getting wrong values. + +So instead of: + + [ 3.111779] ocmem fdd00000.sram: 2 ports, 1 regions, 512 macros, not interleaved + +we now get the correct value of: + + [ 3.129672] ocmem fdd00000.sram: 2 ports, 1 regions, 2 macros, not interleaved + +Fixes: 88c1e9404f1d ("soc: qcom: add OCMEM driver") +Reviewed-by: Caleb Connolly +Reviewed-by: Konrad Dybcio +Signed-off-by: Luca Weiss +Link: https://lore.kernel.org/r/20230506-msm8226-ocmem-v3-1-79da95a2581f@z3ntu.xyz +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/ocmem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/qcom/ocmem.c b/drivers/soc/qcom/ocmem.c +index ae023bef81b6f..8b80c8e94c77a 100644 +--- a/drivers/soc/qcom/ocmem.c ++++ b/drivers/soc/qcom/ocmem.c +@@ -80,8 +80,8 @@ struct ocmem { + #define OCMEM_HW_VERSION_MINOR(val) FIELD_GET(GENMASK(27, 16), val) + #define OCMEM_HW_VERSION_STEP(val) FIELD_GET(GENMASK(15, 0), val) + +-#define OCMEM_HW_PROFILE_NUM_PORTS(val) FIELD_PREP(0x0000000f, (val)) +-#define OCMEM_HW_PROFILE_NUM_MACROS(val) FIELD_PREP(0x00003f00, (val)) ++#define OCMEM_HW_PROFILE_NUM_PORTS(val) FIELD_GET(0x0000000f, (val)) ++#define OCMEM_HW_PROFILE_NUM_MACROS(val) FIELD_GET(0x00003f00, (val)) + + #define OCMEM_HW_PROFILE_LAST_REGN_HALFSIZE 0x00010000 + #define OCMEM_HW_PROFILE_INTERLEAVING 0x00020000 +-- +2.40.1 + diff --git a/queue-5.15/spi-tegra114-remove-unnecessary-null-pointer-checks.patch b/queue-5.15/spi-tegra114-remove-unnecessary-null-pointer-checks.patch new file mode 100644 index 00000000000..2362c920606 --- /dev/null +++ b/queue-5.15/spi-tegra114-remove-unnecessary-null-pointer-checks.patch @@ -0,0 +1,73 @@ +From 610a0364955625d2396971763585c37a3ef0bd76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Aug 2023 12:20:58 +0300 +Subject: spi: tegra114: Remove unnecessary NULL-pointer checks + +From: Alexander Danilenko + +[ Upstream commit 373c36bf7914e3198ac2654dede499f340c52950 ] + +cs_setup, cs_hold and cs_inactive points to fields of spi_device struct, +so there is no sense in checking them for NULL. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 04e6bb0d6bb1 ("spi: modify set_cs_timing parameter") +Signed-off-by: Alexander Danilenko +Link: https://lore.kernel.org/r/20230815092058.4083-1-al.b.danilenko@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra114.c | 18 +++++++----------- + 1 file changed, 7 insertions(+), 11 deletions(-) + +diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c +index 8f345247a8c32..b6f081227cbd4 100644 +--- a/drivers/spi/spi-tegra114.c ++++ b/drivers/spi/spi-tegra114.c +@@ -723,27 +723,23 @@ static int tegra_spi_set_hw_cs_timing(struct spi_device *spi) + struct spi_delay *setup = &spi->cs_setup; + struct spi_delay *hold = &spi->cs_hold; + struct spi_delay *inactive = &spi->cs_inactive; +- u8 setup_dly, hold_dly, inactive_dly; ++ u8 setup_dly, hold_dly; + u32 setup_hold; + u32 spi_cs_timing; + u32 inactive_cycles; + u8 cs_state; + +- if ((setup && setup->unit != SPI_DELAY_UNIT_SCK) || +- (hold && hold->unit != SPI_DELAY_UNIT_SCK) || +- (inactive && inactive->unit != SPI_DELAY_UNIT_SCK)) { ++ if (setup->unit != SPI_DELAY_UNIT_SCK || ++ hold->unit != SPI_DELAY_UNIT_SCK || ++ inactive->unit != SPI_DELAY_UNIT_SCK) { + dev_err(&spi->dev, + "Invalid delay unit %d, should be SPI_DELAY_UNIT_SCK\n", + SPI_DELAY_UNIT_SCK); + return -EINVAL; + } + +- setup_dly = setup ? setup->value : 0; +- hold_dly = hold ? hold->value : 0; +- inactive_dly = inactive ? inactive->value : 0; +- +- setup_dly = min_t(u8, setup_dly, MAX_SETUP_HOLD_CYCLES); +- hold_dly = min_t(u8, hold_dly, MAX_SETUP_HOLD_CYCLES); ++ setup_dly = min_t(u8, setup->value, MAX_SETUP_HOLD_CYCLES); ++ hold_dly = min_t(u8, hold->value, MAX_SETUP_HOLD_CYCLES); + if (setup_dly && hold_dly) { + setup_hold = SPI_SETUP_HOLD(setup_dly - 1, hold_dly - 1); + spi_cs_timing = SPI_CS_SETUP_HOLD(tspi->spi_cs_timing1, +@@ -755,7 +751,7 @@ static int tegra_spi_set_hw_cs_timing(struct spi_device *spi) + } + } + +- inactive_cycles = min_t(u8, inactive_dly, MAX_INACTIVE_CYCLES); ++ inactive_cycles = min_t(u8, inactive->value, MAX_INACTIVE_CYCLES); + if (inactive_cycles) + inactive_cycles--; + cs_state = inactive_cycles ? 0 : 1; +-- +2.40.1 + diff --git a/queue-5.15/spi-tegra20-sflash-fix-to-check-return-value-of-plat.patch b/queue-5.15/spi-tegra20-sflash-fix-to-check-return-value-of-plat.patch new file mode 100644 index 00000000000..eec0b5000a4 --- /dev/null +++ b/queue-5.15/spi-tegra20-sflash-fix-to-check-return-value-of-plat.patch @@ -0,0 +1,44 @@ +From f09aca2a317c5222125abcfcc8c8d62dd9cd252d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Jul 2023 23:49:09 +0800 +Subject: spi: tegra20-sflash: fix to check return value of platform_get_irq() + in tegra_sflash_probe() + +From: Zhang Shurong + +[ Upstream commit 29a449e765ff70a5bd533be94babb6d36985d096 ] + +The platform_get_irq might be failed and return a negative result. So +there should have an error handling code. + +Fixed this by adding an error handling code. + +Fixes: 8528547bcc33 ("spi: tegra: add spi driver for sflash controller") +Signed-off-by: Zhang Shurong +Link: https://lore.kernel.org/r/tencent_71FC162D589E4788C2152AAC84CD8D5C6D06@qq.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra20-sflash.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-tegra20-sflash.c b/drivers/spi/spi-tegra20-sflash.c +index 2888d8a8dc6d5..6915451cc93e2 100644 +--- a/drivers/spi/spi-tegra20-sflash.c ++++ b/drivers/spi/spi-tegra20-sflash.c +@@ -455,7 +455,11 @@ static int tegra_sflash_probe(struct platform_device *pdev) + goto exit_free_master; + } + +- tsd->irq = platform_get_irq(pdev, 0); ++ ret = platform_get_irq(pdev, 0); ++ if (ret < 0) ++ goto exit_free_master; ++ tsd->irq = ret; ++ + ret = request_irq(tsd->irq, tegra_sflash_isr, 0, + dev_name(&pdev->dev), tsd); + if (ret < 0) { +-- +2.40.1 + diff --git a/queue-5.15/tcp-tcp_enter_quickack_mode-should-be-static.patch b/queue-5.15/tcp-tcp_enter_quickack_mode-should-be-static.patch new file mode 100644 index 00000000000..ba9c89ea3f0 --- /dev/null +++ b/queue-5.15/tcp-tcp_enter_quickack_mode-should-be-static.patch @@ -0,0 +1,60 @@ +From fe7e20cfbe13285a4e9f46b4f845818911e05401 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jul 2023 16:20:49 +0000 +Subject: tcp: tcp_enter_quickack_mode() should be static + +From: Eric Dumazet + +[ Upstream commit 03b123debcbc8db987bda17ed8412cc011064c22 ] + +After commit d2ccd7bc8acd ("tcp: avoid resetting ACK timer in DCTCP"), +tcp_enter_quickack_mode() is only used from net/ipv4/tcp_input.c. + +Fixes: d2ccd7bc8acd ("tcp: avoid resetting ACK timer in DCTCP") +Signed-off-by: Eric Dumazet +Cc: Yuchung Cheng +Cc: Neal Cardwell +Link: https://lore.kernel.org/r/20230718162049.1444938-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 1 - + net/ipv4/tcp_input.c | 3 +-- + 2 files changed, 1 insertion(+), 3 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index d8920f84f0a8d..4aafda05a6466 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -340,7 +340,6 @@ ssize_t tcp_splice_read(struct socket *sk, loff_t *ppos, + struct pipe_inode_info *pipe, size_t len, + unsigned int flags); + +-void tcp_enter_quickack_mode(struct sock *sk, unsigned int max_quickacks); + static inline void tcp_dec_quickack_mode(struct sock *sk, + const unsigned int pkts) + { +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 6849094e5e5e8..94633f499e148 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -287,7 +287,7 @@ static void tcp_incr_quickack(struct sock *sk, unsigned int max_quickacks) + icsk->icsk_ack.quick = quickacks; + } + +-void tcp_enter_quickack_mode(struct sock *sk, unsigned int max_quickacks) ++static void tcp_enter_quickack_mode(struct sock *sk, unsigned int max_quickacks) + { + struct inet_connection_sock *icsk = inet_csk(sk); + +@@ -295,7 +295,6 @@ void tcp_enter_quickack_mode(struct sock *sk, unsigned int max_quickacks) + inet_csk_exit_pingpong_mode(sk); + icsk->icsk_ack.ato = TCP_ATO_MIN; + } +-EXPORT_SYMBOL(tcp_enter_quickack_mode); + + /* Send ACKs quickly, if "quick" count is not exhausted + * and the session is not interactive. +-- +2.40.1 + diff --git a/queue-5.15/tmpfs-verify-g-u-id-mount-options-correctly.patch b/queue-5.15/tmpfs-verify-g-u-id-mount-options-correctly.patch new file mode 100644 index 00000000000..7f18fdaf160 --- /dev/null +++ b/queue-5.15/tmpfs-verify-g-u-id-mount-options-correctly.patch @@ -0,0 +1,98 @@ +From 4e5d127da077e98610ada5b1ab69d69c2a998e25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 18:17:04 +0200 +Subject: tmpfs: verify {g,u}id mount options correctly + +From: Christian Brauner + +[ Upstream commit 0200679fc7953177941e41c2a4241d0b6c2c5de8 ] + +A while ago we received the following report: + +"The other outstanding issue I noticed comes from the fact that +fsconfig syscalls may occur in a different userns than that which +called fsopen. That means that resolving the uid/gid via +current_user_ns() can save a kuid that isn't mapped in the associated +namespace when the filesystem is finally mounted. This means that it +is possible for an unprivileged user to create files owned by any +group in a tmpfs mount (since we can set the SUID bit on the tmpfs +directory), or a tmpfs that is owned by any user, including the root +group/user." + +The contract for {g,u}id mount options and {g,u}id values in general set +from userspace has always been that they are translated according to the +caller's idmapping. In so far, tmpfs has been doing the correct thing. +But since tmpfs is mountable in unprivileged contexts it is also +necessary to verify that the resulting {k,g}uid is representable in the +namespace of the superblock to avoid such bugs as above. + +The new mount api's cross-namespace delegation abilities are already +widely used. After having talked to a bunch of userspace this is the +most faithful solution with minimal regression risks. I know of one +users - systemd - that makes use of the new mount api in this way and +they don't set unresolable {g,u}ids. So the regression risk is minimal. + +Link: https://lore.kernel.org/lkml/CALxfFW4BXhEwxR0Q5LSkg-8Vb4r2MONKCcUCVioehXQKr35eHg@mail.gmail.com +Fixes: f32356261d44 ("vfs: Convert ramfs, shmem, tmpfs, devtmpfs, rootfs to use the new mount API") +Reviewed-by: "Seth Forshee (DigitalOcean)" +Reported-by: Seth Jenkins +Message-Id: <20230801-vfs-fs_context-uidgid-v1-1-daf46a050bbf@kernel.org> +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + mm/shmem.c | 28 ++++++++++++++++++++++++---- + 1 file changed, 24 insertions(+), 4 deletions(-) + +diff --git a/mm/shmem.c b/mm/shmem.c +index 41efb92c4e38f..663fb117cd877 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -3394,6 +3394,8 @@ static int shmem_parse_one(struct fs_context *fc, struct fs_parameter *param) + unsigned long long size; + char *rest; + int opt; ++ kuid_t kuid; ++ kgid_t kgid; + + opt = fs_parse(fc, shmem_fs_parameters, param, &result); + if (opt < 0) +@@ -3429,14 +3431,32 @@ static int shmem_parse_one(struct fs_context *fc, struct fs_parameter *param) + ctx->mode = result.uint_32 & 07777; + break; + case Opt_uid: +- ctx->uid = make_kuid(current_user_ns(), result.uint_32); +- if (!uid_valid(ctx->uid)) ++ kuid = make_kuid(current_user_ns(), result.uint_32); ++ if (!uid_valid(kuid)) + goto bad_value; ++ ++ /* ++ * The requested uid must be representable in the ++ * filesystem's idmapping. ++ */ ++ if (!kuid_has_mapping(fc->user_ns, kuid)) ++ goto bad_value; ++ ++ ctx->uid = kuid; + break; + case Opt_gid: +- ctx->gid = make_kgid(current_user_ns(), result.uint_32); +- if (!gid_valid(ctx->gid)) ++ kgid = make_kgid(current_user_ns(), result.uint_32); ++ if (!gid_valid(kgid)) + goto bad_value; ++ ++ /* ++ * The requested gid must be representable in the ++ * filesystem's idmapping. ++ */ ++ if (!kgid_has_mapping(fc->user_ns, kgid)) ++ goto bad_value; ++ ++ ctx->gid = kgid; + break; + case Opt_huge: + ctx->huge = result.uint_32; +-- +2.40.1 + diff --git a/queue-5.15/tracing-fix-race-issue-between-cpu-buffer-write-and-.patch b/queue-5.15/tracing-fix-race-issue-between-cpu-buffer-write-and-.patch new file mode 100644 index 00000000000..e2b78ccbe98 --- /dev/null +++ b/queue-5.15/tracing-fix-race-issue-between-cpu-buffer-write-and-.patch @@ -0,0 +1,141 @@ +From 3087c839d0addc13b5d0c6274f1542ba76a77238 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 21:27:39 +0800 +Subject: tracing: Fix race issue between cpu buffer write and swap + +From: Zheng Yejian + +[ Upstream commit 3163f635b20e9e1fb4659e74f47918c9dddfe64e ] + +Warning happened in rb_end_commit() at code: + if (RB_WARN_ON(cpu_buffer, !local_read(&cpu_buffer->committing))) + + WARNING: CPU: 0 PID: 139 at kernel/trace/ring_buffer.c:3142 + rb_commit+0x402/0x4a0 + Call Trace: + ring_buffer_unlock_commit+0x42/0x250 + trace_buffer_unlock_commit_regs+0x3b/0x250 + trace_event_buffer_commit+0xe5/0x440 + trace_event_buffer_reserve+0x11c/0x150 + trace_event_raw_event_sched_switch+0x23c/0x2c0 + __traceiter_sched_switch+0x59/0x80 + __schedule+0x72b/0x1580 + schedule+0x92/0x120 + worker_thread+0xa0/0x6f0 + +It is because the race between writing event into cpu buffer and swapping +cpu buffer through file per_cpu/cpu0/snapshot: + + Write on CPU 0 Swap buffer by per_cpu/cpu0/snapshot on CPU 1 + -------- -------- + tracing_snapshot_write() + [...] + + ring_buffer_lock_reserve() + cpu_buffer = buffer->buffers[cpu]; // 1. Suppose find 'cpu_buffer_a'; + [...] + rb_reserve_next_event() + [...] + + ring_buffer_swap_cpu() + if (local_read(&cpu_buffer_a->committing)) + goto out_dec; + if (local_read(&cpu_buffer_b->committing)) + goto out_dec; + buffer_a->buffers[cpu] = cpu_buffer_b; + buffer_b->buffers[cpu] = cpu_buffer_a; + // 2. cpu_buffer has swapped here. + + rb_start_commit(cpu_buffer); + if (unlikely(READ_ONCE(cpu_buffer->buffer) + != buffer)) { // 3. This check passed due to 'cpu_buffer->buffer' + [...] // has not changed here. + return NULL; + } + cpu_buffer_b->buffer = buffer_a; + cpu_buffer_a->buffer = buffer_b; + [...] + + // 4. Reserve event from 'cpu_buffer_a'. + + ring_buffer_unlock_commit() + [...] + cpu_buffer = buffer->buffers[cpu]; // 5. Now find 'cpu_buffer_b' !!! + rb_commit(cpu_buffer) + rb_end_commit() // 6. WARN for the wrong 'committing' state !!! + +Based on above analysis, we can easily reproduce by following testcase: + ``` bash + #!/bin/bash + + dmesg -n 7 + sysctl -w kernel.panic_on_warn=1 + TR=/sys/kernel/tracing + echo 7 > ${TR}/buffer_size_kb + echo "sched:sched_switch" > ${TR}/set_event + while [ true ]; do + echo 1 > ${TR}/per_cpu/cpu0/snapshot + done & + while [ true ]; do + echo 1 > ${TR}/per_cpu/cpu0/snapshot + done & + while [ true ]; do + echo 1 > ${TR}/per_cpu/cpu0/snapshot + done & + ``` + +To fix it, IIUC, we can use smp_call_function_single() to do the swap on +the target cpu where the buffer is located, so that above race would be +avoided. + +Link: https://lore.kernel.org/linux-trace-kernel/20230831132739.4070878-1-zhengyejian1@huawei.com + +Cc: +Fixes: f1affcaaa861 ("tracing: Add snapshot in the per_cpu trace directories") +Signed-off-by: Zheng Yejian +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 92b381aab8f2b..380ae34a9a0b3 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -7496,6 +7496,11 @@ static int tracing_snapshot_open(struct inode *inode, struct file *file) + return ret; + } + ++static void tracing_swap_cpu_buffer(void *tr) ++{ ++ update_max_tr_single((struct trace_array *)tr, current, smp_processor_id()); ++} ++ + static ssize_t + tracing_snapshot_write(struct file *filp, const char __user *ubuf, size_t cnt, + loff_t *ppos) +@@ -7554,13 +7559,15 @@ tracing_snapshot_write(struct file *filp, const char __user *ubuf, size_t cnt, + ret = tracing_alloc_snapshot_instance(tr); + if (ret < 0) + break; +- local_irq_disable(); + /* Now, we're going to swap */ +- if (iter->cpu_file == RING_BUFFER_ALL_CPUS) ++ if (iter->cpu_file == RING_BUFFER_ALL_CPUS) { ++ local_irq_disable(); + update_max_tr(tr, current, smp_processor_id(), NULL); +- else +- update_max_tr_single(tr, current, iter->cpu_file); +- local_irq_enable(); ++ local_irq_enable(); ++ } else { ++ smp_call_function_single(iter->cpu_file, tracing_swap_cpu_buffer, ++ (void *)tr, 1); ++ } + break; + default: + if (tr->allocated_snapshot) { +-- +2.40.1 + diff --git a/queue-5.15/tracing-remove-extra-space-at-the-end-of-hwlat_detec.patch b/queue-5.15/tracing-remove-extra-space-at-the-end-of-hwlat_detec.patch new file mode 100644 index 00000000000..23a24c14651 --- /dev/null +++ b/queue-5.15/tracing-remove-extra-space-at-the-end-of-hwlat_detec.patch @@ -0,0 +1,44 @@ +From 2b1644fd81c06ef32d0994e8332607bda3a5d90b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Aug 2023 13:34:30 +0300 +Subject: tracing: Remove extra space at the end of hwlat_detector/mode + +From: Mikhail Kobuk + +[ Upstream commit 2cf0dee989a8b2501929eaab29473b6b1fa11057 ] + +Space is printed after each mode value including the last one: +$ echo \"$(sudo cat /sys/kernel/tracing/hwlat_detector/mode)\" +"none [round-robin] per-cpu " + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Link: https://lore.kernel.org/linux-trace-kernel/20230825103432.7750-1-m.kobuk@ispras.ru + +Cc: Masami Hiramatsu +Fixes: 8fa826b7344d ("trace/hwlat: Implement the mode config option") +Signed-off-by: Mikhail Kobuk +Reviewed-by: Alexey Khoroshilov +Acked-by: Daniel Bristot de Oliveira +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_hwlat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_hwlat.c b/kernel/trace/trace_hwlat.c +index 9ec032f22531c..3a994bd8520ca 100644 +--- a/kernel/trace/trace_hwlat.c ++++ b/kernel/trace/trace_hwlat.c +@@ -635,7 +635,7 @@ static int s_mode_show(struct seq_file *s, void *v) + else + seq_printf(s, "%s", thread_mode_str[mode]); + +- if (mode != MODE_MAX) ++ if (mode < MODE_MAX - 1) /* if mode is any but last */ + seq_puts(s, " "); + + return 0; +-- +2.40.1 + diff --git a/queue-5.15/udp-re-score-reuseport-groups-when-connected-sockets.patch b/queue-5.15/udp-re-score-reuseport-groups-when-connected-sockets.patch new file mode 100644 index 00000000000..4df4867a6dd --- /dev/null +++ b/queue-5.15/udp-re-score-reuseport-groups-when-connected-sockets.patch @@ -0,0 +1,114 @@ +From 3b2f4c435dafc5b753c4156f97b1bc0cca944447 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 17:30:05 +0200 +Subject: udp: re-score reuseport groups when connected sockets are present + +From: Lorenz Bauer + +[ Upstream commit f0ea27e7bfe1c34e1f451a63eb68faa1d4c3a86d ] + +Contrary to TCP, UDP reuseport groups can contain TCP_ESTABLISHED +sockets. To support these properly we remember whether a group has +a connected socket and skip the fast reuseport early-return. In +effect we continue scoring all reuseport sockets and then choose the +one with the highest score. + +The current code fails to re-calculate the score for the result of +lookup_reuseport. According to Kuniyuki Iwashima: + + 1) SO_INCOMING_CPU is set + -> selected sk might have +1 score + + 2) BPF prog returns ESTABLISHED and/or SO_INCOMING_CPU sk + -> selected sk will have more than 8 + + Using the old score could trigger more lookups depending on the + order that sockets are created. + + sk -> sk (SO_INCOMING_CPU) -> sk (ESTABLISHED) + | | + `-> select the next SO_INCOMING_CPU sk + | + `-> select itself (We should save this lookup) + +Fixes: efc6b6f6c311 ("udp: Improve load balancing for SO_REUSEPORT.") +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: Lorenz Bauer +Link: https://lore.kernel.org/r/20230720-so-reuseport-v6-1-7021b683cdae@isovalent.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + net/ipv4/udp.c | 20 +++++++++++++++----- + net/ipv6/udp.c | 19 ++++++++++++++----- + 2 files changed, 29 insertions(+), 10 deletions(-) + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 73bf63d719f84..198d8e07413d3 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -443,14 +443,24 @@ static struct sock *udp4_lib_lookup2(struct net *net, + score = compute_score(sk, net, saddr, sport, + daddr, hnum, dif, sdif); + if (score > badness) { +- result = lookup_reuseport(net, sk, skb, +- saddr, sport, daddr, hnum); ++ badness = score; ++ result = lookup_reuseport(net, sk, skb, saddr, sport, daddr, hnum); ++ if (!result) { ++ result = sk; ++ continue; ++ } ++ + /* Fall back to scoring if group has connections */ +- if (result && !reuseport_has_conns(sk)) ++ if (!reuseport_has_conns(sk)) + return result; + +- result = result ? : sk; +- badness = score; ++ /* Reuseport logic returned an error, keep original score. */ ++ if (IS_ERR(result)) ++ continue; ++ ++ badness = compute_score(result, net, saddr, sport, ++ daddr, hnum, dif, sdif); ++ + } + } + return result; +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index a746abbe81b5f..2dab9aab551c3 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -190,14 +190,23 @@ static struct sock *udp6_lib_lookup2(struct net *net, + score = compute_score(sk, net, saddr, sport, + daddr, hnum, dif, sdif); + if (score > badness) { +- result = lookup_reuseport(net, sk, skb, +- saddr, sport, daddr, hnum); ++ badness = score; ++ result = lookup_reuseport(net, sk, skb, saddr, sport, daddr, hnum); ++ if (!result) { ++ result = sk; ++ continue; ++ } ++ + /* Fall back to scoring if group has connections */ +- if (result && !reuseport_has_conns(sk)) ++ if (!reuseport_has_conns(sk)) + return result; + +- result = result ? : sk; +- badness = score; ++ /* Reuseport logic returned an error, keep original score. */ ++ if (IS_ERR(result)) ++ continue; ++ ++ badness = compute_score(sk, net, saddr, sport, ++ daddr, hnum, dif, sdif); + } + } + return result; +-- +2.40.1 + diff --git a/queue-5.15/um-fix-hostaudio-build-errors.patch b/queue-5.15/um-fix-hostaudio-build-errors.patch new file mode 100644 index 00000000000..fb83ac444b9 --- /dev/null +++ b/queue-5.15/um-fix-hostaudio-build-errors.patch @@ -0,0 +1,148 @@ +From 7d3f2cd4d9ed39563cd81869a6814fd6d637694c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 22:15:00 -0700 +Subject: um: Fix hostaudio build errors + +From: Randy Dunlap + +[ Upstream commit db4bfcba7bb8d10f00bba2a3da6b9a9c2a1d7b71 ] + +Use "select" to ensure that the required kconfig symbols are set +as expected. +Drop HOSTAUDIO since it is now equivalent to UML_SOUND. + +Set CONFIG_SOUND=m in ARCH=um defconfig files to maintain the +status quo of the default configs. + +Allow SOUND with UML regardless of HAS_IOMEM. Otherwise there is a +kconfig warning for unmet dependencies. (This was not an issue when +SOUND was defined in arch/um/drivers/Kconfig. I have done 50 randconfig +builds and didn't find any issues.) + +This fixes build errors when CONFIG_SOUND is not set: + +ld: arch/um/drivers/hostaudio_kern.o: in function `hostaudio_cleanup_module': +hostaudio_kern.c:(.exit.text+0xa): undefined reference to `unregister_sound_mixer' +ld: hostaudio_kern.c:(.exit.text+0x15): undefined reference to `unregister_sound_dsp' +ld: arch/um/drivers/hostaudio_kern.o: in function `hostaudio_init_module': +hostaudio_kern.c:(.init.text+0x19): undefined reference to `register_sound_dsp' +ld: hostaudio_kern.c:(.init.text+0x31): undefined reference to `register_sound_mixer' +ld: hostaudio_kern.c:(.init.text+0x49): undefined reference to `unregister_sound_dsp' + +and this kconfig warning: +WARNING: unmet direct dependencies detected for SOUND + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Fixes: d886e87cb82b ("sound: make OSS sound core optional") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Closes: lore.kernel.org/r/202307141416.vxuRVpFv-lkp@intel.com +Cc: Richard Weinberger +Cc: Anton Ivanov +Cc: Johannes Berg +Cc: linux-um@lists.infradead.org +Cc: Tejun Heo +Cc: Takashi Iwai +Cc: Jaroslav Kysela +Cc: Masahiro Yamada +Cc: Nathan Chancellor +Cc: Nick Desaulniers +Cc: Nicolas Schier +Cc: linux-kbuild@vger.kernel.org +Cc: alsa-devel@alsa-project.org +Reviewed-by: Masahiro Yamada +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/configs/i386_defconfig | 1 + + arch/um/configs/x86_64_defconfig | 1 + + arch/um/drivers/Kconfig | 16 +++------------- + arch/um/drivers/Makefile | 2 +- + sound/Kconfig | 2 +- + 5 files changed, 7 insertions(+), 15 deletions(-) + +diff --git a/arch/um/configs/i386_defconfig b/arch/um/configs/i386_defconfig +index fb51bd206dbed..4d7f99a02c1eb 100644 +--- a/arch/um/configs/i386_defconfig ++++ b/arch/um/configs/i386_defconfig +@@ -35,6 +35,7 @@ CONFIG_TTY_CHAN=y + CONFIG_XTERM_CHAN=y + CONFIG_CON_CHAN="pts" + CONFIG_SSL_CHAN="pts" ++CONFIG_SOUND=m + CONFIG_UML_SOUND=m + CONFIG_DEVTMPFS=y + CONFIG_DEVTMPFS_MOUNT=y +diff --git a/arch/um/configs/x86_64_defconfig b/arch/um/configs/x86_64_defconfig +index 477b873174243..4bdd83008f623 100644 +--- a/arch/um/configs/x86_64_defconfig ++++ b/arch/um/configs/x86_64_defconfig +@@ -33,6 +33,7 @@ CONFIG_TTY_CHAN=y + CONFIG_XTERM_CHAN=y + CONFIG_CON_CHAN="pts" + CONFIG_SSL_CHAN="pts" ++CONFIG_SOUND=m + CONFIG_UML_SOUND=m + CONFIG_DEVTMPFS=y + CONFIG_DEVTMPFS_MOUNT=y +diff --git a/arch/um/drivers/Kconfig b/arch/um/drivers/Kconfig +index f145842c40b94..3dd74d369f995 100644 +--- a/arch/um/drivers/Kconfig ++++ b/arch/um/drivers/Kconfig +@@ -104,24 +104,14 @@ config SSL_CHAN + + config UML_SOUND + tristate "Sound support" ++ depends on SOUND ++ select SOUND_OSS_CORE + help + This option enables UML sound support. If enabled, it will pull in +- soundcore and the UML hostaudio relay, which acts as a intermediary ++ the UML hostaudio relay, which acts as a intermediary + between the host's dsp and mixer devices and the UML sound system. + It is safe to say 'Y' here. + +-config SOUND +- tristate +- default UML_SOUND +- +-config SOUND_OSS_CORE +- bool +- default UML_SOUND +- +-config HOSTAUDIO +- tristate +- default UML_SOUND +- + endmenu + + menu "UML Network Devices" +diff --git a/arch/um/drivers/Makefile b/arch/um/drivers/Makefile +index cd1a58bb3e9cd..dc0e6fe77de10 100644 +--- a/arch/um/drivers/Makefile ++++ b/arch/um/drivers/Makefile +@@ -54,7 +54,7 @@ obj-$(CONFIG_UML_NET) += net.o + obj-$(CONFIG_MCONSOLE) += mconsole.o + obj-$(CONFIG_MMAPPER) += mmapper_kern.o + obj-$(CONFIG_BLK_DEV_UBD) += ubd.o +-obj-$(CONFIG_HOSTAUDIO) += hostaudio.o ++obj-$(CONFIG_UML_SOUND) += hostaudio.o + obj-$(CONFIG_NULL_CHAN) += null.o + obj-$(CONFIG_PORT_CHAN) += port.o + obj-$(CONFIG_PTY_CHAN) += pty.o +diff --git a/sound/Kconfig b/sound/Kconfig +index e56d96d2b11ca..1903c35d799e1 100644 +--- a/sound/Kconfig ++++ b/sound/Kconfig +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0-only + menuconfig SOUND + tristate "Sound card support" +- depends on HAS_IOMEM ++ depends on HAS_IOMEM || UML + help + If you have a sound card in your computer, i.e. if it can say more + than an occasional beep, say Y. +-- +2.40.1 + diff --git a/queue-5.15/usb-gadget-f_mass_storage-fix-unused-variable-warnin.patch b/queue-5.15/usb-gadget-f_mass_storage-fix-unused-variable-warnin.patch new file mode 100644 index 00000000000..9222616700d --- /dev/null +++ b/queue-5.15/usb-gadget-f_mass_storage-fix-unused-variable-warnin.patch @@ -0,0 +1,37 @@ +From 57725072b9e0775ef9e40c314a3f5ef952310d22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 13:47:04 -0400 +Subject: USB: gadget: f_mass_storage: Fix unused variable warning + +From: Alan Stern + +[ Upstream commit 55c3e571d2a0aabef4f1354604443f1c415d2e85 ] + +Fix a "variable set but not used" warning in f_mass_storage.c. rc is +used if verbose debugging is enabled but not otherwise. + +Signed-off-by: Alan Stern +Fixes: d5e2b67aae79 ("USB: g_mass_storage: template f_mass_storage.c file created") +Link: https://lore.kernel.org/r/cfed16c7-aa46-494b-ba84-b0e0dc99be3a@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_mass_storage.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c +index 6ad669dde41c8..5bd76c6d38e74 100644 +--- a/drivers/usb/gadget/function/f_mass_storage.c ++++ b/drivers/usb/gadget/function/f_mass_storage.c +@@ -919,7 +919,7 @@ static void invalidate_sub(struct fsg_lun *curlun) + { + struct file *filp = curlun->filp; + struct inode *inode = file_inode(filp); +- unsigned long rc; ++ unsigned long __maybe_unused rc; + + rc = invalidate_mapping_pages(inode->i_mapping, 0, -1); + VLDBG(curlun, "invalidate_mapping_pages -> %ld\n", rc); +-- +2.40.1 + diff --git a/queue-5.15/usb-phy-mxs-fix-getting-wrong-state-with-mxs_phy_is_.patch b/queue-5.15/usb-phy-mxs-fix-getting-wrong-state-with-mxs_phy_is_.patch new file mode 100644 index 00000000000..05e73126b24 --- /dev/null +++ b/queue-5.15/usb-phy-mxs-fix-getting-wrong-state-with-mxs_phy_is_.patch @@ -0,0 +1,50 @@ +From cb47b2daf49df7f435855d350c7992344e54e3f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jun 2023 19:03:52 +0800 +Subject: usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host() + +From: Xu Yang + +[ Upstream commit 5eda42aebb7668b4dcff025cd3ccb0d3d7c53da6 ] + +The function mxs_phy_is_otg_host() will return true if OTG_ID_VALUE is +0 at USBPHY_CTRL register. However, OTG_ID_VALUE will not reflect the real +state if the ID pin is float, such as Host-only or Type-C cases. The value +of OTG_ID_VALUE is always 1 which means device mode. +This patch will fix the issue by judging the current mode based on +last_event. The controller will update last_event in time. + +Fixes: 7b09e67639d6 ("usb: phy: mxs: refine mxs_phy_disconnect_line") +Signed-off-by: Xu Yang +Acked-by: Peter Chen +Link: https://lore.kernel.org/r/20230627110353.1879477-2-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/phy/phy-mxs-usb.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/drivers/usb/phy/phy-mxs-usb.c b/drivers/usb/phy/phy-mxs-usb.c +index 8a262c5a0408f..7a7eb8af60448 100644 +--- a/drivers/usb/phy/phy-mxs-usb.c ++++ b/drivers/usb/phy/phy-mxs-usb.c +@@ -388,14 +388,8 @@ static void __mxs_phy_disconnect_line(struct mxs_phy *mxs_phy, bool disconnect) + + static bool mxs_phy_is_otg_host(struct mxs_phy *mxs_phy) + { +- void __iomem *base = mxs_phy->phy.io_priv; +- u32 phyctrl = readl(base + HW_USBPHY_CTRL); +- +- if (IS_ENABLED(CONFIG_USB_OTG) && +- !(phyctrl & BM_USBPHY_CTRL_OTG_ID_VALUE)) +- return true; +- +- return false; ++ return IS_ENABLED(CONFIG_USB_OTG) && ++ mxs_phy->phy.last_event == USB_EVENT_ID; + } + + static void mxs_phy_disconnect_line(struct mxs_phy *mxs_phy, bool on) +-- +2.40.1 + diff --git a/queue-5.15/vfio-type1-fix-cap_migration-information-leak.patch b/queue-5.15/vfio-type1-fix-cap_migration-information-leak.patch new file mode 100644 index 00000000000..af639cdf234 --- /dev/null +++ b/queue-5.15/vfio-type1-fix-cap_migration-information-leak.patch @@ -0,0 +1,93 @@ +From 283d9fd608e7bf1316aa183c0246c5198fcd5ab7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 11:53:52 -0400 +Subject: vfio/type1: fix cap_migration information leak + +From: Stefan Hajnoczi + +[ Upstream commit cd24e2a60af633f157d7e59c0a6dba64f131c0b1 ] + +Fix an information leak where an uninitialized hole in struct +vfio_iommu_type1_info_cap_migration on the stack is exposed to userspace. + +The definition of struct vfio_iommu_type1_info_cap_migration contains a hole as +shown in this pahole(1) output: + + struct vfio_iommu_type1_info_cap_migration { + struct vfio_info_cap_header header; /* 0 8 */ + __u32 flags; /* 8 4 */ + + /* XXX 4 bytes hole, try to pack */ + + __u64 pgsize_bitmap; /* 16 8 */ + __u64 max_dirty_bitmap_size; /* 24 8 */ + + /* size: 32, cachelines: 1, members: 4 */ + /* sum members: 28, holes: 1, sum holes: 4 */ + /* last cacheline: 32 bytes */ + }; + +The cap_mig variable is filled in without initializing the hole: + + static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu, + struct vfio_info_cap *caps) + { + struct vfio_iommu_type1_info_cap_migration cap_mig; + + cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION; + cap_mig.header.version = 1; + + cap_mig.flags = 0; + /* support minimum pgsize */ + cap_mig.pgsize_bitmap = (size_t)1 << __ffs(iommu->pgsize_bitmap); + cap_mig.max_dirty_bitmap_size = DIRTY_BITMAP_SIZE_MAX; + + return vfio_info_add_capability(caps, &cap_mig.header, sizeof(cap_mig)); + } + +The structure is then copied to a temporary location on the heap. At this point +it's already too late and ioctl(VFIO_IOMMU_GET_INFO) copies it to userspace +later: + + int vfio_info_add_capability(struct vfio_info_cap *caps, + struct vfio_info_cap_header *cap, size_t size) + { + struct vfio_info_cap_header *header; + + header = vfio_info_cap_add(caps, size, cap->id, cap->version); + if (IS_ERR(header)) + return PTR_ERR(header); + + memcpy(header + 1, cap + 1, size - sizeof(*header)); + + return 0; + } + +This issue was found by code inspection. + +Signed-off-by: Stefan Hajnoczi +Reviewed-by: Kevin Tian +Fixes: ad721705d09c ("vfio iommu: Add migration capability to report supported features") +Link: https://lore.kernel.org/r/20230801155352.1391945-1-stefanha@redhat.