From: Sasha Levin Date: Wed, 14 Jul 2021 20:03:43 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v5.4.133~68 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=806e16ee1188208d13a031a9d8f514a3ea37ebef;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/atm-iphase-fix-possible-use-after-free-in-ia_module_.patch b/queue-5.10/atm-iphase-fix-possible-use-after-free-in-ia_module_.patch new file mode 100644 index 00000000000..89bb2ec470e --- /dev/null +++ b/queue-5.10/atm-iphase-fix-possible-use-after-free-in-ia_module_.patch @@ -0,0 +1,41 @@ +From 60e5ddcd93214194d629101f59636e298cbe4d00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 May 2021 14:53:36 +0800 +Subject: atm: iphase: fix possible use-after-free in ia_module_exit() + +From: Zou Wei + +[ Upstream commit 1c72e6ab66b9598cac741ed397438a52065a8f1f ] + +This module's remove path calls del_timer(). However, that function +does not wait until the timer handler finishes. This means that the +timer handler may still be running after the driver's remove function +has finished, which would result in a use-after-free. + +Fix by calling del_timer_sync(), which makes sure the timer handler +has finished, and unable to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/iphase.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/atm/iphase.c b/drivers/atm/iphase.c +index eef637fd90b3..a59554e5b8b0 100644 +--- a/drivers/atm/iphase.c ++++ b/drivers/atm/iphase.c +@@ -3279,7 +3279,7 @@ static void __exit ia_module_exit(void) + { + pci_unregister_driver(&ia_driver); + +- del_timer(&ia_timer); ++ del_timer_sync(&ia_timer); + } + + module_init(ia_module_init); +-- +2.30.2 + diff --git a/queue-5.10/atm-nicstar-fix-possible-use-after-free-in-nicstar_c.patch b/queue-5.10/atm-nicstar-fix-possible-use-after-free-in-nicstar_c.patch new file mode 100644 index 00000000000..6b228d9d706 --- /dev/null +++ b/queue-5.10/atm-nicstar-fix-possible-use-after-free-in-nicstar_c.patch @@ -0,0 +1,41 @@ +From 41381f1ffa5a920788aa00755fc84e5dc3567606 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 15:00:24 +0800 +Subject: atm: nicstar: Fix possible use-after-free in nicstar_cleanup() + +From: Zou Wei + +[ Upstream commit 34e7434ba4e97f4b85c1423a59b2922ba7dff2ea ] + +This module's remove path calls del_timer(). However, that function +does not wait until the timer handler finishes. This means that the +timer handler may still be running after the driver's remove function +has finished, which would result in a use-after-free. + +Fix by calling del_timer_sync(), which makes sure the timer handler +has finished, and unable to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/nicstar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c +index 09ad73361879..1351b05a3097 100644 +--- a/drivers/atm/nicstar.c ++++ b/drivers/atm/nicstar.c +@@ -297,7 +297,7 @@ static void __exit nicstar_cleanup(void) + { + XPRINTK("nicstar: nicstar_cleanup() called.\n"); + +- del_timer(&ns_timer); ++ del_timer_sync(&ns_timer); + + pci_unregister_driver(&nicstar_driver); + +-- +2.30.2 + diff --git a/queue-5.10/atm-nicstar-register-the-interrupt-handler-in-the-ri.patch b/queue-5.10/atm-nicstar-register-the-interrupt-handler-in-the-ri.patch new file mode 100644 index 00000000000..3bec2ca2a42 --- /dev/null +++ b/queue-5.10/atm-nicstar-register-the-interrupt-handler-in-the-ri.patch @@ -0,0 +1,166 @@ +From 4c9a77cd36824893dd9751700bc24ed2a7c2c8b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Jun 2021 15:24:15 +0000 +Subject: atm: nicstar: register the interrupt handler in the right place + +From: Zheyu Ma + +[ Upstream commit 70b639dc41ad499384e41e106fce72e36805c9f2 ] + +Because the error handling is sequential, the application of resources +should be carried out in the order of error handling, so the operation +of registering the interrupt handler should be put in front, so as not +to free the unregistered interrupt handler during error handling. + +This log reveals it: + +[ 3.438724] Trying to free already-free IRQ 23 +[ 3.439060] WARNING: CPU: 5 PID: 1 at kernel/irq/manage.c:1825 free_irq+0xfb/0x480 +[ 3.440039] Modules linked in: +[ 3.440257] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #142 +[ 3.440793] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +[ 3.441561] RIP: 0010:free_irq+0xfb/0x480 +[ 3.441845] Code: 6e 08 74 6f 4d 89 f4 e8 c3 78 09 00 4d 8b 74 24 18 4d 85 f6 75 e3 e8 b4 78 09 00 8b 75 c8 48 c7 c7 a0 ac d5 85 e8 95 d7 f5 ff <0f> 0b 48 8b 75 c0 4c 89 ff e8 87 c5 90 03 48 8b 43 40 4c 8b a0 80 +[ 3.443121] RSP: 0000:ffffc90000017b50 EFLAGS: 00010086 +[ 3.443483] RAX: 0000000000000000 RBX: ffff888107c6f000 RCX: 0000000000000000 +[ 3.443972] RDX: 0000000000000000 RSI: ffffffff8123f301 RDI: 00000000ffffffff +[ 3.444462] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000003 +[ 3.444950] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 +[ 3.444994] R13: ffff888107dc0000 R14: ffff888104f6bf00 R15: ffff888107c6f0a8 +[ 3.444994] FS: 0000000000000000(0000) GS:ffff88817bd40000(0000) knlGS:0000000000000000 +[ 3.444994] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 3.444994] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0 +[ 3.444994] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 3.444994] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 3.444994] Call Trace: +[ 3.444994] ns_init_card_error+0x18e/0x250 +[ 3.444994] nicstar_init_one+0x10d2/0x1130 +[ 3.444994] local_pci_probe+0x4a/0xb0 +[ 3.444994] pci_device_probe+0x126/0x1d0 +[ 3.444994] ? pci_device_remove+0x100/0x100 +[ 3.444994] really_probe+0x27e/0x650 +[ 3.444994] driver_probe_device+0x84/0x1d0 +[ 3.444994] ? mutex_lock_nested+0x16/0x20 +[ 3.444994] device_driver_attach+0x63/0x70 +[ 3.444994] __driver_attach+0x117/0x1a0 +[ 3.444994] ? device_driver_attach+0x70/0x70 +[ 3.444994] bus_for_each_dev+0xb6/0x110 +[ 3.444994] ? rdinit_setup+0x40/0x40 +[ 3.444994] driver_attach+0x22/0x30 +[ 3.444994] bus_add_driver+0x1e6/0x2a0 +[ 3.444994] driver_register+0xa4/0x180 +[ 3.444994] __pci_register_driver+0x77/0x80 +[ 3.444994] ? uPD98402_module_init+0xd/0xd +[ 3.444994] nicstar_init+0x1f/0x75 +[ 3.444994] do_one_initcall+0x7a/0x3d0 +[ 3.444994] ? rdinit_setup+0x40/0x40 +[ 3.444994] ? rcu_read_lock_sched_held+0x4a/0x70 +[ 3.444994] kernel_init_freeable+0x2a7/0x2f9 +[ 3.444994] ? rest_init+0x2c0/0x2c0 +[ 3.444994] kernel_init+0x13/0x180 +[ 3.444994] ? rest_init+0x2c0/0x2c0 +[ 3.444994] ? rest_init+0x2c0/0x2c0 +[ 3.444994] ret_from_fork+0x1f/0x30 +[ 3.444994] Kernel panic - not syncing: panic_on_warn set ... +[ 3.444994] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #142 +[ 3.444994] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +[ 3.444994] Call Trace: +[ 3.444994] dump_stack+0xba/0xf5 +[ 3.444994] ? free_irq+0xfb/0x480 +[ 3.444994] panic+0x155/0x3ed +[ 3.444994] ? __warn+0xed/0x150 +[ 3.444994] ? free_irq+0xfb/0x480 +[ 3.444994] __warn+0x103/0x150 +[ 3.444994] ? free_irq+0xfb/0x480 +[ 3.444994] report_bug+0x119/0x1c0 +[ 3.444994] handle_bug+0x3b/0x80 +[ 3.444994] exc_invalid_op+0x18/0x70 +[ 3.444994] asm_exc_invalid_op+0x12/0x20 +[ 3.444994] RIP: 0010:free_irq+0xfb/0x480 +[ 3.444994] Code: 6e 08 74 6f 4d 89 f4 e8 c3 78 09 00 4d 8b 74 24 18 4d 85 f6 75 e3 e8 b4 78 09 00 8b 75 c8 48 c7 c7 a0 ac d5 85 e8 95 d7 f5 ff <0f> 0b 48 8b 75 c0 4c 89 ff e8 87 c5 90 03 48 8b 43 40 4c 8b a0 80 +[ 3.444994] RSP: 0000:ffffc90000017b50 EFLAGS: 00010086 +[ 3.444994] RAX: 0000000000000000 RBX: ffff888107c6f000 RCX: 0000000000000000 +[ 3.444994] RDX: 0000000000000000 RSI: ffffffff8123f301 RDI: 00000000ffffffff +[ 3.444994] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000003 +[ 3.444994] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 +[ 3.444994] R13: ffff888107dc0000 R14: ffff888104f6bf00 R15: ffff888107c6f0a8 +[ 3.444994] ? vprintk_func+0x71/0x110 +[ 3.444994] ns_init_card_error+0x18e/0x250 +[ 3.444994] nicstar_init_one+0x10d2/0x1130 +[ 3.444994] local_pci_probe+0x4a/0xb0 +[ 3.444994] pci_device_probe+0x126/0x1d0 +[ 3.444994] ? pci_device_remove+0x100/0x100 +[ 3.444994] really_probe+0x27e/0x650 +[ 3.444994] driver_probe_device+0x84/0x1d0 +[ 3.444994] ? mutex_lock_nested+0x16/0x20 +[ 3.444994] device_driver_attach+0x63/0x70 +[ 3.444994] __driver_attach+0x117/0x1a0 +[ 3.444994] ? device_driver_attach+0x70/0x70 +[ 3.444994] bus_for_each_dev+0xb6/0x110 +[ 3.444994] ? rdinit_setup+0x40/0x40 +[ 3.444994] driver_attach+0x22/0x30 +[ 3.444994] bus_add_driver+0x1e6/0x2a0 +[ 3.444994] driver_register+0xa4/0x180 +[ 3.444994] __pci_register_driver+0x77/0x80 +[ 3.444994] ? uPD98402_module_init+0xd/0xd +[ 3.444994] nicstar_init+0x1f/0x75 +[ 3.444994] do_one_initcall+0x7a/0x3d0 +[ 3.444994] ? rdinit_setup+0x40/0x40 +[ 3.444994] ? rcu_read_lock_sched_held+0x4a/0x70 +[ 3.444994] kernel_init_freeable+0x2a7/0x2f9 +[ 3.444994] ? rest_init+0x2c0/0x2c0 +[ 3.444994] kernel_init+0x13/0x180 +[ 3.444994] ? rest_init+0x2c0/0x2c0 +[ 3.444994] ? rest_init+0x2c0/0x2c0 +[ 3.444994] ret_from_fork+0x1f/0x30 +[ 3.444994] Dumping ftrace buffer: +[ 3.444994] (ftrace buffer empty) +[ 3.444994] Kernel Offset: disabled +[ 3.444994] Rebooting in 1 seconds.. + +Signed-off-by: Zheyu Ma +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/nicstar.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c +index ce92ee95497a..6eb4ed256a7e 100644 +--- a/drivers/atm/nicstar.c ++++ b/drivers/atm/nicstar.c +@@ -525,6 +525,15 @@ static int ns_init_card(int i, struct pci_dev *pcidev) + /* Set the VPI/VCI MSb mask to zero so we can receive OAM cells */ + writel(0x00000000, card->membase + VPM); + ++ card->intcnt = 0; ++ if (request_irq ++ (pcidev->irq, &ns_irq_handler, IRQF_SHARED, "nicstar", card) != 0) { ++ pr_err("nicstar%d: can't allocate IRQ %d.\n", i, pcidev->irq); ++ error = 9; ++ ns_init_card_error(card, error); ++ return error; ++ } ++ + /* Initialize TSQ */ + card->tsq.org = dma_alloc_coherent(&card->pcidev->dev, + NS_TSQSIZE + NS_TSQ_ALIGNMENT, +@@ -751,15 +760,6 @@ static int ns_init_card(int i, struct pci_dev *pcidev) + + card->efbie = 1; + +- card->intcnt = 0; +- if (request_irq +- (pcidev->irq, &ns_irq_handler, IRQF_SHARED, "nicstar", card) != 0) { +- printk("nicstar%d: can't allocate IRQ %d.\n", i, pcidev->irq); +- error = 9; +- ns_init_card_error(card, error); +- return error; +- } +- + /* Register device */ + card->atmdev = atm_dev_register("nicstar", &card->pcidev->dev, &atm_ops, + -1, NULL); +-- +2.30.2 + diff --git a/queue-5.10/atm-nicstar-use-dma_free_coherent-instead-of-kfree.patch b/queue-5.10/atm-nicstar-use-dma_free_coherent-instead-of-kfree.patch new file mode 100644 index 00000000000..1c1bde6da02 --- /dev/null +++ b/queue-5.10/atm-nicstar-use-dma_free_coherent-instead-of-kfree.patch @@ -0,0 +1,117 @@ +From deb784a0df30abf6b58b47675f86378824900d6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Jun 2021 15:24:14 +0000 +Subject: atm: nicstar: use 'dma_free_coherent' instead of 'kfree' + +From: Zheyu Ma + +[ Upstream commit 6a1e5a4af17e440dd82a58a2c5f40ff17a82b722 ] + +When 'nicstar_init_one' fails, 'ns_init_card_error' will be executed for +error handling, but the correct memory free function should be used, +otherwise it will cause an error. Since 'card->rsq.org' and +'card->tsq.org' are allocated using 'dma_alloc_coherent' function, they +should be freed using 'dma_free_coherent'. + +Fix this by using 'dma_free_coherent' instead of 'kfree' + +This log reveals it: + +[ 3.440294] kernel BUG at mm/slub.c:4206! +[ 3.441059] invalid opcode: 0000 [#1] PREEMPT SMP PTI +[ 3.441430] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #141 +[ 3.441986] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +[ 3.442780] RIP: 0010:kfree+0x26a/0x300 +[ 3.443065] Code: e8 3a c3 b9 ff e9 d6 fd ff ff 49 8b 45 00 31 db a9 00 00 01 00 75 4d 49 8b 45 00 a9 00 00 01 00 75 0a 49 8b 45 08 a8 01 75 02 <0f> 0b 89 d9 b8 00 10 00 00 be 06 00 00 00 48 d3 e0 f7 d8 48 63 d0 +[ 3.443396] RSP: 0000:ffffc90000017b70 EFLAGS: 00010246 +[ 3.443396] RAX: dead000000000100 RBX: 0000000000000000 RCX: 0000000000000000 +[ 3.443396] RDX: 0000000000000000 RSI: ffffffff85d3df94 RDI: ffffffff85df38e6 +[ 3.443396] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000001 +[ 3.443396] R10: 0000000000000000 R11: 0000000000000001 R12: ffff888107dc0000 +[ 3.443396] R13: ffffea00001f0100 R14: ffff888101a8bf00 R15: ffff888107dc0160 +[ 3.443396] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000 +[ 3.443396] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 3.443396] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0 +[ 3.443396] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 3.443396] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 3.443396] Call Trace: +[ 3.443396] ns_init_card_error+0x12c/0x220 +[ 3.443396] nicstar_init_one+0x10d2/0x1130 +[ 3.443396] local_pci_probe+0x4a/0xb0 +[ 3.443396] pci_device_probe+0x126/0x1d0 +[ 3.443396] ? pci_device_remove+0x100/0x100 +[ 3.443396] really_probe+0x27e/0x650 +[ 3.443396] driver_probe_device+0x84/0x1d0 +[ 3.443396] ? mutex_lock_nested+0x16/0x20 +[ 3.443396] device_driver_attach+0x63/0x70 +[ 3.443396] __driver_attach+0x117/0x1a0 +[ 3.443396] ? device_driver_attach+0x70/0x70 +[ 3.443396] bus_for_each_dev+0xb6/0x110 +[ 3.443396] ? rdinit_setup+0x40/0x40 +[ 3.443396] driver_attach+0x22/0x30 +[ 3.443396] bus_add_driver+0x1e6/0x2a0 +[ 3.443396] driver_register+0xa4/0x180 +[ 3.443396] __pci_register_driver+0x77/0x80 +[ 3.443396] ? uPD98402_module_init+0xd/0xd +[ 3.443396] nicstar_init+0x1f/0x75 +[ 3.443396] do_one_initcall+0x7a/0x3d0 +[ 3.443396] ? rdinit_setup+0x40/0x40 +[ 3.443396] ? rcu_read_lock_sched_held+0x4a/0x70 +[ 3.443396] kernel_init_freeable+0x2a7/0x2f9 +[ 3.443396] ? rest_init+0x2c0/0x2c0 +[ 3.443396] kernel_init+0x13/0x180 +[ 3.443396] ? rest_init+0x2c0/0x2c0 +[ 3.443396] ? rest_init+0x2c0/0x2c0 +[ 3.443396] ret_from_fork+0x1f/0x30 +[ 3.443396] Modules linked in: +[ 3.443396] Dumping ftrace buffer: +[ 3.443396] (ftrace buffer empty) +[ 3.458593] ---[ end trace 3c6f8f0d8ef59bcd ]--- +[ 3.458922] RIP: 0010:kfree+0x26a/0x300 +[ 3.459198] Code: e8 3a c3 b9 ff e9 d6 fd ff ff 49 8b 45 00 31 db a9 00 00 01 00 75 4d 49 8b 45 00 a9 00 00 01 00 75 0a 49 8b 45 08 a8 01 75 02 <0f> 0b 89 d9 b8 00 10 00 00 be 06 00 00 00 48 d3 e0 f7 d8 48 63 d0 +[ 3.460499] RSP: 0000:ffffc90000017b70 EFLAGS: 00010246 +[ 3.460870] RAX: dead000000000100 RBX: 0000000000000000 RCX: 0000000000000000 +[ 3.461371] RDX: 0000000000000000 RSI: ffffffff85d3df94 RDI: ffffffff85df38e6 +[ 3.461873] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000001 +[ 3.462372] R10: 0000000000000000 R11: 0000000000000001 R12: ffff888107dc0000 +[ 3.462871] R13: ffffea00001f0100 R14: ffff888101a8bf00 R15: ffff888107dc0160 +[ 3.463368] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000 +[ 3.463949] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 3.464356] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0 +[ 3.464856] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 3.465356] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 3.465860] Kernel panic - not syncing: Fatal exception +[ 3.466370] Dumping ftrace buffer: +[ 3.466616] (ftrace buffer empty) +[ 3.466871] Kernel Offset: disabled +[ 3.467122] Rebooting in 1 seconds.. + +Signed-off-by: Zheyu Ma +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/nicstar.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c +index 1351b05a3097..ce92ee95497a 100644 +--- a/drivers/atm/nicstar.c ++++ b/drivers/atm/nicstar.c +@@ -837,10 +837,12 @@ static void ns_init_card_error(ns_dev *card, int error) + dev_kfree_skb_any(hb); + } + if (error >= 12) { +- kfree(card->rsq.org); ++ dma_free_coherent(&card->pcidev->dev, NS_RSQSIZE + NS_RSQ_ALIGNMENT, ++ card->rsq.org, card->rsq.dma); + } + if (error >= 11) { +- kfree(card->tsq.org); ++ dma_free_coherent(&card->pcidev->dev, NS_TSQSIZE + NS_TSQ_ALIGNMENT, ++ card->tsq.org, card->tsq.dma); + } + if (error >= 10) { + free_irq(card->pcidev->irq, card); +-- +2.30.2 + diff --git a/queue-5.10/bluetooth-btusb-add-a-new-qca_rome-device-0cf3-e500.patch b/queue-5.10/bluetooth-btusb-add-a-new-qca_rome-device-0cf3-e500.patch new file mode 100644 index 00000000000..4ee67ae10de --- /dev/null +++ b/queue-5.10/bluetooth-btusb-add-a-new-qca_rome-device-0cf3-e500.patch @@ -0,0 +1,73 @@ +From 324688488f3ac9d25cc46c4c060c1c5dfd33d696 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 May 2021 10:25:46 -0700 +Subject: Bluetooth: btusb: Add a new QCA_ROME device (0cf3:e500) + +From: Daniel Lenski + +[ Upstream commit 0324d19cb99804d99e42c990b8b1e191575a091b ] + +This patch adds the 0cf3:e500 Bluetooth device (from a QCA9377 board) as a +QCA_ROME device. It appears to be functionally identical to another device +ID, also from a QCA9377 board, which was previously marked as QCA_ROME in +0a03f98b98c201191e3ba15a0e33f46d8660e1fd +("Bluetooth: Add a new 04ca:3015 QCA_ROME device"). + +Without this patch, the WiFi side of the QCA9377 board is slow or unusable +when the Bluetooth side is in use. + +See https://askubuntu.com/a/1137852 for another report of QCA_ROME fixing +this issue for this device ID. + +/sys/kernel/debug/usb/devices: + +T: Bus=05 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 +D: Ver= 2.01 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0cf3 ProdID=e500 Rev= 0.01 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Signed-off-by: Daniel Lenski +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 8195333e5665..8f38a2a7da8c 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -269,6 +269,8 @@ static const struct usb_device_id blacklist_table[] = { + BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0cf3, 0xe360), .driver_info = BTUSB_QCA_ROME | + BTUSB_WIDEBAND_SPEECH }, ++ { USB_DEVICE(0x0cf3, 0xe500), .driver_info = BTUSB_QCA_ROME | ++ BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0489, 0xe092), .driver_info = BTUSB_QCA_ROME | + BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0489, 0xe09f), .driver_info = BTUSB_QCA_ROME | +-- +2.30.2 + diff --git a/queue-5.10/bluetooth-btusb-add-support-usb-alt-3-for-wbs.patch b/queue-5.10/bluetooth-btusb-add-support-usb-alt-3-for-wbs.patch new file mode 100644 index 00000000000..f94e3fd27ac --- /dev/null +++ b/queue-5.10/bluetooth-btusb-add-support-usb-alt-3-for-wbs.patch @@ -0,0 +1,44 @@ +From 38bb497594f943ab48c933546219f5c69eee47d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 May 2021 11:19:01 +0800 +Subject: Bluetooth: btusb: Add support USB ALT 3 for WBS + +From: Hilda Wu + +[ Upstream commit e848dbd364aca44c9d23c04bef964fab79e2b34f ] + +Because mSBC frames do not need to be aligned to the SCO packet +boundary. Using USB ALT 3 let HCI payload >= 60 bytes, let mSBC +data satisfy 60 Bytes avoid payload unaligned situation and fixed +some headset no voise issue. + +USB Alt 3 supported also need HFP support transparent MTU in 72 Bytes. + +Signed-off-by: Hilda Wu +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 8f38a2a7da8c..b3c63e06838d 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -1721,6 +1721,13 @@ static void btusb_work(struct work_struct *work) + * which work with WBS at all. + */ + new_alts = btusb_find_altsetting(data, 6) ? 6 : 1; ++ /* Because mSBC frames do not need to be aligned to the ++ * SCO packet boundary. If support the Alt 3, use the ++ * Alt 3 for HCI payload >= 60 Bytes let air packet ++ * data satisfy 60 bytes. ++ */ ++ if (new_alts == 1 && btusb_find_altsetting(data, 3)) ++ new_alts = 3; + } + + if (btusb_switch_alt_setting(hdev, new_alts) < 0) +-- +2.30.2 + diff --git a/queue-5.10/bluetooth-btusb-fix-bt-fiwmare-downloading-failure-i.patch b/queue-5.10/bluetooth-btusb-fix-bt-fiwmare-downloading-failure-i.patch new file mode 100644 index 00000000000..e6cc317bdc3 --- /dev/null +++ b/queue-5.10/bluetooth-btusb-fix-bt-fiwmare-downloading-failure-i.patch @@ -0,0 +1,40 @@ +From 864d26803c4e078395a4afaa3d7731c28f9452c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 17:57:10 +0800 +Subject: Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca + btsoc. + +From: Tim Jiang + +[ Upstream commit 4f00bfb372674d586c4a261bfc595cbce101fbb6 ] + +This is btsoc timing issue, after host start to downloading bt firmware, +ep2 need time to switch from function acl to function dfu, so host add +20ms delay as workaround. + +Signed-off-by: Tim Jiang +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index b3c63e06838d..afd2b1f12d49 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -3558,6 +3558,11 @@ static int btusb_setup_qca_download_fw(struct hci_dev *hdev, + sent += size; + count -= size; + ++ /* ep2 need time to switch from function acl to function dfu, ++ * so we add 20ms delay here. ++ */ ++ msleep(20); ++ + while (count) { + size = min_t(size_t, count, QCA_DFU_PACKET_LEN); + +-- +2.30.2 + diff --git a/queue-5.10/bluetooth-btusb-fixed-too-many-in-token-issue-for-me.patch b/queue-5.10/bluetooth-btusb-fixed-too-many-in-token-issue-for-me.patch new file mode 100644 index 00000000000..d8c43ee7739 --- /dev/null +++ b/queue-5.10/bluetooth-btusb-fixed-too-many-in-token-issue-for-me.patch @@ -0,0 +1,50 @@ +From 853ac75de7a94295dc77d86d4781e41c9673d284 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Apr 2021 23:06:26 +0800 +Subject: Bluetooth: btusb: Fixed too many in-token issue for Mediatek Chip. + +From: mark-yw.chen + +[ Upstream commit 8454ed9ff9647e31e061fb5eb2e39ce79bc5e960 ] + +This patch reduce in-token during download patch procedure. +Don't submit urb for polling event before sending hci command. + +Signed-off-by: mark-yw.chen +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index b1f0b13cc8bc..8195333e5665 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -2963,11 +2963,6 @@ static int btusb_mtk_hci_wmt_sync(struct hci_dev *hdev, + struct btmtk_wmt_hdr *hdr; + int err; + +- /* Submit control IN URB on demand to process the WMT event */ +- err = btusb_mtk_submit_wmt_recv_urb(hdev); +- if (err < 0) +- return err; +- + /* Send the WMT command and wait until the WMT event returns */ + hlen = sizeof(*hdr) + wmt_params->dlen; + if (hlen > 255) +@@ -2989,6 +2984,11 @@ static int btusb_mtk_hci_wmt_sync(struct hci_dev *hdev, + return err; + } + ++ /* Submit control IN URB on demand to process the WMT event */ ++ err = btusb_mtk_submit_wmt_recv_urb(hdev); ++ if (err < 0) ++ return err; ++ + /* The vendor specific WMT commands are all answered by a vendor + * specific event and will have the Command Status or Command + * Complete as with usual HCI command flow control. +-- +2.30.2 + diff --git a/queue-5.10/bluetooth-fix-alt-settings-for-incoming-sco-with-tra.patch b/queue-5.10/bluetooth-fix-alt-settings-for-incoming-sco-with-tra.patch new file mode 100644 index 00000000000..315a6665633 --- /dev/null +++ b/queue-5.10/bluetooth-fix-alt-settings-for-incoming-sco-with-tra.patch @@ -0,0 +1,146 @@ +From d9af2c22f5004b98aadbf63ebfaf8b6498619bd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 22:31:59 +0530 +Subject: Bluetooth: Fix alt settings for incoming SCO with transparent coding + format + +From: Kiran K + +[ Upstream commit 06d213d8a89a6f55b708422c3dda2b22add10748 ] + +For incoming SCO connection with transparent coding format, alt setting +of CVSD is getting applied instead of Transparent. + +Before fix: +< HCI Command: Accept Synchron.. (0x01|0x0029) plen 21 #2196 [hci0] 321.342548 + Address: 1C:CC:D6:E2:EA:80 (Xiaomi Communications Co Ltd) + Transmit bandwidth: 8000 + Receive bandwidth: 8000 + Max latency: 13 + Setting: 0x0003 + Input Coding: Linear + Input Data Format: 1's complement + Input Sample Size: 8-bit + # of bits padding at MSB: 0 + Air Coding Format: Transparent Data + Retransmission effort: Optimize for link quality (0x02) + Packet type: 0x003f + HV1 may be used + HV2 may be used + HV3 may be used + EV3 may be used + EV4 may be used + EV5 may be used +> HCI Event: Command Status (0x0f) plen 4 #2197 [hci0] 321.343585 + Accept Synchronous Connection Request (0x01|0x0029) ncmd 1 + Status: Success (0x00) +> HCI Event: Synchronous Connect Comp.. (0x2c) plen 17 #2198 [hci0] 321.351666 + Status: Success (0x00) + Handle: 257 + Address: 1C:CC:D6:E2:EA:80 (Xiaomi Communications Co Ltd) + Link type: eSCO (0x02) + Transmission interval: 0x0c + Retransmission window: 0x04 + RX packet length: 60 + TX packet length: 60 + Air mode: Transparent (0x03) +........ +> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2336 [hci0] 321.383655 +< SCO Data TX: Handle 257 flags 0x00 dlen 60 #2337 [hci0] 321.389558 +> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2338 [hci0] 321.393615 +> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2339 [hci0] 321.393618 +> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2340 [hci0] 321.393618 +< SCO Data TX: Handle 257 flags 0x00 dlen 60 #2341 [hci0] 321.397070 +> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2342 [hci0] 321.403622 +> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2343 [hci0] 321.403625 +> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2344 [hci0] 321.403625 +> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2345 [hci0] 321.403625 +< SCO Data TX: Handle 257 flags 0x00 dlen 60 #2346 [hci0] 321.404569 +< SCO Data TX: Handle 257 flags 0x00 dlen 60 #2347 [hci0] 321.412091 +> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2348 [hci0] 321.413626 +> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2349 [hci0] 321.413630 +> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2350 [hci0] 321.413630 +< SCO Data TX: Handle 257 flags 0x00 dlen 60 #2351 [hci0] 321.419674 + +After fix: + +< HCI Command: Accept Synchronou.. (0x01|0x0029) plen 21 #309 [hci0] 49.439693 + Address: 1C:CC:D6:E2:EA:80 (Xiaomi Communications Co Ltd) + Transmit bandwidth: 8000 + Receive bandwidth: 8000 + Max latency: 13 + Setting: 0x0003 + Input Coding: Linear + Input Data Format: 1's complement + Input Sample Size: 8-bit + # of bits padding at MSB: 0 + Air Coding Format: Transparent Data + Retransmission effort: Optimize for link quality (0x02) + Packet type: 0x003f + HV1 may be used + HV2 may be used + HV3 may be used + EV3 may be used + EV4 may be used + EV5 may be used +> HCI Event: Command Status (0x0f) plen 4 #310 [hci0] 49.440308 + Accept Synchronous Connection Request (0x01|0x0029) ncmd 1 + Status: Success (0x00) +> HCI Event: Synchronous Connect Complete (0x2c) plen 17 #311 [hci0] 49.449308 + Status: Success (0x00) + Handle: 257 + Address: 1C:CC:D6:E2:EA:80 (Xiaomi Communications Co Ltd) + Link type: eSCO (0x02) + Transmission interval: 0x0c + Retransmission window: 0x04 + RX packet length: 60 + TX packet length: 60 + Air mode: Transparent (0x03) +< SCO Data TX: Handle 257 flags 0x00 dlen 60 #312 [hci0] 49.450421 +< SCO Data TX: Handle 257 flags 0x00 dlen 60 #313 [hci0] 49.457927 +> HCI Event: Max Slots Change (0x1b) plen 3 #314 [hci0] 49.460345 + Handle: 256 + Max slots: 5 +< SCO Data TX: Handle 257 flags 0x00 dlen 60 #315 [hci0] 49.465453 +> SCO Data RX: Handle 257 flags 0x00 dlen 60 #316 [hci0] 49.470502 +> SCO Data RX: Handle 257 flags 0x00 dlen 60 #317 [hci0] 49.470519 +< SCO Data TX: Handle 257 flags 0x00 dlen 60 #318 [hci0] 49.472996 +> SCO Data RX: Handle 257 flags 0x00 dlen 60 #319 [hci0] 49.480412 +< SCO Data TX: Handle 257 flags 0x00 dlen 60 #320 [hci0] 49.480492 +< SCO Data TX: Handle 257 flags 0x00 dlen 60 #321 [hci0] 49.487989 +> SCO Data RX: Handle 257 flags 0x00 dlen 60 #322 [hci0] 49.490303 +< SCO Data TX: Handle 257 flags 0x00 dlen 60 #323 [hci0] 49.495496 +> SCO Data RX: Handle 257 flags 0x00 dlen 60 #324 [hci0] 49.500304 +> SCO Data RX: Handle 257 flags 0x00 dlen 60 #325 [hci0] 49.500311 + +Signed-off-by: Kiran K +Signed-off-by: Lokendra Singh +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index d62ac4b73709..e59ae24a8f17 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -4360,12 +4360,12 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev, + + bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode); + +- switch (conn->setting & SCO_AIRMODE_MASK) { +- case SCO_AIRMODE_CVSD: ++ switch (ev->air_mode) { ++ case 0x02: + if (hdev->notify) + hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); + break; +- case SCO_AIRMODE_TRANSP: ++ case 0x03: + if (hdev->notify) + hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP); + break; +-- +2.30.2 + diff --git a/queue-5.10/bluetooth-fix-the-hci-to-mgmt-status-conversion-tabl.patch b/queue-5.10/bluetooth-fix-the-hci-to-mgmt-status-conversion-tabl.patch new file mode 100644 index 00000000000..044d24654f6 --- /dev/null +++ b/queue-5.10/bluetooth-fix-the-hci-to-mgmt-status-conversion-tabl.patch @@ -0,0 +1,44 @@ +From ca731a6301b11595d995b3f3c1ac0eacdf7c2fe2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Apr 2021 16:53:30 -0700 +Subject: Bluetooth: Fix the HCI to MGMT status conversion table + +From: Yu Liu + +[ Upstream commit 4ef36a52b0e47c80bbfd69c0cce61c7ae9f541ed ] + +0x2B, 0x31 and 0x33 are reserved for future use but were not present in +the HCI to MGMT conversion table, this caused the conversion to be +incorrect for the HCI status code greater than 0x2A. + +Reviewed-by: Miao-chen Chou +Signed-off-by: Yu Liu +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 13520c7b4f2f..7dfb96946220 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -247,12 +247,15 @@ static const u8 mgmt_status_table[] = { + MGMT_STATUS_TIMEOUT, /* Instant Passed */ + MGMT_STATUS_NOT_SUPPORTED, /* Pairing Not Supported */ + MGMT_STATUS_FAILED, /* Transaction Collision */ ++ MGMT_STATUS_FAILED, /* Reserved for future use */ + MGMT_STATUS_INVALID_PARAMS, /* Unacceptable Parameter */ + MGMT_STATUS_REJECTED, /* QoS Rejected */ + MGMT_STATUS_NOT_SUPPORTED, /* Classification Not Supported */ + MGMT_STATUS_REJECTED, /* Insufficient Security */ + MGMT_STATUS_INVALID_PARAMS, /* Parameter Out Of Range */ ++ MGMT_STATUS_FAILED, /* Reserved for future use */ + MGMT_STATUS_BUSY, /* Role Switch Pending */ ++ MGMT_STATUS_FAILED, /* Reserved for future use */ + MGMT_STATUS_FAILED, /* Slot Violation */ + MGMT_STATUS_FAILED, /* Role Switch Failed */ + MGMT_STATUS_INVALID_PARAMS, /* EIR Too Large */ +-- +2.30.2 + diff --git a/queue-5.10/bluetooth-l2cap-fix-invalid-access-if-ecred-reconfig.patch b/queue-5.10/bluetooth-l2cap-fix-invalid-access-if-ecred-reconfig.patch new file mode 100644 index 00000000000..ddc96c91b80 --- /dev/null +++ b/queue-5.10/bluetooth-l2cap-fix-invalid-access-if-ecred-reconfig.patch @@ -0,0 +1,45 @@ +From 6c367442e6cc32d56d4cd04c7a8e3c3c7ffc8cde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 May 2021 13:41:50 -0700 +Subject: Bluetooth: L2CAP: Fix invalid access if ECRED Reconfigure fails + +From: Luiz Augusto von Dentz + +[ Upstream commit 1fa20d7d4aad02206e84b74915819fbe9f81dab3 ] + +The use of l2cap_chan_del is not safe under a loop using +list_for_each_entry. + +Reported-by: Dan Carpenter +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index cdc386337173..17520133093a 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -6237,7 +6237,7 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn, + struct l2cap_cmd_hdr *cmd, u16 cmd_len, + u8 *data) + { +- struct l2cap_chan *chan; ++ struct l2cap_chan *chan, *tmp; + struct l2cap_ecred_conn_rsp *rsp = (void *) data; + u16 result; + +@@ -6251,7 +6251,7 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn, + if (!result) + return 0; + +- list_for_each_entry(chan, &conn->chan_l, list) { ++ list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) { + if (chan->ident != cmd->ident) + continue; + +-- +2.30.2 + diff --git a/queue-5.10/bluetooth-l2cap-fix-invalid-access-on-ecred-connecti.patch b/queue-5.10/bluetooth-l2cap-fix-invalid-access-on-ecred-connecti.patch new file mode 100644 index 00000000000..20adb2f2ddc --- /dev/null +++ b/queue-5.10/bluetooth-l2cap-fix-invalid-access-on-ecred-connecti.patch @@ -0,0 +1,44 @@ +From 0dea22401425b58e3a39e24c0b800a0882990380 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 May 2021 13:41:51 -0700 +Subject: Bluetooth: L2CAP: Fix invalid access on ECRED Connection response + +From: Luiz Augusto von Dentz + +[ Upstream commit de895b43932cb47e69480540be7eca289af24f23 ] + +The use of l2cap_chan_del is not safe under a loop using +list_for_each_entry. + +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 17520133093a..0ddbc415ce15 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -6055,7 +6055,7 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn, + struct l2cap_ecred_conn_rsp *rsp = (void *) data; + struct hci_conn *hcon = conn->hcon; + u16 mtu, mps, credits, result; +- struct l2cap_chan *chan; ++ struct l2cap_chan *chan, *tmp; + int err = 0, sec_level; + int i = 0; + +@@ -6074,7 +6074,7 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn, + + cmd_len -= sizeof(*rsp); + +- list_for_each_entry(chan, &conn->chan_l, list) { ++ list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) { + u16 dcid; + + if (chan->ident != cmd->ident || +-- +2.30.2 + diff --git a/queue-5.10/bluetooth-mgmt-fix-the-command-returns-garbage-param.patch b/queue-5.10/bluetooth-mgmt-fix-the-command-returns-garbage-param.patch new file mode 100644 index 00000000000..26b73c6c88c --- /dev/null +++ b/queue-5.10/bluetooth-mgmt-fix-the-command-returns-garbage-param.patch @@ -0,0 +1,37 @@ +From ceed3361a0cf10fcd09c28575891feb57a3ad718 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 May 2021 10:36:22 -0700 +Subject: Bluetooth: mgmt: Fix the command returns garbage parameter value + +From: Tedd Ho-Jeong An + +[ Upstream commit 02ce2c2c24024aade65a8d91d6a596651eaf2d0a ] + +When the Get Device Flags command fails, it returns the error status +with the parameters filled with the garbage values. Although the +parameters are not used, it is better to fill with zero than the random +values. + +Signed-off-by: Tedd Ho-Jeong An +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 7dfb96946220..31a585fe0c7c 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -4038,6 +4038,8 @@ static int get_device_flags(struct sock *sk, struct hci_dev *hdev, void *data, + + hci_dev_lock(hdev); + ++ memset(&rp, 0, sizeof(rp)); ++ + if (cp->addr.type == BDADDR_BREDR) { + br_params = hci_bdaddr_list_lookup_with_flags(&hdev->whitelist, + &cp->addr.bdaddr, +-- +2.30.2 + diff --git a/queue-5.10/bluetooth-shutdown-controller-after-workqueues-are-f.patch b/queue-5.10/bluetooth-shutdown-controller-after-workqueues-are-f.patch new file mode 100644 index 00000000000..675a88ad8f5 --- /dev/null +++ b/queue-5.10/bluetooth-shutdown-controller-after-workqueues-are-f.patch @@ -0,0 +1,116 @@ +From 924858386356ecbf979a9007e4bb9faf933dbb61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 May 2021 15:14:52 +0800 +Subject: Bluetooth: Shutdown controller after workqueues are flushed or + cancelled + +From: Kai-Heng Feng + +[ Upstream commit 0ea9fd001a14ebc294f112b0361a4e601551d508 ] + +Rfkill block and unblock Intel USB Bluetooth [8087:0026] may make it +stops working: +[ 509.691509] Bluetooth: hci0: HCI reset during shutdown failed +[ 514.897584] Bluetooth: hci0: MSFT filter_enable is already on +[ 530.044751] usb 3-10: reset full-speed USB device number 5 using xhci_hcd +[ 545.660350] usb 3-10: device descriptor read/64, error -110 +[ 561.283530] usb 3-10: device descriptor read/64, error -110 +[ 561.519682] usb 3-10: reset full-speed USB device number 5 using xhci_hcd +[ 566.686650] Bluetooth: hci0: unexpected event for opcode 0x0500 +[ 568.752452] Bluetooth: hci0: urb 0000000096cd309b failed to resubmit (113) +[ 578.797955] Bluetooth: hci0: Failed to read MSFT supported features (-110) +[ 586.286565] Bluetooth: hci0: urb 00000000c522f633 failed to resubmit (113) +[ 596.215302] Bluetooth: hci0: Failed to read MSFT supported features (-110) + +Or kernel panics because other workqueues already freed skb: +[ 2048.663763] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 2048.663775] #PF: supervisor read access in kernel mode +[ 2048.663779] #PF: error_code(0x0000) - not-present page +[ 2048.663782] PGD 0 P4D 0 +[ 2048.663787] Oops: 0000 [#1] SMP NOPTI +[ 2048.663793] CPU: 3 PID: 4491 Comm: rfkill Tainted: G W 5.13.0-rc1-next-20210510+ #20 +[ 2048.663799] Hardware name: HP HP EliteBook 850 G8 Notebook PC/8846, BIOS T76 Ver. 01.01.04 12/02/2020 +[ 2048.663801] RIP: 0010:__skb_ext_put+0x6/0x50 +[ 2048.663814] Code: 8b 1b 48 85 db 75 db 5b 41 5c 5d c3 be 01 00 00 00 e8 de 13 c0 ff eb e7 be 02 00 00 00 e8 d2 13 c0 ff eb db 0f 1f 44 00 00 55 <8b> 07 48 89 e5 83 f8 01 74 14 b8 ff ff ff ff f0 0f c1 +07 83 f8 01 +[ 2048.663819] RSP: 0018:ffffc1d105b6fd80 EFLAGS: 00010286 +[ 2048.663824] RAX: 0000000000000000 RBX: ffff9d9ac5649000 RCX: 0000000000000000 +[ 2048.663827] RDX: ffffffffc0d1daf6 RSI: 0000000000000206 RDI: 0000000000000000 +[ 2048.663830] RBP: ffffc1d105b6fd98 R08: 0000000000000001 R09: ffff9d9ace8ceac0 +[ 2048.663834] R10: ffff9d9ace8ceac0 R11: 0000000000000001 R12: ffff9d9ac5649000 +[ 2048.663838] R13: 0000000000000000 R14: 00007ffe0354d650 R15: 0000000000000000 +[ 2048.663843] FS: 00007fe02ab19740(0000) GS:ffff9d9e5f8c0000(0000) knlGS:0000000000000000 +[ 2048.663849] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 2048.663853] CR2: 0000000000000000 CR3: 0000000111a52004 CR4: 0000000000770ee0 +[ 2048.663856] PKRU: 55555554 +[ 2048.663859] Call Trace: +[ 2048.663865] ? skb_release_head_state+0x5e/0x80 +[ 2048.663873] kfree_skb+0x2f/0xb0 +[ 2048.663881] btusb_shutdown_intel_new+0x36/0x60 [btusb] +[ 2048.663905] hci_dev_do_close+0x48c/0x5e0 [bluetooth] +[ 2048.663954] ? __cond_resched+0x1a/0x50 +[ 2048.663962] hci_rfkill_set_block+0x56/0xa0 [bluetooth] +[ 2048.664007] rfkill_set_block+0x98/0x170 +[ 2048.664016] rfkill_fop_write+0x136/0x1e0 +[ 2048.664022] vfs_write+0xc7/0x260 +[ 2048.664030] ksys_write+0xb1/0xe0 +[ 2048.664035] ? exit_to_user_mode_prepare+0x37/0x1c0 +[ 2048.664042] __x64_sys_write+0x1a/0x20 +[ 2048.664048] do_syscall_64+0x40/0xb0 +[ 2048.664055] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 2048.664060] RIP: 0033:0x7fe02ac23c27 +[ 2048.664066] Code: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 +[ 2048.664070] RSP: 002b:00007ffe0354d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 2048.664075] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fe02ac23c27 +[ 2048.664078] RDX: 0000000000000008 RSI: 00007ffe0354d650 RDI: 0000000000000003 +[ 2048.664081] RBP: 0000000000000000 R08: 0000559b05998440 R09: 0000559b05998440 +[ 2048.664084] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003 +[ 2048.664086] R13: 0000000000000000 R14: ffffffff00000000 R15: 00000000ffffffff + +So move the shutdown callback to a place where workqueues are either +flushed or cancelled to resolve the issue. + +Signed-off-by: Kai-Heng Feng +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 86ebfc6ae698..0854f1b35683 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -1713,14 +1713,6 @@ int hci_dev_do_close(struct hci_dev *hdev) + + BT_DBG("%s %p", hdev->name, hdev); + +- if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) && +- !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && +- test_bit(HCI_UP, &hdev->flags)) { +- /* Execute vendor specific shutdown routine */ +- if (hdev->shutdown) +- hdev->shutdown(hdev); +- } +- + cancel_delayed_work(&hdev->power_off); + + hci_request_cancel_all(hdev); +@@ -1796,6 +1788,14 @@ int hci_dev_do_close(struct hci_dev *hdev) + clear_bit(HCI_INIT, &hdev->flags); + } + ++ if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) && ++ !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && ++ test_bit(HCI_UP, &hdev->flags)) { ++ /* Execute vendor specific shutdown routine */ ++ if (hdev->shutdown) ++ hdev->shutdown(hdev); ++ } ++ + /* flush cmd work */ + flush_work(&hdev->cmd_work); + +-- +2.30.2 + diff --git a/queue-5.10/bpf-fix-false-positive-kmemleak-report-in-bpf_ringbu.patch b/queue-5.10/bpf-fix-false-positive-kmemleak-report-in-bpf_ringbu.patch new file mode 100644 index 00000000000..72b6f9631fc --- /dev/null +++ b/queue-5.10/bpf-fix-false-positive-kmemleak-report-in-bpf_ringbu.patch @@ -0,0 +1,110 @@ +From 21ff640ec40b953cd38c9e3287cb4629469260d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Jun 2021 11:11:56 -0700 +Subject: bpf: Fix false positive kmemleak report in bpf_ringbuf_area_alloc() + +From: Rustam Kovhaev + +[ Upstream commit ccff81e1d028bbbf8573d3364a87542386c707bf ] + +kmemleak scans struct page, but it does not scan the page content. If we +allocate some memory with kmalloc(), then allocate page with alloc_page(), +and if we put kmalloc pointer somewhere inside that page, kmemleak will +report kmalloc pointer as a false positive. + +We can instruct kmemleak to scan the memory area by calling kmemleak_alloc() +and kmemleak_free(), but part of struct bpf_ringbuf is mmaped to user space, +and if struct bpf_ringbuf changes we would have to revisit and review size +argument in kmemleak_alloc(), because we do not want kmemleak to scan the +user space memory. Let's simplify things and use kmemleak_not_leak() here. + +For posterity, also adding additional prior analysis from Andrii: + + I think either kmemleak or syzbot are misreporting this. I've added a + bunch of printks around all allocations performed by BPF ringbuf. [...] + On repro side I get these two warnings: + + [vmuser@archvm bpf]$ sudo ./repro + BUG: memory leak + unreferenced object 0xffff88810d538c00 (size 64): + comm "repro", pid 2140, jiffies 4294692933 (age 14.540s) + hex dump (first 32 bytes): + 00 af 19 04 00 ea ff ff c0 ae 19 04 00 ea ff ff ................ + 80 ae 19 04 00 ea ff ff c0 29 2e 04 00 ea ff ff .........)...... + backtrace: + [<0000000077bfbfbd>] __bpf_map_area_alloc+0x31/0xc0 + [<00000000587fa522>] ringbuf_map_alloc.cold.4+0x48/0x218 + [<0000000044d49e96>] __do_sys_bpf+0x359/0x1d90 + [<00000000f601d565>] do_syscall_64+0x2d/0x40 + [<0000000043d3112a>] entry_SYSCALL_64_after_hwframe+0x44/0xae + + BUG: memory leak + unreferenced object 0xffff88810d538c80 (size 64): + comm "repro", pid 2143, jiffies 4294699025 (age 8.448s) + hex dump (first 32 bytes): + 80 aa 19 04 00 ea ff ff 00 ab 19 04 00 ea ff ff ................ + c0 ab 19 04 00 ea ff ff 80 44 28 04 00 ea ff ff .........D(..... + backtrace: + [<0000000077bfbfbd>] __bpf_map_area_alloc+0x31/0xc0 + [<00000000587fa522>] ringbuf_map_alloc.cold.4+0x48/0x218 + [<0000000044d49e96>] __do_sys_bpf+0x359/0x1d90 + [<00000000f601d565>] do_syscall_64+0x2d/0x40 + [<0000000043d3112a>] entry_SYSCALL_64_after_hwframe+0x44/0xae + + Note that both reported leaks (ffff88810d538c80 and ffff88810d538c00) + correspond to pages array bpf_ringbuf is allocating and tracking properly + internally. Note also that syzbot repro doesn't close FD of created BPF + ringbufs, and even when ./repro itself exits with error, there are still + two forked processes hanging around in my system. So clearly ringbuf maps + are alive at that point. So reporting any memory leak looks weird at that + point, because that memory is being used by active referenced BPF ringbuf. + + It's also a question why repro doesn't clean up its forks. But if I do a + `pkill repro`, I do see that all the allocated memory is /properly/ cleaned + up [and the] "leaks" are deallocated properly. + + BTW, if I add close() right after bpf() syscall in syzbot repro, I see that + everything is immediately deallocated, like designed. And no memory leak + is reported. So I don't think the problem is anywhere in bpf_ringbuf code, + rather in the leak detection and/or repro itself. + +Reported-by: syzbot+5d895828587f49e7fe9b@syzkaller.appspotmail.com +Signed-off-by: Rustam Kovhaev +[ Daniel: also included analysis from Andrii to the commit log ] +Signed-off-by: Daniel Borkmann +Tested-by: syzbot+5d895828587f49e7fe9b@syzkaller.appspotmail.com +Cc: Dmitry Vyukov +Cc: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/CAEf4BzYk+dqs+jwu6VKXP-RttcTEGFe+ySTGWT9CRNkagDiJVA@mail.gmail.com +Link: https://lore.kernel.org/lkml/YNTAqiE7CWJhOK2M@nuc10 +Link: https://lore.kernel.org/lkml/20210615101515.GC26027@arm.com +Link: https://syzkaller.appspot.com/bug?extid=5d895828587f49e7fe9b +Link: https://lore.kernel.org/bpf/20210626181156.1873604-1-rkovhaev@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/ringbuf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c +index add0b34f2b34..f9913bc65ef8 100644 +--- a/kernel/bpf/ringbuf.c ++++ b/kernel/bpf/ringbuf.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + + #define RINGBUF_CREATE_FLAG_MASK (BPF_F_NUMA_NODE) +@@ -109,6 +110,7 @@ static struct bpf_ringbuf *bpf_ringbuf_area_alloc(size_t data_sz, int numa_node) + rb = vmap(pages, nr_meta_pages + 2 * nr_data_pages, + VM_ALLOC | VM_USERMAP, PAGE_KERNEL); + if (rb) { ++ kmemleak_not_leak(pages); + rb->pages = pages; + rb->nr_pages = nr_pages; + return rb; +-- +2.30.2 + diff --git a/queue-5.10/bpf-fix-up-register-based-shifts-in-interpreter-to-s.patch b/queue-5.10/bpf-fix-up-register-based-shifts-in-interpreter-to-s.patch new file mode 100644 index 00000000000..586c05288e6 --- /dev/null +++ b/queue-5.10/bpf-fix-up-register-based-shifts-in-interpreter-to-s.patch @@ -0,0 +1,204 @@ +From db828581326d3ae206f5a93b7447b4a067cd112f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 11:25:11 +0200 +Subject: bpf: Fix up register-based shifts in interpreter to silence KUBSAN + +From: Daniel Borkmann + +[ Upstream commit 28131e9d933339a92f78e7ab6429f4aaaa07061c ] + +syzbot reported a shift-out-of-bounds that KUBSAN observed in the +interpreter: + + [...] + UBSAN: shift-out-of-bounds in kernel/bpf/core.c:1420:2 + shift exponent 255 is too large for 64-bit type 'long long unsigned int' + CPU: 1 PID: 11097 Comm: syz-executor.4 Not tainted 5.12.0-rc2-syzkaller #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x141/0x1d7 lib/dump_stack.c:120 + ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 + __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327 + ___bpf_prog_run.cold+0x19/0x56c kernel/bpf/core.c:1420 + __bpf_prog_run32+0x8f/0xd0 kernel/bpf/core.c:1735 + bpf_dispatcher_nop_func include/linux/bpf.h:644 [inline] + bpf_prog_run_pin_on_cpu include/linux/filter.h:624 [inline] + bpf_prog_run_clear_cb include/linux/filter.h:755 [inline] + run_filter+0x1a1/0x470 net/packet/af_packet.c:2031 + packet_rcv+0x313/0x13e0 net/packet/af_packet.c:2104 + dev_queue_xmit_nit+0x7c2/0xa90 net/core/dev.c:2387 + xmit_one net/core/dev.c:3588 [inline] + dev_hard_start_xmit+0xad/0x920 net/core/dev.c:3609 + __dev_queue_xmit+0x2121/0x2e00 net/core/dev.c:4182 + __bpf_tx_skb net/core/filter.c:2116 [inline] + __bpf_redirect_no_mac net/core/filter.c:2141 [inline] + __bpf_redirect+0x548/0xc80 net/core/filter.c:2164 + ____bpf_clone_redirect net/core/filter.c:2448 [inline] + bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2420 + ___bpf_prog_run+0x34e1/0x77d0 kernel/bpf/core.c:1523 + __bpf_prog_run512+0x99/0xe0 kernel/bpf/core.c:1737 + bpf_dispatcher_nop_func include/linux/bpf.h:644 [inline] + bpf_test_run+0x3ed/0xc50 net/bpf/test_run.c:50 + bpf_prog_test_run_skb+0xabc/0x1c50 net/bpf/test_run.c:582 + bpf_prog_test_run kernel/bpf/syscall.c:3127 [inline] + __do_sys_bpf+0x1ea9/0x4f00 kernel/bpf/syscall.c:4406 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xae + [...] + +Generally speaking, KUBSAN reports from the kernel should be fixed. +However, in case of BPF, this particular report caused concerns since +the large shift is not wrong from BPF point of view, just undefined. +In the verifier, K-based shifts that are >= {64,32} (depending on the +bitwidth of the instruction) are already rejected. The register-based +cases were not given their content might not be known at verification +time. Ideas such as verifier instruction rewrite with an additional +AND instruction for the source register were brought up, but regularly +rejected due to the additional runtime overhead they incur. + +As Edward Cree rightly put it: + + Shifts by more than insn bitness are legal in the BPF ISA; they are + implementation-defined behaviour [of the underlying architecture], + rather than UB, and have been made legal for performance reasons. + Each of the JIT backends compiles the BPF shift operations to machine + instructions which produce implementation-defined results in such a + case; the resulting contents of the register may be arbitrary but + program behaviour as a whole remains defined. + + Guard checks in the fast path (i.e. affecting JITted code) will thus + not be accepted. + + The case of division by zero is not truly analogous here, as division + instructions on many of the JIT-targeted architectures will raise a + machine exception / fault on division by zero, whereas (to the best + of my knowledge) none will do so on an out-of-bounds shift. + +Given the KUBSAN report only affects the BPF interpreter, but not JITs, +one solution is to add the ANDs with 63 or 31 into ___bpf_prog_run(). +That would make the shifts defined, and thus shuts up KUBSAN, and the +compiler would optimize out the AND on any CPU that interprets the shift +amounts modulo the width anyway (e.g., confirmed from disassembly that +on x86-64 and arm64 the generated interpreter code is the same before +and after this fix). + +The BPF interpreter is slow path, and most likely compiled out anyway +as distros select BPF_JIT_ALWAYS_ON to avoid speculative execution of +BPF instructions by the interpreter. Given the main argument was to +avoid sacrificing performance, the fact that the AND is optimized away +from compiler for mainstream archs helps as well as a solution moving +forward. Also add a comment on LSH/RSH/ARSH translation for JIT authors +to provide guidance when they see the ___bpf_prog_run() interpreter +code and use it as a model for a new JIT backend. + +Reported-by: syzbot+bed360704c521841c85d@syzkaller.appspotmail.com +Reported-by: Kurt Manucredo +Signed-off-by: Eric Biggers +Co-developed-by: Eric Biggers +Signed-off-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +Acked-by: Andrii Nakryiko +Tested-by: syzbot+bed360704c521841c85d@syzkaller.appspotmail.com +Cc: Edward Cree +Link: https://lore.kernel.org/bpf/0000000000008f912605bd30d5d7@google.com +Link: https://lore.kernel.org/bpf/bac16d8d-c174-bdc4-91bd-bfa62b410190@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/core.c | 61 +++++++++++++++++++++++++++++++++-------------- + 1 file changed, 43 insertions(+), 18 deletions(-) + +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index 182e162f8fd0..239c6b3b5993 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -1395,29 +1395,54 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, u64 *stack) + select_insn: + goto *jumptable[insn->code]; + +- /* ALU */ +-#define ALU(OPCODE, OP) \ +- ALU64_##OPCODE##_X: \ +- DST = DST OP SRC; \ +- CONT; \ +- ALU_##OPCODE##_X: \ +- DST = (u32) DST OP (u32) SRC; \ +- CONT; \ +- ALU64_##OPCODE##_K: \ +- DST = DST OP IMM; \ +- CONT; \ +- ALU_##OPCODE##_K: \ +- DST = (u32) DST OP (u32) IMM; \ ++ /* Explicitly mask the register-based shift amounts with 63 or 31 ++ * to avoid undefined behavior. Normally this won't affect the ++ * generated code, for example, in case of native 64 bit archs such ++ * as x86-64 or arm64, the compiler is optimizing the AND away for ++ * the interpreter. In case of JITs, each of the JIT backends compiles ++ * the BPF shift operations to machine instructions which produce ++ * implementation-defined results in such a case; the resulting ++ * contents of the register may be arbitrary, but program behaviour ++ * as a whole remains defined. In other words, in case of JIT backends, ++ * the AND must /not/ be added to the emitted LSH/RSH/ARSH translation. ++ */ ++ /* ALU (shifts) */ ++#define SHT(OPCODE, OP) \ ++ ALU64_##OPCODE##_X: \ ++ DST = DST OP (SRC & 63); \ ++ CONT; \ ++ ALU_##OPCODE##_X: \ ++ DST = (u32) DST OP ((u32) SRC & 31); \ ++ CONT; \ ++ ALU64_##OPCODE##_K: \ ++ DST = DST OP IMM; \ ++ CONT; \ ++ ALU_##OPCODE##_K: \ ++ DST = (u32) DST OP (u32) IMM; \ ++ CONT; ++ /* ALU (rest) */ ++#define ALU(OPCODE, OP) \ ++ ALU64_##OPCODE##_X: \ ++ DST = DST OP SRC; \ ++ CONT; \ ++ ALU_##OPCODE##_X: \ ++ DST = (u32) DST OP (u32) SRC; \ ++ CONT; \ ++ ALU64_##OPCODE##_K: \ ++ DST = DST OP IMM; \ ++ CONT; \ ++ ALU_##OPCODE##_K: \ ++ DST = (u32) DST OP (u32) IMM; \ + CONT; +- + ALU(ADD, +) + ALU(SUB, -) + ALU(AND, &) + ALU(OR, |) +- ALU(LSH, <<) +- ALU(RSH, >>) + ALU(XOR, ^) + ALU(MUL, *) ++ SHT(LSH, <<) ++ SHT(RSH, >>) ++#undef SHT + #undef ALU + ALU_NEG: + DST = (u32) -DST; +@@ -1442,13 +1467,13 @@ select_insn: + insn++; + CONT; + ALU_ARSH_X: +- DST = (u64) (u32) (((s32) DST) >> SRC); ++ DST = (u64) (u32) (((s32) DST) >> (SRC & 31)); + CONT; + ALU_ARSH_K: + DST = (u64) (u32) (((s32) DST) >> IMM); + CONT; + ALU64_ARSH_X: +- (*(s64 *) &DST) >>= SRC; ++ (*(s64 *) &DST) >>= (SRC & 63); + CONT; + ALU64_ARSH_K: + (*(s64 *) &DST) >>= IMM; +-- +2.30.2 + diff --git a/queue-5.10/cfg80211-fix-default-he-tx-bitrate-mask-in-2g-band.patch b/queue-5.10/cfg80211-fix-default-he-tx-bitrate-mask-in-2g-band.patch new file mode 100644 index 00000000000..1221f407ba9 --- /dev/null +++ b/queue-5.10/cfg80211-fix-default-he-tx-bitrate-mask-in-2g-band.patch @@ -0,0 +1,44 @@ +From a7da7e3b87b320a9b819023d8b37dffacb4b9e6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 15:59:44 +0800 +Subject: cfg80211: fix default HE tx bitrate mask in 2G band + +From: Ping-Ke Shih + +[ Upstream commit 9df66d5b9f45c39b3925d16e8947cc10009b186d ] + +In 2G band, a HE sta can only supports HT and HE, but not supports VHT. +In this case, default HE tx bitrate mask isn't filled, when we use iw to +set bitrates without any parameter. + +Signed-off-by: Ping-Ke Shih +Link: https://lore.kernel.org/r/20210609075944.51130-1-pkshih@realtek.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index daf3f29c7f0c..8fb0478888fb 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -4625,11 +4625,10 @@ static int nl80211_parse_tx_bitrate_mask(struct genl_info *info, + sband->ht_cap.mcs.rx_mask, + sizeof(mask->control[i].ht_mcs)); + +- if (!sband->vht_cap.vht_supported) +- continue; +- +- vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map); +- vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs); ++ if (sband->vht_cap.vht_supported) { ++ vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map); ++ vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs); ++ } + + he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype); + if (!he_cap) +-- +2.30.2 + diff --git a/queue-5.10/clk-renesas-r8a77995-add-za2-clock.patch b/queue-5.10/clk-renesas-r8a77995-add-za2-clock.patch new file mode 100644 index 00000000000..78f1f60d967 --- /dev/null +++ b/queue-5.10/clk-renesas-r8a77995-add-za2-clock.patch @@ -0,0 +1,38 @@ +From 053b48f6deeb6792579bb3792b549d734b728ad1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 May 2021 13:36:38 +0900 +Subject: clk: renesas: r8a77995: Add ZA2 clock + +From: Kuninori Morimoto + +[ Upstream commit 790c06cc5df263cdaff748670cc65958c81b0951 ] + +R-Car D3 ZA2 clock is from PLL0D3 or S0, +and it can be controlled by ZA2CKCR. +It is needed for R-Car Sound, but is not used so far. +Using default settings is very enough at this point. +This patch adds it by DEF_FIXED(). + +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/87pmxclrmy.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/clk/renesas/r8a77995-cpg-mssr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/renesas/r8a77995-cpg-mssr.c b/drivers/clk/renesas/r8a77995-cpg-mssr.c +index 5b4691117b47..026e2612c33c 100644 +--- a/drivers/clk/renesas/r8a77995-cpg-mssr.c ++++ b/drivers/clk/renesas/r8a77995-cpg-mssr.c +@@ -75,6 +75,7 @@ static const struct cpg_core_clk r8a77995_core_clks[] __initconst = { + DEF_RATE(".oco", CLK_OCO, 8 * 1000 * 1000), + + /* Core Clock Outputs */ ++ DEF_FIXED("za2", R8A77995_CLK_ZA2, CLK_PLL0D3, 2, 1), + DEF_FIXED("z2", R8A77995_CLK_Z2, CLK_PLL0D3, 1, 1), + DEF_FIXED("ztr", R8A77995_CLK_ZTR, CLK_PLL1, 6, 1), + DEF_FIXED("zt", R8A77995_CLK_ZT, CLK_PLL1, 4, 1), +-- +2.30.2 + diff --git a/queue-5.10/clk-renesas-rcar-usb2-clock-sel-fix-error-handling-i.patch b/queue-5.10/clk-renesas-rcar-usb2-clock-sel-fix-error-handling-i.patch new file mode 100644 index 00000000000..bbd76e1c037 --- /dev/null +++ b/queue-5.10/clk-renesas-rcar-usb2-clock-sel-fix-error-handling-i.patch @@ -0,0 +1,83 @@ +From b32edc53f5fce6fe7eed50967466d6536b7930b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 15:33:38 +0800 +Subject: clk: renesas: rcar-usb2-clock-sel: Fix error handling in .probe() + +From: Dinghao Liu + +[ Upstream commit a20a40a8bbc2cf4b29d7248ea31e974e9103dd7f ] + +The error handling paths after pm_runtime_get_sync() have no refcount +decrement, which leads to refcount leak. + +Signed-off-by: Dinghao Liu +Link: https://lore.kernel.org/r/20210415073338.22287-1-dinghao.liu@zju.edu.cn +[geert: Remove now unused variable priv] +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/clk/renesas/rcar-usb2-clock-sel.c | 24 ++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +diff --git a/drivers/clk/renesas/rcar-usb2-clock-sel.c b/drivers/clk/renesas/rcar-usb2-clock-sel.c +index d4c02986c34e..0ccc6e709a38 100644 +--- a/drivers/clk/renesas/rcar-usb2-clock-sel.c ++++ b/drivers/clk/renesas/rcar-usb2-clock-sel.c +@@ -128,10 +128,8 @@ static int rcar_usb2_clock_sel_resume(struct device *dev) + static int rcar_usb2_clock_sel_remove(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; +- struct usb2_clock_sel_priv *priv = platform_get_drvdata(pdev); + + of_clk_del_provider(dev->of_node); +- clk_hw_unregister(&priv->hw); + pm_runtime_put(dev); + pm_runtime_disable(dev); + +@@ -164,9 +162,6 @@ static int rcar_usb2_clock_sel_probe(struct platform_device *pdev) + if (IS_ERR(priv->rsts)) + return PTR_ERR(priv->rsts); + +- pm_runtime_enable(dev); +- pm_runtime_get_sync(dev); +- + clk = devm_clk_get(dev, "usb_extal"); + if (!IS_ERR(clk) && !clk_prepare_enable(clk)) { + priv->extal = !!clk_get_rate(clk); +@@ -183,6 +178,8 @@ static int rcar_usb2_clock_sel_probe(struct platform_device *pdev) + return -ENOENT; + } + ++ pm_runtime_enable(dev); ++ pm_runtime_get_sync(dev); + platform_set_drvdata(pdev, priv); + dev_set_drvdata(dev, priv); + +@@ -193,11 +190,20 @@ static int rcar_usb2_clock_sel_probe(struct platform_device *pdev) + init.num_parents = 0; + priv->hw.init = &init; + +- clk = clk_register(NULL, &priv->hw); +- if (IS_ERR(clk)) +- return PTR_ERR(clk); ++ ret = devm_clk_hw_register(NULL, &priv->hw); ++ if (ret) ++ goto pm_put; ++ ++ ret = of_clk_add_hw_provider(np, of_clk_hw_simple_get, &priv->hw); ++ if (ret) ++ goto pm_put; ++ ++ return 0; + +- return of_clk_add_hw_provider(np, of_clk_hw_simple_get, &priv->hw); ++pm_put: ++ pm_runtime_put(dev); ++ pm_runtime_disable(dev); ++ return ret; + } + + static const struct dev_pm_ops rcar_usb2_clock_sel_pm_ops = { +-- +2.30.2 + diff --git a/queue-5.10/clk-tegra-ensure-that-pllu-configuration-is-applied-.patch b/queue-5.10/clk-tegra-ensure-that-pllu-configuration-is-applied-.patch new file mode 100644 index 00000000000..09f0ba1b606 --- /dev/null +++ b/queue-5.10/clk-tegra-ensure-that-pllu-configuration-is-applied-.patch @@ -0,0 +1,61 @@ +From 27f1fdc5943d84e2da00ca3ad0dd7a9d3fa195ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 May 2021 19:30:35 +0300 +Subject: clk: tegra: Ensure that PLLU configuration is applied properly + +From: Dmitry Osipenko + +[ Upstream commit a7196048cd5168096c2c4f44a3939d7a6dcd06b9 ] + +The PLLU (USB) consists of the PLL configuration itself and configuration +of the PLLU outputs. The PLLU programming is inconsistent on T30 vs T114, +where T114 immediately bails out if PLLU is enabled and T30 re-enables +a potentially already enabled PLL (left after bootloader) and then fully +reprograms it, which could be unsafe to do. The correct way should be to +skip enabling of the PLL if it's already enabled and then apply +configuration to the outputs. This patch doesn't fix any known problems, +it's a minor improvement. + +Acked-by: Thierry Reding +Signed-off-by: Dmitry Osipenko +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/clk/tegra/clk-pll.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/clk/tegra/clk-pll.c b/drivers/clk/tegra/clk-pll.c +index c5cc0a2dac6f..d709ecb7d8d7 100644 +--- a/drivers/clk/tegra/clk-pll.c ++++ b/drivers/clk/tegra/clk-pll.c +@@ -1131,7 +1131,8 @@ static int clk_pllu_enable(struct clk_hw *hw) + if (pll->lock) + spin_lock_irqsave(pll->lock, flags); + +- _clk_pll_enable(hw); ++ if (!clk_pll_is_enabled(hw)) ++ _clk_pll_enable(hw); + + ret = clk_pll_wait_for_lock(pll); + if (ret < 0) +@@ -1748,15 +1749,13 @@ static int clk_pllu_tegra114_enable(struct clk_hw *hw) + return -EINVAL; + } + +- if (clk_pll_is_enabled(hw)) +- return 0; +- + input_rate = clk_hw_get_rate(__clk_get_hw(osc)); + + if (pll->lock) + spin_lock_irqsave(pll->lock, flags); + +- _clk_pll_enable(hw); ++ if (!clk_pll_is_enabled(hw)) ++ _clk_pll_enable(hw); + + ret = clk_pll_wait_for_lock(pll); + if (ret < 0) +-- +2.30.2 + diff --git a/queue-5.10/clk-tegra-fix-refcounting-of-gate-clocks.patch b/queue-5.10/clk-tegra-fix-refcounting-of-gate-clocks.patch new file mode 100644 index 00000000000..7c716b32928 --- /dev/null +++ b/queue-5.10/clk-tegra-fix-refcounting-of-gate-clocks.patch @@ -0,0 +1,191 @@ +From 364859f8bcffc9664c76dfa610c43c0d33eccf95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 May 2021 19:30:34 +0300 +Subject: clk: tegra: Fix refcounting of gate clocks + +From: Dmitry Osipenko + +[ Upstream commit c592c8a28f5821e880ac6675781cd8a151b0737c ] + +The refcounting of the gate clocks has a bug causing the enable_refcnt +to underflow when unused clocks are disabled. This happens because clk +provider erroneously bumps the refcount if clock is enabled at a boot +time, which it shouldn't be doing, and it does this only for the gate +clocks, while peripheral clocks are using the same gate ops and the +peripheral clocks are missing the initial bump. Hence the refcount of +the peripheral clocks is 0 when unused clocks are disabled and then the +counter is decremented further by the gate ops, causing the integer +underflow. + +Fix this problem by removing the erroneous bump and by implementing the +disable_unused() callback, which disables the unused gates properly. + +The visible effect of the bug is such that the unused clocks are never +gated if a loaded kernel module grabs the unused clocks and starts to use +them. In practice this shouldn't cause any real problems for the drivers +and boards supported by the kernel today. + +Acked-by: Thierry Reding +Signed-off-by: Dmitry Osipenko +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/clk/tegra/clk-periph-gate.c | 72 +++++++++++++++++++---------- + drivers/clk/tegra/clk-periph.c | 11 +++++ + 2 files changed, 58 insertions(+), 25 deletions(-) + +diff --git a/drivers/clk/tegra/clk-periph-gate.c b/drivers/clk/tegra/clk-periph-gate.c +index 4b31beefc9fc..dc3f92678407 100644 +--- a/drivers/clk/tegra/clk-periph-gate.c ++++ b/drivers/clk/tegra/clk-periph-gate.c +@@ -48,18 +48,9 @@ static int clk_periph_is_enabled(struct clk_hw *hw) + return state; + } + +-static int clk_periph_enable(struct clk_hw *hw) ++static void clk_periph_enable_locked(struct clk_hw *hw) + { + struct tegra_clk_periph_gate *gate = to_clk_periph_gate(hw); +- unsigned long flags = 0; +- +- spin_lock_irqsave(&periph_ref_lock, flags); +- +- gate->enable_refcnt[gate->clk_num]++; +- if (gate->enable_refcnt[gate->clk_num] > 1) { +- spin_unlock_irqrestore(&periph_ref_lock, flags); +- return 0; +- } + + write_enb_set(periph_clk_to_bit(gate), gate); + udelay(2); +@@ -78,6 +69,32 @@ static int clk_periph_enable(struct clk_hw *hw) + udelay(1); + writel_relaxed(0, gate->clk_base + LVL2_CLK_GATE_OVRE); + } ++} ++ ++static void clk_periph_disable_locked(struct clk_hw *hw) ++{ ++ struct tegra_clk_periph_gate *gate = to_clk_periph_gate(hw); ++ ++ /* ++ * If peripheral is in the APB bus then read the APB bus to ++ * flush the write operation in apb bus. This will avoid the ++ * peripheral access after disabling clock ++ */ ++ if (gate->flags & TEGRA_PERIPH_ON_APB) ++ tegra_read_chipid(); ++ ++ write_enb_clr(periph_clk_to_bit(gate), gate); ++} ++ ++static int clk_periph_enable(struct clk_hw *hw) ++{ ++ struct tegra_clk_periph_gate *gate = to_clk_periph_gate(hw); ++ unsigned long flags = 0; ++ ++ spin_lock_irqsave(&periph_ref_lock, flags); ++ ++ if (!gate->enable_refcnt[gate->clk_num]++) ++ clk_periph_enable_locked(hw); + + spin_unlock_irqrestore(&periph_ref_lock, flags); + +@@ -91,21 +108,28 @@ static void clk_periph_disable(struct clk_hw *hw) + + spin_lock_irqsave(&periph_ref_lock, flags); + +- gate->enable_refcnt[gate->clk_num]--; +- if (gate->enable_refcnt[gate->clk_num] > 0) { +- spin_unlock_irqrestore(&periph_ref_lock, flags); +- return; +- } ++ WARN_ON(!gate->enable_refcnt[gate->clk_num]); ++ ++ if (--gate->enable_refcnt[gate->clk_num] == 0) ++ clk_periph_disable_locked(hw); ++ ++ spin_unlock_irqrestore(&periph_ref_lock, flags); ++} ++ ++static void clk_periph_disable_unused(struct clk_hw *hw) ++{ ++ struct tegra_clk_periph_gate *gate = to_clk_periph_gate(hw); ++ unsigned long flags = 0; ++ ++ spin_lock_irqsave(&periph_ref_lock, flags); + + /* +- * If peripheral is in the APB bus then read the APB bus to +- * flush the write operation in apb bus. This will avoid the +- * peripheral access after disabling clock ++ * Some clocks are duplicated and some of them are marked as critical, ++ * like fuse and fuse_burn for example, thus the enable_refcnt will ++ * be non-zero here if the "unused" duplicate is disabled by CCF. + */ +- if (gate->flags & TEGRA_PERIPH_ON_APB) +- tegra_read_chipid(); +- +- write_enb_clr(periph_clk_to_bit(gate), gate); ++ if (!gate->enable_refcnt[gate->clk_num]) ++ clk_periph_disable_locked(hw); + + spin_unlock_irqrestore(&periph_ref_lock, flags); + } +@@ -114,6 +138,7 @@ const struct clk_ops tegra_clk_periph_gate_ops = { + .is_enabled = clk_periph_is_enabled, + .enable = clk_periph_enable, + .disable = clk_periph_disable, ++ .disable_unused = clk_periph_disable_unused, + }; + + struct clk *tegra_clk_register_periph_gate(const char *name, +@@ -148,9 +173,6 @@ struct clk *tegra_clk_register_periph_gate(const char *name, + gate->enable_refcnt = enable_refcnt; + gate->regs = pregs; + +- if (read_enb(gate) & periph_clk_to_bit(gate)) +- enable_refcnt[clk_num]++; +- + /* Data in .init is copied by clk_register(), so stack variable OK */ + gate->hw.init = &init; + +diff --git a/drivers/clk/tegra/clk-periph.c b/drivers/clk/tegra/clk-periph.c +index 67620c7ecd9e..79ca3aa072b7 100644 +--- a/drivers/clk/tegra/clk-periph.c ++++ b/drivers/clk/tegra/clk-periph.c +@@ -100,6 +100,15 @@ static void clk_periph_disable(struct clk_hw *hw) + gate_ops->disable(gate_hw); + } + ++static void clk_periph_disable_unused(struct clk_hw *hw) ++{ ++ struct tegra_clk_periph *periph = to_clk_periph(hw); ++ const struct clk_ops *gate_ops = periph->gate_ops; ++ struct clk_hw *gate_hw = &periph->gate.hw; ++ ++ gate_ops->disable_unused(gate_hw); ++} ++ + static void clk_periph_restore_context(struct clk_hw *hw) + { + struct tegra_clk_periph *periph = to_clk_periph(hw); +@@ -126,6 +135,7 @@ const struct clk_ops tegra_clk_periph_ops = { + .is_enabled = clk_periph_is_enabled, + .enable = clk_periph_enable, + .disable = clk_periph_disable, ++ .disable_unused = clk_periph_disable_unused, + .restore_context = clk_periph_restore_context, + }; + +@@ -135,6 +145,7 @@ static const struct clk_ops tegra_clk_periph_nodiv_ops = { + .is_enabled = clk_periph_is_enabled, + .enable = clk_periph_enable, + .disable = clk_periph_disable, ++ .disable_unused = clk_periph_disable_unused, + .restore_context = clk_periph_restore_context, + }; + +-- +2.30.2 + diff --git a/queue-5.10/cw1200-add-missing-module_device_table.patch b/queue-5.10/cw1200-add-missing-module_device_table.patch new file mode 100644 index 00000000000..1b305132a1a --- /dev/null +++ b/queue-5.10/cw1200-add-missing-module_device_table.patch @@ -0,0 +1,37 @@ +From 05509696ac1d51ebaef73aeddec44052dba675ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 11:05:14 +0800 +Subject: cw1200: add missing MODULE_DEVICE_TABLE + +From: Zou Wei + +[ Upstream commit dd778f89225cd258e8f0fed2b7256124982c8bb5 ] + +This patch adds missing MODULE_DEVICE_TABLE definition which generates +correct modalias for automatic loading of this driver when it is built +as an external module. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1620788714-14300-1-git-send-email-zou_wei@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/st/cw1200/cw1200_sdio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/st/cw1200/cw1200_sdio.c b/drivers/net/wireless/st/cw1200/cw1200_sdio.c +index b65ec14136c7..4c30b5772ce0 100644 +--- a/drivers/net/wireless/st/cw1200/cw1200_sdio.c ++++ b/drivers/net/wireless/st/cw1200/cw1200_sdio.c +@@ -53,6 +53,7 @@ static const struct sdio_device_id cw1200_sdio_ids[] = { + { SDIO_DEVICE(SDIO_VENDOR_ID_STE, SDIO_DEVICE_ID_STE_CW1200) }, + { /* end: all zeroes */ }, + }; ++MODULE_DEVICE_TABLE(sdio, cw1200_sdio_ids); + + /* hwbus_ops implemetation */ + +-- +2.30.2 + diff --git a/queue-5.10/dm-fix-dm_accept_partial_bio-relative-to-zone-manage.patch b/queue-5.10/dm-fix-dm_accept_partial_bio-relative-to-zone-manage.patch new file mode 100644 index 00000000000..584e1782847 --- /dev/null +++ b/queue-5.10/dm-fix-dm_accept_partial_bio-relative-to-zone-manage.patch @@ -0,0 +1,56 @@ +From ab09eba55bea704447654e549c9f3574cf556109 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 May 2021 06:24:54 +0900 +Subject: dm: Fix dm_accept_partial_bio() relative to zone management commands + +From: Damien Le Moal + +[ Upstream commit 6842d264aa5205da338b6dcc6acfa2a6732558f1 ] + +Fix dm_accept_partial_bio() to actually check that zone management +commands are not passed as explained in the function documentation +comment. Also, since a zone append operation cannot be split, add +REQ_OP_ZONE_APPEND as a forbidden command. + +White lines are added around the group of BUG_ON() calls to make the +code more legible. + +Signed-off-by: Damien Le Moal +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index 638c04f9e832..19a70f434029 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -1230,8 +1230,8 @@ static int dm_dax_zero_page_range(struct dax_device *dax_dev, pgoff_t pgoff, + + /* + * A target may call dm_accept_partial_bio only from the map routine. It is +- * allowed for all bio types except REQ_PREFLUSH, REQ_OP_ZONE_RESET, +- * REQ_OP_ZONE_OPEN, REQ_OP_ZONE_CLOSE and REQ_OP_ZONE_FINISH. ++ * allowed for all bio types except REQ_PREFLUSH, REQ_OP_ZONE_* zone management ++ * operations and REQ_OP_ZONE_APPEND (zone append writes). + * + * dm_accept_partial_bio informs the dm that the target only wants to process + * additional n_sectors sectors of the bio and the rest of the data should be +@@ -1261,9 +1261,13 @@ void dm_accept_partial_bio(struct bio *bio, unsigned n_sectors) + { + struct dm_target_io *tio = container_of(bio, struct dm_target_io, clone); + unsigned bi_size = bio->bi_iter.bi_size >> SECTOR_SHIFT; ++ + BUG_ON(bio->bi_opf & REQ_PREFLUSH); ++ BUG_ON(op_is_zone_mgmt(bio_op(bio))); ++ BUG_ON(bio_op(bio) == REQ_OP_ZONE_APPEND); + BUG_ON(bi_size > *tio->len_ptr); + BUG_ON(n_sectors > bi_size); ++ + *tio->len_ptr -= bi_size - n_sectors; + bio->bi_iter.bi_size = n_sectors << SECTOR_SHIFT; + } +-- +2.30.2 + diff --git a/queue-5.10/dm-space-maps-don-t-reset-space-map-allocation-curso.patch b/queue-5.10/dm-space-maps-don-t-reset-space-map-allocation-curso.patch new file mode 100644 index 00000000000..d3bcfed303b --- /dev/null +++ b/queue-5.10/dm-space-maps-don-t-reset-space-map-allocation-curso.patch @@ -0,0 +1,90 @@ +From 72f26dc9b840b3933a74ec9fa058eb5fa4312d38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Apr 2021 09:03:49 +0100 +Subject: dm space maps: don't reset space map allocation cursor when + committing + +From: Joe Thornber + +[ Upstream commit 5faafc77f7de69147d1e818026b9a0cbf036a7b2 ] + +Current commit code resets the place where the search for free blocks +will begin back to the start of the metadata device. There are a couple +of repercussions to this: + +- The first allocation after the commit is likely to take longer than + normal as it searches for a free block in an area that is likely to + have very few free blocks (if any). + +- Any free blocks it finds will have been recently freed. Reusing them + means we have fewer old copies of the metadata to aid recovery from + hardware error. + +Fix these issues by leaving the cursor alone, only resetting when the +search hits the end of the metadata device. + +Signed-off-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/persistent-data/dm-space-map-disk.c | 9 ++++++++- + drivers/md/persistent-data/dm-space-map-metadata.c | 9 ++++++++- + 2 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/persistent-data/dm-space-map-disk.c b/drivers/md/persistent-data/dm-space-map-disk.c +index bf4c5e2ccb6f..e0acae7a3815 100644 +--- a/drivers/md/persistent-data/dm-space-map-disk.c ++++ b/drivers/md/persistent-data/dm-space-map-disk.c +@@ -171,6 +171,14 @@ static int sm_disk_new_block(struct dm_space_map *sm, dm_block_t *b) + * Any block we allocate has to be free in both the old and current ll. + */ + r = sm_ll_find_common_free_block(&smd->old_ll, &smd->ll, smd->begin, smd->ll.nr_blocks, b); ++ if (r == -ENOSPC) { ++ /* ++ * There's no free block between smd->begin and the end of the metadata device. ++ * We search before smd->begin in case something has been freed. ++ */ ++ r = sm_ll_find_common_free_block(&smd->old_ll, &smd->ll, 0, smd->begin, b); ++ } ++ + if (r) + return r; + +@@ -199,7 +207,6 @@ static int sm_disk_commit(struct dm_space_map *sm) + return r; + + memcpy(&smd->old_ll, &smd->ll, sizeof(smd->old_ll)); +- smd->begin = 0; + smd->nr_allocated_this_transaction = 0; + + r = sm_disk_get_nr_free(sm, &nr_free); +diff --git a/drivers/md/persistent-data/dm-space-map-metadata.c b/drivers/md/persistent-data/dm-space-map-metadata.c +index 9e3c64ec2026..da439ac85796 100644 +--- a/drivers/md/persistent-data/dm-space-map-metadata.c ++++ b/drivers/md/persistent-data/dm-space-map-metadata.c +@@ -452,6 +452,14 @@ static int sm_metadata_new_block_(struct dm_space_map *sm, dm_block_t *b) + * Any block we allocate has to be free in both the old and current ll. + */ + r = sm_ll_find_common_free_block(&smm->old_ll, &smm->ll, smm->begin, smm->ll.nr_blocks, b); ++ if (r == -ENOSPC) { ++ /* ++ * There's no free block between smm->begin and the end of the metadata device. ++ * We search before smm->begin in case something has been freed. ++ */ ++ r = sm_ll_find_common_free_block(&smm->old_ll, &smm->ll, 0, smm->begin, b); ++ } ++ + if (r) + return r; + +@@ -503,7 +511,6 @@ static int sm_metadata_commit(struct dm_space_map *sm) + return r; + + memcpy(&smm->old_ll, &smm->ll, sizeof(smm->old_ll)); +- smm->begin = 0; + smm->allocated_this_transaction = 0; + + return 0; +-- +2.30.2 + diff --git a/queue-5.10/dm-writecache-commit-just-one-block-not-a-full-page.patch b/queue-5.10/dm-writecache-commit-just-one-block-not-a-full-page.patch new file mode 100644 index 00000000000..406676fbe34 --- /dev/null +++ b/queue-5.10/dm-writecache-commit-just-one-block-not-a-full-page.patch @@ -0,0 +1,41 @@ +From 34c42101d30248b21181761b44e16ec8c2b7f908 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Jun 2021 16:13:16 -0400 +Subject: dm writecache: commit just one block, not a full page + +From: Mikulas Patocka + +[ Upstream commit 991bd8d7bc78966b4dc427b53a144f276bffcd52 ] + +Some architectures have pages larger than 4k and committing a full +page causes needless overhead. + +Fix this by writing a single block when committing the superblock. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-writecache.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/md/dm-writecache.c b/drivers/md/dm-writecache.c +index 64c2980aaa54..894b58bbe56e 100644 +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -532,11 +532,7 @@ static void ssd_commit_superblock(struct dm_writecache *wc) + + region.bdev = wc->ssd_dev->bdev; + region.sector = 0; +- region.count = PAGE_SIZE >> SECTOR_SHIFT; +- +- if (unlikely(region.sector + region.count > wc->metadata_sectors)) +- region.count = wc->metadata_sectors - region.sector; +- ++ region.count = wc->block_size >> SECTOR_SHIFT; + region.sector += wc->start_sector; + + req.bi_op = REQ_OP_WRITE; +-- +2.30.2 + diff --git a/queue-5.10/dm-writecache-don-t-split-bios-when-overwriting-cont.patch b/queue-5.10/dm-writecache-don-t-split-bios-when-overwriting-cont.patch new file mode 100644 index 00000000000..8443be4b493 --- /dev/null +++ b/queue-5.10/dm-writecache-don-t-split-bios-when-overwriting-cont.patch @@ -0,0 +1,91 @@ +From 02c855f35366133b1aded8e63f360e427331be79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 May 2021 10:29:45 -0400 +Subject: dm writecache: don't split bios when overwriting contiguous cache + content + +From: Mikulas Patocka + +[ Upstream commit ee50cc19d80e9b9a8283d1fb517a778faf2f6899 ] + +If dm-writecache overwrites existing cached data, it splits the +incoming bio into many block-sized bios. The I/O scheduler does merge +these bios into one large request but this needless splitting and +merging causes performance degradation. + +Fix this by avoiding bio splitting if the cache target area that is +being overwritten is contiguous. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-writecache.c | 38 ++++++++++++++++++++++++++++++-------- + 1 file changed, 30 insertions(+), 8 deletions(-) + +diff --git a/drivers/md/dm-writecache.c b/drivers/md/dm-writecache.c +index 8628c4aa2e85..64c2980aaa54 100644 +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -1360,14 +1360,18 @@ read_next_block: + } else { + do { + bool found_entry = false; ++ bool search_used = false; + if (writecache_has_error(wc)) + goto unlock_error; + e = writecache_find_entry(wc, bio->bi_iter.bi_sector, 0); + if (e) { +- if (!writecache_entry_is_committed(wc, e)) ++ if (!writecache_entry_is_committed(wc, e)) { ++ search_used = true; + goto bio_copy; ++ } + if (!WC_MODE_PMEM(wc) && !e->write_in_progress) { + wc->overwrote_committed = true; ++ search_used = true; + goto bio_copy; + } + found_entry = true; +@@ -1404,13 +1408,31 @@ bio_copy: + sector_t current_cache_sec = start_cache_sec + (bio_size >> SECTOR_SHIFT); + + while (bio_size < bio->bi_iter.bi_size) { +- struct wc_entry *f = writecache_pop_from_freelist(wc, current_cache_sec); +- if (!f) +- break; +- write_original_sector_seq_count(wc, f, bio->bi_iter.bi_sector + +- (bio_size >> SECTOR_SHIFT), wc->seq_count); +- writecache_insert_entry(wc, f); +- wc->uncommitted_blocks++; ++ if (!search_used) { ++ struct wc_entry *f = writecache_pop_from_freelist(wc, current_cache_sec); ++ if (!f) ++ break; ++ write_original_sector_seq_count(wc, f, bio->bi_iter.bi_sector + ++ (bio_size >> SECTOR_SHIFT), wc->seq_count); ++ writecache_insert_entry(wc, f); ++ wc->uncommitted_blocks++; ++ } else { ++ struct wc_entry *f; ++ struct rb_node *next = rb_next(&e->rb_node); ++ if (!next) ++ break; ++ f = container_of(next, struct wc_entry, rb_node); ++ if (f != e + 1) ++ break; ++ if (read_original_sector(wc, f) != ++ read_original_sector(wc, e) + (wc->block_size >> SECTOR_SHIFT)) ++ break; ++ if (unlikely(f->write_in_progress)) ++ break; ++ if (writecache_entry_is_committed(wc, f)) ++ wc->overwrote_committed = true; ++ e = f; ++ } + bio_size += wc->block_size; + current_cache_sec += wc->block_size >> SECTOR_SHIFT; + } +-- +2.30.2 + diff --git a/queue-5.10/drm-amd-amdgpu-sriov-disable-all-ip-hw-status-by-def.patch b/queue-5.10/drm-amd-amdgpu-sriov-disable-all-ip-hw-status-by-def.patch new file mode 100644 index 00000000000..5e498e16952 --- /dev/null +++ b/queue-5.10/drm-amd-amdgpu-sriov-disable-all-ip-hw-status-by-def.patch @@ -0,0 +1,41 @@ +From c126b075b2ebf8e445715f856c7d4edb4b442f30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Apr 2021 17:08:47 +0800 +Subject: drm/amd/amdgpu/sriov disable all ip hw status by default + +From: Jack Zhang + +[ Upstream commit 95ea3dbc4e9548d35ab6fbf67675cef8c293e2f5 ] + +Disable all ip's hw status to false before any hw_init. +Only set it to true until its hw_init is executed. + +The old 5.9 branch has this change but somehow the 5.11 kernrel does +not have this fix. + +Without this change, sriov tdr have gfx IB test fail. + +Signed-off-by: Jack Zhang +Review-by: Emily Deng +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index 87c7c45f1bb7..6948ab3c0d99 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -2760,7 +2760,7 @@ static int amdgpu_device_ip_reinit_early_sriov(struct amdgpu_device *adev) + AMD_IP_BLOCK_TYPE_IH, + }; + +- for (i = 0; i < ARRAY_SIZE(ip_order); i++) { ++ for (i = 0; i < adev->num_ip_blocks; i++) { + int j; + struct amdgpu_ip_block *block; + +-- +2.30.2 + diff --git a/queue-5.10/drm-amd-display-avoid-hdcp-over-read-and-corruption.patch b/queue-5.10/drm-amd-display-avoid-hdcp-over-read-and-corruption.patch new file mode 100644 index 00000000000..c9ce4331183 --- /dev/null +++ b/queue-5.10/drm-amd-display-avoid-hdcp-over-read-and-corruption.patch @@ -0,0 +1,41 @@ +From 81d68f86bdad2dcbcb4908bad5f1b03657e02505 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 May 2021 10:53:54 -0700 +Subject: drm/amd/display: Avoid HDCP over-read and corruption + +From: Kees Cook + +[ Upstream commit 06888d571b513cbfc0b41949948def6cb81021b2 ] + +Instead of reading the desired 5 bytes of the actual target field, +the code was reading 8. This could result in a corrupted value if the +trailing 3 bytes were non-zero, so instead use an appropriately sized +and zero-initialized bounce buffer, and read only 5 bytes before casting +to u64. + +Signed-off-by: Kees Cook +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c +index f244b72e74e0..53eab2b8e2c8 100644 +--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c ++++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c +@@ -29,8 +29,10 @@ static inline enum mod_hdcp_status validate_bksv(struct mod_hdcp *hdcp) + { + uint64_t n = 0; + uint8_t count = 0; ++ u8 bksv[sizeof(n)] = { }; + +- memcpy(&n, hdcp->auth.msg.hdcp1.bksv, sizeof(uint64_t)); ++ memcpy(bksv, hdcp->auth.msg.hdcp1.bksv, sizeof(hdcp->auth.msg.hdcp1.bksv)); ++ n = *(uint64_t *)bksv; + + while (n) { + count++; +-- +2.30.2 + diff --git a/queue-5.10/drm-amd-display-fix-dcn-3.01-dscclk-validation.patch b/queue-5.10/drm-amd-display-fix-dcn-3.01-dscclk-validation.patch new file mode 100644 index 00000000000..0f3cea0f688 --- /dev/null +++ b/queue-5.10/drm-amd-display-fix-dcn-3.01-dscclk-validation.patch @@ -0,0 +1,134 @@ +From 0b02e5eaa9c1da86d1480ead3dccc7bedebded86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 May 2021 12:33:12 -0400 +Subject: drm/amd/display: Fix DCN 3.01 DSCCLK validation + +From: Nikola Cornij + +[ Upstream commit 346cf627fb27c0fea63a041cedbaa4f31784e504 ] + +[why] +DSCCLK validation is not necessary because DSCCLK is derrived from +DISPCLK, therefore if DISPCLK validation passes, DSCCLK is valid, too. +Doing DSCLK validation in addition to DISPCLK leads to modes being +wrongly rejected when DSCCLK was incorrectly set outside of DML. + +[how] +Remove DSCCLK validation because it's implicitly validated under DISPCLK + +Signed-off-by: Nikola Cornij +Reviewed-by: Dmytro Laktyushkin +Acked-by: Stylon Wang +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../dc/dml/dcn30/display_mode_vba_30.c | 64 ++++++------------- + 1 file changed, 21 insertions(+), 43 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c +index 9e0ae18e71fa..d66e89283c48 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c +@@ -64,6 +64,7 @@ typedef struct { + #define BPP_INVALID 0 + #define BPP_BLENDED_PIPE 0xffffffff + #define DCN30_MAX_DSC_IMAGE_WIDTH 5184 ++#define DCN30_MAX_FMT_420_BUFFER_WIDTH 4096 + + static void DisplayPipeConfiguration(struct display_mode_lib *mode_lib); + static void DISPCLKDPPCLKDCFCLKDeepSleepPrefetchParametersWatermarksAndPerformanceCalculation( +@@ -3987,19 +3988,30 @@ void dml30_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l + } else if (v->PlaneRequiredDISPCLKWithoutODMCombine > v->MaxDispclkRoundedDownToDFSGranularity) { + v->ODMCombineEnablePerState[i][k] = dm_odm_combine_mode_2to1; + v->PlaneRequiredDISPCLK = v->PlaneRequiredDISPCLKWithODMCombine2To1; +- } else if (v->DSCEnabled[k] && (v->HActive[k] > DCN30_MAX_DSC_IMAGE_WIDTH)) { +- v->ODMCombineEnablePerState[i][k] = dm_odm_combine_mode_2to1; +- v->PlaneRequiredDISPCLK = v->PlaneRequiredDISPCLKWithODMCombine2To1; + } else { + v->ODMCombineEnablePerState[i][k] = dm_odm_combine_mode_disabled; + v->PlaneRequiredDISPCLK = v->PlaneRequiredDISPCLKWithoutODMCombine; +- /*420 format workaround*/ +- if (v->HActive[k] > 4096 && v->OutputFormat[k] == dm_420) { ++ } ++ if (v->DSCEnabled[k] && v->HActive[k] > DCN30_MAX_DSC_IMAGE_WIDTH ++ && v->ODMCombineEnablePerState[i][k] != dm_odm_combine_mode_4to1) { ++ if (v->HActive[k] / 2 > DCN30_MAX_DSC_IMAGE_WIDTH) { ++ v->ODMCombineEnablePerState[i][k] = dm_odm_combine_mode_4to1; ++ v->PlaneRequiredDISPCLK = v->PlaneRequiredDISPCLKWithODMCombine4To1; ++ } else { ++ v->ODMCombineEnablePerState[i][k] = dm_odm_combine_mode_2to1; ++ v->PlaneRequiredDISPCLK = v->PlaneRequiredDISPCLKWithODMCombine2To1; ++ } ++ } ++ if (v->OutputFormat[k] == dm_420 && v->HActive[k] > DCN30_MAX_FMT_420_BUFFER_WIDTH ++ && v->ODMCombineEnablePerState[i][k] != dm_odm_combine_mode_4to1) { ++ if (v->HActive[k] / 2 > DCN30_MAX_FMT_420_BUFFER_WIDTH) { ++ v->ODMCombineEnablePerState[i][k] = dm_odm_combine_mode_4to1; ++ v->PlaneRequiredDISPCLK = v->PlaneRequiredDISPCLKWithODMCombine4To1; ++ } else { + v->ODMCombineEnablePerState[i][k] = dm_odm_combine_mode_2to1; + v->PlaneRequiredDISPCLK = v->PlaneRequiredDISPCLKWithODMCombine2To1; + } + } +- + if (v->ODMCombineEnablePerState[i][k] == dm_odm_combine_mode_4to1) { + v->MPCCombine[i][j][k] = false; + v->NoOfDPP[i][j][k] = 4; +@@ -4281,42 +4293,8 @@ void dml30_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l + } + } + +- for (i = 0; i < v->soc.num_states; i++) { +- v->DSCCLKRequiredMoreThanSupported[i] = false; +- for (k = 0; k <= v->NumberOfActivePlanes - 1; k++) { +- if (v->BlendingAndTiming[k] == k) { +- if (v->Output[k] == dm_dp || v->Output[k] == dm_edp) { +- if (v->OutputFormat[k] == dm_420) { +- v->DSCFormatFactor = 2; +- } else if (v->OutputFormat[k] == dm_444) { +- v->DSCFormatFactor = 1; +- } else if (v->OutputFormat[k] == dm_n422) { +- v->DSCFormatFactor = 2; +- } else { +- v->DSCFormatFactor = 1; +- } +- if (v->RequiresDSC[i][k] == true) { +- if (v->ODMCombineEnablePerState[i][k] == dm_odm_combine_mode_4to1) { +- if (v->PixelClockBackEnd[k] / 12.0 / v->DSCFormatFactor +- > (1.0 - v->DISPCLKDPPCLKDSCCLKDownSpreading / 100.0) * v->MaxDSCCLK[i]) { +- v->DSCCLKRequiredMoreThanSupported[i] = true; +- } +- } else if (v->ODMCombineEnablePerState[i][k] == dm_odm_combine_mode_2to1) { +- if (v->PixelClockBackEnd[k] / 6.0 / v->DSCFormatFactor +- > (1.0 - v->DISPCLKDPPCLKDSCCLKDownSpreading / 100.0) * v->MaxDSCCLK[i]) { +- v->DSCCLKRequiredMoreThanSupported[i] = true; +- } +- } else { +- if (v->PixelClockBackEnd[k] / 3.0 / v->DSCFormatFactor +- > (1.0 - v->DISPCLKDPPCLKDSCCLKDownSpreading / 100.0) * v->MaxDSCCLK[i]) { +- v->DSCCLKRequiredMoreThanSupported[i] = true; +- } +- } +- } +- } +- } +- } +- } ++ /* Skip dscclk validation: as long as dispclk is supported, dscclk is also implicitly supported */ ++ + for (i = 0; i < v->soc.num_states; i++) { + v->NotEnoughDSCUnits[i] = false; + v->TotalDSCUnitsRequired = 0.0; +@@ -5319,7 +5297,7 @@ void dml30_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l + for (j = 0; j < 2; j++) { + if (v->ScaleRatioAndTapsSupport == 1 && v->SourceFormatPixelAndScanSupport == 1 && v->ViewportSizeSupport[i][j] == 1 + && v->DIOSupport[i] == 1 && v->ODMCombine4To1SupportCheckOK[i] == 1 +- && v->NotEnoughDSCUnits[i] == 0 && v->DSCCLKRequiredMoreThanSupported[i] == 0 ++ && v->NotEnoughDSCUnits[i] == 0 + && v->DTBCLKRequiredMoreThanSupported[i] == 0 + && v->ROBSupport[i][j] == 1 && v->DISPCLK_DPPCLK_Support[i][j] == 1 && v->TotalAvailablePipesSupport[i][j] == 1 + && EnoughWritebackUnits == 1 && WritebackModeSupport == 1 +-- +2.30.2 + diff --git a/queue-5.10/drm-amd-display-fix-hdcp-reset-sequence-on-reinitial.patch b/queue-5.10/drm-amd-display-fix-hdcp-reset-sequence-on-reinitial.patch new file mode 100644 index 00000000000..0706444788b --- /dev/null +++ b/queue-5.10/drm-amd-display-fix-hdcp-reset-sequence-on-reinitial.patch @@ -0,0 +1,44 @@ +From fe892d924270394295db0c327fe1e686ae71a420 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Apr 2021 14:47:46 +0800 +Subject: drm/amd/display: fix HDCP reset sequence on reinitialize +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Brandon Syu + +[ Upstream commit 99c248c41c2199bd34232ce8e729d18c4b343b64 ] + +[why] +When setup is called after hdcp has already setup, +it would cause to disable HDCP flow won’t execute. + +[how] +Don't clean up hdcp content to be 0. + +Signed-off-by: Brandon Syu +Reviewed-by: Wenjing Liu +Acked-by: Wayne Lin +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c +index 20e554e771d1..fa8aeec304ef 100644 +--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c ++++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c +@@ -260,7 +260,6 @@ enum mod_hdcp_status mod_hdcp_setup(struct mod_hdcp *hdcp, + struct mod_hdcp_output output; + enum mod_hdcp_status status = MOD_HDCP_STATUS_SUCCESS; + +- memset(hdcp, 0, sizeof(struct mod_hdcp)); + memset(&output, 0, sizeof(output)); + hdcp->config = *config; + HDCP_TOP_INTERFACE_TRACE(hdcp); +-- +2.30.2 + diff --git a/queue-5.10/drm-amd-display-fix-off-by-one-error-in-dml.patch b/queue-5.10/drm-amd-display-fix-off-by-one-error-in-dml.patch new file mode 100644 index 00000000000..e8c37183be7 --- /dev/null +++ b/queue-5.10/drm-amd-display-fix-off-by-one-error-in-dml.patch @@ -0,0 +1,66 @@ +From 7a72a8ad13ace7ce35506b2a21adcdf6afa9fe7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Apr 2021 18:38:54 -0400 +Subject: drm/amd/display: Fix off-by-one error in DML + +From: Wesley Chalmers + +[ Upstream commit e4e3678260e9734f6f41b4325aac0b171833a618 ] + +[WHY] +For DCN30 and later, there is no data in DML arrays indexed by state at +index num_states. + +Signed-off-by: Wesley Chalmers +Reviewed-by: Dmytro Laktyushkin +Acked-by: Stylon Wang +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../amd/display/dc/dml/dcn30/display_mode_vba_30.