From: Greg Kroah-Hartman Date: Mon, 18 Oct 2021 11:52:17 +0000 (+0200) Subject: 5.14-stable patches X-Git-Tag: v4.14.252~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ac9eb0c035debb9ce39b69a80e62f30fb9f49eb9;p=thirdparty%2Fkernel%2Fstable-queue.git 5.14-stable patches added patches: acpi-arm64-fix-next_platform_timer-section-mismatch-error.patch ata-ahci_platform-fix-null-ptr-deref-in-ahci_platform_enable_regulators.patch block-rnbd-clt-sysfs-fix-a-couple-uninitialized-variable-bugs.patch drm-edid-in-connector_bad_edid-cap-num_of_ext-by-num_blocks-read.patch drm-msm-a3xx-fix-error-handling-in-a3xx_gpu_init.patch drm-msm-a4xx-fix-error-handling-in-a4xx_gpu_init.patch drm-msm-a6xx-track-current-ctx-by-seqno.patch drm-msm-dsi-dsi_phy_14nm-take-ready-bit-into-account-in-poll_for_ready.patch drm-msm-dsi-fix-an-error-code-in-msm_dsi_modeset_init.patch drm-msm-dsi-fix-off-by-one-in-dsi_bus_clk_enable-error-handling.patch drm-msm-fix-null-pointer-dereference-on-pointer-edp.patch drm-msm-mdp5-fix-cursor-related-warnings.patch drm-msm-submit-fix-overflow-check-on-64-bit-architectures.patch drm-panel-olimex-lcd-olinuxino-select-crc32.patch ice-fix-locking-for-tx-timestamp-tracking-flush.patch ionic-don-t-remove-netdev-dev_addr-when-syncing-uc-list.patch mlxsw-thermal-fix-out-of-bounds-memory-accesses.patch mptcp-fix-possible-stall-on-recvmsg.patch mqprio-correct-stats-in-mqprio_dump_class_stats.patch net-dsa-felix-break-at-first-cpu-port-during-init-and-teardown.patch net-mscc-ocelot-avoid-overflowing-the-ptp-timestamp-fifo.patch net-mscc-ocelot-cross-check-the-sequence-id-from-the-timestamp-fifo-with-the-skb-ptp-header.patch net-mscc-ocelot-deny-tx-timestamping-of-non-ptp-packets.patch net-mscc-ocelot-make-use-of-all-63-ptp-timestamp-identifiers.patch net-mscc-ocelot-warn-when-a-ptp-irq-is-raised-for-an-unknown-skb.patch nfc-digital-fix-possible-memory-leak-in-digital_in_send_sdd_req.patch nfc-digital-fix-possible-memory-leak-in-digital_tg_listen_mdaa.patch nfc-fix-error-handling-of-nfc_proto_register.patch nfp-flow_offload-move-flow_indr_dev_register-from-app-init-to-app-start.patch pata_legacy-fix-a-couple-uninitialized-variable-bugs.patch platform-mellanox-mlxreg-io-fix-argument-base-in-kstrtou32-call.patch platform-mellanox-mlxreg-io-fix-read-access-of-n-bytes-size-attributes.patch platform-x86-intel_scu_ipc-fix-busy-loop-expiry-time.patch qed-fix-missing-error-code-in-qed_slowpath_start.patch r8152-select-crc32-and-crypto-crypto_hash-crypto_sha256.patch spi-bcm-qspi-clear-mspi-spifie-interrupt-during-probe.patch spi-spidev-add-spi-id-table.patch vhost-vdpa-fix-the-wrong-input-in-config_cb.patch --- diff --git a/queue-5.14/acpi-arm64-fix-next_platform_timer-section-mismatch-error.patch b/queue-5.14/acpi-arm64-fix-next_platform_timer-section-mismatch-error.patch new file mode 100644 index 00000000000..b16fea82839 --- /dev/null +++ b/queue-5.14/acpi-arm64-fix-next_platform_timer-section-mismatch-error.patch @@ -0,0 +1,52 @@ +From 596143e3aec35c93508d6b7a05ddc999ee209b61 Mon Sep 17 00:00:00 2001 +From: Jackie Liu +Date: Mon, 23 Aug 2021 17:25:26 +0800 +Subject: acpi/arm64: fix next_platform_timer() section mismatch error + +From: Jackie Liu + +commit 596143e3aec35c93508d6b7a05ddc999ee209b61 upstream. + +Fix modpost Section mismatch error in next_platform_timer(). + + [...] + WARNING: modpost: vmlinux.o(.text.unlikely+0x26e60): Section mismatch in reference from the function next_platform_timer() to the variable .init.data:acpi_gtdt_desc + The function next_platform_timer() references + the