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio_iommu_type1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index 5623fc28b1ea8..66bbb125d7615 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -2866,7 +2866,7 @@ static int vfio_iommu_iova_build_caps(struct vfio_iommu *iommu, + static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu, + struct vfio_info_cap *caps) + { +- struct vfio_iommu_type1_info_cap_migration cap_mig; ++ struct vfio_iommu_type1_info_cap_migration cap_mig = {}; + + cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION; + cap_mig.header.version = 1; +-- +2.40.1 + diff --git a/queue-5.15/virtio_ring-fix-avail_wrap_counter-in-virtqueue_add_.patch b/queue-5.15/virtio_ring-fix-avail_wrap_counter-in-virtqueue_add_.patch new file mode 100644 index 00000000000..4986fb0cd1a --- /dev/null +++ b/queue-5.15/virtio_ring-fix-avail_wrap_counter-in-virtqueue_add_.patch @@ -0,0 +1,80 @@ +From 1c1c6d4d3fd3592d475b65a1f531f0ef236c86aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Aug 2023 05:10:59 +0000 +Subject: virtio_ring: fix avail_wrap_counter in virtqueue_add_packed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yuan Yao + +[ Upstream commit 1acfe2c1225899eab5ab724c91b7e1eb2881b9ab ] + +In current packed virtqueue implementation, the avail_wrap_counter won't +flip, in the case when the driver supplies a descriptor chain with a +length equals to the queue size; total_sg == vq->packed.vring.num. + +Let’s assume the following situation: +vq->packed.vring.num=4 +vq->packed.next_avail_idx: 1 +vq->packed.avail_wrap_counter: 0 + +Then the driver adds a descriptor chain containing 4 descriptors. + +We expect the following result with avail_wrap_counter flipped: +vq->packed.next_avail_idx: 1 +vq->packed.avail_wrap_counter: 1 + +But, the current implementation gives the following result: +vq->packed.next_avail_idx: 1 +vq->packed.avail_wrap_counter: 0 + +To reproduce the bug, you can set a packed queue size as small as +possible, so that the driver is more likely to provide a descriptor +chain with a length equal to the packed queue size. For example, in +qemu run following commands: +sudo qemu-system-x86_64 \ +-enable-kvm \ +-nographic \ +-kernel "path/to/kernel_image" \ +-m 1G \ +-drive file="path/to/rootfs",if=none,id=disk \ +-device virtio-blk,drive=disk \ +-drive file="path/to/disk_image",if=none,id=rwdisk \ +-device virtio-blk,drive=rwdisk,packed=on,queue-size=4,\ +indirect_desc=off \ +-append "console=ttyS0 root=/dev/vda rw init=/bin/bash" + +Inside the VM, create a directory and mount the rwdisk device on it. The +rwdisk will hang and mount operation will not complete. + +This commit fixes the wrap counter error by flipping the +packed.avail_wrap_counter, when start of descriptor chain equals to the +end of descriptor chain (head == i). + +Fixes: 1ce9e6055fa0 ("virtio_ring: introduce packed ring support") +Signed-off-by: Yuan Yao +Message-Id: <20230808051110.3492693-1-yuanyaogoog@chromium.org> +Acked-by: Jason Wang +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/virtio/virtio_ring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c +index 800df63c58692..067b68168f93e 100644 +--- a/drivers/virtio/virtio_ring.c ++++ b/drivers/virtio/virtio_ring.c +@@ -1271,7 +1271,7 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq, + } + } + +- if (i < head) ++ if (i <= head) + vq->packed.avail_wrap_counter ^= 1; + + /* We're using some buffers from the free list. */ +-- +2.40.1 + diff --git a/queue-5.15/wifi-ath10k-use-rmw-accessors-for-changing-lnkctl.patch b/queue-5.15/wifi-ath10k-use-rmw-accessors-for-changing-lnkctl.patch new file mode 100644 index 00000000000..e6790f23252 --- /dev/null +++ b/queue-5.15/wifi-ath10k-use-rmw-accessors-for-changing-lnkctl.patch @@ -0,0 +1,61 @@ +From d890a8ae851c779c5310bc2c79fc975adbc13b0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 15:05:02 +0300 +Subject: wifi: ath10k: Use RMW accessors for changing LNKCTL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit f139492a09f15254fa261245cdbd65555cdf39e3 ] + +Don't assume that only the driver would be accessing LNKCTL. ASPM policy +changes can trigger write to LNKCTL outside of driver's control. + +Use RMW capability accessors which does proper locking to avoid losing +concurrent updates to the register value. On restore, clear the ASPMC field +properly. + +Suggested-by: Lukas Wunner +Fixes: 76d870ed09ab ("ath10k: enable ASPM") +Link: https://lore.kernel.org/r/20230717120503.15276-11-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Reviewed-by: Simon Horman +Acked-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/pci.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c +index 85a30c301dad7..3a62f66973137 100644 +--- a/drivers/net/wireless/ath/ath10k/pci.c ++++ b/drivers/net/wireless/ath/ath10k/pci.c +@@ -1963,8 +1963,9 @@ static int ath10k_pci_hif_start(struct ath10k *ar) + ath10k_pci_irq_enable(ar); + ath10k_pci_rx_post(ar); + +- pcie_capability_write_word(ar_pci->pdev, PCI_EXP_LNKCTL, +- ar_pci->link_ctl); ++ pcie_capability_clear_and_set_word(ar_pci->pdev, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_ASPMC, ++ ar_pci->link_ctl & PCI_EXP_LNKCTL_ASPMC); + + return 0; + } +@@ -2821,8 +2822,8 @@ static int ath10k_pci_hif_power_up(struct ath10k *ar, + + pcie_capability_read_word(ar_pci->pdev, PCI_EXP_LNKCTL, + &ar_pci->link_ctl); +- pcie_capability_write_word(ar_pci->pdev, PCI_EXP_LNKCTL, +- ar_pci->link_ctl & ~PCI_EXP_LNKCTL_ASPMC); ++ pcie_capability_clear_word(ar_pci->pdev, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_ASPMC); + + /* + * Bring the target up cleanly. +-- +2.40.1 + diff --git a/queue-5.15/wifi-ath11k-use-rmw-accessors-for-changing-lnkctl.patch b/queue-5.15/wifi-ath11k-use-rmw-accessors-for-changing-lnkctl.patch new file mode 100644 index 00000000000..b2037ecb2b4 --- /dev/null +++ b/queue-5.15/wifi-ath11k-use-rmw-accessors-for-changing-lnkctl.patch @@ -0,0 +1,62 @@ +From c9be9f46c8f9470e0750f1bd3f39c6810535eaca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 15:05:00 +0300 +Subject: wifi: ath11k: Use RMW accessors for changing LNKCTL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 6c1b6bdb34aaf8f94f65a9cae1d63490320c11bc ] + +Don't assume that only the driver would be accessing LNKCTL. ASPM policy +changes can trigger write to LNKCTL outside of driver's control. + +Use RMW capability accessors which do proper locking to avoid losing +concurrent updates to the register value. On restore, clear the ASPMC field +properly. + +Suggested-by: Lukas Wunner +Fixes: e9603f4bdcc0 ("ath11k: pci: disable ASPM L0sLs before downloading firmware") +Link: https://lore.kernel.org/r/20230717120503.15276-9-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Reviewed-by: Simon Horman +Acked-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/pci.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/pci.c b/drivers/net/wireless/ath/ath11k/pci.c +index bfa7f8d96d82f..b8e4c74254642 100644 +--- a/drivers/net/wireless/ath/ath11k/pci.c ++++ b/drivers/net/wireless/ath/ath11k/pci.c +@@ -1000,8 +1000,8 @@ static void ath11k_pci_aspm_disable(struct ath11k_pci *ab_pci) + u16_get_bits(ab_pci->link_ctl, PCI_EXP_LNKCTL_ASPM_L1)); + + /* disable L0s and L1 */ +- pcie_capability_write_word(ab_pci->pdev, PCI_EXP_LNKCTL, +- ab_pci->link_ctl & ~PCI_EXP_LNKCTL_ASPMC); ++ pcie_capability_clear_word(ab_pci->pdev, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_ASPMC); + + set_bit(ATH11K_PCI_ASPM_RESTORE, &ab_pci->flags); + } +@@ -1009,8 +1009,10 @@ static void ath11k_pci_aspm_disable(struct ath11k_pci *ab_pci) + static void ath11k_pci_aspm_restore(struct ath11k_pci *ab_pci) + { + if (test_and_clear_bit(ATH11K_PCI_ASPM_RESTORE, &ab_pci->flags)) +- pcie_capability_write_word(ab_pci->pdev, PCI_EXP_LNKCTL, +- ab_pci->link_ctl); ++ pcie_capability_clear_and_set_word(ab_pci->pdev, PCI_EXP_LNKCTL, ++ PCI_EXP_LNKCTL_ASPMC, ++ ab_pci->link_ctl & ++ PCI_EXP_LNKCTL_ASPMC); + } + + static int ath11k_pci_power_up(struct ath11k_base *ab) +-- +2.40.1 + diff --git a/queue-5.15/wifi-ath9k-fix-races-between-ath9k_wmi_cmd-and-ath9k.patch b/queue-5.15/wifi-ath9k-fix-races-between-ath9k_wmi_cmd-and-ath9k.patch new file mode 100644 index 00000000000..1bc07609adb --- /dev/null +++ b/queue-5.15/wifi-ath9k-fix-races-between-ath9k_wmi_cmd-and-ath9k.patch @@ -0,0 +1,129 @@ +From 7620b756d7cdcecb6b9e048521567b88ed7db319 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 22:26:06 +0300 +Subject: wifi: ath9k: fix races between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit b674fb513e2e7a514fcde287c0f73915d393fdb6 ] + +Currently, the synchronization between ath9k_wmi_cmd() and +ath9k_wmi_ctrl_rx() is exposed to a race condition which, although being +rather unlikely, can lead to invalid behaviour of ath9k_wmi_cmd(). + +Consider the following scenario: + +CPU0 CPU1 + +ath9k_wmi_cmd(...) + mutex_lock(&wmi->op_mutex) + ath9k_wmi_cmd_issue(...) + wait_for_completion_timeout(...) + --- + timeout + --- + /* the callback is being processed + * before last_seq_id became zero + */ + ath9k_wmi_ctrl_rx(...) + spin_lock_irqsave(...) + /* wmi->last_seq_id check here + * doesn't detect timeout yet + */ + spin_unlock_irqrestore(...) + /* last_seq_id is zeroed to + * indicate there was a timeout + */ + wmi->last_seq_id = 0 + mutex_unlock(&wmi->op_mutex) + return -ETIMEDOUT + +ath9k_wmi_cmd(...) + mutex_lock(&wmi->op_mutex) + /* the buffer is replaced with + * another one + */ + wmi->cmd_rsp_buf = rsp_buf + wmi->cmd_rsp_len = rsp_len + ath9k_wmi_cmd_issue(...) + spin_lock_irqsave(...) + spin_unlock_irqrestore(...) + wait_for_completion_timeout(...) + /* the continuation of the + * callback left after the first + * ath9k_wmi_cmd call + */ + ath9k_wmi_rsp_callback(...) + /* copying data designated + * to already timeouted + * WMI command into an + * inappropriate wmi_cmd_buf + */ + memcpy(...) + complete(&wmi->cmd_wait) + /* awakened by the bogus callback + * => invalid return result + */ + mutex_unlock(&wmi->op_mutex) + return 0 + +To fix this, update last_seq_id on timeout path inside ath9k_wmi_cmd() +under the wmi_lock. Move ath9k_wmi_rsp_callback() under wmi_lock inside +ath9k_wmi_ctrl_rx() so that the wmi->cmd_wait can be completed only for +initially designated wmi_cmd call, otherwise the path would be rejected +with last_seq_id check. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Signed-off-by: Fedor Pchelkin +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230425192607.18015-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/wmi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c +index d652c647d56b5..04f363cb90fe5 100644 +--- a/drivers/net/wireless/ath/ath9k/wmi.c ++++ b/drivers/net/wireless/ath/ath9k/wmi.c +@@ -242,10 +242,10 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb, + spin_unlock_irqrestore(&wmi->wmi_lock, flags); + goto free_skb; + } +- spin_unlock_irqrestore(&wmi->wmi_lock, flags); + + /* WMI command response */ + ath9k_wmi_rsp_callback(wmi, skb); ++ spin_unlock_irqrestore(&wmi->wmi_lock, flags); + + free_skb: + kfree_skb(skb); +@@ -308,8 +308,8 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, + struct ath_common *common = ath9k_hw_common(ah); + u16 headroom = sizeof(struct htc_frame_hdr) + + sizeof(struct wmi_cmd_hdr); ++ unsigned long time_left, flags; + struct sk_buff *skb; +- unsigned long time_left; + int ret = 0; + + if (ah->ah_flags & AH_UNPLUGGED) +@@ -345,7 +345,9 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, + if (!time_left) { + ath_dbg(common, WMI, "Timeout waiting for WMI command: %s\n", + wmi_cmd_to_name(cmd_id)); ++ spin_lock_irqsave(&wmi->wmi_lock, flags); + wmi->last_seq_id = 0; ++ spin_unlock_irqrestore(&wmi->wmi_lock, flags); + mutex_unlock(&wmi->op_mutex); + return -ETIMEDOUT; + } +-- +2.40.1 + diff --git a/queue-5.15/wifi-ath9k-protect-wmi-command-response-buffer-repla.patch b/queue-5.15/wifi-ath9k-protect-wmi-command-response-buffer-repla.patch new file mode 100644 index 00000000000..74bb4a74368 --- /dev/null +++ b/queue-5.15/wifi-ath9k-protect-wmi-command-response-buffer-repla.patch @@ -0,0 +1,78 @@ +From c3662817bfccf66bec02ac32b13f548b554d8d86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 22:26:07 +0300 +Subject: wifi: ath9k: protect WMI command response buffer replacement with a + lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit 454994cfa9e4c18b6df9f78b60db8eadc20a6c25 ] + +If ath9k_wmi_cmd() has exited with a timeout, it is possible that during +next ath9k_wmi_cmd() call the wmi_rsp callback for previous wmi command +writes to new wmi->cmd_rsp_buf and makes a completion. This results in an +invalid ath9k_wmi_cmd() return value. + +Move the replacement of WMI command response buffer and length under +wmi_lock. Note that last_seq_id value is updated there, too. + +Thus, the buffer cannot be written to by a belated wmi_rsp callback +because that path is properly rejected by the last_seq_id check. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Signed-off-by: Fedor Pchelkin +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230425192607.18015-2-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/wmi.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c +index 04f363cb90fe5..1476b42b52a91 100644 +--- a/drivers/net/wireless/ath/ath9k/wmi.c ++++ b/drivers/net/wireless/ath/ath9k/wmi.c +@@ -283,7 +283,8 @@ int ath9k_wmi_connect(struct htc_target *htc, struct wmi *wmi, + + static int ath9k_wmi_cmd_issue(struct wmi *wmi, + struct sk_buff *skb, +- enum wmi_cmd_id cmd, u16 len) ++ enum wmi_cmd_id cmd, u16 len, ++ u8 *rsp_buf, u32 rsp_len) + { + struct wmi_cmd_hdr *hdr; + unsigned long flags; +@@ -293,6 +294,11 @@ static int ath9k_wmi_cmd_issue(struct wmi *wmi, + hdr->seq_no = cpu_to_be16(++wmi->tx_seq_id); + + spin_lock_irqsave(&wmi->wmi_lock, flags); ++ ++ /* record the rsp buffer and length */ ++ wmi->cmd_rsp_buf = rsp_buf; ++ wmi->cmd_rsp_len = rsp_len; ++ + wmi->last_seq_id = wmi->tx_seq_id; + spin_unlock_irqrestore(&wmi->wmi_lock, flags); + +@@ -333,11 +339,7 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, + goto out; + } + +- /* record the rsp buffer and length */ +- wmi->cmd_rsp_buf = rsp_buf; +- wmi->cmd_rsp_len = rsp_len; +- +- ret = ath9k_wmi_cmd_issue(wmi, skb, cmd_id, cmd_len); ++ ret = ath9k_wmi_cmd_issue(wmi, skb, cmd_id, cmd_len, rsp_buf, rsp_len); + if (ret) + goto out; + +-- +2.40.1 + diff --git a/queue-5.15/wifi-ath9k-use-is_err-with-debugfs_create_dir.patch b/queue-5.15/wifi-ath9k-use-is_err-with-debugfs_create_dir.patch new file mode 100644 index 00000000000..c26791bb9be --- /dev/null +++ b/queue-5.15/wifi-ath9k-use-is_err-with-debugfs_create_dir.patch @@ -0,0 +1,44 @@ +From 535e2f43e8083d974da9680c2002be0a05bf2b3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 11:03:44 +0800 +Subject: wifi: ath9k: use IS_ERR() with debugfs_create_dir() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wang Ming + +[ Upstream commit 1e4134610d93271535ecf900a676e1f094e9944c ] + +The debugfs_create_dir() function returns error pointers, +it never returns NULL. Most incorrect error checks were fixed, +but the one in ath9k_htc_init_debug() was forgotten. + +Fix the remaining error check. + +Fixes: e5facc75fa91 ("ath9k_htc: Cleanup HTC debugfs") +Signed-off-by: Wang Ming +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230713030358.12379-1-machel@vivo.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c +index b3ed65e5c4da8..c55aab01fff5d 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c +@@ -491,7 +491,7 @@ int ath9k_htc_init_debug(struct ath_hw *ah) + + priv->debug.debugfs_phy = debugfs_create_dir(KBUILD_MODNAME, + priv->hw->wiphy->debugfsdir); +- if (!priv->debug.debugfs_phy) ++ if (IS_ERR(priv->debug.debugfs_phy)) + return -ENOMEM; + + ath9k_cmn_spectral_init_debug(&priv->spec_priv, priv->debug.debugfs_phy); +-- +2.40.1 + diff --git a/queue-5.15/wifi-mt76-mt7915-fix-power-limits-while-chan_switch.patch b/queue-5.15/wifi-mt76-mt7915-fix-power-limits-while-chan_switch.patch new file mode 100644 index 00000000000..30ba9069dcc --- /dev/null +++ b/queue-5.15/wifi-mt76-mt7915-fix-power-limits-while-chan_switch.patch @@ -0,0 +1,45 @@ +From f8791bf7f465b1f1b7d8186f404fd9bc75c9d2d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jul 2023 02:35:06 +0800 +Subject: wifi: mt76: mt7915: fix power-limits while chan_switch + +From: Ryder Lee + +[ Upstream commit 6c0570bc21ec2073890aa252c8420ca7bec402e4 ] + +If user changes the channel without completely disabling the interface the +txpower_sku values reported track the old channel the device was operating on. +If user bounces the interface the correct power tables are applied. + +mt7915_sku_group_len array gets updated before the channel switch happens so it +uses data from the old channel. + +Fixes: ecb187a74e18 ("mt76: mt7915: rework the flow of txpower setting") +Fixes: f1d962369d56 ("mt76: mt7915: implement HE per-rate tx power support") +Reported-By: Chad Monroe +Tested-by: Chad Monroe +Signed-off-by: Allen Ye +Signed-off-by: Ryder Lee +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/main.c b/drivers/net/wireless/mediatek/mt76/mt7915/main.c +index 7a4f277a16223..09ea97a81fb4f 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c +@@ -441,7 +441,8 @@ static int mt7915_config(struct ieee80211_hw *hw, u32 changed) + ieee80211_wake_queues(hw); + } + +- if (changed & IEEE80211_CONF_CHANGE_POWER) { ++ if (changed & (IEEE80211_CONF_CHANGE_POWER | ++ IEEE80211_CONF_CHANGE_CHANNEL)) { + ret = mt7915_mcu_set_txpower_sku(phy); + if (ret) + return ret; +-- +2.40.1 + diff --git a/queue-5.15/wifi-mt76-testmode-add-nla_policy-for-mt76_tm_attr_t.patch b/queue-5.15/wifi-mt76-testmode-add-nla_policy-for-mt76_tm_attr_t.patch new file mode 100644 index 00000000000..ce4595c39e8 --- /dev/null +++ b/queue-5.15/wifi-mt76-testmode-add-nla_policy-for-mt76_tm_attr_t.patch @@ -0,0 +1,41 @@ +From 812a6b28426a5f7660823ad8c6ad56825ac32cac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 16:03:50 +0800 +Subject: wifi: mt76: testmode: add nla_policy for MT76_TM_ATTR_TX_LENGTH + +From: Lin Ma + +[ Upstream commit 74f12d511625e603fac8c0c2b6872e687e56dd61 ] + +It seems that the nla_policy in mt76_tm_policy is missed for attribute +MT76_TM_ATTR_TX_LENGTH. This patch adds the correct description to make +sure the + + u32 val = nla_get_u32(tb[MT76_TM_ATTR_TX_LENGTH]); + +in function mt76_testmode_cmd() is safe and will not result in +out-of-attribute read. + +Fixes: f0efa8621550 ("mt76: add API for testmode support") +Signed-off-by: Lin Ma +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/testmode.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/testmode.c b/drivers/net/wireless/mediatek/mt76/testmode.c +index f73ffbd6e622d..0109433e8c2fe 100644 +--- a/drivers/net/wireless/mediatek/mt76/testmode.c ++++ b/drivers/net/wireless/mediatek/mt76/testmode.c +@@ -6,6 +6,7 @@ static const struct nla_policy mt76_tm_policy[NUM_MT76_TM_ATTRS] = { + [MT76_TM_ATTR_RESET] = { .type = NLA_FLAG }, + [MT76_TM_ATTR_STATE] = { .type = NLA_U8 }, + [MT76_TM_ATTR_TX_COUNT] = { .type = NLA_U32 }, ++ [MT76_TM_ATTR_TX_LENGTH] = { .type = NLA_U32 }, + [MT76_TM_ATTR_TX_RATE_MODE] = { .type = NLA_U8 }, + [MT76_TM_ATTR_TX_RATE_NSS] = { .type = NLA_U8 }, + [MT76_TM_ATTR_TX_RATE_IDX] = { .type = NLA_U8 }, +-- +2.40.1 + diff --git a/queue-5.15/wifi-mwifiex-avoid-possible-null-skb-pointer-derefer.patch b/queue-5.15/wifi-mwifiex-avoid-possible-null-skb-pointer-derefer.patch new file mode 100644 index 00000000000..7b334782751 --- /dev/null +++ b/queue-5.15/wifi-mwifiex-avoid-possible-null-skb-pointer-derefer.patch @@ -0,0 +1,50 @@ +From 11f6374d8b1d14fffbb8e86ea99172ccf6b1b83c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 12:49:57 +0300 +Subject: wifi: mwifiex: avoid possible NULL skb pointer dereference + +From: Dmitry Antipov + +[ Upstream commit 35a7a1ce7c7d61664ee54f5239a1f120ab95a87e ] + +In 'mwifiex_handle_uap_rx_forward()', always check the value +returned by 'skb_copy()' to avoid potential NULL pointer +dereference in 'mwifiex_uap_queue_bridged_pkt()', and drop +original skb in case of copying failure. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 838e4f449297 ("mwifiex: improve uAP RX handling") +Acked-by: Brian Norris +Signed-off-by: Dmitry Antipov +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230814095041.16416-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/uap_txrx.