From: Sasha Levin Date: Sat, 3 Dec 2022 09:21:42 +0000 (-0500) Subject: Fixes for 6.0 X-Git-Tag: v4.9.335~86 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=61e33efff4e9cbdd0fed51b35aabf1f8e295d5db;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.0 Signed-off-by: Sasha Levin --- diff --git a/queue-6.0/afs-fix-fileserver-probe-rtt-handling.patch b/queue-6.0/afs-fix-fileserver-probe-rtt-handling.patch new file mode 100644 index 00000000000..41ae31705b3 --- /dev/null +++ b/queue-6.0/afs-fix-fileserver-probe-rtt-handling.patch @@ -0,0 +1,50 @@ +From c6112e03497bba3c6519823ae038ccb30155c15f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 22:02:56 +0000 +Subject: afs: Fix fileserver probe RTT handling + +From: David Howells + +[ Upstream commit ca57f02295f188d6c65ec02202402979880fa6d8 ] + +The fileserver probing code attempts to work out the best fileserver to +use for a volume by retrieving the RTT calculated by AF_RXRPC for the +probe call sent to each server and comparing them. Sometimes, however, +no RTT estimate is available and rxrpc_kernel_get_srtt() returns false, +leading good fileservers to be given an RTT of UINT_MAX and thus causing +the rotation algorithm to ignore them. + +Fix afs_select_fileserver() to ignore rxrpc_kernel_get_srtt()'s return +value and just take the estimated RTT it provides - which will be capped +at 1 second. + +Fixes: 1d4adfaf6574 ("rxrpc: Make rxrpc_kernel_get_srtt() indicate validity") +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +Tested-by: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/166965503999.3392585.13954054113218099395.stgit@warthog.procyon.org.uk/ +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/fs_probe.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/afs/fs_probe.c b/fs/afs/fs_probe.c +index c0031a3ab42f..3ac5fcf98d0d 100644 +--- a/fs/afs/fs_probe.c ++++ b/fs/afs/fs_probe.c +@@ -167,8 +167,8 @@ void afs_fileserver_probe_result(struct afs_call *call) + clear_bit(AFS_SERVER_FL_HAS_FS64, &server->flags); + } + +- if (rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us) && +- rtt_us < server->probe.rtt) { ++ rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us); ++ if (rtt_us < server->probe.rtt) { + server->probe.rtt = rtt_us; + server->rtt = rtt_us; + alist->preferred = index; +-- +2.35.1 + diff --git a/queue-6.0/afs-fix-server-active-leak-in-afs_put_server.patch b/queue-6.0/afs-fix-server-active-leak-in-afs_put_server.patch new file mode 100644 index 00000000000..802c4f055d5 --- /dev/null +++ b/queue-6.0/afs-fix-server-active-leak-in-afs_put_server.patch @@ -0,0 +1,41 @@ +From 1aeead7283e04aa94512b984c015c6e7bbf7a3a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Nov 2022 17:55:51 +0000 +Subject: afs: Fix server->active leak in afs_put_server + +From: Marc Dionne + +[ Upstream commit ef4d3ea40565a781c25847e9cb96c1bd9f462bc6 ] + +The atomic_read was accidentally replaced with atomic_inc_return, +which prevents the server from getting cleaned up and causes rmmod +to hang with a warning: + + Can't purge s=00000001 + +Fixes: 2757a4dc1849 ("afs: Fix access after dec in put functions") +Signed-off-by: Marc Dionne +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/20221130174053.2665818-1-marc.dionne@auristor.com/ +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/server.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/afs/server.c b/fs/afs/server.c +index 4981baf97835..b5237206eac3 100644 +--- a/fs/afs/server.c ++++ b/fs/afs/server.c +@@ -406,7 +406,7 @@ void afs_put_server(struct afs_net *net, struct afs_server *server, + if (!server) + return; + +- a = atomic_inc_return(&server->active); ++ a = atomic_read(&server->active); + zero = __refcount_dec_and_test(&server->ref, &r); + trace_afs_server(debug_id, r - 1, a, reason); + if (unlikely(zero)) +-- +2.35.1 + diff --git a/queue-6.0/aquantia-do-not-purge-addresses-when-setting-the-num.patch b/queue-6.0/aquantia-do-not-purge-addresses-when-setting-the-num.patch new file mode 100644 index 00000000000..0e350957d81 --- /dev/null +++ b/queue-6.0/aquantia-do-not-purge-addresses-when-setting-the-num.patch @@ -0,0 +1,91 @@ +From 8658aeb027684346ea8f2d979ffaad9d66ccb439 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 11:10:08 +0100 +Subject: aquantia: Do not purge addresses when setting the number of rings + +From: Izabela Bakollari + +[ Upstream commit 2a83891130512dafb321418a8e7c9c09268d8c59 ] + +IPV6 addresses are purged when setting the number of rx/tx +rings using ethtool -G. The function aq_set_ringparam +calls dev_close, which removes the addresses. As a solution, +call an internal function (aq_ndev_close). + +Fixes: c1af5427954b ("net: aquantia: Ethtool based ring size configuration") +Signed-off-by: Izabela Bakollari +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c | 5 +++-- + drivers/net/ethernet/aquantia/atlantic/aq_main.c | 4 ++-- + drivers/net/ethernet/aquantia/atlantic/aq_main.h | 2 ++ + 3 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c b/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c +index 1daecd483b8d..9c1378c22a8e 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c +@@ -13,6 +13,7 @@ + #include "aq_ptp.h" + #include "aq_filters.h" + #include "aq_macsec.h" ++#include "aq_main.h" + + #include + +@@ -858,7 +859,7 @@ static int aq_set_ringparam(struct net_device *ndev, + + if (netif_running(ndev)) { + ndev_running = true; +- dev_close(ndev); ++ aq_ndev_close(ndev); + } + + cfg->rxds = max(ring->rx_pending, hw_caps->rxds_min); +@@ -874,7 +875,7 @@ static int aq_set_ringparam(struct net_device *ndev, + goto err_exit; + + if (ndev_running) +- err = dev_open(ndev, NULL); ++ err = aq_ndev_open(ndev); + + err_exit: + return err; +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_main.c b/drivers/net/ethernet/aquantia/atlantic/aq_main.c +index 8a0af371e7dc..77609dc0a08d 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_main.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_main.c +@@ -58,7 +58,7 @@ struct net_device *aq_ndev_alloc(void) + return ndev; + } + +-static int aq_ndev_open(struct net_device *ndev) ++int aq_ndev_open(struct net_device *ndev) + { + struct aq_nic_s *aq_nic = netdev_priv(ndev); + int err = 0; +@@ -88,7 +88,7 @@ static int aq_ndev_open(struct net_device *ndev) + return err; + } + +-static int aq_ndev_close(struct net_device *ndev) ++int aq_ndev_close(struct net_device *ndev) + { + struct aq_nic_s *aq_nic = netdev_priv(ndev); + int err = 0; +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_main.h b/drivers/net/ethernet/aquantia/atlantic/aq_main.h +index 99870865f66d..a78c1a168d8e 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_main.h ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_main.h +@@ -16,5 +16,7 @@ DECLARE_STATIC_KEY_FALSE(aq_xdp_locking_key); + + void aq_ndev_schedule_work(struct work_struct *work); + struct net_device *aq_ndev_alloc(void); ++int aq_ndev_open(struct net_device *ndev); ++int aq_ndev_close(struct net_device *ndev); + + #endif /* AQ_MAIN_H */ +-- +2.35.1 + diff --git a/queue-6.0/arm-at91-rm9200-fix-usb-device-clock-id.patch b/queue-6.0/arm-at91-rm9200-fix-usb-device-clock-id.patch new file mode 100644 index 00000000000..a0526bc0053 --- /dev/null +++ b/queue-6.0/arm-at91-rm9200-fix-usb-device-clock-id.patch @@ -0,0 +1,64 @@ +From 9484e3058e773cc088a6a8ca791ef1ec472202d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 19:59:22 +0100 +Subject: ARM: at91: rm9200: fix usb device clock id + +From: Michael Grzeschik + +[ Upstream commit 57976762428675f259339385d3324d28ee53ec02 ] + +Referring to the datasheet the index 2 is the MCKUDP. When enabled, it +"Enables the automatic disable of the Master Clock of the USB Device +Port when a suspend condition occurs". We fix the index to the real UDP +id which "Enables the 48 MHz clock of the USB Device Port". + +Cc: nicolas.ferre@microchip.com +Cc: ludovic.desroches@microchip.com +Cc: alexandre.belloni@bootlin.com +Cc: mturquette@baylibre.com +Cc: sboyd@kernel.org +Cc: claudiu.beznea@microchip.com +Cc: linux-clk@vger.kernel.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: kernel@pengutronix.de +Fixes: 02ff48e4d7f7 ("clk: at91: add at91rm9200 pmc driver") +Fixes: 0e0e528d8260 ("ARM: dts: at91: rm9200: switch to new clock bindings") +Reviewed-by: Claudiu Beznea +Signed-off-by: Michael Grzeschik +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20221114185923.1023249-2-m.grzeschik@pengutronix.de +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/at91rm9200.dtsi | 2 +- + drivers/clk/at91/at91rm9200.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/at91rm9200.dtsi b/arch/arm/boot/dts/at91rm9200.dtsi +index d1181ead18e5..21344fbc89e5 100644 +--- a/arch/arm/boot/dts/at91rm9200.dtsi ++++ b/arch/arm/boot/dts/at91rm9200.dtsi +@@ -660,7 +660,7 @@ usb1: gadget@fffb0000 { + compatible = "atmel,at91rm9200-udc"; + reg = <0xfffb0000 0x4000>; + interrupts = <11 IRQ_TYPE_LEVEL_HIGH 2>; +- clocks = <&pmc PMC_TYPE_PERIPHERAL 11>, <&pmc PMC_TYPE_SYSTEM 2>; ++ clocks = <&pmc PMC_TYPE_PERIPHERAL 11>, <&pmc PMC_TYPE_SYSTEM 1>; + clock-names = "pclk", "hclk"; + status = "disabled"; + }; +diff --git a/drivers/clk/at91/at91rm9200.c b/drivers/clk/at91/at91rm9200.c +index b174f727a8ef..16870943a13e 100644 +--- a/drivers/clk/at91/at91rm9200.c ++++ b/drivers/clk/at91/at91rm9200.c +@@ -40,7 +40,7 @@ static const struct clk_pll_characteristics rm9200_pll_characteristics = { + }; + + static const struct sck at91rm9200_systemck[] = { +- { .n = "udpck", .p = "usbck", .id = 2 }, ++ { .n = "udpck", .p = "usbck", .id = 1 }, + { .n = "uhpck", .p = "usbck", .id = 4 }, + { .n = "pck0", .p = "prog0", .id = 8 }, + { .n = "pck1", .p = "prog1", .id = 9 }, +-- +2.35.1 + diff --git a/queue-6.0/bpf-do-not-copy-spin-lock-field-from-user-in-bpf_sel.patch b/queue-6.0/bpf-do-not-copy-spin-lock-field-from-user-in-bpf_sel.patch new file mode 100644 index 00000000000..b2b39b192f2 --- /dev/null +++ b/queue-6.0/bpf-do-not-copy-spin-lock-field-from-user-in-bpf_sel.patch @@ -0,0 +1,42 @@ +From 5b23a646df0c3aa531d2396dc414155428a8bb38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 08:47:19 -0500 +Subject: bpf: Do not copy spin lock field from user in bpf_selem_alloc + +From: Xu Kuohai + +[ Upstream commit 836e49e103dfeeff670c934b7d563cbd982fce87 ] + +bpf_selem_alloc function is used by inode_storage, sk_storage and +task_storage maps to set map value, for these map types, there may +be a spin lock in the map value, so if we use memcpy to copy the whole +map value from user, the spin lock field may be initialized incorrectly. + +Since the spin lock field is zeroed by kzalloc, call copy_map_value +instead of memcpy to skip copying the spin lock field to fix it. + +Fixes: 6ac99e8f23d4 ("bpf: Introduce bpf sk local storage") +Signed-off-by: Xu Kuohai +Link: https://lore.kernel.org/r/20221114134720.1057939-2-xukuohai@huawei.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/bpf_local_storage.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/bpf/bpf_local_storage.c b/kernel/bpf/bpf_local_storage.c +index d13ffb00e981..cbe918ba9035 100644 +--- a/kernel/bpf/bpf_local_storage.c ++++ b/kernel/bpf/bpf_local_storage.c +@@ -74,7 +74,7 @@ bpf_selem_alloc(struct bpf_local_storage_map *smap, void *owner, + gfp_flags | __GFP_NOWARN); + if (selem) { + if (value) +- memcpy(SDATA(selem)->data, value, smap->map.value_size); ++ copy_map_value(&smap->map, SDATA(selem)->data, value); + return selem; + } + +-- +2.35.1 + diff --git a/queue-6.0/bpf-perf-use-subprog-name-when-reporting-subprog-ksy.patch b/queue-6.0/bpf-perf-use-subprog-name-when-reporting-subprog-ksy.patch new file mode 100644 index 00000000000..cd62b0a2089 --- /dev/null +++ b/queue-6.0/bpf-perf-use-subprog-name-when-reporting-subprog-ksy.patch @@ -0,0 +1,57 @@ +From de6b38b4fd0db753eab4292567d9bfeda4647032 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 17:57:33 +0800 +Subject: bpf, perf: Use subprog name when reporting subprog ksymbol + +From: Hou Tao + +[ Upstream commit 47df8a2f78bc34ff170d147d05b121f84e252b85 ] + +Since commit bfea9a8574f3 ("bpf: Add name to struct bpf_ksym"), when +reporting subprog ksymbol to perf, prog name instead of subprog name is +used. The backtrace of bpf program with subprogs will be incorrect as +shown below: + + ffffffffc02deace bpf_prog_e44a3057dcb151f8_overwrite+0x66 + ffffffffc02de9f7 bpf_prog_e44a3057dcb151f8_overwrite+0x9f + ffffffffa71d8d4e trace_call_bpf+0xce + ffffffffa71c2938 perf_call_bpf_enter.isra.0+0x48 + +overwrite is the entry program and it invokes the overwrite_htab subprog +through bpf_loop, but in above backtrace, overwrite program just jumps +inside itself. + +Fixing it by using subprog name when reporting subprog ksymbol. After +the fix, the output of perf script will be correct as shown below: + + ffffffffc031aad2 bpf_prog_37c0bec7d7c764a4_overwrite_htab+0x66 + ffffffffc031a9e7 bpf_prog_c7eb827ef4f23e71_overwrite+0x9f + ffffffffa3dd8d4e trace_call_bpf+0xce + ffffffffa3dc2938 perf_call_bpf_enter.isra.0+0x48 + +Fixes: bfea9a8574f3 ("bpf: Add name to struct bpf_ksym") +Signed-off-by: Hou Tao +Signed-off-by: Daniel Borkmann +Acked-by: Jiri Olsa +Link: https://lore.kernel.org/bpf/20221114095733.158588-1-houtao@huaweicloud.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index bec18d81b116..8dcbefd90b7f 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -9006,7 +9006,7 @@ static void perf_event_bpf_emit_ksymbols(struct bpf_prog *prog, + PERF_RECORD_KSYMBOL_TYPE_BPF, + (u64)(unsigned long)subprog->bpf_func, + subprog->jited_len, unregister, +- prog->aux->ksym.name); ++ subprog->aux->ksym.name); + } + } + } +-- +2.35.1 + diff --git a/queue-6.0/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch b/queue-6.0/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch new file mode 100644 index 00000000000..2baba637c26 --- /dev/null +++ b/queue-6.0/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch @@ -0,0 +1,65 @@ +From c4427191b5fc32fa04a212e145479707d155009a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 22:23:54 +0800 +Subject: btrfs: qgroup: fix sleep from invalid context bug in + btrfs_qgroup_inherit() + +From: ChenXiaoSong + +[ Upstream commit f7e942b5bb35d8e3af54053d19a6bf04143a3955 ] + +Syzkaller reported BUG as follows: + + BUG: sleeping function called from invalid context at + include/linux/sched/mm.h:274 + Call Trace: + + dump_stack_lvl+0xcd/0x134 + __might_resched.cold+0x222/0x26b + kmem_cache_alloc+0x2e7/0x3c0 + update_qgroup_limit_item+0xe1/0x390 + btrfs_qgroup_inherit+0x147b/0x1ee0 + create_subvol+0x4eb/0x1710 + btrfs_mksubvol+0xfe5/0x13f0 + __btrfs_ioctl_snap_create+0x2b0/0x430 + btrfs_ioctl_snap_create_v2+0x25a/0x520 + btrfs_ioctl+0x2a1c/0x5ce0 + __x64_sys_ioctl+0x193/0x200 + do_syscall_64+0x35/0x80 + +Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in +btrfs_run_qgroups() later outside of the spinlock context. + +CC: stable@vger.kernel.org # 4.9+ +Reviewed-by: Qu Wenruo +Signed-off-by: ChenXiaoSong +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/qgroup.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c +index ba323dcb0a0b..db56e0c0e9ac 100644 +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -2920,14 +2920,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, + dstgroup->rsv_rfer = inherit->lim.rsv_rfer; + dstgroup->rsv_excl = inherit->lim.rsv_excl; + +- ret = update_qgroup_limit_item(trans, dstgroup); +- if (ret) { +- fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT; +- btrfs_info(fs_info, +- "unable to update quota limit for %llu", +- dstgroup->qgroupid); +- goto unlock; +- } ++ qgroup_dirty(fs_info, dstgroup); + } + + if (srcid) { +-- +2.35.1 + diff --git a/queue-6.0/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch b/queue-6.0/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch new file mode 100644 index 00000000000..e225434d686 --- /dev/null +++ b/queue-6.0/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch @@ -0,0 +1,59 @@ +From df20ecc8f011ad4c6a984e9698c6747330c55e39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 20:09:16 +0800 +Subject: can: cc770: cc770_isa_probe(): add missing free_cc770dev() + +From: Zhang Changzhong + +[ Upstream commit 62ec89e74099a3d6995988ed9f2f996b368417ec ] + +Add the missing free_cc770dev() before return from cc770_isa_probe() +in the register_cc770dev() error handling case. + +In addition, remove blanks before goto labels. + +Fixes: 7e02e5433e00 ("can: cc770: legacy CC770 ISA bus driver") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/all/1668168557-6024-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/cc770/cc770_isa.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/cc770/cc770_isa.c b/drivers/net/can/cc770/cc770_isa.c +index 194c86e0f340..8f6dccd5a587 100644 +--- a/drivers/net/can/cc770/cc770_isa.c ++++ b/drivers/net/can/cc770/cc770_isa.c +@@ -264,22 +264,24 @@ static int cc770_isa_probe(struct platform_device *pdev) + if (err) { + dev_err(&pdev->dev, + "couldn't register device (err=%d)\n", err); +- goto exit_unmap; ++ goto exit_free; + } + + dev_info(&pdev->dev, "device registered (reg_base=0x%p, irq=%d)\n", + priv->reg_base, dev->irq); + return 0; + +- exit_unmap: ++exit_free: ++ free_cc770dev(dev); ++exit_unmap: + if (mem[idx]) + iounmap(base); +- exit_release: ++exit_release: + if (mem[idx]) + release_mem_region(mem[idx], iosize); + else + release_region(port[idx], iosize); +- exit: ++exit: + return err; + } + +-- +2.35.1 + diff --git a/queue-6.0/can-etas_es58x-es58x_init_netdev-free-netdev-when-re.patch b/queue-6.0/can-etas_es58x-es58x_init_netdev-free-netdev-when-re.patch new file mode 100644 index 00000000000..2114a2668bf --- /dev/null +++ b/queue-6.0/can-etas_es58x-es58x_init_netdev-free-netdev-when-re.patch @@ -0,0 +1,46 @@ +From cb656d3b29dc21b878751caadccec4ea748927d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 16:14:44 +0800 +Subject: can: etas_es58x: es58x_init_netdev(): free netdev when + register_candev() + +From: Zhang Changzhong + +[ Upstream commit 709cb2f9ed2006eb1dc4b36b99d601cd24889ec4 ] + +In case of register_candev() fails, clear +es58x_dev->netdev[channel_idx] and add free_candev(). Otherwise +es58x_free_netdevs() will unregister the netdev that has never been +registered. + +Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces") +Signed-off-by: Zhang Changzhong +Acked-by: Arunachalam Santhanam +Acked-by: Vincent Mailhol +Link: https://lore.kernel.org/all/1668413685-23354-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/etas_es58x/es58x_core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c +index 25f863b4f5f0..ddb7c5735c9a 100644 +--- a/drivers/net/can/usb/etas_es58x/es58x_core.c ++++ b/drivers/net/can/usb/etas_es58x/es58x_core.c +@@ -2091,8 +2091,11 @@ static int es58x_init_netdev(struct es58x_device *es58x_dev, int channel_idx) + netdev->dev_port = channel_idx; + + ret = register_candev(netdev); +- if (ret) ++ if (ret) { ++ es58x_dev->netdev[channel_idx] = NULL; ++ free_candev(netdev); + return ret; ++ } + + netdev_queue_set_dql_min_limit(netdev_get_tx_queue(netdev, 0), + es58x_dev->param->dql_min_limit); +-- +2.35.1 + diff --git a/queue-6.0/can-m_can-add-check-for-devm_clk_get.patch b/queue-6.0/can-m_can-add-check-for-devm_clk_get.patch new file mode 100644 index 00000000000..1b3a1c7ea21 --- /dev/null +++ b/queue-6.0/can-m_can-add-check-for-devm_clk_get.patch @@ -0,0 +1,38 @@ +From 58c3bb62a627a0a4e738e7ee8a7d84eee999cec5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 14:36:51 +0800 +Subject: can: m_can: Add check for devm_clk_get + +From: Jiasheng Jiang + +[ Upstream commit 68b4f9e0bdd0f920d7303d07bfe226cd0976961d ] + +Since the devm_clk_get may return error, +it should be better to add check for the cdev->hclk, +as same as cdev->cclk. + +Fixes: f524f829b75a ("can: m_can: Create a m_can platform framework") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/all/20221123063651.26199-1-jiasheng@iscas.ac.cn +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/m_can/m_can.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c +index 4dc67fdfcdb9..153d8fd08bd8 100644 +--- a/drivers/net/can/m_can/m_can.c ++++ b/drivers/net/can/m_can/m_can.c +@@ -1910,7 +1910,7 @@ int m_can_class_get_clocks(struct m_can_classdev *cdev) + cdev->hclk = devm_clk_get(cdev->dev, "hclk"); + cdev->cclk = devm_clk_get(cdev->dev, "cclk"); + +- if (IS_ERR(cdev->cclk)) { ++ if (IS_ERR(cdev->hclk) || IS_ERR(cdev->cclk)) { + dev_err(cdev->dev, "no clock found\n"); + ret = -ENODEV; + } +-- +2.35.1 + diff --git a/queue-6.0/can-m_can-pci-add-missing-m_can_class_free_dev-in-pr.patch b/queue-6.0/can-m_can-pci-add-missing-m_can_class_free_dev-in-pr.patch new file mode 100644 index 00000000000..cd302eab62d --- /dev/null +++ b/queue-6.0/can-m_can-pci-add-missing-m_can_class_free_dev-in-pr.patch @@ -0,0 +1,69 @@ +From d91f0b12cd7bee4eeb9f34d5d12adef9ca013fb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 20:11:23 +0800 +Subject: can: m_can: pci: add missing m_can_class_free_dev() in probe/remove + methods + +From: Zhang Changzhong + +[ Upstream commit 1eca1d4cc21b6d0fc5f9a390339804c0afce9439 ] + +In m_can_pci_remove() and error handling path of m_can_pci_probe(), +m_can_class_free_dev() should be called to free resource allocated by +m_can_class_allocate_dev(), otherwise there will be memleak. + +Fixes: cab7ffc0324f ("can: m_can: add PCI glue driver for Intel Elkhart Lake") +Signed-off-by: Zhang Changzhong +Reviewed-by: Jarkko Nikula +Link: https://lore.kernel.org/all/1668168684-6390-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/m_can/m_can_pci.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/can/m_can/m_can_pci.c b/drivers/net/can/m_can/m_can_pci.c +index 8f184a852a0a..f2219aa2824b 100644 +--- a/drivers/net/can/m_can/m_can_pci.c ++++ b/drivers/net/can/m_can/m_can_pci.c +@@ -120,7 +120,7 @@ static int m_can_pci_probe(struct pci_dev *pci, const struct pci_device_id *id) + + ret = pci_alloc_irq_vectors(pci, 1, 1, PCI_IRQ_ALL_TYPES); + if (ret < 0) +- return ret; ++ goto err_free_dev; + + mcan_class->dev = &pci->dev; + mcan_class->net->irq = pci_irq_vector(pci, 0); +@@ -132,7 +132,7 @@ static int m_can_pci_probe(struct pci_dev *pci, const struct pci_device_id *id) + + ret = m_can_class_register(mcan_class); + if (ret) +- goto err; ++ goto err_free_irq; + + /* Enable interrupt control at CAN wrapper IP */ + writel(0x1, base + CTL_CSR_INT_CTL_OFFSET); +@@ -144,8 +144,10 @@ static int m_can_pci_probe(struct pci_dev *pci, const struct pci_device_id *id) + + return 0; + +-err: ++err_free_irq: + pci_free_irq_vectors(pci); ++err_free_dev: ++ m_can_class_free_dev(mcan_class->net); + return ret; + } + +@@ -161,6 +163,7 @@ static void m_can_pci_remove(struct pci_dev *pci) + writel(0x0, priv->base + CTL_CSR_INT_CTL_OFFSET); + + m_can_class_unregister(mcan_class); ++ m_can_class_free_dev(mcan_class->net); + pci_free_irq_vectors(pci); + } + +-- +2.35.1 + diff --git a/queue-6.0/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch b/queue-6.0/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch new file mode 100644 index 00000000000..34bc917d171 --- /dev/null +++ b/queue-6.0/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch @@ -0,0 +1,59 @@ +From f2cf35c5fa3eac06cb5380e181fd75f0c8514fe0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 20:08:41 +0800 +Subject: can: sja1000_isa: sja1000_isa_probe(): add missing free_sja1000dev() + +From: Zhang Changzhong + +[ Upstream commit 92dfd9310a71d28cefe6a2d5174d43fab240e631 ] + +Add the missing free_sja1000dev() before return from +sja1000_isa_probe() in the register_sja1000dev() error handling case. + +In addition, remove blanks before goto labels. + +Fixes: 2a6ba39ad6a2 ("can: sja1000: legacy SJA1000 ISA bus driver") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/all/1668168521-5540-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/sja1000/sja1000_isa.