variable __initdata acpi_gtdt_desc. + This is often because next_platform_timer lacks a __initdata + annotation or the annotation of acpi_gtdt_desc is wrong. + + WARNING: modpost: vmlinux.o(.text.unlikely+0x26e64): Section mismatch in reference from the function next_platform_timer() to the variable .init.data:acpi_gtdt_desc + The function next_platform_timer() references + the variable __initdata acpi_gtdt_desc. + This is often because next_platform_timer lacks a __initdata + annotation or the annotation of acpi_gtdt_desc is wrong. + + ERROR: modpost: Section mismatches detected. + Set CONFIG_SECTION_MISMATCH_WARN_ONLY=y to allow them. + make[1]: *** [scripts/Makefile.modpost:59: vmlinux.symvers] Error 1 + make[1]: *** Deleting file 'vmlinux.symvers' + make: *** [Makefile:1176: vmlinux] Error 2 + [...] + +Fixes: a712c3ed9b8a ("acpi/arm64: Add memory-mapped timer support in GTDT driver") +Signed-off-by: Jackie Liu +Acked-by: Hanjun Guo +Link: https://lore.kernel.org/r/20210823092526.2407526-1-liu.yun@linux.dev +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/arm64/gtdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/acpi/arm64/gtdt.c ++++ b/drivers/acpi/arm64/gtdt.c +@@ -36,7 +36,7 @@ struct acpi_gtdt_descriptor { + + static struct acpi_gtdt_descriptor acpi_gtdt_desc __initdata; + +-static inline void *next_platform_timer(void *platform_timer) ++static inline __init void *next_platform_timer(void *platform_timer) + { + struct acpi_gtdt_header *gh = platform_timer; + diff --git a/queue-5.14/ata-ahci_platform-fix-null-ptr-deref-in-ahci_platform_enable_regulators.patch b/queue-5.14/ata-ahci_platform-fix-null-ptr-deref-in-ahci_platform_enable_regulators.patch new file mode 100644 index 00000000000..2ce8bad1bbc --- /dev/null +++ b/queue-5.14/ata-ahci_platform-fix-null-ptr-deref-in-ahci_platform_enable_regulators.patch @@ -0,0 +1,63 @@ +From 776c75010803849c1cc4f11031a2b3960ab05202 Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Wed, 13 Oct 2021 14:16:31 +0800 +Subject: ata: ahci_platform: fix null-ptr-deref in ahci_platform_enable_regulators() + +From: Wang Hai + +commit 776c75010803849c1cc4f11031a2b3960ab05202 upstream. + +I got a null-ptr-deref report: + +KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097] +... +RIP: 0010:regulator_enable+0x84/0x260 +... +Call Trace: + ahci_platform_enable_regulators+0xae/0x320 + ahci_platform_enable_resources+0x1a/0x120 + ahci_probe+0x4f/0x1b9 + platform_probe+0x10b/0x280 +... + entry_SYSCALL_64_after_hwframe+0x44/0xae + +If devm_regulator_get() in ahci_platform_get_resources() fails, +hpriv->phy_regulator will point to NULL, when enabling or disabling it, +null-ptr-deref will occur. + +ahci_probe() + ahci_platform_get_resources() + devm_regulator_get(, "phy") // failed, let phy_regulator = NULL + ahci_platform_enable_resources() + ahci_platform_enable_regulators() + regulator_enable(hpriv->phy_regulator) // null-ptr-deref + +commit 962399bb7fbf ("ata: libahci_platform: Fix regulator_get_optional() +misuse") replaces devm_regulator_get_optional() with devm_regulator_get(), +but PHY regulator omits to delete "hpriv->phy_regulator = NULL;" like AHCI. +Delete it like AHCI regulator to fix this bug. + +Fixes: commit 962399bb7fbf ("ata: libahci_platform: Fix regulator_get_optional() misuse") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Reviewed-by: Hans de Goede +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libahci_platform.