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +index d6493638e7028..8a5d0125a1abd 100644 +--- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c ++++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +@@ -265,7 +265,15 @@ int mwifiex_handle_uap_rx_forward(struct mwifiex_private *priv, + + if (is_multicast_ether_addr(ra)) { + skb_uap = skb_copy(skb, GFP_ATOMIC); +- mwifiex_uap_queue_bridged_pkt(priv, skb_uap); ++ if (likely(skb_uap)) { ++ mwifiex_uap_queue_bridged_pkt(priv, skb_uap); ++ } else { ++ mwifiex_dbg(adapter, ERROR, ++ "failed to copy skb for uAP\n"); ++ priv->stats.rx_dropped++; ++ dev_kfree_skb_any(skb); ++ return -1; ++ } + } else { + if (mwifiex_get_sta_entry(priv, ra)) { + /* Requeue Intra-BSS packet */ +-- +2.40.1 + diff --git a/queue-5.15/wifi-mwifiex-fix-error-recovery-in-pcie-buffer-descr.patch b/queue-5.15/wifi-mwifiex-fix-error-recovery-in-pcie-buffer-descr.patch new file mode 100644 index 00000000000..9c15007c97e --- /dev/null +++ b/queue-5.15/wifi-mwifiex-fix-error-recovery-in-pcie-buffer-descr.patch @@ -0,0 +1,121 @@ +From 012aefd20c6a4bf8c2b75513f649a7b55800f41f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 10:43:07 +0300 +Subject: wifi: mwifiex: fix error recovery in PCIE buffer descriptor + management + +From: Dmitry Antipov + +[ Upstream commit 288c63d5cb4667a51a04668b3e2bb0ea499bc5f4 ] + +Add missing 'kfree_skb()' in 'mwifiex_init_rxq_ring()' and never do +'kfree(card->rxbd_ring_vbase)' because this area is DMAed and should +be released with 'dma_free_coherent()'. The latter is performed in +'mwifiex_pcie_delete_rxbd_ring()', which is now called to recover +from possible errors in 'mwifiex_pcie_create_rxbd_ring()'. Likewise +for 'mwifiex_pcie_init_evt_ring()', 'kfree(card->evtbd_ring_vbase)' +'mwifiex_pcie_delete_evtbd_ring()' and 'mwifiex_pcie_create_rxbd_ring()'. + +Fixes: d930faee141b ("mwifiex: add support for Marvell pcie8766 chipset") +Signed-off-by: Dmitry Antipov +Acked-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230731074334.56463-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/pcie.c | 25 ++++++++++++++------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c +index 94a6bbcae2d38..8b3f46586654a 100644 +--- a/drivers/net/wireless/marvell/mwifiex/pcie.c ++++ b/drivers/net/wireless/marvell/mwifiex/pcie.c +@@ -201,6 +201,8 @@ static int mwifiex_pcie_probe_of(struct device *dev) + } + + static void mwifiex_pcie_work(struct work_struct *work); ++static int mwifiex_pcie_delete_rxbd_ring(struct mwifiex_adapter *adapter); ++static int mwifiex_pcie_delete_evtbd_ring(struct mwifiex_adapter *adapter); + + static int + mwifiex_map_pci_memory(struct mwifiex_adapter *adapter, struct sk_buff *skb, +@@ -804,14 +806,15 @@ static int mwifiex_init_rxq_ring(struct mwifiex_adapter *adapter) + if (!skb) { + mwifiex_dbg(adapter, ERROR, + "Unable to allocate skb for RX ring.\n"); +- kfree(card->rxbd_ring_vbase); + return -ENOMEM; + } + + if (mwifiex_map_pci_memory(adapter, skb, + MWIFIEX_RX_DATA_BUF_SIZE, +- DMA_FROM_DEVICE)) +- return -1; ++ DMA_FROM_DEVICE)) { ++ kfree_skb(skb); ++ return -ENOMEM; ++ } + + buf_pa = MWIFIEX_SKB_DMA_ADDR(skb); + +@@ -861,7 +864,6 @@ static int mwifiex_pcie_init_evt_ring(struct mwifiex_adapter *adapter) + if (!skb) { + mwifiex_dbg(adapter, ERROR, + "Unable to allocate skb for EVENT buf.\n"); +- kfree(card->evtbd_ring_vbase); + return -ENOMEM; + } + skb_put(skb, MAX_EVENT_SIZE); +@@ -869,8 +871,7 @@ static int mwifiex_pcie_init_evt_ring(struct mwifiex_adapter *adapter) + if (mwifiex_map_pci_memory(adapter, skb, MAX_EVENT_SIZE, + DMA_FROM_DEVICE)) { + kfree_skb(skb); +- kfree(card->evtbd_ring_vbase); +- return -1; ++ return -ENOMEM; + } + + buf_pa = MWIFIEX_SKB_DMA_ADDR(skb); +@@ -1070,6 +1071,7 @@ static int mwifiex_pcie_delete_txbd_ring(struct mwifiex_adapter *adapter) + */ + static int mwifiex_pcie_create_rxbd_ring(struct mwifiex_adapter *adapter) + { ++ int ret; + struct pcie_service_card *card = adapter->card; + const struct mwifiex_pcie_card_reg *reg = card->pcie.reg; + +@@ -1108,7 +1110,10 @@ static int mwifiex_pcie_create_rxbd_ring(struct mwifiex_adapter *adapter) + (u32)((u64)card->rxbd_ring_pbase >> 32), + card->rxbd_ring_size); + +- return mwifiex_init_rxq_ring(adapter); ++ ret = mwifiex_init_rxq_ring(adapter); ++ if (ret) ++ mwifiex_pcie_delete_rxbd_ring(adapter); ++ return ret; + } + + /* +@@ -1139,6 +1144,7 @@ static int mwifiex_pcie_delete_rxbd_ring(struct mwifiex_adapter *adapter) + */ + static int mwifiex_pcie_create_evtbd_ring(struct mwifiex_adapter *adapter) + { ++ int ret; + struct pcie_service_card *card = adapter->card; + const struct mwifiex_pcie_card_reg *reg = card->pcie.reg; + +@@ -1173,7 +1179,10 @@ static int mwifiex_pcie_create_evtbd_ring(struct mwifiex_adapter *adapter) + (u32)((u64)card->evtbd_ring_pbase >> 32), + card->evtbd_ring_size); + +- return mwifiex_pcie_init_evt_ring(adapter); ++ ret = mwifiex_pcie_init_evt_ring(adapter); ++ if (ret) ++ mwifiex_pcie_delete_evtbd_ring(adapter); ++ return ret; + } + + /* +-- +2.40.1 + diff --git a/queue-5.15/wifi-mwifiex-fix-memory-leak-in-mwifiex_histogram_re.patch b/queue-5.15/wifi-mwifiex-fix-memory-leak-in-mwifiex_histogram_re.patch new file mode 100644 index 00000000000..77c7081cf71 --- /dev/null +++ b/queue-5.15/wifi-mwifiex-fix-memory-leak-in-mwifiex_histogram_re.patch @@ -0,0 +1,52 @@ +From 2d0ecdd2efaec1446c6acde84fe1416b4af3403c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 19:07:15 +0300 +Subject: wifi: mwifiex: fix memory leak in mwifiex_histogram_read() + +From: Dmitry Antipov + +[ Upstream commit 9c8fd72a5c2a031cbc680a2990107ecd958ffcdb ] + +Always free the zeroed page on return from 'mwifiex_histogram_read()'. + +Fixes: cbf6e05527a7 ("mwifiex: add rx histogram statistics support") + +Acked-by: Brian Norris +Signed-off-by: Dmitry Antipov +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230802160726.85545-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/debugfs.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/debugfs.c b/drivers/net/wireless/marvell/mwifiex/debugfs.c +index dded92db1f373..1e7dc724c6a94 100644 +--- a/drivers/net/wireless/marvell/mwifiex/debugfs.c ++++ b/drivers/net/wireless/marvell/mwifiex/debugfs.c +@@ -265,8 +265,11 @@ mwifiex_histogram_read(struct file *file, char __user *ubuf, + if (!p) + return -ENOMEM; + +- if (!priv || !priv->hist_data) +- return -EFAULT; ++ if (!priv || !priv->hist_data) { ++ ret = -EFAULT; ++ goto free_and_exit; ++ } ++ + phist_data = priv->hist_data; + + p += sprintf(p, "\n" +@@ -321,6 +324,8 @@ mwifiex_histogram_read(struct file *file, char __user *ubuf, + ret = simple_read_from_buffer(ubuf, count, ppos, (char *)page, + (unsigned long)p - page); + ++free_and_exit: ++ free_page(page); + return ret; + } + +-- +2.40.1 + diff --git a/queue-5.15/wifi-mwifiex-fix-missed-return-in-oob-checks-failed-.patch b/queue-5.15/wifi-mwifiex-fix-missed-return-in-oob-checks-failed-.patch new file mode 100644 index 00000000000..ed1e2adbe7a --- /dev/null +++ b/queue-5.15/wifi-mwifiex-fix-missed-return-in-oob-checks-failed-.patch @@ -0,0 +1,51 @@ +From 73547a503a30b90941ba5f734cd149fbba31e222 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Aug 2023 08:39:11 +0000 +Subject: wifi: mwifiex: Fix missed return in oob checks failed path + +From: Polaris Pi + +[ Upstream commit 2785851c627f2db05f9271f7f63661b5dbd95c4c ] + +Add missed return in mwifiex_uap_queue_bridged_pkt() and +mwifiex_process_rx_packet(). + +Fixes: 119585281617 ("wifi: mwifiex: Fix OOB and integer underflow when rx packets") +Signed-off-by: Polaris Pi +Reported-by: Dmitry Antipov +Acked-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230810083911.3725248-1-pinkperfect2021@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/sta_rx.c | 1 + + drivers/net/wireless/marvell/mwifiex/uap_txrx.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_rx.c b/drivers/net/wireless/marvell/mwifiex/sta_rx.c +index 685a5b6697046..3c555946cb2cc 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_rx.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_rx.c +@@ -104,6 +104,7 @@ int mwifiex_process_rx_packet(struct mwifiex_private *priv, + skb->len, rx_pkt_off); + priv->stats.rx_dropped++; + dev_kfree_skb_any(skb); ++ return -1; + } + + if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header, +diff --git a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +index b3915bfd38693..d6493638e7028 100644 +--- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c ++++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +@@ -122,6 +122,7 @@ static void mwifiex_uap_queue_bridged_pkt(struct mwifiex_private *priv, + skb->len, le16_to_cpu(uap_rx_pd->rx_pkt_offset)); + priv->stats.rx_dropped++; + dev_kfree_skb_any(skb); ++ return; + } + + if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header, +-- +2.40.1 + diff --git a/queue-5.15/wifi-mwifiex-fix-oob-and-integer-underflow-when-rx-p.patch b/queue-5.15/wifi-mwifiex-fix-oob-and-integer-underflow-when-rx-p.patch new file mode 100644 index 00000000000..ba807605212 --- /dev/null +++ b/queue-5.15/wifi-mwifiex-fix-oob-and-integer-underflow-when-rx-p.patch @@ -0,0 +1,127 @@ +From a069e6b3248b6a14158334fc93a11a7996f68a42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 07:07:41 +0000 +Subject: wifi: mwifiex: Fix OOB and integer underflow when rx packets + +From: Polaris Pi + +[ Upstream commit 11958528161731c58e105b501ed60b83a91ea941 ] + +Make sure mwifiex_process_mgmt_packet, +mwifiex_process_sta_rx_packet and mwifiex_process_uap_rx_packet, +mwifiex_uap_queue_bridged_pkt and mwifiex_process_rx_packet +not out-of-bounds access the skb->data buffer. + +Fixes: 2dbaf751b1de ("mwifiex: report received management frames to cfg80211") +Signed-off-by: Polaris Pi +Reviewed-by: Matthew Wang +Reviewed-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230723070741.1544662-1-pinkperfect2021@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/sta_rx.c | 11 ++++++++++- + .../net/wireless/marvell/mwifiex/uap_txrx.c | 19 +++++++++++++++++++ + drivers/net/wireless/marvell/mwifiex/util.c | 10 +++++++--- + 3 files changed, 36 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_rx.c b/drivers/net/wireless/marvell/mwifiex/sta_rx.c +index 0d2adf8879005..685a5b6697046 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_rx.