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/sja1000/sja1000_isa.c b/drivers/net/can/sja1000/sja1000_isa.c +index d513fac50718..db3e767d5320 100644 +--- a/drivers/net/can/sja1000/sja1000_isa.c ++++ b/drivers/net/can/sja1000/sja1000_isa.c +@@ -202,22 +202,24 @@ static int sja1000_isa_probe(struct platform_device *pdev) + if (err) { + dev_err(&pdev->dev, "registering %s failed (err=%d)\n", + DRV_NAME, err); +- goto exit_unmap; ++ goto exit_free; + } + + dev_info(&pdev->dev, "%s device registered (reg_base=0x%p, irq=%d)\n", + DRV_NAME, priv->reg_base, dev->irq); + return 0; + +- exit_unmap: ++exit_free: ++ free_sja1000dev(dev); ++exit_unmap: + if (mem[idx]) + iounmap(base); +- exit_release: ++exit_release: + if (mem[idx]) + release_mem_region(mem[idx], iosize); + else + release_region(port[idx], iosize); +- exit: ++exit: + return err; + } + +-- +2.35.1 + diff --git a/queue-6.0/clk-qcom-gcc-sc8280xp-add-cxo-as-parent-for-three-uf.patch b/queue-6.0/clk-qcom-gcc-sc8280xp-add-cxo-as-parent-for-three-uf.patch new file mode 100644 index 00000000000..cf233bf1f09 --- /dev/null +++ b/queue-6.0/clk-qcom-gcc-sc8280xp-add-cxo-as-parent-for-three-uf.patch @@ -0,0 +1,67 @@ +From 890d079282f573b1b87b1180c7450515913e44ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 20:59:56 +0530 +Subject: clk: qcom: gcc-sc8280xp: add cxo as parent for three ufs ref clks + +From: Shazad Hussain + +[ Upstream commit f6abcc21d94393801937aed808b8f055ffec8579 ] + +The three UFS reference clocks, gcc_ufs_ref_clkref_clk for external +UFS devices, gcc_ufs_card_clkref_clk and gcc_ufs_1_card_clkref_clk for +two PHYs are all sourced from CXO. + +Added parent_data for all three reference clocks described above to +reflect that all three clocks are sourced from CXO to have valid +frequency for the ref clock needed by UFS controller driver. + +Fixes: d65d005f9a6c ("clk: qcom: add sc8280xp GCC driver") +Link: https://lore.kernel.org/lkml/Y2Tber39cHuOSR%2FW@hovoldconsulting.com/ +Signed-off-by: Shazad Hussain +Tested-by: Johan Hovold +Reviewed-by: Johan Hovold +Tested-by: Andrew Halaney +Reviewed-by: Andrew Halaney +Reviewed-by: Brian Masney +Link: https://lore.kernel.org/r/20221115152956.21677-1-quic_shazhuss@quicinc.com +Reviewed-by: Bjorn Andersson +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-sc8280xp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/clk/qcom/gcc-sc8280xp.c b/drivers/clk/qcom/gcc-sc8280xp.c +index a2f3ffcc5849..fd332383527f 100644 +--- a/drivers/clk/qcom/gcc-sc8280xp.c ++++ b/drivers/clk/qcom/gcc-sc8280xp.c +@@ -5364,6 +5364,8 @@ static struct clk_branch gcc_ufs_1_card_clkref_clk = { + .enable_mask = BIT(0), + .hw.init = &(const struct clk_init_data) { + .name = "gcc_ufs_1_card_clkref_clk", ++ .parent_data = &gcc_parent_data_tcxo, ++ .num_parents = 1, + .ops = &clk_branch2_ops, + }, + }, +@@ -5432,6 +5434,8 @@ static struct clk_branch gcc_ufs_card_clkref_clk = { + .enable_mask = BIT(0), + .hw.init = &(const struct clk_init_data) { + .name = "gcc_ufs_card_clkref_clk", ++ .parent_data = &gcc_parent_data_tcxo, ++ .num_parents = 1, + .ops = &clk_branch2_ops, + }, + }, +@@ -5848,6 +5852,8 @@ static struct clk_branch gcc_ufs_ref_clkref_clk = { + .enable_mask = BIT(0), + .hw.init = &(const struct clk_init_data) { + .name = "gcc_ufs_ref_clkref_clk", ++ .parent_data = &gcc_parent_data_tcxo, ++ .num_parents = 1, + .ops = &clk_branch2_ops, + }, + }, +-- +2.35.1 + diff --git a/queue-6.0/clk-qcom-gdsc-add-missing-error-handling.patch b/queue-6.0/clk-qcom-gdsc-add-missing-error-handling.patch new file mode 100644 index 00000000000..cee605a8456 --- /dev/null +++ b/queue-6.0/clk-qcom-gdsc-add-missing-error-handling.patch @@ -0,0 +1,89 @@ +From cf193b732038f6e8cf5da4f4d489e5d8fe1b36b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 17:58:16 +0200 +Subject: clk: qcom: gdsc: add missing error handling + +From: Johan Hovold + +[ Upstream commit eab4c1ebdd657957bf7ae66ffb8849b462db78b3 ] + +Since commit 7eb231c337e0 ("PM / Domains: Convert pm_genpd_init() to +return an error code") pm_genpd_init() can return an error which the +caller must handle. + +The current error handling was also incomplete as the runtime PM and +regulator use counts were not balanced in all error paths. + +Add the missing error handling to the GDSC initialisation to avoid +continuing as if nothing happened on errors. + +Signed-off-by: Johan Hovold +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220929155816.17425-1-johan+linaro@kernel.org +Stable-dep-of: 4cc47e8add63 ("clk: qcom: gdsc: Remove direct runtime PM calls") +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gdsc.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/clk/qcom/gdsc.c b/drivers/clk/qcom/gdsc.c +index d3244006c661..4b66ce0f1940 100644 +--- a/drivers/clk/qcom/gdsc.c ++++ b/drivers/clk/qcom/gdsc.c +@@ -439,11 +439,8 @@ static int gdsc_init(struct gdsc *sc) + + /* ...and the power-domain */ + ret = gdsc_pm_runtime_get(sc); +- if (ret) { +- if (sc->rsupply) +- regulator_disable(sc->rsupply); +- return ret; +- } ++ if (ret) ++ goto err_disable_supply; + + /* + * Votable GDSCs can be ON due to Vote from other masters. +@@ -452,14 +449,14 @@ static int gdsc_init(struct gdsc *sc) + if (sc->flags & VOTABLE) { + ret = gdsc_update_collapse_bit(sc, false); + if (ret) +- return ret; ++ goto err_put_rpm; + } + + /* Turn on HW trigger mode if supported */ + if (sc->flags & HW_CTRL) { + ret = gdsc_hwctrl(sc, true); + if (ret < 0) +- return ret; ++ goto err_put_rpm; + } + + /* +@@ -486,9 +483,21 @@ static int gdsc_init(struct gdsc *sc) + sc->pd.power_off = gdsc_disable; + if (!sc->pd.power_on) + sc->pd.power_on = gdsc_enable; +- pm_genpd_init(&sc->pd, NULL, !on); ++ ++ ret = pm_genpd_init(&sc->pd, NULL, !on); ++ if (ret) ++ goto err_put_rpm; + + return 0; ++ ++err_put_rpm: ++ if (on) ++ gdsc_pm_runtime_put(sc); ++err_disable_supply: ++ if (on && sc->rsupply) ++ regulator_disable(sc->rsupply); ++ ++ return ret; + } + + int gdsc_register(struct gdsc_desc *desc, +-- +2.35.1 + diff --git a/queue-6.0/clk-qcom-gdsc-remove-direct-runtime-pm-calls.patch b/queue-6.0/clk-qcom-gdsc-remove-direct-runtime-pm-calls.patch new file mode 100644 index 00000000000..0d7c214e6f3 --- /dev/null +++ b/queue-6.0/clk-qcom-gdsc-remove-direct-runtime-pm-calls.patch @@ -0,0 +1,291 @@ +From 42653dc83ef163db191df8daebbe229752070f41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 11:30:30 -0700 +Subject: clk: qcom: gdsc: Remove direct runtime PM calls + +From: Stephen Boyd + +[ Upstream commit 4cc47e8add635408e063c98b52d56b7ceacf0b70 ] + +We shouldn't be calling runtime PM APIs from within the genpd +enable/disable path for a couple reasons. + +First, this causes an AA lockdep splat[1] because genpd can call into +genpd code again while holding the genpd lock. + +WARNING: possible recursive locking detected +5.19.0-rc2-lockdep+ #7 Not tainted +-------------------------------------------- +kworker/2:1/49 is trying to acquire lock: +ffffffeea0370788 (&genpd->mlock){+.+.}-{3:3}, at: genpd_lock_mtx+0x24/0x30 + +but task is already holding lock: +ffffffeea03710a8 (&genpd->mlock){+.+.}-{3:3}, at: genpd_lock_mtx+0x24/0x30 + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&genpd->mlock); + lock(&genpd->mlock); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + +3 locks held by kworker/2:1/49: + #0: 74ffff80811a5748 ((wq_completion)pm){+.+.}-{0:0}, at: process_one_work+0x320/0x5fc + #1: ffffffc008537cf8 ((work_completion)(&genpd->power_off_work)){+.+.}-{0:0}, at: process_one_work+0x354/0x5fc + #2: ffffffeea03710a8 (&genpd->mlock){+.+.}-{3:3}, at: genpd_lock_mtx+0x24/0x30 + +stack backtrace: +CPU: 2 PID: 49 Comm: kworker/2:1 Not tainted 5.19.0-rc2-lockdep+ #7 +Hardware name: Google Lazor (rev3 - 8) with KB Backlight (DT) +Workqueue: pm genpd_power_off_work_fn +Call trace: + dump_backtrace+0x1a0/0x200 + show_stack+0x24/0x30 + dump_stack_lvl+0x7c/0xa0 + dump_stack+0x18/0x44 + __lock_acquire+0xb38/0x3634 + lock_acquire+0x180/0x2d4 + __mutex_lock_common+0x118/0xe30 + mutex_lock_nested+0x70/0x7c + genpd_lock_mtx+0x24/0x30 + genpd_runtime_suspend+0x2f0/0x414 + __rpm_callback+0xdc/0x1b8 + rpm_callback+0x4c/0xcc + rpm_suspend+0x21c/0x5f0 + rpm_idle+0x17c/0x1e0 + __pm_runtime_idle+0x78/0xcc + gdsc_disable+0x24c/0x26c + _genpd_power_off+0xd4/0x1c4 + genpd_power_off+0x2d8/0x41c + genpd_power_off_work_fn+0x60/0x94 + process_one_work+0x398/0x5fc + worker_thread+0x42c/0x6c4 + kthread+0x194/0x1b4 + ret_from_fork+0x10/0x20 + +Second, this confuses runtime PM on CoachZ for the camera devices by +causing the camera clock controller's runtime PM usage_count to go +negative after resuming from suspend. This is because runtime PM is +being used on the clock controller while runtime PM is disabled for the +device. + +The reason for the negative count is because a GDSC is represented as a +genpd and each genpd that is attached to a device is resumed during the +noirq phase of system wide suspend/resume (see the noirq suspend ops +assignment in pm_genpd_init() for more details). The camera GDSCs are +attached to camera devices with the 'power-domains' property in DT. +Every device has runtime PM disabled in the late system suspend phase +via __device_suspend_late(). Runtime PM is not usable until runtime PM +is enabled in device_resume_early(). The noirq phases run after the +'late' and before the 'early' phase of suspend/resume. When the genpds +are resumed in genpd_resume_noirq(), we call down into gdsc_enable() +that calls pm_runtime_resume_and_get() and that returns -EACCES to +indicate failure to resume because runtime PM is disabled for all +devices. + +Upon closer inspection, calling runtime PM APIs like this in the GDSC +driver doesn't make sense. It was intended to make sure the GDSC for the +clock controller providing other GDSCs was enabled, specifically the +MMCX GDSC for the display clk controller on SM8250 (sm8250-dispcc), so +that GDSC register accesses succeeded. That will already happen because +we make the 'dev->pm_domain' a parent domain of each GDSC we register in +gdsc_register() via pm_genpd_add_subdomain(). When any of these GDSCs +are accessed, we'll enable the parent domain (in this specific case +MMCX). + +We also remove any getting of runtime PM during registration, because +when a genpd is registered it increments the count on the parent if the +genpd itself is already enabled. + +Cc: Dmitry Baryshkov +Cc: Johan Hovold +Cc: Ulf Hansson +Cc: Taniya Das +Cc: Satya Priya +Reviewed-by: Douglas Anderson +Tested-by: Douglas Anderson +Cc: Matthias Kaehlcke +Reported-by: Stephen Boyd +Link: https://lore.kernel.org/r/CAE-0n52xbZeJ66RaKwggeRB57fUAwjvxGxfFMKOKJMKVyFTe+w@mail.gmail.com [1] +Fixes: 1b771839de05 ("clk: qcom: gdsc: enable optional power domain support") +Signed-off-by: Stephen Boyd +Link: https://lore.kernel.org/r/20221103183030.3594899-1-swboyd@chromium.org +Tested-by: Johan Hovold +Reviewed-by: Johan Hovold +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gdsc.c | 61 ++++------------------------------------- + drivers/clk/qcom/gdsc.h | 2 -- + 2 files changed, 6 insertions(+), 57 deletions(-) + +diff --git a/drivers/clk/qcom/gdsc.c b/drivers/clk/qcom/gdsc.c +index 4b66ce0f1940..39b35058ad47 100644 +--- a/drivers/clk/qcom/gdsc.c ++++ b/drivers/clk/qcom/gdsc.c +@@ -11,7 +11,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -56,22 +55,6 @@ enum gdsc_status { + GDSC_ON + }; + +-static int gdsc_pm_runtime_get(struct gdsc *sc) +-{ +- if (!sc->dev) +- return 0; +- +- return pm_runtime_resume_and_get(sc->dev); +-} +- +-static int gdsc_pm_runtime_put(struct gdsc *sc) +-{ +- if (!sc->dev) +- return 0; +- +- return pm_runtime_put_sync(sc->dev); +-} +- + /* Returns 1 if GDSC status is status, 0 if not, and < 0 on error */ + static int gdsc_check_status(struct gdsc *sc, enum gdsc_status status) + { +@@ -271,8 +254,9 @@ static void gdsc_retain_ff_on(struct gdsc *sc) + regmap_update_bits(sc->regmap, sc->gdscr, mask, mask); + } + +-static int _gdsc_enable(struct gdsc *sc) ++static int gdsc_enable(struct generic_pm_domain *domain) + { ++ struct gdsc *sc = domain_to_gdsc(domain); + int ret; + + if (sc->pwrsts == PWRSTS_ON) +@@ -328,22 +312,11 @@ static int _gdsc_enable(struct gdsc *sc) + return 0; + } + +-static int gdsc_enable(struct generic_pm_domain *domain) ++static int gdsc_disable(struct generic_pm_domain *domain) + { + struct gdsc *sc = domain_to_gdsc(domain); + int ret; + +- ret = gdsc_pm_runtime_get(sc); +- if (ret) +- return ret; +- +- return _gdsc_enable(sc); +-} +- +-static int _gdsc_disable(struct gdsc *sc) +-{ +- int ret; +- + if (sc->pwrsts == PWRSTS_ON) + return gdsc_assert_reset(sc); + +@@ -378,18 +351,6 @@ static int _gdsc_disable(struct gdsc *sc) + return 0; + } + +-static int gdsc_disable(struct generic_pm_domain *domain) +-{ +- struct gdsc *sc = domain_to_gdsc(domain); +- int ret; +- +- ret = _gdsc_disable(sc); +- +- gdsc_pm_runtime_put(sc); +- +- return ret; +-} +- + static int gdsc_init(struct gdsc *sc) + { + u32 mask, val; +@@ -437,11 +398,6 @@ static int gdsc_init(struct gdsc *sc) + return ret; + } + +- /* ...and the power-domain */ +- ret = gdsc_pm_runtime_get(sc); +- if (ret) +- goto err_disable_supply; +- + /* + * Votable GDSCs can be ON due to Vote from other masters. + * If a Votable GDSC is ON, make sure we have a Vote. +@@ -449,14 +405,14 @@ static int gdsc_init(struct gdsc *sc) + if (sc->flags & VOTABLE) { + ret = gdsc_update_collapse_bit(sc, false); + if (ret) +- goto err_put_rpm; ++ goto err_disable_supply; + } + + /* Turn on HW trigger mode if supported */ + if (sc->flags & HW_CTRL) { + ret = gdsc_hwctrl(sc, true); + if (ret < 0) +- goto err_put_rpm; ++ goto err_disable_supply; + } + + /* +@@ -486,13 +442,10 @@ static int gdsc_init(struct gdsc *sc) + + ret = pm_genpd_init(&sc->pd, NULL, !on); + if (ret) +- goto err_put_rpm; ++ goto err_disable_supply; + + return 0; + +-err_put_rpm: +- if (on) +- gdsc_pm_runtime_put(sc); + err_disable_supply: + if (on && sc->rsupply) + regulator_disable(sc->rsupply); +@@ -531,8 +484,6 @@ int gdsc_register(struct gdsc_desc *desc, + for (i = 0; i < num; i++) { + if (!scs[i]) + continue; +- if (pm_runtime_enabled(dev)) +- scs[i]->dev = dev; + scs[i]->regmap = regmap; + scs[i]->rcdev = rcdev; + ret = gdsc_init(scs[i]); +diff --git a/drivers/clk/qcom/gdsc.h b/drivers/clk/qcom/gdsc.h +index 5de48c9439b2..8d569232bbd6 100644 +--- a/drivers/clk/qcom/gdsc.h ++++ b/drivers/clk/qcom/gdsc.h +@@ -30,7 +30,6 @@ struct reset_controller_dev; + * @resets: ids of resets associated with this gdsc + * @reset_count: number of @resets + * @rcdev: reset controller +- * @dev: the device holding the GDSC, used for pm_runtime calls + */ + struct gdsc { + struct generic_pm_domain pd; +@@ -69,7 +68,6 @@ struct gdsc { + + const char *supply; + struct regulator *rsupply; +- struct device *dev; + }; + + struct gdsc_desc { +-- +2.35.1 + diff --git a/queue-6.0/clk-samsung-exynos7885-correct-div4-clock-parents.patch b/queue-6.0/clk-samsung-exynos7885-correct-div4-clock-parents.patch new file mode 100644 index 00000000000..ef2a4248f87 --- /dev/null +++ b/queue-6.0/clk-samsung-exynos7885-correct-div4-clock-parents.patch @@ -0,0 +1,50 @@ +From 1b03d76c393b98c18398a8e53730a33182da2cd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Oct 2022 17:13:40 +0200 +Subject: clk: samsung: exynos7885: Correct "div4" clock parents + +From: David Virag + +[ Upstream commit ef80c95c29dc67c3034f32d93c41e2ede398e387 ] + +"div4" DIVs which divide PLLs by 4 are actually dividing "div2" DIVs by +2 to achieve a by 4 division, thus their parents are the respective +"div2" DIVs. These DIVs were mistakenly set to have the PLLs as parents. +This leads to the kernel thinking "div4"s and everything under them run +at 2x the clock speed. Fix this. + +Fixes: 45bd8166a1d8 ("clk: samsung: Add initial Exynos7885 clock driver") +Signed-off-by: David Virag +Acked-by: Chanwoo Choi +Link: https://lore.kernel.org/r/20221013151341.151208-1-virag.david003@gmail.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/clk/samsung/clk-exynos7885.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/samsung/clk-exynos7885.c b/drivers/clk/samsung/clk-exynos7885.c +index a7b106302706..368c50badd15 100644 +--- a/drivers/clk/samsung/clk-exynos7885.c ++++ b/drivers/clk/samsung/clk-exynos7885.c +@@ -182,7 +182,7 @@ static const struct samsung_div_clock top_div_clks[] __initconst = { + CLK_CON_DIV_PLL_SHARED0_DIV2, 0, 1), + DIV(CLK_DOUT_SHARED0_DIV3, "dout_shared0_div3", "fout_shared0_pll", + CLK_CON_DIV_PLL_SHARED0_DIV3, 0, 2), +- DIV(CLK_DOUT_SHARED0_DIV4, "dout_shared0_div4", "fout_shared0_pll", ++ DIV(CLK_DOUT_SHARED0_DIV4, "dout_shared0_div4", "dout_shared0_div2", + CLK_CON_DIV_PLL_SHARED0_DIV4, 0, 1), + DIV(CLK_DOUT_SHARED0_DIV5, "dout_shared0_div5", "fout_shared0_pll", + CLK_CON_DIV_PLL_SHARED0_DIV5, 0, 3), +@@ -190,7 +190,7 @@ static const struct samsung_div_clock top_div_clks[] __initconst = { + CLK_CON_DIV_PLL_SHARED1_DIV2, 0, 1), + DIV(CLK_DOUT_SHARED1_DIV3, "dout_shared1_div3", "fout_shared1_pll", + CLK_CON_DIV_PLL_SHARED1_DIV3, 0, 2), +- DIV(CLK_DOUT_SHARED1_DIV4, "dout_shared1_div4", "fout_shared1_pll", ++ DIV(CLK_DOUT_SHARED1_DIV4, "dout_shared1_div4", "dout_shared1_div2", + CLK_CON_DIV_PLL_SHARED1_DIV4, 0, 1), + + /* CORE */ +-- +2.35.1 + diff --git a/queue-6.0/clocksource-drivers-arm_arch_timer-fix-xgene-1-tval-.patch b/queue-6.0/clocksource-drivers-arm_arch_timer-fix-xgene-1-tval-.patch new file mode 100644 index 00000000000..19bb3e2ce28 --- /dev/null +++ b/queue-6.0/clocksource-drivers-arm_arch_timer-fix-xgene-1-tval-.patch @@ -0,0 +1,94 @@ +From 37b5ba5713be78835b7b623ad1f3b89acf51d6d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 14:53:43 +0000 +Subject: clocksource/drivers/arm_arch_timer: Fix XGene-1 TVAL register math + error + +From: Joe Korty + +[ Upstream commit 839a973988a94c15002cbd81536e4af6ced2bd30 ] + +The TVAL register is 32 bit signed. Thus only the lower 31 bits are +available to specify when an interrupt is to occur at some time in the +near future. Attempting to specify a larger interval with TVAL results +in a negative time delta which means the timer fires immediately upon +being programmed, rather than firing at that expected future time. + +The solution is for Linux to declare that TVAL is a 31 bit register rather +than give its true size of 32 bits. This prevents Linux from programming +TVAL with a too-large value. Note that, prior to 5.16, this little trick +was the standard way to handle TVAL in Linux, so there is nothing new +happening here on that front. + +The softlockup detector hides the issue, because it keeps generating +short timer deadlines that are within the scope of the broken timer. + +Disabling it, it starts using NO_HZ with much longer timer deadlines, which +turns into an interrupt flood: + + 11: 1124855130 949168462 758009394 76417474 104782230 30210281 + 310890 1734323687 GICv2 29 Level arch_timer + +And "much longer" isn't that long: it takes less than 43s to underflow +TVAL at 50MHz (the frequency of the counter on XGene-1). + +Some comments on the v1 version of this patch by Marc Zyngier: + + XGene implements CVAL (a 64bit comparator) in terms of TVAL (a countdown + register) instead of the other way around. TVAL being a 32bit register, + the width of the counter should equally be 32. However, TVAL is a + *signed* value, and keeps counting down in the negative range once the + timer fires. + + It means that any TVAL value with bit 31 set will fire immediately, + as it cannot be distinguished from an already expired timer. Reducing + the timer range back to a paltry 31 bits papers over the issue. + + Another problem cannot be fixed though, which is that the timer interrupt + *must* be handled within the negative countdown period, or the interrupt + will be lost (TVAL will rollover to a positive value, indicative of a + new timer deadline). + +Fixes: 012f18850452 ("clocksource/drivers/arm_arch_timer: Work around broken CVAL implementations") +Signed-off-by: Joe Korty +Signed-off-by: Marc Zyngier +Signed-off-by: Thomas Gleixner +Reviewed-by: Marc Zyngier +Link: https://lore.kernel.org/r/20221024165422.GA51107@zipoli.concurrent-rt.com +Link: https://lore.kernel.org/r/20221121145343.896018-1-maz@kernel.org + +[maz: revamped the commit message] + +Signed-off-by: Sasha Levin +--- + drivers/clocksource/arm_arch_timer.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/clocksource/arm_arch_timer.c b/drivers/clocksource/arm_arch_timer.c +index a7ff77550e17..933bb960490d 100644 +--- a/drivers/clocksource/arm_arch_timer.c ++++ b/drivers/clocksource/arm_arch_timer.c +@@ -806,6 +806,9 @@ static u64 __arch_timer_check_delta(void) + /* + * XGene-1 implements CVAL in terms of TVAL, meaning + * that the maximum timer range is 32bit. Shame on them. ++ * ++ * Note that TVAL is signed, thus has only 31 of its ++ * 32 bits to express magnitude. + */ + MIDR_ALL_VERSIONS(MIDR_CPU_MODEL(ARM_CPU_IMP_APM, + APM_CPU_PART_POTENZA)), +@@ -813,8 +816,8 @@ static u64 __arch_timer_check_delta(void) + }; + + if (is_midr_in_range_list(read_cpuid_id(), broken_cval_midrs)) { +- pr_warn_once("Broken CNTx_CVAL_EL1, limiting width to 32bits"); +- return CLOCKSOURCE_MASK(32); ++ pr_warn_once("Broken CNTx_CVAL_EL1, using 31 bit TVAL instead.\n"); ++ return CLOCKSOURCE_MASK(31); + } + #endif + return CLOCKSOURCE_MASK(arch_counter_get_width()); +-- +2.35.1 + diff --git a/queue-6.0/drm-amd-pm-add-smu_v13_0_10-driver-if-version.patch b/queue-6.0/drm-amd-pm-add-smu_v13_0_10-driver-if-version.patch new file mode 100644 index 00000000000..00732f3a1ed --- /dev/null +++ b/queue-6.0/drm-amd-pm-add-smu_v13_0_10-driver-if-version.patch @@ -0,0 +1,50 @@ +From b6a59d200030922cbf5f674b8bf6378cf61393be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Mar 2022 20:05:32 +0800 +Subject: drm/amd/pm: add smu_v13_0_10 driver if version + +From: Yang Wang + +[ Upstream commit 8e039cd176c61a9770e1956038c93738efc800f7 ] + +add smu_v13_0_10 driver if version + +Signed-off-by: Yang Wang +Reviewed-by: Hawking Zhang +Signed-off-by: Alex Deucher +Stable-dep-of: f2e1aa267f12 ("drm/amd/pm: update driver if header for smu_13_0_7") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h | 1 + + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 3 +++ + 2 files changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h b/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h +index 3e29fe4cc4ae..dd5867561068 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h ++++ b/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h +@@ -32,6 +32,7 @@ + #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_5 0x04 + #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_0 0x30 + #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_7 0x2C ++#define SMU13_DRIVER_IF_VERSION_SMU_V13_0_10 0x1D + + #define SMU13_MODE1_RESET_WAIT_TIME_IN_MS 500 //500ms + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c +index 33710dcf1eb1..e7380aa4f6be 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c +@@ -304,6 +304,9 @@ int smu_v13_0_check_fw_version(struct smu_context *smu) + case IP_VERSION(13, 0, 5): + smu->smc_driver_if_version = SMU13_DRIVER_IF_VERSION_SMU_V13_0_5; + break; ++ case IP_VERSION(13, 0, 10): ++ smu->smc_driver_if_version = SMU13_DRIVER_IF_VERSION_SMU_V13_0_10; ++ break; + default: + dev_err(adev->dev, "smu unsupported IP version: 0x%x.