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/ata/libahci_platform.c ++++ b/drivers/ata/libahci_platform.c +@@ -440,10 +440,7 @@ struct ahci_host_priv *ahci_platform_get + hpriv->phy_regulator = devm_regulator_get(dev, "phy"); + if (IS_ERR(hpriv->phy_regulator)) { + rc = PTR_ERR(hpriv->phy_regulator); +- if (rc == -EPROBE_DEFER) +- goto err_out; +- rc = 0; +- hpriv->phy_regulator = NULL; ++ goto err_out; + } + + if (flags & AHCI_PLATFORM_GET_RESETS) { diff --git a/queue-5.14/block-rnbd-clt-sysfs-fix-a-couple-uninitialized-variable-bugs.patch b/queue-5.14/block-rnbd-clt-sysfs-fix-a-couple-uninitialized-variable-bugs.patch new file mode 100644 index 00000000000..205b2ce6fde --- /dev/null +++ b/queue-5.14/block-rnbd-clt-sysfs-fix-a-couple-uninitialized-variable-bugs.patch @@ -0,0 +1,37 @@ +From 7904022decc260a19dd65b56ac896387f5da6f8c Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 12 Oct 2021 11:44:43 +0300 +Subject: block/rnbd-clt-sysfs: fix a couple uninitialized variable bugs + +From: Dan Carpenter + +commit 7904022decc260a19dd65b56ac896387f5da6f8c upstream. + +These variables are printed on the error path if match_int() fails so +they have to be initialized. + +Fixes: 2958a995edc9 ("block/rnbd-clt: Support polling mode for IO latency optimization") +Fixes: 1eb54f8f5dd8 ("block/rnbd: client: sysfs interface functions") +Signed-off-by: Dan Carpenter +Acked-by: Gioh Kim +Link: https://lore.kernel.org/r/20211012084443.GA31472@kili +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/rnbd/rnbd-clt-sysfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/block/rnbd/rnbd-clt-sysfs.c ++++ b/drivers/block/rnbd/rnbd-clt-sysfs.c +@@ -71,8 +71,10 @@ static int rnbd_clt_parse_map_options(co + int opt_mask = 0; + int token; + int ret = -EINVAL; +- int i, dest_port, nr_poll_queues; ++ int nr_poll_queues = 0; ++ int dest_port = 0; + int p_cnt = 0; ++ int i; + + options = kstrdup(buf, GFP_KERNEL); + if (!options) diff --git a/queue-5.14/drm-edid-in-connector_bad_edid-cap-num_of_ext-by-num_blocks-read.patch b/queue-5.14/drm-edid-in-connector_bad_edid-cap-num_of_ext-by-num_blocks-read.patch new file mode 100644 index 00000000000..e0b21eab9b8 --- /dev/null +++ b/queue-5.14/drm-edid-in-connector_bad_edid-cap-num_of_ext-by-num_blocks-read.patch @@ -0,0 +1,63 @@ +From 97794170b696856483f74b47bfb6049780d2d3a0 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Tue, 5 Oct 2021 19:29:08 -0700 +Subject: drm/edid: In connector_bad_edid() cap num_of_ext by num_blocks read +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Douglas Anderson + +commit 97794170b696856483f74b47bfb6049780d2d3a0 upstream. + +In commit e11f5bd8228f ("drm: Add support for DP 1.4 Compliance edid +corruption test") the function connector_bad_edid() started assuming +that the memory for the EDID passed to it was big enough to hold +`edid[0x7e] + 1` blocks of data (1 extra for the base block). It +completely ignored the fact that the function was passed `num_blocks` +which indicated how much memory had been allocated for the EDID. + +Let's fix this by adding a bounds check. + +This is important for handling the case where there's an error in the +first block of the EDID. In that case we will call +connector_bad_edid() without having re-allocated memory based on +`edid[0x7e]`. + +Fixes: e11f5bd8228f ("drm: Add support for DP 1.4 Compliance edid corruption test") +Reported-by: Ville Syrjälä +Signed-off-by: Douglas Anderson +Reviewed-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20211005192905.v2.1.Ib059f9c23c2611cb5a9d760e7d0a700c1295928d@changeid +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_edid.