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_rx.c +@@ -98,6 +98,14 @@ int mwifiex_process_rx_packet(struct mwifiex_private *priv, + rx_pkt_len = le16_to_cpu(local_rx_pd->rx_pkt_length); + rx_pkt_hdr = (void *)local_rx_pd + rx_pkt_off; + ++ if (sizeof(*rx_pkt_hdr) + rx_pkt_off > skb->len) { ++ mwifiex_dbg(priv->adapter, ERROR, ++ "wrong rx packet offset: len=%d, rx_pkt_off=%d\n", ++ skb->len, rx_pkt_off); ++ priv->stats.rx_dropped++; ++ dev_kfree_skb_any(skb); ++ } ++ + if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header, + sizeof(bridge_tunnel_header))) || + (!memcmp(&rx_pkt_hdr->rfc1042_hdr, rfc1042_header, +@@ -206,7 +214,8 @@ int mwifiex_process_sta_rx_packet(struct mwifiex_private *priv, + + rx_pkt_hdr = (void *)local_rx_pd + rx_pkt_offset; + +- if ((rx_pkt_offset + rx_pkt_length) > (u16) skb->len) { ++ if ((rx_pkt_offset + rx_pkt_length) > skb->len || ++ sizeof(rx_pkt_hdr->eth803_hdr) + rx_pkt_offset > skb->len) { + mwifiex_dbg(adapter, ERROR, + "wrong rx packet: len=%d, rx_pkt_offset=%d, rx_pkt_length=%d\n", + skb->len, rx_pkt_offset, rx_pkt_length); +diff --git a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +index 245ff644f81e3..b3915bfd38693 100644 +--- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c ++++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +@@ -115,6 +115,15 @@ static void mwifiex_uap_queue_bridged_pkt(struct mwifiex_private *priv, + return; + } + ++ if (sizeof(*rx_pkt_hdr) + ++ le16_to_cpu(uap_rx_pd->rx_pkt_offset) > skb->len) { ++ mwifiex_dbg(adapter, ERROR, ++ "wrong rx packet offset: len=%d,rx_pkt_offset=%d\n", ++ skb->len, le16_to_cpu(uap_rx_pd->rx_pkt_offset)); ++ priv->stats.rx_dropped++; ++ dev_kfree_skb_any(skb); ++ } ++ + if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header, + sizeof(bridge_tunnel_header))) || + (!memcmp(&rx_pkt_hdr->rfc1042_hdr, rfc1042_header, +@@ -379,6 +388,16 @@ int mwifiex_process_uap_rx_packet(struct mwifiex_private *priv, + rx_pkt_type = le16_to_cpu(uap_rx_pd->rx_pkt_type); + rx_pkt_hdr = (void *)uap_rx_pd + le16_to_cpu(uap_rx_pd->rx_pkt_offset); + ++ if (le16_to_cpu(uap_rx_pd->rx_pkt_offset) + ++ sizeof(rx_pkt_hdr->eth803_hdr) > skb->len) { ++ mwifiex_dbg(adapter, ERROR, ++ "wrong rx packet for struct ethhdr: len=%d, offset=%d\n", ++ skb->len, le16_to_cpu(uap_rx_pd->rx_pkt_offset)); ++ priv->stats.rx_dropped++; ++ dev_kfree_skb_any(skb); ++ return 0; ++ } ++ + ether_addr_copy(ta, rx_pkt_hdr->eth803_hdr.h_source); + + if ((le16_to_cpu(uap_rx_pd->rx_pkt_offset) + +diff --git a/drivers/net/wireless/marvell/mwifiex/util.c b/drivers/net/wireless/marvell/mwifiex/util.c +index d583fa600a296..1f5a6dab9ce55 100644 +--- a/drivers/net/wireless/marvell/mwifiex/util.c ++++ b/drivers/net/wireless/marvell/mwifiex/util.c +@@ -405,11 +405,15 @@ mwifiex_process_mgmt_packet(struct mwifiex_private *priv, + } + + rx_pd = (struct rxpd *)skb->data; ++ pkt_len = le16_to_cpu(rx_pd->rx_pkt_length); ++ if (pkt_len < sizeof(struct ieee80211_hdr) + sizeof(pkt_len)) { ++ mwifiex_dbg(priv->adapter, ERROR, "invalid rx_pkt_length"); ++ return -1; ++ } + + skb_pull(skb, le16_to_cpu(rx_pd->rx_pkt_offset)); + skb_pull(skb, sizeof(pkt_len)); +- +- pkt_len = le16_to_cpu(rx_pd->rx_pkt_length); ++ pkt_len -= sizeof(pkt_len); + + ieee_hdr = (void *)skb->data; + if (ieee80211_is_mgmt(ieee_hdr->frame_control)) { +@@ -422,7 +426,7 @@ mwifiex_process_mgmt_packet(struct mwifiex_private *priv, + skb->data + sizeof(struct ieee80211_hdr), + pkt_len - sizeof(struct ieee80211_hdr)); + +- pkt_len -= ETH_ALEN + sizeof(pkt_len); ++ pkt_len -= ETH_ALEN; + rx_pd->rx_pkt_length = cpu_to_le16(pkt_len); + + cfg80211_rx_mgmt(&priv->wdev, priv->roc_cfg.chan.center_freq, +-- +2.40.1 + diff --git a/queue-5.15/wifi-nl80211-cfg80211-add-forgotten-nla_policy-for-b.patch b/queue-5.15/wifi-nl80211-cfg80211-add-forgotten-nla_policy-for-b.patch new file mode 100644 index 00000000000..d02668b2888 --- /dev/null +++ b/queue-5.15/wifi-nl80211-cfg80211-add-forgotten-nla_policy-for-b.patch @@ -0,0 +1,44 @@ +From ee43eee22194ce4feb026eb5685bd37516ded973 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Aug 2023 11:31:51 +0800 +Subject: wifi: nl80211/cfg80211: add forgotten nla_policy for BSS color + attribute + +From: Lin Ma + +[ Upstream commit 218d690c49b7e9c94ad0d317adbdd4af846ea0dc ] + +The previous commit dd3e4fc75b4a ("nl80211/cfg80211: add BSS color to +NDP ranging parameters") adds a parameter for NDP ranging by introducing +a new attribute type named NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR. + +However, the author forgot to also describe the nla_policy at +nl80211_pmsr_ftm_req_attr_policy (net/wireless/nl80211.c). Just +complement it to avoid malformed attribute that causes out-of-attribute +access. + +Fixes: dd3e4fc75b4a ("nl80211/cfg80211: add BSS color to NDP ranging parameters") +Signed-off-by: Lin Ma +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230809033151.768910-1-linma@zju.edu.cn +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 1b91a9c208969..ed3ec7e320ced 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -314,6 +314,7 @@ nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = { + [NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG }, + [NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG }, + [NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG }, ++ [NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 }, + }; + + static const struct nla_policy +-- +2.40.1 + diff --git a/queue-5.15/x86-apm-drop-the-duplicate-apm_minor_dev-macro.patch b/queue-5.15/x86-apm-drop-the-duplicate-apm_minor_dev-macro.patch new file mode 100644 index 00000000000..426c67c7731 --- /dev/null +++ b/queue-5.15/x86-apm-drop-the-duplicate-apm_minor_dev-macro.patch @@ -0,0 +1,46 @@ +From bc268c2ae87c2f3c814cd4dd738de83af5efc4bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jul 2023 18:11:20 -0700 +Subject: x86/APM: drop the duplicate APM_MINOR_DEV macro + +From: Randy Dunlap + +[ Upstream commit 4ba2909638a29630a346d6c4907a3105409bee7d ] + +This source file already includes , which contains +the same macro. It doesn't need to be defined here again. + +Fixes: 874bcd00f520 ("apm-emulation: move APM_MINOR_DEV to include/linux/miscdevice.h") +Signed-off-by: Randy Dunlap +Cc: Jiri Kosina +Cc: x86@kernel.org +Cc: Sohil Mehta +Cc: Corentin Labbe +Reviewed-by: Sohil Mehta +Link: https://lore.kernel.org/r/20230728011120.759-1-rdunlap@infradead.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/apm_32.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/arch/x86/kernel/apm_32.c b/arch/x86/kernel/apm_32.c +index 241dda687eb9f..06978a1194f24 100644 +--- a/arch/x86/kernel/apm_32.c ++++ b/arch/x86/kernel/apm_32.c +@@ -237,12 +237,6 @@ + extern int (*console_blank_hook)(int); + #endif + +-/* +- * The apm_bios device is one of the misc char devices. +- * This is its minor number. +- */ +-#define APM_MINOR_DEV 134 +- + /* + * Various options can be changed at boot time as follows: + * (We allow underscores for compatibility with the modules code) +-- +2.40.1 + diff --git a/queue-5.15/x86-decompressor-don-t-rely-on-upper-32-bits-of-gprs.patch b/queue-5.15/x86-decompressor-don-t-rely-on-upper-32-bits-of-gprs.patch new file mode 100644 index 00000000000..2cad4362c0d --- /dev/null +++ b/queue-5.15/x86-decompressor-don-t-rely-on-upper-32-bits-of-gprs.patch @@ -0,0 +1,113 @@ +From ea5d3ca3914ec1df6bea08bf306a857ce70f579a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Aug 2023 18:26:58 +0200 +Subject: x86/decompressor: Don't rely on upper 32 bits of GPRs being preserved +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ard Biesheuvel + +[ Upstream commit 264b82fdb4989cf6a44a2bcd0c6ea05e8026b2ac ] + +The 4-to-5 level mode switch trampoline disables long mode and paging in +order to be able to flick the LA57 bit. According to section 3.4.1.1 of +the x86 architecture manual [0], 64-bit GPRs might not retain the upper +32 bits of their contents across such a mode switch. + +Given that RBP, RBX and RSI are live at this point, preserve them on the +stack, along with the return address that might be above 4G as well. + +[0] Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volume 1: Basic Architecture + + "Because the upper 32 bits of 64-bit general-purpose registers are + undefined in 32-bit modes, the upper 32 bits of any general-purpose + register are not preserved when switching from 64-bit mode to a 32-bit + mode (to protected mode or compatibility mode). Software must not + depend on these bits to maintain a value after a 64-bit to 32-bit + mode switch." + +Fixes: 194a9749c73d650c ("x86/boot/compressed/64: Handle 5-level paging boot if kernel is above 4G") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/20230807162720.545787-2-ardb@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/boot/compressed/head_64.S | 30 +++++++++++++++++++++++------- + 1 file changed, 23 insertions(+), 7 deletions(-) + +diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S +index fd9441f404570..c3d427c817c73 100644 +--- a/arch/x86/boot/compressed/head_64.S ++++ b/arch/x86/boot/compressed/head_64.S +@@ -468,11 +468,25 @@ SYM_CODE_START(startup_64) + /* Save the trampoline address in RCX */ + movq %rax, %rcx + ++ /* Set up 32-bit addressable stack */ ++ leaq TRAMPOLINE_32BIT_STACK_END(%rcx), %rsp ++ ++ /* ++ * Preserve live 64-bit registers on the stack: this is necessary ++ * because the architecture does not guarantee that GPRs will retain ++ * their full 64-bit values across a 32-bit mode switch. ++ */ ++ pushq %rbp ++ pushq %rbx ++ pushq %rsi ++ + /* +- * Load the address of trampoline_return() into RDI. +- * It will be used by the trampoline to return to the main code. ++ * Push the 64-bit address of trampoline_return() onto the new stack. ++ * It will be used by the trampoline to return to the main code. Due to ++ * the 32-bit mode switch, it cannot be kept it in a register either. + */ + leaq trampoline_return(%rip), %rdi ++ pushq %rdi + + /* Switch to compatibility mode (CS.L = 0 CS.D = 1) via far return */ + pushq $__KERNEL32_CS +@@ -480,6 +494,11 @@ SYM_CODE_START(startup_64) + pushq %rax + lretq + trampoline_return: ++ /* Restore live 64-bit registers */ ++ popq %rsi ++ popq %rbx ++ popq %rbp ++ + /* Restore the stack, the 32-bit trampoline uses its own stack */ + leaq rva(boot_stack_end)(%rbx), %rsp + +@@ -600,7 +619,7 @@ SYM_FUNC_END(.Lrelocated) + /* + * This is the 32-bit trampoline that will be copied over to low memory. + * +- * RDI contains the return address (might be above 4G). ++ * Return address is at the top of the stack (might be above 4G). + * ECX contains the base address of the trampoline memory. + * Non zero RDX means trampoline needs to enable 5-level paging. + */ +@@ -610,9 +629,6 @@ SYM_CODE_START(trampoline_32bit_src) + movl %eax, %ds + movl %eax, %ss + +- /* Set up new stack */ +- leal TRAMPOLINE_32BIT_STACK_END(%ecx), %esp +- + /* Disable paging */ + movl %cr0, %eax + btrl $X86_CR0_PG_BIT, %eax +@@ -672,7 +688,7 @@ SYM_CODE_END(trampoline_32bit_src) + .code64 + SYM_FUNC_START_LOCAL_NOALIGN(.Lpaging_enabled) + /* Return from the trampoline */ +- jmp *%rdi ++ retq + SYM_FUNC_END(.Lpaging_enabled) + + /* +-- +2.40.1 + diff --git