\n", + adev->ip_versions[MP1_HWIP][0]); +-- +2.35.1 + diff --git a/queue-6.0/drm-amd-pm-update-driver-if-header-for-smu_13_0_7.patch b/queue-6.0/drm-amd-pm-update-driver-if-header-for-smu_13_0_7.patch new file mode 100644 index 00000000000..a197335c0e9 --- /dev/null +++ b/queue-6.0/drm-amd-pm-update-driver-if-header-for-smu_13_0_7.patch @@ -0,0 +1,315 @@ +From cdbe3ded21a69f013a5b8aa9593a3610dd58c306 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 09:08:42 +0800 +Subject: drm/amd/pm: update driver if header for smu_13_0_7 + +From: lyndonli + +[ Upstream commit f2e1aa267f12b82e03927d1e918d2844ddd3eea5 ] + +update driver if header for smu_13_0_7 + +Signed-off-by: lyndonli +Reviewed-by: Hawking Zhang +Reviewed-by: Kenneth Feng +Reviewed-by: Evan Quan +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.0.x +Signed-off-by: Sasha Levin +--- + .../inc/pmfw_if/smu13_driver_if_v13_0_7.h | 117 ++++++++++++------ + drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h | 2 +- + 2 files changed, 80 insertions(+), 39 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu13_driver_if_v13_0_7.h b/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu13_driver_if_v13_0_7.h +index 25c08f963f49..d6b13933a98f 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu13_driver_if_v13_0_7.h ++++ b/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu13_driver_if_v13_0_7.h +@@ -25,10 +25,10 @@ + + // *** IMPORTANT *** + // PMFW TEAM: Always increment the interface version on any change to this file +-#define SMU13_DRIVER_IF_VERSION 0x2C ++#define SMU13_DRIVER_IF_VERSION 0x35 + + //Increment this version if SkuTable_t or BoardTable_t change +-#define PPTABLE_VERSION 0x20 ++#define PPTABLE_VERSION 0x27 + + #define NUM_GFXCLK_DPM_LEVELS 16 + #define NUM_SOCCLK_DPM_LEVELS 8 +@@ -96,7 +96,7 @@ + #define FEATURE_MEM_TEMP_READ_BIT 47 + #define FEATURE_ATHUB_MMHUB_PG_BIT 48 + #define FEATURE_SOC_PCC_BIT 49 +-#define FEATURE_SPARE_50_BIT 50 ++#define FEATURE_EDC_PWRBRK_BIT 50 + #define FEATURE_SPARE_51_BIT 51 + #define FEATURE_SPARE_52_BIT 52 + #define FEATURE_SPARE_53_BIT 53 +@@ -282,15 +282,15 @@ typedef enum { + } I2cControllerPort_e; + + typedef enum { +- I2C_CONTROLLER_NAME_VR_GFX = 0, +- I2C_CONTROLLER_NAME_VR_SOC, +- I2C_CONTROLLER_NAME_VR_VMEMP, +- I2C_CONTROLLER_NAME_VR_VDDIO, +- I2C_CONTROLLER_NAME_LIQUID0, +- I2C_CONTROLLER_NAME_LIQUID1, +- I2C_CONTROLLER_NAME_PLX, +- I2C_CONTROLLER_NAME_OTHER, +- I2C_CONTROLLER_NAME_COUNT, ++ I2C_CONTROLLER_NAME_VR_GFX = 0, ++ I2C_CONTROLLER_NAME_VR_SOC, ++ I2C_CONTROLLER_NAME_VR_VMEMP, ++ I2C_CONTROLLER_NAME_VR_VDDIO, ++ I2C_CONTROLLER_NAME_LIQUID0, ++ I2C_CONTROLLER_NAME_LIQUID1, ++ I2C_CONTROLLER_NAME_PLX, ++ I2C_CONTROLLER_NAME_FAN_INTAKE, ++ I2C_CONTROLLER_NAME_COUNT, + } I2cControllerName_e; + + typedef enum { +@@ -302,6 +302,7 @@ typedef enum { + I2C_CONTROLLER_THROTTLER_LIQUID0, + I2C_CONTROLLER_THROTTLER_LIQUID1, + I2C_CONTROLLER_THROTTLER_PLX, ++ I2C_CONTROLLER_THROTTLER_FAN_INTAKE, + I2C_CONTROLLER_THROTTLER_INA3221, + I2C_CONTROLLER_THROTTLER_COUNT, + } I2cControllerThrottler_e; +@@ -309,8 +310,9 @@ typedef enum { + typedef enum { + I2C_CONTROLLER_PROTOCOL_VR_XPDE132G5, + I2C_CONTROLLER_PROTOCOL_VR_IR35217, +- I2C_CONTROLLER_PROTOCOL_TMP_TMP102A, ++ I2C_CONTROLLER_PROTOCOL_TMP_MAX31875, + I2C_CONTROLLER_PROTOCOL_INA3221, ++ I2C_CONTROLLER_PROTOCOL_TMP_MAX6604, + I2C_CONTROLLER_PROTOCOL_COUNT, + } I2cControllerProtocol_e; + +@@ -690,6 +692,9 @@ typedef struct { + #define PP_OD_FEATURE_UCLK_BIT 8 + #define PP_OD_FEATURE_ZERO_FAN_BIT 9 + #define PP_OD_FEATURE_TEMPERATURE_BIT 10 ++#define PP_OD_FEATURE_POWER_FEATURE_CTRL_BIT 11 ++#define PP_OD_FEATURE_ASIC_TDC_BIT 12 ++#define PP_OD_FEATURE_COUNT 13 + + typedef enum { + PP_OD_POWER_FEATURE_ALWAYS_ENABLED, +@@ -697,6 +702,11 @@ typedef enum { + PP_OD_POWER_FEATURE_ALWAYS_DISABLED, + } PP_OD_POWER_FEATURE_e; + ++typedef enum { ++ FAN_MODE_AUTO = 0, ++ FAN_MODE_MANUAL_LINEAR, ++} FanMode_e; ++ + typedef struct { + uint32_t FeatureCtrlMask; + +@@ -708,8 +718,8 @@ typedef struct { + uint8_t RuntimePwrSavingFeaturesCtrl; + + //Frequency changes +- int16_t GfxclkFmin; // MHz +- int16_t GfxclkFmax; // MHz ++ int16_t GfxclkFmin; // MHz ++ int16_t GfxclkFmax; // MHz + uint16_t UclkFmin; // MHz + uint16_t UclkFmax; // MHz + +@@ -730,7 +740,12 @@ typedef struct { + uint8_t MaxOpTemp; + uint8_t Padding[4]; + +- uint32_t Spare[12]; ++ uint16_t GfxVoltageFullCtrlMode; ++ uint16_t GfxclkFullCtrlMode; ++ uint16_t UclkFullCtrlMode; ++ int16_t AsicTdc; ++ ++ uint32_t Spare[10]; + uint32_t MmHubPadding[8]; // SMU internal use. Adding here instead of external as a workaround + } OverDriveTable_t; + +@@ -748,8 +763,8 @@ typedef struct { + uint8_t IdlePwrSavingFeaturesCtrl; + uint8_t RuntimePwrSavingFeaturesCtrl; + +- uint16_t GfxclkFmin; // MHz +- uint16_t GfxclkFmax; // MHz ++ int16_t GfxclkFmin; // MHz ++ int16_t GfxclkFmax; // MHz + uint16_t UclkFmin; // MHz + uint16_t UclkFmax; // MHz + +@@ -769,7 +784,12 @@ typedef struct { + uint8_t MaxOpTemp; + uint8_t Padding[4]; + +- uint32_t Spare[12]; ++ uint16_t GfxVoltageFullCtrlMode; ++ uint16_t GfxclkFullCtrlMode; ++ uint16_t UclkFullCtrlMode; ++ int16_t AsicTdc; ++ ++ uint32_t Spare[10]; + + } OverDriveLimits_t; + +@@ -903,7 +923,8 @@ typedef struct { + uint16_t FanStartTempMin; + uint16_t FanStartTempMax; + +- uint32_t Spare[12]; ++ uint16_t PowerMinPpt0[POWER_SOURCE_COUNT]; ++ uint32_t Spare[11]; + + } MsgLimits_t; + +@@ -1086,11 +1107,13 @@ typedef struct { + uint32_t GfxoffSpare[15]; + + // GFX GPO +- float DfllBtcMasterScalerM; ++ uint32_t DfllBtcMasterScalerM; + int32_t DfllBtcMasterScalerB; +- float DfllBtcSlaveScalerM; ++ uint32_t DfllBtcSlaveScalerM; + int32_t DfllBtcSlaveScalerB; +- uint32_t GfxGpoSpare[12]; ++ uint32_t DfllPccAsWaitCtrl; //GDFLL_AS_WAIT_CTRL_PCC register value to be passed to RLC msg ++ uint32_t DfllPccAsStepCtrl; //GDFLL_AS_STEP_CTRL_PCC register value to be passed to RLC msg ++ uint32_t GfxGpoSpare[10]; + + // GFX DCS + +@@ -1106,7 +1129,10 @@ typedef struct { + uint16_t DcsTimeout; //This is the amount of time SMU FW waits for RLC to put GFX into GFXOFF before reverting to the fallback mechanism of throttling GFXCLK to Fmin. + + +- uint32_t DcsSpare[16]; ++ uint32_t DcsSpare[14]; ++ ++ // UCLK section ++ uint16_t ShadowFreqTableUclk[NUM_UCLK_DPM_LEVELS]; // In MHz + + // UCLK section + uint8_t UseStrobeModeOptimizations; //Set to indicate that FW should use strobe mode optimizations +@@ -1163,13 +1189,14 @@ typedef struct { + uint16_t IntakeTempHighIntakeAcousticLimit; + uint16_t IntakeTempAcouticLimitReleaseRate; + +- uint16_t FanStalledTempLimitOffset; ++ int16_t FanAbnormalTempLimitOffset; + uint16_t FanStalledTriggerRpm; +- uint16_t FanAbnormalTriggerRpm; +- uint16_t FanPadding; +- +- uint32_t FanSpare[14]; ++ uint16_t FanAbnormalTriggerRpmCoeff; ++ uint16_t FanAbnormalDetectionEnable; + ++ uint8_t FanIntakeSensorSupport; ++ uint8_t FanIntakePadding[3]; ++ uint32_t FanSpare[13]; + // SECTION: VDD_GFX AVFS + + uint8_t OverrideGfxAvfsFuses; +@@ -1193,7 +1220,6 @@ typedef struct { + uint32_t dGbV_dT_vmin; + uint32_t dGbV_dT_vmax; + +- //Unused: PMFW-9370 + uint32_t V2F_vmin_range_low; + uint32_t V2F_vmin_range_high; + uint32_t V2F_vmax_range_low; +@@ -1238,8 +1264,21 @@ typedef struct { + // SECTION: Advanced Options + uint32_t DebugOverrides; + ++ // Section: Total Board Power idle vs active coefficients ++ uint8_t TotalBoardPowerSupport; ++ uint8_t TotalBoardPowerPadding[3]; ++ ++ int16_t TotalIdleBoardPowerM; ++ int16_t TotalIdleBoardPowerB; ++ int16_t TotalBoardPowerM; ++ int16_t TotalBoardPowerB; ++ ++ QuadraticInt_t qFeffCoeffGameClock[POWER_SOURCE_COUNT]; ++ QuadraticInt_t qFeffCoeffBaseClock[POWER_SOURCE_COUNT]; ++ QuadraticInt_t qFeffCoeffBoostClock[POWER_SOURCE_COUNT]; ++ + // SECTION: Sku Reserved +- uint32_t Spare[64]; ++ uint32_t Spare[43]; + + // Padding for MMHUB - do not modify this + uint32_t MmHubPadding[8]; +@@ -1304,7 +1343,8 @@ typedef struct { + // SECTION: Clock Spread Spectrum + + // UCLK Spread Spectrum +- uint16_t UclkSpreadPadding; ++ uint8_t UclkTrainingModeSpreadPercent; // Q4.4 ++ uint8_t UclkSpreadPadding; + uint16_t UclkSpreadFreq; // kHz + + // UCLK Spread Spectrum +@@ -1317,11 +1357,7 @@ typedef struct { + + // Section: Memory Config + uint8_t DramWidth; // Width of interface to the channel for each DRAM module. See DRAM_BIT_WIDTH_TYPE_e +- uint8_t PaddingMem1[3]; +- +- // Section: Total Board Power +- uint16_t TotalBoardPower; //Only needed for TCP Estimated case, where TCP = TGP+Total Board Power +- uint16_t BoardPowerPadding; ++ uint8_t PaddingMem1[7]; + + // SECTION: UMC feature flags + uint8_t HsrEnabled; +@@ -1423,8 +1459,11 @@ typedef struct { + uint16_t Vcn1ActivityPercentage ; + + uint32_t EnergyAccumulator; +- uint16_t AverageSocketPower ; ++ uint16_t AverageSocketPower; ++ uint16_t AverageTotalBoardPower; ++ + uint16_t AvgTemperature[TEMP_COUNT]; ++ uint16_t AvgTemperatureFanIntake; + + uint8_t PcieRate ; + uint8_t PcieWidth ; +@@ -1592,5 +1631,7 @@ typedef struct { + #define IH_INTERRUPT_CONTEXT_ID_AUDIO_D0 0x5 + #define IH_INTERRUPT_CONTEXT_ID_AUDIO_D3 0x6 + #define IH_INTERRUPT_CONTEXT_ID_THERMAL_THROTTLING 0x7 ++#define IH_INTERRUPT_CONTEXT_ID_FAN_ABNORMAL 0x8 ++#define IH_INTERRUPT_CONTEXT_ID_FAN_RECOVERY 0x9 + + #endif +diff --git a/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h b/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h +index b7f4569aff2a..865d6358918d 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h ++++ b/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h +@@ -31,7 +31,7 @@ + #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_4 0x07 + #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_5 0x04 + #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_0_10 0x32 +-#define SMU13_DRIVER_IF_VERSION_SMU_V13_0_7 0x2C ++#define SMU13_DRIVER_IF_VERSION_SMU_V13_0_7 0x35 + #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_10 0x1D + + #define SMU13_MODE1_RESET_WAIT_TIME_IN_MS 500 //500ms +-- +2.35.1 + diff --git a/queue-6.0/drm-amd-pm-update-driver-if-header-for-smu_v13_0_10.patch b/queue-6.0/drm-amd-pm-update-driver-if-header-for-smu_v13_0_10.patch new file mode 100644 index 00000000000..1eb28ab9253 --- /dev/null +++ b/queue-6.0/drm-amd-pm-update-driver-if-header-for-smu_v13_0_10.patch @@ -0,0 +1,302 @@ +From 6919d199ab957179b4888cb0910a61567a0bd547 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Oct 2022 11:24:05 +0800 +Subject: drm/amd/pm: update driver-if header for smu_v13_0_10 + +From: Kenneth Feng + +[ Upstream commit 09aef0258a327409bb2279a5ba8f82ad2ca099ca ] + +update driver-if header for smu_v13_0_10 and merge with smu_v13_0_0 + +Signed-off-by: Kenneth Feng +Reviewed-by: Hawking Zhang +Signed-off-by: Alex Deucher +Stable-dep-of: f2e1aa267f12 ("drm/amd/pm: update driver if header for smu_13_0_7") +Signed-off-by: Sasha Levin +--- + .../inc/pmfw_if/smu13_driver_if_v13_0_0.h | 111 +++++++++++++----- + drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h | 2 +- + .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 6 +- + 3 files changed, 84 insertions(+), 35 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu13_driver_if_v13_0_0.h b/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu13_driver_if_v13_0_0.h +index 063f4a737605..b76f0f7e4299 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu13_driver_if_v13_0_0.h ++++ b/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu13_driver_if_v13_0_0.h +@@ -25,7 +25,7 @@ + #define SMU13_DRIVER_IF_V13_0_0_H + + //Increment this version if SkuTable_t or BoardTable_t change +-#define PPTABLE_VERSION 0x24 ++#define PPTABLE_VERSION 0x26 + + #define NUM_GFXCLK_DPM_LEVELS 16 + #define NUM_SOCCLK_DPM_LEVELS 8 +@@ -109,6 +109,22 @@ + #define FEATURE_SPARE_63_BIT 63 + #define NUM_FEATURES 64 + ++#define ALLOWED_FEATURE_CTRL_DEFAULT 0xFFFFFFFFFFFFFFFFULL ++#define ALLOWED_FEATURE_CTRL_SCPM ((1 << FEATURE_DPM_GFXCLK_BIT) | \ ++ (1 << FEATURE_DPM_GFX_POWER_OPTIMIZER_BIT) | \ ++ (1 << FEATURE_DPM_UCLK_BIT) | \ ++ (1 << FEATURE_DPM_FCLK_BIT) | \ ++ (1 << FEATURE_DPM_SOCCLK_BIT) | \ ++ (1 << FEATURE_DPM_MP0CLK_BIT) | \ ++ (1 << FEATURE_DPM_LINK_BIT) | \ ++ (1 << FEATURE_DPM_DCN_BIT) | \ ++ (1 << FEATURE_DS_GFXCLK_BIT) | \ ++ (1 << FEATURE_DS_SOCCLK_BIT) | \ ++ (1 << FEATURE_DS_FCLK_BIT) | \ ++ (1 << FEATURE_DS_LCLK_BIT) | \ ++ (1 << FEATURE_DS_DCFCLK_BIT) | \ ++ (1 << FEATURE_DS_UCLK_BIT)) ++ + //For use with feature control messages + typedef enum { + FEATURE_PWR_ALL, +@@ -133,6 +149,7 @@ typedef enum { + #define DEBUG_OVERRIDE_DISABLE_DFLL 0x00000200 + #define DEBUG_OVERRIDE_ENABLE_RLC_VF_BRINGUP_MODE 0x00000400 + #define DEBUG_OVERRIDE_DFLL_MASTER_MODE 0x00000800 ++#define DEBUG_OVERRIDE_ENABLE_PROFILING_MODE 0x00001000 + + // VR Mapping Bit Defines + #define VR_MAPPING_VR_SELECT_MASK 0x01 +@@ -262,15 +279,15 @@ typedef enum { + } I2cControllerPort_e; + + typedef enum { +- I2C_CONTROLLER_NAME_VR_GFX = 0, +- I2C_CONTROLLER_NAME_VR_SOC, +- I2C_CONTROLLER_NAME_VR_VMEMP, +- I2C_CONTROLLER_NAME_VR_VDDIO, +- I2C_CONTROLLER_NAME_LIQUID0, +- I2C_CONTROLLER_NAME_LIQUID1, +- I2C_CONTROLLER_NAME_PLX, +- I2C_CONTROLLER_NAME_OTHER, +- I2C_CONTROLLER_NAME_COUNT, ++ I2C_CONTROLLER_NAME_VR_GFX = 0, ++ I2C_CONTROLLER_NAME_VR_SOC, ++ I2C_CONTROLLER_NAME_VR_VMEMP, ++ I2C_CONTROLLER_NAME_VR_VDDIO, ++ I2C_CONTROLLER_NAME_LIQUID0, ++ I2C_CONTROLLER_NAME_LIQUID1, ++ I2C_CONTROLLER_NAME_PLX, ++ I2C_CONTROLLER_NAME_FAN_INTAKE, ++ I2C_CONTROLLER_NAME_COUNT, + } I2cControllerName_e; + + typedef enum { +@@ -282,16 +299,17 @@ typedef enum { + I2C_CONTROLLER_THROTTLER_LIQUID0, + I2C_CONTROLLER_THROTTLER_LIQUID1, + I2C_CONTROLLER_THROTTLER_PLX, ++ I2C_CONTROLLER_THROTTLER_FAN_INTAKE, + I2C_CONTROLLER_THROTTLER_INA3221, + I2C_CONTROLLER_THROTTLER_COUNT, + } I2cControllerThrottler_e; + + typedef enum { +- I2C_CONTROLLER_PROTOCOL_VR_XPDE132G5, +- I2C_CONTROLLER_PROTOCOL_VR_IR35217, +- I2C_CONTROLLER_PROTOCOL_TMP_TMP102A, +- I2C_CONTROLLER_PROTOCOL_INA3221, +- I2C_CONTROLLER_PROTOCOL_COUNT, ++ I2C_CONTROLLER_PROTOCOL_VR_XPDE132G5, ++ I2C_CONTROLLER_PROTOCOL_VR_IR35217, ++ I2C_CONTROLLER_PROTOCOL_TMP_MAX31875, ++ I2C_CONTROLLER_PROTOCOL_INA3221, ++ I2C_CONTROLLER_PROTOCOL_COUNT, + } I2cControllerProtocol_e; + + typedef struct { +@@ -658,13 +676,20 @@ typedef struct { + + #define PP_NUM_OD_VF_CURVE_POINTS PP_NUM_RTAVFS_PWL_ZONES + 1 + ++typedef enum { ++ FAN_MODE_AUTO = 0, ++ FAN_MODE_MANUAL_LINEAR, ++} FanMode_e; + + typedef struct { + uint32_t FeatureCtrlMask; + + //Voltage control + int16_t VoltageOffsetPerZoneBoundary[PP_NUM_OD_VF_CURVE_POINTS]; +- uint16_t reserved[2]; ++ uint16_t VddGfxVmax; // in mV ++ ++ uint8_t IdlePwrSavingFeaturesCtrl; ++ uint8_t RuntimePwrSavingFeaturesCtrl; + + //Frequency changes + int16_t GfxclkFmin; // MHz +@@ -674,7 +699,7 @@ typedef struct { + + //PPT + int16_t Ppt; // % +- int16_t reserved1; ++ int16_t Tdc; + + //Fan control + uint8_t FanLinearPwmPoints[NUM_OD_FAN_MAX_POINTS]; +@@ -701,16 +726,19 @@ typedef struct { + uint32_t FeatureCtrlMask; + + int16_t VoltageOffsetPerZoneBoundary; +- uint16_t reserved[2]; ++ uint16_t VddGfxVmax; // in mV ++ ++ uint8_t IdlePwrSavingFeaturesCtrl; ++ uint8_t RuntimePwrSavingFeaturesCtrl; + +- uint16_t GfxclkFmin; // MHz +- uint16_t GfxclkFmax; // MHz ++ int16_t GfxclkFmin; // MHz ++ int16_t GfxclkFmax; // MHz + uint16_t UclkFmin; // MHz + uint16_t UclkFmax; // MHz + + //PPT + int16_t Ppt; // % +- int16_t reserved1; ++ int16_t Tdc; + + uint8_t FanLinearPwmPoints; + uint8_t FanLinearTempPoints; +@@ -857,7 +885,8 @@ typedef struct { + uint16_t FanStartTempMin; + uint16_t FanStartTempMax; + +- uint32_t Spare[12]; ++ uint16_t PowerMinPpt0[POWER_SOURCE_COUNT]; ++ uint32_t Spare[11]; + + } MsgLimits_t; + +@@ -1041,7 +1070,17 @@ typedef struct { + uint32_t GfxoffSpare[15]; + + // GFX GPO +- uint32_t GfxGpoSpare[16]; ++ uint32_t DfllBtcMasterScalerM; ++ int32_t DfllBtcMasterScalerB; ++ uint32_t DfllBtcSlaveScalerM; ++ int32_t DfllBtcSlaveScalerB; ++ ++ uint32_t DfllPccAsWaitCtrl; //GDFLL_AS_WAIT_CTRL_PCC register value to be passed to RLC msg ++ uint32_t DfllPccAsStepCtrl; //GDFLL_AS_STEP_CTRL_PCC register value to be passed to RLC msg ++ ++ uint32_t DfllL2FrequencyBoostM; //Unitless (float) ++ uint32_t DfllL2FrequencyBoostB; //In MHz (integer) ++ uint32_t GfxGpoSpare[8]; + + // GFX DCS + +@@ -1114,12 +1153,14 @@ typedef struct { + uint16_t IntakeTempHighIntakeAcousticLimit; + uint16_t IntakeTempAcouticLimitReleaseRate; + +- uint16_t FanStalledTempLimitOffset; ++ int16_t FanAbnormalTempLimitOffset; + uint16_t FanStalledTriggerRpm; +- uint16_t FanAbnormalTriggerRpm; +- uint16_t FanPadding; ++ uint16_t FanAbnormalTriggerRpmCoeff; ++ uint16_t FanAbnormalDetectionEnable; + +- uint32_t FanSpare[14]; ++ uint8_t FanIntakeSensorSupport; ++ uint8_t FanIntakePadding[3]; ++ uint32_t FanSpare[13]; + + // SECTION: VDD_GFX AVFS + +@@ -1198,8 +1239,13 @@ typedef struct { + int16_t TotalBoardPowerM; + int16_t TotalBoardPowerB; + ++ //PMFW-11158 ++ QuadraticInt_t qFeffCoeffGameClock[POWER_SOURCE_COUNT]; ++ QuadraticInt_t qFeffCoeffBaseClock[POWER_SOURCE_COUNT]; ++ QuadraticInt_t qFeffCoeffBoostClock[POWER_SOURCE_COUNT]; ++ + // SECTION: Sku Reserved +- uint32_t Spare[61]; ++ uint32_t Spare[43]; + + // Padding for MMHUB - do not modify this + uint32_t MmHubPadding[8]; +@@ -1288,8 +1334,11 @@ typedef struct { + uint32_t PostVoltageSetBacoDelay; // in microseconds. Amount of time FW will wait after power good is established or PSI0 command is issued + uint32_t BacoEntryDelay; // in milliseconds. Amount of time FW will wait to trigger BACO entry after receiving entry notification from OS + ++ uint8_t FuseWritePowerMuxPresent; ++ uint8_t FuseWritePadding[3]; ++ + // SECTION: Board Reserved +- uint32_t BoardSpare[64]; ++ uint32_t BoardSpare[63]; + + // SECTION: Structure Padding + +@@ -1381,7 +1430,7 @@ typedef struct { + uint16_t AverageTotalBoardPower; + + uint16_t AvgTemperature[TEMP_COUNT]; +- uint16_t TempPadding; ++ uint16_t AvgTemperatureFanIntake; + + uint8_t PcieRate ; + uint8_t PcieWidth ; +@@ -1550,5 +1599,7 @@ typedef struct { + #define IH_INTERRUPT_CONTEXT_ID_AUDIO_D0 0x5 + #define IH_INTERRUPT_CONTEXT_ID_AUDIO_D3 0x6 + #define IH_INTERRUPT_CONTEXT_ID_THERMAL_THROTTLING 0x7 ++#define IH_INTERRUPT_CONTEXT_ID_FAN_ABNORMAL 0x8 ++#define IH_INTERRUPT_CONTEXT_ID_FAN_RECOVERY 0x9 + + #endif +diff --git a/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h b/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h +index dd5867561068..b7f4569aff2a 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h ++++ b/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h +@@ -30,7 +30,7 @@ + #define SMU13_DRIVER_IF_VERSION_ALDE 0x08 + #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_4 0x07 + #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_5 0x04 +-#define SMU13_DRIVER_IF_VERSION_SMU_V13_0_0 0x30 ++#define SMU13_DRIVER_IF_VERSION_SMU_V13_0_0_10 0x32 + #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_7 0x2C + #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_10 0x1D + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c +index e7380aa4f6be..1983e0d29e9d 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c +@@ -288,7 +288,8 @@ int smu_v13_0_check_fw_version(struct smu_context *smu) + smu->smc_driver_if_version = SMU13_DRIVER_IF_VERSION_ALDE; + break; + case IP_VERSION(13, 0, 0): +- smu->smc_driver_if_version = SMU13_DRIVER_IF_VERSION_SMU_V13_0_0; ++ case IP_VERSION(13, 0, 10): ++ smu->smc_driver_if_version = SMU13_DRIVER_IF_VERSION_SMU_V13_0_0_10; + break; + case IP_VERSION(13, 0, 7): + smu->smc_driver_if_version = SMU13_DRIVER_IF_VERSION_SMU_V13_0_7; +@@ -304,9 +305,6 @@ int smu_v13_0_check_fw_version(struct smu_context *smu) + case IP_VERSION(13, 0, 5): + smu->smc_driver_if_version = SMU13_DRIVER_IF_VERSION_SMU_V13_0_5; + break; +- case IP_VERSION(13, 0, 10): +- smu->smc_driver_if_version = SMU13_DRIVER_IF_VERSION_SMU_V13_0_10; +- break; + default: + dev_err(adev->dev, "smu unsupported IP version: 0x%x.\n", + adev->ip_versions[MP1_HWIP][0]); +-- +2.35.1 + diff --git a/queue-6.0/drm-amdgpu-cleanup-error-handling-in-amdgpu_cs_parse.patch b/queue-6.0/drm-amdgpu-cleanup-error-handling-in-amdgpu_cs_parse.patch new file mode 100644 index 00000000000..e7de7725a57 --- /dev/null +++ b/queue-6.0/drm-amdgpu-cleanup-error-handling-in-amdgpu_cs_parse.patch @@ -0,0 +1,85 @@ +From 4aed28c21b4027da7c1b419c29667f93485305dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 09:52:13 +0200 +Subject: drm/amdgpu: cleanup error handling in amdgpu_cs_parser_bos +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian König + +[ Upstream commit 4953b6b22ab9d7f64706631a027b1ed1130ce4c8 ] + +Return early on success and so remove all those "if (r)" in the error +path. + +Signed-off-by: Christian König +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Stable-dep-of: 4458da0bb09d ("drm/amdgpu: fix userptr HMM range handling v2") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 37 +++++++++++++------------- + 1 file changed, 18 insertions(+), 19 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +index aa3ce01cd538..fee99a40804e 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +@@ -608,35 +608,34 @@ static int amdgpu_cs_parser_bos(struct amdgpu_cs_parser *p, + if (r) + goto error_validate; + +- amdgpu_cs_report_moved_bytes(p->adev, p->bytes_moved, +- p->bytes_moved_vis); +- +- amdgpu_job_set_resources(p->job, p->bo_list->gds_obj, +- p->bo_list->gws_obj, p->bo_list->oa_obj); +- +- if (!r && p->uf_entry.tv.bo) { ++ if (p->uf_entry.tv.bo) { + struct amdgpu_bo *uf = ttm_to_amdgpu_bo(p->uf_entry.tv.bo); + + r = amdgpu_ttm_alloc_gart(&uf->tbo); ++ if (r) ++ goto error_validate; ++ + p->job->uf_addr += amdgpu_bo_gpu_offset(uf); + } + ++ amdgpu_cs_report_moved_bytes(p->adev, p->bytes_moved, ++ p->bytes_moved_vis); ++ amdgpu_job_set_resources(p->job, p->bo_list->gds_obj, ++ p->bo_list->gws_obj, p->bo_list->oa_obj); ++ return 0; ++ + error_validate: +- if (r) +- ttm_eu_backoff_reservation(&p->ticket, &p->validated); ++ ttm_eu_backoff_reservation(&p->ticket, &p->validated); + + out_free_user_pages: +- if (r) { +- amdgpu_bo_list_for_each_userptr_entry(e, p->bo_list) { +- struct amdgpu_bo *bo = ttm_to_amdgpu_bo(e->tv.bo); ++ amdgpu_bo_list_for_each_userptr_entry(e, p->bo_list) { ++ struct amdgpu_bo *bo = ttm_to_amdgpu_bo(e->tv.bo); + +- if (!e->user_pages) +- continue; +- amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm); +- kvfree(e->user_pages); +- e->user_pages = NULL; +- } +- mutex_unlock(&p->bo_list->bo_list_mutex); ++ if (!e->user_pages) ++ continue; ++ amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm); ++ kvfree(e->user_pages); ++ e->user_pages = NULL; + } + return r; + } +-- +2.35.1 + diff --git a/queue-6.0/drm-amdgpu-fix-userptr-hmm-range-handling-v2.patch b/queue-6.0/drm-amdgpu-fix-userptr-hmm-range-handling-v2.patch new file mode 100644 index 00000000000..85888ff34b3 --- /dev/null +++ b/queue-6.0/drm-amdgpu-fix-userptr-hmm-range-handling-v2.patch @@ -0,0 +1,350 @@ +From ff0ff35201cb8d517a33863ea5ac00e57188de27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 12:31:41 +0100 +Subject: drm/amdgpu: fix userptr HMM range handling v2 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian König + +[ Upstream commit 4458da0bb09d4435956b4377685e8836935e9b9d ] + +The basic problem here is that it's not allowed to page fault while +holding the reservation lock. + +So it can happen that multiple processes try to validate an userptr +at the same time. + +Work around that by putting the HMM range object into the mutex +protected bo list for now. + +v2: make sure range is set to NULL in case of an error + +Signed-off-by: Christian König +Reviewed-by: Alex Deucher +Reviewed-by: Felix Kuehling +CC: stable@vger.kernel.org +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 12 +++-- + drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 1 + + drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h | 3 ++ + drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 8 +-- + drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 6 ++- + drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 53 ++++++------------- + drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h | 14 +++-- + 7 files changed, 46 insertions(+), 51 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +index 7db4aef9c45c..5e184952ec98 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +@@ -985,6 +985,7 @@ static int init_user_pages(struct kgd_mem *mem, uint64_t user_addr, + struct amdkfd_process_info *process_info = mem->process_info; + struct amdgpu_bo *bo = mem->bo; + struct ttm_operation_ctx ctx = { true, false }; ++ struct hmm_range *range; + int ret = 0; + + mutex_lock(&process_info->lock); +@@ -1014,7 +1015,7 @@ static int init_user_pages(struct kgd_mem *mem, uint64_t user_addr, + return 0; + } + +- ret = amdgpu_ttm_tt_get_user_pages(bo, bo->tbo.ttm->pages); ++ ret = amdgpu_ttm_tt_get_user_pages(bo, bo->tbo.ttm->pages, &range); + if (ret) { + pr_err("%s: Failed to get user pages: %d\n", __func__, ret); + goto unregister_out; +@@ -1032,7 +1033,7 @@ static int init_user_pages(struct kgd_mem *mem, uint64_t user_addr, + amdgpu_bo_unreserve(bo); + + release_out: +- amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm); ++ amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm, range); + unregister_out: + if (ret) + amdgpu_mn_unregister(bo); +@@ -2367,6 +2368,8 @@ static int update_invalid_user_pages(struct amdkfd_process_info *process_info, + /* Go through userptr_inval_list and update any invalid user_pages */ + list_for_each_entry(mem, &process_info->userptr_inval_list, + validate_list.head) { ++ struct hmm_range *range; ++ + invalid = atomic_read(&mem->invalid); + if (!invalid) + /* BO hasn't been invalidated since the last +@@ -2377,7 +2380,8 @@ static int update_invalid_user_pages(struct amdkfd_process_info *process_info, + bo = mem->bo; + + /* Get updated user pages */ +- ret = amdgpu_ttm_tt_get_user_pages(bo, bo->tbo.ttm->pages); ++ ret = amdgpu_ttm_tt_get_user_pages(bo, bo->tbo.ttm->pages, ++ &range); + if (ret) { + pr_debug("Failed %d to get user pages\n", ret); + +@@ -2396,7 +2400,7 @@ static int update_invalid_user_pages(struct amdkfd_process_info *process_info, + * FIXME: Cannot ignore the return code, must hold + * notifier_lock + */ +- amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm); ++ amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm, range); + } + + /* Mark the BO as valid unless it was invalidated +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c +index 2168163aad2d..252a876b0725 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c +@@ -209,6 +209,7 @@ void amdgpu_bo_list_get_list(struct amdgpu_bo_list *list, + list_add_tail(&e->tv.head, &bucket[priority]); + + e->user_pages = NULL; ++ e->range = NULL; + } + + /* Connect the sorted buckets in the output list. */ +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h +index 9caea1688fc3..e4d78491bcc7 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h +@@ -26,6 +26,8 @@ + #include + #include + ++struct hmm_range; ++ + struct amdgpu_device; + struct amdgpu_bo; + struct amdgpu_bo_va; +@@ -36,6 +38,7 @@ struct amdgpu_bo_list_entry { + struct amdgpu_bo_va *bo_va; + uint32_t priority; + struct page **user_pages; ++ struct hmm_range *range; + bool user_invalidated; + }; + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +index fee99a40804e..7e350ea0368b 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +@@ -548,7 +548,7 @@ static int amdgpu_cs_parser_bos(struct amdgpu_cs_parser *p, + goto out_free_user_pages; + } + +- r = amdgpu_ttm_tt_get_user_pages(bo, e->user_pages); ++ r = amdgpu_ttm_tt_get_user_pages(bo, e->user_pages, &e->range); + if (r) { + kvfree(e->user_pages); + e->user_pages = NULL; +@@ -633,9 +633,10 @@ static int amdgpu_cs_parser_bos(struct amdgpu_cs_parser *p, + + if (!e->user_pages) + continue; +- amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm); ++ amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm, e->range); + kvfree(e->user_pages); + e->user_pages = NULL; ++ e->range = NULL; + } + return r; + } +@@ -1230,7 +1231,8 @@ static int amdgpu_cs_submit(struct amdgpu_cs_parser *p, + amdgpu_bo_list_for_each_userptr_entry(e, p->bo_list) { + struct amdgpu_bo *bo = ttm_to_amdgpu_bo(e->tv.bo); + +- r |= !amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm); ++ r |= !amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm, e->range); ++ e->range = NULL; + } + if (r) { + r = -EAGAIN; +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c +index 111484ceb47d..91571b1324f2 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c +@@ -378,6 +378,7 @@ int amdgpu_gem_userptr_ioctl(struct drm_device *dev, void *data, + struct amdgpu_device *adev = drm_to_adev(dev); + struct drm_amdgpu_gem_userptr *args = data; + struct drm_gem_object *gobj; ++ struct hmm_range *range; + struct amdgpu_bo *bo; + uint32_t handle; + int r; +@@ -418,7 +419,8 @@ int amdgpu_gem_userptr_ioctl(struct drm_device *dev, void *data, + goto release_object; + + if (args->flags & AMDGPU_GEM_USERPTR_VALIDATE) { +- r = amdgpu_ttm_tt_get_user_pages(bo, bo->tbo.ttm->pages); ++ r = amdgpu_ttm_tt_get_user_pages(bo, bo->tbo.ttm->pages, ++ &range); + if (r) + goto release_object; + +@@ -441,7 +443,7 @@ int amdgpu_gem_userptr_ioctl(struct drm_device *dev, void *data, + + user_pages_done: + if (args->flags & AMDGPU_GEM_USERPTR_VALIDATE) +- amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm); ++ amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm, range); + + release_object: + drm_gem_object_put(gobj); +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +index 9e6c23266a1a..dfb8875e0f28 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +@@ -642,9 +642,6 @@ struct amdgpu_ttm_tt { + struct task_struct *usertask; + uint32_t userflags; + bool bound; +-#if IS_ENABLED(CONFIG_DRM_AMDGPU_USERPTR) +- struct hmm_range *range; +-#endif + }; + + #define ttm_to_amdgpu_ttm_tt(ptr) container_of(ptr, struct amdgpu_ttm_tt, ttm) +@@ -657,7 +654,8 @@ struct amdgpu_ttm_tt { + * Calling function must call amdgpu_ttm_tt_userptr_range_done() once and only + * once afterwards to stop HMM tracking + */ +-int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, struct page **pages) ++int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, struct page **pages, ++ struct hmm_range **range) + { + struct ttm_tt *ttm = bo->tbo.ttm; + struct amdgpu_ttm_tt *gtt = ttm_to_amdgpu_ttm_tt(ttm); +@@ -667,16 +665,15 @@ int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, struct page **pages) + bool readonly; + int r = 0; + ++ /* Make sure get_user_pages_done() can cleanup gracefully */ ++ *range = NULL; ++ + mm = bo->notifier.mm; + if (unlikely(!mm)) { + DRM_DEBUG_DRIVER("BO is not registered?