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c +index d66e89283c48..2663f1b31842 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c +@@ -2053,7 +2053,7 @@ static void DISPCLKDPPCLKDCFCLKDeepSleepPrefetchParametersWatermarksAndPerforman + v->DISPCLKWithoutRamping, + v->DISPCLKDPPCLKVCOSpeed); + v->MaxDispclkRoundedToDFSGranularity = RoundToDFSGranularityDown( +- v->soc.clock_limits[mode_lib->soc.num_states].dispclk_mhz, ++ v->soc.clock_limits[mode_lib->soc.num_states - 1].dispclk_mhz, + v->DISPCLKDPPCLKVCOSpeed); + if (v->DISPCLKWithoutRampingRoundedToDFSGranularity + > v->MaxDispclkRoundedToDFSGranularity) { +@@ -3958,20 +3958,20 @@ void dml30_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l + for (k = 0; k <= v->NumberOfActivePlanes - 1; k++) { + v->PlaneRequiredDISPCLKWithoutODMCombine = v->PixelClock[k] * (1.0 + v->DISPCLKDPPCLKDSCCLKDownSpreading / 100.0) + * (1.0 + v->DISPCLKRampingMargin / 100.0); +- if ((v->PlaneRequiredDISPCLKWithoutODMCombine >= v->MaxDispclk[i] && v->MaxDispclk[i] == v->MaxDispclk[mode_lib->soc.num_states] +- && v->MaxDppclk[i] == v->MaxDppclk[mode_lib->soc.num_states])) { ++ if ((v->PlaneRequiredDISPCLKWithoutODMCombine >= v->MaxDispclk[i] && v->MaxDispclk[i] == v->MaxDispclk[mode_lib->soc.num_states - 1] ++ && v->MaxDppclk[i] == v->MaxDppclk[mode_lib->soc.num_states - 1])) { + v->PlaneRequiredDISPCLKWithoutODMCombine = v->PixelClock[k] * (1 + v->DISPCLKDPPCLKDSCCLKDownSpreading / 100.0); + } + v->PlaneRequiredDISPCLKWithODMCombine2To1 = v->PixelClock[k] / 2 * (1 + v->DISPCLKDPPCLKDSCCLKDownSpreading / 100.0) + * (1 + v->DISPCLKRampingMargin / 100.0); +- if ((v->PlaneRequiredDISPCLKWithODMCombine2To1 >= v->MaxDispclk[i] && v->MaxDispclk[i] == v->MaxDispclk[mode_lib->soc.num_states] +- && v->MaxDppclk[i] == v->MaxDppclk[mode_lib->soc.num_states])) { ++ if ((v->PlaneRequiredDISPCLKWithODMCombine2To1 >= v->MaxDispclk[i] && v->MaxDispclk[i] == v->MaxDispclk[mode_lib->soc.num_states - 1] ++ && v->MaxDppclk[i] == v->MaxDppclk[mode_lib->soc.num_states - 1])) { + v->PlaneRequiredDISPCLKWithODMCombine2To1 = v->PixelClock[k] / 2 * (1 + v->DISPCLKDPPCLKDSCCLKDownSpreading / 100.0); + } + v->PlaneRequiredDISPCLKWithODMCombine4To1 = v->PixelClock[k] / 4 * (1 + v->DISPCLKDPPCLKDSCCLKDownSpreading / 100.0) + * (1 + v->DISPCLKRampingMargin / 100.0); +- if ((v->PlaneRequiredDISPCLKWithODMCombine4To1 >= v->MaxDispclk[i] && v->MaxDispclk[i] == v->MaxDispclk[mode_lib->soc.num_states] +- && v->MaxDppclk[i] == v->MaxDppclk[mode_lib->soc.num_states])) { ++ if ((v->PlaneRequiredDISPCLKWithODMCombine4To1 >= v->MaxDispclk[i] && v->MaxDispclk[i] == v->MaxDispclk[mode_lib->soc.num_states - 1] ++ && v->MaxDppclk[i] == v->MaxDppclk[mode_lib->soc.num_states - 1])) { + v->PlaneRequiredDISPCLKWithODMCombine4To1 = v->PixelClock[k] / 4 * (1 + v->DISPCLKDPPCLKDSCCLKDownSpreading / 100.0); + } + +-- +2.30.2 + diff --git a/queue-5.10/drm-amd-display-fix-use_max_lb-flag-for-420-pixel-fo.patch b/queue-5.10/drm-amd-display-fix-use_max_lb-flag-for-420-pixel-fo.patch new file mode 100644 index 00000000000..560f443c89b --- /dev/null +++ b/queue-5.10/drm-amd-display-fix-use_max_lb-flag-for-420-pixel-fo.patch @@ -0,0 +1,46 @@ +From 69d8c9e627e61672bb03b23140b0c79b8e2cbc6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Apr 2021 17:50:53 -0400 +Subject: drm/amd/display: fix use_max_lb flag for 420 pixel formats + +From: Dmytro Laktyushkin + +[ Upstream commit 8809a7a4afe90ad9ffb42f72154d27e7c47551ae ] + +Right now the flag simply selects memory config 0 when flag is true +however 420 modes benefit more from memory config 3. + +Signed-off-by: Dmytro Laktyushkin +Reviewed-by: Aric Cyr +Acked-by: Stylon Wang +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c +index fce37c527a0b..8bb5912d837d 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c +@@ -482,10 +482,13 @@ static enum lb_memory_config dpp1_dscl_find_lb_memory_config(struct dcn10_dpp *d + int vtaps_c = scl_data->taps.v_taps_c; + int ceil_vratio = dc_fixpt_ceil(scl_data->ratios.vert); + int ceil_vratio_c = dc_fixpt_ceil(scl_data->ratios.vert_c); +- enum lb_memory_config mem_cfg = LB_MEMORY_CONFIG_0; + +- if (dpp->base.ctx->dc->debug.use_max_lb) +- return mem_cfg; ++ if (dpp->base.ctx->dc->debug.use_max_lb) { ++ if (scl_data->format == PIXEL_FORMAT_420BPP8 ++ || scl_data->format == PIXEL_FORMAT_420BPP10) ++ return LB_MEMORY_CONFIG_3; ++ return LB_MEMORY_CONFIG_0; ++ } + + dpp->base.caps->dscl_calc_lb_num_partitions( + scl_data, LB_MEMORY_CONFIG_1, &num_part_y, &num_part_c); +-- +2.30.2 + diff --git a/queue-5.10/drm-amd-display-release-mst-resources-on-switch-from.patch b/queue-5.10/drm-amd-display-release-mst-resources-on-switch-from.patch new file mode 100644 index 00000000000..5ff5f6a4770 --- /dev/null +++ b/queue-5.10/drm-amd-display-release-mst-resources-on-switch-from.patch @@ -0,0 +1,45 @@ +From afe4ad2b0faa39fee595764f273575eb20be7cef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 May 2021 13:55:46 -0400 +Subject: drm/amd/display: Release MST resources on switch from MST to SST + +From: Vladimir Stempen + +[ Upstream commit 3f8518b60c10aa96f3efa38a967a0b4eb9211ac0 ] + +[why] +When OS overrides training link training parameters +for MST device to SST mode, MST resources are not +released and leak of the resource may result crash and +incorrect MST discovery during following hot plugs. + +[how] +Retaining sink object to be reused by SST link and +releasing MST resources. + +Signed-off-by: Vladimir Stempen +Reviewed-by: Wenjing Liu +Acked-by: Stylon Wang +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c +index 32b73ea86673..a7f8caf1086b 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c +@@ -1704,6 +1704,8 @@ static void set_dp_mst_mode(struct dc_link *link, bool mst_enable) + link->type = dc_connection_single; + link->local_sink = link->remote_sinks[0]; + link->local_sink->sink_signal = SIGNAL_TYPE_DISPLAY_PORT; ++ dc_sink_retain(link->local_sink); ++ dm_helpers_dp_mst_stop_top_mgr(link->ctx, link); + } else if (mst_enable == true && + link->type == dc_connection_single && + link->remote_sinks[0] != NULL) { +-- +2.30.2 + diff --git a/queue-5.10/drm-amd-display-set-dispclk_max_errdet_cycles-to-7.patch b/queue-5.10/drm-amd-display-set-dispclk_max_errdet_cycles-to-7.patch new file mode 100644 index 00000000000..b6833717b19 --- /dev/null +++ b/queue-5.10/drm-amd-display-set-dispclk_max_errdet_cycles-to-7.patch @@ -0,0 +1,39 @@ +From fd532739924dc62129d702412b3886bc4ac97110 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 May 2021 12:12:48 -0400 +Subject: drm/amd/display: Set DISPCLK_MAX_ERRDET_CYCLES to 7 + +From: Wesley Chalmers + +[ Upstream commit 3577e1678772ce3ede92af3a75b44a4b76f9b4ad ] + +[WHY] +DISPCLK_MAX_ERRDET_CYCLES must be 7 to prevent connection loss when +changing DENTIST_DISPCLK_WDIVIDER from 126 to 127 and back. + +Signed-off-by: Wesley Chalmers +Reviewed-by: Dmytro Laktyushkin +Acked-by: Stylon Wang +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c +index f1e9b3b06b92..9d3ccdd35582 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c +@@ -243,7 +243,7 @@ void dcn20_dccg_init(struct dce_hwseq *hws) + REG_WRITE(MILLISECOND_TIME_BASE_DIV, 0x1186a0); + + /* This value is dependent on the hardware pipeline delay so set once per SOC */ +- REG_WRITE(DISPCLK_FREQ_CHANGE_CNTL, 0x801003c); ++ REG_WRITE(DISPCLK_FREQ_CHANGE_CNTL, 0xe01003c); + } + + void dcn20_disable_vga( +-- +2.30.2 + diff --git a/queue-5.10/drm-amd-display-update-scaling-settings-on-modeset.patch b/queue-5.10/drm-amd-display-update-scaling-settings-on-modeset.patch new file mode 100644 index 00000000000..bf15e940fb9 --- /dev/null +++ b/queue-5.10/drm-amd-display-update-scaling-settings-on-modeset.patch @@ -0,0 +1,44 @@ +From 3fecd5bd6d84dae5baa5787a5abfa1d9b56e4633 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 May 2021 10:20:25 -0400 +Subject: drm/amd/display: Update scaling settings on modeset + +From: Roman Li + +[ Upstream commit c521fc316d12fb9ea7b7680e301d673bceda922e ] + +[Why] +We update scaling settings when scaling mode has been changed. +However when changing mode from native resolution the scaling mode previously +set gets ignored. + +[How] +Perform scaling settings update on modeset. + +Signed-off-by: Roman Li +Reviewed-by: Nicholas Kazlauskas +Acked-by: Stylon Wang +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index df26c07cb912..b413a7a2e92f 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -8291,7 +8291,8 @@ skip_modeset: + BUG_ON(dm_new_crtc_state->stream == NULL); + + /* Scaling or underscan settings */ +- if (is_scaling_state_different(dm_old_conn_state, dm_new_conn_state)) ++ if (is_scaling_state_different(dm_old_conn_state, dm_new_conn_state) || ++ drm_atomic_crtc_needs_modeset(new_crtc_state)) + update_stream_scaling_settings( + &new_crtc_state->mode, dm_new_conn_state, dm_new_crtc_state->stream); + +-- +2.30.2 + diff --git a/queue-5.10/drm-amd-display-verify-gamma-degamma-lut-sizes-in-am.patch b/queue-5.10/drm-amd-display-verify-gamma-degamma-lut-sizes-in-am.patch new file mode 100644 index 00000000000..f5e89751f65 --- /dev/null +++ b/queue-5.10/drm-amd-display-verify-gamma-degamma-lut-sizes-in-am.patch @@ -0,0 +1,118 @@ +From 9941778e6338be0a50632a598dba9afa4e82c26e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jun 2021 13:01:07 -0400 +Subject: drm/amd/display: Verify Gamma & Degamma LUT sizes in + amdgpu_dm_atomic_check + +From: Mark Yacoub + +[ Upstream commit 03fc4cf45d30533d54f0f4ebc02aacfa12f52ce2 ] + +For each CRTC state, check the size of Gamma and Degamma LUTs so +unexpected and larger sizes wouldn't slip through. + +TEST: IGT:kms_color::pipe-invalid-gamma-lut-sizes + +v2: fix assignments in if clauses, Mark's email. + +Reviewed-by: Harry Wentland +Signed-off-by: Mark Yacoub +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++ + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 1 + + .../amd/display/amdgpu_dm/amdgpu_dm_color.c | 41 ++++++++++++++++--- + 3 files changed, 40 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index b413a7a2e92f..bdcec5b3f5e5 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -8745,6 +8745,10 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev, + old_crtc_state->vrr_enabled == new_crtc_state->vrr_enabled) + continue; + ++ ret = amdgpu_dm_verify_lut_sizes(new_crtc_state); ++ if (ret) ++ goto fail; ++ + if (!new_crtc_state->enable) + continue; + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h +index 1df7f1b18049..6c7235bb2f41 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h +@@ -498,6 +498,7 @@ void amdgpu_dm_trigger_timing_sync(struct drm_device *dev); + #define MAX_COLOR_LEGACY_LUT_ENTRIES 256 + + void amdgpu_dm_init_color_mod(void); ++int amdgpu_dm_verify_lut_sizes(const struct drm_crtc_state *crtc_state); + int amdgpu_dm_update_crtc_color_mgmt(struct dm_crtc_state *crtc); + int amdgpu_dm_update_plane_color_mgmt(struct dm_crtc_state *crtc, + struct dc_plane_state *dc_plane_state); +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c +index 5df05f0d18bc..179ff4b42f20 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c +@@ -284,6 +284,37 @@ static int __set_input_tf(struct dc_transfer_func *func, + return res ? 0 : -ENOMEM; + } + ++/** ++ * Verifies that the Degamma and Gamma LUTs attached to the |crtc_state| are of ++ * the expected size. ++ * Returns 0 on success. ++ */ ++int amdgpu_dm_verify_lut_sizes(const struct drm_crtc_state *crtc_state) ++{ ++ const struct drm_color_lut *lut = NULL; ++ uint32_t size = 0; ++ ++ lut = __extract_blob_lut(crtc_state->degamma_lut, &size); ++ if (lut && size != MAX_COLOR_LUT_ENTRIES) { ++ DRM_DEBUG_DRIVER( ++ "Invalid Degamma LUT size. Should be %u but got %u.\n", ++ MAX_COLOR_LUT_ENTRIES, size); ++ return -EINVAL; ++ } ++ ++ lut = __extract_blob_lut(crtc_state->gamma_lut, &size); ++ if (lut && size != MAX_COLOR_LUT_ENTRIES && ++ size != MAX_COLOR_LEGACY_LUT_ENTRIES) { ++ DRM_DEBUG_DRIVER( ++ "Invalid Gamma LUT size. Should be %u (or %u for legacy) but got %u.\n", ++ MAX_COLOR_LUT_ENTRIES, MAX_COLOR_LEGACY_LUT_ENTRIES, ++ size); ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + /** + * amdgpu_dm_update_crtc_color_mgmt: Maps DRM color management to DC stream. + * @crtc: amdgpu_dm crtc state +@@ -317,14 +348,12 @@ int amdgpu_dm_update_crtc_color_mgmt(struct dm_crtc_state *crtc) + bool is_legacy; + int r; + +- degamma_lut = __extract_blob_lut(crtc->base.degamma_lut, °amma_size); +- if (degamma_lut && degamma_size != MAX_COLOR_LUT_ENTRIES) +- return -EINVAL; ++ r = amdgpu_dm_verify_lut_sizes(&crtc->base); ++ if (r) ++ return r; + ++ degamma_lut = __extract_blob_lut(crtc->base.degamma_lut, °amma_size); + regamma_lut = __extract_blob_lut(crtc->base.gamma_lut, ®amma_size); +- if (regamma_lut && regamma_size != MAX_COLOR_LUT_ENTRIES && +- regamma_size != MAX_COLOR_LEGACY_LUT_ENTRIES) +- return -EINVAL; + + has_degamma = + degamma_lut && !__is_lut_linear(degamma_lut, degamma_size); +-- +2.30.2 + diff --git a/queue-5.10/drm-amdgpu-fix-bad-address-translation-for-sienna_ci.patch b/queue-5.10/drm-amdgpu-fix-bad-address-translation-for-sienna_ci.patch new file mode 100644 index 00000000000..ab017b6c557 --- /dev/null +++ b/queue-5.10/drm-amdgpu-fix-bad-address-translation-for-sienna_ci.patch @@ -0,0 +1,50 @@ +From e6e9df5dbd808e64b428a8eecacbbed3f0b52bc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 21:14:01 +0800 +Subject: drm/amdgpu: fix bad address translation for sienna_cichlid + +From: Stanley.Yang + +[ Upstream commit 6ec598cc9dfbf40433e94a2ed1a622e3ef80268b ] + +Signed-off-by: Stanley.Yang +Reviewed-by: Hawking Zhang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_umc.h | 5 +++++ + drivers/gpu/drm/amd/amdgpu/umc_v8_7.c | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.h +index 183814493658..bda4438c3925 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.h +@@ -21,6 +21,11 @@ + #ifndef __AMDGPU_UMC_H__ + #define __AMDGPU_UMC_H__ + ++/* ++ * (addr / 256) * 4096, the higher 26 bits in ErrorAddr ++ * is the index of 4KB block ++ */ ++#define ADDR_OF_4KB_BLOCK(addr) (((addr) & ~0xffULL) << 4) + /* + * (addr / 256) * 8192, the higher 26 bits in ErrorAddr + * is the index of 8KB block +diff --git a/drivers/gpu/drm/amd/amdgpu/umc_v8_7.c b/drivers/gpu/drm/amd/amdgpu/umc_v8_7.c +index 5665c77a9d58..afbbe9f05d5e 100644 +--- a/drivers/gpu/drm/amd/amdgpu/umc_v8_7.c ++++ b/drivers/gpu/drm/amd/amdgpu/umc_v8_7.c +@@ -233,7 +233,7 @@ static void umc_v8_7_query_error_address(struct amdgpu_device *adev, + err_addr &= ~((0x1ULL << lsb) - 1); + + /* translate umc channel address to soc pa, 3 parts are included */ +- retired_page = ADDR_OF_8KB_BLOCK(err_addr) | ++ retired_page = ADDR_OF_4KB_BLOCK(err_addr) | + ADDR_OF_256B_BLOCK(channel_index) | + OFFSET_IN_256B_BLOCK(err_addr); + +-- +2.30.2 + diff --git a/queue-5.10/drm-amdgpu-remove-unsafe-optimization-to-drop-preamb.patch b/queue-5.10/drm-amdgpu-remove-unsafe-optimization-to-drop-preamb.patch new file mode 100644 index 00000000000..5de757a7dbe --- /dev/null +++ b/queue-5.10/drm-amdgpu-remove-unsafe-optimization-to-drop-preamb.patch @@ -0,0 +1,61 @@ +From 8d5c4118bf552a0ef2dd3bd6f8b57cc57cf6bf98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 May 2021 10:56:50 +0800 +Subject: drm/amdgpu: remove unsafe optimization to drop preamble ib + +From: Jiansong Chen + +[ Upstream commit 7d9c70d23550eb86a1bec1954ccaa8d6ec3a3328 ] + +Take the situation with gfxoff, the optimization may cause +corrupt CE ram contents. In addition emit_cntxcntl callback +has similar optimization which firmware can handle properly +even for power feature. + +Signed-off-by: Jiansong Chen +Reviewed-by: Hawking Zhang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c +index 28f20f0b722f..163188ce02bd 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c +@@ -128,7 +128,7 @@ int amdgpu_ib_schedule(struct amdgpu_ring *ring, unsigned num_ibs, + struct amdgpu_device *adev = ring->adev; + struct amdgpu_ib *ib = &ibs[0]; + struct dma_fence *tmp = NULL; +- bool skip_preamble, need_ctx_switch; ++ bool need_ctx_switch; + unsigned patch_offset = ~0; + struct amdgpu_vm *vm; + uint64_t fence_ctx; +@@ -221,7 +221,6 @@ int amdgpu_ib_schedule(struct amdgpu_ring *ring, unsigned num_ibs, + if (need_ctx_switch) + status |= AMDGPU_HAVE_CTX_SWITCH; + +- skip_preamble = ring->current_ctx == fence_ctx; + if (job && ring->funcs->emit_cntxcntl) { + status |= job->preamble_status; + status |= job->preemption_status; +@@ -239,14 +238,6 @@ int amdgpu_ib_schedule(struct amdgpu_ring *ring, unsigned num_ibs, + for (i = 0; i < num_ibs; ++i) { + ib = &ibs[i]; + +- /* drop preamble IBs if we don't have a context switch */ +- if ((ib->flags & AMDGPU_IB_FLAG_PREAMBLE) && +- skip_preamble && +- !(status & AMDGPU_PREAMBLE_IB_PRESENT_FIRST) && +- !amdgpu_mcbp && +- !amdgpu_sriov_vf(adev)) /* for SRIOV preemption, Preamble CE ib must be inserted anyway */ +- continue; +- + if (job && ring->funcs->emit_frame_cntl) { + if (secure != !!(ib->flags & AMDGPU_IB_FLAGS_SECURE)) { + amdgpu_ring_emit_frame_cntl(ring, false, secure); +-- +2.30.2 + diff --git a/queue-5.10/drm-amdkfd-fix-circular-lock-in-nocpsch-path.patch b/queue-5.10/drm-amdkfd-fix-circular-lock-in-nocpsch-path.patch new file mode 100644 index 00000000000..47921c09e47 --- /dev/null +++ b/queue-5.10/drm-amdkfd-fix-circular-lock-in-nocpsch-path.patch @@ -0,0 +1,90 @@ +From 3b940334926372725290622de9082d137fdc6916 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jun 2021 14:46:21 -0400 +Subject: drm/amdkfd: Fix circular lock in nocpsch path + +From: Amber Lin + +[ Upstream commit a7b2451d31cfa2e8aeccf3b35612ce33f02371fc ] + +Calling free_mqd inside of destroy_queue_nocpsch_locked can cause a +circular lock. destroy_queue_nocpsch_locked is called under a DQM lock, +which is taken in MMU notifiers, potentially in FS reclaim context. +Taking another lock, which is BO reservation lock from free_mqd, while +causing an FS reclaim inside the DQM lock creates a problematic circular +lock dependency. Therefore move free_mqd out of +destroy_queue_nocpsch_locked and call it after unlocking DQM. + +Signed-off-by: Amber Lin +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/amdkfd/kfd_device_queue_manager.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +index b971532e69eb..ffb3d37881a8 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +@@ -486,9 +486,6 @@ static int destroy_queue_nocpsch_locked(struct device_queue_manager *dqm, + if (retval == -ETIME) + qpd->reset_wavefronts = true; + +- +- mqd_mgr->free_mqd(mqd_mgr, q->mqd, q->mqd_mem_obj); +- + list_del(&q->list); + if (list_empty(&qpd->queues_list)) { + if (qpd->reset_wavefronts) { +@@ -523,6 +520,8 @@ static int destroy_queue_nocpsch(struct device_queue_manager *dqm, + int retval; + uint64_t sdma_val = 0; + struct kfd_process_device *pdd = qpd_to_pdd(qpd); ++ struct mqd_manager *mqd_mgr = ++ dqm->mqd_mgrs[get_mqd_type_from_queue_type(q->properties.type)]; + + /* Get the SDMA queue stats */ + if ((q->properties.type == KFD_QUEUE_TYPE_SDMA) || +@@ -540,6 +539,8 @@ static int destroy_queue_nocpsch(struct device_queue_manager *dqm, + pdd->sdma_past_activity_counter += sdma_val; + dqm_unlock(dqm); + ++ mqd_mgr->free_mqd(mqd_mgr, q->mqd, q->mqd_mem_obj); ++ + return retval; + } + +@@ -1632,7 +1633,7 @@ static int set_trap_handler(struct device_queue_manager *dqm, + static int process_termination_nocpsch(struct device_queue_manager *dqm, + struct qcm_process_device *qpd) + { +- struct queue *q, *next; ++ struct queue *q; + struct device_process_node *cur, *next_dpn; + int retval = 0; + bool found = false; +@@ -1640,12 +1641,19 @@ static int process_termination_nocpsch(struct device_queue_manager *dqm, + dqm_lock(dqm); + + /* Clear all user mode queues */ +- list_for_each_entry_safe(q, next, &qpd->queues_list, list) { ++ while (!list_empty(&qpd->queues_list)) { ++ struct mqd_manager *mqd_mgr; + int ret; + ++ q = list_first_entry(&qpd->queues_list, struct queue, list); ++ mqd_mgr = dqm->mqd_mgrs[get_mqd_type_from_queue_type( ++ q->properties.type)]; + ret = destroy_queue_nocpsch_locked(dqm, qpd, q); + if (ret) + retval = ret; ++ dqm_unlock(dqm); ++ mqd_mgr->free_mqd(mqd_mgr, q->mqd, q->mqd_mem_obj); ++ dqm_lock(dqm); + } + + /* Unregister process */ +-- +2.30.2 + diff --git a/queue-5.10/drm-amdkfd-fix-circular-locking-on-get_wave_state.patch b/queue-5.10/drm-amdkfd-fix-circular-locking-on-get_wave_state.patch new file mode 100644 index 00000000000..4fdc219f0b4 --- /dev/null +++ b/queue-5.10/drm-amdkfd-fix-circular-locking-on-get_wave_state.patch @@ -0,0 +1,73 @@ +From 90ee2a335ad6eadfd6d00f1e4551fd7a9f937f24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 13:36:34 -0400 +Subject: drm/amdkfd: fix circular locking on get_wave_state + +From: Jonathan Kim + +[ Upstream commit 63f6e01237257e7226efc5087f3f0b525d320f54 ] + +get_wave_state acquires the mmap_lock on copy_to_user but so do +mmu_notifiers. mmu_notifiers allows dqm locking so do get_wave_state +outside the dqm_lock to prevent circular locking. + +v2: squash in unused variable removal. + +Signed-off-by: Jonathan Kim +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/amdkfd/kfd_device_queue_manager.c | 28 +++++++++---------- + 1 file changed, 13 insertions(+), 15 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +index 6ea8a4b6efde..b971532e69eb 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +@@ -1677,29 +1677,27 @@ static int get_wave_state(struct device_queue_manager *dqm, + u32 *save_area_used_size) + { + struct mqd_manager *mqd_mgr; +- int r; + + dqm_lock(dqm); + +- if (q->properties.type != KFD_QUEUE_TYPE_COMPUTE || +- q->properties.is_active || !q->device->cwsr_enabled) { +- r = -EINVAL; +- goto dqm_unlock; +- } +- + mqd_mgr = dqm->mqd_mgrs[KFD_MQD_TYPE_CP]; + +- if (!mqd_mgr->get_wave_state) { +- r = -EINVAL; +- goto dqm_unlock; ++ if (q->properties.type != KFD_QUEUE_TYPE_COMPUTE || ++ q->properties.is_active || !q->device->cwsr_enabled || ++ !mqd_mgr->get_wave_state) { ++ dqm_unlock(dqm); ++ return -EINVAL; + } + +- r = mqd_mgr->get_wave_state(mqd_mgr, q->mqd, ctl_stack, +- ctl_stack_used_size, save_area_used_size); +- +-dqm_unlock: + dqm_unlock(dqm); +- return r; ++ ++ /* ++ * get_wave_state is outside the dqm lock to prevent circular locking ++ * and the queue should be protected against destruction by the process ++ * lock. ++ */ ++ return mqd_mgr->get_wave_state(mqd_mgr, q->mqd, ctl_stack, ++ ctl_stack_used_size, save_area_used_size); + } + + static int process_termination_cpsch(struct device_queue_manager *dqm, +-- +2.30.2 + diff --git a/queue-5.10/drm-amdkfd-use-allowed-domain-for-vmbo-validation.patch b/queue-5.10/drm-amdkfd-use-allowed-domain-for-vmbo-validation.patch new file mode 100644 index 00000000000..9171dea1eab --- /dev/null +++ b/queue-5.10/drm-amdkfd-use-allowed-domain-for-vmbo-validation.patch @@ -0,0 +1,84 @@ +From 9da050bfd8934aa4e1e4cc99a0fcc236d245549d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 13:23:44 +0200 +Subject: drm/amdkfd: use allowed domain for vmbo validation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nirmoy Das + +[ Upstream commit bc05716d4fdd065013633602c5960a2bf1511b9c ] + +Fixes handling when page tables are in system memory. + +v3: remove struct amdgpu_vm_parser. +v2: remove unwanted variable. + change amdgpu_amdkfd_validate instead of amdgpu_amdkfd_bo_validate. + +Signed-off-by: Nirmoy Das +Reviewed-by: Christian König +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 21 ++++--------------- + 1 file changed, 4 insertions(+), 17 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +index 5da487b64a66..26f8a2138377 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +@@ -48,12 +48,6 @@ static struct { + spinlock_t mem_limit_lock; + } kfd_mem_limit; + +-/* Struct used for amdgpu_amdkfd_bo_validate */ +-struct amdgpu_vm_parser { +- uint32_t domain; +- bool wait; +-}; +- + static const char * const domain_bit_to_string[] = { + "CPU", + "GTT", +@@ -337,11 +331,9 @@ validate_fail: + return ret; + } + +-static int amdgpu_amdkfd_validate(void *param, struct amdgpu_bo *bo) ++static int amdgpu_amdkfd_validate_vm_bo(void *_unused, struct amdgpu_bo *bo) + { +- struct amdgpu_vm_parser *p = param; +- +- return amdgpu_amdkfd_bo_validate(bo, p->domain, p->wait); ++ return amdgpu_amdkfd_bo_validate(bo, bo->allowed_domains, false); + } + + /* vm_validate_pt_pd_bos - Validate page table and directory BOs +@@ -355,20 +347,15 @@ static int vm_validate_pt_pd_bos(struct amdgpu_vm *vm) + { + struct amdgpu_bo *pd = vm->root.base.bo; + struct amdgpu_device *adev = amdgpu_ttm_adev(pd->tbo.bdev); +- struct amdgpu_vm_parser param; + int ret; + +- param.domain = AMDGPU_GEM_DOMAIN_VRAM; +- param.wait = false; +- +- ret = amdgpu_vm_validate_pt_bos(adev, vm, amdgpu_amdkfd_validate, +- ¶m); ++ ret = amdgpu_vm_validate_pt_bos(adev, vm, amdgpu_amdkfd_validate_vm_bo, NULL); + if (ret) { + pr_err("failed to validate PT BOs\n"); + return ret; + } + +- ret = amdgpu_amdkfd_validate(¶m, pd); ++ ret = amdgpu_amdkfd_validate_vm_bo(NULL, pd); + if (ret) { + pr_err("failed to validate PD\n"); + return ret; +-- +2.30.2 + diff --git a/queue-5.10/drm-amdkfd-walk-through-list-with-dqm-lock-hold.patch b/queue-5.10/drm-amdkfd-walk-through-list-with-dqm-lock-hold.patch new file mode 100644 index 00000000000..b2c61d167ff --- /dev/null +++ b/queue-5.10/drm-amdkfd-walk-through-list-with-dqm-lock-hold.patch @@ -0,0 +1,71 @@ +From d8dcc4499af4ac962ca8fab49d88e14dab7ecac0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jun 2021 15:11:07 +0800 +Subject: drm/amdkfd: Walk through list with dqm lock hold + +From: xinhui pan + +[ Upstream commit 56f221b6389e7ab99c30bbf01c71998ae92fc584 ] + +To avoid any list corruption. + +Signed-off-by: xinhui pan +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/amdkfd/kfd_device_queue_manager.c | 22 ++++++++++--------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +index ffb3d37881a8..352a32dc609b 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +@@ -1712,7 +1712,7 @@ static int process_termination_cpsch(struct device_queue_manager *dqm, + struct qcm_process_device *qpd) + { + int retval; +- struct queue *q, *next; ++ struct queue *q; + struct kernel_queue *kq, *kq_next; + struct mqd_manager *mqd_mgr; + struct device_process_node *cur, *next_dpn; +@@ -1769,24 +1769,26 @@ static int process_termination_cpsch(struct device_queue_manager *dqm, + qpd->reset_wavefronts = false; + } + +- dqm_unlock(dqm); +- +- /* Outside the DQM lock because under the DQM lock we can't do +- * reclaim or take other locks that others hold while reclaiming. +- */ +- if (found) +- kfd_dec_compute_active(dqm->dev); +- + /* Lastly, free mqd resources. + * Do free_mqd() after dqm_unlock to avoid circular locking. + */ +- list_for_each_entry_safe(q, next, &qpd->queues_list, list) { ++ while (!list_empty(&qpd->queues_list)) { ++ q = list_first_entry(&qpd->queues_list, struct queue, list); + mqd_mgr = dqm->mqd_mgrs[get_mqd_type_from_queue_type( + q->properties.type)]; + list_del(&q->list); + qpd->queue_count--; ++ dqm_unlock(dqm); + mqd_mgr->free_mqd(mqd_mgr, q->mqd, q->mqd_mem_obj); ++ dqm_lock(dqm); + } ++ dqm_unlock(dqm); ++ ++ /* Outside the DQM lock because under the DQM lock we can't do ++ * reclaim or take other locks that others hold while reclaiming. ++ */ ++ if (found) ++ kfd_dec_compute_active(dqm->dev); + + return retval; + } +-- +2.30.2 + diff --git a/queue-5.10/drm-ast-fixed-cve-for-dp501.patch b/queue-5.10/drm-ast-fixed-cve-for-dp501.patch new file mode 100644 index 00000000000..7e51fe37dc0 --- /dev/null +++ b/queue-5.10/drm-ast-fixed-cve-for-dp501.patch @@ -0,0 +1,266 @@ +From 2d950cca835f21d3f27c7ee4d024c3ce9ab7dcf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Apr 2021 16:58:59 +0800 +Subject: drm/ast: Fixed CVE for DP501 + +From: KuoHsiang Chou + +[ Upstream commit ba4e0339a6a33e2ba341703ce14ae8ca203cb2f1 ] + +[Bug][DP501] +If ASPEED P2A (PCI to AHB) bridge is disabled and disallowed for +CVE_2019_6260 item3, and then the monitor's EDID is unable read through +Parade DP501. +The reason is the DP501's FW is mapped to BMC addressing space rather +than Host addressing space. +The resolution is that using "pci_iomap_range()" maps to DP501's FW that +stored on the end of FB (Frame Buffer). +In this case, FrameBuffer reserves the last 2MB used for the image of +DP501. + +Signed-off-by: KuoHsiang Chou +Reported-by: kernel test robot +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20210421085859.17761-1-kuohsiang_chou@aspeedtech.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/ast/ast_dp501.c | 139 +++++++++++++++++++++++--------- + drivers/gpu/drm/ast/ast_drv.h | 12 +++ + drivers/gpu/drm/ast/ast_main.c | 10 ++- + 3 files changed, 124 insertions(+), 37 deletions(-) + +diff --git a/drivers/gpu/drm/ast/ast_dp501.c b/drivers/gpu/drm/ast/ast_dp501.c +index 88121c0e0d05..cd93c44f2662 100644 +--- a/drivers/gpu/drm/ast/ast_dp501.c ++++ b/drivers/gpu/drm/ast/ast_dp501.c +@@ -189,6 +189,9 @@ bool ast_backup_fw(struct drm_device *dev, u8 *addr, u32 size) + u32 i, data; + u32 boot_address; + ++ if (ast->config_mode != ast_use_p2a) ++ return false; ++ + data = ast_mindwm(ast, 0x1e6e2100) & 0x01; + if (data) { + boot_address = get_fw_base(ast); +@@ -207,6 +210,9 @@ static bool ast_launch_m68k(struct drm_device *dev) + u8 *fw_addr = NULL; + u8 jreg; + ++ if (ast->config_mode != ast_use_p2a) ++ return false; ++ + data = ast_mindwm(ast, 0x1e6e2100) & 0x01; + if (!data) { + +@@ -271,25 +277,55 @@ u8 ast_get_dp501_max_clk(struct drm_device *dev) + struct ast_private *ast = to_ast_private(dev); + u32 boot_address, offset, data; + u8 linkcap[4], linkrate, linklanes, maxclk = 0xff; ++ u32 *plinkcap; + +- boot_address = get_fw_base(ast); +- +- /* validate FW version */ +- offset = 0xf000; +- data = ast_mindwm(ast, boot_address + offset); +- if ((data & 0xf0) != 0x10) /* version: 1x */ +- return maxclk; +- +- /* Read Link Capability */ +- offset = 0xf014; +- *(u32 *)linkcap = ast_mindwm(ast, boot_address + offset); +- if (linkcap[2] == 0) { +- linkrate = linkcap[0]; +- linklanes = linkcap[1]; +- data = (linkrate == 0x0a) ? (90 * linklanes) : (54 * linklanes); +- if (data > 0xff) +- data = 0xff; +- maxclk = (u8)data; ++ if (ast->config_mode == ast_use_p2a) { ++ boot_address = get_fw_base(ast); ++ ++ /* validate FW version */ ++ offset = AST_DP501_GBL_VERSION; ++ data = ast_mindwm(ast, boot_address + offset); ++ if ((data & AST_DP501_FW_VERSION_MASK) != AST_DP501_FW_VERSION_1) /* version: 1x */ ++ return maxclk; ++ ++ /* Read Link Capability */ ++ offset = AST_DP501_LINKRATE; ++ plinkcap = (u32 *)linkcap; ++ *plinkcap = ast_mindwm(ast, boot_address + offset); ++ if (linkcap[2] == 0) { ++ linkrate = linkcap[0]; ++ linklanes = linkcap[1]; ++ data = (linkrate == 0x0a) ? (90 * linklanes) : (54 * linklanes); ++ if (data > 0xff) ++ data = 0xff; ++ maxclk = (u8)data; ++ } ++ } else { ++ if (!ast->dp501_fw_buf) ++ return AST_DP501_DEFAULT_DCLK; /* 1024x768 as default */ ++ ++ /* dummy read */ ++ offset = 0x0000; ++ data = readl(ast->dp501_fw_buf + offset); ++ ++ /* validate FW version */ ++ offset = AST_DP501_GBL_VERSION; ++ data = readl(ast->dp501_fw_buf + offset); ++ if ((data & AST_DP501_FW_VERSION_MASK) != AST_DP501_FW_VERSION_1) /* version: 1x */ ++ return maxclk; ++ ++ /* Read Link Capability */ ++ offset = AST_DP501_LINKRATE; ++ plinkcap = (u32 *)linkcap; ++ *plinkcap = readl(ast->dp501_fw_buf + offset); ++ if (linkcap[2] == 0) { ++ linkrate = linkcap[0]; ++ linklanes = linkcap[1]; ++ data = (linkrate == 0x0a) ? (90 * linklanes) : (54 * linklanes); ++ if (data > 0xff) ++ data = 0xff; ++ maxclk = (u8)data; ++ } + } + return maxclk; + } +@@ -298,26 +334,57 @@ bool ast_dp501_read_edid(struct drm_device *dev, u8 *ediddata) + { + struct ast_private *ast = to_ast_private(dev); + u32 i, boot_address, offset, data; ++ u32 *pEDIDidx; + +- boot_address = get_fw_base(ast); +- +- /* validate FW version */ +- offset = 0xf000; +- data = ast_mindwm(ast, boot_address + offset); +- if ((data & 0xf0) != 0x10) +- return false; +- +- /* validate PnP Monitor */ +- offset = 0xf010; +- data = ast_mindwm(ast, boot_address + offset); +- if (!(data & 0x01)) +- return false; ++ if (ast->config_mode == ast_use_p2a) { ++ boot_address = get_fw_base(ast); + +- /* Read EDID */ +- offset = 0xf020; +- for (i = 0; i < 128; i += 4) { +- data = ast_mindwm(ast, boot_address + offset + i); +- *(u32 *)(ediddata + i) = data; ++ /* validate FW version */ ++ offset = AST_DP501_GBL_VERSION; ++ data = ast_mindwm(ast, boot_address + offset); ++ if ((data & AST_DP501_FW_VERSION_MASK) != AST_DP501_FW_VERSION_1) ++ return false; ++ ++ /* validate PnP Monitor */ ++ offset = AST_DP501_PNPMONITOR; ++ data = ast_mindwm(ast, boot_address + offset); ++ if (!(data & AST_DP501_PNP_CONNECTED)) ++ return false; ++ ++ /* Read EDID */ ++ offset = AST_DP501_EDID_DATA; ++ for (i = 0; i < 128; i += 4) { ++ data = ast_mindwm(ast, boot_address + offset + i); ++ pEDIDidx = (u32 *)(ediddata + i); ++ *pEDIDidx = data; ++ } ++ } else { ++ if (!ast->dp501_fw_buf) ++ return false; ++ ++ /* dummy read */ ++ offset = 0x0000; ++ data = readl(ast->dp501_fw_buf + offset); ++ ++ /* validate FW version */ ++ offset = AST_DP501_GBL_VERSION; ++ data = readl(ast->dp501_fw_buf + offset); ++ if ((data & AST_DP501_FW_VERSION_MASK) != AST_DP501_FW_VERSION_1) ++ return false; ++ ++ /* validate PnP Monitor */ ++ offset = AST_DP501_PNPMONITOR; ++ data = readl(ast->dp501_fw_buf + offset); ++ if (!(data & AST_DP501_PNP_CONNECTED)) ++ return false; ++ ++ /* Read EDID */ ++ offset = AST_DP501_EDID_DATA; ++ for (i = 0; i < 128; i += 4) { ++ data = readl(ast->dp501_fw_buf + offset + i); ++ pEDIDidx = (u32 *)(ediddata + i); ++ *pEDIDidx = data; ++ } + } + + return true; +diff --git a/drivers/gpu/drm/ast/ast_drv.h b/drivers/gpu/drm/ast/ast_drv.h +index 467049ca8430..b68b1ddfecb7 100644 +--- a/drivers/gpu/drm/ast/ast_drv.h ++++ b/drivers/gpu/drm/ast/ast_drv.h +@@ -120,6 +120,7 @@ struct ast_private { + + void __iomem *regs; + void __iomem *ioregs; ++ void __iomem *dp501_fw_buf; + + enum ast_chip chip; + bool vga2_clone; +@@ -298,6 +299,17 @@ int ast_mode_config_init(struct ast_private *ast); + #define AST_MM_ALIGN_SHIFT 4 + #define AST_MM_ALIGN_MASK ((1 << AST_MM_ALIGN_SHIFT) - 1) + ++#define AST_DP501_FW_VERSION_MASK GENMASK(7, 4) ++#define AST_DP501_FW_VERSION_1 BIT(4) ++#define AST_DP501_PNP_CONNECTED BIT(1) ++ ++#define AST_DP501_DEFAULT_DCLK 65 ++ ++#define AST_DP501_GBL_VERSION 0xf000 ++#define AST_DP501_PNPMONITOR 0xf010 ++#define AST_DP501_LINKRATE 0xf014 ++#define AST_DP501_EDID_DATA 0xf020 ++ + int ast_mm_init(struct ast_private *ast); + + /* ast post */ +diff --git a/drivers/gpu/drm/ast/ast_main.c b/drivers/gpu/drm/ast/ast_main.c +index ee82b2ddf932..0d163511564e 100644 +--- a/drivers/gpu/drm/ast/ast_main.c ++++ b/drivers/gpu/drm/ast/ast_main.c +@@ -98,7 +98,7 @@ static void ast_detect_config_mode(struct drm_device *dev, u32 *scu_rev) + if (!(jregd0 & 0x80) || !(jregd1 & 0x10)) { + /* Double check it's actually working */ + data = ast_read32(ast, 0xf004); +- if (data != 0xFFFFFFFF) { ++ if ((data != 0xFFFFFFFF) && (data != 0x00)) { + /* P2A works, grab silicon revision */ + ast->config_mode = ast_use_p2a; + +@@ -446,6 +446,14 @@ struct ast_private *ast_device_create(struct drm_driver *drv, + if (ret) + return ERR_PTR(ret); + ++ /* map reserved buffer */ ++ ast->dp501_fw_buf = NULL; ++ if (dev->vram_mm->vram_size < pci_resource_len(dev->pdev, 0)) { ++ ast->dp501_fw_buf = pci_iomap_range(dev->pdev, 0, dev->vram_mm->vram_size, 0); ++ if (!ast->dp501_fw_buf) ++ drm_info(dev, "failed to map reserved buffer!\n"); ++ } ++ + ret = ast_mode_config_init(ast); + if (ret) + return ERR_PTR(ret); +-- +2.30.2 + diff --git a/queue-5.10/drm-bridge-cdns-fix-pm-reference-leak-in-cdns_dsi_tr.patch b/queue-5.10/drm-bridge-cdns-fix-pm-reference-leak-in-cdns_dsi_tr.patch new file mode 100644 index 00000000000..49d81e60f6f --- /dev/null +++ b/queue-5.10/drm-bridge-cdns-fix-pm-reference-leak-in-cdns_dsi_tr.patch @@ -0,0 +1,40 @@ +From 29f0eae82f1d469f701223bdfa596b38f00b38af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 May 2021 15:21:02 +0800 +Subject: drm/bridge: cdns: Fix PM reference leak in cdns_dsi_transfer() + +From: Zou Wei + +[ Upstream commit 33f90f27e1c5ccd648d3e78a1c28be9ee8791cf1 ] + +pm_runtime_get_sync will increment pm usage counter even it failed. +Forgetting to putting operation will result in reference leak here. +Fix it by replacing it with pm_runtime_resume_and_get to keep usage +counter balanced. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/1621840862-106024-1-git-send-email-zou_wei@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/cdns-dsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/cdns-dsi.c b/drivers/gpu/drm/bridge/cdns-dsi.c +index 76373e31df92..b31281f76117 100644 +--- a/drivers/gpu/drm/bridge/cdns-dsi.c ++++ b/drivers/gpu/drm/bridge/cdns-dsi.c +@@ -1028,7 +1028,7 @@ static ssize_t cdns_dsi_transfer(struct mipi_dsi_host *host, + struct mipi_dsi_packet packet; + int ret, i, tx_len, rx_len; + +- ret = pm_runtime_get_sync(host->dev); ++ ret = pm_runtime_resume_and_get(host->dev); + if (ret < 0) + return ret; + +-- +2.30.2 + diff --git a/queue-5.10/drm-bridge-cdns-mhdp8546-fix-pm-reference-leak-in.patch b/queue-5.10/drm-bridge-cdns-mhdp8546-fix-pm-reference-leak-in.patch new file mode 100644 index 00000000000..181f5b1803f --- /dev/null +++ b/queue-5.10/drm-bridge-cdns-mhdp8546-fix-pm-reference-leak-in.patch @@ -0,0 +1,43 @@ +From dc85fb184775a4aec4b84ddefab01bf119cfb293 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 May 2021 21:56:22 +0800 +Subject: drm: bridge: cdns-mhdp8546: Fix PM reference leak in + +From: Yu Kuai + +[ Upstream commit f674555ee5444c8987dfea0922f1cf6bf0c12847 ] + +pm_runtime_get_sync will increment pm usage counter even it failed. +Forgetting to putting operation will result in reference leak here. +Fix it by replacing it with pm_runtime_resume_and_get to keep usage +counter balanced. + +Reported-by: Hulk Robot +Signed-off-by: Yu Kuai +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20210531135622.3348252-1-yukuai3@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c +index d0c65610ebb5..f56ff97c9899 100644 +--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c ++++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c +@@ -2369,9 +2369,9 @@ static int cdns_mhdp_probe(struct platform_device *pdev) + clk_prepare_enable(clk); + + pm_runtime_enable(dev); +- ret = pm_runtime_get_sync(dev); ++ ret = pm_runtime_resume_and_get(dev); + if (ret < 0) { +- dev_err(dev, "pm_runtime_get_sync failed\n"); ++ dev_err(dev, "pm_runtime_resume_and_get failed\n"); + pm_runtime_disable(dev); + goto clk_disable; + } +-- +2.30.2 + diff --git a/queue-5.10/drm-bridge-lt9611-add-missing-module_device_table.patch b/queue-5.10/drm-bridge-lt9611-add-missing-module_device_table.patch new file mode 100644 index 00000000000..d9bd6a4c464 --- /dev/null +++ b/queue-5.10/drm-bridge-lt9611-add-missing-module_device_table.patch @@ -0,0 +1,38 @@ +From 90b24170907b99573dcd7c4304f4a74543bd923a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 14:45:55 +0800 +Subject: drm/bridge: lt9611: Add missing MODULE_DEVICE_TABLE + +From: Zou Wei + +[ Upstream commit 8d0b1fe81e18eb66a2d4406386760795fe0d77d9 ] + +This patch adds missing MODULE_DEVICE_TABLE definition which generates +correct modalias for automatic loading of this driver when it is built +as an external module. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/1620801955-19188-1-git-send-email-zou_wei@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/lontium-lt9611.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/bridge/lontium-lt9611.c b/drivers/gpu/drm/bridge/lontium-lt9611.c +index d734d9402c35..c1926154eda8 100644 +--- a/drivers/gpu/drm/bridge/lontium-lt9611.c ++++ b/drivers/gpu/drm/bridge/lontium-lt9611.c +@@ -1209,6 +1209,7 @@ static struct i2c_device_id lt9611_id[] = { + { "lontium,lt9611", 0 }, + {} + }; ++MODULE_DEVICE_TABLE(i2c, lt9611_id); + + static const struct of_device_id lt9611_match_table[] = { + { .compatible = "lontium,lt9611" }, +-- +2.30.2 + diff --git a/queue-5.10/drm-bridge-nwl-dsi-force-a-full-modeset-when-crtc_st.patch b/queue-5.10/drm-bridge-nwl-dsi-force-a-full-modeset-when-crtc_st.patch new file mode 100644 index 00000000000..732b5ef0145 --- /dev/null +++ b/queue-5.10/drm-bridge-nwl-dsi-force-a-full-modeset-when-crtc_st.patch @@ -0,0 +1,159 @@ +From 81d9b16e20d40abd1326e5ce5431c74a2994973b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Apr 2021 17:26:41 +0800 +Subject: drm/bridge: nwl-dsi: Force a full modeset when crtc_state->active is + changed to be true +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Liu Ying + +[ Upstream commit 3afb2a28fa2404d11cce1956a003f2aaca4da421 ] + +This patch replaces ->mode_fixup() with ->atomic_check() so that +a full modeset can be requested from there when crtc_state->active +is changed to be true(which implies only connector's DPMS is brought +out of "Off" status, though not necessarily). Bridge functions are +added or changed to accommodate the ->atomic_check() callback. That +full modeset is needed by the up-coming patch which gets MIPI DSI +controller and PHY ready in ->mode_set(), because it makes sure +->mode_set() and ->atomic_disable() are called in pairs. + +Cc: Andrzej Hajda +Cc: Neil Armstrong +Cc: Robert Foss +Cc: Laurent Pinchart +Cc: Jonas Karlman +Cc: Jernej Skrabec +Cc: David Airlie +Cc: Daniel Vetter +Cc: Guido Günther +Cc: Robert Chiras +Cc: NXP Linux Team +Signed-off-by: Liu Ying +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/1619170003-4817-2-git-send-email-victor.liu@nxp.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/nwl-dsi.c | 61 ++++++++++++++++++++------------ + 1 file changed, 39 insertions(+), 22 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/nwl-dsi.c b/drivers/gpu/drm/bridge/nwl-dsi.c +index 66b67402f1ac..c65ca860712d 100644 +--- a/drivers/gpu/drm/bridge/nwl-dsi.c ++++ b/drivers/gpu/drm/bridge/nwl-dsi.c +@@ -21,6 +21,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -742,7 +743,9 @@ static int nwl_dsi_disable(struct nwl_dsi *dsi) + return 0; + } + +-static void nwl_dsi_bridge_disable(struct drm_bridge *bridge) ++static void ++nwl_dsi_bridge_atomic_disable(struct drm_bridge *bridge, ++ struct drm_bridge_state *old_bridge_state) + { + struct nwl_dsi *dsi = bridge_to_dsi(bridge); + int ret; +@@ -803,17 +806,6 @@ static int nwl_dsi_get_dphy_params(struct nwl_dsi *dsi, + return 0; + } + +-static bool nwl_dsi_bridge_mode_fixup(struct drm_bridge *bridge, +- const struct drm_display_mode *mode, +- struct drm_display_mode *adjusted_mode) +-{ +- /* At least LCDIF + NWL needs active high sync */ +- adjusted_mode->flags |= (DRM_MODE_FLAG_PHSYNC | DRM_MODE_FLAG_PVSYNC); +- adjusted_mode->flags &= ~(DRM_MODE_FLAG_NHSYNC | DRM_MODE_FLAG_NVSYNC); +- +- return true; +-} +- + static enum drm_mode_status + nwl_dsi_bridge_mode_valid(struct drm_bridge *bridge, + const struct drm_display_info *info, +@@ -831,6 +823,24 @@ nwl_dsi_bridge_mode_valid(struct drm_bridge *bridge, + return MODE_OK; + } + ++static int nwl_dsi_bridge_atomic_check(struct drm_bridge *bridge, ++ struct drm_bridge_state *bridge_state, ++ struct drm_crtc_state *crtc_state, ++ struct drm_connector_state *conn_state) ++{ ++ struct drm_display_mode *adjusted_mode = &crtc_state->adjusted_mode; ++ ++ /* At least LCDIF + NWL needs active high sync */ ++ adjusted_mode->flags |= (DRM_MODE_FLAG_PHSYNC | DRM_MODE_FLAG_PVSYNC); ++ adjusted_mode->flags &= ~(DRM_MODE_FLAG_NHSYNC | DRM_MODE_FLAG_NVSYNC); ++ ++ /* Do a full modeset if crtc_state->active is changed to be true. */ ++ if (crtc_state->active_changed && crtc_state->active) ++ crtc_state->mode_changed = true; ++ ++ return 0; ++} ++ + static void + nwl_dsi_bridge_mode_set(struct drm_bridge *bridge, + const struct drm_display_mode *mode, +@@ -862,7 +872,9 @@ nwl_dsi_bridge_mode_set(struct drm_bridge *bridge, + drm_mode_debug_printmodeline(adjusted_mode); + } + +-static void nwl_dsi_bridge_pre_enable(struct drm_bridge *bridge) ++static void ++nwl_dsi_bridge_atomic_pre_enable(struct drm_bridge *bridge, ++ struct drm_bridge_state *old_bridge_state) + { + struct nwl_dsi *dsi = bridge_to_dsi(bridge); + int ret; +@@ -897,7 +909,9 @@ static void nwl_dsi_bridge_pre_enable(struct drm_bridge *bridge) + } + } + +-static void nwl_dsi_bridge_enable(struct drm_bridge *bridge) ++static void ++nwl_dsi_bridge_atomic_enable(struct drm_bridge *bridge, ++ struct drm_bridge_state *old_bridge_state) + { + struct nwl_dsi *dsi = bridge_to_dsi(bridge); + int ret; +@@ -942,14 +956,17 @@ static void nwl_dsi_bridge_detach(struct drm_bridge *bridge) + } + + static const struct drm_bridge_funcs nwl_dsi_bridge_funcs = { +- .pre_enable = nwl_dsi_bridge_pre_enable, +- .enable = nwl_dsi_bridge_enable, +- .disable = nwl_dsi_bridge_disable, +- .mode_fixup = nwl_dsi_bridge_mode_fixup, +- .mode_set = nwl_dsi_bridge_mode_set, +- .mode_valid = nwl_dsi_bridge_mode_valid, +- .attach = nwl_dsi_bridge_attach, +- .detach = nwl_dsi_bridge_detach, ++ .atomic_duplicate_state = drm_atomic_helper_bridge_duplicate_state, ++ .atomic_destroy_state = drm_atomic_helper_bridge_destroy_state, ++ .atomic_reset = drm_atomic_helper_bridge_reset, ++ .atomic_check = nwl_dsi_bridge_atomic_check, ++ .atomic_pre_enable = nwl_dsi_bridge_atomic_pre_enable, ++ .atomic_enable = nwl_dsi_bridge_atomic_enable, ++ .atomic_disable = nwl_dsi_bridge_atomic_disable, ++ .mode_set = nwl_dsi_bridge_mode_set, ++ .mode_valid = nwl_dsi_bridge_mode_valid, ++ .attach = nwl_dsi_bridge_attach, ++ .detach = nwl_dsi_bridge_detach, + }; + + static int nwl_dsi_parse_dt(struct nwl_dsi *dsi) +-- +2.30.2 + diff --git a/queue-5.10/drm-mediatek-fix-pm-reference-leak-in-mtk_crtc_ddp_h.patch b/queue-5.10/drm-mediatek-fix-pm-reference-leak-in-mtk_crtc_ddp_h.patch new file mode 100644 index 00000000000..06fef142c51 --- /dev/null +++ b/queue-5.10/drm-mediatek-fix-pm-reference-leak-in-mtk_crtc_ddp_h.patch @@ -0,0 +1,38 @@ +From a0d252f9691f44228a5e4ebcb78cf4b35c143691 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Apr 2021 03:48:41 +0000 +Subject: drm/mediatek: Fix PM reference leak in mtk_crtc_ddp_hw_init() + +From: Wang Li + +[ Upstream commit 69777e6ca396f0a7e1baff40fcad4a9d3d445b7a ] + +pm_runtime_get_sync will increment pm usage counter even it failed. +Forgetting to putting operation will result in reference leak here. +Fix it by replacing it with pm_runtime_resume_and_get to keep usage +counter balanced. + +Reported-by: Hulk Robot +Signed-off-by: Wang Li +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +index ac038572164d..dfd5ed15a7f4 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +@@ -274,7 +274,7 @@ static int mtk_crtc_ddp_hw_init(struct mtk_drm_crtc *mtk_crtc) + drm_connector_list_iter_end(&conn_iter); + } + +- ret = pm_runtime_get_sync(crtc->dev->dev); ++ ret = pm_runtime_resume_and_get(crtc->dev->dev); + if (ret < 0) { + DRM_ERROR("Failed to enable power domain: %d\n", ret); + return ret; +-- +2.30.2 + diff --git a/queue-5.10/drm-mxsfb-don-t-select-drm_kms_fb_helper.patch b/queue-5.10/drm-mxsfb-don-t-select-drm_kms_fb_helper.patch new file mode 100644 index 00000000000..6dca131283d --- /dev/null +++ b/queue-5.10/drm-mxsfb-don-t-select-drm_kms_fb_helper.patch @@ -0,0 +1,36 @@ +From 91a1b258c108f752ed6f35efd01a85440d943407 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 13:00:38 +0200 +Subject: drm/mxsfb: Don't select DRM_KMS_FB_HELPER + +From: Thomas Zimmermann + +[ Upstream commit 13b29cc3a722c2c0bc9ab9f72f9047d55d08a2f9 ] + +Selecting DRM_FBDEV_EMULATION will include the correct settings for +fbdev emulation. Drivers should not override this. + +Signed-off-by: Thomas Zimmermann +Acked-by: Stefan Agner +Acked-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20210415110040.23525-3-tzimmermann@suse.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mxsfb/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/gpu/drm/mxsfb/Kconfig b/drivers/gpu/drm/mxsfb/Kconfig +index 0143d539f8f8..ee22cd25d3e3 100644 +--- a/drivers/gpu/drm/mxsfb/Kconfig ++++ b/drivers/gpu/drm/mxsfb/Kconfig +@@ -10,7 +10,6 @@ config DRM_MXSFB + depends on COMMON_CLK + select DRM_MXS + select DRM_KMS_HELPER +- select DRM_KMS_FB_HELPER + select DRM_KMS_CMA_HELPER + select DRM_PANEL + select DRM_PANEL_BRIDGE +-- +2.30.2 + diff --git a/queue-5.10/drm-rockchip-add-missing-registers-for-rk3066.patch b/queue-5.10/drm-rockchip-add-missing-registers-for-rk3066.patch new file mode 100644 index 00000000000..3d399ca4580 --- /dev/null +++ b/queue-5.10/drm-rockchip-add-missing-registers-for-rk3066.patch @@ -0,0 +1,80 @@ +From e2e3fcf7f5064c4d90b922e0437cd914b7b787e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 May 2021 15:05:52 +0200 +Subject: drm: rockchip: add missing registers for RK3066 + +From: Alex Bee + +[ Upstream commit 742203cd56d150eb7884eb45abb7d9dbc2bdbf04 ] + +Add dither_up, dsp_lut_en and data_blank registers to enable their +respective functionality for RK3066's VOP. + +While at that also fix .rb_swap and .format registers for all windows, +which have to be set though RK3066_SYS_CTRL1 register. +Also remove .scl from win1: Scaling is only supported on the primary +plane. + +Signed-off-by: Alex Bee +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20210528130554.72191-4-knaerzche@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c +index b8dcee64a1f7..a6fe03c3748a 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c ++++ b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c +@@ -349,8 +349,8 @@ static const struct vop_win_phy rk3066_win0_data = { + .nformats = ARRAY_SIZE(formats_win_full), + .format_modifiers = format_modifiers_win_full, + .enable = VOP_REG(RK3066_SYS_CTRL1, 0x1, 0), +- .format = VOP_REG(RK3066_SYS_CTRL0, 0x7, 4), +- .rb_swap = VOP_REG(RK3066_SYS_CTRL0, 0x1, 19), ++ .format = VOP_REG(RK3066_SYS_CTRL1, 0x7, 4), ++ .rb_swap = VOP_REG(RK3066_SYS_CTRL1, 0x1, 19), + .act_info = VOP_REG(RK3066_WIN0_ACT_INFO, 0x1fff1fff, 0), + .dsp_info = VOP_REG(RK3066_WIN0_DSP_INFO, 0x0fff0fff, 0), + .dsp_st = VOP_REG(RK3066_WIN0_DSP_ST, 0x1fff1fff, 0), +@@ -361,13 +361,12 @@ static const struct vop_win_phy rk3066_win0_data = { + }; + + static const struct vop_win_phy rk3066_win1_data = { +- .scl = &rk3066_win_scl, + .data_formats = formats_win_full, + .nformats = ARRAY_SIZE(formats_win_full), + .format_modifiers = format_modifiers_win_full, + .enable = VOP_REG(RK3066_SYS_CTRL1, 0x1, 1), +- .format = VOP_REG(RK3066_SYS_CTRL0, 0x7, 7), +- .rb_swap = VOP_REG(RK3066_SYS_CTRL0, 0x1, 23), ++ .format = VOP_REG(RK3066_SYS_CTRL1, 0x7, 7), ++ .rb_swap = VOP_REG(RK3066_SYS_CTRL1, 0x1, 23), + .act_info = VOP_REG(RK3066_WIN1_ACT_INFO, 0x1fff1fff, 0), + .dsp_info = VOP_REG(RK3066_WIN1_DSP_INFO, 0x0fff0fff, 0), + .dsp_st = VOP_REG(RK3066_WIN1_DSP_ST, 0x1fff1fff, 0), +@@ -382,8 +381,8 @@ static const struct vop_win_phy rk3066_win2_data = { + .nformats = ARRAY_SIZE(formats_win_lite), + .format_modifiers = format_modifiers_win_lite, + .enable = VOP_REG(RK3066_SYS_CTRL1, 0x1, 2), +- .format = VOP_REG(RK3066_SYS_CTRL0, 0x7, 10), +- .rb_swap = VOP_REG(RK3066_SYS_CTRL0, 0x1, 27), ++ .format = VOP_REG(RK3066_SYS_CTRL1, 0x7, 10), ++ .rb_swap = VOP_REG(RK3066_SYS_CTRL1, 0x1, 27), + .dsp_info = VOP_REG(RK3066_WIN2_DSP_INFO, 0x0fff0fff, 0), + .dsp_st = VOP_REG(RK3066_WIN2_DSP_ST, 0x1fff1fff, 0), + .yrgb_mst = VOP_REG(RK3066_WIN2_MST, 0xffffffff, 0), +@@ -408,6 +407,9 @@ static const struct vop_common rk3066_common = { + .dither_down_en = VOP_REG(RK3066_DSP_CTRL0, 0x1, 11), + .dither_down_mode = VOP_REG(RK3066_DSP_CTRL0, 0x1, 10), + .dsp_blank = VOP_REG(RK3066_DSP_CTRL1, 0x1, 24), ++ .dither_up = VOP_REG(RK3066_DSP_CTRL0, 0x1, 9), ++ .dsp_lut_en = VOP_REG(RK3066_SYS_CTRL1, 0x1, 31), ++ .data_blank = VOP_REG(RK3066_DSP_CTRL1, 0x1, 25), + }; + + static const struct vop_win_data rk3066_vop_win_data[] = { +-- +2.30.2 + diff --git a/queue-5.10/drm-rockchip-add-missing-registers-for-rk3188.patch b/queue-5.10/drm-rockchip-add-missing-registers-for-rk3188.patch new file mode 100644 index 00000000000..f1eaac7eb7b --- /dev/null +++ b/queue-5.10/drm-rockchip-add-missing-registers-for-rk3188.patch @@ -0,0 +1,41 @@ +From 268c27aa5423c9c590c3982e2944159b84a6b958 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 May 2021 15:05:51 +0200 +Subject: drm: rockchip: add missing registers for RK3188 + +From: Alex Bee + +[ Upstream commit ab64b448a175b8a5a4bd323b8f74758c2574482c ] + +Add dither_up, dsp_lut_en and data_blank registers to enable their +respective functionality for RK3188's VOP. +While at that also fix .dsp_blank register which is (only) set with +BIT24 (same as RK3066) + +Signed-off-by: Alex Bee +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20210528130554.72191-3-knaerzche@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c +index 80053d91a301..b8dcee64a1f7 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c ++++ b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c +@@ -505,7 +505,10 @@ static const struct vop_common rk3188_common = { + .dither_down_sel = VOP_REG(RK3188_DSP_CTRL0, 0x1, 27), + .dither_down_en = VOP_REG(RK3188_DSP_CTRL0, 0x1, 11), + .dither_down_mode = VOP_REG(RK3188_DSP_CTRL0, 0x1, 10), +- .dsp_blank = VOP_REG(RK3188_DSP_CTRL1, 0x3, 24), ++ .dsp_blank = VOP_REG(RK3188_DSP_CTRL1, 0x1, 24), ++ .dither_up = VOP_REG(RK3188_DSP_CTRL0, 0x1, 9), ++ .dsp_lut_en = VOP_REG(RK3188_SYS_CTRL, 0x1, 28), ++ .data_blank = VOP_REG(RK3188_DSP_CTRL1, 0x1, 25), + }; + + static const struct vop_win_data rk3188_vop_win_data[] = { +-- +2.30.2 + diff --git a/queue-5.10/drm-sched-avoid-data-corruptions.patch b/queue-5.10/drm-sched-avoid-data-corruptions.patch new file mode 100644 index 00000000000..a495ae3acb3 --- /dev/null +++ b/queue-5.10/drm-sched-avoid-data-corruptions.patch @@ -0,0 +1,47 @@ +From 1bffb9e432240d4d4c3fa7e0f5be07d6eb9f8a70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 May 2021 10:14:07 -0400 +Subject: drm/sched: Avoid data corruptions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andrey Grodzovsky + +[ Upstream commit 0b10ab80695d61422337ede6ff496552d8ace99d ] + +Wait for all dependencies of a job to complete before +killing it to avoid data corruptions. + +Signed-off-by: Andrey Grodzovsky +Reviewed-by: Christian König +Link: https://patchwork.freedesktop.org/patch/msgid/20210519141407.88444-1-andrey.grodzovsky@amd.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/scheduler/sched_entity.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c +index 2006cc057f99..3f7f761df4cd 100644 +--- a/drivers/gpu/drm/scheduler/sched_entity.c ++++ b/drivers/gpu/drm/scheduler/sched_entity.c +@@ -219,11 +219,16 @@ static void drm_sched_entity_kill_jobs_cb(struct dma_fence *f, + static void drm_sched_entity_kill_jobs(struct drm_sched_entity *entity) + { + struct drm_sched_job *job; ++ struct dma_fence *f; + int r; + + while ((job = to_drm_sched_job(spsc_queue_pop(&entity->job_queue)))) { + struct drm_sched_fence *s_fence = job->s_fence; + ++ /* Wait for all dependencies to avoid data corruptions */ ++ while ((f = job->sched->ops->dependency(job, entity))) ++ dma_fence_wait(f, false); ++ + drm_sched_fence_scheduled(s_fence); + dma_fence_set_error(&s_fence->finished, -ESRCH); + +-- +2.30.2 + diff --git a/queue-5.10/drm-scheduler-fix-hang-when-sched_entity-released.patch b/queue-5.10/drm-scheduler-fix-hang-when-sched_entity-released.patch new file mode 100644 index 00000000000..2f85abf8ec4 --- /dev/null +++ b/queue-5.10/drm-scheduler-fix-hang-when-sched_entity-released.patch @@ -0,0 +1,95 @@ +From d3da1c6673f9553459fa0a2660719a313eca1aeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 10:26:45 -0400 +Subject: drm/scheduler: Fix hang when sched_entity released +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andrey Grodzovsky + +[ Upstream commit c61cdbdbffc169dc7f1e6fe94dfffaf574fe672a ] + +Problem: If scheduler is already stopped by the time sched_entity +is released and entity's job_queue not empty I encountred +a hang in drm_sched_entity_flush. This is because drm_sched_entity_is_idle +never becomes false. + +Fix: In drm_sched_fini detach all sched_entities from the +scheduler's run queues. This will satisfy drm_sched_entity_is_idle. +Also wakeup all those processes stuck in sched_entity flushing +as the scheduler main thread which wakes them up is stopped by now. + +v2: +Reverse order of drm_sched_rq_remove_entity and marking +s_entity as stopped to prevent reinserion back to rq due +to race. + +v3: +Drop drm_sched_rq_remove_entity, only modify entity->stopped +and check for it in drm_sched_entity_is_idle + +Signed-off-by: Andrey Grodzovsky +Reviewed-by: Christian König +Link: https://patchwork.freedesktop.org/patch/msgid/20210512142648.666476-14-andrey.grodzovsky@amd.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/scheduler/sched_entity.c | 3 ++- + drivers/gpu/drm/scheduler/sched_main.c | 24 ++++++++++++++++++++++++ + 2 files changed, 26 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c +index 146380118962..2006cc057f99 100644 +--- a/drivers/gpu/drm/scheduler/sched_entity.c ++++ b/drivers/gpu/drm/scheduler/sched_entity.c +@@ -113,7 +113,8 @@ static bool drm_sched_entity_is_idle(struct drm_sched_entity *entity) + rmb(); /* for list_empty to work without lock */ + + if (list_empty(&entity->list) || +- spsc_queue_count(&entity->job_queue) == 0) ++ spsc_queue_count(&entity->job_queue) == 0 || ++ entity->stopped) + return true; + + return false; +diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c +index 7111e0f527b0..b6c2757c3d83 100644 +--- a/drivers/gpu/drm/scheduler/sched_main.c ++++ b/drivers/gpu/drm/scheduler/sched_main.c +@@ -887,9 +887,33 @@ EXPORT_SYMBOL(drm_sched_init); + */ + void drm_sched_fini(struct drm_gpu_scheduler *sched) + { ++ struct drm_sched_entity *s_entity; ++ int i; ++ + if (sched->thread) + kthread_stop(sched->thread); + ++ for (i = DRM_SCHED_PRIORITY_COUNT - 1; i >= DRM_SCHED_PRIORITY_MIN; i--) { ++ struct drm_sched_rq *rq = &sched->sched_rq[i]; ++ ++ if (!rq) ++ continue; ++ ++ spin_lock(&rq->lock); ++ list_for_each_entry(s_entity, &rq->entities, list) ++ /* ++ * Prevents reinsertion and marks job_queue as idle, ++ * it will removed from rq in drm_sched_entity_fini ++ * eventually ++ */ ++ s_entity->stopped = true; ++ spin_unlock(&rq->lock); ++ ++ } ++ ++ /* Wakeup everyone stuck in drm_sched_entity_flush for this scheduler */ ++ wake_up_all(&sched->job_scheduled); ++ + /* Confirm no work left behind accessing device structures */ + cancel_delayed_work_sync(&sched->work_tdr); + +-- +2.30.2 + diff --git a/queue-5.10/drm-vc4-fix-argument-ordering-in-vc4_crtc_get_margin.patch b/queue-5.10/drm-vc4-fix-argument-ordering-in-vc4_crtc_get_margin.patch new file mode 100644 index 00000000000..1b3eb318655 --- /dev/null +++ b/queue-5.10/drm-vc4-fix-argument-ordering-in-vc4_crtc_get_margin.patch @@ -0,0 +1,39 @@ +From 87d0253d68bc1dcc38d0bb00a5680b95838dae2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Apr 2021 13:18:03 +0300 +Subject: drm/vc4: fix argument ordering in vc4_crtc_get_margins() + +From: Dan Carpenter + +[ Upstream commit e590c2b03a6143ba93ddad306bc9eaafa838c020 ] + +Cppcheck complains that the declaration doesn't match the function +definition. Obviously "left" should come before "right". The caller +and the function implementation are done this way, it's just the +declaration which is wrong so this doesn't affect runtime. + +Reported-by: kernel test robot +Signed-off-by: Dan Carpenter +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/YH/720FD978TPhHp@mwanda +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_drv.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_drv.h b/drivers/gpu/drm/vc4/vc4_drv.h +index c5f2944d5bc6..9809c3a856c6 100644 +--- a/drivers/gpu/drm/vc4/vc4_drv.h ++++ b/drivers/gpu/drm/vc4/vc4_drv.h +@@ -837,7 +837,7 @@ void vc4_crtc_destroy_state(struct drm_crtc *crtc, + void vc4_crtc_reset(struct drm_crtc *crtc); + void vc4_crtc_handle_vblank(struct vc4_crtc *crtc); + void vc4_crtc_get_margins(struct drm_crtc_state *state, +- unsigned int *right, unsigned int *left, ++ unsigned int *left, unsigned int *right, + unsigned int *top, unsigned int *bottom); + + /* vc4_debugfs.c */ +-- +2.30.2 + diff --git a/queue-5.10/drm-vc4-fix-clock-source-for-vec-pixelvalve-on-bcm27.patch b/queue-5.10/drm-vc4-fix-clock-source-for-vec-pixelvalve-on-bcm27.patch new file mode 100644 index 00000000000..43c92063b4e --- /dev/null +++ b/queue-5.10/drm-vc4-fix-clock-source-for-vec-pixelvalve-on-bcm27.patch @@ -0,0 +1,40 @@ +From dafebd817ccfa1a2ae139fe836de50c66987da6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 May 2021 17:03:41 +0200 +Subject: drm/vc4: Fix clock source for VEC PixelValve on BCM2711 + +From: Mateusz Kwiatkowski + +[ Upstream commit fc7a8abcee2225d6279ff785d33e24d70c738c6e ] + +On the BCM2711 (Raspberry Pi 4), the VEC is actually connected to +output 2 of pixelvalve3. + +NOTE: This contradicts the Broadcom docs, but has been empirically +tested and confirmed by Raspberry Pi firmware devs. + +Signed-off-by: Mateusz Kwiatkowski +Signed-off-by: Maxime Ripard +Reviewed-by: Dave Stevenson +Link: https://patchwork.freedesktop.org/patch/msgid/20210520150344.273900-2-maxime@cerno.tech +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_crtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_crtc.c b/drivers/gpu/drm/vc4/vc4_crtc.c +index 1d2416d466a3..7062d0e6fe76 100644 +--- a/drivers/gpu/drm/vc4/vc4_crtc.c ++++ b/drivers/gpu/drm/vc4/vc4_crtc.c +@@ -1001,7 +1001,7 @@ static const struct vc4_pv_data bcm2711_pv3_data = { + .fifo_depth = 64, + .pixels_per_clock = 1, + .encoder_types = { +- [0] = VC4_ENCODER_TYPE_VEC, ++ [PV_CONTROL_CLK_SELECT_VEC] = VC4_ENCODER_TYPE_VEC, + }, + }; + +-- +2.30.2 + diff --git a/queue-5.10/drm-vc4-hdmi-fix-pm-reference-leak-in-vc4_hdmi_encod.patch b/queue-5.10/drm-vc4-hdmi-fix-pm-reference-leak-in-vc4_hdmi_encod.patch new file mode 100644 index 00000000000..6af200064d6 --- /dev/null +++ b/queue-5.10/drm-vc4-hdmi-fix-pm-reference-leak-in-vc4_hdmi_encod.patch @@ -0,0 +1,40 @@ +From df41ded210ed8a3807a17c818f8e751b0d044c89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 May 2021 15:20:54 +0800 +Subject: drm/vc4: hdmi: Fix PM reference leak in + vc4_hdmi_encoder_pre_crtc_co() + +From: Zou Wei + +[ Upstream commit 5e4322a8b266bc9f5ee7ea4895f661c01dbd7cb3 ] + +pm_runtime_get_sync will increment pm usage counter even it failed. +Forgetting to putting operation will result in reference leak here. +Fix it by replacing it with pm_runtime_resume_and_get to keep usage +counter balanced. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/1621840854-105978-1-git-send-email-zou_wei@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index 25a09aaf5883..6a19a3de3962 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -627,7 +627,7 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder) + unsigned long pixel_rate, hsm_rate; + int ret; + +- ret = pm_runtime_get_sync(&vc4_hdmi->pdev->dev); ++ ret = pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev); + if (ret < 0) { + DRM_ERROR("Failed to retain power domain: %d\n", ret); + return; +-- +2.30.2 + diff --git a/queue-5.10/drm-virtio-fix-double-free-on-probe-failure.patch b/queue-5.10/drm-virtio-fix-double-free-on-probe-failure.patch new file mode 100644 index 00000000000..814ab2b1b51 --- /dev/null +++ b/queue-5.10/drm-virtio-fix-double-free-on-probe-failure.patch @@ -0,0 +1,38 @@ +From 679ece35ae3373bd992f6d506c4661862f229811 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 May 2021 16:49:12 +0800 +Subject: drm/virtio: Fix double free on probe failure + +From: Xie Yongji + +[ Upstream commit cec7f1774605a5ef47c134af62afe7c75c30b0ee ] + +The virtio_gpu_init() will free vgdev and vgdev->vbufs on failure. +But such failure will be caught by virtio_gpu_probe() and then +virtio_gpu_release() will be called to do some cleanup which +will free vgdev and vgdev->vbufs again. So let's set dev->dev_private +to NULL to avoid double free. + +Signed-off-by: Xie Yongji +Link: http://patchwork.freedesktop.org/patch/msgid/20210517084913.403-2-xieyongji@bytedance.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/virtio/virtgpu_kms.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c +index eed57a931309..a28b01f92793 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_kms.c ++++ b/drivers/gpu/drm/virtio/virtgpu_kms.c +@@ -209,6 +209,7 @@ err_scanouts: + err_vbufs: + vgdev->vdev->config->del_vqs(vgdev->vdev); + err_vqs: ++ dev->dev_private = NULL; + kfree(vgdev); + return ret; + } +-- +2.30.2 + diff --git a/queue-5.10/drm-zte-don-t-select-drm_kms_fb_helper.patch b/queue-5.10/drm-zte-don-t-select-drm_kms_fb_helper.patch new file mode 100644 index 00000000000..8ab9069bf8a --- /dev/null +++ b/queue-5.10/drm-zte-don-t-select-drm_kms_fb_helper.patch @@ -0,0 +1,35 @@ +From 4a21008f250d4dc4c61fc27ef2f709f1dc4dbbde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 13:00:39 +0200 +Subject: drm/zte: Don't select DRM_KMS_FB_HELPER + +From: Thomas Zimmermann + +[ Upstream commit a50e74bec1d17e95275909660c6b43ffe11ebcf0 ] + +Selecting DRM_FBDEV_EMULATION will include the correct settings for +fbdev emulation. Drivers should not override this. + +Signed-off-by: Thomas Zimmermann +Acked-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20210415110040.23525-4-tzimmermann@suse.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/zte/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/gpu/drm/zte/Kconfig b/drivers/gpu/drm/zte/Kconfig +index 90ebaedc11fd..aa8594190b50 100644 +--- a/drivers/gpu/drm/zte/Kconfig ++++ b/drivers/gpu/drm/zte/Kconfig +@@ -3,7 +3,6 @@ config DRM_ZTE + tristate "DRM Support for ZTE SoCs" + depends on DRM && ARCH_ZX + select DRM_KMS_CMA_HELPER +- select DRM_KMS_FB_HELPER + select DRM_KMS_HELPER + select SND_SOC_HDMI_CODEC if SND_SOC + select VIDEOMODE_HELPERS +-- +2.30.2 + diff --git a/queue-5.10/e100-handle-eeprom-as-little-endian.patch b/queue-5.10/e100-handle-eeprom-as-little-endian.patch new file mode 100644 index 00000000000..86ae26a0ff6 --- /dev/null +++ b/queue-5.10/e100-handle-eeprom-as-little-endian.patch @@ -0,0 +1,69 @@ +From 9939eac0a61d31c7f717fc614bd665813bb077d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 17:38:24 -0700 +Subject: e100: handle eeprom as little endian + +From: Jesse Brandeburg + +[ Upstream commit d4ef55288aa2e1b76033717242728ac98ddc4721 ] + +Sparse tool was warning on some implicit conversions from +little endian data read from the EEPROM on the e100 cards. + +Fix these by being explicit about the conversions using +le16_to_cpu(). + +Signed-off-by: Jesse Brandeburg +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e100.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c +index 8cc651d37a7f..609e47b8287d 100644 +--- a/drivers/net/ethernet/intel/e100.c ++++ b/drivers/net/ethernet/intel/e100.c +@@ -1395,7 +1395,7 @@ static int e100_phy_check_without_mii(struct nic *nic) + u8 phy_type; + int without_mii; + +- phy_type = (nic->eeprom[eeprom_phy_iface] >> 8) & 0x0f; ++ phy_type = (le16_to_cpu(nic->eeprom[eeprom_phy_iface]) >> 8) & 0x0f; + + switch (phy_type) { + case NoSuchPhy: /* Non-MII PHY; UNTESTED! */ +@@ -1515,7 +1515,7 @@ static int e100_phy_init(struct nic *nic) + mdio_write(netdev, nic->mii.phy_id, MII_BMCR, bmcr); + } else if ((nic->mac >= mac_82550_D102) || ((nic->flags & ich) && + (mdio_read(netdev, nic->mii.phy_id, MII_TPISTATUS) & 0x8000) && +- (nic->eeprom[eeprom_cnfg_mdix] & eeprom_mdix_enabled))) { ++ (le16_to_cpu(nic->eeprom[eeprom_cnfg_mdix]) & eeprom_mdix_enabled))) { + /* enable/disable MDI/MDI-X auto-switching. */ + mdio_write(netdev, nic->mii.phy_id, MII_NCONFIG, + nic->mii.force_media ? 0 : NCONFIG_AUTO_SWITCH); +@@ -2263,9 +2263,9 @@ static int e100_asf(struct nic *nic) + { + /* ASF can be enabled from eeprom */ + return (nic->pdev->device >= 0x1050) && (nic->pdev->device <= 0x1057) && +- (nic->eeprom[eeprom_config_asf] & eeprom_asf) && +- !(nic->eeprom[eeprom_config_asf] & eeprom_gcl) && +- ((nic->eeprom[eeprom_smbus_addr] & 0xFF) != 0xFE); ++ (le16_to_cpu(nic->eeprom[eeprom_config_asf]) & eeprom_asf) && ++ !(le16_to_cpu(nic->eeprom[eeprom_config_asf]) & eeprom_gcl) && ++ ((le16_to_cpu(nic->eeprom[eeprom_smbus_addr]) & 0xFF) != 0xFE); + } + + static int e100_up(struct nic *nic) +@@ -2920,7 +2920,7 @@ static int e100_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + /* Wol magic packet can be enabled from eeprom */ + if ((nic->mac >= mac_82558_D101_A4) && +- (nic->eeprom[eeprom_id] & eeprom_id_wol)) { ++ (le16_to_cpu(nic->eeprom[eeprom_id]) & eeprom_id_wol)) { + nic->flags |= wol_magic; + device_set_wakeup_enable(&pdev->dev, true); + } +-- +2.30.2 + diff --git a/queue-5.10/fjes-check-return-value-after-calling-platform_get_r.patch b/queue-5.10/fjes-check-return-value-after-calling-platform_get_r.patch new file mode 100644 index 00000000000..1cc089984bd --- /dev/null +++ b/queue-5.10/fjes-check-return-value-after-calling-platform_get_r.patch @@ -0,0 +1,37 @@ +From a3fe2a035b097993f1f1d76ef5b8538d14f869b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 16:02:43 +0800 +Subject: fjes: check return value after calling platform_get_resource() + +From: Yang Yingliang + +[ Upstream commit f18c11812c949553d2b2481ecaa274dd51bed1e7 ] + +It will cause null-ptr-deref if platform_get_resource() returns NULL, +we need check the return value. + +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/fjes/fjes_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/fjes/fjes_main.c b/drivers/net/fjes/fjes_main.c +index 466622664424..e449d9466122 100644 +--- a/drivers/net/fjes/fjes_main.c ++++ b/drivers/net/fjes/fjes_main.c +@@ -1262,6 +1262,10 @@ static int fjes_probe(struct platform_device *plat_dev) + adapter->interrupt_watch_enable = false; + + res = platform_get_resource(plat_dev, IORESOURCE_MEM, 0); ++ if (!res) { ++ err = -EINVAL; ++ goto err_free_control_wq; ++ } + hw->hw_res.start = res->start; + hw->hw_res.size = resource_size(res); + hw->hw_res.irq = platform_get_irq(plat_dev, 0); +-- +2.30.2 + diff --git a/queue-5.10/flow_offload-action-should-not-be-null-when-it-is-re.patch b/queue-5.10/flow_offload-action-should-not-be-null-when-it-is-re.patch new file mode 100644 index 00000000000..8e9165d8fbc --- /dev/null +++ b/queue-5.10/flow_offload-action-should-not-be-null-when-it-is-re.patch @@ -0,0 +1,46 @@ +From c1cee195a49370dd4cecb6764742006f4f0896a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Jun 2021 04:56:06 -0700 +Subject: flow_offload: action should not be NULL when it is referenced + +From: gushengxian + +[ Upstream commit 9ea3e52c5bc8bb4a084938dc1e3160643438927a ] + +"action" should not be NULL when it is referenced. + +Signed-off-by: gushengxian <13145886936@163.com> +Signed-off-by: gushengxian +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/flow_offload.h | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h +index 123b1e9ea304..161b90979038 100644 +--- a/include/net/flow_offload.h ++++ b/include/net/flow_offload.h +@@ -312,12 +312,14 @@ flow_action_mixed_hw_stats_check(const struct flow_action *action, + if (flow_offload_has_one_action(action)) + return true; + +- flow_action_for_each(i, action_entry, action) { +- if (i && action_entry->hw_stats != last_hw_stats) { +- NL_SET_ERR_MSG_MOD(extack, "Mixing HW stats types for actions is not supported"); +- return false; ++ if (action) { ++ flow_action_for_each(i, action_entry, action) { ++ if (i && action_entry->hw_stats != last_hw_stats) { ++ NL_SET_ERR_MSG_MOD(extack, "Mixing HW stats types for actions is not supported"); ++ return false; ++ } ++ last_hw_stats = action_entry->hw_stats; + } +- last_hw_stats = action_entry->hw_stats; + } + return true; + } +-- +2.30.2 + diff --git a/queue-5.10/hugetlb-clear-huge-pte-during-flush-function-on-mips.patch b/queue-5.10/hugetlb-clear-huge-pte-during-flush-function-on-mips.patch new file mode 100644 index 00000000000..4631f6ed44b --- /dev/null +++ b/queue-5.10/hugetlb-clear-huge-pte-during-flush-function-on-mips.patch @@ -0,0 +1,49 @@ +From 69d424809b6808f5d7e26765d53583cf93379cc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 21:15:32 +0800 +Subject: hugetlb: clear huge pte during flush function on mips platform + +From: Bibo Mao + +[ Upstream commit 33ae8f801ad8bec48e886d368739feb2816478f2 ] + +If multiple threads are accessing the same huge page at the same +time, hugetlb_cow will be called if one thread write the COW huge +page. And function huge_ptep_clear_flush is called to notify other +threads to clear the huge pte tlb entry. The other threads clear +the huge pte tlb entry and reload it from page table, the reload +huge pte entry may be old. + +This patch fixes this issue on mips platform, and it clears huge +pte entry before notifying other threads to flush current huge +page entry, it is similar with other architectures. + +Signed-off-by: Bibo Mao +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/hugetlb.h | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/arch/mips/include/asm/hugetlb.h b/arch/mips/include/asm/hugetlb.h +index 10e3be870df7..c2144409c0c4 100644 +--- a/arch/mips/include/asm/hugetlb.h ++++ b/arch/mips/include/asm/hugetlb.h +@@ -46,7 +46,13 @@ static inline pte_t huge_ptep_get_and_clear(struct mm_struct *mm, + static inline void huge_ptep_clear_flush(struct vm_area_struct *vma, + unsigned long addr, pte_t *ptep) + { +- flush_tlb_page(vma, addr & huge_page_mask(hstate_vma(vma))); ++ /* ++ * clear the huge pte entry firstly, so that the other smp threads will ++ * not get old pte entry after finishing flush_tlb_page and before ++ * setting new huge pte entry ++ */ ++ huge_ptep_get_and_clear(vma->vm_mm, addr, ptep); ++ flush_tlb_page(vma, addr); + } + + #define __HAVE_ARCH_HUGE_PTE_NONE +-- +2.30.2 + diff --git a/queue-5.10/ib-isert-align-target-max-i-o-size-to-initiator-size.patch b/queue-5.10/ib-isert-align-target-max-i-o-size-to-initiator-size.patch new file mode 100644 index 00000000000..1bb0b2ce020 --- /dev/null +++ b/queue-5.10/ib-isert-align-target-max-i-o-size-to-initiator-size.patch @@ -0,0 +1,62 @@ +From 627d763841fe95c992528200b1391f62973d74f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 May 2021 11:52:15 +0300 +Subject: IB/isert: Align target max I/O size to initiator size + +From: Max Gurtovoy + +[ Upstream commit 109d19a5eb3ddbdb87c43bfd4bcf644f4569da64 ] + +Since the Linux iser initiator default max I/O size set to 512KB and since +there is no handshake procedure for this size in iser protocol, set the +default max IO size of the target to 512KB as well. + +For changing the default values, there is a module parameter for both +drivers. + +Link: https://lore.kernel.org/r/20210524085215.29005-1-mgurtovoy@nvidia.com +Reviewed-by: Alaa Hleihel +Reviewed-by: Israel Rukshin +Signed-off-by: Max Gurtovoy +Acked-by: Sagi Grimberg +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/isert/ib_isert.c | 4 ++-- + drivers/infiniband/ulp/isert/ib_isert.h | 3 --- + 2 files changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c +index e653c83f8a35..edea37da8a5b 100644 +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -35,10 +35,10 @@ static const struct kernel_param_ops sg_tablesize_ops = { + .get = param_get_int, + }; + +-static int isert_sg_tablesize = ISCSI_ISER_DEF_SG_TABLESIZE; ++static int isert_sg_tablesize = ISCSI_ISER_MIN_SG_TABLESIZE; + module_param_cb(sg_tablesize, &sg_tablesize_ops, &isert_sg_tablesize, 0644); + MODULE_PARM_DESC(sg_tablesize, +- "Number of gather/scatter entries in a single scsi command, should >= 128 (default: 256, max: 4096)"); ++ "Number of gather/scatter entries in a single scsi command, should >= 128 (default: 128, max: 4096)"); + + static DEFINE_MUTEX(device_list_mutex); + static LIST_HEAD(device_list); +diff --git a/drivers/infiniband/ulp/isert/ib_isert.h b/drivers/infiniband/ulp/isert/ib_isert.h +index 6c5af13db4e0..ca8cfebe26ca 100644 +--- a/drivers/infiniband/ulp/isert/ib_isert.h ++++ b/drivers/infiniband/ulp/isert/ib_isert.h +@@ -65,9 +65,6 @@ + */ + #define ISER_RX_SIZE (ISCSI_DEF_MAX_RECV_SEG_LEN + 1024) + +-/* Default I/O size is 1MB */ +-#define ISCSI_ISER_DEF_SG_TABLESIZE 256 +- + /* Minimum I/O size is 512KB */ + #define ISCSI_ISER_MIN_SG_TABLESIZE 128 + +-- +2.30.2 + diff --git a/queue-5.10/ice-fix-clang-warning-regarding-deadcode.deadstores.patch b/queue-5.10/ice-fix-clang-warning-regarding-deadcode.deadstores.patch new file mode 100644 index 00000000000..46575742293 --- /dev/null +++ b/queue-5.10/ice-fix-clang-warning-regarding-deadcode.deadstores.patch @@ -0,0 +1,51 @@ +From 347c958c679747b697d04c009f3f5b177f859620 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Mar 2021 14:17:06 -0700 +Subject: ice: fix clang warning regarding deadcode.DeadStores + +From: Paul M Stillwell Jr + +[ Upstream commit 7e94090ae13e1ae5fe8bd3a9cd08136260bb7039 ] + +clang generates deadcode.DeadStores warnings when a variable +is used to read a value, but then that value isn't used later +in the code. Fix this warning. + +Signed-off-by: Paul M Stillwell Jr +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ethtool.