a/queue-5.15/x86-efistub-fix-pci-rom-preservation-in-mixed-mode.patch b/queue-5.15/x86-efistub-fix-pci-rom-preservation-in-mixed-mode.patch new file mode 100644 index 00000000000..e32ddd97cc3 --- /dev/null +++ b/queue-5.15/x86-efistub-fix-pci-rom-preservation-in-mixed-mode.patch @@ -0,0 +1,38 @@ +From fa572f6c41f636ea42b512eea9bd102b1b8a660c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Aug 2023 17:51:58 -0400 +Subject: x86/efistub: Fix PCI ROM preservation in mixed mode + +From: Mikel Rychliski + +[ Upstream commit 8b94da92559f7e403dc7ab81937cc50f949ee2fd ] + +preserve_pci_rom_image() was accessing the romsize field in +efi_pci_io_protocol_t directly instead of using the efi_table_attr() +helper. This prevents the ROM image from being saved correctly during a +mixed mode boot. + +Fixes: 2c3625cb9fa2 ("efi/x86: Fold __setup_efi_pci32() and __setup_efi_pci64() into one function") +Signed-off-by: Mikel Rychliski +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/x86-stub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c +index 72162645b553e..1cb4466e3c108 100644 +--- a/drivers/firmware/efi/libstub/x86-stub.c ++++ b/drivers/firmware/efi/libstub/x86-stub.c +@@ -60,7 +60,7 @@ preserve_pci_rom_image(efi_pci_io_protocol_t *pci, struct pci_setup_rom **__rom) + rom->data.type = SETUP_PCI; + rom->data.len = size - sizeof(struct setup_data); + rom->data.next = 0; +- rom->pcilen = pci->romsize; ++ rom->pcilen = romsize; + *__rom = rom; + + status = efi_call_proto(pci, pci.read, EfiPciIoWidthUint16, +-- +2.40.1 + diff --git a/queue-5.15/x86-mm-fix-pat-bit-missing-from-page-protection-modi.patch b/queue-5.15/x86-mm-fix-pat-bit-missing-from-page-protection-modi.patch new file mode 100644 index 00000000000..9a8dbca83d3 --- /dev/null +++ b/queue-5.15/x86-mm-fix-pat-bit-missing-from-page-protection-modi.patch @@ -0,0 +1,107 @@ +From bf84177444710250efb2ca74d820dede52ca17f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 09:36:14 +0200 +Subject: x86/mm: Fix PAT bit missing from page protection modify mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Janusz Krzysztofik + +[ Upstream commit 548cb932051fb6232ac983ed6673dae7bdf3cf4c ] + +Visible glitches have been observed when running graphics applications on +Linux under Xen hypervisor. Those observations have been confirmed with +failures from kms_pwrite_crc Intel GPU test that verifies data coherency +of DRM frame buffer objects using hardware CRC checksums calculated by +display controllers, exposed to userspace via debugfs. Affected +processing paths have then been identified with new IGT test variants that +mmap the objects using different methods and caching modes [1]. + +When running as a Xen PV guest, Linux uses Xen provided PAT configuration +which is different from its native one. In particular, Xen specific PTE +encoding of write-combining caching, likely used by graphics applications, +differs from the Linux default one found among statically defined minimal +set of supported modes. Since Xen defines PTE encoding of the WC mode as +_PAGE_PAT, it no longer belongs to the minimal set, depends on correct +handling of _PAGE_PAT bit, and can be mismatched with write-back caching. + +When a user calls mmap() for a DRM buffer object, DRM device specific +.mmap file operation, called from mmap_region(), takes care of setting PTE +encoding bits in a vm_page_prot field of an associated virtual memory area +structure. Unfortunately, _PAGE_PAT bit is not preserved when the vma's +.vm_flags are then applied to .vm_page_prot via vm_set_page_prot(). Bits +to be preserved are determined with _PAGE_CHG_MASK symbol that doesn't +cover _PAGE_PAT. As a consequence, WB caching is requested instead of WC +when running under Xen (also, WP is silently changed to WT, and UC +downgraded to UC_MINUS). When running on bare metal, WC is not affected, +but WP and WT extra modes are unintentionally replaced with WC and UC, +respectively. + +WP and WT modes, encoded with _PAGE_PAT bit set, were introduced by commit +281d4078bec3 ("x86: Make page cache mode a real type"). Care was taken +to extend _PAGE_CACHE_MASK symbol with that additional bit, but that +symbol has never been used for identification of bits preserved when +applying page protection flags. Support for all cache modes under Xen, +including the problematic WC mode, was then introduced by commit +47591df50512 ("xen: Support Xen pv-domains using PAT"). + +The issue needs to be fixed by including _PAGE_PAT bit into a bitmask used +by pgprot_modify() for selecting bits to be preserved. We can do that +either internally to pgprot_modify() (as initially proposed), or by making +_PAGE_PAT a part of _PAGE_CHG_MASK. If we go for the latter then, since +_PAGE_PAT is the same as _PAGE_PSE, we need to note that _HPAGE_CHG_MASK +-- a huge pmds' counterpart of _PAGE_CHG_MASK, introduced by commit +c489f1257b8c ("thp: add pmd_modify"), defined as (_PAGE_CHG_MASK | +_PAGE_PSE) -- will no longer differ from _PAGE_CHG_MASK. If such +modification of _PAGE_CHG_MASK was irrelevant to its users then one might +wonder why that new _HPAGE_CHG_MASK symbol was introduced instead of +reusing the existing one with that otherwise irrelevant bit (_PAGE_PSE in +that case) added. + +Add _PAGE_PAT to _PAGE_CHG_MASK and _PAGE_PAT_LARGE to _HPAGE_CHG_MASK for +symmetry. Split out common bits from both symbols to a common symbol for +clarity. + +[ dhansen: tweak the solution changelog description ] + +[1] https://gitlab.freedesktop.org/drm/igt-gpu-tools/-/commit/0f0754413f14 + +Fixes: 281d4078bec3 ("x86: Make page cache mode a real type") +Signed-off-by: Janusz Krzysztofik +Signed-off-by: Dave Hansen +Reviewed-by: Andi Shyti +Reviewed-by: Juergen Gross +Tested-by: Marek Marczykowski-Górecki +Link: https://gitlab.freedesktop.org/drm/intel/-/issues/7648 +Link: https://lore.kernel.org/all/20230710073613.8006-2-janusz.krzysztofik%40linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/pgtable_types.h | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h +index 40497a9020c6e..28e59576c75be 100644 +--- a/arch/x86/include/asm/pgtable_types.h ++++ b/arch/x86/include/asm/pgtable_types.h +@@ -123,11 +123,12 @@ + * instance, and is *not* included in this mask since + * pte_modify() does modify it. + */ +-#define _PAGE_CHG_MASK (PTE_PFN_MASK | _PAGE_PCD | _PAGE_PWT | \ +- _PAGE_SPECIAL | _PAGE_ACCESSED | _PAGE_DIRTY | \ +- _PAGE_SOFT_DIRTY | _PAGE_DEVMAP | _PAGE_ENC | \ +- _PAGE_UFFD_WP) +-#define _HPAGE_CHG_MASK (_PAGE_CHG_MASK | _PAGE_PSE) ++#define _COMMON_PAGE_CHG_MASK (PTE_PFN_MASK | _PAGE_PCD | _PAGE_PWT | \ ++ _PAGE_SPECIAL | _PAGE_ACCESSED | _PAGE_DIRTY |\ ++ _PAGE_SOFT_DIRTY | _PAGE_DEVMAP | _PAGE_ENC | \ ++ _PAGE_UFFD_WP) ++#define _PAGE_CHG_MASK (_COMMON_PAGE_CHG_MASK | _PAGE_PAT) ++#define _HPAGE_CHG_MASK (_COMMON_PAGE_CHG_MASK | _PAGE_PSE | _PAGE_PAT_LARGE) + + /* + * The cache modes defined here are used to translate between pure SW usage +-- +2.40.1 + diff --git a/queue-5.15/x86-speculation-mark-all-skylake-cpus-as-vulnerable-.patch b/queue-5.15/x86-speculation-mark-all-skylake-cpus-as-vulnerable-.patch new file mode 100644 index 00000000000..0fe95863bd4 --- /dev/null +++ b/queue-5.15/x86-speculation-mark-all-skylake-cpus-as-vulnerable-.patch @@ -0,0 +1,76 @@ +From c000bad7917f840cba7ca3d6c03a0750e6d012be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Aug 2023 08:07:25 -0700 +Subject: x86/speculation: Mark all Skylake CPUs as vulnerable to GDS + +From: Dave Hansen + +[ Upstream commit c9f4c45c8ec3f07f4f083f9750032a1ec3eab6b2 ] + +The Gather Data Sampling (GDS) vulnerability is common to all Skylake +processors. However, the "client" Skylakes* are now in this list: + + https://www.intel.com/content/www/us/en/support/articles/000022396/processors.html + +which means they are no longer included for new vulnerabilities here: + + https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html + +or in other GDS documentation. Thus, they were not included in the +original GDS mitigation patches. + +Mark SKYLAKE and SKYLAKE_L as vulnerable to GDS to match all the +other Skylake CPUs (which include Kaby Lake). Also group the CPUs +so that the ones that share the exact same vulnerabilities are next +to each other. + +Last, move SRBDS to the end of each line. This makes it clear at a +glance that SKYLAKE_X is unique. Of the five Skylakes, it is the +only "server" CPU and has a different implementation from the +clients of the "special register" hardware, making it immune to SRBDS. + +This makes the diff much harder to read, but the resulting table is +worth it. + +I very much appreciate the report from Michael Zhivich about this +issue. Despite what level of support a hardware vendor is providing, +the kernel very much needs an accurate and up-to-date list of +vulnerable CPUs. More reports like this are very welcome. + +* Client Skylakes are CPUID 406E3/506E3 which is family 6, models + 0x4E and 0x5E, aka INTEL_FAM6_SKYLAKE and INTEL_FAM6_SKYLAKE_L. + +Reported-by: Michael Zhivich +Fixes: 8974eb588283 ("x86/speculation: Add Gather Data Sampling mitigation") +Signed-off-by: Dave Hansen +Signed-off-by: Ingo Molnar +Reviewed-by: Daniel Sneddon +Cc: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/common.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index 54a0b3833ffea..3151c08bb54a5 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -1149,11 +1149,11 @@ static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = { + VULNBL_INTEL_STEPPINGS(BROADWELL_G, X86_STEPPING_ANY, SRBDS), + VULNBL_INTEL_STEPPINGS(BROADWELL_X, X86_STEPPING_ANY, MMIO), + VULNBL_INTEL_STEPPINGS(BROADWELL, X86_STEPPING_ANY, SRBDS), +- VULNBL_INTEL_STEPPINGS(SKYLAKE_L, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED), + VULNBL_INTEL_STEPPINGS(SKYLAKE_X, X86_STEPPING_ANY, MMIO | RETBLEED | GDS), +- VULNBL_INTEL_STEPPINGS(SKYLAKE, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED), +- VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED | GDS), +- VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED | GDS), ++ VULNBL_INTEL_STEPPINGS(SKYLAKE_L, X86_STEPPING_ANY, MMIO | RETBLEED | GDS | SRBDS), ++ VULNBL_INTEL_STEPPINGS(SKYLAKE, X86_STEPPING_ANY, MMIO | RETBLEED | GDS | SRBDS), ++ VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPING_ANY, MMIO | RETBLEED | GDS | SRBDS), ++ VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPING_ANY, MMIO | RETBLEED | GDS | SRBDS), + VULNBL_INTEL_STEPPINGS(CANNONLAKE_L, X86_STEPPING_ANY, RETBLEED), + VULNBL_INTEL_STEPPINGS(ICELAKE_L, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED | GDS), + VULNBL_INTEL_STEPPINGS(ICELAKE_D, X86_STEPPING_ANY, MMIO | GDS), +-- +2.40.1 +