\n"); + return -EFAULT; + } + +- /* Another get_user_pages is running at the same time?? */ +- if (WARN_ON(gtt->range)) +- return -EFAULT; +- + if (!mmget_not_zero(mm)) /* Happens during process shutdown */ + return -ESRCH; + +@@ -694,7 +691,7 @@ int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, struct page **pages) + + readonly = amdgpu_ttm_tt_is_readonly(ttm); + r = amdgpu_hmm_range_get_pages(&bo->notifier, mm, pages, start, +- ttm->num_pages, >t->range, readonly, ++ ttm->num_pages, range, readonly, + true, NULL); + out_unlock: + mmap_read_unlock(mm); +@@ -712,30 +709,24 @@ int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, struct page **pages) + * + * Returns: true if pages are still valid + */ +-bool amdgpu_ttm_tt_get_user_pages_done(struct ttm_tt *ttm) ++bool amdgpu_ttm_tt_get_user_pages_done(struct ttm_tt *ttm, ++ struct hmm_range *range) + { + struct amdgpu_ttm_tt *gtt = ttm_to_amdgpu_ttm_tt(ttm); +- bool r = false; + +- if (!gtt || !gtt->userptr) ++ if (!gtt || !gtt->userptr || !range) + return false; + + DRM_DEBUG_DRIVER("user_pages_done 0x%llx pages 0x%x\n", + gtt->userptr, ttm->num_pages); + +- WARN_ONCE(!gtt->range || !gtt->range->hmm_pfns, +- "No user pages to check\n"); ++ WARN_ONCE(!range->hmm_pfns, "No user pages to check\n"); + +- if (gtt->range) { +- /* +- * FIXME: Must always hold notifier_lock for this, and must +- * not ignore the return code. +- */ +- r = amdgpu_hmm_range_get_pages_done(gtt->range); +- gtt->range = NULL; +- } +- +- return !r; ++ /* ++ * FIXME: Must always hold notifier_lock for this, and must ++ * not ignore the return code. ++ */ ++ return !amdgpu_hmm_range_get_pages_done(range); + } + #endif + +@@ -812,20 +803,6 @@ static void amdgpu_ttm_tt_unpin_userptr(struct ttm_device *bdev, + /* unmap the pages mapped to the device */ + dma_unmap_sgtable(adev->dev, ttm->sg, direction, 0); + sg_free_table(ttm->sg); +- +-#if IS_ENABLED(CONFIG_DRM_AMDGPU_USERPTR) +- if (gtt->range) { +- unsigned long i; +- +- for (i = 0; i < ttm->num_pages; i++) { +- if (ttm->pages[i] != +- hmm_pfn_to_page(gtt->range->hmm_pfns[i])) +- break; +- } +- +- WARN((i == ttm->num_pages), "Missing get_user_page_done\n"); +- } +-#endif + } + + static void amdgpu_ttm_gart_bind(struct amdgpu_device *adev, +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h +index 6a70818039dd..a37207011a69 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h +@@ -39,6 +39,8 @@ + + #define AMDGPU_POISON 0xd0bed0be + ++struct hmm_range; ++ + struct amdgpu_gtt_mgr { + struct ttm_resource_manager manager; + struct drm_mm mm; +@@ -149,15 +151,19 @@ void amdgpu_ttm_recover_gart(struct ttm_buffer_object *tbo); + uint64_t amdgpu_ttm_domain_start(struct amdgpu_device *adev, uint32_t type); + + #if IS_ENABLED(CONFIG_DRM_AMDGPU_USERPTR) +-int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, struct page **pages); +-bool amdgpu_ttm_tt_get_user_pages_done(struct ttm_tt *ttm); ++int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, struct page **pages, ++ struct hmm_range **range); ++bool amdgpu_ttm_tt_get_user_pages_done(struct ttm_tt *ttm, ++ struct hmm_range *range); + #else + static inline int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, +- struct page **pages) ++ struct page **pages, ++ struct hmm_range **range) + { + return -EPERM; + } +-static inline bool amdgpu_ttm_tt_get_user_pages_done(struct ttm_tt *ttm) ++static inline bool amdgpu_ttm_tt_get_user_pages_done(struct ttm_tt *ttm, ++ struct hmm_range *range) + { + return false; + } +-- +2.35.1 + diff --git a/queue-6.0/drm-amdgpu-move-setting-the-job-resources.patch b/queue-6.0/drm-amdgpu-move-setting-the-job-resources.patch new file mode 100644 index 00000000000..4a07728da64 --- /dev/null +++ b/queue-6.0/drm-amdgpu-move-setting-the-job-resources.patch @@ -0,0 +1,110 @@ +From ac24019d70845bf8f3bdf198dbc2c2df5ff8171b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Mar 2022 10:59:14 +0100 +Subject: drm/amdgpu: move setting the job resources +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian König + +[ Upstream commit 736ec9fadd7a1fde8480df7e5cfac465c07ff6f3 ] + +Move setting the job resources into amdgpu_job.c + +Signed-off-by: Christian König +Reviewed-by: Andrey Grodzovsky +Reviewed-by: Luben Tuikov +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Stable-dep-of: 4458da0bb09d ("drm/amdgpu: fix userptr HMM range handling v2") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 21 ++------------------- + drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 17 +++++++++++++++++ + drivers/gpu/drm/amd/amdgpu/amdgpu_job.h | 2 ++ + 3 files changed, 21 insertions(+), 19 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +index b7bae833c804..aa3ce01cd538 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +@@ -495,9 +495,6 @@ static int amdgpu_cs_parser_bos(struct amdgpu_cs_parser *p, + struct amdgpu_vm *vm = &fpriv->vm; + struct amdgpu_bo_list_entry *e; + struct list_head duplicates; +- struct amdgpu_bo *gds; +- struct amdgpu_bo *gws; +- struct amdgpu_bo *oa; + int r; + + INIT_LIST_HEAD(&p->validated); +@@ -614,22 +611,8 @@ static int amdgpu_cs_parser_bos(struct amdgpu_cs_parser *p, + amdgpu_cs_report_moved_bytes(p->adev, p->bytes_moved, + p->bytes_moved_vis); + +- gds = p->bo_list->gds_obj; +- gws = p->bo_list->gws_obj; +- oa = p->bo_list->oa_obj; +- +- if (gds) { +- p->job->gds_base = amdgpu_bo_gpu_offset(gds) >> PAGE_SHIFT; +- p->job->gds_size = amdgpu_bo_size(gds) >> PAGE_SHIFT; +- } +- if (gws) { +- p->job->gws_base = amdgpu_bo_gpu_offset(gws) >> PAGE_SHIFT; +- p->job->gws_size = amdgpu_bo_size(gws) >> PAGE_SHIFT; +- } +- if (oa) { +- p->job->oa_base = amdgpu_bo_gpu_offset(oa) >> PAGE_SHIFT; +- p->job->oa_size = amdgpu_bo_size(oa) >> PAGE_SHIFT; +- } ++ amdgpu_job_set_resources(p->job, p->bo_list->gds_obj, ++ p->bo_list->gws_obj, p->bo_list->oa_obj); + + if (!r && p->uf_entry.tv.bo) { + struct amdgpu_bo *uf = ttm_to_amdgpu_bo(p->uf_entry.tv.bo); +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c +index c2fd6f3076a6..3b025aace283 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c +@@ -129,6 +129,23 @@ int amdgpu_job_alloc_with_ib(struct amdgpu_device *adev, unsigned size, + return r; + } + ++void amdgpu_job_set_resources(struct amdgpu_job *job, struct amdgpu_bo *gds, ++ struct amdgpu_bo *gws, struct amdgpu_bo *oa) ++{ ++ if (gds) { ++ job->gds_base = amdgpu_bo_gpu_offset(gds) >> PAGE_SHIFT; ++ job->gds_size = amdgpu_bo_size(gds) >> PAGE_SHIFT; ++ } ++ if (gws) { ++ job->gws_base = amdgpu_bo_gpu_offset(gws) >> PAGE_SHIFT; ++ job->gws_size = amdgpu_bo_size(gws) >> PAGE_SHIFT; ++ } ++ if (oa) { ++ job->oa_base = amdgpu_bo_gpu_offset(oa) >> PAGE_SHIFT; ++ job->oa_size = amdgpu_bo_size(oa) >> PAGE_SHIFT; ++ } ++} ++ + void amdgpu_job_free_resources(struct amdgpu_job *job) + { + struct amdgpu_ring *ring = to_amdgpu_ring(job->base.sched); +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.h +index babc0af751c2..2a1961bf1194 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.h +@@ -76,6 +76,8 @@ int amdgpu_job_alloc(struct amdgpu_device *adev, unsigned num_ibs, + struct amdgpu_job **job, struct amdgpu_vm *vm); + int amdgpu_job_alloc_with_ib(struct amdgpu_device *adev, unsigned size, + enum amdgpu_ib_pool_type pool, struct amdgpu_job **job); ++void amdgpu_job_set_resources(struct amdgpu_job *job, struct amdgpu_bo *gds, ++ struct amdgpu_bo *gws, struct amdgpu_bo *oa); + void amdgpu_job_free_resources(struct amdgpu_job *job); + void amdgpu_job_free(struct amdgpu_job *job); + int amdgpu_job_submit(struct amdgpu_job *job, struct drm_sched_entity *entity, +-- +2.35.1 + diff --git a/queue-6.0/dsa-lan9303-correct-stat-name.patch b/queue-6.0/dsa-lan9303-correct-stat-name.patch new file mode 100644 index 00000000000..d867aa4cf9c --- /dev/null +++ b/queue-6.0/dsa-lan9303-correct-stat-name.patch @@ -0,0 +1,43 @@ +From 82bf46d8d2e5f6dd904fc4604c7b1bf09b3dd067 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 13:35:59 -0600 +Subject: dsa: lan9303: Correct stat name + +From: Jerry Ray + +[ Upstream commit 39f59bca275d2d819a8788c0f962e9e89843efc9 ] + +This patch changes the reported ethtool statistics for the lan9303 +family of parts covered by this driver. + +The TxUnderRun statistic label is renamed to RxShort to accurately +reflect what stat the device is reporting. I did not reorder the +statistics as that might cause problems with existing user code that +are expecting the stats at a certain offset. + +Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303") +Signed-off-by: Jerry Ray +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20221128193559.6572-1-jerry.ray@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/lan9303-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/lan9303-core.c b/drivers/net/dsa/lan9303-core.c +index e03ff1f267bb..1de62604434d 100644 +--- a/drivers/net/dsa/lan9303-core.c ++++ b/drivers/net/dsa/lan9303-core.c +@@ -959,7 +959,7 @@ static const struct lan9303_mib_desc lan9303_mib[] = { + { .offset = LAN9303_MAC_TX_BRDCST_CNT_0, .name = "TxBroad", }, + { .offset = LAN9303_MAC_TX_PAUSE_CNT_0, .name = "TxPause", }, + { .offset = LAN9303_MAC_TX_MULCST_CNT_0, .name = "TxMulti", }, +- { .offset = LAN9303_MAC_RX_UNDSZE_CNT_0, .name = "TxUnderRun", }, ++ { .offset = LAN9303_MAC_RX_UNDSZE_CNT_0, .name = "RxShort", }, + { .offset = LAN9303_MAC_TX_64_CNT_0, .name = "Tx64Byte", }, + { .offset = LAN9303_MAC_TX_127_CNT_0, .name = "Tx128Byte", }, + { .offset = LAN9303_MAC_TX_255_CNT_0, .name = "Tx256Byte", }, +-- +2.35.1 + diff --git a/queue-6.0/e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch b/queue-6.0/e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch new file mode 100644 index 00000000000..55a7b475a27 --- /dev/null +++ b/queue-6.0/e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch @@ -0,0 +1,45 @@ +From 06d53eaed4409c281f8928eae5968fbc9b538d27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 01:24:07 +0800 +Subject: e100: Fix possible use after free in e100_xmit_prepare + +From: Wang Hai + +[ Upstream commit 45605c75c52c7ae7bfe902214343aabcfe5ba0ff ] + +In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so +e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will +resend the skb. But the skb is already freed, which will cause UAF bug +when the upper layer resends the skb. + +Remove the harmful free. + +Fixes: 5e5d49422dfb ("e100: Release skb when DMA mapping is failed in e100_xmit_prepare") +Signed-off-by: Wang Hai +Reviewed-by: Alexander Duyck +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e100.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c +index 11a884aa5082..90a2ba20e902 100644 +--- a/drivers/net/ethernet/intel/e100.c ++++ b/drivers/net/ethernet/intel/e100.c +@@ -1741,11 +1741,8 @@ static int e100_xmit_prepare(struct nic *nic, struct cb *cb, + dma_addr = dma_map_single(&nic->pdev->dev, skb->data, skb->len, + DMA_TO_DEVICE); + /* If we can't map the skb, have the upper layer try later */ +- if (dma_mapping_error(&nic->pdev->dev, dma_addr)) { +- dev_kfree_skb_any(skb); +- skb = NULL; ++ if (dma_mapping_error(&nic->pdev->dev, dma_addr)) + return -ENOMEM; +- } + + /* + * Use the last 4 bytes of the SKB payload packet as the CRC, used for +-- +2.35.1 + diff --git a/queue-6.0/fm10k-fix-error-handling-in-fm10k_init_module.patch b/queue-6.0/fm10k-fix-error-handling-in-fm10k_init_module.patch new file mode 100644 index 00000000000..b35f2043c26 --- /dev/null +++ b/queue-6.0/fm10k-fix-error-handling-in-fm10k_init_module.patch @@ -0,0 +1,76 @@ +From 5031932e18dc3cd8589351ae92643f6c6404b0a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 08:26:39 +0000 +Subject: fm10k: Fix error handling in fm10k_init_module() + +From: Yuan Can + +[ Upstream commit 771a794c0a3c3e7f0d86cc34be4f9537e8c0a20c ] + +A problem about modprobe fm10k failed is triggered with the following log +given: + + Intel(R) Ethernet Switch Host Interface Driver + Copyright(c) 2013 - 2019 Intel Corporation. + debugfs: Directory 'fm10k' with parent '/' already present! + +The reason is that fm10k_init_module() returns fm10k_register_pci_driver() +directly without checking its return value, if fm10k_register_pci_driver() +failed, it returns without removing debugfs and destroy workqueue, +resulting the debugfs of fm10k can never be created later and leaks the +workqueue. + + fm10k_init_module() + alloc_workqueue() + fm10k_dbg_init() # create debugfs + fm10k_register_pci_driver() + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without remove debugfs and destroy workqueue + +Fix by remove debugfs and destroy workqueue when +fm10k_register_pci_driver() returns error. + +Fixes: 7461fd913afe ("fm10k: Add support for debugfs") +Fixes: b382bb1b3e2d ("fm10k: use separate workqueue for fm10k driver") +Signed-off-by: Yuan Can +Reviewed-by: Jacob Keller +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/fm10k/fm10k_main.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_main.c b/drivers/net/ethernet/intel/fm10k/fm10k_main.c +index 3362f26d7f99..1b273446621c 100644 +--- a/drivers/net/ethernet/intel/fm10k/fm10k_main.c ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_main.c +@@ -32,6 +32,8 @@ struct workqueue_struct *fm10k_workqueue; + **/ + static int __init fm10k_init_module(void) + { ++ int ret; ++ + pr_info("%s\n", fm10k_driver_string); + pr_info("%s\n", fm10k_copyright); + +@@ -43,7 +45,13 @@ static int __init fm10k_init_module(void) + + fm10k_dbg_init(); + +- return fm10k_register_pci_driver(); ++ ret = fm10k_register_pci_driver(); ++ if (ret) { ++ fm10k_dbg_exit(); ++ destroy_workqueue(fm10k_workqueue); ++ } ++ ++ return ret; + } + module_init(fm10k_init_module); + +-- +2.35.1 + diff --git a/queue-6.0/hwmon-asus-ec-sensors-add-checks-for-devm_kcalloc.patch b/queue-6.0/hwmon-asus-ec-sensors-add-checks-for-devm_kcalloc.patch new file mode 100644 index 00000000000..cd242daab5a --- /dev/null +++ b/queue-6.0/hwmon-asus-ec-sensors-add-checks-for-devm_kcalloc.patch @@ -0,0 +1,37 @@ +From 4e7e4199a3ca8fa40d4f686cc5fc0ec38f723c6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 01:43:29 +0000 +Subject: hwmon: (asus-ec-sensors) Add checks for devm_kcalloc + +From: Yuan Can + +[ Upstream commit 9bdc112be727cf1ba65be79541147f960c3349d8 ] + +As the devm_kcalloc may return NULL, the return value needs to be checked +to avoid NULL poineter dereference. + +Fixes: d0ddfd241e57 ("hwmon: (asus-ec-sensors) add driver for ASUS EC") +Signed-off-by: Yuan Can +Link: https://lore.kernel.org/r/20221125014329.121560-1-yuancan@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/asus-ec-sensors.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hwmon/asus-ec-sensors.c b/drivers/hwmon/asus-ec-sensors.c +index 81e688975c6a..a901e4e33d81 100644 +--- a/drivers/hwmon/asus-ec-sensors.c ++++ b/drivers/hwmon/asus-ec-sensors.c +@@ -938,6 +938,8 @@ static int asus_ec_probe(struct platform_device *pdev) + ec_data->nr_sensors = hweight_long(ec_data->board_info->sensors); + ec_data->sensors = devm_kcalloc(dev, ec_data->nr_sensors, + sizeof(struct ec_sensor), GFP_KERNEL); ++ if (!ec_data->sensors) ++ return -ENOMEM; + + status = setup_lock_data(dev); + if (status) { +-- +2.35.1 + diff --git a/queue-6.0/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch b/queue-6.0/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch new file mode 100644 index 00000000000..4f2f85f8dc2 --- /dev/null +++ b/queue-6.0/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch @@ -0,0 +1,64 @@ +From a6dd9a68c78d0a3c6c1d2fc31efe1446c50616e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 11:23:13 -0500 +Subject: hwmon: (coretemp) Check for null before removing sysfs attrs + +From: Phil Auld + +[ Upstream commit a89ff5f5cc64b9fe7a992cf56988fd36f56ca82a ] + +If coretemp_add_core() gets an error then pdata->core_data[indx] +is already NULL and has been kfreed. Don't pass that to +sysfs_remove_group() as that will crash in sysfs_remove_group(). + +[Shortened for readability] +[91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label' + +[91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188 +[91855.165103] #PF: supervisor read access in kernel mode +[91855.194506] #PF: error_code(0x0000) - not-present page +[91855.224445] PGD 0 P4D 0 +[91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI +... +[91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80 +... +[91855.796571] Call Trace: +[91855.810524] coretemp_cpu_offline+0x12b/0x1dd [coretemp] +[91855.841738] ? coretemp_cpu_online+0x180/0x180 [coretemp] +[91855.871107] cpuhp_invoke_callback+0x105/0x4b0 +[91855.893432] cpuhp_thread_fun+0x8e/0x150 +... + +Fix this by checking for NULL first. + +Signed-off-by: Phil Auld +Cc: linux-hwmon@vger.kernel.org +Cc: Fenghua Yu +Cc: Jean Delvare +Cc: Guenter Roeck +Link: https://lore.kernel.org/r/20221117162313.3164803-1-pauld@redhat.com +Fixes: 199e0de7f5df3 ("hwmon: (coretemp) Merge pkgtemp with coretemp") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/coretemp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index 8bf32c6c85d9..30a19d711f89 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -533,6 +533,10 @@ static void coretemp_remove_core(struct platform_data *pdata, int indx) + { + struct temp_data *tdata = pdata->core_data[indx]; + ++ /* if we errored on add then this is already gone */ ++ if (!tdata) ++ return; ++ + /* Remove the sysfs attributes */ + sysfs_remove_group(&pdata->hwmon_dev->kobj, &tdata->attr_group); + +-- +2.35.1 + diff --git a/queue-6.0/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch b/queue-6.0/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch new file mode 100644 index 00000000000..59f0ce7012f --- /dev/null +++ b/queue-6.0/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch @@ -0,0 +1,45 @@ +From 6316a659122c708340d0930e525d65858ec16093 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 17:33:03 +0800 +Subject: hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new() + +From: Yang Yingliang + +[ Upstream commit 7dec14537c5906b8bf40fd6fd6d9c3850f8df11d ] + +As comment of pci_get_domain_bus_and_slot() says, it returns +a pci device with refcount increment, when finish using it, +the caller must decrement the reference count by calling +pci_dev_put(). So call it after using to avoid refcount leak. + +Fixes: 14513ee696a0 ("hwmon: (coretemp) Use PCI host bridge ID to identify CPU if necessary") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221118093303.214163-1-yangyingliang@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/coretemp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index 30a19d711f89..9bee4d33fbdf 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -242,10 +242,13 @@ static int adjust_tjmax(struct cpuinfo_x86 *c, u32 id, struct device *dev) + */ + if (host_bridge && host_bridge->vendor == PCI_VENDOR_ID_INTEL) { + for (i = 0; i < ARRAY_SIZE(tjmax_pci_table); i++) { +- if (host_bridge->device == tjmax_pci_table[i].device) ++ if (host_bridge->device == tjmax_pci_table[i].device) { ++ pci_dev_put(host_bridge); + return tjmax_pci_table[i].tjmax; ++ } + } + } ++ pci_dev_put(host_bridge); + + for (i = 0; i < ARRAY_SIZE(tjmax_table); i++) { + if (strstr(c->x86_model_id, tjmax_table[i].id)) +-- +2.35.1 + diff --git a/queue-6.0/hwmon-i5500_temp-fix-missing-pci_disable_device.patch b/queue-6.0/hwmon-i5500_temp-fix-missing-pci_disable_device.patch new file mode 100644 index 00000000000..5e188ca369a --- /dev/null +++ b/queue-6.0/hwmon-i5500_temp-fix-missing-pci_disable_device.patch @@ -0,0 +1,37 @@ +From 6a57f5a8fe71dfdd485ae6a8498e85a6ea81dc60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Nov 2022 20:56:06 +0800 +Subject: hwmon: (i5500_temp) fix missing pci_disable_device() + +From: Yang Yingliang + +[ Upstream commit 3b7f98f237528c496ea0b689bace0e35eec3e060 ] + +pci_disable_device() need be called while module exiting, switch to use +pcim_enable(), pci_disable_device() will be called in pcim_release(). + +Fixes: ada072816be1 ("hwmon: (i5500_temp) New driver for the Intel 5500/5520/X58 chipsets") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221112125606.3751430-1-yangyingliang@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/i5500_temp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/i5500_temp.c b/drivers/hwmon/i5500_temp.c +index 05f68e9c9477..23b9f94fe0a9 100644 +--- a/drivers/hwmon/i5500_temp.c ++++ b/drivers/hwmon/i5500_temp.c +@@ -117,7 +117,7 @@ static int i5500_temp_probe(struct pci_dev *pdev, + u32 tstimer; + s8 tsfsc; + +- err = pci_enable_device(pdev); ++ err = pcim_enable_device(pdev); + if (err) { + dev_err(&pdev->dev, "Failed to enable device\n"); + return err; +-- +2.35.1 + diff --git a/queue-6.0/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch b/queue-6.0/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch new file mode 100644 index 00000000000..3cd065f8624 --- /dev/null +++ b/queue-6.0/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch @@ -0,0 +1,44 @@ +From 58778645ad718852f00c369ee605cd94c22954ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 11:44:23 +0800 +Subject: hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails + +From: Gaosheng Cui + +[ Upstream commit e2a87785aab0dac190ac89be6a9ba955e2c634f2 ] + +Smatch report warning as follows: + +drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn: + '&data->list' not removed from list + +If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will +be freed, but data->list will not be removed from driver_data.bmc_data, +then list traversal may cause UAF. + +Fix by removeing it from driver_data.bmc_data before free(). + +Fixes: 57c7c3a0fdea ("hwmon: IBM power meter driver") +Signed-off-by: Gaosheng Cui +Link: https://lore.kernel.org/r/20221117034423.2935739-1-cuigaosheng1@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ibmpex.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/ibmpex.c b/drivers/hwmon/ibmpex.c +index f6ec165c0fa8..1837cccd993c 100644 +--- a/drivers/hwmon/ibmpex.c ++++ b/drivers/hwmon/ibmpex.c +@@ -502,6 +502,7 @@ static void ibmpex_register_bmc(int iface, struct device *dev) + return; + + out_register: ++ list_del(&data->list); + hwmon_device_unregister(data->hwmon_dev); + out_user: + ipmi_destroy_user(data->user); +-- +2.35.1 + diff --git a/queue-6.0/hwmon-ina3221-fix-shunt-sum-critical-calculation.patch b/queue-6.0/hwmon-ina3221-fix-shunt-sum-critical-calculation.patch new file mode 100644 index 00000000000..124defafc39 --- /dev/null +++ b/queue-6.0/hwmon-ina3221-fix-shunt-sum-critical-calculation.patch @@ -0,0 +1,47 @@ +From f10f650a1bbebb9fec05a6e595ee53fbf2e2d806 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 12:45:08 +0800 +Subject: hwmon: (ina3221) Fix shunt sum critical calculation + +From: Ninad Malwade + +[ Upstream commit b8d27d2ce8dfc207e4b67b929a86f2be76fbc6ef ] + +The shunt sum critical limit register value should be left shifted +by one bit as its LSB-0 is a reserved bit. + +Fixes: 2057bdfb7184 ("hwmon: (ina3221) Add summation feature support") +Signed-off-by: Ninad Malwade +Reviewed-by: Thierry Reding +Link: https://lore.kernel.org/r/20221108044508.23463-1-nmalwade@nvidia.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ina3221.