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c +index a7975afecf70..14eba9bc174d 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -3492,13 +3492,9 @@ static int + ice_get_rc_coalesce(struct ethtool_coalesce *ec, enum ice_container_type c_type, + struct ice_ring_container *rc) + { +- struct ice_pf *pf; +- + if (!rc->ring) + return -EINVAL; + +- pf = rc->ring->vsi->back; +- + switch (c_type) { + case ICE_RX_CONTAINER: + ec->use_adaptive_rx_coalesce = ITR_IS_DYNAMIC(rc->itr_setting); +@@ -3510,7 +3506,7 @@ ice_get_rc_coalesce(struct ethtool_coalesce *ec, enum ice_container_type c_type, + ec->tx_coalesce_usecs = rc->itr_setting & ~ICE_ITR_DYNAMIC; + break; + default: +- dev_dbg(ice_pf_to_dev(pf), "Invalid c_type %d\n", c_type); ++ dev_dbg(ice_pf_to_dev(rc->ring->vsi->back), "Invalid c_type %d\n", c_type); + return -EINVAL; + } + +-- +2.30.2 + diff --git a/queue-5.10/ice-fix-incorrect-payload-indicator-on-ptype.patch b/queue-5.10/ice-fix-incorrect-payload-indicator-on-ptype.patch new file mode 100644 index 00000000000..46fa6b3cdd5 --- /dev/null +++ b/queue-5.10/ice-fix-incorrect-payload-indicator-on-ptype.patch @@ -0,0 +1,39 @@ +From 9a1d8fea6129a2ead9ab55f51c9758eb478a1a20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 08:40:04 -0700 +Subject: ice: fix incorrect payload indicator on PTYPE + +From: Jacob Keller + +[ Upstream commit 638a0c8c8861cb8a3b54203e632ea5dcc23d8ca5 ] + +The entry for PTYPE 90 indicates that the payload is layer 3. This does +not match the specification in the datasheet which indicates the packet +is a MAC, IPv6, UDP packet, with a payload in layer 4. + +Fix the lookup table to match the data sheet. + +Signed-off-by: Jacob Keller +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h b/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h +index 4ec24c3e813f..98a7f27c532b 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h ++++ b/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h +@@ -722,7 +722,7 @@ static const struct ice_rx_ptype_decoded ice_ptype_lkup[] = { + /* Non Tunneled IPv6 */ + ICE_PTT(88, IP, IPV6, FRG, NONE, NONE, NOF, NONE, PAY3), + ICE_PTT(89, IP, IPV6, NOF, NONE, NONE, NOF, NONE, PAY3), +- ICE_PTT(90, IP, IPV6, NOF, NONE, NONE, NOF, UDP, PAY3), ++ ICE_PTT(90, IP, IPV6, NOF, NONE, NONE, NOF, UDP, PAY4), + ICE_PTT_UNUSED_ENTRY(91), + ICE_PTT(92, IP, IPV6, NOF, NONE, NONE, NOF, TCP, PAY4), + ICE_PTT(93, IP, IPV6, NOF, NONE, NONE, NOF, SCTP, PAY4), +-- +2.30.2 + diff --git a/queue-5.10/ice-mark-ptype-2-as-reserved.patch b/queue-5.10/ice-mark-ptype-2-as-reserved.patch new file mode 100644 index 00000000000..4f70b9d2e85 --- /dev/null +++ b/queue-5.10/ice-mark-ptype-2-as-reserved.patch @@ -0,0 +1,40 @@ +From 104283581781013db2ddf5b15eedfa5c28a84d40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 08:40:05 -0700 +Subject: ice: mark PTYPE 2 as reserved + +From: Jacob Keller + +[ Upstream commit 0c526d440f76676733cb470b454db9d5507a3a50 ] + +The entry for PTYPE 2 in the ice_ptype_lkup table incorrectly states +that this is an L2 packet with no payload. According to the datasheet, +this PTYPE is actually unused and reserved. + +Fix the lookup entry to indicate this is an unused entry that is +reserved. + +Signed-off-by: Jacob Keller +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h b/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h +index 98a7f27c532b..c0ee0541e53f 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h ++++ b/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h +@@ -608,7 +608,7 @@ static const struct ice_rx_ptype_decoded ice_ptype_lkup[] = { + /* L2 Packet types */ + ICE_PTT_UNUSED_ENTRY(0), + ICE_PTT(1, L2, NONE, NOF, NONE, NONE, NOF, NONE, PAY2), +- ICE_PTT(2, L2, NONE, NOF, NONE, NONE, NOF, NONE, NONE), ++ ICE_PTT_UNUSED_ENTRY(2), + ICE_PTT_UNUSED_ENTRY(3), + ICE_PTT_UNUSED_ENTRY(4), + ICE_PTT_UNUSED_ENTRY(5), +-- +2.30.2 + diff --git a/queue-5.10/ice-set-the-value-of-global-config-lock-timeout-long.patch b/queue-5.10/ice-set-the-value-of-global-config-lock-timeout-long.patch new file mode 100644 index 00000000000..7b697c07d0c --- /dev/null +++ b/queue-5.10/ice-set-the-value-of-global-config-lock-timeout-long.patch @@ -0,0 +1,44 @@ +From 8789737901f42ced8f88e838d078b730676fdcd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Apr 2021 17:31:06 +0800 +Subject: ice: set the value of global config lock timeout longer + +From: Liwei Song + +[ Upstream commit fb3612840d4f587a0af9511a11d7989d1fa48206 ] + +It may need hold Global Config Lock a longer time when download DDP +package file, extend the timeout value to 5000ms to ensure that +download can be finished before other AQ command got time to run, +this will fix the issue below when probe the device, 5000ms is a test +value that work with both Backplane and BreakoutCable NVM image: + +ice 0000:f4:00.0: VSI 12 failed lan queue config, error ICE_ERR_CFG +ice 0000:f4:00.0: Failed to delete VSI 12 in FW - error: ICE_ERR_AQ_TIMEOUT +ice 0000:f4:00.0: probe failed due to setup PF switch: -12 +ice: probe of 0000:f4:00.0 failed with error -12 + +Signed-off-by: Liwei Song +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_type.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_type.h b/drivers/net/ethernet/intel/ice/ice_type.h +index 1bed183d96a0..ee3497d25464 100644 +--- a/drivers/net/ethernet/intel/ice/ice_type.h ++++ b/drivers/net/ethernet/intel/ice/ice_type.h +@@ -63,7 +63,7 @@ enum ice_aq_res_ids { + /* FW update timeout definitions are in milliseconds */ + #define ICE_NVM_TIMEOUT 180000 + #define ICE_CHANGE_LOCK_TIMEOUT 1000 +-#define ICE_GLOBAL_CFG_LOCK_TIMEOUT 3000 ++#define ICE_GLOBAL_CFG_LOCK_TIMEOUT 5000 + + enum ice_aq_res_access_type { + ICE_RES_READ = 1, +-- +2.30.2 + diff --git a/queue-5.10/igb-fix-assignment-on-big-endian-machines.patch b/queue-5.10/igb-fix-assignment-on-big-endian-machines.patch new file mode 100644 index 00000000000..9b261e23eb6 --- /dev/null +++ b/queue-5.10/igb-fix-assignment-on-big-endian-machines.patch @@ -0,0 +1,50 @@ +From 4c9e0316c7e893f78065294e95f20b7ba93abf4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 17:38:29 -0700 +Subject: igb: fix assignment on big endian machines + +From: Jesse Brandeburg + +[ Upstream commit b514958dd1a3bd57638b0e63b8e5152b1960e6aa ] + +The igb driver was trying hard to be sparse correct, but somehow +ended up converting a variable into little endian order and then +tries to OR something with it. + +A much plainer way of doing things is to leave all variables and +OR operations in CPU (non-endian) mode, and then convert to +little endian only once, which is what this change does. + +This probably fixes a bug that might have been seen only on +big endian systems. + +Signed-off-by: Jesse Brandeburg +Tested-by: Dave Switzer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 157683fbf61c..4b9b5148c916 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -6289,12 +6289,12 @@ int igb_xmit_xdp_ring(struct igb_adapter *adapter, + cmd_type |= len | IGB_TXD_DCMD; + tx_desc->read.cmd_type_len = cpu_to_le32(cmd_type); + +- olinfo_status = cpu_to_le32(len << E1000_ADVTXD_PAYLEN_SHIFT); ++ olinfo_status = len << E1000_ADVTXD_PAYLEN_SHIFT; + /* 82575 requires a unique index per ring */ + if (test_bit(IGB_RING_FLAG_TX_CTX_IDX, &tx_ring->flags)) + olinfo_status |= tx_ring->reg_idx << 4; + +- tx_desc->read.olinfo_status = olinfo_status; ++ tx_desc->read.olinfo_status = cpu_to_le32(olinfo_status); + + netdev_tx_sent_queue(txring_txq(tx_ring), tx_buffer->bytecount); + +-- +2.30.2 + diff --git a/queue-5.10/igb-handle-vlan-types-with-checker-enabled.patch b/queue-5.10/igb-handle-vlan-types-with-checker-enabled.patch new file mode 100644 index 00000000000..c1dd22abd52 --- /dev/null +++ b/queue-5.10/igb-handle-vlan-types-with-checker-enabled.patch @@ -0,0 +1,75 @@ +From 2eb16aa37d49d9280daa02ae5a077d79eddf1873 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 17:38:28 -0700 +Subject: igb: handle vlan types with checker enabled + +From: Jesse Brandeburg + +[ Upstream commit c7cbfb028b95360403d579c47aaaeef1ff140964 ] + +The sparse build (C=2) finds some issues with how the driver +dealt with the (very difficult) hardware that in some generations +uses little-endian, and in others uses big endian, for the VLAN +field. The code as written picks __le16 as a type and for some +hardware revisions we override it to __be16 as done in this +patch. This impacted the VF driver as well so fix it there too. + +Also change the vlan_tci assignment to override the sparse +warning without changing functionality. + +Signed-off-by: Jesse Brandeburg +Tested-by: Dave Switzer +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 5 +++-- + drivers/net/ethernet/intel/igbvf/netdev.c | 4 ++-- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 5c87c0a7ce3d..157683fbf61c 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -2643,7 +2643,8 @@ static int igb_parse_cls_flower(struct igb_adapter *adapter, + } + + input->filter.match_flags |= IGB_FILTER_FLAG_VLAN_TCI; +- input->filter.vlan_tci = match.key->vlan_priority; ++ input->filter.vlan_tci = ++ (__force __be16)match.key->vlan_priority; + } + } + +@@ -8617,7 +8618,7 @@ static void igb_process_skb_fields(struct igb_ring *rx_ring, + + if (igb_test_staterr(rx_desc, E1000_RXDEXT_STATERR_LB) && + test_bit(IGB_RING_FLAG_RX_LB_VLAN_BSWAP, &rx_ring->flags)) +- vid = be16_to_cpu(rx_desc->wb.upper.vlan); ++ vid = be16_to_cpu((__force __be16)rx_desc->wb.upper.vlan); + else + vid = le16_to_cpu(rx_desc->wb.upper.vlan); + +diff --git a/drivers/net/ethernet/intel/igbvf/netdev.c b/drivers/net/ethernet/intel/igbvf/netdev.c +index ee9f8c1dca83..07c9e9e0546f 100644 +--- a/drivers/net/ethernet/intel/igbvf/netdev.c ++++ b/drivers/net/ethernet/intel/igbvf/netdev.c +@@ -83,14 +83,14 @@ static int igbvf_desc_unused(struct igbvf_ring *ring) + static void igbvf_receive_skb(struct igbvf_adapter *adapter, + struct net_device *netdev, + struct sk_buff *skb, +- u32 status, u16 vlan) ++ u32 status, __le16 vlan) + { + u16 vid; + + if (status & E1000_RXD_STAT_VP) { + if ((adapter->flags & IGBVF_FLAG_RX_LB_VLAN_BSWAP) && + (status & E1000_RXDEXT_STATERR_LB)) +- vid = be16_to_cpu(vlan) & E1000_RXD_SPC_VLAN_MASK; ++ vid = be16_to_cpu((__force __be16)vlan) & E1000_RXD_SPC_VLAN_MASK; + else + vid = le16_to_cpu(vlan) & E1000_RXD_SPC_VLAN_MASK; + if (test_bit(vid, adapter->active_vlans)) +-- +2.30.2 + diff --git a/queue-5.10/io_uring-fix-false-warn_once.patch b/queue-5.10/io_uring-fix-false-warn_once.patch new file mode 100644 index 00000000000..047c5be0200 --- /dev/null +++ b/queue-5.10/io_uring-fix-false-warn_once.patch @@ -0,0 +1,50 @@ +From 89341e898345ed660578dd76abea9068e8807280 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jun 2021 18:13:59 +0100 +Subject: io_uring: fix false WARN_ONCE + +From: Pavel Begunkov + +[ Upstream commit e6ab8991c5d0b0deae0961dc22c0edd1dee328f5 ] + +WARNING: CPU: 1 PID: 11749 at fs/io-wq.c:244 io_wqe_wake_worker fs/io-wq.c:244 [inline] +WARNING: CPU: 1 PID: 11749 at fs/io-wq.c:244 io_wqe_enqueue+0x7f6/0x910 fs/io-wq.c:751 + +A WARN_ON_ONCE() in io_wqe_wake_worker() can be triggered by a valid +userspace setup. Replace it with pr_warn. + +Reported-by: syzbot+ea2f1484cffe5109dc10@syzkaller.appspotmail.com +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/f7ede342c3342c4c26668f5168e2993e38bbd99c.1623949695.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io-wq.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/io-wq.c b/fs/io-wq.c +index f72d53848dcb..8bb17b6d4de3 100644 +--- a/fs/io-wq.c ++++ b/fs/io-wq.c +@@ -299,7 +299,8 @@ static void io_wqe_wake_worker(struct io_wqe *wqe, struct io_wqe_acct *acct) + * Most likely an attempt to queue unbounded work on an io_wq that + * wasn't setup with any unbounded workers. + */ +- WARN_ON_ONCE(!acct->max_workers); ++ if (unlikely(!acct->max_workers)) ++ pr_warn_once("io-wq is not configured for unbound workers"); + + rcu_read_lock(); + ret = io_wqe_activate_free_worker(wqe); +@@ -1085,6 +1086,8 @@ struct io_wq *io_wq_create(unsigned bounded, struct io_wq_data *data) + + if (WARN_ON_ONCE(!data->free_work || !data->do_work)) + return ERR_PTR(-EINVAL); ++ if (WARN_ON_ONCE(!bounded)) ++ return ERR_PTR(-EINVAL); + + wq = kzalloc(sizeof(*wq), GFP_KERNEL); + if (!wq) +-- +2.30.2 + diff --git a/queue-5.10/ipv6-use-prandom_u32-for-id-generation.patch b/queue-5.10/ipv6-use-prandom_u32-for-id-generation.patch new file mode 100644 index 00000000000..c626c0363a7 --- /dev/null +++ b/queue-5.10/ipv6-use-prandom_u32-for-id-generation.patch @@ -0,0 +1,94 @@ +From 15590a824b5e9c74c9732d9ea236bbfd54cab3c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 May 2021 13:07:46 +0200 +Subject: ipv6: use prandom_u32() for ID generation + +From: Willy Tarreau + +[ Upstream commit 62f20e068ccc50d6ab66fdb72ba90da2b9418c99 ] + +This is a complement to commit aa6dd211e4b1 ("inet: use bigger hash +table for IP ID generation"), but focusing on some specific aspects +of IPv6. + +Contary to IPv4, IPv6 only uses packet IDs with fragments, and with a +minimum MTU of 1280, it's much less easy to force a remote peer to +produce many fragments to explore its ID sequence. In addition packet +IDs are 32-bit in IPv6, which further complicates their analysis. On +the other hand, it is often easier to choose among plenty of possible +source addresses and partially work around the bigger hash table the +commit above permits, which leaves IPv6 partially exposed to some +possibilities of remote analysis at the risk of weakening some +protocols like DNS if some IDs can be predicted with a good enough +probability. + +Given the wide range of permitted IDs, the risk of collision is extremely +low so there's no need to rely on the positive increment algorithm that +is shared with the IPv4 code via ip_idents_reserve(). We have a fast +PRNG, so let's simply call prandom_u32() and be done with it. + +Performance measurements at 10 Gbps couldn't show any difference with +the previous code, even when using a single core, because due to the +large fragments, we're limited to only ~930 kpps at 10 Gbps and the cost +of the random generation is completely offset by other operations and by +the network transfer time. In addition, this change removes the need to +update a shared entry in the idents table so it may even end up being +slightly faster on large scale systems where this matters. + +The risk of at least one collision here is about 1/80 million among +10 IDs, 1/850k among 100 IDs, and still only 1/8.5k among 1000 IDs, +which remains very low compared to IPv4 where all IDs are reused +every 4 to 80ms on a 10 Gbps flow depending on packet sizes. + +Reported-by: Amit Klein +Signed-off-by: Willy Tarreau +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20210529110746.6796-1-w@1wt.eu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/output_core.c | 28 +++++----------------------- + 1 file changed, 5 insertions(+), 23 deletions(-) + +diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c +index af36acc1a644..2880dc7d9a49 100644 +--- a/net/ipv6/output_core.c ++++ b/net/ipv6/output_core.c +@@ -15,29 +15,11 @@ static u32 __ipv6_select_ident(struct net *net, + const struct in6_addr *dst, + const struct in6_addr *src) + { +- const struct { +- struct in6_addr dst; +- struct in6_addr src; +- } __aligned(SIPHASH_ALIGNMENT) combined = { +- .dst = *dst, +- .src = *src, +- }; +- u32 hash, id; +- +- /* Note the following code is not safe, but this is okay. */ +- if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key))) +- get_random_bytes(&net->ipv4.ip_id_key, +- sizeof(net->ipv4.ip_id_key)); +- +- hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key); +- +- /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve, +- * set the hight order instead thus minimizing possible future +- * collisions. +- */ +- id = ip_idents_reserve(hash, 1); +- if (unlikely(!id)) +- id = 1 << 31; ++ u32 id; ++ ++ do { ++ id = prandom_u32(); ++ } while (!id); + + return id; + } +-- +2.30.2 + diff --git a/queue-5.10/iwlwifi-mvm-don-t-change-band-on-bound-phy-contexts.patch b/queue-5.10/iwlwifi-mvm-don-t-change-band-on-bound-phy-contexts.patch new file mode 100644 index 00000000000..6db0327bbe7 --- /dev/null +++ b/queue-5.10/iwlwifi-mvm-don-t-change-band-on-bound-phy-contexts.patch @@ -0,0 +1,83 @@ +From 5a3c27e4dfeee47b28bf54b93f0a72d00e7b6a0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 14:32:38 +0300 +Subject: iwlwifi: mvm: don't change band on bound PHY contexts + +From: Johannes Berg + +[ Upstream commit 8835a64f74c46baebfc946cd5a2c861b866ebcee ] + +When we have a P2P Device active, we attempt to only change the +PHY context it uses when we get a new remain-on-channel, if the +P2P Device is the only user of the PHY context. + +This is fine if we're switching within a band, but if we're +switching bands then the switch implies a removal and re-add +of the PHY context, which isn't permitted by the firmware while +it's bound to an interface. + +Fix the code to skip the unbind/release/... cycle only if the +band doesn't change (or we have old devices that can switch the +band on the fly as well.) + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20210612142637.e9ac313f70f3.I713b9d109957df7e7d9ed0861d5377ce3f8fccd3@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + .../net/wireless/intel/iwlwifi/mvm/mac80211.c | 24 ++++++++++++++----- + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +index d42165559df6..8cba923b1ec6 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -3794,6 +3794,7 @@ static int iwl_mvm_roc(struct ieee80211_hw *hw, + struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); + struct cfg80211_chan_def chandef; + struct iwl_mvm_phy_ctxt *phy_ctxt; ++ bool band_change_removal; + int ret, i; + + IWL_DEBUG_MAC80211(mvm, "enter (%d, %d, %d)\n", channel->hw_value, +@@ -3874,19 +3875,30 @@ static int iwl_mvm_roc(struct ieee80211_hw *hw, + cfg80211_chandef_create(&chandef, channel, NL80211_CHAN_NO_HT); + + /* +- * Change the PHY context configuration as it is currently referenced +- * only by the P2P Device MAC ++ * Check if the remain-on-channel is on a different band and that ++ * requires context removal, see iwl_mvm_phy_ctxt_changed(). If ++ * so, we'll need to release and then re-configure here, since we ++ * must not remove a PHY context that's part of a binding. + */ +- if (mvmvif->phy_ctxt->ref == 1) { ++ band_change_removal = ++ fw_has_capa(&mvm->fw->ucode_capa, ++ IWL_UCODE_TLV_CAPA_BINDING_CDB_SUPPORT) && ++ mvmvif->phy_ctxt->channel->band != chandef.chan->band; ++ ++ if (mvmvif->phy_ctxt->ref == 1 && !band_change_removal) { ++ /* ++ * Change the PHY context configuration as it is currently ++ * referenced only by the P2P Device MAC (and we can modify it) ++ */ + ret = iwl_mvm_phy_ctxt_changed(mvm, mvmvif->phy_ctxt, + &chandef, 1, 1); + if (ret) + goto out_unlock; + } else { + /* +- * The PHY context is shared with other MACs. Need to remove the +- * P2P Device from the binding, allocate an new PHY context and +- * create a new binding ++ * The PHY context is shared with other MACs (or we're trying to ++ * switch bands), so remove the P2P Device from the binding, ++ * allocate an new PHY context and create a new binding. + */ + phy_ctxt = iwl_mvm_get_free_phy_ctxt(mvm); + if (!phy_ctxt) { +-- +2.30.2 + diff --git a/queue-5.10/iwlwifi-mvm-fix-error-print-when-session-protection-.patch b/queue-5.10/iwlwifi-mvm-fix-error-print-when-session-protection-.patch new file mode 100644 index 00000000000..ebc167e8e68 --- /dev/null +++ b/queue-5.10/iwlwifi-mvm-fix-error-print-when-session-protection-.patch @@ -0,0 +1,49 @@ +From 81e643ccc7327550f4e6201408b61e9889101499 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jun 2021 10:08:45 +0300 +Subject: iwlwifi: mvm: fix error print when session protection ends + +From: Shaul Triebitz + +[ Upstream commit 976ac0af7ba2c5424bc305b926c0807d96fdcc83 ] + +When the session protection ends and the Driver is not +associated or a beacon was not heard, the Driver +prints "No beacons heard...". +That's confusing for the case where not associated. +Change the print when not associated to "Not associated...". + +Signed-off-by: Shaul Triebitz +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20210617100544.41a5a5a894fa.I9eabb76e7a3a7f4abbed8f2ef918f1df8e825726@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/time-event.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c +index 3939eccd3d5a..394598b14a17 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c +@@ -345,6 +345,8 @@ static void iwl_mvm_te_handle_notif(struct iwl_mvm *mvm, + * and know the dtim period. + */ + iwl_mvm_te_check_disconnect(mvm, te_data->vif, ++ !te_data->vif->bss_conf.assoc ? ++ "Not associated and the time event is over already..." : + "No beacon heard and the time event is over already..."); + break; + default: +@@ -843,6 +845,8 @@ void iwl_mvm_rx_session_protect_notif(struct iwl_mvm *mvm, + * and know the dtim period. + */ + iwl_mvm_te_check_disconnect(mvm, vif, ++ !vif->bss_conf.assoc ? ++ "Not associated and the session protection is over already..." : + "No beacon heard and the session protection is over already..."); + spin_lock_bh(&mvm->time_event_lock); + iwl_mvm_te_clear_data(mvm, te_data); +-- +2.30.2 + diff --git a/queue-5.10/iwlwifi-pcie-fix-context-info-freeing.patch b/queue-5.10/iwlwifi-pcie-fix-context-info-freeing.patch new file mode 100644 index 00000000000..b60f46e61e5 --- /dev/null +++ b/queue-5.10/iwlwifi-pcie-fix-context-info-freeing.patch @@ -0,0 +1,43 @@ +From 12bd71034101bab20b6e4fe99ca87359d1a26983 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 11:01:17 +0300 +Subject: iwlwifi: pcie: fix context info freeing + +From: Johannes Berg + +[ Upstream commit 26d18c75a7496c4c52b0b6789e713dc76ebfbc87 ] + +After firmware alive, iwl_trans_pcie_gen2_fw_alive() is called +to free the context info. However, on gen3 that will then free +the context info with the wrong size. + +Since we free this allocation later, let it stick around until +the device is stopped for now, freeing some of it earlier is a +separate change. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20210618105614.afb63fb8cbc1.If4968db8e09f4ce2a1d27a6d750bca3d132d7d70@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c +index 4c3ca2a37696..b031e9304983 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c +@@ -269,7 +269,8 @@ void iwl_trans_pcie_gen2_fw_alive(struct iwl_trans *trans, u32 scd_addr) + /* now that we got alive we can free the fw image & the context info. + * paging memory cannot be freed included since FW will still use it + */ +- iwl_pcie_ctxt_info_free(trans); ++ if (trans->trans_cfg->device_family < IWL_DEVICE_FAMILY_AX210) ++ iwl_pcie_ctxt_info_free(trans); + + /* + * Re-enable all the interrupts, including the RF-Kill one, now that +-- +2.30.2 + diff --git a/queue-5.10/iwlwifi-pcie-free-iml-dma-memory-allocation.patch b/queue-5.10/iwlwifi-pcie-free-iml-dma-memory-allocation.patch new file mode 100644 index 00000000000..4bb86660bcb --- /dev/null +++ b/queue-5.10/iwlwifi-pcie-free-iml-dma-memory-allocation.patch @@ -0,0 +1,91 @@ +From 3ca5fc08aad82a11bfb3537aa398a93738f4d7c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 11:01:16 +0300 +Subject: iwlwifi: pcie: free IML DMA memory allocation + +From: Johannes Berg + +[ Upstream commit 310f60f53a86eba680d9bc20a371e13b06a5f903 ] + +In the case of gen3 devices with image loader (IML) support, +we were leaking the IML DMA allocation and never freeing it. +Fix that. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20210618105614.07e117dbedb7.I7bb9ebbe0617656986c2a598ea5e827b533bd3b9@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + .../wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c | 15 ++++++++++----- + .../net/wireless/intel/iwlwifi/pcie/internal.h | 3 +++ + 2 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c b/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c +index ec1d6025081d..56f63f5f5dd3 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c +@@ -126,7 +126,6 @@ int iwl_pcie_ctxt_info_gen3_init(struct iwl_trans *trans, + struct iwl_prph_scratch *prph_scratch; + struct iwl_prph_scratch_ctrl_cfg *prph_sc_ctrl; + struct iwl_prph_info *prph_info; +- void *iml_img; + u32 control_flags = 0; + int ret; + int cmdq_size = max_t(u32, IWL_CMD_QUEUE_SIZE, +@@ -234,14 +233,15 @@ int iwl_pcie_ctxt_info_gen3_init(struct iwl_trans *trans, + trans_pcie->prph_scratch = prph_scratch; + + /* Allocate IML */ +- iml_img = dma_alloc_coherent(trans->dev, trans->iml_len, +- &trans_pcie->iml_dma_addr, GFP_KERNEL); +- if (!iml_img) { ++ trans_pcie->iml = dma_alloc_coherent(trans->dev, trans->iml_len, ++ &trans_pcie->iml_dma_addr, ++ GFP_KERNEL); ++ if (!trans_pcie->iml) { + ret = -ENOMEM; + goto err_free_ctxt_info; + } + +- memcpy(iml_img, trans->iml, trans->iml_len); ++ memcpy(trans_pcie->iml, trans->iml, trans->iml_len); + + iwl_enable_fw_load_int_ctx_info(trans); + +@@ -290,6 +290,11 @@ void iwl_pcie_ctxt_info_gen3_free(struct iwl_trans *trans) + trans_pcie->ctxt_info_dma_addr = 0; + trans_pcie->ctxt_info_gen3 = NULL; + ++ dma_free_coherent(trans->dev, trans->iml_len, trans_pcie->iml, ++ trans_pcie->iml_dma_addr); ++ trans_pcie->iml_dma_addr = 0; ++ trans_pcie->iml = NULL; ++ + iwl_pcie_ctxt_info_free_fw_img(trans); + + dma_free_coherent(trans->dev, sizeof(*trans_pcie->prph_scratch), +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/internal.h b/drivers/net/wireless/intel/iwlwifi/pcie/internal.h +index ff542d2f0054..f05025e8d11d 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/internal.h ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/internal.h +@@ -336,6 +336,8 @@ struct cont_rec { + * Context information addresses will be taken from here. + * This is driver's local copy for keeping track of size and + * count for allocating and freeing the memory. ++ * @iml: image loader image virtual address ++ * @iml_dma_addr: image loader image DMA address + * @trans: pointer to the generic transport area + * @scd_base_addr: scheduler sram base address in SRAM + * @kw: keep warm address +@@ -388,6 +390,7 @@ struct iwl_trans_pcie { + }; + struct iwl_prph_info *prph_info; + struct iwl_prph_scratch *prph_scratch; ++ void *iml; + dma_addr_t ctxt_info_dma_addr; + dma_addr_t prph_info_dma_addr; + dma_addr_t prph_scratch_dma_addr; +-- +2.30.2 + diff --git a/queue-5.10/mac80211-consider-per-cpu-statistics-if-present.patch b/queue-5.10/mac80211-consider-per-cpu-statistics-if-present.patch new file mode 100644 index 00000000000..49d8b9ea040 --- /dev/null +++ b/queue-5.10/mac80211-consider-per-cpu-statistics-if-present.patch @@ -0,0 +1,76 @@ +From 483f646939a5c33781c8e8927ae748a1d5f2b6eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 22:08:16 +0200 +Subject: mac80211: consider per-CPU statistics if present + +From: Johannes Berg + +[ Upstream commit d656a4c6ead6c3f252b2f2532bc9735598f7e317 ] + +If we have been keeping per-CPU statistics, consider them +regardless of USES_RSS, because we may not actually fill +those, for example in non-fast-RX cases when the connection +is not compatible with fast-RX. If we didn't fill them, the +additional data will be zero and not affect anything, and +if we did fill them then it's more correct to consider them. + +This fixes an issue in mesh mode where some statistics are +not updated due to USES_RSS being set, but fast-RX isn't +used. + +Reported-by: Thiraviyam Mariyappan +Link: https://lore.kernel.org/r/20210610220814.13b35f5797c5.I511e9b33c5694e0d6cef4b6ae755c873d7c22124@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index 13250cadb420..e18c3855f616 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -2088,10 +2088,9 @@ static struct ieee80211_sta_rx_stats * + sta_get_last_rx_stats(struct sta_info *sta) + { + struct ieee80211_sta_rx_stats *stats = &sta->rx_stats; +- struct ieee80211_local *local = sta->local; + int cpu; + +- if (!ieee80211_hw_check(&local->hw, USES_RSS)) ++ if (!sta->pcpu_rx_stats) + return stats; + + for_each_possible_cpu(cpu) { +@@ -2191,9 +2190,7 @@ static void sta_set_tidstats(struct sta_info *sta, + int cpu; + + if (!(tidstats->filled & BIT(NL80211_TID_STATS_RX_MSDU))) { +- if (!ieee80211_hw_check(&local->hw, USES_RSS)) +- tidstats->rx_msdu += +- sta_get_tidstats_msdu(&sta->rx_stats, tid); ++ tidstats->rx_msdu += sta_get_tidstats_msdu(&sta->rx_stats, tid); + + if (sta->pcpu_rx_stats) { + for_each_possible_cpu(cpu) { +@@ -2272,7 +2269,6 @@ void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo, + sinfo->rx_beacon = sdata->u.mgd.count_beacon_signal; + + drv_sta_statistics(local, sdata, &sta->sta, sinfo); +- + sinfo->filled |= BIT_ULL(NL80211_STA_INFO_INACTIVE_TIME) | + BIT_ULL(NL80211_STA_INFO_STA_FLAGS) | + BIT_ULL(NL80211_STA_INFO_BSS_PARAM) | +@@ -2307,8 +2303,7 @@ void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo, + + if (!(sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES64) | + BIT_ULL(NL80211_STA_INFO_RX_BYTES)))) { +- if (!ieee80211_hw_check(&local->hw, USES_RSS)) +- sinfo->rx_bytes += sta_get_stats_bytes(&sta->rx_stats); ++ sinfo->rx_bytes += sta_get_stats_bytes(&sta->rx_stats); + + if (sta->pcpu_rx_stats) { + for_each_possible_cpu(cpu) { +-- +2.30.2 + diff --git a/queue-5.10/mac80211_hwsim-add-concurrent-channels-scanning-supp.patch b/queue-5.10/mac80211_hwsim-add-concurrent-channels-scanning-supp.patch new file mode 100644 index 00000000000..f6f030bf72f --- /dev/null +++ b/queue-5.10/mac80211_hwsim-add-concurrent-channels-scanning-supp.patch @@ -0,0 +1,173 @@ +From e0d33275d6dc8f35098cbe7b2a459e3eca875f69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 11:05:29 -0700 +Subject: mac80211_hwsim: add concurrent channels scanning support over virtio + +From: Weilun Du + +[ Upstream commit 626c30f9e77354301ff9162c3bdddaf92d9b5cf3 ] + +This fixed the crash when setting channels to 2 or more when +communicating over virtio. + +Signed-off-by: Weilun Du +Link: https://lore.kernel.org/r/20210506180530.3418576-1-wdu@google.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mac80211_hwsim.c | 48 +++++++++++++++++++++------ + 1 file changed, 38 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index f147d4feedb9..4ca0b06d09ad 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -557,6 +557,7 @@ struct mac80211_hwsim_data { + u32 ciphers[ARRAY_SIZE(hwsim_ciphers)]; + + struct mac_address addresses[2]; ++ struct ieee80211_chanctx_conf *chanctx; + int channels, idx; + bool use_chanctx; + bool destroy_on_close; +@@ -1187,7 +1188,8 @@ static inline u16 trans_tx_rate_flags_ieee2hwsim(struct ieee80211_tx_rate *rate) + + static void mac80211_hwsim_tx_frame_nl(struct ieee80211_hw *hw, + struct sk_buff *my_skb, +- int dst_portid) ++ int dst_portid, ++ struct ieee80211_channel *channel) + { + struct sk_buff *skb; + struct mac80211_hwsim_data *data = hw->priv; +@@ -1242,7 +1244,7 @@ static void mac80211_hwsim_tx_frame_nl(struct ieee80211_hw *hw, + if (nla_put_u32(skb, HWSIM_ATTR_FLAGS, hwsim_flags)) + goto nla_put_failure; + +- if (nla_put_u32(skb, HWSIM_ATTR_FREQ, data->channel->center_freq)) ++ if (nla_put_u32(skb, HWSIM_ATTR_FREQ, channel->center_freq)) + goto nla_put_failure; + + /* We get the tx control (rate and retries) info*/ +@@ -1589,7 +1591,7 @@ static void mac80211_hwsim_tx(struct ieee80211_hw *hw, + _portid = READ_ONCE(data->wmediumd); + + if (_portid || hwsim_virtio_enabled) +- return mac80211_hwsim_tx_frame_nl(hw, skb, _portid); ++ return mac80211_hwsim_tx_frame_nl(hw, skb, _portid, channel); + + /* NO wmediumd detected, perfect medium simulation */ + data->tx_pkts++; +@@ -1705,7 +1707,7 @@ static void mac80211_hwsim_tx_frame(struct ieee80211_hw *hw, + mac80211_hwsim_monitor_rx(hw, skb, chan); + + if (_pid || hwsim_virtio_enabled) +- return mac80211_hwsim_tx_frame_nl(hw, skb, _pid); ++ return mac80211_hwsim_tx_frame_nl(hw, skb, _pid, chan); + + mac80211_hwsim_tx_frame_no_nl(hw, skb, chan); + dev_kfree_skb(skb); +@@ -2444,6 +2446,11 @@ static int mac80211_hwsim_croc(struct ieee80211_hw *hw, + static int mac80211_hwsim_add_chanctx(struct ieee80211_hw *hw, + struct ieee80211_chanctx_conf *ctx) + { ++ struct mac80211_hwsim_data *hwsim = hw->priv; ++ ++ mutex_lock(&hwsim->mutex); ++ hwsim->chanctx = ctx; ++ mutex_unlock(&hwsim->mutex); + hwsim_set_chanctx_magic(ctx); + wiphy_dbg(hw->wiphy, + "add channel context control: %d MHz/width: %d/cfreqs:%d/%d MHz\n", +@@ -2455,6 +2462,11 @@ static int mac80211_hwsim_add_chanctx(struct ieee80211_hw *hw, + static void mac80211_hwsim_remove_chanctx(struct ieee80211_hw *hw, + struct ieee80211_chanctx_conf *ctx) + { ++ struct mac80211_hwsim_data *hwsim = hw->priv; ++ ++ mutex_lock(&hwsim->mutex); ++ hwsim->chanctx = NULL; ++ mutex_unlock(&hwsim->mutex); + wiphy_dbg(hw->wiphy, + "remove channel context control: %d MHz/width: %d/cfreqs:%d/%d MHz\n", + ctx->def.chan->center_freq, ctx->def.width, +@@ -2467,6 +2479,11 @@ static void mac80211_hwsim_change_chanctx(struct ieee80211_hw *hw, + struct ieee80211_chanctx_conf *ctx, + u32 changed) + { ++ struct mac80211_hwsim_data *hwsim = hw->priv; ++ ++ mutex_lock(&hwsim->mutex); ++ hwsim->chanctx = ctx; ++ mutex_unlock(&hwsim->mutex); + hwsim_check_chanctx_magic(ctx); + wiphy_dbg(hw->wiphy, + "change channel context control: %d MHz/width: %d/cfreqs:%d/%d MHz\n", +@@ -3059,6 +3076,7 @@ static int mac80211_hwsim_new_radio(struct genl_info *info, + hw->wiphy->max_remain_on_channel_duration = 1000; + data->if_combination.radar_detect_widths = 0; + data->if_combination.num_different_channels = data->channels; ++ data->chanctx = NULL; + } else { + data->if_combination.num_different_channels = 1; + data->if_combination.radar_detect_widths = +@@ -3566,6 +3584,7 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2, + int frame_data_len; + void *frame_data; + struct sk_buff *skb = NULL; ++ struct ieee80211_channel *channel = NULL; + + if (!info->attrs[HWSIM_ATTR_ADDR_RECEIVER] || + !info->attrs[HWSIM_ATTR_FRAME] || +@@ -3592,6 +3611,17 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2, + if (!data2) + goto out; + ++ if (data2->use_chanctx) { ++ if (data2->tmp_chan) ++ channel = data2->tmp_chan; ++ else if (data2->chanctx) ++ channel = data2->chanctx->def.chan; ++ } else { ++ channel = data2->channel; ++ } ++ if (!channel) ++ goto out; ++ + if (!hwsim_virtio_enabled) { + if (hwsim_net_get_netgroup(genl_info_net(info)) != + data2->netgroup) +@@ -3603,7 +3633,7 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2, + + /* check if radio is configured properly */ + +- if (data2->idle || !data2->started) ++ if ((data2->idle && !data2->tmp_chan) || !data2->started) + goto out; + + /* A frame is received from user space */ +@@ -3616,18 +3646,16 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2, + mutex_lock(&data2->mutex); + rx_status.freq = nla_get_u32(info->attrs[HWSIM_ATTR_FREQ]); + +- if (rx_status.freq != data2->channel->center_freq && +- (!data2->tmp_chan || +- rx_status.freq != data2->tmp_chan->center_freq)) { ++ if (rx_status.freq != channel->center_freq) { + mutex_unlock(&data2->mutex); + goto out; + } + mutex_unlock(&data2->mutex); + } else { +- rx_status.freq = data2->channel->center_freq; ++ rx_status.freq = channel->center_freq; + } + +- rx_status.band = data2->channel->band; ++ rx_status.band = channel->band; + rx_status.rate_idx = nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]); + rx_status.signal = nla_get_u32(info->attrs[HWSIM_ATTR_SIGNAL]); + +-- +2.30.2 + diff --git a/queue-5.10/media-bpf-do-not-copy-more-entries-than-user-space-r.patch b/queue-5.10/media-bpf-do-not-copy-more-entries-than-user-space-r.patch new file mode 100644 index 00000000000..c8dcfd0e458 --- /dev/null +++ b/queue-5.10/media-bpf-do-not-copy-more-entries-than-user-space-r.patch @@ -0,0 +1,43 @@ +From b8f711294236f33f1041df25a55f93f2920814b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jun 2021 22:37:54 +0100 +Subject: media, bpf: Do not copy more entries than user space requested + +From: Sean Young + +[ Upstream commit 647d446d66e493d23ca1047fa8492b0269674530 ] + +The syscall bpf(BPF_PROG_QUERY, &attr) should use the prog_cnt field to +see how many entries user space provided and return ENOSPC if there are +more programs than that. Before this patch, this is not checked and +ENOSPC is never returned. + +Note that one lirc device is limited to 64 bpf programs, and user space +I'm aware of -- ir-keytable -- always gives enough space for 64 entries +already. However, we should not copy program ids than are requested. + +Signed-off-by: Sean Young +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20210623213754.632-1-sean@mess.org +Signed-off-by: Sasha Levin +--- + drivers/media/rc/bpf-lirc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/rc/bpf-lirc.c b/drivers/media/rc/bpf-lirc.c +index 3fe3edd80876..afae0afe3f81 100644 +--- a/drivers/media/rc/bpf-lirc.c ++++ b/drivers/media/rc/bpf-lirc.c +@@ -326,7 +326,8 @@ int lirc_prog_query(const union bpf_attr *attr, union bpf_attr __user *uattr) + } + + if (attr->query.prog_cnt != 0 && prog_ids && cnt) +- ret = bpf_prog_array_copy_to_user(progs, prog_ids, cnt); ++ ret = bpf_prog_array_copy_to_user(progs, prog_ids, ++ attr->query.prog_cnt); + + unlock: + mutex_unlock(&ir_raw_handler_lock); +-- +2.30.2 + diff --git a/queue-5.10/mips-add-pmd-table-accounting-into-mips-pmd_alloc_on.patch b/queue-5.10/mips-add-pmd-table-accounting-into-mips-pmd_alloc_on.patch new file mode 100644 index 00000000000..643f1b9c1d8 --- /dev/null +++ b/queue-5.10/mips-add-pmd-table-accounting-into-mips-pmd_alloc_on.patch @@ -0,0 +1,50 @@ +From 364915888d06e4e203b3bff4b63e1507f29ac746 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 15:09:46 +0800 +Subject: MIPS: add PMD table accounting into MIPS'pmd_alloc_one + +From: Huang Pei + +[ Upstream commit ed914d48b6a1040d1039d371b56273d422c0081e ] + +This fixes Page Table accounting bug. + +MIPS is the ONLY arch just defining __HAVE_ARCH_PMD_ALLOC_ONE alone. +Since commit b2b29d6d011944 (mm: account PMD tables like PTE tables), +"pmd_free" in asm-generic with PMD table accounting and "pmd_alloc_one" +in MIPS without PMD table accounting causes PageTable accounting number +negative, which read by global_zone_page_state(), always returns 0. + +Signed-off-by: Huang Pei +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/pgalloc.h | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/arch/mips/include/asm/pgalloc.h b/arch/mips/include/asm/pgalloc.h +index 8b18424b3120..d0cf997b4ba8 100644 +--- a/arch/mips/include/asm/pgalloc.h ++++ b/arch/mips/include/asm/pgalloc.h +@@ -59,11 +59,15 @@ do { \ + + static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long address) + { +- pmd_t *pmd; ++ pmd_t *pmd = NULL; ++ struct page *pg; + +- pmd = (pmd_t *) __get_free_pages(GFP_KERNEL, PMD_ORDER); +- if (pmd) ++ pg = alloc_pages(GFP_KERNEL | __GFP_ACCOUNT, PMD_ORDER); ++ if (pg) { ++ pgtable_pmd_page_ctor(pg); ++ pmd = (pmd_t *)page_address(pg); + pmd_init((unsigned long)pmd, (unsigned long)invalid_pte_table); ++ } + return pmd; + } + +-- +2.30.2 + diff --git a/queue-5.10/mips-cpu-probe-fix-fpu-detection-on-ingenic-jz4760-b.patch b/queue-5.10/mips-cpu-probe-fix-fpu-detection-on-ingenic-jz4760-b.patch new file mode 100644 index 00000000000..a667ab626a2 --- /dev/null +++ b/queue-5.10/mips-cpu-probe-fix-fpu-detection-on-ingenic-jz4760-b.patch @@ -0,0 +1,39 @@ +From b46f22867dd58d431d457e0786a46f768946a3e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 May 2021 18:17:57 +0100 +Subject: MIPS: cpu-probe: Fix FPU detection on Ingenic JZ4760(B) + +From: Paul Cercueil + +[ Upstream commit fc52f92a653215fbd6bc522ac5311857b335e589 ] + +Ingenic JZ4760 and JZ4760B do have a FPU, but the config registers don't +report it. Force the FPU detection in case the processor ID match the +JZ4760(B) one. + +Signed-off-by: Paul Cercueil +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/cpu-probe.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/mips/kernel/cpu-probe.c b/arch/mips/kernel/cpu-probe.c +index e6ae2bcdbeda..067cb3eb1614 100644 +--- a/arch/mips/kernel/cpu-probe.c ++++ b/arch/mips/kernel/cpu-probe.c +@@ -1827,6 +1827,11 @@ static inline void cpu_probe_ingenic(struct cpuinfo_mips *c, unsigned int cpu) + */ + case PRID_COMP_INGENIC_D0: + c->isa_level &= ~MIPS_CPU_ISA_M32R2; ++ ++ /* FPU is not properly detected on JZ4760(B). */ ++ if (c->processor_id == 0x2ed0024f) ++ c->options |= MIPS_CPU_FPU; ++ + fallthrough; + + /* +-- +2.30.2 + diff --git a/queue-5.10/mips-ingenic-select-cpu_supports_cpufreq-mips_extern.patch b/queue-5.10/mips-ingenic-select-cpu_supports_cpufreq-mips_extern.patch new file mode 100644 index 00000000000..be60f9bb50d --- /dev/null +++ b/queue-5.10/mips-ingenic-select-cpu_supports_cpufreq-mips_extern.patch @@ -0,0 +1,40 @@ +From d007ad5984aac6220a0b5276cdbaf9f4963a38ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 May 2021 18:17:59 +0100 +Subject: MIPS: ingenic: Select CPU_SUPPORTS_CPUFREQ && MIPS_EXTERNAL_TIMER + +From: Paul Cercueil + +[ Upstream commit eb3849370ae32b571e1f9a63ba52c61adeaf88f7 ] + +The clock driving the XBurst CPUs in Ingenic SoCs is integer divided +from the main PLL. As such, it is possible to control the frequency of +the CPU, either by changing the divider, or by changing the rate of the +main PLL. + +The XBurst CPUs also lack the CP0 timer; the TCU, a separate piece of +hardware in the SoC, provides this functionality. + +Signed-off-by: Paul Cercueil +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig +index 1917ccd39256..1a63f592034e 100644 +--- a/arch/mips/Kconfig ++++ b/arch/mips/Kconfig +@@ -418,6 +418,8 @@ config MACH_INGENIC_SOC + select MIPS_GENERIC + select MACH_INGENIC + select SYS_SUPPORTS_ZBOOT_UART16550 ++ select CPU_SUPPORTS_CPUFREQ ++ select MIPS_EXTERNAL_TIMER + + config LANTIQ + bool "Lantiq based platforms" +-- +2.30.2 + diff --git a/queue-5.10/mips-loongsoon64-reserve-memory-below-starting-pfn-t.patch b/queue-5.10/mips-loongsoon64-reserve-memory-below-starting-pfn-t.patch new file mode 100644 index 00000000000..7c1b451e46a --- /dev/null +++ b/queue-5.10/mips-loongsoon64-reserve-memory-below-starting-pfn-t.patch @@ -0,0 +1,48 @@ +From 3dc7b5d45385d9ada595dabfc156a3d0f4b55bb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jun 2021 17:11:05 +0800 +Subject: MIPS: loongsoon64: Reserve memory below starting pfn to prevent Oops + +From: zhanglianjie + +[ Upstream commit 6817c944430d00f71ccaa9c99ff5b0096aeb7873 ] + +The cause of the problem is as follows: +1. when cat /sys/devices/system/memory/memory0/valid_zones, + test_pages_in_a_zone() will be called. +2. test_pages_in_a_zone() finds the zone according to stat_pfn = 0. + The smallest pfn of the numa node in the mips architecture is 128, + and the page corresponding to the previous 0~127 pfn is not + initialized (page->flags is 0xFFFFFFFF) +3. The nid and zonenum obtained using page_zone(pfn_to_page(0)) are out + of bounds in the corresponding array, + &NODE_DATA(page_to_nid(page))->node_zones[page_zonenum(page)], + access to the out-of-bounds zone member variables appear abnormal, + resulting in Oops. +Therefore, it is necessary to keep the page between 0 and the minimum +pfn to prevent Oops from appearing. + +Signed-off-by: zhanglianjie +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/loongson64/numa.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/mips/loongson64/numa.c b/arch/mips/loongson64/numa.c +index cf9459f79f9b..e4c461df3ee6 100644 +--- a/arch/mips/loongson64/numa.c ++++ b/arch/mips/loongson64/numa.c +@@ -182,6 +182,9 @@ static void __init node_mem_init(unsigned int node) + if (node_end_pfn(0) >= (0xffffffff >> PAGE_SHIFT)) + memblock_reserve((node_addrspace_offset | 0xfe000000), + 32 << 20); ++ ++ /* Reserve pfn range 0~node[0]->node_start_pfn */ ++ memblock_reserve(0, PAGE_SIZE * start_pfn); + } + } + +-- +2.30.2 + diff --git a/queue-5.10/mips-set-mips32r5-for-virt-extensions.patch b/queue-5.10/mips-set-mips32r5-for-virt-extensions.patch new file mode 100644 index 00000000000..779fc8e58b6 --- /dev/null +++ b/queue-5.10/mips-set-mips32r5-for-virt-extensions.patch @@ -0,0 +1,65 @@ +From d08533519ce0200c90b57207b916ff00ac84f5e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jun 2021 14:50:26 -0700 +Subject: MIPS: set mips32r5 for virt extensions + +From: Nick Desaulniers + +[ Upstream commit c994a3ec7ecc8bd2a837b2061e8a76eb8efc082b ] + +Clang's integrated assembler only accepts these instructions when the +cpu is set to mips32r5. With this change, we can assemble +malta_defconfig with Clang via `make LLVM_IAS=1`. + +Link: https://github.com/ClangBuiltLinux/linux/issues/763 +Reported-by: Dmitry Golovin +Signed-off-by: Nick Desaulniers +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/mipsregs.