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/ina3221.c b/drivers/hwmon/ina3221.c +index 58d3828e2ec0..14586b2fb17d 100644 +--- a/drivers/hwmon/ina3221.c ++++ b/drivers/hwmon/ina3221.c +@@ -228,7 +228,7 @@ static int ina3221_read_value(struct ina3221_data *ina, unsigned int reg, + * Shunt Voltage Sum register has 14-bit value with 1-bit shift + * Other Shunt Voltage registers have 12 bits with 3-bit shift + */ +- if (reg == INA3221_SHUNT_SUM) ++ if (reg == INA3221_SHUNT_SUM || reg == INA3221_CRIT_SUM) + *val = sign_extend32(regval >> 1, 14); + else + *val = sign_extend32(regval >> 3, 12); +@@ -465,7 +465,7 @@ static int ina3221_write_curr(struct device *dev, u32 attr, + * SHUNT_SUM: (1 / 40uV) << 1 = 1 / 20uV + * SHUNT[1-3]: (1 / 40uV) << 3 = 1 / 5uV + */ +- if (reg == INA3221_SHUNT_SUM) ++ if (reg == INA3221_SHUNT_SUM || reg == INA3221_CRIT_SUM) + regval = DIV_ROUND_CLOSEST(voltage_uv, 20) & 0xfffe; + else + regval = DIV_ROUND_CLOSEST(voltage_uv, 5) & 0xfff8; +-- +2.35.1 + diff --git a/queue-6.0/hwmon-ltc2947-fix-temperature-scaling.patch b/queue-6.0/hwmon-ltc2947-fix-temperature-scaling.patch new file mode 100644 index 00000000000..fa16a845342 --- /dev/null +++ b/queue-6.0/hwmon-ltc2947-fix-temperature-scaling.patch @@ -0,0 +1,43 @@ +From 5382bc01381403488696ea4f250b6bb5ec301222 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 13:21:08 -0600 +Subject: hwmon: (ltc2947) fix temperature scaling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Derek Nguyen + +[ Upstream commit 07e06193ead86d4812f431b4d87bbd4161222e3f ] + +The LTC2947 datasheet (Rev. B) calls out in the section "Register +Description: Non-Accumulated Result Registers" (pg. 30) that "To +calculate temperature, multiply the TEMP register value by 0.204°C +and add 5.5°C". Fix to add 5.5C and not 0.55C. + +Fixes: 9f90fd652bed ("hwmon: Add support for ltc2947") +Signed-off-by: Derek Nguyen +Signed-off-by: Brandon Maier +Link: https://lore.kernel.org/r/20221110192108.20624-1-brandon.maier@collins.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ltc2947-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/ltc2947-core.c b/drivers/hwmon/ltc2947-core.c +index 5423466de697..e918490f3ff7 100644 +--- a/drivers/hwmon/ltc2947-core.c ++++ b/drivers/hwmon/ltc2947-core.c +@@ -396,7 +396,7 @@ static int ltc2947_read_temp(struct device *dev, const u32 attr, long *val, + return ret; + + /* in milidegrees celcius, temp is given by: */ +- *val = (__val * 204) + 550; ++ *val = (__val * 204) + 5500; + + return 0; + } +-- +2.35.1 + diff --git a/queue-6.0/i40e-fix-error-handling-in-i40e_init_module.patch b/queue-6.0/i40e-fix-error-handling-in-i40e_init_module.patch new file mode 100644 index 00000000000..fb659aee1dc --- /dev/null +++ b/queue-6.0/i40e-fix-error-handling-in-i40e_init_module.patch @@ -0,0 +1,59 @@ +From f2606b8f21c52e369d37a94297bab2acc2c13bf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 09:27:25 +0800 +Subject: i40e: Fix error handling in i40e_init_module() + +From: Shang XiaoJing + +[ Upstream commit 479dd06149425b9e00477f52200872587af76a48 ] + +i40e_init_module() won't free the debugfs directory created by +i40e_dbg_init() when pci_register_driver() failed. Add fail path to +call i40e_dbg_exit() to remove the debugfs entries to prevent the bug. + +i40e: Intel(R) Ethernet Connection XL710 Network Driver +i40e: Copyright (c) 2013 - 2019 Intel Corporation. +debugfs: Directory 'i40e' with parent '/' already present! + +Fixes: 41c445ff0f48 ("i40e: main driver core") +Signed-off-by: Shang XiaoJing +Reviewed-by: Leon Romanovsky +Tested-by: Gurucharan G (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index b3336d31f8a9..023685cca2c1 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -16652,6 +16652,8 @@ static struct pci_driver i40e_driver = { + **/ + static int __init i40e_init_module(void) + { ++ int err; ++ + pr_info("%s: %s\n", i40e_driver_name, i40e_driver_string); + pr_info("%s: %s\n", i40e_driver_name, i40e_copyright); + +@@ -16669,7 +16671,14 @@ static int __init i40e_init_module(void) + } + + i40e_dbg_init(); +- return pci_register_driver(&i40e_driver); ++ err = pci_register_driver(&i40e_driver); ++ if (err) { ++ destroy_workqueue(i40e_wq); ++ i40e_dbg_exit(); ++ return err; ++ } ++ ++ return 0; + } + module_init(i40e_init_module); + +-- +2.35.1 + diff --git a/queue-6.0/iavf-fix-error-handling-in-iavf_init_module.patch b/queue-6.0/iavf-fix-error-handling-in-iavf_init_module.patch new file mode 100644 index 00000000000..e053d6a0c74 --- /dev/null +++ b/queue-6.0/iavf-fix-error-handling-in-iavf_init_module.patch @@ -0,0 +1,55 @@ +From 295ec05b117e74c1ad5f8be12725dba7cb3c36bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 08:26:40 +0000 +Subject: iavf: Fix error handling in iavf_init_module() + +From: Yuan Can + +[ Upstream commit 227d8d2f7f2278b8468c5531b0cd0f2a905b4486 ] + +The iavf_init_module() won't destroy workqueue when pci_register_driver() +failed. Call destroy_workqueue() when pci_register_driver() failed to +prevent the resource leak. + +Similar to the handling of u132_hcd_init in commit f276e002793c +("usb: u132-hcd: fix resource leak") + +Fixes: 2803b16c10ea ("i40e/i40evf: Use private workqueue") +Signed-off-by: Yuan Can +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index cff03723f4f9..4e03712726f2 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -5196,6 +5196,8 @@ static struct pci_driver iavf_driver = { + **/ + static int __init iavf_init_module(void) + { ++ int ret; ++ + pr_info("iavf: %s\n", iavf_driver_string); + + pr_info("%s\n", iavf_copyright); +@@ -5206,7 +5208,12 @@ static int __init iavf_init_module(void) + pr_err("%s: Failed to create workqueue\n", iavf_driver_name); + return -ENOMEM; + } +- return pci_register_driver(&iavf_driver); ++ ++ ret = pci_register_driver(&iavf_driver); ++ if (ret) ++ destroy_workqueue(iavf_wq); ++ ++ return ret; + } + + module_init(iavf_init_module); +-- +2.35.1 + diff --git a/queue-6.0/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch b/queue-6.0/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch new file mode 100644 index 00000000000..0d547e5676f --- /dev/null +++ b/queue-6.0/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch @@ -0,0 +1,72 @@ +From f3d539779ea4995758d53f18939b96576c5abbff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 15:19:46 +0000 +Subject: iio: health: afe4403: Fix oob read in afe4403_read_raw + +From: Wei Yongjun + +[ Upstream commit 58143c1ed5882c138a3cd2251a336fc8755f23d9 ] + +KASAN report out-of-bounds read as follows: + +BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0 +Read of size 4 at addr ffffffffc02ac638 by task cat/279 + +Call Trace: + afe4403_read_raw + iio_read_channel_info + dev_attr_show + +The buggy address belongs to the variable: + afe4403_channel_leds+0x18/0xffffffffffffe9e0 + +This issue can be reproduced by singe command: + + $ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw + +The array size of afe4403_channel_leds is less than channels, so access +with chan->address cause OOB read in afe4403_read_raw. Fix it by moving +access before use it. + +Fixes: b36e8257641a ("iio: health/afe440x: Use regmap fields") +Signed-off-by: Wei Yongjun +Acked-by: Andrew Davis +Link: https://lore.kernel.org/r/20221107151946.89260-1-weiyongjun@huaweicloud.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/health/afe4403.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/health/afe4403.c b/drivers/iio/health/afe4403.c +index 3bb4028c5d74..df3bc5c3d378 100644 +--- a/drivers/iio/health/afe4403.c ++++ b/drivers/iio/health/afe4403.c +@@ -245,14 +245,14 @@ static int afe4403_read_raw(struct iio_dev *indio_dev, + int *val, int *val2, long mask) + { + struct afe4403_data *afe = iio_priv(indio_dev); +- unsigned int reg = afe4403_channel_values[chan->address]; +- unsigned int field = afe4403_channel_leds[chan->address]; ++ unsigned int reg, field; + int ret; + + switch (chan->type) { + case IIO_INTENSITY: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ reg = afe4403_channel_values[chan->address]; + ret = afe4403_read(afe, reg, val); + if (ret) + return ret; +@@ -262,6 +262,7 @@ static int afe4403_read_raw(struct iio_dev *indio_dev, + case IIO_CURRENT: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ field = afe4403_channel_leds[chan->address]; + ret = regmap_field_read(afe->fields[field], val); + if (ret) + return ret; +-- +2.35.1 + diff --git a/queue-6.0/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch b/queue-6.0/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch new file mode 100644 index 00000000000..cffc85d9d8b --- /dev/null +++ b/queue-6.0/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch @@ -0,0 +1,102 @@ +From ce69a9a7c7f275746591febb1f06f5f67d7797de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 15:20:10 +0000 +Subject: iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw + +From: Wei Yongjun + +[ Upstream commit fc92d9e3de0b2d30a3ccc08048a5fad533e4672b ] + +KASAN report out-of-bounds read as follows: + +BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380 +Read of size 4 at addr ffffffffc00e4658 by task cat/278 + +Call Trace: + afe4404_read_raw + iio_read_channel_info + dev_attr_show + +The buggy address belongs to the variable: + afe4404_channel_leds+0x18/0xffffffffffffe9c0 + +This issue can be reproduce by singe command: + + $ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw + +The array size of afe4404_channel_leds and afe4404_channel_offdacs +are less than channels, so access with chan->address cause OOB read +in afe4404_[read|write]_raw. Fix it by moving access before use them. + +Fixes: b36e8257641a ("iio: health/afe440x: Use regmap fields") +Signed-off-by: Wei Yongjun +Acked-by: Andrew Davis +Link: https://lore.kernel.org/r/20221107152010.95937-1-weiyongjun@huaweicloud.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/health/afe4404.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/iio/health/afe4404.c b/drivers/iio/health/afe4404.c +index dd7800159051..f03c466c9385 100644 +--- a/drivers/iio/health/afe4404.c ++++ b/drivers/iio/health/afe4404.c +@@ -250,20 +250,20 @@ static int afe4404_read_raw(struct iio_dev *indio_dev, + int *val, int *val2, long mask) + { + struct afe4404_data *afe = iio_priv(indio_dev); +- unsigned int value_reg = afe4404_channel_values[chan->address]; +- unsigned int led_field = afe4404_channel_leds[chan->address]; +- unsigned int offdac_field = afe4404_channel_offdacs[chan->address]; ++ unsigned int value_reg, led_field, offdac_field; + int ret; + + switch (chan->type) { + case IIO_INTENSITY: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ value_reg = afe4404_channel_values[chan->address]; + ret = regmap_read(afe->regmap, value_reg, val); + if (ret) + return ret; + return IIO_VAL_INT; + case IIO_CHAN_INFO_OFFSET: ++ offdac_field = afe4404_channel_offdacs[chan->address]; + ret = regmap_field_read(afe->fields[offdac_field], val); + if (ret) + return ret; +@@ -273,6 +273,7 @@ static int afe4404_read_raw(struct iio_dev *indio_dev, + case IIO_CURRENT: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ led_field = afe4404_channel_leds[chan->address]; + ret = regmap_field_read(afe->fields[led_field], val); + if (ret) + return ret; +@@ -295,19 +296,20 @@ static int afe4404_write_raw(struct iio_dev *indio_dev, + int val, int val2, long mask) + { + struct afe4404_data *afe = iio_priv(indio_dev); +- unsigned int led_field = afe4404_channel_leds[chan->address]; +- unsigned int offdac_field = afe4404_channel_offdacs[chan->address]; ++ unsigned int led_field, offdac_field; + + switch (chan->type) { + case IIO_INTENSITY: + switch (mask) { + case IIO_CHAN_INFO_OFFSET: ++ offdac_field = afe4404_channel_offdacs[chan->address]; + return regmap_field_write(afe->fields[offdac_field], val); + } + break; + case IIO_CURRENT: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ led_field = afe4404_channel_leds[chan->address]; + return regmap_field_write(afe->fields[led_field], val); + } + break; +-- +2.35.1 + diff --git a/queue-6.0/iio-light-rpr0521-add-missing-kconfig-dependencies.patch b/queue-6.0/iio-light-rpr0521-add-missing-kconfig-dependencies.patch new file mode 100644 index 00000000000..0525cb68f4a --- /dev/null +++ b/queue-6.0/iio-light-rpr0521-add-missing-kconfig-dependencies.patch @@ -0,0 +1,47 @@ +From c389f96649818ab45f942d2c853314094c672dee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 16:47:29 -0500 +Subject: iio: light: rpr0521: add missing Kconfig dependencies + +From: Paul Gazzillo + +[ Upstream commit 6ac12303572ef9ace5603c2c07f5f1b00a33f580 ] + +Fix an implicit declaration of function error for rpr0521 under some configs + +When CONFIG_RPR0521 is enabled without CONFIG_IIO_TRIGGERED_BUFFER, +the build results in "implicit declaration of function" errors, e.g., + drivers/iio/light/rpr0521.c:434:3: error: implicit declaration of function + 'iio_trigger_poll_chained' [-Werror=implicit-function-declaration] + 434 | iio_trigger_poll_chained(data->drdy_trigger0); + | ^~~~~~~~~~~~~~~~~~~~~~~~ + +This fix adds select dependencies to RPR0521's configuration declaration. + +Fixes: e12ffd241c00 ("iio: light: rpr0521 triggered buffer") +Signed-off-by: Paul Gazzillo +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216678 +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20221110214729.ls5ixav5kxpeftk7@device +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/light/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/iio/light/Kconfig b/drivers/iio/light/Kconfig +index 8537e88f02e3..c02393009a2c 100644 +--- a/drivers/iio/light/Kconfig ++++ b/drivers/iio/light/Kconfig +@@ -293,6 +293,8 @@ config RPR0521 + tristate "ROHM RPR0521 ALS and proximity sensor driver" + depends on I2C + select REGMAP_I2C ++ select IIO_BUFFER ++ select IIO_TRIGGERED_BUFFER + help + Say Y here if you want to build support for ROHM's RPR0521 + ambient light and proximity sensor device. +-- +2.35.1 + diff --git a/queue-6.0/ixgbevf-fix-resource-leak-in-ixgbevf_init_module.patch b/queue-6.0/ixgbevf-fix-resource-leak-in-ixgbevf_init_module.patch new file mode 100644 index 00000000000..6d42017b9f8 --- /dev/null +++ b/queue-6.0/ixgbevf-fix-resource-leak-in-ixgbevf_init_module.patch @@ -0,0 +1,57 @@ +From 390ccc57a269ff3955ade14ce1234e8860f43e61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 10:57:58 +0800 +Subject: ixgbevf: Fix resource leak in ixgbevf_init_module() + +From: Shang XiaoJing + +[ Upstream commit 8cfa238a48f34038464b99d0b4825238c2687181 ] + +ixgbevf_init_module() won't destroy the workqueue created by +create_singlethread_workqueue() when pci_register_driver() failed. Add +destroy_workqueue() in fail path to prevent the resource leak. + +Similar to the handling of u132_hcd_init in commit f276e002793c +("usb: u132-hcd: fix resource leak") + +Fixes: 40a13e2493c9 ("ixgbevf: Use a private workqueue to avoid certain possible hangs") +Signed-off-by: Shang XiaoJing +Reviewed-by: Saeed Mahameed +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +index 2f12fbe229c1..624b8aa4508c 100644 +--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c ++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +@@ -4869,6 +4869,8 @@ static struct pci_driver ixgbevf_driver = { + **/ + static int __init ixgbevf_init_module(void) + { ++ int err; ++ + pr_info("%s\n", ixgbevf_driver_string); + pr_info("%s\n", ixgbevf_copyright); + ixgbevf_wq = create_singlethread_workqueue(ixgbevf_driver_name); +@@ -4877,7 +4879,13 @@ static int __init ixgbevf_init_module(void) + return -ENOMEM; + } + +- return pci_register_driver(&ixgbevf_driver); ++ err = pci_register_driver(&ixgbevf_driver); ++ if (err) { ++ destroy_workqueue(ixgbevf_wq); ++ return err; ++ } ++ ++ return 0; + } + + module_init(ixgbevf_init_module); +-- +2.35.1 + diff --git a/queue-6.0/kbuild-fix-wimplicit-function-declaration-in-license.patch b/queue-6.0/kbuild-fix-wimplicit-function-declaration-in-license.patch new file mode 100644 index 00000000000..f53409a358e --- /dev/null +++ b/queue-6.0/kbuild-fix-wimplicit-function-declaration-in-license.patch @@ -0,0 +1,50 @@ +From ef268e57b665da9aaed9278c6a1e3aad17d9659c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 18:26:34 +0000 +Subject: kbuild: fix -Wimplicit-function-declaration in + license_is_gpl_compatible + +From: Sam James + +[ Upstream commit 50c697215a8cc22f0e58c88f06f2716c05a26e85 ] + +Add missing include for strcmp. + +Clang 16 makes -Wimplicit-function-declaration an error by default. +Unfortunately, out of tree modules may use this in configure scripts, +which means failure might cause silent miscompilation or misconfiguration. + +For more information, see LWN.net [0] or LLVM's Discourse [1], gentoo-dev@ [2], +or the (new) c-std-porting mailing list [3]. + +[0] https://lwn.net/Articles/913505/ +[1] https://discourse.llvm.org/t/configure-script-breakage-with-the-new-werror-implicit-function-declaration/65213 +[2] https://archives.gentoo.org/gentoo-dev/message/dd9f2d3082b8b6f8dfbccb0639e6e240 +[3] hosted at lists.linux.dev. + +[akpm@linux-foundation.org: remember "linux/"] +Link: https://lkml.kernel.org/r/20221116182634.2823136-1-sam@gentoo.org +Signed-off-by: Sam James +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/license.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/linux/license.h b/include/linux/license.h +index 7cce390f120b..ad937f57f2cb 100644 +--- a/include/linux/license.h ++++ b/include/linux/license.h +@@ -2,6 +2,8 @@ + #ifndef __LICENSE_H + #define __LICENSE_H + ++#include ++ + static inline int license_is_gpl_compatible(const char *license) + { + return (strcmp(license, "GPL") == 0 +-- +2.35.1 + diff --git a/queue-6.0/libbpf-handle-size-overflow-for-ringbuf-mmap.patch b/queue-6.0/libbpf-handle-size-overflow-for-ringbuf-mmap.patch new file mode 100644 index 00000000000..61d148a6143 --- /dev/null +++ b/queue-6.0/libbpf-handle-size-overflow-for-ringbuf-mmap.patch @@ -0,0 +1,67 @@ +From e7ecda7886f83441ac523087ea6ec2730e81ccfd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 15:23:49 +0800 +Subject: libbpf: Handle size overflow for ringbuf mmap + +From: Hou Tao + +[ Upstream commit 927cbb478adf917e0a142b94baa37f06279cc466 ] + +The maximum size of ringbuf is 2GB on x86-64 host, so 2 * max_entries +will overflow u32 when mapping producer page and data pages. Only +casting max_entries to size_t is not enough, because for 32-bits +application on 64-bits kernel the size of read-only mmap region +also could overflow size_t. + +So fixing it by casting the size of read-only mmap region into a __u64 +and checking whether or not there will be overflow during mmap. + +Fixes: bf99c936f947 ("libbpf: Add BPF ring buffer support") +Signed-off-by: Hou Tao +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20221116072351.1168938-3-houtao@huaweicloud.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/ringbuf.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/tools/lib/bpf/ringbuf.c b/tools/lib/bpf/ringbuf.c +index 8bc117bcc7bc..c42ba9358d8c 100644 +--- a/tools/lib/bpf/ringbuf.c ++++ b/tools/lib/bpf/ringbuf.c +@@ -59,6 +59,7 @@ int ring_buffer__add(struct ring_buffer *rb, int map_fd, + __u32 len = sizeof(info); + struct epoll_event *e; + struct ring *r; ++ __u64 mmap_sz; + void *tmp; + int err; + +@@ -97,8 +98,7 @@ int ring_buffer__add(struct ring_buffer *rb, int map_fd, + r->mask = info.max_entries - 1; + + /* Map writable consumer page */ +- tmp = mmap(NULL, rb->page_size, PROT_READ | PROT_WRITE, MAP_SHARED, +- map_fd, 0); ++ tmp = mmap(NULL, rb->page_size, PROT_READ | PROT_WRITE, MAP_SHARED, map_fd, 0); + if (tmp == MAP_FAILED) { + err = -errno; + pr_warn("ringbuf: failed to mmap consumer page for map fd=%d: %d\n", +@@ -111,8 +111,12 @@ int ring_buffer__add(struct ring_buffer *rb, int map_fd, + * data size to allow simple reading of samples that wrap around the + * end of a ring buffer. See kernel implementation for details. + * */ +- tmp = mmap(NULL, rb->page_size + 2 * info.max_entries, PROT_READ, +- MAP_SHARED, map_fd, rb->page_size); ++ mmap_sz = rb->page_size + 2 * (__u64)info.max_entries; ++ if (mmap_sz != (__u64)(size_t)mmap_sz) { ++ pr_warn("ringbuf: ring buffer size (%u) is too big\n", info.max_entries); ++ return libbpf_err(-E2BIG); ++ } ++ tmp = mmap(NULL, (size_t)mmap_sz, PROT_READ, MAP_SHARED, map_fd, rb->page_size); + if (tmp == MAP_FAILED) { + err = -errno; + ringbuf_unmap_ring(rb, r); +-- +2.35.1 + diff --git a/queue-6.0/libbpf-use-correct-return-pointer-in-attach_raw_tp.patch b/queue-6.0/libbpf-use-correct-return-pointer-in-attach_raw_tp.patch new file mode 100644 index 00000000000..cba02bb2f72 --- /dev/null +++ b/queue-6.0/libbpf-use-correct-return-pointer-in-attach_raw_tp.patch @@ -0,0 +1,37 @@ +From 562ebc4b373c9f1dcb2df3f8bbfa6438c007ae91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 15:52:57 +0100 +Subject: libbpf: Use correct return pointer in attach_raw_tp + +From: Jiri Olsa + +[ Upstream commit 5fd2a60aecf3a42b14fa371c55b3dbb18b229230 ] + +We need to pass '*link' to final libbpf_get_error, +because that one holds the return value, not 'link'. + +Fixes: 4fa5bcfe07f7 ("libbpf: Allow BPF program auto-attach handlers to bail out") +Signed-off-by: Jiri Olsa +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20221114145257.882322-1-jolsa@kernel.org +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index e36c44090720..79ea83be21ce 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -11143,7 +11143,7 @@ static int attach_raw_tp(const struct bpf_program *prog, long cookie, struct bpf + } + + *link = bpf_program__attach_raw_tracepoint(prog, tp_name); +- return libbpf_get_error(link); ++ return libbpf_get_error(*link); + } + + /* Common logic for all BPF program types that attach to a btf_id */ +-- +2.35.1 + diff --git a/queue-6.0/mptcp-don-t-orphan-ssk-in-mptcp_close.patch b/queue-6.0/mptcp-don-t-orphan-ssk-in-mptcp_close.patch new file mode 100644 index 00000000000..30468ed181d --- /dev/null +++ b/queue-6.0/mptcp-don-t-orphan-ssk-in-mptcp_close.patch @@ -0,0 +1,68 @@ +From 9b9deffc3157520332a896598747bf1d265ed226 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 16:42:37 +0100 +Subject: mptcp: don't orphan ssk in mptcp_close() + +From: Menglong Dong + +[ Upstream commit fe94800184f22d4778628f1321dce5acb7513d84 ] + +All of the subflows of a msk will be orphaned in mptcp_close(), which +means the subflows are in DEAD state. After then, DATA_FIN will be sent, +and the other side will response with a DATA_ACK for this DATA_FIN. + +However, if the other side still has pending data, the data that received +on these subflows will not be passed to the msk, as they are DEAD and +subflow_data_ready() will not be called in tcp_data_ready(). Therefore, +these data can't be acked, and they will be retransmitted again and again, +until timeout. + +Fix this by setting ssk->sk_socket and ssk->sk_wq to 'NULL', instead of +orphaning the subflows in __mptcp_close(), as Paolo suggested. + +Fixes: e16163b6e2b7 ("mptcp: refactor shutdown and close") +Reviewed-by: Biao Jiang +Reviewed-by: Mengen Sun +Signed-off-by: Menglong Dong +Reviewed-by: Paolo Abeni +Signed-off-by: Matthieu Baerts +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/protocol.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index b568f55998f3..42d5e0a7952a 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -2297,12 +2297,7 @@ static void __mptcp_close_ssk(struct sock *sk, struct sock *ssk, + goto out; + } + +- /* if we are invoked by the msk cleanup code, the subflow is +- * already orphaned +- */ +- if (ssk->sk_socket) +- sock_orphan(ssk); +- ++ sock_orphan(ssk); + subflow->disposable = 1; + + /* if ssk hit tcp_done(), tcp_cleanup_ulp() cleared the related ops +@@ -2833,7 +2828,11 @@ bool __mptcp_close(struct sock *sk, long timeout) + if (ssk == msk->first) + subflow->fail_tout = 0; + +- sock_orphan(ssk); ++ /* detach from the parent socket, but allow data_ready to ++ * push incoming data into the mptcp stack, to properly ack it ++ */ ++ ssk->sk_socket = NULL; ++ ssk->sk_wq = NULL; + unlock_sock_fast(ssk, slow); + } + sock_orphan(sk); +-- +2.35.1 + diff --git a/queue-6.0/mptcp-fix-sleep-in-atomic-at-close-time.patch b/queue-6.0/mptcp-fix-sleep-in-atomic-at-close-time.patch new file mode 100644 index 00000000000..03e2de5a203 --- /dev/null +++ b/queue-6.0/mptcp-fix-sleep-in-atomic-at-close-time.patch @@ -0,0 +1,90 @@ +From 6ae13ed2327aecb5600c45ce7e842e3a85686458 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 16:42:38 +0100 +Subject: mptcp: fix sleep in atomic at close time + +From: Paolo Abeni + +[ Upstream commit b4f166651d03b5484fa179817ba8ad4899a5a6ac ] + +Matt reported a splat at msk close time: + + BUG: sleeping function called from invalid context at net/mptcp/protocol.c:2877 + in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 155, name: packetdrill + preempt_count: 201, expected: 0 + RCU nest depth: 0, expected: 0 + 4 locks held by packetdrill/155: + #0: ffff888001536990 (&sb->s_type->i_mutex_key#6){+.+.}-{3:3}, at: __sock_release (net/socket.c:650) + #1: ffff88800b498130 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_close (net/mptcp/protocol.c:2973) + #2: ffff88800b49a130 (sk_lock-AF_INET/1){+.+.}-{0:0}, at: __mptcp_close_ssk (net/mptcp/protocol.c:2363) + #3: ffff88800b49a0b0 (slock-AF_INET){+...}-{2:2}, at: __lock_sock_fast (include/net/sock.h:1820) + Preemption disabled at: + 0x0 + CPU: 1 PID: 155 Comm: packetdrill Not tainted 6.1.0-rc5 #365 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 + Call Trace: + + dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4)) + __might_resched.cold (kernel/sched/core.c:9891) + __mptcp_destroy_sock (include/linux/kernel.h:110) + __mptcp_close (net/mptcp/protocol.c:2959) + mptcp_subflow_queue_clean (include/net/sock.h:1777) + __mptcp_close_ssk (net/mptcp/protocol.c:2363) + mptcp_destroy_common (net/mptcp/protocol.c:3170) + mptcp_destroy (include/net/sock.h:1495) + __mptcp_destroy_sock (net/mptcp/protocol.c:2886) + __mptcp_close (net/mptcp/protocol.c:2959) + mptcp_close (net/mptcp/protocol.c:2974) + inet_release (net/ipv4/af_inet.c:432) + __sock_release (net/socket.c:651) + sock_close (net/socket.c:1367) + __fput (fs/file_table.c:320) + task_work_run (kernel/task_work.c:181 (discriminator 1)) + exit_to_user_mode_prepare (include/linux/resume_user_mode.h:49) + syscall_exit_to_user_mode (kernel/entry/common.c:130) + do_syscall_64 (arch/x86/entry/common.c:87) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) + +We can't call mptcp_close under the 'fast' socket lock variant, replace +it with a sock_lock_nested() as the relevant code is already under the +listening msk socket lock protection. + +Reported-by: Matthieu Baerts +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/316 +Fixes: 30e51b923e43 ("mptcp: fix unreleased socket in accept queue") +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts +Signed-off-by: Matthieu Baerts +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/subflow.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index 02a54d59697b..2159b5f9988f 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -1745,16 +1745,16 @@ void mptcp_subflow_queue_clean(struct sock *listener_ssk) + + for (msk = head; msk; msk = next) { + struct sock *sk = (struct sock *)msk; +- bool slow, do_cancel_work; ++ bool do_cancel_work; + + sock_hold(sk); +- slow = lock_sock_fast_nested(sk); ++ lock_sock_nested(sk, SINGLE_DEPTH_NESTING); + next = msk->dl_next; + msk->first = NULL; + msk->dl_next = NULL; + + do_cancel_work = __mptcp_close(sk, 0); +- unlock_sock_fast(sk, slow); ++ release_sock(sk); + if (do_cancel_work) + mptcp_cancel_work(sk); + sock_put(sk); +-- +2.35.1 + diff --git a/queue-6.0/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch b/queue-6.0/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch new file mode 100644 index 00000000000..7061dc3ea25 --- /dev/null +++ b/queue-6.0/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch @@ -0,0 +1,45 @@ +From b39519a0fefd7e850abc974c9838bd1184de2e57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 16:10:05 +0800 +Subject: net/9p: Fix a potential socket leak in p9_socket_open + +From: Wang Hai + +[ Upstream commit dcc14cfd7debe11b825cb077e75d91d2575b4cb8 ] + +Both p9_fd_create_tcp() and p9_fd_create_unix() will call +p9_socket_open(). If the creation of p9_trans_fd fails, +p9_fd_create_tcp() and p9_fd_create_unix() will return an +error directly instead of releasing the cscoket, which will +result in a socket leak. + +This patch adds sock_release() to fix the leak issue. + +Fixes: 6b18662e239a ("9p connect fixes") +Signed-off-by: Wang Hai +ACKed-by: Al Viro +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/9p/trans_fd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c +index 8487321c1fc7..3e056fb043bb 100644 +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -862,8 +862,10 @@ static int p9_socket_open(struct p9_client *client, struct socket *csocket) + struct file *file; + + p = kzalloc(sizeof(struct p9_trans_fd), GFP_KERNEL); +- if (!p) ++ if (!p) { ++ sock_release(csocket); + return -ENOMEM; ++ } + + csocket->sk->sk_allocation = GFP_NOIO; + file = sock_alloc_file(csocket, 0, NULL); +-- +2.35.1 + diff --git a/queue-6.0/net-ethernet-nixge-fix-null-dereference.patch b/queue-6.0/net-ethernet-nixge-fix-null-dereference.patch new file mode 100644 index 00000000000..b24e6adcb4d --- /dev/null +++ b/queue-6.0/net-ethernet-nixge-fix-null-dereference.patch @@ -0,0 +1,75 @@ +From 65fc2ede8e27c10e9af25ddf15e8fff9e0bc8551 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 11:43:03 +0300 +Subject: net: ethernet: nixge: fix NULL dereference + +From: Yuri Karpov + +[ Upstream commit 9256db4e45e8b497b0e993cc3ed4ad08eb2389b6 ] + +In function nixge_hw_dma_bd_release() dereference of NULL pointer +priv->rx_bd_v is possible for the case of its allocation failure in +nixge_hw_dma_bd_init(). + +Move for() loop with priv->rx_bd_v dereference under the check for +its validity. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 492caffa8a1a ("net: ethernet: nixge: Add support for National Instruments XGE netdev") +Signed-off-by: Yuri Karpov +Reviewed-by: Maciej Fijalkowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ni/nixge.c | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/ni/nixge.c b/drivers/net/ethernet/ni/nixge.c +index 4fc279a17562..bef3f0506487 100644 +--- a/drivers/net/ethernet/ni/nixge.c ++++ b/drivers/net/ethernet/ni/nixge.c +@@ -249,25 +249,26 @@ static void nixge_hw_dma_bd_release(struct net_device *ndev) + struct sk_buff *skb; + int i; + +- for (i = 0; i < RX_BD_NUM; i++) { +- phys_addr = nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], +- phys); +- +- dma_unmap_single(ndev->dev.parent, phys_addr, +- NIXGE_MAX_JUMBO_FRAME_SIZE, +- DMA_FROM_DEVICE); +- +- skb = (struct sk_buff *)(uintptr_t) +- nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], +- sw_id_offset); +- dev_kfree_skb(skb); +- } ++ if (priv->rx_bd_v) { ++ for (i = 0; i < RX_BD_NUM; i++) { ++ phys_addr = nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], ++ phys); ++ ++ dma_unmap_single(ndev->dev.parent, phys_addr, ++ NIXGE_MAX_JUMBO_FRAME_SIZE, ++ DMA_FROM_DEVICE); ++ ++ skb = (struct sk_buff *)(uintptr_t) ++ nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i], ++ sw_id_offset); ++ dev_kfree_skb(skb); ++ } + +- if (priv->rx_bd_v) + dma_free_coherent(ndev->dev.parent, + sizeof(*priv->rx_bd_v) * RX_BD_NUM, + priv->rx_bd_v, + priv->rx_bd_p); ++ } + + if (priv->tx_skb) + devm_kfree(ndev->dev.parent, priv->tx_skb); +-- +2.35.1 + diff --git a/queue-6.0/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch b/queue-6.0/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch new file mode 100644 index 00000000000..050568aa738 --- /dev/null +++ b/queue-6.0/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch @@ -0,0 +1,41 @@ +From f0b536829b39a64a0bff20fd5eca9cd26f09b40e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 15:56:04 +0900 +Subject: net: ethernet: renesas: ravb: Fix promiscuous mode after system + resumed + +From: Yoshihiro Shimoda + +[ Upstream commit d66233a312ec9013af3e37e4030b479a20811ec3 ] + +After system resumed on some environment board, the promiscuous mode +is disabled because the SoC turned off. So, call ravb_set_rx_mode() in +the ravb_resume() to fix the issue. + +Reported-by: Tho Vu +Fixes: 0184165b2f42 ("ravb: add sleep PM suspend/resume support") +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Pavan Chebbi +Reviewed-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20221128065604.1864391-1-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 7e32b04eb0c7..44f9b31f8b99 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -3013,6 +3013,7 @@ static int __maybe_unused ravb_resume(struct device *dev) + ret = ravb_open(ndev); + if (ret < 0) + return ret; ++ ravb_set_rx_mode(ndev); + netif_device_attach(ndev); + } + +-- +2.35.1 + diff --git a/queue-6.0/net-ethernet-ti-am65-cpsw-fix-error-handling-in-am65.patch b/queue-6.0/net-ethernet-ti-am65-cpsw-fix-error-handling-in-am65.patch new file mode 100644 index 00000000000..cd8db1fbefd --- /dev/null +++ b/queue-6.0/net-ethernet-ti-am65-cpsw-fix-error-handling-in-am65.patch @@ -0,0 +1,42 @@ +From fc2d03f0271ae20ca50987b5ea961fee6a54bbed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 11:03:08 +0800 +Subject: net: ethernet: ti: am65-cpsw: fix error handling in + am65_cpsw_nuss_probe() + +From: Zhang Changzhong + +[ Upstream commit 46fb6512538d201d9a5b2bd7138b6751c37fdf0b ] + +The am65_cpsw_nuss_cleanup_ndev() function calls unregister_netdev() +even if register_netdev() fails, which triggers WARN_ON(1) in +unregister_netdevice_many(). To fix it, make sure that +unregister_netdev() is called only on registered netdev. + +Compile tested only. + +Fixes: 84b4aa493249 ("net: ethernet: ti: am65-cpsw: add multi port support in mac-only mode") +Signed-off-by: Zhang Changzhong +Reviewed-by: Maciej Fijalkowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +index 348201e10d49..95baacd6c761 100644 +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +@@ -2061,7 +2061,7 @@ static void am65_cpsw_nuss_cleanup_ndev(struct am65_cpsw_common *common) + + for (i = 0; i < common->port_num; i++) { + port = &common->ports[i]; +- if (port->ndev) ++ if (port->ndev && port->ndev->reg_state == NETREG_REGISTERED) + unregister_netdev(port->ndev); + } + } +-- +2.35.1 + diff --git a/queue-6.0/net-hsr-fix-potential-use-after-free.patch b/queue-6.0/net-hsr-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..30754af2b88 --- /dev/null +++ b/queue-6.0/net-hsr-fix-potential-use-after-free.patch @@ -0,0 +1,49 @@ +From 8c210559043a1d06ff6e6e43dcda04b97dfb2958 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 15:57:24 +0800 +Subject: net: hsr: Fix potential use-after-free + +From: YueHaibing + +[ Upstream commit 7e177d32442b7ed08a9fa61b61724abc548cb248 ] + +The skb is delivered to netif_rx() which may free it, after calling this, +dereferencing skb may trigger use-after-free. + +Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)") +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20221125075724.27912-1-yuehaibing@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_forward.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c +index a50429a62f74..56bb27d67a2e 100644 +--- a/net/hsr/hsr_forward.c ++++ b/net/hsr/hsr_forward.c +@@ -351,17 +351,18 @@ static void hsr_deliver_master(struct sk_buff *skb, struct net_device *dev, + struct hsr_node *node_src) + { + bool was_multicast_frame; +- int res; ++ int res, recv_len; + + was_multicast_frame = (skb->pkt_type == PACKET_MULTICAST); + hsr_addr_subst_source(node_src, skb); + skb_pull(skb, ETH_HLEN); ++ recv_len = skb->len; + res = netif_rx(skb); + if (res == NET_RX_DROP) { + dev->stats.rx_dropped++; + } else { + dev->stats.rx_packets++; +- dev->stats.rx_bytes += skb->len; ++ dev->stats.rx_bytes += recv_len; + if (was_multicast_frame) + dev->stats.multicast++; + } +-- +2.35.1 + diff --git a/queue-6.0/net-mdiobus-fix-unbalanced-node-reference-count.patch b/queue-6.0/net-mdiobus-fix-unbalanced-node-reference-count.patch new file mode 100644 index 00000000000..ee73926920b --- /dev/null +++ b/queue-6.0/net-mdiobus-fix-unbalanced-node-reference-count.patch @@ -0,0 +1,64 @@ +From b0b5d1fb8537bcb7e834295968bbb6a697c990e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 23:01:30 +0800 +Subject: net: mdiobus: fix unbalanced node reference count + +From: Yang Yingliang + +[ Upstream commit cdde1560118f82498fc9e9a7c1ef7f0ef7755891 ] + +I got the following report while doing device(mscc-miim) load test +with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled: + + OF: ERROR: memory leak, expected refcount 1 instead of 2, + of_node_get()/of_node_put() unbalanced - destroy cset entry: + attach overlay node /spi/soc@0/mdio@7107009c/ethernet-phy@0 + +If the 'fwnode' is not an acpi node, the refcount is get in +fwnode_mdiobus_phy_device_register(), but it has never been +put when the device is freed in the normal path. So call +fwnode_handle_put() in phy_device_release() to avoid leak. + +If it's an acpi node, it has never been get, but it's put +in the error path, so call fwnode_handle_get() before +phy_device_register() to keep get/put operation balanced. + +Fixes: bc1bee3b87ee ("net: mdiobus: Introduce fwnode_mdiobus_register_phy()") +Signed-off-by: Yang Yingliang +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20221124150130.609420-1-yangyingliang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/fwnode_mdio.c | 2 +- + drivers/net/phy/phy_device.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/mdio/fwnode_mdio.c b/drivers/net/mdio/fwnode_mdio.c +index 1c1584fca632..40e745a1d185 100644 +--- a/drivers/net/mdio/fwnode_mdio.c ++++ b/drivers/net/mdio/fwnode_mdio.c +@@ -120,7 +120,7 @@ int fwnode_mdiobus_register_phy(struct mii_bus *bus, + /* Associate the fwnode with the device structure so it + * can be looked up later. + */ +- phy->mdio.dev.fwnode = child; ++ phy->mdio.dev.fwnode = fwnode_handle_get(child); + + /* All data is now stored in the phy struct, so register it */ + rc = phy_device_register(phy); +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 70c4d48f32c6..3607077cf86f 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -216,6 +216,7 @@ static void phy_mdio_device_free(struct mdio_device *mdiodev) + + static void phy_device_release(struct device *dev) + { ++ fwnode_handle_put(dev->fwnode); + kfree(to_phy_device(dev)); + } + +-- +2.35.1 + diff --git a/queue-6.0/net-mlx5-dr-fix-uninitialized-var-warning.patch b/queue-6.0/net-mlx5-dr-fix-uninitialized-var-warning.patch new file mode 100644 index 00000000000..2e6d0a50494 --- /dev/null +++ b/queue-6.0/net-mlx5-dr-fix-uninitialized-var-warning.patch @@ -0,0 +1,51 @@ +From 6b0e1ed571870888bac2e68297e0da10a2651c2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 21:47:07 +0800 +Subject: net/mlx5: DR, Fix uninitialized var warning + +From: YueHaibing + +[ Upstream commit 52f7cf70eb8fac6111786c59ae9dfc5cf2bee710 ] + +Smatch warns this: + +drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c:81 + mlx5dr_table_set_miss_action() error: uninitialized symbol 'ret'. + +Initializing ret with -EOPNOTSUPP and fix missing action case. + +Fixes: 7838e1725394 ("net/mlx5: DR, Expose steering table functionality") +Signed-off-by: YueHaibing +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c +index 31d443dd8386..f68461b13391 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c +@@ -46,7 +46,7 @@ static int dr_table_set_miss_action_nic(struct mlx5dr_domain *dmn, + int mlx5dr_table_set_miss_action(struct mlx5dr_table *tbl, + struct mlx5dr_action *action) + { +- int ret; ++ int ret = -EOPNOTSUPP; + + if (action && action->action_type != DR_ACTION_TYP_FT) + return -EOPNOTSUPP; +@@ -67,6 +67,9 @@ int mlx5dr_table_set_miss_action(struct mlx5dr_table *tbl, + goto out; + } + ++ if (ret) ++ goto out; ++ + /* Release old action */ + if (tbl->miss_action) + refcount_dec(&tbl->miss_action->refcount); +-- +2.35.1 + diff --git a/queue-6.0/net-mlx5-e-switch-destroy-legacy-fdb-table-when-need.patch b/queue-6.0/net-mlx5-e-switch-destroy-legacy-fdb-table-when-need.patch new file mode 100644 index 00000000000..9302432e3b0 --- /dev/null +++ b/queue-6.0/net-mlx5-e-switch-destroy-legacy-fdb-table-when-need.patch @@ -0,0 +1,64 @@ +From 96d4ea214b10cf02e918c2dd07c34d75962f7d4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 09:48:13 +0200 +Subject: net/mlx5: E-switch, Destroy legacy fdb table when needed + +From: Chris Mi + +[ Upstream commit 2318b8bb94a3a21363cd0d49cad5934bd1e2d60e ] + +The cited commit removes eswitch mode none. But when disabling +sriov in legacy mode or changing from switchdev to legacy mode +without sriov enabled, the legacy fdb table is not destroyed. + +It is not the right behavior. Destroy legacy fdb table in above +two caes. + +Fixes: f019679ea5f2 ("net/mlx5: E-switch, Remove dependency between sriov and eswitch mode") +Signed-off-by: Chris Mi +Reviewed-by: Roi Dayan +Reviewed-by: Eli Cohen +Reviewed-by: Mark Bloch +Reviewed-by: Vlad Buslov +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 3 +++ + drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 7 +++++++ + 2 files changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 4d8b8f6143cc..59cffa49e4b5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1363,6 +1363,9 @@ void mlx5_eswitch_disable_sriov(struct mlx5_eswitch *esw, bool clear_vf) + esw_offloads_del_send_to_vport_meta_rules(esw); + devl_rate_nodes_destroy(devlink); + } ++ /* Destroy legacy fdb when disabling sriov in legacy mode. */ ++ if (esw->mode == MLX5_ESWITCH_LEGACY) ++ mlx5_eswitch_disable_locked(esw); + + esw->esw_funcs.num_vfs = 0; + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +index 061ac8799354..11cb7d28e1f8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -3270,6 +3270,13 @@ static int esw_offloads_stop(struct mlx5_eswitch *esw, + int err; + + esw->mode = MLX5_ESWITCH_LEGACY; ++ ++ /* If changing from switchdev to legacy mode without sriov enabled, ++ * no need to create legacy fdb. ++ */ ++ if (!mlx5_sriov_is_enabled(esw->dev)) ++ return 0; ++ + err = mlx5_eswitch_enable_locked(esw, MLX5_ESWITCH_IGNORE_NUM_VFS); + if (err) + NL_SET_ERR_MSG_MOD(extack, "Failed setting eswitch to legacy"); +-- +2.35.1 + diff --git a/queue-6.0/net-mlx5-e-switch-fix-duplicate-lag-creation.patch b/queue-6.0/net-mlx5-e-switch-fix-duplicate-lag-creation.patch new file mode 100644 index 00000000000..7358f8d6032 --- /dev/null +++ b/queue-6.0/net-mlx5-e-switch-fix-duplicate-lag-creation.patch @@ -0,0 +1,73 @@ +From e006e8b90f589f69f12f4723e0bb4c2cfdda48f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 05:09:07 +0300 +Subject: net/mlx5: E-switch, Fix duplicate lag creation + +From: Chris Mi + +[ Upstream commit e87c6a832f889c093c055a30a7b8c6843e6573bf ] + +If creating bond first and then enabling sriov in switchdev mode, +will hit the following syndrome: + +mlx5_core 0000:08:00.0: mlx5_cmd_out_err:778:(pid 25543): CREATE_LAG(0x840) op_mod(0x0) failed, status bad parameter(0x3), syndrome (0x7d49cb), err(-22) + +The reason is because the offending patch removes eswitch mode +none. In vf lag, the checking of eswitch mode none is replaced +by checking if sriov is enabled. But when driver enables sriov, +it triggers the bond workqueue task first and then setting sriov +number in pci_enable_sriov(). So the check fails. + +Fix it by checking if sriov is enabled using eswitch internal +counter that is set before triggering the bond workqueue task. + +Fixes: f019679ea5f2 ("net/mlx5: E-switch, Remove dependency between sriov and eswitch mode") +Signed-off-by: Chris Mi +Reviewed-by: Roi Dayan +Reviewed-by: Mark Bloch +Reviewed-by: Vlad Buslov +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch.h | 8 ++++++++ + drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c | 5 +++-- + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +index 87ce5a208cb5..5ceed4e6c658 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +@@ -731,6 +731,14 @@ void mlx5_eswitch_offloads_destroy_single_fdb(struct mlx5_eswitch *master_esw, + struct mlx5_eswitch *slave_esw); + int mlx5_eswitch_reload_reps(struct mlx5_eswitch *esw); + ++static inline int mlx5_eswitch_num_vfs(struct mlx5_eswitch *esw) ++{ ++ if (mlx5_esw_allowed(esw)) ++ return esw->esw_funcs.num_vfs; ++ ++ return 0; ++} ++ + #else /* CONFIG_MLX5_ESWITCH */ + /* eswitch API stubs */ + static inline int mlx5_eswitch_init(struct mlx5_core_dev *dev) { return 0; } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c +index 065102278cb8..a879e0b0f702 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c +@@ -649,8 +649,9 @@ static bool mlx5_lag_check_prereq(struct mlx5_lag *ldev) + + #ifdef CONFIG_MLX5_ESWITCH + dev = ldev->pf[MLX5_LAG_P1].dev; +- if ((mlx5_sriov_is_enabled(dev)) && !is_mdev_switchdev_mode(dev)) +- return false; ++ for (i = 0; i < ldev->ports; i++) ++ if (mlx5_eswitch_num_vfs(dev->priv.eswitch) && !is_mdev_switchdev_mode(dev)) ++ return false; + + mode = mlx5_eswitch_mode(dev); + for (i = 0; i < ldev->ports; i++) +-- +2.35.1 + diff --git a/queue-6.0/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch b/queue-6.0/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch new file mode 100644 index 00000000000..6754b08a382 --- /dev/null +++ b/queue-6.0/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch @@ -0,0 +1,39 @@ +From eb9b86fbeed453fbb8c9653f19e978f8fb83ff3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 19:22:04 +0800 +Subject: net/mlx5: Fix uninitialized variable bug in outlen_write() + +From: YueHaibing + +[ Upstream commit 3f5769a074c13d8f08455e40586600419e02a880 ] + +If sscanf() return 0, outlen is uninitialized and used in kzalloc(), +this is unexpected. We should return -EINVAL if the string is invalid. + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Signed-off-by: YueHaibing +Reviewed-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 74bd05e5dda2..e7a894ba5c3e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1497,8 +1497,8 @@ static ssize_t outlen_write(struct file *filp, const char __user *buf, + return -EFAULT; + + err = sscanf(outlen_str, "%d", &outlen); +- if (err < 0) +- return err; ++ if (err != 1) ++ return -EINVAL; + + ptr = kzalloc(outlen, GFP_KERNEL); + if (!ptr) +-- +2.35.1 + diff --git a/queue-6.0/net-mlx5-lag-fix-for-loop-when-checking-lag.patch b/queue-6.0/net-mlx5-lag-fix-for-loop-when-checking-lag.patch new file mode 100644 index 00000000000..d53fc5267d3 --- /dev/null +++ b/queue-6.0/net-mlx5-lag-fix-for-loop-when-checking-lag.patch @@ -0,0 +1,47 @@ +From 59b248e2e9757e440a5e96f1f1106b4f88af976d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Nov 2022 01:30:06 -0800 +Subject: net/mlx5: Lag, Fix for loop when checking lag + +From: Chris Mi + +[ Upstream commit 0e682f04b4b59eac0b0a030251513589c4607458 ] + +The cited commit adds a for loop to check if each port supports lag +or not. But dev is not initialized correctly. Fix it by initializing +dev for each iteration. + +Fixes: e87c6a832f88 ("net/mlx5: E-switch, Fix duplicate lag creation") +Signed-off-by: Chris Mi +Reported-by: Jacob Keller +Signed-off-by: Saeed Mahameed +Link: https://lore.kernel.org/r/20221129093006.378840-2-saeed@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c +index a879e0b0f702..48f86e12f5c0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c +@@ -648,11 +648,13 @@ static bool mlx5_lag_check_prereq(struct mlx5_lag *ldev) + return false; + + #ifdef CONFIG_MLX5_ESWITCH +- dev = ldev->pf[MLX5_LAG_P1].dev; +- for (i = 0; i < ldev->ports; i++) ++ for (i = 0; i < ldev->ports; i++) { ++ dev = ldev->pf[i].dev; + if (mlx5_eswitch_num_vfs(dev->priv.eswitch) && !is_mdev_switchdev_mode(dev)) + return false; ++ } + ++ dev = ldev->pf[MLX5_LAG_P1].dev; + mode = mlx5_eswitch_mode(dev); + for (i = 0; i < ldev->ports; i++) + if (mlx5_eswitch_mode(ldev->pf[i].dev) != mode) +-- +2.35.1 + diff --git a/queue-6.0/net-mlx5e-fix-use-after-free-when-reverting-terminat.patch b/queue-6.0/net-mlx5e-fix-use-after-free-when-reverting-terminat.patch new file mode 100644 index 00000000000..a6c7aee4657 --- /dev/null +++ b/queue-6.0/net-mlx5e-fix-use-after-free-when-reverting-terminat.patch @@ -0,0 +1,40 @@ +From 2663600782dae20a81f917ca8126de60f40eec5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 20:04:29 +0200 +Subject: net/mlx5e: Fix use-after-free when reverting termination table + +From: Roi Dayan + +[ Upstream commit 52c795af04441d76f565c4634f893e5b553df2ae ] + +When having multiple dests with termination tables and second one +or afterwards fails the driver reverts usage of term tables but +doesn't reset the assignment in attr->dests[num_vport_dests].termtbl +which case a use-after-free when releasing the rule. +Fix by resetting the assignment of termtbl to null. + +Fixes: 10caabdaad5a ("net/mlx5e: Use termination table for VLAN push actions") +Signed-off-by: Roi Dayan +Reviewed-by: Maor Dickman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c +index 108a3503f413..edd910258314 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c +@@ -312,6 +312,8 @@ mlx5_eswitch_add_termtbl_rule(struct mlx5_eswitch *esw, + for (curr_dest = 0; curr_dest < num_vport_dests; curr_dest++) { + struct mlx5_termtbl_handle *tt = attr->dests[curr_dest].termtbl; + ++ attr->dests[curr_dest].termtbl = NULL; ++ + /* search for the destination associated with the + * current term table + */ +-- +2.35.1 + diff --git a/queue-6.0/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch b/queue-6.0/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch new file mode 100644 index 00000000000..c8515abe12b --- /dev/null +++ b/queue-6.0/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch @@ -0,0 +1,48 @@ +From ebe4606066cc0da19e913b64e8389130f4b1af35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 07:09:17 +0000 +Subject: net: net_netdev: Fix error handling in ntb_netdev_init_module() + +From: Yuan Can + +[ Upstream commit b8f79dccd38edf7db4911c353d9cd792ab13a327 ] + +The ntb_netdev_init_module() returns the ntb_transport_register_client() +directly without checking its return value, if +ntb_transport_register_client() failed, the NTB client device is not +unregistered. + +Fix by unregister NTB client device when ntb_transport_register_client() +failed. + +Fixes: 548c237c0a99 ("net: Add support for NTB virtual ethernet device") +Signed-off-by: Yuan Can +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ntb_netdev.