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/mips/include/asm/mipsregs.h b/arch/mips/include/asm/mipsregs.h +index a0e8ae5497b6..7a7467d3f7f0 100644 +--- a/arch/mips/include/asm/mipsregs.h ++++ b/arch/mips/include/asm/mipsregs.h +@@ -2073,7 +2073,7 @@ _ASM_MACRO_0(tlbginvf, _ASM_INSN_IF_MIPS(0x4200000c) + ({ int __res; \ + __asm__ __volatile__( \ + ".set\tpush\n\t" \ +- ".set\tmips32r2\n\t" \ ++ ".set\tmips32r5\n\t" \ + _ASM_SET_VIRT \ + "mfgc0\t%0, " #source ", %1\n\t" \ + ".set\tpop" \ +@@ -2086,7 +2086,7 @@ _ASM_MACRO_0(tlbginvf, _ASM_INSN_IF_MIPS(0x4200000c) + ({ unsigned long long __res; \ + __asm__ __volatile__( \ + ".set\tpush\n\t" \ +- ".set\tmips64r2\n\t" \ ++ ".set\tmips64r5\n\t" \ + _ASM_SET_VIRT \ + "dmfgc0\t%0, " #source ", %1\n\t" \ + ".set\tpop" \ +@@ -2099,7 +2099,7 @@ _ASM_MACRO_0(tlbginvf, _ASM_INSN_IF_MIPS(0x4200000c) + do { \ + __asm__ __volatile__( \ + ".set\tpush\n\t" \ +- ".set\tmips32r2\n\t" \ ++ ".set\tmips32r5\n\t" \ + _ASM_SET_VIRT \ + "mtgc0\t%z0, " #register ", %1\n\t" \ + ".set\tpop" \ +@@ -2111,7 +2111,7 @@ do { \ + do { \ + __asm__ __volatile__( \ + ".set\tpush\n\t" \ +- ".set\tmips64r2\n\t" \ ++ ".set\tmips64r5\n\t" \ + _ASM_SET_VIRT \ + "dmtgc0\t%z0, " #register ", %1\n\t" \ + ".set\tpop" \ +-- +2.30.2 + diff --git a/queue-5.10/misdn-fix-possible-use-after-free-in-hfc_cleanup.patch b/queue-5.10/misdn-fix-possible-use-after-free-in-hfc_cleanup.patch new file mode 100644 index 00000000000..2b138e11e89 --- /dev/null +++ b/queue-5.10/misdn-fix-possible-use-after-free-in-hfc_cleanup.patch @@ -0,0 +1,41 @@ +From 105823b943eef0eaae7a200c0120b0b1f664f1b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 May 2021 14:58:53 +0800 +Subject: mISDN: fix possible use-after-free in HFC_cleanup() + +From: Zou Wei + +[ Upstream commit 009fc857c5f6fda81f2f7dd851b2d54193a8e733 ] + +This module's remove path calls del_timer(). However, that function +does not wait until the timer handler finishes. This means that the +timer handler may still be running after the driver's remove function +has finished, which would result in a use-after-free. + +Fix by calling del_timer_sync(), which makes sure the timer handler +has finished, and unable to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/hardware/mISDN/hfcpci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c +index 56bd2e9db6ed..e501cb03f211 100644 +--- a/drivers/isdn/hardware/mISDN/hfcpci.c ++++ b/drivers/isdn/hardware/mISDN/hfcpci.c +@@ -2342,7 +2342,7 @@ static void __exit + HFC_cleanup(void) + { + if (timer_pending(&hfc_tl)) +- del_timer(&hfc_tl); ++ del_timer_sync(&hfc_tl); + + pci_unregister_driver(&hfc_driver); + } +-- +2.30.2 + diff --git a/queue-5.10/mt76-mt7615-fix-fixed-rate-tx-status-reporting.patch b/queue-5.10/mt76-mt7615-fix-fixed-rate-tx-status-reporting.patch new file mode 100644 index 00000000000..8664cfb500b --- /dev/null +++ b/queue-5.10/mt76-mt7615-fix-fixed-rate-tx-status-reporting.patch @@ -0,0 +1,59 @@ +From 31856ab9302fe4cec71014aabd16b2b617fe645b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 May 2021 14:07:53 +0200 +Subject: mt76: mt7615: fix fixed-rate tx status reporting + +From: Felix Fietkau + +[ Upstream commit ec8f1a90d006f7cedcf86ef19fd034a406a213d6 ] + +Rely on the txs fixed-rate bit instead of info->control.rates + +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c +index 5795e44f8a52..f44f478bb970 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c +@@ -1177,22 +1177,20 @@ static bool mt7615_fill_txs(struct mt7615_dev *dev, struct mt7615_sta *sta, + int first_idx = 0, last_idx; + int i, idx, count; + bool fixed_rate, ack_timeout; +- bool probe, ampdu, cck = false; ++ bool ampdu, cck = false; + bool rs_idx; + u32 rate_set_tsf; + u32 final_rate, final_rate_flags, final_nss, txs; + +- fixed_rate = info->status.rates[0].count; +- probe = !!(info->flags & IEEE80211_TX_CTL_RATE_CTRL_PROBE); +- + txs = le32_to_cpu(txs_data[1]); +- ampdu = !fixed_rate && (txs & MT_TXS1_AMPDU); ++ ampdu = txs & MT_TXS1_AMPDU; + + txs = le32_to_cpu(txs_data[3]); + count = FIELD_GET(MT_TXS3_TX_COUNT, txs); + last_idx = FIELD_GET(MT_TXS3_LAST_TX_RATE, txs); + + txs = le32_to_cpu(txs_data[0]); ++ fixed_rate = txs & MT_TXS0_FIXED_RATE; + final_rate = FIELD_GET(MT_TXS0_TX_RATE, txs); + ack_timeout = txs & MT_TXS0_ACK_TIMEOUT; + +@@ -1214,7 +1212,7 @@ static bool mt7615_fill_txs(struct mt7615_dev *dev, struct mt7615_sta *sta, + + first_idx = max_t(int, 0, last_idx - (count - 1) / MT7615_RATE_RETRY); + +- if (fixed_rate && !probe) { ++ if (fixed_rate) { + info->status.rates[0].count = count; + i = 0; + goto out; +-- +2.30.2 + diff --git a/queue-5.10/mt76-mt7915-fix-ieee80211_he_phy_cap7_max_nc-for-sta.patch b/queue-5.10/mt76-mt7915-fix-ieee80211_he_phy_cap7_max_nc-for-sta.patch new file mode 100644 index 00000000000..6f98c10d1f4 --- /dev/null +++ b/queue-5.10/mt76-mt7915-fix-ieee80211_he_phy_cap7_max_nc-for-sta.patch @@ -0,0 +1,46 @@ +From ff72d2f66ac525988b37652f8dbffe674fd7da11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 02:04:20 +0800 +Subject: mt76: mt7915: fix IEEE80211_HE_PHY_CAP7_MAX_NC for station mode + +From: Ryder Lee + +[ Upstream commit 2707ff4dd7b1479dbd44ebb3c74788084cc95245 ] + +The value of station mode is always 0. + +Fixed: 00b2e16e0063 ("mt76: mt7915: add TxBF capabilities") +Signed-off-by: Ryder Lee +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/init.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/init.c b/drivers/net/wireless/mediatek/mt76/mt7915/init.c +index 0232b66acb4f..8f01ca1694bc 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/init.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/init.c +@@ -335,6 +335,9 @@ mt7915_set_stream_he_txbf_caps(struct ieee80211_sta_he_cap *he_cap, + if (nss < 2) + return; + ++ /* the maximum cap is 4 x 3, (Nr, Nc) = (3, 2) */ ++ elem->phy_cap_info[7] |= min_t(int, nss - 1, 2) << 3; ++ + if (vif != NL80211_IFTYPE_AP) + return; + +@@ -348,9 +351,6 @@ mt7915_set_stream_he_txbf_caps(struct ieee80211_sta_he_cap *he_cap, + c = IEEE80211_HE_PHY_CAP6_TRIG_SU_BEAMFORMER_FB | + IEEE80211_HE_PHY_CAP6_TRIG_MU_BEAMFORMER_FB; + elem->phy_cap_info[6] |= c; +- +- /* the maximum cap is 4 x 3, (Nr, Nc) = (3, 2) */ +- elem->phy_cap_info[7] |= min_t(int, nss - 1, 2) << 3; + } + + static void +-- +2.30.2 + diff --git a/queue-5.10/net-bcmgenet-check-return-value-after-calling-platfo.patch b/queue-5.10/net-bcmgenet-check-return-value-after-calling-platfo.patch new file mode 100644 index 00000000000..478d014227a --- /dev/null +++ b/queue-5.10/net-bcmgenet-check-return-value-after-calling-platfo.patch @@ -0,0 +1,39 @@ +From 8d9fd370da86e0f24b2e267a6ee2483bbb2d9fbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jun 2021 21:38:37 +0800 +Subject: net: bcmgenet: check return value after calling + platform_get_resource() + +From: Yang Yingliang + +[ Upstream commit 74325bf0104573c6dfce42837139aeef3f34be76 ] + +It will cause null-ptr-deref if platform_get_resource() returns NULL, +we need check the return value. + +Signed-off-by: Yang Yingliang +Acked-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmmii.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmmii.c b/drivers/net/ethernet/broadcom/genet/bcmmii.c +index 6fb6c3556285..f9e91304d232 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c +@@ -423,6 +423,10 @@ static int bcmgenet_mii_register(struct bcmgenet_priv *priv) + int id, ret; + + pres = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (!pres) { ++ dev_err(&pdev->dev, "Invalid resource\n"); ++ return -EINVAL; ++ } + memset(&res, 0, sizeof(res)); + memset(&ppd, 0, sizeof(ppd)); + +-- +2.30.2 + diff --git a/queue-5.10/net-bridge-mrp-update-ring-transitions.patch b/queue-5.10/net-bridge-mrp-update-ring-transitions.patch new file mode 100644 index 00000000000..b85d4ddcd25 --- /dev/null +++ b/queue-5.10/net-bridge-mrp-update-ring-transitions.patch @@ -0,0 +1,49 @@ +From 168907a59285c417beee0c7fbeedab5d7999c4ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jun 2021 12:37:47 +0200 +Subject: net: bridge: mrp: Update ring transitions. + +From: Horatiu Vultur + +[ Upstream commit fcb34635854a5a5814227628867ea914a9805384 ] + +According to the standard IEC 62439-2, the number of transitions needs +to be counted for each transition 'between' ring state open and ring +state closed and not from open state to closed state. + +Therefore fix this for both ring and interconnect ring. + +Signed-off-by: Horatiu Vultur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_mrp.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/br_mrp.c b/net/bridge/br_mrp.c +index d1336a7ad7ff..3259f5480127 100644 +--- a/net/bridge/br_mrp.c ++++ b/net/bridge/br_mrp.c +@@ -607,8 +607,7 @@ int br_mrp_set_ring_state(struct net_bridge *br, + if (!mrp) + return -EINVAL; + +- if (mrp->ring_state == BR_MRP_RING_STATE_CLOSED && +- state->ring_state != BR_MRP_RING_STATE_CLOSED) ++ if (mrp->ring_state != state->ring_state) + mrp->ring_transitions++; + + mrp->ring_state = state->ring_state; +@@ -690,8 +689,7 @@ int br_mrp_set_in_state(struct net_bridge *br, struct br_mrp_in_state *state) + if (!mrp) + return -EINVAL; + +- if (mrp->in_state == BR_MRP_IN_STATE_CLOSED && +- state->in_state != BR_MRP_IN_STATE_CLOSED) ++ if (mrp->in_state != state->in_state) + mrp->in_transitions++; + + mrp->in_state = state->in_state; +-- +2.30.2 + diff --git a/queue-5.10/net-fec-add-ndo_select_queue-to-fix-tx-bandwidth-flu.patch b/queue-5.10/net-fec-add-ndo_select_queue-to-fix-tx-bandwidth-flu.patch new file mode 100644 index 00000000000..e13667dc69c --- /dev/null +++ b/queue-5.10/net-fec-add-ndo_select_queue-to-fix-tx-bandwidth-flu.patch @@ -0,0 +1,106 @@ +From c0aa37edc8b4ef705f6e4055f63c30567881ff28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 14:27:37 +0800 +Subject: net: fec: add ndo_select_queue to fix TX bandwidth fluctuations + +From: Fugang Duan + +[ Upstream commit 52c4a1a85f4b346c39c896c0168f4a843b3385ff ] + +As we know that AVB is enabled by default, and the ENET IP design is +queue 0 for best effort, queue 1&2 for AVB Class A&B. Bandwidth of each +queue 1&2 set in driver is 50%, TX bandwidth fluctuated when selecting +tx queues randomly with FEC_QUIRK_HAS_AVB quirk available. + +This patch adds ndo_select_queue callback to select queues for +transmitting to fix this issue. It will always return queue 0 if this is +not a vlan packet, and return queue 1 or 2 based on priority of vlan +packet. + +You may complain that in fact we only use single queue for trasmitting +if we are not targeted to VLAN. Yes, but seems we have no choice, since +AVB is enabled when the driver probed, we can't switch this feature +dynamicly. After compare multiple queues to single queue, TX throughput +almost no improvement. + +One way we can implemet is to configure the driver to multiple queues +with Round-robin scheme by default. Then add ndo_setup_tc callback to +enable/disable AVB feature for users. Unfortunately, ENET AVB IP seems +not follow the standard 802.1Qav spec. We only can program +DMAnCFG[IDLE_SLOPE] field to calculate bandwidth fraction. And idle +slope is restricted to certain valus (a total of 19). It's far away from +CBS QDisc implemented in Linux TC framework. If you strongly suggest to do +this, I think we only can support limited numbers of bandwidth and reject +others, but it's really urgly and wried. + +With this patch, VLAN tagged packets route to queue 0/1/2 based on vlan +priority; VLAN untagged packets route to queue 0. + +Tested-by: Frieder Schrempf +Reported-by: Frieder Schrempf +Signed-off-by: Fugang Duan +Signed-off-by: Joakim Zhang +Reported-by: kernel test robot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 32 +++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 960def41cc55..2cb73e850a32 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -75,6 +75,8 @@ static void fec_enet_itr_coal_init(struct net_device *ndev); + + #define DRIVER_NAME "fec" + ++static const u16 fec_enet_vlan_pri_to_queue[8] = {0, 0, 1, 1, 1, 2, 2, 2}; ++ + /* Pause frame feild and FIFO threshold */ + #define FEC_ENET_FCE (1 << 5) + #define FEC_ENET_RSEM_V 0x84 +@@ -3222,10 +3224,40 @@ static int fec_set_features(struct net_device *netdev, + return 0; + } + ++static u16 fec_enet_get_raw_vlan_tci(struct sk_buff *skb) ++{ ++ struct vlan_ethhdr *vhdr; ++ unsigned short vlan_TCI = 0; ++ ++ if (skb->protocol == htons(ETH_P_ALL)) { ++ vhdr = (struct vlan_ethhdr *)(skb->data); ++ vlan_TCI = ntohs(vhdr->h_vlan_TCI); ++ } ++ ++ return vlan_TCI; ++} ++ ++static u16 fec_enet_select_queue(struct net_device *ndev, struct sk_buff *skb, ++ struct net_device *sb_dev) ++{ ++ struct fec_enet_private *fep = netdev_priv(ndev); ++ u16 vlan_tag; ++ ++ if (!(fep->quirks & FEC_QUIRK_HAS_AVB)) ++ return netdev_pick_tx(ndev, skb, NULL); ++ ++ vlan_tag = fec_enet_get_raw_vlan_tci(skb); ++ if (!vlan_tag) ++ return vlan_tag; ++ ++ return fec_enet_vlan_pri_to_queue[vlan_tag >> 13]; ++} ++ + static const struct net_device_ops fec_netdev_ops = { + .ndo_open = fec_enet_open, + .ndo_stop = fec_enet_close, + .ndo_start_xmit = fec_enet_start_xmit, ++ .ndo_select_queue = fec_enet_select_queue, + .ndo_set_rx_mode = set_multicast_list, + .ndo_validate_addr = eth_validate_addr, + .ndo_tx_timeout = fec_timeout, +-- +2.30.2 + diff --git a/queue-5.10/net-fix-mistake-path-for-netdev_features_strings.patch b/queue-5.10/net-fix-mistake-path-for-netdev_features_strings.patch new file mode 100644 index 00000000000..6a8bc813887 --- /dev/null +++ b/queue-5.10/net-fix-mistake-path-for-netdev_features_strings.patch @@ -0,0 +1,59 @@ +From 8e5a3669380a5616c6a967415627864d72cf4925 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jun 2021 11:37:11 +0800 +Subject: net: fix mistake path for netdev_features_strings + +From: Jian Shen + +[ Upstream commit 2d8ea148e553e1dd4e80a87741abdfb229e2b323 ] + +Th_strings arrays netdev_features_strings, tunable_strings, and +phy_tunable_strings has been moved to file net/ethtool/common.c. +So fixes the comment. + +Signed-off-by: Jian Shen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/netdev_features.h | 2 +- + include/uapi/linux/ethtool.h | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/linux/netdev_features.h b/include/linux/netdev_features.h +index 0b17c4322b09..f96b7f8d82e5 100644 +--- a/include/linux/netdev_features.h ++++ b/include/linux/netdev_features.h +@@ -87,7 +87,7 @@ enum { + + /* + * Add your fresh new feature above and remember to update +- * netdev_features_strings[] in net/core/ethtool.c and maybe ++ * netdev_features_strings[] in net/ethtool/common.c and maybe + * some feature mask #defines below. Please also describe it + * in Documentation/networking/netdev-features.rst. + */ +diff --git a/include/uapi/linux/ethtool.h b/include/uapi/linux/ethtool.h +index cde753bb2093..13772f039c8d 100644 +--- a/include/uapi/linux/ethtool.h ++++ b/include/uapi/linux/ethtool.h +@@ -223,7 +223,7 @@ enum tunable_id { + ETHTOOL_PFC_PREVENTION_TOUT, /* timeout in msecs */ + /* + * Add your fresh new tunable attribute above and remember to update +- * tunable_strings[] in net/core/ethtool.c ++ * tunable_strings[] in net/ethtool/common.c + */ + __ETHTOOL_TUNABLE_COUNT, + }; +@@ -287,7 +287,7 @@ enum phy_tunable_id { + ETHTOOL_PHY_EDPD, + /* + * Add your fresh new phy tunable attribute above and remember to update +- * phy_tunable_strings[] in net/core/ethtool.c ++ * phy_tunable_strings[] in net/ethtool/common.c + */ + __ETHTOOL_PHY_TUNABLE_COUNT, + }; +-- +2.30.2 + diff --git a/queue-5.10/net-ip-avoid-oom-kills-with-large-udp-sends-over-loo.patch b/queue-5.10/net-ip-avoid-oom-kills-with-large-udp-sends-over-loo.patch new file mode 100644 index 00000000000..7fe921e2c07 --- /dev/null +++ b/queue-5.10/net-ip-avoid-oom-kills-with-large-udp-sends-over-loo.patch @@ -0,0 +1,186 @@ +From 93fa5ebe812e6efc6f330d294f343d7e582ae835 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jun 2021 14:44:38 -0700 +Subject: net: ip: avoid OOM kills with large UDP sends over loopback + +From: Jakub Kicinski + +[ Upstream commit 6d123b81ac615072a8525c13c6c41b695270a15d ] + +Dave observed number of machines hitting OOM on the UDP send +path. The workload seems to be sending large UDP packets over +loopback. Since loopback has MTU of 64k kernel will try to +allocate an skb with up to 64k of head space. This has a good +chance of failing under memory pressure. What's worse if +the message length is <32k the allocation may trigger an +OOM killer. + +This is entirely avoidable, we can use an skb with page frags. + +af_unix solves a similar problem by limiting the head +length to SKB_MAX_ALLOC. This seems like a good and simple +approach. It means that UDP messages > 16kB will now +use fragments if underlying device supports SG, if extra +allocator pressure causes regressions in real workloads +we can switch to trying the large allocation first and +falling back. + +v4: pre-calculate all the additions to alloclen so + we can be sure it won't go over order-2 + +Reported-by: Dave Jones +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_output.c | 32 ++++++++++++++++++-------------- + net/ipv6/ip6_output.c | 32 +++++++++++++++++--------------- + 2 files changed, 35 insertions(+), 29 deletions(-) + +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 97975bed491a..560d5dc43562 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -1053,7 +1053,7 @@ static int __ip_append_data(struct sock *sk, + unsigned int datalen; + unsigned int fraglen; + unsigned int fraggap; +- unsigned int alloclen; ++ unsigned int alloclen, alloc_extra; + unsigned int pagedlen; + struct sk_buff *skb_prev; + alloc_new_skb: +@@ -1073,35 +1073,39 @@ alloc_new_skb: + fraglen = datalen + fragheaderlen; + pagedlen = 0; + ++ alloc_extra = hh_len + 15; ++ alloc_extra += exthdrlen; ++ ++ /* The last fragment gets additional space at tail. ++ * Note, with MSG_MORE we overallocate on fragments, ++ * because we have no idea what fragment will be ++ * the last. ++ */ ++ if (datalen == length + fraggap) ++ alloc_extra += rt->dst.trailer_len; ++ + if ((flags & MSG_MORE) && + !(rt->dst.dev->features&NETIF_F_SG)) + alloclen = mtu; +- else if (!paged) ++ else if (!paged && ++ (fraglen + alloc_extra < SKB_MAX_ALLOC || ++ !(rt->dst.dev->features & NETIF_F_SG))) + alloclen = fraglen; + else { + alloclen = min_t(int, fraglen, MAX_HEADER); + pagedlen = fraglen - alloclen; + } + +- alloclen += exthdrlen; +- +- /* The last fragment gets additional space at tail. +- * Note, with MSG_MORE we overallocate on fragments, +- * because we have no idea what fragment will be +- * the last. +- */ +- if (datalen == length + fraggap) +- alloclen += rt->dst.trailer_len; ++ alloclen += alloc_extra; + + if (transhdrlen) { +- skb = sock_alloc_send_skb(sk, +- alloclen + hh_len + 15, ++ skb = sock_alloc_send_skb(sk, alloclen, + (flags & MSG_DONTWAIT), &err); + } else { + skb = NULL; + if (refcount_read(&sk->sk_wmem_alloc) + wmem_alloc_delta <= + 2 * sk->sk_sndbuf) +- skb = alloc_skb(alloclen + hh_len + 15, ++ skb = alloc_skb(alloclen, + sk->sk_allocation); + if (unlikely(!skb)) + err = -ENOBUFS; +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 077d43af8226..e889655ca0e2 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1554,7 +1554,7 @@ emsgsize: + unsigned int datalen; + unsigned int fraglen; + unsigned int fraggap; +- unsigned int alloclen; ++ unsigned int alloclen, alloc_extra; + unsigned int pagedlen; + alloc_new_skb: + /* There's no room in the current skb */ +@@ -1581,17 +1581,28 @@ alloc_new_skb: + fraglen = datalen + fragheaderlen; + pagedlen = 0; + ++ alloc_extra = hh_len; ++ alloc_extra += dst_exthdrlen; ++ alloc_extra += rt->dst.trailer_len; ++ ++ /* We just reserve space for fragment header. ++ * Note: this may be overallocation if the message ++ * (without MSG_MORE) fits into the MTU. ++ */ ++ alloc_extra += sizeof(struct frag_hdr); ++ + if ((flags & MSG_MORE) && + !(rt->dst.dev->features&NETIF_F_SG)) + alloclen = mtu; +- else if (!paged) ++ else if (!paged && ++ (fraglen + alloc_extra < SKB_MAX_ALLOC || ++ !(rt->dst.dev->features & NETIF_F_SG))) + alloclen = fraglen; + else { + alloclen = min_t(int, fraglen, MAX_HEADER); + pagedlen = fraglen - alloclen; + } +- +- alloclen += dst_exthdrlen; ++ alloclen += alloc_extra; + + if (datalen != length + fraggap) { + /* +@@ -1601,30 +1612,21 @@ alloc_new_skb: + datalen += rt->dst.trailer_len; + } + +- alloclen += rt->dst.trailer_len; + fraglen = datalen + fragheaderlen; + +- /* +- * We just reserve space for fragment header. +- * Note: this may be overallocation if the message +- * (without MSG_MORE) fits into the MTU. +- */ +- alloclen += sizeof(struct frag_hdr); +- + copy = datalen - transhdrlen - fraggap - pagedlen; + if (copy < 0) { + err = -EINVAL; + goto error; + } + if (transhdrlen) { +- skb = sock_alloc_send_skb(sk, +- alloclen + hh_len, ++ skb = sock_alloc_send_skb(sk, alloclen, + (flags & MSG_DONTWAIT), &err); + } else { + skb = NULL; + if (refcount_read(&sk->sk_wmem_alloc) + wmem_alloc_delta <= + 2 * sk->sk_sndbuf) +- skb = alloc_skb(alloclen + hh_len, ++ skb = alloc_skb(alloclen, + sk->sk_allocation); + if (unlikely(!skb)) + err = -ENOBUFS; +-- +2.30.2 + diff --git a/queue-5.10/net-ipa-add-missing-of_node_put-in-ipa_firmware_load.patch b/queue-5.10/net-ipa-add-missing-of_node_put-in-ipa_firmware_load.patch new file mode 100644 index 00000000000..0ff6f2c7cdc --- /dev/null +++ b/queue-5.10/net-ipa-add-missing-of_node_put-in-ipa_firmware_load.patch @@ -0,0 +1,37 @@ +From 24729143d9a17bc9f88a57b07ae51cfa9e1ba41c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jun 2021 13:11:19 +0800 +Subject: net: ipa: Add missing of_node_put() in ipa_firmware_load() + +From: Yang Yingliang + +[ Upstream commit b244163f2c45c12053cb0291c955f892e79ed8a9 ] + +This node pointer is returned by of_parse_phandle() with refcount +incremented in this function. of_node_put() on it before exiting +this function. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Acked-by: Alex Elder +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ipa/ipa_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ipa/ipa_main.c b/drivers/net/ipa/ipa_main.c +index cd4d993b0bbb..4162a608a3bf 100644 +--- a/drivers/net/ipa/ipa_main.c ++++ b/drivers/net/ipa/ipa_main.c +@@ -589,6 +589,7 @@ static int ipa_firmware_load(struct device *dev) + } + + ret = of_address_to_resource(node, 0, &res); ++ of_node_put(node); + if (ret) { + dev_err(dev, "error %d getting \"memory-region\" resource\n", + ret); +-- +2.30.2 + diff --git a/queue-5.10/net-mdio-ipq8064-add-regmap-config-to-disable-regcac.patch b/queue-5.10/net-mdio-ipq8064-add-regmap-config-to-disable-regcac.patch new file mode 100644 index 00000000000..9598e1c54f1 --- /dev/null +++ b/queue-5.10/net-mdio-ipq8064-add-regmap-config-to-disable-regcac.patch @@ -0,0 +1,90 @@ +From f6c3fca04ceca41a48956e5b4ded9bc8c69a5d51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 May 2021 23:03:50 +0200 +Subject: net: mdio: ipq8064: add regmap config to disable REGCACHE + +From: Ansuel Smith + +[ Upstream commit b097bea10215315e8ee17f88b4c1bbb521b1878c ] + +mdio drivers should not use REGCHACHE. Also disable locking since it's +handled by the mdio users and regmap is always accessed atomically. + +Signed-off-by: Ansuel Smith +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/mdio-ipq8064.c | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/mdio/mdio-ipq8064.c b/drivers/net/mdio/mdio-ipq8064.c +index 1bd18857e1c5..f0a6bfa61645 100644 +--- a/drivers/net/mdio/mdio-ipq8064.c ++++ b/drivers/net/mdio/mdio-ipq8064.c +@@ -10,7 +10,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + +@@ -96,14 +96,34 @@ ipq8064_mdio_write(struct mii_bus *bus, int phy_addr, int reg_offset, u16 data) + return ipq8064_mdio_wait_busy(priv); + } + ++static const struct regmap_config ipq8064_mdio_regmap_config = { ++ .reg_bits = 32, ++ .reg_stride = 4, ++ .val_bits = 32, ++ .can_multi_write = false, ++ /* the mdio lock is used by any user of this mdio driver */ ++ .disable_locking = true, ++ ++ .cache_type = REGCACHE_NONE, ++}; ++ + static int + ipq8064_mdio_probe(struct platform_device *pdev) + { + struct device_node *np = pdev->dev.of_node; + struct ipq8064_mdio *priv; ++ struct resource res; + struct mii_bus *bus; ++ void __iomem *base; + int ret; + ++ if (of_address_to_resource(np, 0, &res)) ++ return -ENOMEM; ++ ++ base = ioremap(res.start, resource_size(&res)); ++ if (!base) ++ return -ENOMEM; ++ + bus = devm_mdiobus_alloc_size(&pdev->dev, sizeof(*priv)); + if (!bus) + return -ENOMEM; +@@ -115,15 +135,10 @@ ipq8064_mdio_probe(struct platform_device *pdev) + bus->parent = &pdev->dev; + + priv = bus->priv; +- priv->base = device_node_to_regmap(np); +- if (IS_ERR(priv->base)) { +- if (priv->base == ERR_PTR(-EPROBE_DEFER)) +- return -EPROBE_DEFER; +- +- dev_err(&pdev->dev, "error getting device regmap, error=%pe\n", +- priv->base); ++ priv->base = devm_regmap_init_mmio(&pdev->dev, base, ++ &ipq8064_mdio_regmap_config); ++ if (IS_ERR(priv->base)) + return PTR_ERR(priv->base); +- } + + ret = of_mdiobus_register(bus, np); + if (ret) +-- +2.30.2 + diff --git a/queue-5.10/net-mdio-provide-shim-implementation-of-devm_of_mdio.patch b/queue-5.10/net-mdio-provide-shim-implementation-of-devm_of_mdio.patch new file mode 100644 index 00000000000..574abd60878 --- /dev/null +++ b/queue-5.10/net-mdio-provide-shim-implementation-of-devm_of_mdio.patch @@ -0,0 +1,49 @@ +From b2dc110ca7667530cabed0fc2a0eeb3ee365ec27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 May 2021 20:49:24 +0300 +Subject: net: mdio: provide shim implementation of devm_of_mdiobus_register + +From: Vladimir Oltean + +[ Upstream commit 86544c3de6a2185409c5a3d02f674ea223a14217 ] + +Similar to the way in which of_mdiobus_register() has a fallback to the +non-DT based mdiobus_register() when CONFIG_OF is not set, we can create +a shim for the device-managed devm_of_mdiobus_register() which calls +devm_mdiobus_register() and discards the struct device_node *. + +In particular, this solves a build issue with the qca8k DSA driver which +uses devm_of_mdiobus_register and can be compiled without CONFIG_OF. + +Reported-by: Randy Dunlap +Signed-off-by: Vladimir Oltean +Acked-by: Randy Dunlap # build-tested +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/of_mdio.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/include/linux/of_mdio.h b/include/linux/of_mdio.h +index cfe8c607a628..f56c6a9230ac 100644 +--- a/include/linux/of_mdio.h ++++ b/include/linux/of_mdio.h +@@ -75,6 +75,13 @@ static inline int of_mdiobus_register(struct mii_bus *mdio, struct device_node * + return mdiobus_register(mdio); + } + ++static inline int devm_of_mdiobus_register(struct device *dev, ++ struct mii_bus *mdio, ++ struct device_node *np) ++{ ++ return devm_mdiobus_register(dev, mdio); ++} ++ + static inline struct mdio_device *of_mdio_find_device(struct device_node *np) + { + return NULL; +-- +2.30.2 + diff --git a/queue-5.10/net-micrel-check-return-value-after-calling-platform.patch b/queue-5.10/net-micrel-check-return-value-after-calling-platform.patch new file mode 100644 index 00000000000..25d32db16de --- /dev/null +++ b/queue-5.10/net-micrel-check-return-value-after-calling-platform.patch @@ -0,0 +1,37 @@ +From a34dd8c168d78c9cb3482e8a54782bc79db1660d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jun 2021 22:55:21 +0800 +Subject: net: micrel: check return value after calling platform_get_resource() + +From: Yang Yingliang + +[ Upstream commit 20f1932e2282c58cb5ac59517585206cf5b385ae ] + +It will cause null-ptr-deref if platform_get_resource() returns NULL, +we need check the return value. + +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/micrel/ks8842.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/micrel/ks8842.c b/drivers/net/ethernet/micrel/ks8842.c +index caa251d0e381..b27713906d3a 100644 +--- a/drivers/net/ethernet/micrel/ks8842.c ++++ b/drivers/net/ethernet/micrel/ks8842.c +@@ -1135,6 +1135,10 @@ static int ks8842_probe(struct platform_device *pdev) + unsigned i; + + iomem = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (!iomem) { ++ dev_err(&pdev->dev, "Invalid resource\n"); ++ return -EINVAL; ++ } + if (!request_mem_region(iomem->start, resource_size(iomem), DRV_NAME)) + goto err_mem_region; + +-- +2.30.2 + diff --git a/queue-5.10/net-mlx5-fix-lag-port-remapping-logic.patch b/queue-5.10/net-mlx5-fix-lag-port-remapping-logic.patch new file mode 100644 index 00000000000..3a502ef0df6 --- /dev/null +++ b/queue-5.10/net-mlx5-fix-lag-port-remapping-logic.patch @@ -0,0 +1,60 @@ +From 8da7f9ab3d96a6b38777f4491720907f9b1bdaa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 May 2021 14:39:58 +0300 +Subject: net/mlx5: Fix lag port remapping logic + +From: Eli Cohen + +[ Upstream commit 8613641063617c1dfc731b403b3ee4935ef15f87 ] + +Fix the logic so that if both ports netdevices are enabled or disabled, +use the trivial mapping without swapping. + +If only one of the netdevice's tx is enabled, use it to remap traffic to +that port. + +Signed-off-by: Eli Cohen +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/lag.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag.c +index 9025e5f38bb6..fe5476a76464 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag.c +@@ -118,17 +118,24 @@ static bool __mlx5_lag_is_sriov(struct mlx5_lag *ldev) + static void mlx5_infer_tx_affinity_mapping(struct lag_tracker *tracker, + u8 *port1, u8 *port2) + { ++ bool p1en; ++ bool p2en; ++ ++ p1en = tracker->netdev_state[MLX5_LAG_P1].tx_enabled && ++ tracker->netdev_state[MLX5_LAG_P1].link_up; ++ ++ p2en = tracker->netdev_state[MLX5_LAG_P2].tx_enabled && ++ tracker->netdev_state[MLX5_LAG_P2].link_up; ++ + *port1 = 1; + *port2 = 2; +- if (!tracker->netdev_state[MLX5_LAG_P1].tx_enabled || +- !tracker->netdev_state[MLX5_LAG_P1].link_up) { +- *port1 = 2; ++ if ((!p1en && !p2en) || (p1en && p2en)) + return; +- } + +- if (!tracker->netdev_state[MLX5_LAG_P2].tx_enabled || +- !tracker->netdev_state[MLX5_LAG_P2].link_up) ++ if (p1en) + *port2 = 1; ++ else ++ *port1 = 2; + } + + void mlx5_modify_lag(struct mlx5_lag *ldev, +-- +2.30.2 + diff --git a/queue-5.10/net-mlx5e-ipsec-rep_tc-fix-rep_tc_update_skb-drops-i.patch b/queue-5.10/net-mlx5e-ipsec-rep_tc-fix-rep_tc_update_skb-drops-i.patch new file mode 100644 index 00000000000..62fa63c1aba --- /dev/null +++ b/queue-5.10/net-mlx5e-ipsec-rep_tc-fix-rep_tc_update_skb-drops-i.patch @@ -0,0 +1,51 @@ +From 5c8f9465df455aa89ae3b59d41cba3f074028bd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Dec 2020 10:58:54 -0600 +Subject: net/mlx5e: IPsec/rep_tc: Fix rep_tc_update_skb drops IPsec packet + +From: Huy Nguyen + +[ Upstream commit c07274ab1ab2c38fb128e32643c22c89cb319384 ] + +rep_tc copy REG_C1 to REG_B. IPsec crypto utilizes the whole REG_B +register with BIT31 as IPsec marker. rep_tc_update_skb drops +IPsec because it thought REG_B contains bad value. + +In previous patch, BIT 31 of REG_C1 is reserved for IPsec. +Skip the rep_tc_update_skb if BIT31 of REG_B is set. + +Signed-off-by: Huy Nguyen +Signed-off-by: Raed Salem +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index 7e1f8660dfec..f327b78261ec 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -1318,7 +1318,8 @@ static void mlx5e_handle_rx_cqe_rep(struct mlx5e_rq *rq, struct mlx5_cqe64 *cqe) + if (rep->vlan && skb_vlan_tag_present(skb)) + skb_vlan_pop(skb); + +- if (!mlx5e_rep_tc_update_skb(cqe, skb, &tc_priv)) { ++ if (unlikely(!mlx5_ipsec_is_rx_flow(cqe) && ++ !mlx5e_rep_tc_update_skb(cqe, skb, &tc_priv))) { + dev_kfree_skb_any(skb); + goto free_wqe; + } +@@ -1375,7 +1376,8 @@ static void mlx5e_handle_rx_cqe_mpwrq_rep(struct mlx5e_rq *rq, struct mlx5_cqe64 + + mlx5e_complete_rx_cqe(rq, cqe, cqe_bcnt, skb); + +- if (!mlx5e_rep_tc_update_skb(cqe, skb, &tc_priv)) { ++ if (unlikely(!mlx5_ipsec_is_rx_flow(cqe) && ++ !mlx5e_rep_tc_update_skb(cqe, skb, &tc_priv))) { + dev_kfree_skb_any(skb); + goto mpwrq_cqe_out; + } +-- +2.30.2 + diff --git a/queue-5.10/net-moxa-use-devm_platform_get_and_ioremap_resource.patch b/queue-5.10/net-moxa-use-devm_platform_get_and_ioremap_resource.patch new file mode 100644 index 00000000000..89eff86164f --- /dev/null +++ b/queue-5.10/net-moxa-use-devm_platform_get_and_ioremap_resource.patch @@ -0,0 +1,43 @@ +From c94ead7e452562a7ecaeea31153871f9e8cb2c18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jun 2021 23:02:59 +0800 +Subject: net: moxa: Use devm_platform_get_and_ioremap_resource() + +From: Yang Yingliang + +[ Upstream commit 35cba15a504bf4f585bb9d78f47b22b28a1a06b2 ] + +Use devm_platform_get_and_ioremap_resource() to simplify +code and avoid a null-ptr-deref by checking 'res' in it. + +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/moxa/moxart_ether.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/moxa/moxart_ether.c b/drivers/net/ethernet/moxa/moxart_ether.c +index 49fd843c4c8a..a4380c45f668 100644 +--- a/drivers/net/ethernet/moxa/moxart_ether.c ++++ b/drivers/net/ethernet/moxa/moxart_ether.c +@@ -481,14 +481,13 @@ static int moxart_mac_probe(struct platform_device *pdev) + priv->ndev = ndev; + priv->pdev = pdev; + +- res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- ndev->base_addr = res->start; +- priv->base = devm_ioremap_resource(p_dev, res); ++ priv->base = devm_platform_get_and_ioremap_resource(pdev, 0, &res); + if (IS_ERR(priv->base)) { + dev_err(p_dev, "devm_ioremap_resource failed\n"); + ret = PTR_ERR(priv->base); + goto init_fail; + } ++ ndev->base_addr = res->start; + + spin_lock_init(&priv->txlock); + +-- +2.30.2 + diff --git a/queue-5.10/net-mscc-ocelot-check-return-value-after-calling-pla.patch b/queue-5.10/net-mscc-ocelot-check-return-value-after-calling-pla.patch new file mode 100644 index 00000000000..de5b7c728a5 --- /dev/null +++ b/queue-5.10/net-mscc-ocelot-check-return-value-after-calling-pla.patch @@ -0,0 +1,40 @@ +From 62e07020022663b0799be7026c652baca661186f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Jun 2021 10:31:48 +0800 +Subject: net: mscc: ocelot: check return value after calling + platform_get_resource() + +From: Yang Yingliang + +[ Upstream commit f1fe19c2cb3fdc92a614cf330ced1613f8f1a681 ] + +It will cause null-ptr-deref if platform_get_resource() returns NULL, +we need check the return value. + +Signed-off-by: Yang Yingliang +Reviewed-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/ocelot/seville_vsc9953.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/dsa/ocelot/seville_vsc9953.c b/drivers/net/dsa/ocelot/seville_vsc9953.c +index ebbaf6817ec8..7026523f886c 100644 +--- a/drivers/net/dsa/ocelot/seville_vsc9953.c ++++ b/drivers/net/dsa/ocelot/seville_vsc9953.c +@@ -1214,6 +1214,11 @@ static int seville_probe(struct platform_device *pdev) + felix->info = &seville_info_vsc9953; + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (!res) { ++ err = -EINVAL; ++ dev_err(&pdev->dev, "Invalid resource\n"); ++ goto err_alloc_felix; ++ } + felix->switch_base = res->start; + + ds = kzalloc(sizeof(struct dsa_switch), GFP_KERNEL); +-- +2.30.2 + diff --git a/queue-5.10/net-mvpp2-check-return-value-after-calling-platform_.patch b/queue-5.10/net-mvpp2-check-return-value-after-calling-platform_.patch new file mode 100644 index 00000000000..614fea6faf2 --- /dev/null +++ b/queue-5.10/net-mvpp2-check-return-value-after-calling-platform_.patch @@ -0,0 +1,37 @@ +From 1463e3cfb8ad778ebaf6d80fcea4d40399fffc7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jun 2021 22:36:02 +0800 +Subject: net: mvpp2: check return value after calling platform_get_resource() + +From: Yang Yingliang + +[ Upstream commit 0bb51a3a385790a4be20085494cf78f70dadf646 ] + +It will cause null-ptr-deref if platform_get_resource() returns NULL, +we need check the return value. + +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index a9f65d667761..ec9b6c564300 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -6871,6 +6871,10 @@ static int mvpp2_probe(struct platform_device *pdev) + return PTR_ERR(priv->lms_base); + } else { + res = platform_get_resource(pdev, IORESOURCE_MEM, 1); ++ if (!res) { ++ dev_err(&pdev->dev, "Invalid resource\n"); ++ return -EINVAL; ++ } + if (has_acpi_companion(&pdev->dev)) { + /* In case the MDIO memory region is declared in + * the ACPI, it can already appear as 'in-use' +-- +2.30.2 + diff --git a/queue-5.10/net-pch_gbe-use-proper-accessors-to-be-data-in-pch_p.patch b/queue-5.10/net-pch_gbe-use-proper-accessors-to-be-data-in-pch_p.patch new file mode 100644 index 00000000000..32d0d97ea32 --- /dev/null +++ b/queue-5.10/net-pch_gbe-use-proper-accessors-to-be-data-in-pch_p.patch @@ -0,0 +1,87 @@ +From 87c15f1ea33aa1ec240e42386f1400dd48aa22a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 19:39:30 +0300 +Subject: net: pch_gbe: Use proper accessors to BE data in pch_ptp_match() + +From: Andy Shevchenko + +[ Upstream commit 443ef39b499cc9c6635f83238101f1bb923e9326 ] + +Sparse is not happy about handling of strict types in pch_ptp_match(): + + .../pch_gbe_main.c:158:33: warning: incorrect type in argument 2 (different base types) + .../pch_gbe_main.c:158:33: expected unsigned short [usertype] uid_hi + .../pch_gbe_main.c:158:33: got restricted __be16 [usertype] + .../pch_gbe_main.c:158:45: warning: incorrect type in argument 3 (different base types) + .../pch_gbe_main.c:158:45: expected unsigned int [usertype] uid_lo + .../pch_gbe_main.c:158:45: got restricted __be32 [usertype] + .../pch_gbe_main.c:158:56: warning: incorrect type in argument 4 (different base types) + .../pch_gbe_main.c:158:56: expected unsigned short [usertype] seqid + .../pch_gbe_main.c:158:56: got restricted __be16 [usertype] + +Fix that by switching to use proper accessors to BE data. + +Reported-by: kernel test robot +Signed-off-by: Andy Shevchenko +Tested-by: Flavio Suligoi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 19 ++++++------------- + 1 file changed, 6 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +index 9a0870dc2f03..2942102efd48 100644 +--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c ++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +@@ -107,7 +107,7 @@ static int pch_ptp_match(struct sk_buff *skb, u16 uid_hi, u32 uid_lo, u16 seqid) + { + u8 *data = skb->data; + unsigned int offset; +- u16 *hi, *id; ++ u16 hi, id; + u32 lo; + + if (ptp_classify_raw(skb) == PTP_CLASS_NONE) +@@ -118,14 +118,11 @@ static int pch_ptp_match(struct sk_buff *skb, u16 uid_hi, u32 uid_lo, u16 seqid) + if (skb->len < offset + OFF_PTP_SEQUENCE_ID + sizeof(seqid)) + return 0; + +- hi = (u16 *)(data + offset + OFF_PTP_SOURCE_UUID); +- id = (u16 *)(data + offset + OFF_PTP_SEQUENCE_ID); ++ hi = get_unaligned_be16(data + offset + OFF_PTP_SOURCE_UUID + 0); ++ lo = get_unaligned_be32(data + offset + OFF_PTP_SOURCE_UUID + 2); ++ id = get_unaligned_be16(data + offset + OFF_PTP_SEQUENCE_ID); + +- memcpy(&lo, &hi[1], sizeof(lo)); +- +- return (uid_hi == *hi && +- uid_lo == lo && +- seqid == *id); ++ return (uid_hi == hi && uid_lo == lo && seqid == id); + } + + static void +@@ -135,7 +132,6 @@ pch_rx_timestamp(struct pch_gbe_adapter *adapter, struct sk_buff *skb) + struct pci_dev *pdev; + u64 ns; + u32 hi, lo, val; +- u16 uid, seq; + + if (!adapter->hwts_rx_en) + return; +@@ -151,10 +147,7 @@ pch_rx_timestamp(struct pch_gbe_adapter *adapter, struct sk_buff *skb) + lo = pch_src_uuid_lo_read(pdev); + hi = pch_src_uuid_hi_read(pdev); + +- uid = hi & 0xffff; +- seq = (hi >> 16) & 0xffff; +- +- if (!pch_ptp_match(skb, htons(uid), htonl(lo), htons(seq))) ++ if (!pch_ptp_match(skb, hi, lo, hi >> 16)) + goto out; + + ns = pch_rx_snap_read(pdev); +-- +2.30.2 + diff --git a/queue-5.10/net-phy-realtek-add-delay-to-fix-rxc-generation-issu.patch b/queue-5.10/net-phy-realtek-add-delay-to-fix-rxc-generation-issu.patch new file mode 100644 index 00000000000..efbb75c2592 --- /dev/null +++ b/queue-5.10/net-phy-realtek-add-delay-to-fix-rxc-generation-issu.patch @@ -0,0 +1,57 @@ +From cc34b172d297f13f2329a4a05dc323c683ab9955 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 11:15:35 +0800 +Subject: net: phy: realtek: add delay to fix RXC generation issue + +From: Joakim Zhang + +[ Upstream commit 6813cc8cfdaf401476e1a007cec8ae338cefa573 ] + +PHY will delay about 11.5ms to generate RXC clock when switching from +power down to normal operation. Read/write registers would also cause RXC +become unstable and stop for a while during this process. Realtek engineer +suggests 15ms or more delay can workaround this issue. + +Signed-off-by: Joakim Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/realtek.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/realtek.c b/drivers/net/phy/realtek.c +index 575580d3ffe0..b4879306bb8a 100644 +--- a/drivers/net/phy/realtek.c ++++ b/drivers/net/phy/realtek.c +@@ -246,6 +246,19 @@ static int rtl8211f_config_init(struct phy_device *phydev) + return 0; + } + ++static int rtl821x_resume(struct phy_device *phydev) ++{ ++ int ret; ++ ++ ret = genphy_resume(phydev); ++ if (ret < 0) ++ return ret; ++ ++ msleep(20); ++ ++ return 0; ++} ++ + static int rtl8211e_config_init(struct phy_device *phydev) + { + int ret = 0, oldpage; +@@ -624,7 +637,7 @@ static struct phy_driver realtek_drvs[] = { + .ack_interrupt = &rtl8211f_ack_interrupt, + .config_intr = &rtl8211f_config_intr, + .suspend = genphy_suspend, +- .resume = genphy_resume, ++ .resume = rtl821x_resume, + .read_page = rtl821x_read_page, + .write_page = rtl821x_write_page, + }, { +-- +2.30.2 + diff --git a/queue-5.10/net-sched-cls_api-increase-max_reclassify_loop.patch b/queue-5.10/net-sched-cls_api-increase-max_reclassify_loop.patch new file mode 100644 index 00000000000..b29c64ba84e --- /dev/null +++ b/queue-5.10/net-sched-cls_api-increase-max_reclassify_loop.patch @@ -0,0 +1,39 @@ +From 83669c47f13e5da0558b00ab8347014f44c85fa8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 May 2021 15:17:21 +0200 +Subject: net/sched: cls_api: increase max_reclassify_loop + +From: Davide Caratti + +[ Upstream commit 05ff8435e50569a0a6b95e5ceaea43696e8827ab ] + +modern userspace applications, like OVN, can configure the TC datapath to +"recirculate" packets several times. If more than 4 "recirculation" rules +are configured, packets can be dropped by __tcf_classify(). +Changing the maximum number of reclassifications (from 4 to 16) should be +sufficient to prevent drops in most use cases, and guard against loops at +the same time. + +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c +index a281da07bb1d..30090794b791 100644 +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -1532,7 +1532,7 @@ static inline int __tcf_classify(struct sk_buff *skb, + u32 *last_executed_chain) + { + #ifdef CONFIG_NET_CLS_ACT +- const int max_reclassify_loop = 4; ++ const int max_reclassify_loop = 16; + const struct tcf_proto *first_tp; + int limit = 0; + +-- +2.30.2 + diff --git a/queue-5.10/net-sched-fix-error-return-code-in-tcf_del_walker.patch b/queue-5.10/net-sched-fix-error-return-code-in-tcf_del_walker.patch new file mode 100644 index 00000000000..1c7aab7f68a --- /dev/null +++ b/queue-5.10/net-sched-fix-error-return-code-in-tcf_del_walker.patch @@ -0,0 +1,37 @@ +From 54714919a1a27949fa5a236cda600b0a662848f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jun 2021 16:02:07 +0800 +Subject: net: sched: fix error return code in tcf_del_walker() + +From: Yang Yingliang + +[ Upstream commit 55d96f72e8ddc0a294e0b9c94016edbb699537e1 ] + +When nla_put_u32() fails, 'ret' could be 0, it should +return error code in tcf_del_walker(). + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/act_api.