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c +index 80bdc07f2cd3..dd7e273c90cb 100644 +--- a/drivers/net/ntb_netdev.c ++++ b/drivers/net/ntb_netdev.c +@@ -484,7 +484,14 @@ static int __init ntb_netdev_init_module(void) + rc = ntb_transport_register_client_dev(KBUILD_MODNAME); + if (rc) + return rc; +- return ntb_transport_register_client(&ntb_netdev_client); ++ ++ rc = ntb_transport_register_client(&ntb_netdev_client); ++ if (rc) { ++ ntb_transport_unregister_client_dev(KBUILD_MODNAME); ++ return rc; ++ } ++ ++ return 0; + } + module_init(ntb_netdev_init_module); + +-- +2.35.1 + diff --git a/queue-6.0/net-phy-fix-null-ptr-deref-while-probe-failed.patch b/queue-6.0/net-phy-fix-null-ptr-deref-while-probe-failed.patch new file mode 100644 index 00000000000..a673c7755c1 --- /dev/null +++ b/queue-6.0/net-phy-fix-null-ptr-deref-while-probe-failed.patch @@ -0,0 +1,73 @@ +From 5fe0de08748706c620fedaaf89e52891fbfb9e3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 21:28:08 +0800 +Subject: net: phy: fix null-ptr-deref while probe() failed + +From: Yang Yingliang + +[ Upstream commit 369eb2c9f1f72adbe91e0ea8efb130f0a2ba11a6 ] + +I got a null-ptr-deref report as following when doing fault injection test: + +BUG: kernel NULL pointer dereference, address: 0000000000000058 +Oops: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G B N 6.1.0-rc3+ +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 +RIP: 0010:klist_put+0x2d/0xd0 +Call Trace: + + klist_remove+0xf1/0x1c0 + device_release_driver_internal+0x23e/0x2d0 + bus_remove_device+0x1bd/0x240 + device_del+0x357/0x770 + phy_device_remove+0x11/0x30 + mdiobus_unregister+0xa5/0x140 + release_nodes+0x6a/0xa0 + devres_release_all+0xf8/0x150 + device_unbind_cleanup+0x19/0xd0 + +//probe path: +phy_device_register() + device_add() + +phy_connect + phy_attach_direct() //set device driver + probe() //it's failed, driver is not bound + device_bind_driver() // probe failed, it's not called + +//remove path: +phy_device_remove() + device_del() + device_release_driver_internal() + __device_release_driver() //dev->drv is not NULL + klist_remove() <- knode_driver is not added yet, cause null-ptr-deref + +In phy_attach_direct(), after setting the 'dev->driver', probe() fails, +device_bind_driver() is not called, so the knode_driver->n_klist is not +set, then it causes null-ptr-deref in __device_release_driver() while +deleting device. Fix this by setting dev->driver to NULL in the error +path in phy_attach_direct(). + +Fixes: e13934563db0 ("[PATCH] PHY Layer fixup") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 4df8c337221b..70c4d48f32c6 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -1518,6 +1518,7 @@ int phy_attach_direct(struct net_device *dev, struct phy_device *phydev, + + error_module_put: + module_put(d->driver->owner); ++ d->driver = NULL; + error_put_device: + put_device(d); + if (ndev_owner != bus->owner) +-- +2.35.1 + diff --git a/queue-6.0/net-tun-fix-use-after-free-in-tun_detach.patch b/queue-6.0/net-tun-fix-use-after-free-in-tun_detach.patch new file mode 100644 index 00000000000..90b627b77cf --- /dev/null +++ b/queue-6.0/net-tun-fix-use-after-free-in-tun_detach.patch @@ -0,0 +1,90 @@ +From 646928fda18681c89b034ca060c8642d4b2e7916 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 02:51:34 +0900 +Subject: net: tun: Fix use-after-free in tun_detach() + +From: Shigeru Yoshida + +[ Upstream commit 5daadc86f27ea4d691e2131c04310d0418c6cd12 ] + +syzbot reported use-after-free in tun_detach() [1]. This causes call +trace like below: + +================================================================== +BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 +Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673 + +CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:284 [inline] + print_report+0x15e/0x461 mm/kasan/report.c:395 + kasan_report+0xbf/0x1f0 mm/kasan/report.c:495 + notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 + call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942 + call_netdevice_notifiers_extack net/core/dev.c:1983 [inline] + call_netdevice_notifiers net/core/dev.c:1997 [inline] + netdev_wait_allrefs_any net/core/dev.c:10237 [inline] + netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351 + tun_detach drivers/net/tun.c:704 [inline] + tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467 + __fput+0x27c/0xa90 fs/file_table.c:320 + task_work_run+0x16f/0x270 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0xb3d/0x2a30 kernel/exit.c:820 + do_group_exit+0xd4/0x2a0 kernel/exit.c:950 + get_signal+0x21b1/0x2440 kernel/signal.c:2858 + arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869 + exit_to_user_mode_loop kernel/entry/common.c:168 [inline] + exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 + do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The cause of the issue is that sock_put() from __tun_detach() drops +last reference count for struct net, and then notifier_call_chain() +from netdev_state_change() accesses that struct net. + +This patch fixes the issue by calling sock_put() from tun_detach() +after all necessary accesses for the struct net has done. + +Fixes: 83c1f36f9880 ("tun: send netlink notification when the device is modified") +Reported-by: syzbot+106f9b687cd64ee70cd1@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=96eb7f1ce75ef933697f24eeab928c4a716edefe [1] +Signed-off-by: Shigeru Yoshida +Link: https://lore.kernel.org/r/20221124175134.1589053-1-syoshida@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/tun.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 3387074a2bdb..167e6a3784ca 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -686,7 +686,6 @@ static void __tun_detach(struct tun_file *tfile, bool clean) + if (tun) + xdp_rxq_info_unreg(&tfile->xdp_rxq); + ptr_ring_cleanup(&tfile->tx_ring, tun_ptr_free); +- sock_put(&tfile->sk); + } + } + +@@ -702,6 +701,9 @@ static void tun_detach(struct tun_file *tfile, bool clean) + if (dev) + netdev_state_change(dev); + rtnl_unlock(); ++ ++ if (clean) ++ sock_put(&tfile->sk); + } + + static void tun_detach_all(struct net_device *dev) +-- +2.35.1 + diff --git a/queue-6.0/net-wwan-iosm-fix-crash-in-peek-throughput-test.patch b/queue-6.0/net-wwan-iosm-fix-crash-in-peek-throughput-test.patch new file mode 100644 index 00000000000..8302b93ea2c --- /dev/null +++ b/queue-6.0/net-wwan-iosm-fix-crash-in-peek-throughput-test.patch @@ -0,0 +1,46 @@ +From abff31ad9b8ae90983eebac658ba1b991d525dda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 16:08:17 +0530 +Subject: net: wwan: iosm: fix crash in peek throughput test + +From: M Chetan Kumar + +[ Upstream commit 2290a1d46bf30f9e0bcf49ad20d5c30d0e099989 ] + +Peek throughput UL test is resulting in crash. If the UL +transfer block free list is exhaust, the peeked skb is freed. +In the next transfer freed skb is referred from UL list which +results in crash. + +Don't free the skb if UL transfer blocks are unavailable. The +pending skb will be picked for transfer on UL transfer block +available. + +Fixes: 1f52d7b62285 ("net: wwan: iosm: Enable M.2 7360 WWAN card support") +Signed-off-by: M Chetan Kumar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/iosm/iosm_ipc_mux_codec.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c b/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c +index c16365123660..738420bd14af 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c +@@ -1207,10 +1207,9 @@ static int mux_ul_dg_update_tbl_index(struct iosm_mux *ipc_mux, + qlth_n_ql_size, ul_list); + ipc_mux_ul_adb_finish(ipc_mux); + if (ipc_mux_ul_adb_allocate(ipc_mux, adb, &ipc_mux->size_needed, +- IOSM_AGGR_MUX_SIG_ADBH)) { +- dev_kfree_skb(src_skb); ++ IOSM_AGGR_MUX_SIG_ADBH)) + return -ENOMEM; +- } ++ + ipc_mux->size_needed = le32_to_cpu(adb->adbh->block_length); + + ipc_mux->size_needed += offsetof(struct mux_adth, dg); +-- +2.35.1 + diff --git a/queue-6.0/net-wwan-iosm-fix-dma_alloc_coherent-incompatible-po.patch b/queue-6.0/net-wwan-iosm-fix-dma_alloc_coherent-incompatible-po.patch new file mode 100644 index 00000000000..c86af030184 --- /dev/null +++ b/queue-6.0/net-wwan-iosm-fix-dma_alloc_coherent-incompatible-po.patch @@ -0,0 +1,42 @@ +From c3a5cdea07482f3db53a59d850fa555514903741 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 16:08:03 +0530 +Subject: net: wwan: iosm: fix dma_alloc_coherent incompatible pointer type + +From: M Chetan Kumar + +[ Upstream commit 4a99e3c8ed888577b947cbed97d88c9706896105 ] + +Fix build error reported on armhf while preparing 6.1-rc5 +for Debian. + +iosm_ipc_protocol.c:244:36: error: passing argument 3 of +'dma_alloc_coherent' from incompatible pointer type. + +Change phy_ap_shm type from phys_addr_t to dma_addr_t. + +Fixes: faed4c6f6f48 ("net: iosm: shared memory protocol") +Reported-by: Bonaccorso Salvatore +Signed-off-by: M Chetan Kumar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/iosm/iosm_ipc_protocol.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_protocol.h b/drivers/net/wwan/iosm/iosm_ipc_protocol.h +index 9b3a6d86ece7..289397c4ea6c 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_protocol.h ++++ b/drivers/net/wwan/iosm/iosm_ipc_protocol.h +@@ -122,7 +122,7 @@ struct iosm_protocol { + struct iosm_imem *imem; + struct ipc_rsp *rsp_ring[IPC_MEM_MSG_ENTRIES]; + struct device *dev; +- phys_addr_t phy_ap_shm; ++ dma_addr_t phy_ap_shm; + u32 old_msg_tail; + }; + +-- +2.35.1 + diff --git a/queue-6.0/net-wwan-iosm-fix-incorrect-skb-length.patch b/queue-6.0/net-wwan-iosm-fix-incorrect-skb-length.patch new file mode 100644 index 00000000000..c8b71e91d1e --- /dev/null +++ b/queue-6.0/net-wwan-iosm-fix-incorrect-skb-length.patch @@ -0,0 +1,101 @@ +From f61bb51bee284f7580ef47aa2ce98449e0d6ef64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 16:08:32 +0530 +Subject: net: wwan: iosm: fix incorrect skb length + +From: M Chetan Kumar + +[ Upstream commit c34ca4f32c24bf748493b49085e43cd714cf8357 ] + +skb passed to network layer contains incorrect length. + +In mux aggregation protocol, the datagram block received +from device contains block signature, packet & datagram +header. The right skb len to be calculated by subracting +datagram pad len from datagram length. + +Whereas in mux lite protocol, the skb contains single +datagram so skb len is calculated by subtracting the +packet offset from datagram header. + +Fixes: 1f52d7b62285 ("net: wwan: iosm: Enable M.2 7360 WWAN card support") +Signed-off-by: M Chetan Kumar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/iosm/iosm_ipc_mux_codec.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c b/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c +index 738420bd14af..d6b166fc5c0e 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c +@@ -365,7 +365,8 @@ static void ipc_mux_dl_cmd_decode(struct iosm_mux *ipc_mux, struct sk_buff *skb) + /* Pass the DL packet to the netif layer. */ + static int ipc_mux_net_receive(struct iosm_mux *ipc_mux, int if_id, + struct iosm_wwan *wwan, u32 offset, +- u8 service_class, struct sk_buff *skb) ++ u8 service_class, struct sk_buff *skb, ++ u32 pkt_len) + { + struct sk_buff *dest_skb = skb_clone(skb, GFP_ATOMIC); + +@@ -373,7 +374,7 @@ static int ipc_mux_net_receive(struct iosm_mux *ipc_mux, int if_id, + return -ENOMEM; + + skb_pull(dest_skb, offset); +- skb_set_tail_pointer(dest_skb, dest_skb->len); ++ skb_trim(dest_skb, pkt_len); + /* Pass the packet to the netif layer. */ + dest_skb->priority = service_class; + +@@ -429,7 +430,7 @@ static void ipc_mux_dl_fcth_decode(struct iosm_mux *ipc_mux, + static void ipc_mux_dl_adgh_decode(struct iosm_mux *ipc_mux, + struct sk_buff *skb) + { +- u32 pad_len, packet_offset; ++ u32 pad_len, packet_offset, adgh_len; + struct iosm_wwan *wwan; + struct mux_adgh *adgh; + u8 *block = skb->data; +@@ -470,10 +471,12 @@ static void ipc_mux_dl_adgh_decode(struct iosm_mux *ipc_mux, + packet_offset = sizeof(*adgh) + pad_len; + + if_id += ipc_mux->wwan_q_offset; ++ adgh_len = le16_to_cpu(adgh->length); + + /* Pass the packet to the netif layer */ + rc = ipc_mux_net_receive(ipc_mux, if_id, wwan, packet_offset, +- adgh->service_class, skb); ++ adgh->service_class, skb, ++ adgh_len - packet_offset); + if (rc) { + dev_err(ipc_mux->dev, "mux adgh decoding error"); + return; +@@ -547,7 +550,7 @@ static int mux_dl_process_dg(struct iosm_mux *ipc_mux, struct mux_adbh *adbh, + int if_id, int nr_of_dg) + { + u32 dl_head_pad_len = ipc_mux->session[if_id].dl_head_pad_len; +- u32 packet_offset, i, rc; ++ u32 packet_offset, i, rc, dg_len; + + for (i = 0; i < nr_of_dg; i++, dg++) { + if (le32_to_cpu(dg->datagram_index) +@@ -562,11 +565,12 @@ static int mux_dl_process_dg(struct iosm_mux *ipc_mux, struct mux_adbh *adbh, + packet_offset = + le32_to_cpu(dg->datagram_index) + + dl_head_pad_len; ++ dg_len = le16_to_cpu(dg->datagram_length); + /* Pass the packet to the netif layer. */ + rc = ipc_mux_net_receive(ipc_mux, if_id, ipc_mux->wwan, + packet_offset, +- dg->service_class, +- skb); ++ dg->service_class, skb, ++ dg_len - dl_head_pad_len); + if (rc) + goto dg_error; + } +-- +2.35.1 + diff --git a/queue-6.0/net-wwan-iosm-fix-kernel-test-robot-reported-error.patch b/queue-6.0/net-wwan-iosm-fix-kernel-test-robot-reported-error.patch new file mode 100644 index 00000000000..2831c465081 --- /dev/null +++ b/queue-6.0/net-wwan-iosm-fix-kernel-test-robot-reported-error.patch @@ -0,0 +1,40 @@ +From 3e633a93fc5bbe8b6091005590ea14e60f545d0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 16:07:46 +0530 +Subject: net: wwan: iosm: fix kernel test robot reported error + +From: M Chetan Kumar + +[ Upstream commit 985a02e75881b73a43c9433a718b49d272a9dd6b ] + +sparse warnings - iosm_ipc_mux_codec.c:1474 using plain +integer as NULL pointer. + +Use skb_trim() to reset skb tail & len. + +Fixes: 9413491e20e1 ("net: iosm: encode or decode datagram") +Reported-by: kernel test robot +Signed-off-by: M Chetan Kumar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/iosm/iosm_ipc_mux_codec.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c b/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c +index d41e373f9c0a..c16365123660 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c +@@ -1471,8 +1471,7 @@ void ipc_mux_ul_encoded_process(struct iosm_mux *ipc_mux, struct sk_buff *skb) + ipc_mux->ul_data_pend_bytes); + + /* Reset the skb settings. */ +- skb->tail = 0; +- skb->len = 0; ++ skb_trim(skb, 0); + + /* Add the consumed ADB to the free list. */ + skb_queue_tail((&ipc_mux->ul_adb.free_list), skb); +-- +2.35.1 + diff --git a/queue-6.0/nvmem-rmem-fix-return-value-check-in-rmem_read.patch b/queue-6.0/nvmem-rmem-fix-return-value-check-in-rmem_read.patch new file mode 100644 index 00000000000..d6d54d218c8 --- /dev/null +++ b/queue-6.0/nvmem-rmem-fix-return-value-check-in-rmem_read.patch @@ -0,0 +1,46 @@ +From 9546987a5728bc98d4870916926c07cdf5dbaf4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 06:38:38 +0000 +Subject: nvmem: rmem: Fix return value check in rmem_read() + +From: Wei Yongjun + +[ Upstream commit 58e92c4a496b27156020a59a98c7f4a92c2b1533 ] + +In case of error, the function memremap() returns NULL pointer +not ERR_PTR(). The IS_ERR() test in the return value check +should be replaced with NULL test. + +Fixes: 5a3fa75a4d9c ("nvmem: Add driver to expose reserved memory as nvmem") +Cc: Srinivas Kandagatla +Cc: Nicolas Saenz Julienne +Signed-off-by: Wei Yongjun +Acked-by: Nicolas Saenz Julienne +Signed-off-by: Yang Yingliang +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20221118063840.6357-3-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/nvmem/rmem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvmem/rmem.c b/drivers/nvmem/rmem.c +index b11c3c974b3d..80cb187f1481 100644 +--- a/drivers/nvmem/rmem.c ++++ b/drivers/nvmem/rmem.c +@@ -37,9 +37,9 @@ static int rmem_read(void *context, unsigned int offset, + * but as of Dec 2020 this isn't possible on arm64. + */ + addr = memremap(priv->mem->base, available, MEMREMAP_WB); +- if (IS_ERR(addr)) { ++ if (!addr) { + dev_err(priv->dev, "Failed to remap memory region\n"); +- return PTR_ERR(addr); ++ return -ENOMEM; + } + + count = memory_read_from_buffer(val, bytes, &off, addr, available); +-- +2.35.1 + diff --git a/queue-6.0/of-property-decrement-node-refcount-in-of_fwnode_get.patch b/queue-6.0/of-property-decrement-node-refcount-in-of_fwnode_get.patch new file mode 100644 index 00000000000..376a50e4e02 --- /dev/null +++ b/queue-6.0/of-property-decrement-node-refcount-in-of_fwnode_get.patch @@ -0,0 +1,47 @@ +From 4bc917c56469a332b55307191416bd053fe28214 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 10:32:09 +0800 +Subject: of: property: decrement node refcount in + of_fwnode_get_reference_args() + +From: Yang Yingliang + +[ Upstream commit 60d865bd5a9b15a3961eb1c08bd4155682a3c81e ] + +In of_fwnode_get_reference_args(), the refcount of of_args.np has +been incremented in the case of successful return from +of_parse_phandle_with_args() or of_parse_phandle_with_fixed_args(). + +Decrement the refcount if of_args is not returned to the caller of +of_fwnode_get_reference_args(). + +Fixes: 3e3119d3088f ("device property: Introduce fwnode_property_get_reference_args") +Signed-off-by: Yang Yingliang +Reviewed-by: Sakari Ailus +Reviewed-by: Frank Rowand +Link: https://lore.kernel.org/r/20221121023209.3909759-1-yangyingliang@huawei.com +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/property.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/of/property.c b/drivers/of/property.c +index 967f79b59016..134cfc980b70 100644 +--- a/drivers/of/property.c ++++ b/drivers/of/property.c +@@ -993,8 +993,10 @@ of_fwnode_get_reference_args(const struct fwnode_handle *fwnode, + nargs, index, &of_args); + if (ret < 0) + return ret; +- if (!args) ++ if (!args) { ++ of_node_put(of_args.np); + return 0; ++ } + + args->nargs = of_args.args_count; + args->fwnode = of_fwnode_handle(of_args.np); +-- +2.35.1 + diff --git a/queue-6.0/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch b/queue-6.0/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch new file mode 100644 index 00000000000..76eda6b880d --- /dev/null +++ b/queue-6.0/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch @@ -0,0 +1,49 @@ +From 29dbb974f5e14a1dd4f870cfa3fa20d0c892f920 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 11:18:12 -0500 +Subject: packet: do not set TP_STATUS_CSUM_VALID on CHECKSUM_COMPLETE + +From: Willem de Bruijn + +[ Upstream commit b85f628aa158a653c006e9c1405a117baef8c868 ] + +CHECKSUM_COMPLETE signals that skb->csum stores the sum over the +entire packet. It does not imply that an embedded l4 checksum +field has been validated. + +Fixes: 682f048bd494 ("af_packet: pass checksum validation status to the user") +Signed-off-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20221128161812.640098-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 5cbe07116e04..5727cb7ec174 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2293,8 +2293,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + if (skb->ip_summed == CHECKSUM_PARTIAL) + status |= TP_STATUS_CSUMNOTREADY; + else if (skb->pkt_type != PACKET_OUTGOING && +- (skb->ip_summed == CHECKSUM_COMPLETE || +- skb_csum_unnecessary(skb))) ++ skb_csum_unnecessary(skb)) + status |= TP_STATUS_CSUM_VALID; + + if (snaplen > res) +@@ -3520,8 +3519,7 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + if (skb->ip_summed == CHECKSUM_PARTIAL) + aux.tp_status |= TP_STATUS_CSUMNOTREADY; + else if (skb->pkt_type != PACKET_OUTGOING && +- (skb->ip_summed == CHECKSUM_COMPLETE || +- skb_csum_unnecessary(skb))) ++ skb_csum_unnecessary(skb)) + aux.tp_status |= TP_STATUS_CSUM_VALID; + + aux.tp_len = origlen; +-- +2.35.1 + diff --git a/queue-6.0/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch b/queue-6.0/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch new file mode 100644 index 00000000000..b9cb9bdbe9f --- /dev/null +++ b/queue-6.0/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch @@ -0,0 +1,70 @@ +From bc8f916fe37c35ea7a74e2f1e1dcbe1e04d5de58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 18:06:42 +0800 +Subject: qlcnic: fix sleep-in-atomic-context bugs caused by msleep + +From: Duoming Zhou + +[ Upstream commit 8dbd6e4ce1b9c527921643d9e34f188a10d4e893 ] + +The watchdog timer is used to monitor whether the process +of transmitting data is timeout. If we use qlcnic driver, +the dev_watchdog() that is the timer handler of watchdog +timer will call qlcnic_tx_timeout() to process the timeout. +But the qlcnic_tx_timeout() calls msleep(), as a result, +the sleep-in-atomic-context bugs will happen. The processes +are shown below: + + (atomic context) +dev_watchdog + qlcnic_tx_timeout + qlcnic_83xx_idc_request_reset + qlcnic_83xx_lock_driver + msleep + +--------------------------- + + (atomic context) +dev_watchdog + qlcnic_tx_timeout + qlcnic_83xx_idc_request_reset + qlcnic_83xx_lock_driver + qlcnic_83xx_recover_driver_lock + msleep + +Fix by changing msleep() to mdelay(), the mdelay() is +busy-waiting and the bugs could be mitigated. + +Fixes: 629263acaea3 ("qlcnic: 83xx CNA inter driver communication mechanism") +Signed-off-by: Duoming Zhou +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +index bd0607680329..2fd5c6fdb500 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +@@ -2991,7 +2991,7 @@ static void qlcnic_83xx_recover_driver_lock(struct qlcnic_adapter *adapter) + QLCWRX(adapter->ahw, QLC_83XX_RECOVER_DRV_LOCK, val); + dev_info(&adapter->pdev->dev, + "%s: lock recovery initiated\n", __func__); +- msleep(QLC_83XX_DRV_LOCK_RECOVERY_DELAY); ++ mdelay(QLC_83XX_DRV_LOCK_RECOVERY_DELAY); + val = QLCRDX(adapter->ahw, QLC_83XX_RECOVER_DRV_LOCK); + id = ((val >> 2) & 0xF); + if (id == adapter->portnum) { +@@ -3027,7 +3027,7 @@ int qlcnic_83xx_lock_driver(struct qlcnic_adapter *adapter) + if (status) + break; + +- msleep(QLC_83XX_DRV_LOCK_WAIT_DELAY); ++ mdelay(QLC_83XX_DRV_LOCK_WAIT_DELAY); + i++; + + if (i == 1) +-- +2.35.1 + diff --git a/queue-6.0/scripts-faddr2line-fix-regression-in-name-resolution.patch b/queue-6.0/scripts-faddr2line-fix-regression-in-name-resolution.patch new file mode 100644 index 00000000000..cee69736e02 --- /dev/null +++ b/queue-6.0/scripts-faddr2line-fix-regression-in-name-resolution.patch @@ -0,0 +1,79 @@ +From f25154acf7a4c19f32e15f959fe675ee46525310 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 13:22:11 +0530 +Subject: scripts/faddr2line: Fix regression in name resolution on ppc64le + +From: Srikar Dronamraju + +[ Upstream commit 2d77de1581bb5b470486edaf17a7d70151131afd ] + +Commit 1d1a0e7c5100 ("scripts/faddr2line: Fix overlapping text section +failures") can cause faddr2line to fail on ppc64le on some +distributions, while it works fine on other distributions. The failure +can be attributed to differences in the readelf output. + + $ ./scripts/faddr2line vmlinux find_busiest_group+0x00 + no match for find_busiest_group+0x00 + +On ppc64le, readelf adds the localentry tag before the symbol name on +some distributions, and adds the localentry tag after the symbol name on +other distributions. This problem has been discussed previously: + + https://lore.kernel.org/bpf/20191211160133.GB4580@calabresa/ + +This problem can be overcome by filtering out the localentry tags in the +readelf output. Similar fixes are already present in the kernel by way +of the following commits: + + 1fd6cee127e2 ("libbpf: Fix VERSIONED_SYM_COUNT number parsing") + aa915931ac3e ("libbpf: Fix readelf output parsing for Fedora") + +[jpoimboe: rework commit log] + +Fixes: 1d1a0e7c5100 ("scripts/faddr2line: Fix overlapping text section failures") +Signed-off-by: Srikar Dronamraju +Acked-by: Naveen N. Rao +Reviewed-by: Thadeu Lima de Souza Cascardo +Link: https://lore.kernel.org/r/20220927075211.897152-1-srikar@linux.vnet.ibm.com +Signed-off-by: Josh Poimboeuf +Signed-off-by: Peter Zijlstra +Signed-off-by: Sasha Levin +--- + scripts/faddr2line | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/scripts/faddr2line b/scripts/faddr2line +index 5514c23f45c2..0e73aca4f908 100755 +--- a/scripts/faddr2line ++++ b/scripts/faddr2line +@@ -74,7 +74,8 @@ command -v ${ADDR2LINE} >/dev/null 2>&1 || die "${ADDR2LINE} isn't installed" + find_dir_prefix() { + local objfile=$1 + +- local start_kernel_addr=$(${READELF} --symbols --wide $objfile | ${AWK} '$8 == "start_kernel" {printf "0x%s", $2}') ++ local start_kernel_addr=$(${READELF} --symbols --wide $objfile | sed 's/\[.*\]//' | ++ ${AWK} '$8 == "start_kernel" {printf "0x%s", $2}') + [[ -z $start_kernel_addr ]] && return + + local file_line=$(${ADDR2LINE} -e $objfile $start_kernel_addr) +@@ -178,7 +179,7 @@ __faddr2line() { + found=2 + break + fi +- done < <(${READELF} --symbols --wide $objfile | ${AWK} -v sec=$sym_sec '$7 == sec' | sort --key=2) ++ done < <(${READELF} --symbols --wide $objfile | sed 's/\[.*\]//' | ${AWK} -v sec=$sym_sec '$7 == sec' | sort --key=2) + + if [[ $found = 0 ]]; then + warn "can't find symbol: sym_name: $sym_name sym_sec: $sym_sec sym_addr: $sym_addr sym_elf_size: $sym_elf_size" +@@ -259,7 +260,7 @@ __faddr2line() { + + DONE=1 + +- done < <(${READELF} --symbols --wide $objfile | ${AWK} -v fn=$sym_name '$4 == "FUNC" && $8 == fn') ++ done < <(${READELF} --symbols --wide $objfile | sed 's/\[.