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sched/act_api.c b/net/sched/act_api.c +index 88e14cfeb5d5..f613299ca7f0 100644 +--- a/net/sched/act_api.c ++++ b/net/sched/act_api.c +@@ -333,7 +333,8 @@ static int tcf_del_walker(struct tcf_idrinfo *idrinfo, struct sk_buff *skb, + } + mutex_unlock(&idrinfo->lock); + +- if (nla_put_u32(skb, TCA_FCNT, n_i)) ++ ret = nla_put_u32(skb, TCA_FCNT, n_i); ++ if (ret) + goto nla_put_failure; + nla_nest_end(skb, nest); + +-- +2.30.2 + diff --git a/queue-5.10/net-sgi-ioc3-eth-check-return-value-after-calling-pl.patch b/queue-5.10/net-sgi-ioc3-eth-check-return-value-after-calling-pl.patch new file mode 100644 index 00000000000..2688510fe52 --- /dev/null +++ b/queue-5.10/net-sgi-ioc3-eth-check-return-value-after-calling-pl.patch @@ -0,0 +1,38 @@ +From db58dafe2bb90da430aa0fe587d23b1819f1da0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 21:25:15 +0800 +Subject: net: sgi: ioc3-eth: check return value after calling + platform_get_resource() + +From: Yang Yingliang + +[ Upstream commit db8f7be1e1d64fbf113a456ef94534fbf5e9a9af ] + +It will cause null-ptr-deref if platform_get_resource() returns NULL, +we need check the return value. + +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sgi/ioc3-eth.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/sgi/ioc3-eth.c b/drivers/net/ethernet/sgi/ioc3-eth.c +index 6eef0f45b133..2b29fd4cbdf4 100644 +--- a/drivers/net/ethernet/sgi/ioc3-eth.c ++++ b/drivers/net/ethernet/sgi/ioc3-eth.c +@@ -835,6 +835,10 @@ static int ioc3eth_probe(struct platform_device *pdev) + int err; + + regs = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (!regs) { ++ dev_err(&pdev->dev, "Invalid resource\n"); ++ return -EINVAL; ++ } + /* get mac addr from one wire prom */ + if (ioc3eth_get_mac_addr(regs, mac_addr)) + return -EPROBE_DEFER; /* not available yet */ +-- +2.30.2 + diff --git a/queue-5.10/net-stmmac-the-xpcs-obscures-a-potential-phy-not-fou.patch b/queue-5.10/net-stmmac-the-xpcs-obscures-a-potential-phy-not-fou.patch new file mode 100644 index 00000000000..60689c3baff --- /dev/null +++ b/queue-5.10/net-stmmac-the-xpcs-obscures-a-potential-phy-not-fou.patch @@ -0,0 +1,101 @@ +From 08f7ad611b5834b623a058348f664c49e2eacb42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 May 2021 18:59:59 +0300 +Subject: net: stmmac: the XPCS obscures a potential "PHY not found" error + +From: Vladimir Oltean + +[ Upstream commit 4751d2aa321f2828d8c5d2f7ce4ed18a01e47f46 ] + +stmmac_mdio_register() has logic to search for PHYs on the MDIO bus and +assign them IRQ lines, as well as to set priv->plat->phy_addr. + +If no PHY is found, the "found" variable remains set to 0 and the +function errors out. + +After the introduction of commit f213bbe8a9d6 ("net: stmmac: Integrate +it with DesignWare XPCS"), the "found" variable was immediately reused +for searching for a PCS on the same MDIO bus. + +This can result in 2 types of potential problems (none of them seems to +be seen on the only Intel system that sets has_xpcs = true, otherwise it +would have been reported): + +1. If a PCS is found but a PHY is not, then the code happily exits with + no error. One might say "yes, but this is not possible, because + of_mdiobus_register will probe a PHY for all MDIO addresses, + including for the XPCS, so if an XPCS exists, then a PHY certainly + exists too". Well, that is not true, see intel_mgbe_common_data(): + + /* Ensure mdio bus scan skips intel serdes and pcs-xpcs */ + plat->mdio_bus_data->phy_mask = 1 << INTEL_MGBE_ADHOC_ADDR; + plat->mdio_bus_data->phy_mask |= 1 << INTEL_MGBE_XPCS_ADDR; + +2. A PHY is found but an MDIO device with the XPCS PHY ID isn't, and in + that case, the error message will be "No PHY found". Confusing. + +Signed-off-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20210527155959.3270478-1-olteanv@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/stmmac_mdio.c | 21 +++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c +index b2a707e2ef43..678726c62a8a 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c +@@ -441,6 +441,12 @@ int stmmac_mdio_register(struct net_device *ndev) + found = 1; + } + ++ if (!found && !mdio_node) { ++ dev_warn(dev, "No PHY found\n"); ++ err = -ENODEV; ++ goto no_phy_found; ++ } ++ + /* Try to probe the XPCS by scanning all addresses. */ + if (priv->hw->xpcs) { + struct mdio_xpcs_args *xpcs = &priv->hw->xpcs_args; +@@ -449,6 +455,7 @@ int stmmac_mdio_register(struct net_device *ndev) + + xpcs->bus = new_bus; + ++ found = 0; + for (addr = 0; addr < max_addr; addr++) { + xpcs->addr = addr; + +@@ -458,13 +465,12 @@ int stmmac_mdio_register(struct net_device *ndev) + break; + } + } +- } + +- if (!found && !mdio_node) { +- dev_warn(dev, "No PHY found\n"); +- mdiobus_unregister(new_bus); +- mdiobus_free(new_bus); +- return -ENODEV; ++ if (!found && !mdio_node) { ++ dev_warn(dev, "No XPCS found\n"); ++ err = -ENODEV; ++ goto no_xpcs_found; ++ } + } + + bus_register_done: +@@ -472,6 +478,9 @@ bus_register_done: + + return 0; + ++no_xpcs_found: ++no_phy_found: ++ mdiobus_unregister(new_bus); + bus_register_fail: + mdiobus_free(new_bus); + return err; +-- +2.30.2 + diff --git a/queue-5.10/net-tcp-better-handling-of-reordering-then-loss-case.patch b/queue-5.10/net-tcp-better-handling-of-reordering-then-loss-case.patch new file mode 100644 index 00000000000..cb8c0e93d12 --- /dev/null +++ b/queue-5.10/net-tcp-better-handling-of-reordering-then-loss-case.patch @@ -0,0 +1,118 @@ +From faaac733e16934eecec74c0dbc4ce51325b4bf89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 17:51:21 -0700 +Subject: net: tcp better handling of reordering then loss cases + +From: Yuchung Cheng + +[ Upstream commit a29cb6914681a55667436a9eb7a42e28da8cf387 ] + +This patch aims to improve the situation when reordering and loss are +ocurring in the same flight of packets. + +Previously the reordering would first induce a spurious recovery, then +the subsequent ACK may undo the cwnd (based on the timestamps e.g.). +However the current loss recovery does not proceed to invoke +RACK to install a reordering timer. If some packets are also lost, this +may lead to a long RTO-based recovery. An example is +https://groups.google.com/g/bbr-dev/c/OFHADvJbTEI + +The solution is to after reverting the recovery, always invoke RACK +to either mount the RACK timer to fast retransmit after the reordering +window, or restarts the recovery if new loss is identified. Hence +it is possible the sender may go from Recovery to Disorder/Open to +Recovery again in one ACK. + +Reported-by: mingkun bian +Signed-off-by: Yuchung Cheng +Signed-off-by: Neal Cardwell +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 45 +++++++++++++++++++++++++------------------- + 1 file changed, 26 insertions(+), 19 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index fac5c1469cee..4d4b641c204d 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2802,8 +2802,17 @@ static void tcp_process_loss(struct sock *sk, int flag, int num_dupack, + *rexmit = REXMIT_LOST; + } + ++static bool tcp_force_fast_retransmit(struct sock *sk) ++{ ++ struct tcp_sock *tp = tcp_sk(sk); ++ ++ return after(tcp_highest_sack_seq(tp), ++ tp->snd_una + tp->reordering * tp->mss_cache); ++} ++ + /* Undo during fast recovery after partial ACK. */ +-static bool tcp_try_undo_partial(struct sock *sk, u32 prior_snd_una) ++static bool tcp_try_undo_partial(struct sock *sk, u32 prior_snd_una, ++ bool *do_lost) + { + struct tcp_sock *tp = tcp_sk(sk); + +@@ -2828,7 +2837,9 @@ static bool tcp_try_undo_partial(struct sock *sk, u32 prior_snd_una) + tcp_undo_cwnd_reduction(sk, true); + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPPARTIALUNDO); + tcp_try_keep_open(sk); +- return true; ++ } else { ++ /* Partial ACK arrived. Force fast retransmit. */ ++ *do_lost = tcp_force_fast_retransmit(sk); + } + return false; + } +@@ -2852,14 +2863,6 @@ static void tcp_identify_packet_loss(struct sock *sk, int *ack_flag) + } + } + +-static bool tcp_force_fast_retransmit(struct sock *sk) +-{ +- struct tcp_sock *tp = tcp_sk(sk); +- +- return after(tcp_highest_sack_seq(tp), +- tp->snd_una + tp->reordering * tp->mss_cache); +-} +- + /* Process an event, which can update packets-in-flight not trivially. + * Main goal of this function is to calculate new estimate for left_out, + * taking into account both packets sitting in receiver's buffer and +@@ -2929,17 +2932,21 @@ static void tcp_fastretrans_alert(struct sock *sk, const u32 prior_snd_una, + if (!(flag & FLAG_SND_UNA_ADVANCED)) { + if (tcp_is_reno(tp)) + tcp_add_reno_sack(sk, num_dupack, ece_ack); +- } else { +- if (tcp_try_undo_partial(sk, prior_snd_una)) +- return; +- /* Partial ACK arrived. Force fast retransmit. */ +- do_lost = tcp_force_fast_retransmit(sk); +- } +- if (tcp_try_undo_dsack(sk)) { +- tcp_try_keep_open(sk); ++ } else if (tcp_try_undo_partial(sk, prior_snd_una, &do_lost)) + return; +- } ++ ++ if (tcp_try_undo_dsack(sk)) ++ tcp_try_keep_open(sk); ++ + tcp_identify_packet_loss(sk, ack_flag); ++ if (icsk->icsk_ca_state != TCP_CA_Recovery) { ++ if (!tcp_time_to_recover(sk, flag)) ++ return; ++ /* Undo reverts the recovery state. If loss is evident, ++ * starts a new recovery (e.g. reordering then loss); ++ */ ++ tcp_enter_recovery(sk, ece_ack); ++ } + break; + case TCP_CA_Loss: + tcp_process_loss(sk, flag, num_dupack, rexmit); +-- +2.30.2 + diff --git a/queue-5.10/net-treat-__napi_schedule_irqoff-as-__napi_schedule-.patch b/queue-5.10/net-treat-__napi_schedule_irqoff-as-__napi_schedule-.patch new file mode 100644 index 00000000000..231a9cac279 --- /dev/null +++ b/queue-5.10/net-treat-__napi_schedule_irqoff-as-__napi_schedule-.patch @@ -0,0 +1,65 @@ +From 3735ec7a192bb9be71c6693dccb50afe7b3cfea2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 23:43:24 +0200 +Subject: net: Treat __napi_schedule_irqoff() as __napi_schedule() on + PREEMPT_RT + +From: Sebastian Andrzej Siewior + +[ Upstream commit 8380c81d5c4fced6f4397795a5ae65758272bbfd ] + +__napi_schedule_irqoff() is an optimized version of __napi_schedule() +which can be used where it is known that interrupts are disabled, +e.g. in interrupt-handlers, spin_lock_irq() sections or hrtimer +callbacks. + +On PREEMPT_RT enabled kernels this assumptions is not true. Force- +threaded interrupt handlers and spinlocks are not disabling interrupts +and the NAPI hrtimer callback is forced into softirq context which runs +with interrupts enabled as well. + +Chasing all usage sites of __napi_schedule_irqoff() is a whack-a-mole +game so make __napi_schedule_irqoff() invoke __napi_schedule() for +PREEMPT_RT kernels. + +The callers of ____napi_schedule() in the networking core have been +audited and are correct on PREEMPT_RT kernels as well. + +Reported-by: Juri Lelli +Signed-off-by: Sebastian Andrzej Siewior +Reviewed-by: Thomas Gleixner +Reviewed-by: Juri Lelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 0c9ce36afc8c..2fdf30eefc59 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -6433,11 +6433,18 @@ EXPORT_SYMBOL(napi_schedule_prep); + * __napi_schedule_irqoff - schedule for receive + * @n: entry to schedule + * +- * Variant of __napi_schedule() assuming hard irqs are masked ++ * Variant of __napi_schedule() assuming hard irqs are masked. ++ * ++ * On PREEMPT_RT enabled kernels this maps to __napi_schedule() ++ * because the interrupt disabled assumption might not be true ++ * due to force-threaded interrupts and spinlock substitution. + */ + void __napi_schedule_irqoff(struct napi_struct *n) + { +- ____napi_schedule(this_cpu_ptr(&softnet_data), n); ++ if (!IS_ENABLED(CONFIG_PREEMPT_RT)) ++ ____napi_schedule(this_cpu_ptr(&softnet_data), n); ++ else ++ __napi_schedule(n); + } + EXPORT_SYMBOL(__napi_schedule_irqoff); + +-- +2.30.2 + diff --git a/queue-5.10/pinctrl-equilibrium-add-missing-module_device_table.patch b/queue-5.10/pinctrl-equilibrium-add-missing-module_device_table.patch new file mode 100644 index 00000000000..88659950c5a --- /dev/null +++ b/queue-5.10/pinctrl-equilibrium-add-missing-module_device_table.patch @@ -0,0 +1,37 @@ +From 79706da858467e88177e58e939db8de6c7ab9809 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 11:15:02 +0800 +Subject: pinctrl: equilibrium: Add missing MODULE_DEVICE_TABLE + +From: Bixuan Cui + +[ Upstream commit d7f444499d6faf9a6ae3b27ec094109528d2b9a7 ] + +This patch adds missing MODULE_DEVICE_TABLE definition which generates +correct modalias for automatic loading of this driver when it is built +as an external module. + +Reported-by: Hulk Robot +Signed-off-by: Bixuan Cui +Link: https://lore.kernel.org/r/20210508031502.53637-1-cuibixuan@huawei.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-equilibrium.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/pinctrl-equilibrium.c b/drivers/pinctrl/pinctrl-equilibrium.c +index 067271b7d35a..ac1c47f542c1 100644 +--- a/drivers/pinctrl/pinctrl-equilibrium.c ++++ b/drivers/pinctrl/pinctrl-equilibrium.c +@@ -929,6 +929,7 @@ static const struct of_device_id eqbr_pinctrl_dt_match[] = { + { .compatible = "intel,lgm-io" }, + {} + }; ++MODULE_DEVICE_TABLE(of, eqbr_pinctrl_dt_match); + + static struct platform_driver eqbr_pinctrl_driver = { + .probe = eqbr_pinctrl_probe, +-- +2.30.2 + diff --git a/queue-5.10/pinctrl-mcp23s08-fix-race-condition-in-irq-handler.patch b/queue-5.10/pinctrl-mcp23s08-fix-race-condition-in-irq-handler.patch new file mode 100644 index 00000000000..d23f7daa7cc --- /dev/null +++ b/queue-5.10/pinctrl-mcp23s08-fix-race-condition-in-irq-handler.patch @@ -0,0 +1,59 @@ +From 4f27011351bbb9d42d4648b2f698838a98c337d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 10:48:18 +0000 +Subject: pinctrl: mcp23s08: fix race condition in irq handler + +From: Radim Pavlik + +[ Upstream commit 897120d41e7afd9da435cb00041a142aeeb53c07 ] + +Checking value of MCP_INTF in mcp23s08_irq suggests that the handler may be +called even when there is no interrupt pending. + +But the actual interrupt could happened between reading MCP_INTF and MCP_GPIO. +In this situation we got nothing from MCP_INTF, but the event gets acknowledged +on the expander by reading MCP_GPIO. This leads to losing events. + +Fix the problem by not reading any register until we see something in MCP_INTF. + +The error was reproduced and fix tested on MCP23017. + +Signed-off-by: Radim Pavlik +Link: https://lore.kernel.org/r/AM7PR06MB6769E1183F68DEBB252F665ABA3E9@AM7PR06MB6769.eurprd06.prod.outlook.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-mcp23s08.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c +index ce2d8014b7e0..799d596a1a4b 100644 +--- a/drivers/pinctrl/pinctrl-mcp23s08.c ++++ b/drivers/pinctrl/pinctrl-mcp23s08.c +@@ -351,6 +351,11 @@ static irqreturn_t mcp23s08_irq(int irq, void *data) + if (mcp_read(mcp, MCP_INTF, &intf)) + goto unlock; + ++ if (intf == 0) { ++ /* There is no interrupt pending */ ++ return IRQ_HANDLED; ++ } ++ + if (mcp_read(mcp, MCP_INTCAP, &intcap)) + goto unlock; + +@@ -368,11 +373,6 @@ static irqreturn_t mcp23s08_irq(int irq, void *data) + mcp->cached_gpio = gpio; + mutex_unlock(&mcp->lock); + +- if (intf == 0) { +- /* There is no interrupt pending */ +- return IRQ_HANDLED; +- } +- + dev_dbg(mcp->chip.parent, + "intcap 0x%04X intf 0x%04X gpio_orig 0x%04X gpio 0x%04X\n", + intcap, intf, gpio_orig, gpio); +-- +2.30.2 + diff --git a/queue-5.10/r8169-avoid-link-up-interrupt-issue-on-rtl8106e-if-u.patch b/queue-5.10/r8169-avoid-link-up-interrupt-issue-on-rtl8106e-if-u.patch new file mode 100644 index 00000000000..405be9e0700 --- /dev/null +++ b/queue-5.10/r8169-avoid-link-up-interrupt-issue-on-rtl8106e-if-u.patch @@ -0,0 +1,39 @@ +From 4f46c95d172d8a1c170daa836543cc68e2825b2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 22:56:59 +0200 +Subject: r8169: avoid link-up interrupt issue on RTL8106e if user enables ASPM + +From: Heiner Kallweit + +[ Upstream commit 1ee8856de82faec9bc8bd0f2308a7f27e30ba207 ] + +It has been reported that on RTL8106e the link-up interrupt may be +significantly delayed if the user enables ASPM L1. Per default ASPM +is disabled. The change leaves L1 enabled on the PCIe link (thus still +allowing to reach higher package power saving states), but the +NIC won't actively trigger it. + +Reported-by: Koba Ko +Tested-by: Koba Ko +Signed-off-by: Heiner Kallweit +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index a6bf80b52967..9010aabd9782 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -3547,7 +3547,6 @@ static void rtl_hw_start_8106(struct rtl8169_private *tp) + rtl_eri_write(tp, 0x1b0, ERIAR_MASK_0011, 0x0000); + + rtl_pcie_state_l2l3_disable(tp); +- rtl_hw_aspm_clkreq_enable(tp, true); + } + + DECLARE_RTL_COND(rtl_mac_ocp_e00e_cond) +-- +2.30.2 + diff --git a/queue-5.10/rdma-cma-fix-rdma_resolve_route-memory-leak.patch b/queue-5.10/rdma-cma-fix-rdma_resolve_route-memory-leak.patch new file mode 100644 index 00000000000..bca33397caa --- /dev/null +++ b/queue-5.10/rdma-cma-fix-rdma_resolve_route-memory-leak.patch @@ -0,0 +1,41 @@ +From 718d5626694152927d59648a12e3a768be3e876b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Jun 2021 11:55:31 -0700 +Subject: RDMA/cma: Fix rdma_resolve_route() memory leak + +From: Gerd Rausch + +[ Upstream commit 74f160ead74bfe5f2b38afb4fcf86189f9ff40c9 ] + +Fix a memory leak when "mda_resolve_route() is called more than once on +the same "rdma_cm_id". + +This is possible if cma_query_handler() triggers the +RDMA_CM_EVENT_ROUTE_ERROR flow which puts the state machine back and +allows rdma_resolve_route() to be called again. + +Link: https://lore.kernel.org/r/f6662b7b-bdb7-2706-1e12-47c61d3474b6@oracle.com +Signed-off-by: Gerd Rausch +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 0c879e40bd18..34b94e525390 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -2793,7 +2793,8 @@ static int cma_resolve_ib_route(struct rdma_id_private *id_priv, + + cma_init_resolve_route_work(work, id_priv); + +- route->path_rec = kmalloc(sizeof *route->path_rec, GFP_KERNEL); ++ if (!route->path_rec) ++ route->path_rec = kmalloc(sizeof *route->path_rec, GFP_KERNEL); + if (!route->path_rec) { + ret = -ENOMEM; + goto err1; +-- +2.30.2 + diff --git a/queue-5.10/rdma-cxgb4-fix-missing-error-code-in-create_qp.patch b/queue-5.10/rdma-cxgb4-fix-missing-error-code-in-create_qp.patch new file mode 100644 index 00000000000..dceab2d0eb3 --- /dev/null +++ b/queue-5.10/rdma-cxgb4-fix-missing-error-code-in-create_qp.patch @@ -0,0 +1,40 @@ +From d98d5b89584e3ed0dc7c33f52d923b2885821fcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 19:07:49 +0800 +Subject: RDMA/cxgb4: Fix missing error code in create_qp() + +From: Jiapeng Chong + +[ Upstream commit aeb27bb76ad8197eb47890b1ff470d5faf8ec9a5 ] + +The error code is missing in this code scenario so 0 will be returned. Add +the error code '-EINVAL' to the return value 'ret'. + +Eliminates the follow smatch warning: + +drivers/infiniband/hw/cxgb4/qp.c:298 create_qp() warn: missing error code 'ret'. + +Link: https://lore.kernel.org/r/1622545669-20625-1-git-send-email-jiapeng.chong@linux.alibaba.com +Reported-by: Abaci Robot +Signed-off-by: Jiapeng Chong +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/qp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c +index 5df4bb52bb10..861e19fdfeb4 100644 +--- a/drivers/infiniband/hw/cxgb4/qp.c ++++ b/drivers/infiniband/hw/cxgb4/qp.c +@@ -295,6 +295,7 @@ static int create_qp(struct c4iw_rdev *rdev, struct t4_wq *wq, + if (user && (!wq->sq.bar2_pa || (need_rq && !wq->rq.bar2_pa))) { + pr_warn("%s: sqid %u or rqid %u not in BAR2 range\n", + pci_name(rdev->lldi.pdev), wq->sq.qid, wq->rq.qid); ++ ret = -EINVAL; + goto free_dma; + } + +-- +2.30.2 + diff --git a/queue-5.10/rdma-rtrs-change-max_sess_queue_depth.patch b/queue-5.10/rdma-rtrs-change-max_sess_queue_depth.patch new file mode 100644 index 00000000000..eac1f3d16be --- /dev/null +++ b/queue-5.10/rdma-rtrs-change-max_sess_queue_depth.patch @@ -0,0 +1,51 @@ +From e5dbd328d9c4ee0f473c598e8a6c53d8fdede357 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 May 2021 13:30:03 +0200 +Subject: RDMA/rtrs: Change MAX_SESS_QUEUE_DEPTH + +From: Gioh Kim + +[ Upstream commit 3a98ea7041b7d18ac356da64823c2ba2f8391b3e ] + +Max IB immediate data size is 2^28 (MAX_IMM_PAYL_BITS) +and the minimum chunk size is 4096 (2^12). +Therefore the maximum sess_queue_depth is 65536 (2^16). + +Link: https://lore.kernel.org/r/20210528113018.52290-6-jinpu.wang@ionos.com +Signed-off-by: Gioh Kim +Signed-off-by: Jack Wang +Reported-by: kernel test robot +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs-pri.h | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-pri.h b/drivers/infiniband/ulp/rtrs/rtrs-pri.h +index 8caad0a2322b..51c60f542876 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-pri.h ++++ b/drivers/infiniband/ulp/rtrs/rtrs-pri.h +@@ -47,12 +47,15 @@ enum { + MAX_PATHS_NUM = 128, + + /* +- * With the size of struct rtrs_permit allocated on the client, 4K +- * is the maximum number of rtrs_permits we can allocate. This number is +- * also used on the client to allocate the IU for the user connection +- * to receive the RDMA addresses from the server. ++ * Max IB immediate data size is 2^28 (MAX_IMM_PAYL_BITS) ++ * and the minimum chunk size is 4096 (2^12). ++ * So the maximum sess_queue_depth is 65536 (2^16) in theory. ++ * But mempool_create, create_qp and ib_post_send fail with ++ * "cannot allocate memory" error if sess_queue_depth is too big. ++ * Therefore the pratical max value of sess_queue_depth is ++ * somewhere between 1 and 65536 and it depends on the system. + */ +- MAX_SESS_QUEUE_DEPTH = 4096, ++ MAX_SESS_QUEUE_DEPTH = 65536, + + RTRS_HB_INTERVAL_MS = 5000, + RTRS_HB_MISSED_MAX = 5, +-- +2.30.2 + diff --git a/queue-5.10/rdma-rxe-don-t-overwrite-errno-from-ib_umem_get.patch b/queue-5.10/rdma-rxe-don-t-overwrite-errno-from-ib_umem_get.patch new file mode 100644 index 00000000000..05078b95b15 --- /dev/null +++ b/queue-5.10/rdma-rxe-don-t-overwrite-errno-from-ib_umem_get.patch @@ -0,0 +1,40 @@ +From 3bd51c9553057aea1e8dfa9233474553092a76a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 15:14:56 +0800 +Subject: RDMA/rxe: Don't overwrite errno from ib_umem_get() + +From: Xiao Yang + +[ Upstream commit 20ec0a6d6016aa28b9b3299be18baef1a0f91cd2 ] + +rxe_mr_init_user() always returns the fixed -EINVAL when ib_umem_get() +fails so it's hard for user to know which actual error happens in +ib_umem_get(). For example, ib_umem_get() will return -EOPNOTSUPP when +trying to pin pages on a DAX file. + +Return actual error as mlx4/mlx5 does. + +Link: https://lore.kernel.org/r/20210621071456.4259-1-ice_yangxiao@163.com +Signed-off-by: Xiao Yang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_mr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c +index d2ce852447c1..026285f7f36a 100644 +--- a/drivers/infiniband/sw/rxe/rxe_mr.c ++++ b/drivers/infiniband/sw/rxe/rxe_mr.c +@@ -139,7 +139,7 @@ int rxe_mem_init_user(struct rxe_pd *pd, u64 start, + if (IS_ERR(umem)) { + pr_warn("err %d from rxe_umem_get\n", + (int)PTR_ERR(umem)); +- err = -EINVAL; ++ err = PTR_ERR(umem); + goto err1; + } + +-- +2.30.2 + diff --git a/queue-5.10/reiserfs-add-check-for-invalid-1st-journal-block.patch b/queue-5.10/reiserfs-add-check-for-invalid-1st-journal-block.patch new file mode 100644 index 00000000000..7206b37f64c --- /dev/null +++ b/queue-5.10/reiserfs-add-check-for-invalid-1st-journal-block.patch @@ -0,0 +1,57 @@ +From 169681acbd6c0d985181ad11d8f34418b08eee68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 May 2021 15:15:45 +0300 +Subject: reiserfs: add check for invalid 1st journal block + +From: Pavel Skripkin + +[ Upstream commit a149127be52fa7eaf5b3681a0317a2bbb772d5a9 ] + +syzbot reported divide error in reiserfs. +The problem was in incorrect journal 1st block. + +Syzbot's reproducer manualy generated wrong superblock +with incorrect 1st block. In journal_init() wasn't +any checks about this particular case. + +For example, if 1st journal block is before superblock +1st block, it can cause zeroing important superblock members +in do_journal_end(). + +Link: https://lore.kernel.org/r/20210517121545.29645-1-paskripkin@gmail.com +Reported-by: syzbot+0ba9909df31c6a36974d@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/journal.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c +index e98f99338f8f..df5fc12a6cee 100644 +--- a/fs/reiserfs/journal.c ++++ b/fs/reiserfs/journal.c +@@ -2760,6 +2760,20 @@ int journal_init(struct super_block *sb, const char *j_dev_name, + goto free_and_return; + } + ++ /* ++ * Sanity check to see if journal first block is correct. ++ * If journal first block is invalid it can cause ++ * zeroing important superblock members. ++ */ ++ if (!SB_ONDISK_JOURNAL_DEVICE(sb) && ++ SB_ONDISK_JOURNAL_1st_BLOCK(sb) < SB_JOURNAL_1st_RESERVED_BLOCK(sb)) { ++ reiserfs_warning(sb, "journal-1393", ++ "journal 1st super block is invalid: 1st reserved block %d, but actual 1st block is %d", ++ SB_JOURNAL_1st_RESERVED_BLOCK(sb), ++ SB_ONDISK_JOURNAL_1st_BLOCK(sb)); ++ goto free_and_return; ++ } ++ + if (journal_init_dev(sb, journal, j_dev_name) != 0) { + reiserfs_warning(sb, "sh-462", + "unable to initialize journal device"); +-- +2.30.2 + diff --git a/queue-5.10/rtl8xxxu-fix-device-info-for-rtl8192eu-devices.patch b/queue-5.10/rtl8xxxu-fix-device-info-for-rtl8192eu-devices.patch new file mode 100644 index 00000000000..54cceee7008 --- /dev/null +++ b/queue-5.10/rtl8xxxu-fix-device-info-for-rtl8192eu-devices.patch @@ -0,0 +1,147 @@ +From 6eb03c8574ea4eaab7fe1025f2e5a20c1b106e3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Apr 2021 18:29:59 +0100 +Subject: rtl8xxxu: Fix device info for RTL8192EU devices + +From: Pascal Terjan + +[ Upstream commit c240b044edefa3c3af4014a4030e017dd95b59a1 ] + +Based on 2001:3319 and 2357:0109 which I used to test the fix and +0bda:818b and 2357:0108 for which I found efuse dumps online. + +== 2357:0109 == +=== Before === +Vendor: Realtek +Product: \x03802.11n NI +Serial: +=== After === +Vendor: Realtek +Product: 802.11n NIC +Serial not available. + +== 2001:3319 == +=== Before === +Vendor: Realtek +Product: Wireless N +Serial: no USB Adap +=== After === +Vendor: Realtek +Product: Wireless N Nano USB Adapter +Serial not available. + +Signed-off-by: Pascal Terjan +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210424172959.1559890-1-pterjan@google.com +Signed-off-by: Sasha Levin +--- + .../net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 11 +--- + .../realtek/rtl8xxxu/rtl8xxxu_8192e.c | 59 +++++++++++++++++-- + 2 files changed, 56 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h +index d6d1be4169e5..acb6b0cd3667 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h +@@ -853,15 +853,10 @@ struct rtl8192eu_efuse { + u8 usb_optional_function; + u8 res9[2]; + u8 mac_addr[ETH_ALEN]; /* 0xd7 */ +- u8 res10[2]; +- u8 vendor_name[7]; +- u8 res11[2]; +- u8 device_name[0x0b]; /* 0xe8 */ +- u8 res12[2]; +- u8 serial[0x0b]; /* 0xf5 */ +- u8 res13[0x30]; ++ u8 device_info[80]; ++ u8 res11[3]; + u8 unknown[0x0d]; /* 0x130 */ +- u8 res14[0xc3]; ++ u8 res12[0xc3]; + }; + + struct rtl8xxxu_reg8val { +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8192e.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8192e.c +index 9f1f93d04145..199e7e031d7d 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8192e.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8192e.c +@@ -554,9 +554,43 @@ rtl8192e_set_tx_power(struct rtl8xxxu_priv *priv, int channel, bool ht40) + } + } + ++static void rtl8192eu_log_next_device_info(struct rtl8xxxu_priv *priv, ++ char *record_name, ++ char *device_info, ++ unsigned int *record_offset) ++{ ++ char *record = device_info + *record_offset; ++ ++ /* A record is [ total length | 0x03 | value ] */ ++ unsigned char l = record[0]; ++ ++ /* ++ * The whole device info section seems to be 80 characters, make sure ++ * we don't read further. ++ */ ++ if (*record_offset + l > 80) { ++ dev_warn(&priv->udev->dev, ++ "invalid record length %d while parsing \"%s\" at offset %u.\n", ++ l, record_name, *record_offset); ++ return; ++ } ++ ++ if (l >= 2) { ++ char value[80]; ++ ++ memcpy(value, &record[2], l - 2); ++ value[l - 2] = '\0'; ++ dev_info(&priv->udev->dev, "%s: %s\n", record_name, value); ++ *record_offset = *record_offset + l; ++ } else { ++ dev_info(&priv->udev->dev, "%s not available.\n", record_name); ++ } ++} ++ + static int rtl8192eu_parse_efuse(struct rtl8xxxu_priv *priv) + { + struct rtl8192eu_efuse *efuse = &priv->efuse_wifi.efuse8192eu; ++ unsigned int record_offset; + int i; + + if (efuse->rtl_id != cpu_to_le16(0x8129)) +@@ -604,12 +638,25 @@ static int rtl8192eu_parse_efuse(struct rtl8xxxu_priv *priv) + priv->has_xtalk = 1; + priv->xtalk = priv->efuse_wifi.efuse8192eu.xtal_k & 0x3f; + +- dev_info(&priv->udev->dev, "Vendor: %.7s\n", efuse->vendor_name); +- dev_info(&priv->udev->dev, "Product: %.11s\n", efuse->device_name); +- if (memchr_inv(efuse->serial, 0xff, 11)) +- dev_info(&priv->udev->dev, "Serial: %.11s\n", efuse->serial); +- else +- dev_info(&priv->udev->dev, "Serial not available.\n"); ++ /* ++ * device_info section seems to be laid out as records ++ * [ total length | 0x03 | value ] so: ++ * - vendor length + 2 ++ * - 0x03 ++ * - vendor string (not null terminated) ++ * - product length + 2 ++ * - 0x03 ++ * - product string (not null terminated) ++ * Then there is one or 2 0x00 on all the 4 devices I own or found ++ * dumped online. ++ * As previous version of the code handled an optional serial ++ * string, I now assume there may be a third record if the ++ * length is not 0. ++ */ ++ record_offset = 0; ++ rtl8192eu_log_next_device_info(priv, "Vendor", efuse->device_info, &record_offset); ++ rtl8192eu_log_next_device_info(priv, "Product", efuse->device_info, &record_offset); ++ rtl8192eu_log_next_device_info(priv, "Serial", efuse->device_info, &record_offset); + + if (rtl8xxxu_debug & RTL8XXXU_DEBUG_EFUSE) { + unsigned char *raw = priv->efuse_wifi.raw; +-- +2.30.2 + diff --git a/queue-5.10/sched-fair-ensure-_sum-and-_avg-values-stay-consiste.patch b/queue-5.10/sched-fair-ensure-_sum-and-_avg-values-stay-consiste.patch new file mode 100644 index 00000000000..95e73536748 --- /dev/null +++ b/queue-5.10/sched-fair-ensure-_sum-and-_avg-values-stay-consiste.patch @@ -0,0 +1,64 @@ +From 1d1ea92e3af733f0c41e47594d507a815a871a71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Jun 2021 13:18:15 +0200 +Subject: sched/fair: Ensure _sum and _avg values stay consistent + +From: Odin Ugedal + +[ Upstream commit 1c35b07e6d3986474e5635be566e7bc79d97c64d ] + +The _sum and _avg values are in general sync together with the PELT +divider. They are however not always completely in perfect sync, +resulting in situations where _sum gets to zero while _avg stays +positive. Such situations are undesirable. + +This comes from the fact that PELT will increase period_contrib, also +increasing the PELT divider, without updating _sum and _avg values to +stay in perfect sync where (_sum == _avg * divider). However, such PELT +change will never lower _sum, making it impossible to end up in a +situation where _sum is zero and _avg is not. + +Therefore, we need to ensure that when subtracting load outside PELT, +that when _sum is zero, _avg is also set to zero. This occurs when +(_sum < _avg * divider), and the subtracted (_avg * divider) is bigger +or equal to the current _sum, while the subtracted _avg is smaller than +the current _avg. + +Reported-by: Sachin Sant +Reported-by: Naresh Kamboju +Signed-off-by: Odin Ugedal +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Vincent Guittot +Tested-by: Sachin Sant +Link: https://lore.kernel.org/r/20210624111815.57937-1-odin@uged.al +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 3d92de7909bf..32c0905bca84 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -3672,15 +3672,15 @@ update_cfs_rq_load_avg(u64 now, struct cfs_rq *cfs_rq) + + r = removed_load; + sub_positive(&sa->load_avg, r); +- sub_positive(&sa->load_sum, r * divider); ++ sa->load_sum = sa->load_avg * divider; + + r = removed_util; + sub_positive(&sa->util_avg, r); +- sub_positive(&sa->util_sum, r * divider); ++ sa->util_sum = sa->util_avg * divider; + + r = removed_runnable; + sub_positive(&sa->runnable_avg, r); +- sub_positive(&sa->runnable_sum, r * divider); ++ sa->runnable_sum = sa->runnable_avg * divider; + + /* + * removed_runnable is the unweighted version of removed_load so we +-- +2.30.2 + diff --git a/queue-5.10/sctp-add-size-validation-when-walking-chunks.patch b/queue-5.10/sctp-add-size-validation-when-walking-chunks.patch new file mode 100644 index 00000000000..32d2b200094 --- /dev/null +++ b/queue-5.10/sctp-add-size-validation-when-walking-chunks.patch @@ -0,0 +1,42 @@ +From 9f76624076f61748a04d0d19313413e7ba60b2f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jun 2021 16:13:42 -0300 +Subject: sctp: add size validation when walking chunks + +From: Marcelo Ricardo Leitner + +[ Upstream commit 50619dbf8db77e98d821d615af4f634d08e22698 ] + +The first chunk in a packet is ensured to be present at the beginning of +sctp_rcv(), as a packet needs to have at least 1 chunk. But the second +one, may not be completely available and ch->length can be over +uninitialized memory. + +Fix here is by only trying to walk on the next chunk if there is enough to +hold at least the header, and then proceed with the ch->length validation +that is already there. + +Reported-by: Ilja Van Sprundel +Signed-off-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sctp/input.c b/net/sctp/input.c +index 8924e2e142c8..f72bff93745c 100644 +--- a/net/sctp/input.c ++++ b/net/sctp/input.c +@@ -1247,7 +1247,7 @@ static struct sctp_association *__sctp_rcv_walk_lookup(struct net *net, + + ch = (struct sctp_chunkhdr *)ch_end; + chunk_num++; +- } while (ch_end < skb_tail_pointer(skb)); ++ } while (ch_end + sizeof(*ch) < skb_tail_pointer(skb)); + + return asoc; + } +-- +2.30.2 + diff --git a/queue-5.10/sctp-validate-from_addr_param-return.patch b/queue-5.10/sctp-validate-from_addr_param-return.patch new file mode 100644 index 00000000000..460352aa3d4 --- /dev/null +++ b/queue-5.10/sctp-validate-from_addr_param-return.patch @@ -0,0 +1,240 @@ +From 40586cd17bb28dc752a8788029ba6029f8527ccb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jun 2021 16:13:41 -0300 +Subject: sctp: validate from_addr_param return + +From: Marcelo Ricardo Leitner + +[ Upstream commit 0c5dc070ff3d6246d22ddd931f23a6266249e3db ] + +Ilja reported that, simply putting it, nothing was validating that +from_addr_param functions were operating on initialized memory. That is, +the parameter itself was being validated by sctp_walk_params, but it +doesn't check for types and their specific sizes and it could be a 0-length +one, causing from_addr_param to potentially work over the next parameter or +even uninitialized memory. + +The fix here is to, in all calls to from_addr_param, check if enough space +is there for the wanted IP address type. + +Reported-by: Ilja Van Sprundel +Signed-off-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/sctp/structs.h | 2 +- + net/sctp/bind_addr.c | 19 +++++++++++-------- + net/sctp/input.c | 6 ++++-- + net/sctp/ipv6.c | 7 ++++++- + net/sctp/protocol.c | 7 ++++++- + net/sctp/sm_make_chunk.c | 29 ++++++++++++++++------------- + 6 files changed, 44 insertions(+), 26 deletions(-) + +diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h +index 0bdff38eb4bb..51d698f2656f 100644 +--- a/include/net/sctp/structs.h ++++ b/include/net/sctp/structs.h +@@ -458,7 +458,7 @@ struct sctp_af { + int saddr); + void (*from_sk) (union sctp_addr *, + struct sock *sk); +- void (*from_addr_param) (union sctp_addr *, ++ bool (*from_addr_param) (union sctp_addr *, + union sctp_addr_param *, + __be16 port, int iif); + int (*to_addr_param) (const union sctp_addr *, +diff --git a/net/sctp/bind_addr.c b/net/sctp/bind_addr.c +index 53e5ed79f63f..59e653b528b1 100644 +--- a/net/sctp/bind_addr.c ++++ b/net/sctp/bind_addr.c +@@ -270,22 +270,19 @@ int sctp_raw_to_bind_addrs(struct sctp_bind_addr *bp, __u8 *raw_addr_list, + rawaddr = (union sctp_addr_param *)raw_addr_list; + + af = sctp_get_af_specific(param_type2af(param->type)); +- if (unlikely(!af)) { ++ if (unlikely(!af) || ++ !af->from_addr_param(&addr, rawaddr, htons(port), 0)) { + retval = -EINVAL; +- sctp_bind_addr_clean(bp); +- break; ++ goto out_err; + } + +- af->from_addr_param(&addr, rawaddr, htons(port), 0); + if (sctp_bind_addr_state(bp, &addr) != -1) + goto next; + retval = sctp_add_bind_addr(bp, &addr, sizeof(addr), + SCTP_ADDR_SRC, gfp); +- if (retval) { ++ if (retval) + /* Can't finish building the list, clean up. */ +- sctp_bind_addr_clean(bp); +- break; +- } ++ goto out_err; + + next: + len = ntohs(param->length); +@@ -294,6 +291,12 @@ next: + } + + return retval; ++ ++out_err: ++ if (retval) ++ sctp_bind_addr_clean(bp); ++ ++ return retval; + } + + /******************************************************************** +diff --git a/net/sctp/input.c b/net/sctp/input.c +index d508f6f3dd08..8924e2e142c8 100644 +--- a/net/sctp/input.c ++++ b/net/sctp/input.c +@@ -1131,7 +1131,8 @@ static struct sctp_association *__sctp_rcv_init_lookup(struct net *net, + if (!af) + continue; + +- af->from_addr_param(paddr, params.addr, sh->source, 0); ++ if (!af->from_addr_param(paddr, params.addr, sh->source, 0)) ++ continue; + + asoc = __sctp_lookup_association(net, laddr, paddr, transportp); + if (asoc) +@@ -1174,7 +1175,8 @@ static struct sctp_association *__sctp_rcv_asconf_lookup( + if (unlikely(!af)) + return NULL; + +- af->from_addr_param(&paddr, param, peer_port, 0); ++ if (af->from_addr_param(&paddr, param, peer_port, 0)) ++ return NULL; + + return __sctp_lookup_association(net, laddr, &paddr, transportp); + } +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c +index c8074f435d3e..d594b949ae82 100644 +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -530,15 +530,20 @@ static void sctp_v6_to_sk_daddr(union sctp_addr *addr, struct sock *sk) + } + + /* Initialize a sctp_addr from an address parameter. */ +-static void sctp_v6_from_addr_param(union sctp_addr *addr, ++static bool sctp_v6_from_addr_param(union sctp_addr *addr, + union sctp_addr_param *param, + __be16 port, int iif) + { ++ if (ntohs(param->v6.param_hdr.length) < sizeof(struct sctp_ipv6addr_param)) ++ return false; ++ + addr->v6.sin6_family = AF_INET6; + addr->v6.sin6_port = port; + addr->v6.sin6_flowinfo = 0; /* BUG */ + addr->v6.sin6_addr = param->v6.addr; + addr->v6.sin6_scope_id = iif; ++ ++ return true; + } + + /* Initialize an address parameter from a sctp_addr and return the length +diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c +index 25833238fe93..47fb87ce489f 100644 +--- a/net/sctp/protocol.c ++++ b/net/sctp/protocol.c +@@ -253,14 +253,19 @@ static void sctp_v4_to_sk_daddr(union sctp_addr *addr, struct sock *sk) + } + + /* Initialize a sctp_addr from an address parameter. */ +-static void sctp_v4_from_addr_param(union sctp_addr *addr, ++static bool sctp_v4_from_addr_param(union sctp_addr *addr, + union sctp_addr_param *param, + __be16 port, int iif) + { ++ if (ntohs(param->v4.param_hdr.length) < sizeof(struct sctp_ipv4addr_param)) ++ return false; ++ + addr->v4.sin_family = AF_INET; + addr->v4.sin_port = port; + addr->v4.sin_addr.s_addr = param->v4.addr.s_addr; + memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); ++ ++ return true; + } + + /* Initialize an address parameter from a sctp_addr and return the length +diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c +index b9d6babe2870..7411fa442821 100644 +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -2329,11 +2329,13 @@ int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk, + + /* Process the initialization parameters. */ + sctp_walk_params(param, peer_init, init_hdr.params) { +- if (!src_match && (param.p->type == SCTP_PARAM_IPV4_ADDRESS || +- param.p->type == SCTP_PARAM_IPV6_ADDRESS)) { ++ if (!src_match && ++ (param.p->type == SCTP_PARAM_IPV4_ADDRESS || ++ param.p->type == SCTP_PARAM_IPV6_ADDRESS)) { + af = sctp_get_af_specific(param_type2af(param.p->type)); +- af->from_addr_param(&addr, param.addr, +- chunk->sctp_hdr->source, 0); ++ if (!af->from_addr_param(&addr, param.addr, ++ chunk->sctp_hdr->source, 0)) ++ continue; + if (sctp_cmp_addr_exact(sctp_source(chunk), &addr)) + src_match = 1; + } +@@ -2514,7 +2516,8 @@ static int sctp_process_param(struct sctp_association *asoc, + break; + do_addr_param: + af = sctp_get_af_specific(param_type2af(param.p->type)); +- af->from_addr_param(&addr, param.addr, htons(asoc->peer.port), 0); ++ if (!af->from_addr_param(&addr, param.addr, htons(asoc->peer.port), 0)) ++ break; + scope = sctp_scope(peer_addr); + if (sctp_in_scope(net, &addr, scope)) + if (!sctp_assoc_add_peer(asoc, &addr, gfp, SCTP_UNCONFIRMED)) +@@ -2615,15 +2618,13 @@ do_addr_param: + addr_param = param.v + sizeof(struct sctp_addip_param); + + af = sctp_get_af_specific(param_type2af(addr_param->p.type)); +- if (af == NULL) ++ if (!af) + break; + +- af->from_addr_param(&addr, addr_param, +- htons(asoc->peer.port), 0); ++ if (!af->from_addr_param(&addr, addr_param, ++ htons(asoc->peer.port), 0)) ++ break; + +- /* if the address is invalid, we can't process it. +- * XXX: see spec for what to do. +- */ + if (!af->addr_valid(&addr, NULL, NULL)) + break; + +@@ -3037,7 +3038,8 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc, + if (unlikely(!af)) + return SCTP_ERROR_DNS_FAILED; + +- af->from_addr_param(&addr, addr_param, htons(asoc->peer.port), 0); ++ if (!af->from_addr_param(&addr, addr_param, htons(asoc->peer.port), 0)) ++ return SCTP_ERROR_DNS_FAILED; + + /* ADDIP 4.2.1 This parameter MUST NOT contain a broadcast + * or multicast address. +@@ -3314,7 +3316,8 @@ static void sctp_asconf_param_success(struct sctp_association *asoc, + + /* We have checked the packet before, so we do not check again. */ + af = sctp_get_af_specific(param_type2af(addr_param->p.type)); +- af->from_addr_param(&addr, addr_param, htons(bp->port), 0); ++ if (!af->from_addr_param(&addr, addr_param, htons(bp->port), 0)) ++ return; + + switch (asconf_param->param_hdr.type) { + case SCTP_PARAM_ADD_IP: +-- +2.30.2 + diff --git a/queue-5.10/selftests-clean-forgotten-resources-as-part-of-clean.patch b/queue-5.10/selftests-clean-forgotten-resources-as-part-of-clean.patch new file mode 100644 index 00000000000..77b8a370810 --- /dev/null +++ b/queue-5.10/selftests-clean-forgotten-resources-as-part-of-clean.patch @@ -0,0 +1,118 @@ +From dff9fbae38dcce2c817b9fb50873f7b448dcc30e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 15:44:09 +0300 +Subject: selftests: Clean forgotten resources as part of cleanup() + +From: Amit Cohen + +[ Upstream commit e67dfb8d15deb33c425d0b0ee22f2e5eef54c162 ] + +Several tests do not set some ports down as part of their cleanup(), +resulting in IPv6 link-local addresses and associated routes not being +deleted. + +These leaks were found using a BPF tool that monitors ASIC resources. + +Solve this by setting the ports down at the end of the tests. + +Signed-off-by: Amit Cohen +Reviewed-by: Petr Machata +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../selftests/drivers/net/mlxsw/devlink_trap_l3_drops.sh | 3 +++ + .../selftests/drivers/net/mlxsw/devlink_trap_l3_exceptions.sh | 3 +++ + tools/testing/selftests/drivers/net/mlxsw/qos_dscp_bridge.sh | 2 ++ + tools/testing/selftests/net/forwarding/pedit_dsfield.sh | 2 ++ + tools/testing/selftests/net/forwarding/pedit_l4port.sh | 2 ++ + tools/testing/selftests/net/forwarding/skbedit_priority.sh | 2 ++ + 6 files changed, 14 insertions(+) + +diff --git a/tools/testing/selftests/drivers/net/mlxsw/devlink_trap_l3_drops.sh b/tools/testing/selftests/drivers/net/mlxsw/devlink_trap_l3_drops.sh +index f5abb1ebd392..269b2680611b 100755 +--- a/tools/testing/selftests/drivers/net/mlxsw/devlink_trap_l3_drops.sh ++++ b/tools/testing/selftests/drivers/net/mlxsw/devlink_trap_l3_drops.sh +@@ -108,6 +108,9 @@ router_destroy() + __addr_add_del $rp1 del 192.0.2.2/24 2001:db8:1::2/64 + + tc qdisc del dev $rp2 clsact ++ ++ ip link set dev $rp2 down ++ ip link set dev $rp1 down + } + + setup_prepare() +diff --git a/tools/testing/selftests/drivers/net/mlxsw/devlink_trap_l3_exceptions.sh b/tools/testing/selftests/drivers/net/mlxsw/devlink_trap_l3_exceptions.sh +index 1fedfc9da434..1d157b1bd838 100755 +--- a/tools/testing/selftests/drivers/net/mlxsw/devlink_trap_l3_exceptions.sh ++++ b/tools/testing/selftests/drivers/net/mlxsw/devlink_trap_l3_exceptions.sh +@@ -111,6 +111,9 @@ router_destroy() + __addr_add_del $rp1 del 192.0.2.2/24 2001:db8:1::2/64 + + tc qdisc del dev $rp2 clsact ++ ++ ip link set dev $rp2 down ++ ip link set dev $rp1 down + } + + setup_prepare() +diff --git a/tools/testing/selftests/drivers/net/mlxsw/qos_dscp_bridge.sh b/tools/testing/selftests/drivers/net/mlxsw/qos_dscp_bridge.sh +index 5cbff8038f84..28a570006d4d 100755 +--- a/tools/testing/selftests/drivers/net/mlxsw/qos_dscp_bridge.sh ++++ b/tools/testing/selftests/drivers/net/mlxsw/qos_dscp_bridge.sh +@@ -93,7 +93,9 @@ switch_destroy() + lldptool -T -i $swp1 -V APP -d $(dscp_map 10) >/dev/null + lldpad_app_wait_del + ++ ip link set dev $swp2 down + ip link set dev $swp2 nomaster ++ ip link set dev $swp1 down + ip link set dev $swp1 nomaster + ip link del dev br1 + } +diff --git a/tools/testing/selftests/net/forwarding/pedit_dsfield.sh b/tools/testing/selftests/net/forwarding/pedit_dsfield.sh +index 55eeacf59241..64fbd211d907 100755 +--- a/tools/testing/selftests/net/forwarding/pedit_dsfield.sh ++++ b/tools/testing/selftests/net/forwarding/pedit_dsfield.sh +@@ -75,7 +75,9 @@ switch_destroy() + tc qdisc del dev $swp2 clsact + tc qdisc del dev $swp1 clsact + ++ ip link set dev $swp2 down + ip link set dev $swp2 nomaster ++ ip link set dev $swp1 down + ip link set dev $swp1 nomaster + ip link del dev br1 + } +diff --git a/tools/testing/selftests/net/forwarding/pedit_l4port.sh b/tools/testing/selftests/net/forwarding/pedit_l4port.sh +index 5f20d289ee43..10e594c55117 100755 +--- a/tools/testing/selftests/net/forwarding/pedit_l4port.sh ++++ b/tools/testing/selftests/net/forwarding/pedit_l4port.sh +@@ -71,7 +71,9 @@ switch_destroy() + tc qdisc del dev $swp2 clsact + tc qdisc del dev $swp1 clsact + ++ ip link set dev $swp2 down + ip link set dev $swp2 nomaster ++ ip link set dev $swp1 down + ip link set dev $swp1 nomaster + ip link del dev br1 + } +diff --git a/tools/testing/selftests/net/forwarding/skbedit_priority.sh b/tools/testing/selftests/net/forwarding/skbedit_priority.sh +index e3bd8a6bb8b4..bde11dc27873 100755 +--- a/tools/testing/selftests/net/forwarding/skbedit_priority.sh ++++ b/tools/testing/selftests/net/forwarding/skbedit_priority.sh +@@ -72,7 +72,9 @@ switch_destroy() + tc qdisc del dev $swp2 clsact + tc qdisc del dev $swp1 clsact + ++ ip link set dev $swp2 down + ip link set dev $swp2 nomaster ++ ip link set dev $swp1 down + ip link set dev $swp1 nomaster + ip link del dev br1 + } +-- +2.30.2 + diff --git a/queue-5.10/selinux-use-__gfp_nowarn-with-gfp_nowait-in-the-avc.patch b/queue-5.10/selinux-use-__gfp_nowarn-with-gfp_nowait-in-the-avc.patch new file mode 100644 index 00000000000..b0cede6e8ac --- /dev/null +++ b/queue-5.10/selinux-use-__gfp_nowarn-with-gfp_nowait-in-the-avc.patch @@ -0,0 +1,132 @@ +From 7d47011b9417a65ef6e517923035f41b255a3716 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 09:37:17 -0700 +Subject: selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC + +From: Minchan Kim + +[ Upstream commit 648f2c6100cfa18e7dfe43bc0b9c3b73560d623c ] + +In the field, we have seen lots of allocation failure from the call +path below. + +06-03 13:29:12.999 1010315 31557 31557 W Binder : 31542_2: page allocation failure: order:0, mode:0x800(GFP_NOWAIT), nodemask=(null),cpuset=background,mems_allowed=0 +... +... +06-03 13:29:12.999 1010315 31557 31557 W Call trace: +06-03 13:29:12.999 1010315 31557 31557 W : dump_backtrace.cfi_jt+0x0/0x8 +06-03 13:29:12.999 1010315 31557 31557 W : dump_stack+0xc8/0x14c +06-03 13:29:12.999 1010315 31557 31557 W : warn_alloc+0x158/0x1c8 +06-03 13:29:12.999 1010315 31557 31557 W : __alloc_pages_slowpath+0x9d8/0xb80 +06-03 13:29:12.999 1010315 31557 31557 W : __alloc_pages_nodemask+0x1c4/0x430 +06-03 13:29:12.999 1010315 31557 31557 W : allocate_slab+0xb4/0x390 +06-03 13:29:12.999 1010315 31557 31557 W : ___slab_alloc+0x12c/0x3a4 +06-03 13:29:12.999 1010315 31557 31557 W : kmem_cache_alloc+0x358/0x5e4 +06-03 13:29:12.999 1010315 31557 31557 W : avc_alloc_node+0x30/0x184 +06-03 13:29:12.999 1010315 31557 31557 W : avc_update_node+0x54/0x4f0 +06-03 13:29:12.999 1010315 31557 31557 W : avc_has_extended_perms+0x1a4/0x460 +06-03 13:29:12.999 1010315 31557 31557 W : selinux_file_ioctl+0x320/0x3d0 +06-03 13:29:12.999 1010315 31557 31557 W : __arm64_sys_ioctl+0xec/0x1fc +06-03 13:29:12.999 1010315 31557 31557 W : el0_svc_common+0xc0/0x24c +06-03 13:29:12.999 1010315 31557 31557 W : el0_svc+0x28/0x88 +06-03 13:29:12.999 1010315 31557 31557 W : el0_sync_handler+0x8c/0xf0 +06-03 13:29:12.999 1010315 31557 31557 W : el0_sync+0x1a4/0x1c0 +.. +.. +06-03 13:29:12.999 1010315 31557 31557 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) +06-03 13:29:12.999 1010315 31557 31557 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 +06-03 13:29:12.999 1010315 31557 31557 W node 0 : slabs: 57, objs: 2907, free: 0 +06-03 13:29:12.999 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) +06-03 13:29:12.999 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 +06-03 13:29:12.999 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0 +06-03 13:29:12.999 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) +06-03 13:29:12.999 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 +06-03 13:29:12.999 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0 +06-03 13:29:12.999 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) +06-03 13:29:12.999 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 +06-03 13:29:12.999 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0 +06-03 13:29:13.000 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) +06-03 13:29:13.000 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 +06-03 13:29:13.000 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0 +06-03 13:29:13.000 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) +06-03 13:29:13.000 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 +06-03 13:29:13.000 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0 +06-03 13:29:13.000 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) +06-03 13:29:13.000 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 +06-03 13:29:13.000 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0 +06-03 13:29:13.000 10230 30892 30892 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) +06-03 13:29:13.000 10230 30892 30892 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 +06-03 13:29:13.000 10230 30892 30892 W node 0 : slabs: 57, objs: 2907, free: 0 +06-03 13:29:13.000 10230 30892 30892 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO) +06-03 13:29:13.000 10230 30892 30892 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0 + +Based on [1], selinux is tolerate for failure of memory allocation. +Then, use __GFP_NOWARN together. + +[1] 476accbe2f6e ("selinux: use GFP_NOWAIT in the AVC kmem_caches") + +Signed-off-by: Minchan Kim +[PM: subj fix, line wraps, normalized commit refs] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/selinux/avc.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/security/selinux/avc.c b/security/selinux/avc.c +index 3c05827608b6..884a014ce2b8 100644 +--- a/security/selinux/avc.c ++++ b/security/selinux/avc.c +@@ -297,26 +297,27 @@ static struct avc_xperms_decision_node + struct avc_xperms_decision_node *xpd_node; + struct extended_perms_decision *xpd; + +- xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep, GFP_NOWAIT); ++ xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep, ++ GFP_NOWAIT | __GFP_NOWARN); + if (!xpd_node) + return NULL; + + xpd = &xpd_node->xpd; + if (which & XPERMS_ALLOWED) { + xpd->allowed = kmem_cache_zalloc(avc_xperms_data_cachep, +- GFP_NOWAIT); ++ GFP_NOWAIT | __GFP_NOWARN); + if (!xpd->allowed) + goto error; + } + if (which & XPERMS_AUDITALLOW) { + xpd->auditallow = kmem_cache_zalloc(avc_xperms_data_cachep, +- GFP_NOWAIT); ++ GFP_NOWAIT | __GFP_NOWARN); + if (!xpd->auditallow) + goto error; + } + if (which & XPERMS_DONTAUDIT) { + xpd->dontaudit = kmem_cache_zalloc(avc_xperms_data_cachep, +- GFP_NOWAIT); ++ GFP_NOWAIT | __GFP_NOWARN); + if (!xpd->dontaudit) + goto error; + } +@@ -344,7 +345,7 @@ static struct avc_xperms_node *avc_xperms_alloc(void) + { + struct avc_xperms_node *xp_node; + +- xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT); ++ xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT | __GFP_NOWARN); + if (!xp_node) + return xp_node; + INIT_LIST_HEAD(&xp_node->xpd_head); +@@ -500,7 +501,7 @@ static struct avc_node *avc_alloc_node(struct selinux_avc *avc) + { + struct avc_node *node; + +- node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT); ++ node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT | __GFP_NOWARN); + if (!node) + goto out; + +-- +2.30.2 + diff --git a/queue-5.10/series b/queue-5.10/series new file mode 100644 index 00000000000..82b5013ce2b --- /dev/null +++ b/queue-5.10/series @@ -0,0 +1,132 @@ +drm-mxsfb-don-t-select-drm_kms_fb_helper.patch +drm-zte-don-t-select-drm_kms_fb_helper.patch +drm-ast-fixed-cve-for-dp501.patch +drm-amd-display-fix-hdcp-reset-sequence-on-reinitial.patch +drm-amd-amdgpu-sriov-disable-all-ip-hw-status-by-def.patch +drm-vc4-fix-argument-ordering-in-vc4_crtc_get_margin.patch +drm-bridge-nwl-dsi-force-a-full-modeset-when-crtc_st.patch +net-pch_gbe-use-proper-accessors-to-be-data-in-pch_p.patch +drm-amd-display-fix-use_max_lb-flag-for-420-pixel-fo.patch +clk-renesas-rcar-usb2-clock-sel-fix-error-handling-i.patch +hugetlb-clear-huge-pte-during-flush-function-on-mips.patch +atm-iphase-fix-possible-use-after-free-in-ia_module_.patch +misdn-fix-possible-use-after-free-in-hfc_cleanup.patch +atm-nicstar-fix-possible-use-after-free-in-nicstar_c.patch +net-treat-__napi_schedule_irqoff-as-__napi_schedule-.patch +drm-mediatek-fix-pm-reference-leak-in-mtk_crtc_ddp_h.patch +net-mdio-ipq8064-add-regmap-config-to-disable-regcac.patch +drm-bridge-lt9611-add-missing-module_device_table.patch +reiserfs-add-check-for-invalid-1st-journal-block.patch +drm-virtio-fix-double-free-on-probe-failure.patch +net-mdio-provide-shim-implementation-of-devm_of_mdio.patch +net-sched-cls_api-increase-max_reclassify_loop.patch +pinctrl-equilibrium-add-missing-module_device_table.patch +drm-scheduler-fix-hang-when-sched_entity-released.patch +drm-sched-avoid-data-corruptions.patch +udf-fix-null-pointer-dereference-in-udf_symlink-func.patch +drm-vc4-fix-clock-source-for-vec-pixelvalve-on-bcm27.patch +drm-vc4-hdmi-fix-pm-reference-leak-in-vc4_hdmi_encod.patch +e100-handle-eeprom-as-little-endian.patch +igb-handle-vlan-types-with-checker-enabled.patch +igb-fix-assignment-on-big-endian-machines.patch +drm-bridge-cdns-fix-pm-reference-leak-in-cdns_dsi_tr.patch +clk-renesas-r8a77995-add-za2-clock.patch +net-mlx5e-ipsec-rep_tc-fix-rep_tc_update_skb-drops-i.patch +net-mlx5-fix-lag-port-remapping-logic.patch +drm-rockchip-add-missing-registers-for-rk3188.patch +drm-rockchip-add-missing-registers-for-rk3066.patch +net-stmmac-the-xpcs-obscures-a-potential-phy-not-fou.patch +rdma-rtrs-change-max_sess_queue_depth.patch +clk-tegra-fix-refcounting-of-gate-clocks.patch +clk-tegra-ensure-that-pllu-configuration-is-applied-.patch +drm-bridge-cdns-mhdp8546-fix-pm-reference-leak-in.patch +virtio-net-add-validation-for-used-length.patch +ipv6-use-prandom_u32-for-id-generation.patch +mips-cpu-probe-fix-fpu-detection-on-ingenic-jz4760-b.patch +mips-ingenic-select-cpu_supports_cpufreq-mips_extern.patch +drm-amd-display-avoid-hdcp-over-read-and-corruption.patch +drm-amdgpu-remove-unsafe-optimization-to-drop-preamb.patch +net-tcp-better-handling-of-reordering-then-loss-case.patch +rdma-cxgb4-fix-missing-error-code-in-create_qp.patch +dm-space-maps-don-t-reset-space-map-allocation-curso.patch +dm-writecache-don-t-split-bios-when-overwriting-cont.patch +dm-fix-dm_accept_partial_bio-relative-to-zone-manage.patch +net-bridge-mrp-update-ring-transitions.patch +pinctrl-mcp23s08-fix-race-condition-in-irq-handler.patch +ice-set-the-value-of-global-config-lock-timeout-long.patch +ice-fix-clang-warning-regarding-deadcode.deadstores.patch +virtio_net-remove-bug-to-avoid-machine-dead.patch +net-mscc-ocelot-check-return-value-after-calling-pla.patch +net-bcmgenet-check-return-value-after-calling-platfo.patch +net-mvpp2-check-return-value-after-calling-platform_.patch +net-micrel-check-return-value-after-calling-platform.patch +net-moxa-use-devm_platform_get_and_ioremap_resource.patch +drm-amd-display-fix-dcn-3.01-dscclk-validation.patch +drm-amd-display-update-scaling-settings-on-modeset.patch +drm-amd-display-release-mst-resources-on-switch-from.patch +drm-amd-display-set-dispclk_max_errdet_cycles-to-7.patch +drm-amd-display-fix-off-by-one-error-in-dml.patch +net-phy-realtek-add-delay-to-fix-rxc-generation-issu.patch +selftests-clean-forgotten-resources-as-part-of-clean.patch +net-sgi-ioc3-eth-check-return-value-after-calling-pl.patch +drm-amdkfd-use-allowed-domain-for-vmbo-validation.patch +fjes-check-return-value-after-calling-platform_get_r.patch +selinux-use-__gfp_nowarn-with-gfp_nowait-in-the-avc.patch +r8169-avoid-link-up-interrupt-issue-on-rtl8106e-if-u.patch +drm-amd-display-verify-gamma-degamma-lut-sizes-in-am.patch +xfrm-fix-error-reporting-in-xfrm_state_construct.patch +dm-writecache-commit-just-one-block-not-a-full-page.patch +wlcore-wl12xx-fix-wl12xx-get_mac-error-if-device-is-.patch +wl1251-fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch +cw1200-add-missing-module_device_table.patch +drm-amdkfd-fix-circular-locking-on-get_wave_state.patch +drm-amdkfd-fix-circular-lock-in-nocpsch-path.patch +bpf-fix-up-register-based-shifts-in-interpreter-to-s.patch +ice-fix-incorrect-payload-indicator-on-ptype.patch +ice-mark-ptype-2-as-reserved.patch +mt76-mt7615-fix-fixed-rate-tx-status-reporting.patch +net-fix-mistake-path-for-netdev_features_strings.patch +net-ipa-add-missing-of_node_put-in-ipa_firmware_load.patch +net-sched-fix-error-return-code-in-tcf_del_walker.patch +io_uring-fix-false-warn_once.patch +drm-amdgpu-fix-bad-address-translation-for-sienna_ci.patch +drm-amdkfd-walk-through-list-with-dqm-lock-hold.patch +mt76-mt7915-fix-ieee80211_he_phy_cap7_max_nc-for-sta.patch +rtl8xxxu-fix-device-info-for-rtl8192eu-devices.patch +mips-add-pmd-table-accounting-into-mips-pmd_alloc_on.patch +net-fec-add-ndo_select_queue-to-fix-tx-bandwidth-flu.patch +atm-nicstar-use-dma_free_coherent-instead-of-kfree.patch +atm-nicstar-register-the-interrupt-handler-in-the-ri.patch +vsock-notify-server-to-shutdown-when-client-has-pend.patch +rdma-rxe-don-t-overwrite-errno-from-ib_umem_get.patch +iwlwifi-mvm-don-t-change-band-on-bound-phy-contexts.patch +iwlwifi-mvm-fix-error-print-when-session-protection-.patch +iwlwifi-pcie-free-iml-dma-memory-allocation.patch +iwlwifi-pcie-fix-context-info-freeing.patch +sfc-avoid-double-pci_remove-of-vfs.patch +sfc-error-code-if-sriov-cannot-be-disabled.patch +wireless-wext-spy-fix-out-of-bounds-warning.patch +cfg80211-fix-default-he-tx-bitrate-mask-in-2g-band.patch +mac80211-consider-per-cpu-statistics-if-present.patch +mac80211_hwsim-add-concurrent-channels-scanning-supp.patch +ib-isert-align-target-max-i-o-size-to-initiator-size.patch +media-bpf-do-not-copy-more-entries-than-user-space-r.patch +net-ip-avoid-oom-kills-with-large-udp-sends-over-loo.patch +rdma-cma-fix-rdma_resolve_route-memory-leak.patch +bluetooth-btusb-fixed-too-many-in-token-issue-for-me.patch +bluetooth-fix-the-hci-to-mgmt-status-conversion-tabl.patch +bluetooth-fix-alt-settings-for-incoming-sco-with-tra.patch +bluetooth-shutdown-controller-after-workqueues-are-f.patch +bluetooth-btusb-add-a-new-qca_rome-device-0cf3-e500.patch +bluetooth-l2cap-fix-invalid-access-if-ecred-reconfig.patch +bluetooth-l2cap-fix-invalid-access-on-ecred-connecti.patch +bluetooth-btusb-add-support-usb-alt-3-for-wbs.patch +bluetooth-mgmt-fix-the-command-returns-garbage-param.patch +bluetooth-btusb-fix-bt-fiwmare-downloading-failure-i.patch +sched-fair-ensure-_sum-and-_avg-values-stay-consiste.patch +bpf-fix-false-positive-kmemleak-report-in-bpf_ringbu.patch +flow_offload-action-should-not-be-null-when-it-is-re.patch +sctp-validate-from_addr_param-return.patch +sctp-add-size-validation-when-walking-chunks.patch +mips-loongsoon64-reserve-memory-below-starting-pfn-t.patch +mips-set-mips32r5-for-virt-extensions.patch diff --git a/queue-5.10/sfc-avoid-double-pci_remove-of-vfs.patch b/queue-5.10/sfc-avoid-double-pci_remove-of-vfs.patch new file mode 100644 index 00000000000..76af7d6d909 --- /dev/null +++ b/queue-5.10/sfc-avoid-double-pci_remove-of-vfs.patch @@ -0,0 +1,97 @@ +From 4b87a7f05440b45e982c0f23191ad0dbf4d7ef5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 17:32:35 +0200 +Subject: sfc: avoid double pci_remove of VFs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Íñigo Huguet + +[ Upstream commit 45423cff1db66cf0993e8a9bd0ac93e740149e49 ] + +If pci_remove was called for a PF with VFs, the removal of the VFs was +called twice from efx_ef10_sriov_fini: one directly with pci_driver->remove +and another implicit by calling pci_disable_sriov, which also perform +the VFs remove. This was leading to crashing the kernel on the second +attempt. + +Given that pci_disable_sriov already calls to pci remove function, get +rid of the direct call to pci_driver->remove from the driver. + +2 different ways to trigger the bug: +- Create one or more VFs, then attach the PF to a virtual machine (at + least with qemu/KVM) +- Create one or more VFs, then remove the PF with: + echo 1 > /sys/bus/pci/devices/PF_PCI_ID/remove + +Removing sfc module does not trigger the error, at least for me, because +it removes the VF first, and then the PF. + +Example of a log with the error: + list_del corruption, ffff967fd20a8ad0->next is LIST_POISON1 (dead000000000100) + ------------[ cut here ]------------ + kernel BUG at lib/list_debug.c:47! + [...trimmed...] + RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x4c + [...trimmed...] + Call Trace: + efx_dissociate+0x1f/0x140 [sfc] + efx_pci_remove+0x27/0x150 [sfc] + pci_device_remove+0x3b/0xc0 + device_release_driver_internal+0x103/0x1f0 + pci_stop_bus_device+0x69/0x90 + pci_stop_and_remove_bus_device+0xe/0x20 + pci_iov_remove_virtfn+0xba/0x120 + sriov_disable+0x2f/0xe0 + efx_ef10_pci_sriov_disable+0x52/0x80 [sfc] + ? pcie_aer_is_native+0x12/0x40 + efx_ef10_sriov_fini+0x72/0x110 [sfc] + efx_pci_remove+0x62/0x150 [sfc] + pci_device_remove+0x3b/0xc0 + device_release_driver_internal+0x103/0x1f0 + unbind_store+0xf6/0x130 + kernfs_fop_write+0x116/0x190 + vfs_write+0xa5/0x1a0 + ksys_write+0x4f/0xb0 + do_syscall_64+0x5b/0x1a0 + entry_SYSCALL_64_after_hwframe+0x65/0xca + +Signed-off-by: Íñigo Huguet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/ef10_sriov.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/sfc/ef10_sriov.c b/drivers/net/ethernet/sfc/ef10_sriov.c +index 21fa6c0e8873..a5d28b0f75ba 100644 +--- a/drivers/net/ethernet/sfc/ef10_sriov.c ++++ b/drivers/net/ethernet/sfc/ef10_sriov.c +@@ -439,7 +439,6 @@ int efx_ef10_sriov_init(struct efx_nic *efx) + void efx_ef10_sriov_fini(struct efx_nic *efx) + { + struct efx_ef10_nic_data *nic_data = efx->nic_data; +- unsigned int i; + int rc; + + if (!nic_data->vf) { +@@ -449,14 +448,7 @@ void efx_ef10_sriov_fini(struct efx_nic *efx) + return; + } + +- /* Remove any VFs in the host */ +- for (i = 0; i < efx->vf_count; ++i) { +- struct efx_nic *vf_efx = nic_data->vf[i].efx; +- +- if (vf_efx) +- vf_efx->pci_dev->driver->remove(vf_efx->pci_dev); +- } +- ++ /* Disable SRIOV and remove any VFs in the host */ + rc = efx_ef10_pci_sriov_disable(efx, true); + if (rc) + netif_dbg(efx, drv, efx->net_dev, +-- +2.30.2 + diff --git a/queue-5.10/sfc-error-code-if-sriov-cannot-be-disabled.patch b/queue-5.10/sfc-error-code-if-sriov-cannot-be-disabled.patch new file mode 100644 index 00000000000..882f1073d75 --- /dev/null +++ b/queue-5.10/sfc-error-code-if-sriov-cannot-be-disabled.patch @@ -0,0 +1,74 @@ +From 97cae4175448c3de08276737249bdb000eb923dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 17:32:36 +0200 +Subject: sfc: error code if SRIOV cannot be disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Íñigo Huguet + +[ Upstream commit 1ebe4feb8b442884f5a28d2437040096723dd1ea ] + +If SRIOV cannot be disabled during device removal or module unloading, +return error code so it can be logged properly in the calling function. + +Note that this can only happen if any VF is currently attached to a +guest using Xen, but not with vfio/KVM. Despite that in that case the +VFs won't work properly with PF removed and/or the module unloaded, I +have let it as is because I don't know what side effects may have +changing it, and also it seems to be the same that other drivers are +doing in this situation. + +In the case of being called during SRIOV reconfiguration, the behavior +hasn't changed because the function is called with force=false. + +Signed-off-by: Íñigo Huguet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/ef10_sriov.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/sfc/ef10_sriov.c b/drivers/net/ethernet/sfc/ef10_sriov.c +index a5d28b0f75ba..84041cd587d7 100644 +--- a/drivers/net/ethernet/sfc/ef10_sriov.c ++++ b/drivers/net/ethernet/sfc/ef10_sriov.c +@@ -402,12 +402,17 @@ fail1: + return rc; + } + ++/* Disable SRIOV and remove VFs ++ * If some VFs are attached to a guest (using Xen, only) nothing is ++ * done if force=false, and vports are freed if force=true (for the non ++ * attachedc ones, only) but SRIOV is not disabled and VFs are not ++ * removed in either case. ++ */ + static int efx_ef10_pci_sriov_disable(struct efx_nic *efx, bool force) + { + struct pci_dev *dev = efx->pci_dev; +- unsigned int vfs_assigned = 0; +- +- vfs_assigned = pci_vfs_assigned(dev); ++ unsigned int vfs_assigned = pci_vfs_assigned(dev); ++ int rc = 0; + + if (vfs_assigned && !force) { + netif_info(efx, drv, efx->net_dev, "VFs are assigned to guests; " +@@ -417,10 +422,12 @@ static int efx_ef10_pci_sriov_disable(struct efx_nic *efx, bool force) + + if (!vfs_assigned) + pci_disable_sriov(dev); ++ else ++ rc = -EBUSY; + + efx_ef10_sriov_free_vf_vswitching(efx); + efx->vf_count = 0; +- return 0; ++ return rc; + } + + int efx_ef10_sriov_configure(struct efx_nic *efx, int num_vfs) +-- +2.30.2 + diff --git a/queue-5.10/udf-fix-null-pointer-dereference-in-udf_symlink-func.patch b/queue-5.10/udf-fix-null-pointer-dereference-in-udf_symlink-func.patch new file mode 100644 index 00000000000..6613cc9f8dd --- /dev/null +++ b/queue-5.10/udf-fix-null-pointer-dereference-in-udf_symlink-func.patch @@ -0,0 +1,43 @@ +From 360bb1f3aab7eed4968054767cece5d1611ef145 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 May 2021 12:34:57 +0200 +Subject: udf: Fix NULL pointer dereference in udf_symlink function + +From: Arturo Giusti + +[ Upstream commit fa236c2b2d4436d9f19ee4e5d5924e90ffd7bb43 ] + +In function udf_symlink, epos.bh is assigned with the value returned +by udf_tgetblk. The function udf_tgetblk is defined in udf/misc.c +and returns the value of sb_getblk function that could be NULL. +Then, epos.bh is used without any check, causing a possible +NULL pointer dereference when sb_getblk fails. + +This fix adds a check to validate the value of epos.bh. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=213083 +Signed-off-by: Arturo Giusti +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/namei.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/udf/namei.c b/fs/udf/namei.c +index e169d8fe35b5..f4a72ff8cf95 100644 +--- a/fs/udf/namei.c ++++ b/fs/udf/namei.c +@@ -932,6 +932,10 @@ static int udf_symlink(struct inode *dir, struct dentry *dentry, + iinfo->i_location.partitionReferenceNum, + 0); + epos.bh = udf_tgetblk(sb, block); ++ if (unlikely(!epos.bh)) { ++ err = -ENOMEM; ++ goto out_no_entry; ++ } + lock_buffer(epos.bh); + memset(epos.bh->b_data, 0x00, bsize); + set_buffer_uptodate(epos.bh); +-- +2.30.2 + diff --git a/queue-5.10/virtio-net-add-validation-for-used-length.patch b/queue-5.10/virtio-net-add-validation-for-used-length.patch new file mode 100644 index 00000000000..6ef5689ad8a --- /dev/null +++ b/queue-5.10/virtio-net-add-validation-for-used-length.patch @@ -0,0 +1,77 @@ +From 5e3f5f30e88b0280da477075d12dfdb9289556df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 May 2021 21:58:52 +0800 +Subject: virtio-net: Add validation for used length + +From: Xie Yongji + +[ Upstream commit ad993a95c508417acdeb15244109e009e50d8758 ] + +This adds validation for used length (might come +from an untrusted device) to avoid data corruption +or loss. + +Signed-off-by: Xie Yongji +Acked-by: Jason Wang +Link: https://lore.kernel.org/r/20210531135852.113-1-xieyongji@bytedance.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 286f836a53bf..e2c6c5675ec6 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -660,6 +660,12 @@ static struct sk_buff *receive_small(struct net_device *dev, + len -= vi->hdr_len; + stats->bytes += len; + ++ if (unlikely(len > GOOD_PACKET_LEN)) { ++ pr_debug("%s: rx error: len %u exceeds max size %d\n", ++ dev->name, len, GOOD_PACKET_LEN); ++ dev->stats.rx_length_errors++; ++ goto err_len; ++ } + rcu_read_lock(); + xdp_prog = rcu_dereference(rq->xdp_prog); + if (xdp_prog) { +@@ -763,6 +769,7 @@ err: + err_xdp: + rcu_read_unlock(); + stats->xdp_drops++; ++err_len: + stats->drops++; + put_page(page); + xdp_xmit: +@@ -816,6 +823,12 @@ static struct sk_buff *receive_mergeable(struct net_device *dev, + head_skb = NULL; + stats->bytes += len - vi->hdr_len; + ++ if (unlikely(len > truesize)) { ++ pr_debug("%s: rx error: len %u exceeds truesize %lu\n", ++ dev->name, len, (unsigned long)ctx); ++ dev->stats.rx_length_errors++; ++ goto err_skb; ++ } + rcu_read_lock(); + xdp_prog = rcu_dereference(rq->xdp_prog); + if (xdp_prog) { +@@ -943,13 +956,6 @@ static struct sk_buff *receive_mergeable(struct net_device *dev, + } + rcu_read_unlock(); + +- if (unlikely(len > truesize)) { +- pr_debug("%s: rx error: len %u exceeds truesize %lu\n", +- dev->name, len, (unsigned long)ctx); +- dev->stats.rx_length_errors++; +- goto err_skb; +- } +- + head_skb = page_to_skb(vi, rq, page, offset, len, truesize, !xdp_prog, + metasize); + curr_skb = head_skb; +-- +2.30.2 + diff --git a/queue-5.10/virtio_net-remove-bug-to-avoid-machine-dead.patch b/queue-5.10/virtio_net-remove-bug-to-avoid-machine-dead.patch new file mode 100644 index 00000000000..0c0c9e87d84 --- /dev/null +++ b/queue-5.10/virtio_net-remove-bug-to-avoid-machine-dead.patch @@ -0,0 +1,37 @@ +From a65f3c2ef35a952b23d667254472c01ca05cf87a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Jun 2021 11:31:00 -0400 +Subject: virtio_net: Remove BUG() to avoid machine dead + +From: Xianting Tian + +[ Upstream commit 85eb1389458d134bdb75dad502cc026c3753a619 ] + +We should not directly BUG() when there is hdr error, it is +better to output a print when such error happens. Currently, +the caller of xmit_skb() already did it. + +Signed-off-by: Xianting Tian +Reviewed-by: Leon Romanovsky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index e2c6c5675ec6..91e0e6254a01 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1563,7 +1563,7 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb) + if (virtio_net_hdr_from_skb(skb, &hdr->hdr, + virtio_is_little_endian(vi->vdev), false, + 0)) +- BUG(); ++ return -EPROTO; + + if (vi->mergeable_rx_bufs) + hdr->num_buffers = 0; +-- +2.30.2 + diff --git a/queue-5.10/vsock-notify-server-to-shutdown-when-client-has-pend.patch b/queue-5.10/vsock-notify-server-to-shutdown-when-client-has-pend.patch new file mode 100644 index 00000000000..e1038864ab0 --- /dev/null +++ b/queue-5.10/vsock-notify-server-to-shutdown-when-client-has-pend.patch @@ -0,0 +1,72 @@ +From 544451c5a7c72cddbf71bd039f356db37fd1f501 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 14:26:01 +0800 +Subject: vsock: notify server to shutdown when client has pending signal + +From: Longpeng(Mike) + +[ Upstream commit c7ff9cff70601ea19245d997bb977344663434c7 ] + +The client's sk_state will be set to TCP_ESTABLISHED if the server +replay the client's connect request. + +However, if the client has pending signal, its sk_state will be set +to TCP_CLOSE without notify the server, so the server will hold the +corrupt connection. + + client server + +1. sk_state=TCP_SYN_SENT | +2. call ->connect() | +3. wait reply | + | 4. sk_state=TCP_ESTABLISHED + | 5. insert to connected list + | 6. reply to the client +7. sk_state=TCP_ESTABLISHED | +8. insert to connected list | +9. *signal pending* <--------------------- the user kill client +10. sk_state=TCP_CLOSE | +client is exiting... | +11. call ->release() | + virtio_transport_close + if (!(sk->sk_state == TCP_ESTABLISHED || + sk->sk_state == TCP_CLOSING)) + return true; *return at here, the server cannot notice the connection is corrupt* + +So the client should notify the peer in this case. + +Cc: David S. Miller +Cc: Jakub Kicinski +Cc: Jorgen Hansen +Cc: Norbert Slusarek +Cc: Andra Paraschiv +Cc: Colin Ian King +Cc: David Brazdil +Cc: Alexander Popov +Suggested-by: Stefano Garzarella +Link: https://lkml.org/lkml/2021/5/17/418 +Signed-off-by: lixianming +Signed-off-by: Longpeng(Mike) +Reviewed-by: Stefano Garzarella +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index cf86c1376b1a..326250513570 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1352,7 +1352,7 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr, + + if (signal_pending(current)) { + err = sock_intr_errno(timeout); +- sk->sk_state = TCP_CLOSE; ++ sk->sk_state = sk->sk_state == TCP_ESTABLISHED ? TCP_CLOSING : TCP_CLOSE; + sock->state = SS_UNCONNECTED; + vsock_transport_cancel_pkt(vsk); + goto out_wait; +-- +2.30.2 + diff --git a/queue-5.10/wireless-wext-spy-fix-out-of-bounds-warning.patch b/queue-5.10/wireless-wext-spy-fix-out-of-bounds-warning.patch new file mode 100644 index 00000000000..d961bd8655e --- /dev/null +++ b/queue-5.10/wireless-wext-spy-fix-out-of-bounds-warning.patch @@ -0,0 +1,78 @@ +From 1cc5e7121147f48a1c2d081d801d00012a240da3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Apr 2021 15:00:32 -0500 +Subject: wireless: wext-spy: Fix out-of-bounds warning + +From: Gustavo A. R. Silva + +[ Upstream commit e93bdd78406da9ed01554c51e38b2a02c8ef8025 ] + +Fix the following out-of-bounds warning: + +net/wireless/wext-spy.c:178:2: warning: 'memcpy' offset [25, 28] from the object at 'threshold' is out of the bounds of referenced subobject 'low' with type 'struct iw_quality' at offset 20 [-Warray-bounds] + +The problem is that the original code is trying to copy data into a +couple of struct members adjacent to each other in a single call to +memcpy(). This causes a legitimate compiler warning because memcpy() +overruns the length of &threshold.low and &spydata->spy_thr_low. As +these are just a couple of struct members, fix this by using direct +assignments, instead of memcpy(). + +This helps with the ongoing efforts to globally enable -Warray-bounds +and get us closer to being able to tighten the FORTIFY_SOURCE routines +on memcpy(). + +Link: https://github.com/KSPP/linux/issues/109 +Reported-by: kernel test robot +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Kees Cook +Link: https://lore.kernel.org/r/20210422200032.GA168995@embeddedor +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/wext-spy.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/net/wireless/wext-spy.c b/net/wireless/wext-spy.c +index 33bef22e44e9..b379a0371653 100644 +--- a/net/wireless/wext-spy.c ++++ b/net/wireless/wext-spy.c +@@ -120,8 +120,8 @@ int iw_handler_set_thrspy(struct net_device * dev, + return -EOPNOTSUPP; + + /* Just do it */ +- memcpy(&(spydata->spy_thr_low), &(threshold->low), +- 2 * sizeof(struct iw_quality)); ++ spydata->spy_thr_low = threshold->low; ++ spydata->spy_thr_high = threshold->high; + + /* Clear flag */ + memset(spydata->spy_thr_under, '\0', sizeof(spydata->spy_thr_under)); +@@ -147,8 +147,8 @@ int iw_handler_get_thrspy(struct net_device * dev, + return -EOPNOTSUPP; + + /* Just do it */ +- memcpy(&(threshold->low), &(spydata->spy_thr_low), +- 2 * sizeof(struct iw_quality)); ++ threshold->low = spydata->spy_thr_low; ++ threshold->high = spydata->spy_thr_high; + + return 0; + } +@@ -173,10 +173,10 @@ static void iw_send_thrspy_event(struct net_device * dev, + memcpy(threshold.addr.sa_data, address, ETH_ALEN); + threshold.addr.sa_family = ARPHRD_ETHER; + /* Copy stats */ +- memcpy(&(threshold.qual), wstats, sizeof(struct iw_quality)); ++ threshold.qual = *wstats; + /* Copy also thresholds */ +- memcpy(&(threshold.low), &(spydata->spy_thr_low), +- 2 * sizeof(struct iw_quality)); ++ threshold.low = spydata->spy_thr_low; ++ threshold.high = spydata->spy_thr_high; + + /* Send event to user space */ + wireless_send_event(dev, SIOCGIWTHRSPY, &wrqu, (char *) &threshold); +-- +2.30.2 + diff --git a/queue-5.10/wl1251-fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch b/queue-5.10/wl1251-fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch new file mode 100644 index 00000000000..6bca01c8353 --- /dev/null +++ b/queue-5.10/wl1251-fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch @@ -0,0 +1,43 @@ +From 4185e7b8fedf54462fef69c9695927228feea50a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Apr 2021 12:55:08 +0100 +Subject: wl1251: Fix possible buffer overflow in wl1251_cmd_scan + +From: Lee Gibson + +[ Upstream commit d10a87a3535cce2b890897914f5d0d83df669c63 ] + +Function wl1251_cmd_scan calls memcpy without checking the length. +Harden by checking the length is within the maximum allowed size. + +Signed-off-by: Lee Gibson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210428115508.25624-1-leegib@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wl1251/cmd.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ti/wl1251/cmd.c b/drivers/net/wireless/ti/wl1251/cmd.c +index 9547aea01b0f..ea0215246c5c 100644 +--- a/drivers/net/wireless/ti/wl1251/cmd.c ++++ b/drivers/net/wireless/ti/wl1251/cmd.c +@@ -466,9 +466,12 @@ int wl1251_cmd_scan(struct wl1251 *wl, u8 *ssid, size_t ssid_len, + cmd->channels[i].channel = channels[i]->hw_value; + } + +- cmd->params.ssid_len = ssid_len; +- if (ssid) +- memcpy(cmd->params.ssid, ssid, ssid_len); ++ if (ssid) { ++ int len = clamp_val(ssid_len, 0, IEEE80211_MAX_SSID_LEN); ++ ++ cmd->params.ssid_len = len; ++ memcpy(cmd->params.ssid, ssid, len); ++ } + + ret = wl1251_cmd_send(wl, CMD_SCAN, cmd, sizeof(*cmd)); + if (ret < 0) { +-- +2.30.2 + diff --git a/queue-5.10/wlcore-wl12xx-fix-wl12xx-get_mac-error-if-device-is-.patch b/queue-5.10/wlcore-wl12xx-fix-wl12xx-get_mac-error-if-device-is-.patch new file mode 100644 index 00000000000..4a611f0de2f --- /dev/null +++ b/queue-5.10/wlcore-wl12xx-fix-wl12xx-get_mac-error-if-device-is-.patch @@ -0,0 +1,57 @@ +From b262c4d652ca3803ad36aaa6921ed48e2e8ba4b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jun 2021 09:28:14 +0300 +Subject: wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP + +From: Tony Lindgren + +[ Upstream commit 11ef6bc846dcdce838f0b00c5f6a562c57e5d43b ] + +At least on wl12xx, reading the MAC after boot can fail with a warning +at drivers/net/wireless/ti/wlcore/sdio.c:78 wl12xx_sdio_raw_read. +The failed call comes from wl12xx_get_mac() that wlcore_nvs_cb() calls +after request_firmware_work_func(). + +After the error, no wireless interface is created. Reloading the wl12xx +module makes the interface work. + +Turns out the wlan controller can be in a low-power ELP state after the +boot from the bootloader or kexec, and needs to be woken up first. + +Let's wake the hardware and add a sleep after that similar to +wl12xx_pre_boot() is already doing. + +Note that a similar issue could exist for wl18xx, but I have not seen it +so far. And a search for wl18xx_get_mac and wl12xx_sdio_raw_read did not +produce similar errors. + +Cc: Carl Philipp Klemm +Signed-off-by: Tony Lindgren +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210603062814.19464-1-tony@atomide.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wl12xx/main.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/wireless/ti/wl12xx/main.c b/drivers/net/wireless/ti/wl12xx/main.c +index 9d7dbfe7fe0c..c6da0cfb4afb 100644 +--- a/drivers/net/wireless/ti/wl12xx/main.c ++++ b/drivers/net/wireless/ti/wl12xx/main.c +@@ -1503,6 +1503,13 @@ static int wl12xx_get_fuse_mac(struct wl1271 *wl) + u32 mac1, mac2; + int ret; + ++ /* Device may be in ELP from the bootloader or kexec */ ++ ret = wlcore_write32(wl, WL12XX_WELP_ARM_COMMAND, WELP_ARM_COMMAND_VAL); ++ if (ret < 0) ++ goto out; ++ ++ usleep_range(500000, 700000); ++ + ret = wlcore_set_partition(wl, &wl->ptable[PART_DRPW]); + if (ret < 0) + goto out; +-- +2.30.2 + diff --git a/queue-5.10/xfrm-fix-error-reporting-in-xfrm_state_construct.patch b/queue-5.10/xfrm-fix-error-reporting-in-xfrm_state_construct.patch new file mode 100644 index 00000000000..a092008912c --- /dev/null +++ b/queue-5.10/xfrm-fix-error-reporting-in-xfrm_state_construct.patch @@ -0,0 +1,74 @@ +From d0d8bb9bba359eec017c671d212ca5547d117a6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jun 2021 15:21:49 +0200 +Subject: xfrm: Fix error reporting in xfrm_state_construct. + +From: Steffen Klassert + +[ Upstream commit 6fd06963fa74197103cdbb4b494763127b3f2f34 ] + +When memory allocation for XFRMA_ENCAP or XFRMA_COADDR fails, +the error will not be reported because the -ENOMEM assignment +to the err variable is overwritten before. Fix this by moving +these two in front of the function so that memory allocation +failures will be reported. + +Reported-by: Tobias Brunner +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index d0c32a8fcc4a..45f86a97eaf2 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -580,6 +580,20 @@ static struct xfrm_state *xfrm_state_construct(struct net *net, + + copy_from_user_state(x, p); + ++ if (attrs[XFRMA_ENCAP]) { ++ x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]), ++ sizeof(*x->encap), GFP_KERNEL); ++ if (x->encap == NULL) ++ goto error; ++ } ++ ++ if (attrs[XFRMA_COADDR]) { ++ x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]), ++ sizeof(*x->coaddr), GFP_KERNEL); ++ if (x->coaddr == NULL) ++ goto error; ++ } ++ + if (attrs[XFRMA_SA_EXTRA_FLAGS]) + x->props.extra_flags = nla_get_u32(attrs[XFRMA_SA_EXTRA_FLAGS]); + +@@ -600,23 +614,9 @@ static struct xfrm_state *xfrm_state_construct(struct net *net, + attrs[XFRMA_ALG_COMP]))) + goto error; + +- if (attrs[XFRMA_ENCAP]) { +- x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]), +- sizeof(*x->encap), GFP_KERNEL); +- if (x->encap == NULL) +- goto error; +- } +- + if (attrs[XFRMA_TFCPAD]) + x->tfcpad = nla_get_u32(attrs[XFRMA_TFCPAD]); + +- if (attrs[XFRMA_COADDR]) { +- x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]), +- sizeof(*x->coaddr), GFP_KERNEL); +- if (x->coaddr == NULL) +- goto error; +- } +- + xfrm_mark_get(attrs, &x->mark); + + xfrm_smark_init(attrs, &x->props.smark); +-- +2.30.2 +