*\]//' | ${AWK} -v fn=$sym_name '$4 == "FUNC" && $8 == fn') + } + + [[ $# -lt 2 ]] && usage +-- +2.35.1 + diff --git a/queue-6.0/sctp-fix-memory-leak-in-sctp_stream_outq_migrate.patch b/queue-6.0/sctp-fix-memory-leak-in-sctp_stream_outq_migrate.patch new file mode 100644 index 00000000000..060538c9c3d --- /dev/null +++ b/queue-6.0/sctp-fix-memory-leak-in-sctp_stream_outq_migrate.patch @@ -0,0 +1,202 @@ +From a25cc4e69b61f0c708101b2409f17e1d58d6a30c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Nov 2022 11:17:20 +0800 +Subject: sctp: fix memory leak in sctp_stream_outq_migrate() + +From: Zhengchao Shao + +[ Upstream commit 9ed7bfc79542119ac0a9e1ce8a2a5285e43433e9 ] + +When sctp_stream_outq_migrate() is called to release stream out resources, +the memory pointed to by prio_head in stream out is not released. + +The memory leak information is as follows: + unreferenced object 0xffff88801fe79f80 (size 64): + comm "sctp_repo", pid 7957, jiffies 4294951704 (age 36.480s) + hex dump (first 32 bytes): + 80 9f e7 1f 80 88 ff ff 80 9f e7 1f 80 88 ff ff ................ + 90 9f e7 1f 80 88 ff ff 90 9f e7 1f 80 88 ff ff ................ + backtrace: + [] kmalloc_trace+0x26/0x60 + [] sctp_sched_prio_set+0x4cc/0x770 + [] sctp_stream_init_ext+0xd2/0x1b0 + [] sctp_sendmsg_to_asoc+0x1614/0x1a30 + [] sctp_sendmsg+0xda1/0x1ef0 + [] inet_sendmsg+0x9d/0xe0 + [] sock_sendmsg+0xd3/0x120 + [] __sys_sendto+0x23a/0x340 + [] __x64_sys_sendto+0xe1/0x1b0 + [] do_syscall_64+0x39/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Link: https://syzkaller.appspot.com/bug?exrid=29c402e56c4760763cc0 +Fixes: 637784ade221 ("sctp: introduce priority based stream scheduler") +Reported-by: syzbot+29c402e56c4760763cc0@syzkaller.appspotmail.com +Signed-off-by: Zhengchao Shao +Reviewed-by: Xin Long +Link: https://lore.kernel.org/r/20221126031720.378562-1-shaozhengchao@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sctp/stream_sched.h | 2 ++ + net/sctp/stream.c | 25 ++++++++++++++++++------- + net/sctp/stream_sched.c | 5 +++++ + net/sctp/stream_sched_prio.c | 19 +++++++++++++++++++ + net/sctp/stream_sched_rr.c | 5 +++++ + 5 files changed, 49 insertions(+), 7 deletions(-) + +diff --git a/include/net/sctp/stream_sched.h b/include/net/sctp/stream_sched.h +index 01a70b27e026..65058faea4db 100644 +--- a/include/net/sctp/stream_sched.h ++++ b/include/net/sctp/stream_sched.h +@@ -26,6 +26,8 @@ struct sctp_sched_ops { + int (*init)(struct sctp_stream *stream); + /* Init a stream */ + int (*init_sid)(struct sctp_stream *stream, __u16 sid, gfp_t gfp); ++ /* free a stream */ ++ void (*free_sid)(struct sctp_stream *stream, __u16 sid); + /* Frees the entire thing */ + void (*free)(struct sctp_stream *stream); + +diff --git a/net/sctp/stream.c b/net/sctp/stream.c +index ef9fceadef8d..ee6514af830f 100644 +--- a/net/sctp/stream.c ++++ b/net/sctp/stream.c +@@ -52,6 +52,19 @@ static void sctp_stream_shrink_out(struct sctp_stream *stream, __u16 outcnt) + } + } + ++static void sctp_stream_free_ext(struct sctp_stream *stream, __u16 sid) ++{ ++ struct sctp_sched_ops *sched; ++ ++ if (!SCTP_SO(stream, sid)->ext) ++ return; ++ ++ sched = sctp_sched_ops_from_stream(stream); ++ sched->free_sid(stream, sid); ++ kfree(SCTP_SO(stream, sid)->ext); ++ SCTP_SO(stream, sid)->ext = NULL; ++} ++ + /* Migrates chunks from stream queues to new stream queues if needed, + * but not across associations. Also, removes those chunks to streams + * higher than the new max. +@@ -70,16 +83,14 @@ static void sctp_stream_outq_migrate(struct sctp_stream *stream, + * sctp_stream_update will swap ->out pointers. + */ + for (i = 0; i < outcnt; i++) { +- kfree(SCTP_SO(new, i)->ext); ++ sctp_stream_free_ext(new, i); + SCTP_SO(new, i)->ext = SCTP_SO(stream, i)->ext; + SCTP_SO(stream, i)->ext = NULL; + } + } + +- for (i = outcnt; i < stream->outcnt; i++) { +- kfree(SCTP_SO(stream, i)->ext); +- SCTP_SO(stream, i)->ext = NULL; +- } ++ for (i = outcnt; i < stream->outcnt; i++) ++ sctp_stream_free_ext(stream, i); + } + + static int sctp_stream_alloc_out(struct sctp_stream *stream, __u16 outcnt, +@@ -174,9 +185,9 @@ void sctp_stream_free(struct sctp_stream *stream) + struct sctp_sched_ops *sched = sctp_sched_ops_from_stream(stream); + int i; + +- sched->free(stream); ++ sched->unsched_all(stream); + for (i = 0; i < stream->outcnt; i++) +- kfree(SCTP_SO(stream, i)->ext); ++ sctp_stream_free_ext(stream, i); + genradix_free(&stream->out); + genradix_free(&stream->in); + } +diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c +index 1ad565ed5627..7c8f9d89e16a 100644 +--- a/net/sctp/stream_sched.c ++++ b/net/sctp/stream_sched.c +@@ -46,6 +46,10 @@ static int sctp_sched_fcfs_init_sid(struct sctp_stream *stream, __u16 sid, + return 0; + } + ++static void sctp_sched_fcfs_free_sid(struct sctp_stream *stream, __u16 sid) ++{ ++} ++ + static void sctp_sched_fcfs_free(struct sctp_stream *stream) + { + } +@@ -96,6 +100,7 @@ static struct sctp_sched_ops sctp_sched_fcfs = { + .get = sctp_sched_fcfs_get, + .init = sctp_sched_fcfs_init, + .init_sid = sctp_sched_fcfs_init_sid, ++ .free_sid = sctp_sched_fcfs_free_sid, + .free = sctp_sched_fcfs_free, + .enqueue = sctp_sched_fcfs_enqueue, + .dequeue = sctp_sched_fcfs_dequeue, +diff --git a/net/sctp/stream_sched_prio.c b/net/sctp/stream_sched_prio.c +index 80b5a2c4cbc7..4fc9f2923ed1 100644 +--- a/net/sctp/stream_sched_prio.c ++++ b/net/sctp/stream_sched_prio.c +@@ -204,6 +204,24 @@ static int sctp_sched_prio_init_sid(struct sctp_stream *stream, __u16 sid, + return sctp_sched_prio_set(stream, sid, 0, gfp); + } + ++static void sctp_sched_prio_free_sid(struct sctp_stream *stream, __u16 sid) ++{ ++ struct sctp_stream_priorities *prio = SCTP_SO(stream, sid)->ext->prio_head; ++ int i; ++ ++ if (!prio) ++ return; ++ ++ SCTP_SO(stream, sid)->ext->prio_head = NULL; ++ for (i = 0; i < stream->outcnt; i++) { ++ if (SCTP_SO(stream, i)->ext && ++ SCTP_SO(stream, i)->ext->prio_head == prio) ++ return; ++ } ++ ++ kfree(prio); ++} ++ + static void sctp_sched_prio_free(struct sctp_stream *stream) + { + struct sctp_stream_priorities *prio, *n; +@@ -323,6 +341,7 @@ static struct sctp_sched_ops sctp_sched_prio = { + .get = sctp_sched_prio_get, + .init = sctp_sched_prio_init, + .init_sid = sctp_sched_prio_init_sid, ++ .free_sid = sctp_sched_prio_free_sid, + .free = sctp_sched_prio_free, + .enqueue = sctp_sched_prio_enqueue, + .dequeue = sctp_sched_prio_dequeue, +diff --git a/net/sctp/stream_sched_rr.c b/net/sctp/stream_sched_rr.c +index ff425aed62c7..cc444fe0d67c 100644 +--- a/net/sctp/stream_sched_rr.c ++++ b/net/sctp/stream_sched_rr.c +@@ -90,6 +90,10 @@ static int sctp_sched_rr_init_sid(struct sctp_stream *stream, __u16 sid, + return 0; + } + ++static void sctp_sched_rr_free_sid(struct sctp_stream *stream, __u16 sid) ++{ ++} ++ + static void sctp_sched_rr_free(struct sctp_stream *stream) + { + sctp_sched_rr_unsched_all(stream); +@@ -177,6 +181,7 @@ static struct sctp_sched_ops sctp_sched_rr = { + .get = sctp_sched_rr_get, + .init = sctp_sched_rr_init, + .init_sid = sctp_sched_rr_init_sid, ++ .free_sid = sctp_sched_rr_free_sid, + .free = sctp_sched_rr_free, + .enqueue = sctp_sched_rr_enqueue, + .dequeue = sctp_sched_rr_dequeue, +-- +2.35.1 + diff --git a/queue-6.0/series b/queue-6.0/series new file mode 100644 index 00000000000..964a6490401 --- /dev/null +++ b/queue-6.0/series @@ -0,0 +1,74 @@ +btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch +drm-amdgpu-move-setting-the-job-resources.patch +drm-amdgpu-cleanup-error-handling-in-amdgpu_cs_parse.patch +drm-amdgpu-fix-userptr-hmm-range-handling-v2.patch +kbuild-fix-wimplicit-function-declaration-in-license.patch +drm-amd-pm-add-smu_v13_0_10-driver-if-version.patch +drm-amd-pm-update-driver-if-header-for-smu_v13_0_10.patch +drm-amd-pm-update-driver-if-header-for-smu_13_0_7.patch +clk-samsung-exynos7885-correct-div4-clock-parents.patch +clk-qcom-gdsc-add-missing-error-handling.patch +clk-qcom-gdsc-remove-direct-runtime-pm-calls.patch +iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch +iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch +iio-light-rpr0521-add-missing-kconfig-dependencies.patch +libbpf-use-correct-return-pointer-in-attach_raw_tp.patch +bpf-perf-use-subprog-name-when-reporting-subprog-ksy.patch +scripts-faddr2line-fix-regression-in-name-resolution.patch +arm-at91-rm9200-fix-usb-device-clock-id.patch +libbpf-handle-size-overflow-for-ringbuf-mmap.patch +hwmon-ltc2947-fix-temperature-scaling.patch +hwmon-ina3221-fix-shunt-sum-critical-calculation.patch +hwmon-i5500_temp-fix-missing-pci_disable_device.patch +hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch +clocksource-drivers-arm_arch_timer-fix-xgene-1-tval-.patch +bpf-do-not-copy-spin-lock-field-from-user-in-bpf_sel.patch +nvmem-rmem-fix-return-value-check-in-rmem_read.patch +of-property-decrement-node-refcount-in-of_fwnode_get.patch +clk-qcom-gcc-sc8280xp-add-cxo-as-parent-for-three-uf.patch +ixgbevf-fix-resource-leak-in-ixgbevf_init_module.patch +i40e-fix-error-handling-in-i40e_init_module.patch +fm10k-fix-error-handling-in-fm10k_init_module.patch +iavf-fix-error-handling-in-iavf_init_module.patch +e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch +net-mlx5-dr-fix-uninitialized-var-warning.patch +net-mlx5-e-switch-destroy-legacy-fdb-table-when-need.patch +net-mlx5-e-switch-fix-duplicate-lag-creation.patch +net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch +net-mlx5e-fix-use-after-free-when-reverting-terminat.patch +can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch +can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch +can-etas_es58x-es58x_init_netdev-free-netdev-when-re.patch +can-m_can-pci-add-missing-m_can_class_free_dev-in-pr.patch +can-m_can-add-check-for-devm_clk_get.patch +vfs-fix-copy_file_range-averts-filesystem-freeze-pro.patch +qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch +aquantia-do-not-purge-addresses-when-setting-the-num.patch +wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch +wifi-cfg80211-don-t-allow-multi-bssid-in-s1g.patch +wifi-mac8021-fix-possible-oob-access-in-ieee80211_ge.patch +net-phy-fix-null-ptr-deref-while-probe-failed.patch +net-ethernet-ti-am65-cpsw-fix-error-handling-in-am65.patch +net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch +net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch +net-ethernet-nixge-fix-null-dereference.patch +net-wwan-iosm-fix-kernel-test-robot-reported-error.patch +net-wwan-iosm-fix-dma_alloc_coherent-incompatible-po.patch +net-wwan-iosm-fix-crash-in-peek-throughput-test.patch +net-wwan-iosm-fix-incorrect-skb-length.patch +dsa-lan9303-correct-stat-name.patch +mptcp-don-t-orphan-ssk-in-mptcp_close.patch +mptcp-fix-sleep-in-atomic-at-close-time.patch +tipc-re-fetch-skb-cb-after-tipc_msg_validate.patch +net-hsr-fix-potential-use-after-free.patch +net-mdiobus-fix-unbalanced-node-reference-count.patch +afs-fix-fileserver-probe-rtt-handling.patch +net-tun-fix-use-after-free-in-tun_detach.patch +net-mlx5-lag-fix-for-loop-when-checking-lag.patch +packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch +sctp-fix-memory-leak-in-sctp_stream_outq_migrate.patch +net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch +afs-fix-server-active-leak-in-afs_put_server.patch +hwmon-coretemp-check-for-null-before-removing-sysfs-.patch +hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch +hwmon-asus-ec-sensors-add-checks-for-devm_kcalloc.patch diff --git a/queue-6.0/tipc-re-fetch-skb-cb-after-tipc_msg_validate.patch b/queue-6.0/tipc-re-fetch-skb-cb-after-tipc_msg_validate.patch new file mode 100644 index 00000000000..fd7b607ae68 --- /dev/null +++ b/queue-6.0/tipc-re-fetch-skb-cb-after-tipc_msg_validate.patch @@ -0,0 +1,65 @@ +From 78c870220945c1dc48f4f48d220cb7e1071b85d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 12:46:43 -0500 +Subject: tipc: re-fetch skb cb after tipc_msg_validate + +From: Xin Long + +[ Upstream commit 3067bc61fcfe3081bf4807ce65560f499e895e77 ] + +As the call trace shows, the original skb was freed in tipc_msg_validate(), +and dereferencing the old skb cb would cause an use-after-free crash. + + BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] + Call Trace: + + tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] + tipc_crypto_rcv+0xd32/0x1ec0 [tipc] + tipc_rcv+0x744/0x1150 [tipc] + ... + Allocated by task 47078: + kmem_cache_alloc_node+0x158/0x4d0 + __alloc_skb+0x1c1/0x270 + tipc_buf_acquire+0x1e/0xe0 [tipc] + tipc_msg_create+0x33/0x1c0 [tipc] + tipc_link_build_proto_msg+0x38a/0x2100 [tipc] + tipc_link_timeout+0x8b8/0xef0 [tipc] + tipc_node_timeout+0x2a1/0x960 [tipc] + call_timer_fn+0x2d/0x1c0 + ... + Freed by task 47078: + tipc_msg_validate+0x7b/0x440 [tipc] + tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc] + tipc_crypto_rcv+0xd32/0x1ec0 [tipc] + tipc_rcv+0x744/0x1150 [tipc] + +This patch fixes it by re-fetching the skb cb from the new allocated skb +after calling tipc_msg_validate(). + +Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication") +Reported-by: Shuang Li +Signed-off-by: Xin Long +Link: https://lore.kernel.org/r/1b1cdba762915325bd8ef9a98d0276eb673df2a5.1669398403.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/crypto.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index f09316a9035f..d67440de011e 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -1971,6 +1971,9 @@ static void tipc_crypto_rcv_complete(struct net *net, struct tipc_aead *aead, + /* Ok, everything's fine, try to synch own keys according to peers' */ + tipc_crypto_key_synch(rx, *skb); + ++ /* Re-fetch skb cb as skb might be changed in tipc_msg_validate */ ++ skb_cb = TIPC_SKB_CB(*skb); ++ + /* Mark skb decrypted */ + skb_cb->decrypted = 1; + +-- +2.35.1 + diff --git a/queue-6.0/vfs-fix-copy_file_range-averts-filesystem-freeze-pro.patch b/queue-6.0/vfs-fix-copy_file_range-averts-filesystem-freeze-pro.patch new file mode 100644 index 00000000000..9ea1bdb80bf --- /dev/null +++ b/queue-6.0/vfs-fix-copy_file_range-averts-filesystem-freeze-pro.patch @@ -0,0 +1,167 @@ +From 8aa4ecdc3287ff2602086ea137ba46d0fae50960 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 22:52:49 +0200 +Subject: vfs: fix copy_file_range() averts filesystem freeze protection + +From: Amir Goldstein + +[ Upstream commit 10bc8e4af65946b727728d7479c028742321b60a ] + +Commit 868f9f2f8e00 ("vfs: fix copy_file_range() regression in cross-fs +copies") removed fallback to generic_copy_file_range() for cross-fs +cases inside vfs_copy_file_range(). + +To preserve behavior of nfsd and ksmbd server-side-copy, the fallback to +generic_copy_file_range() was added in nfsd and ksmbd code, but that +call is missing sb_start_write(), fsnotify hooks and more. + +Ideally, nfsd and ksmbd would pass a flag to vfs_copy_file_range() that +will take care of the fallback, but that code would be subtle and we got +vfs_copy_file_range() logic wrong too many times already. + +Instead, add a flag to explicitly request vfs_copy_file_range() to +perform only generic_copy_file_range() and let nfsd and ksmbd use this +flag only in the fallback path. + +This choise keeps the logic changes to minimum in the non-nfsd/ksmbd code +paths to reduce the risk of further regressions. + +Fixes: 868f9f2f8e00 ("vfs: fix copy_file_range() regression in cross-fs copies") +Tested-by: Namjae Jeon +Tested-by: Luis Henriques +Signed-off-by: Amir Goldstein +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/ksmbd/vfs.c | 6 +++--- + fs/nfsd/vfs.c | 4 ++-- + fs/read_write.c | 19 +++++++++++++++---- + include/linux/fs.h | 8 ++++++++ + 4 files changed, 28 insertions(+), 9 deletions(-) + +diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c +index 78d01033604c..c5c801e38b63 100644 +--- a/fs/ksmbd/vfs.c ++++ b/fs/ksmbd/vfs.c +@@ -1784,9 +1784,9 @@ int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work, + ret = vfs_copy_file_range(src_fp->filp, src_off, + dst_fp->filp, dst_off, len, 0); + if (ret == -EOPNOTSUPP || ret == -EXDEV) +- ret = generic_copy_file_range(src_fp->filp, src_off, +- dst_fp->filp, dst_off, +- len, 0); ++ ret = vfs_copy_file_range(src_fp->filp, src_off, ++ dst_fp->filp, dst_off, len, ++ COPY_FILE_SPLICE); + if (ret < 0) + return ret; + +diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c +index f3cd614e1f1e..dc24d67d0ca4 100644 +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -572,8 +572,8 @@ ssize_t nfsd_copy_file_range(struct file *src, u64 src_pos, struct file *dst, + ret = vfs_copy_file_range(src, src_pos, dst, dst_pos, count, 0); + + if (ret == -EOPNOTSUPP || ret == -EXDEV) +- ret = generic_copy_file_range(src, src_pos, dst, dst_pos, +- count, 0); ++ ret = vfs_copy_file_range(src, src_pos, dst, dst_pos, count, ++ COPY_FILE_SPLICE); + return ret; + } + +diff --git a/fs/read_write.c b/fs/read_write.c +index 328ce8cf9a85..24b9668d6377 100644 +--- a/fs/read_write.c ++++ b/fs/read_write.c +@@ -1388,6 +1388,8 @@ ssize_t generic_copy_file_range(struct file *file_in, loff_t pos_in, + struct file *file_out, loff_t pos_out, + size_t len, unsigned int flags) + { ++ lockdep_assert(sb_write_started(file_inode(file_out)->i_sb)); ++ + return do_splice_direct(file_in, &pos_in, file_out, &pos_out, + len > MAX_RW_COUNT ? MAX_RW_COUNT : len, 0); + } +@@ -1424,7 +1426,9 @@ static int generic_copy_file_checks(struct file *file_in, loff_t pos_in, + * and several different sets of file_operations, but they all end up + * using the same ->copy_file_range() function pointer. + */ +- if (file_out->f_op->copy_file_range) { ++ if (flags & COPY_FILE_SPLICE) { ++ /* cross sb splice is allowed */ ++ } else if (file_out->f_op->copy_file_range) { + if (file_in->f_op->copy_file_range != + file_out->f_op->copy_file_range) + return -EXDEV; +@@ -1474,8 +1478,9 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in, + size_t len, unsigned int flags) + { + ssize_t ret; ++ bool splice = flags & COPY_FILE_SPLICE; + +- if (flags != 0) ++ if (flags & ~COPY_FILE_SPLICE) + return -EINVAL; + + ret = generic_copy_file_checks(file_in, pos_in, file_out, pos_out, &len, +@@ -1501,14 +1506,14 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in, + * same sb using clone, but for filesystems where both clone and copy + * are supported (e.g. nfs,cifs), we only call the copy method. + */ +- if (file_out->f_op->copy_file_range) { ++ if (!splice && file_out->f_op->copy_file_range) { + ret = file_out->f_op->copy_file_range(file_in, pos_in, + file_out, pos_out, + len, flags); + goto done; + } + +- if (file_in->f_op->remap_file_range && ++ if (!splice && file_in->f_op->remap_file_range && + file_inode(file_in)->i_sb == file_inode(file_out)->i_sb) { + ret = file_in->f_op->remap_file_range(file_in, pos_in, + file_out, pos_out, +@@ -1528,6 +1533,8 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in, + * consistent story about which filesystems support copy_file_range() + * and which filesystems do not, that will allow userspace tools to + * make consistent desicions w.r.t using copy_file_range(). ++ * ++ * We also get here if caller (e.g. nfsd) requested COPY_FILE_SPLICE. + */ + ret = generic_copy_file_range(file_in, pos_in, file_out, pos_out, len, + flags); +@@ -1582,6 +1589,10 @@ SYSCALL_DEFINE6(copy_file_range, int, fd_in, loff_t __user *, off_in, + pos_out = f_out.file->f_pos; + } + ++ ret = -EINVAL; ++ if (flags != 0) ++ goto out; ++ + ret = vfs_copy_file_range(f_in.file, pos_in, f_out.file, pos_out, len, + flags); + if (ret > 0) { +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 7203f5582fd4..be074b6895b9 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -2087,6 +2087,14 @@ struct dir_context { + */ + #define REMAP_FILE_ADVISORY (REMAP_FILE_CAN_SHORTEN) + ++/* ++ * These flags control the behavior of vfs_copy_file_range(). ++ * They are not available to the user via syscall. ++ * ++ * COPY_FILE_SPLICE: call splice direct instead of fs clone/copy ops ++ */ ++#define COPY_FILE_SPLICE (1 << 0) ++ + struct iov_iter; + struct io_uring_cmd; + +-- +2.35.1 + diff --git a/queue-6.0/wifi-cfg80211-don-t-allow-multi-bssid-in-s1g.patch b/queue-6.0/wifi-cfg80211-don-t-allow-multi-bssid-in-s1g.patch new file mode 100644 index 00000000000..1e1ff8bcf76 --- /dev/null +++ b/queue-6.0/wifi-cfg80211-don-t-allow-multi-bssid-in-s1g.patch @@ -0,0 +1,52 @@ +From 5c77b52ffb5807534ac9b6410ce7d57d1c5fc3dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 12:36:58 +0100 +Subject: wifi: cfg80211: don't allow multi-BSSID in S1G +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Johannes Berg + +[ Upstream commit acd3c92acc7aaec50a94d0a7faf7ccd74e952493 ] + +In S1G beacon frames there shouldn't be multi-BSSID elements +since that's not supported, remove that to avoid a potential +integer underflow and/or misparsing the frames due to the +different length of the fixed part of the frame. + +While at it, initialize non_tx_data so we don't send garbage +values to the user (even if it doesn't seem to matter now.) + +Reported-and-tested-by: Sönke Huster +Fixes: 9eaffe5078ca ("cfg80211: convert S1G beacon to scan results") +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 56db0f12ca7c..b4d788572992 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -2527,10 +2527,15 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy, + const struct cfg80211_bss_ies *ies1, *ies2; + size_t ielen = len - offsetof(struct ieee80211_mgmt, + u.probe_resp.variable); +- struct cfg80211_non_tx_bss non_tx_data; ++ struct cfg80211_non_tx_bss non_tx_data = {}; + + res = cfg80211_inform_single_bss_frame_data(wiphy, data, mgmt, + len, gfp); ++ ++ /* don't do any further MBSSID handling for S1G */ ++ if (ieee80211_is_s1g_beacon(mgmt->frame_control)) ++ return res; ++ + if (!res || !wiphy->support_mbssid || + !cfg80211_find_elem(WLAN_EID_MULTIPLE_BSSID, ie, ielen)) + return res; +-- +2.35.1 + diff --git a/queue-6.0/wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch b/queue-6.0/wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch new file mode 100644 index 00000000000..4fb3ba718f9 --- /dev/null +++ b/queue-6.0/wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch @@ -0,0 +1,41 @@ +From 89bba7876286ba61d4611e484631a1cd5931ae47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 12:36:57 +0100 +Subject: wifi: cfg80211: fix buffer overflow in elem comparison +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Johannes Berg + +[ Upstream commit 9f16b5c82a025cd4c864737409234ddc44fb166a ] + +For vendor elements, the code here assumes that 5 octets +are present without checking. Since the element itself is +already checked to fit, we only need to check the length. + +Reported-and-tested-by: Sönke Huster +Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 9067e4b70855..56db0f12ca7c 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -330,7 +330,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen, + * determine if they are the same ie. + */ + if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) { +- if (!memcmp(tmp_old + 2, tmp + 2, 5)) { ++ if (tmp_old[1] >= 5 && tmp[1] >= 5 && ++ !memcmp(tmp_old + 2, tmp + 2, 5)) { + /* same vendor ie, copy from + * subelement + */ +-- +2.35.1 + diff --git a/queue-6.0/wifi-mac8021-fix-possible-oob-access-in-ieee80211_ge.patch b/queue-6.0/wifi-mac8021-fix-possible-oob-access-in-ieee80211_ge.patch new file mode 100644 index 00000000000..9d59a16fc8d --- /dev/null +++ b/queue-6.0/wifi-mac8021-fix-possible-oob-access-in-ieee80211_ge.patch @@ -0,0 +1,67 @@ +From 689dc269038367aed63c440ec4efba573139faa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 16:19:26 +0100 +Subject: wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lorenzo Bianconi + +[ Upstream commit 3e8f7abcc3473bc9603323803aeaed4ffcc3a2ab ] + +Fix possible out-of-bound access in ieee80211_get_rate_duration routine +as reported by the following UBSAN report: + +UBSAN: array-index-out-of-bounds in net/mac80211/airtime.c:455:47 +index 15 is out of range for type 'u16 [12]' +CPU: 2 PID: 217 Comm: kworker/u32:10 Not tainted 6.1.0-060100rc3-generic +Hardware name: Acer Aspire TC-281/Aspire TC-281, BIOS R01-A2 07/18/2017 +Workqueue: mt76 mt76u_tx_status_data [mt76_usb] +Call Trace: + + show_stack+0x4e/0x61 + dump_stack_lvl+0x4a/0x6f + dump_stack+0x10/0x18 + ubsan_epilogue+0x9/0x43 + __ubsan_handle_out_of_bounds.cold+0x42/0x47 +ieee80211_get_rate_duration.constprop.0+0x22f/0x2a0 [mac80211] + ? ieee80211_tx_status_ext+0x32e/0x640 [mac80211] + ieee80211_calc_rx_airtime+0xda/0x120 [mac80211] + ieee80211_calc_tx_airtime+0xb4/0x100 [mac80211] + mt76x02_send_tx_status+0x266/0x480 [mt76x02_lib] + mt76x02_tx_status_data+0x52/0x80 [mt76x02_lib] + mt76u_tx_status_data+0x67/0xd0 [mt76_usb] + process_one_work+0x225/0x400 + worker_thread+0x50/0x3e0 + ? process_one_work+0x400/0x400 + kthread+0xe9/0x110 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x22/0x30 + +Fixes: db3e1c40cf2f ("mac80211: Import airtime calculation code from mt76") +Signed-off-by: Lorenzo Bianconi +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/airtime.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/airtime.c b/net/mac80211/airtime.c +index 2e66598fac79..e8ebd343e2bf 100644 +--- a/net/mac80211/airtime.c ++++ b/net/mac80211/airtime.c +@@ -452,6 +452,9 @@ static u32 ieee80211_get_rate_duration(struct ieee80211_hw *hw, + (status->encoding == RX_ENC_HE && streams > 8))) + return 0; + ++ if (idx >= MCS_GROUP_RATES) ++ return 0; ++ + duration = airtime_mcs_groups[group].duration[idx]; + duration <<= airtime_mcs_groups[group].shift; + *overhead = 36 + (streams << 2); +-- +2.35.1 +