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -1834,11 +1834,20 @@ static void connector_bad_edid(struct dr + u8 *edid, int num_blocks) + { + int i; +- u8 num_of_ext = edid[0x7e]; ++ u8 last_block; ++ ++ /* ++ * 0x7e in the EDID is the number of extension blocks. The EDID ++ * is 1 (base block) + num_ext_blocks big. That means we can think ++ * of 0x7e in the EDID of the _index_ of the last block in the ++ * combined chunk of memory. ++ */ ++ last_block = edid[0x7e]; + + /* Calculate real checksum for the last edid extension block data */ +- connector->real_edid_checksum = +- drm_edid_block_checksum(edid + num_of_ext * EDID_LENGTH); ++ if (last_block < num_blocks) ++ connector->real_edid_checksum = ++ drm_edid_block_checksum(edid + last_block * EDID_LENGTH); + + if (connector->bad_edid_counter++ && !drm_debug_enabled(DRM_UT_KMS)) + return; diff --git a/queue-5.14/drm-msm-a3xx-fix-error-handling-in-a3xx_gpu_init.patch b/queue-5.14/drm-msm-a3xx-fix-error-handling-in-a3xx_gpu_init.patch new file mode 100644 index 00000000000..c0fc03d2e81 --- /dev/null +++ b/queue-5.14/drm-msm-a3xx-fix-error-handling-in-a3xx_gpu_init.patch @@ -0,0 +1,44 @@ +From 3eda901995371d390ef82d0b6462f4ea8efbcfdf Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 1 Oct 2021 15:59:04 +0300 +Subject: drm/msm/a3xx: fix error handling in a3xx_gpu_init() + +From: Dan Carpenter + +commit 3eda901995371d390ef82d0b6462f4ea8efbcfdf upstream. + +These error paths returned 1 on failure, instead of a negative error +code. This would lead to an Oops in the caller. A second problem is +that the check for "if (ret != -ENODATA)" did not work because "ret" was +set to 1. + +Fixes: 5785dd7a8ef0 ("drm/msm: Fix duplicate gpu node in icc summary") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20211001125904.GK2283@kili +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/adreno/a3xx_gpu.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/msm/adreno/a3xx_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/a3xx_gpu.c +@@ -571,13 +571,14 @@ struct msm_gpu *a3xx_gpu_init(struct drm + } + + icc_path = devm_of_icc_get(&pdev->dev, "gfx-mem"); +- ret = IS_ERR(icc_path); +- if (ret) ++ if (IS_ERR(icc_path)) { ++ ret = PTR_ERR(icc_path); + goto fail; ++ } + + ocmem_icc_path = devm_of_icc_get(&pdev->dev, "ocmem"); +- ret = IS_ERR(ocmem_icc_path); +- if (ret) { ++ if (IS_ERR(ocmem_icc_path)) { ++ ret = PTR_ERR(ocmem_icc_path); + /* allow -ENODATA, ocmem icc is optional */ + if (ret != -ENODATA) + goto fail; diff --git a/queue-5.14/drm-msm-a4xx-fix-error-handling-in-a4xx_gpu_init.patch b/queue-5.14/drm-msm-a4xx-fix-error-handling-in-a4xx_gpu_init.patch new file mode 100644 index 00000000000..70567afeaeb --- /dev/null +++ b/queue-5.14/drm-msm-a4xx-fix-error-handling-in-a4xx_gpu_init.patch @@ -0,0 +1,43 @@ +From 980d74e7d03ccf2eaa11d133416946bd880c7c08 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 1 Oct 2021 15:57:59 +0300 +Subject: drm/msm/a4xx: fix error handling in a4xx_gpu_init() + +From: Dan Carpenter + +commit 980d74e7d03ccf2eaa11d133416946bd880c7c08 upstream. + +This code returns 1 on error instead of a negative error. It leads to +an Oops in the caller. A second problem is that the check for +"if (ret != -ENODATA)" cannot be true because "ret" is set to 1. + +Fixes: 5785dd7a8ef0 ("drm/msm: Fix duplicate gpu node in icc summary") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20211001125759.GJ2283@kili +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/adreno/a4xx_gpu.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/msm/adreno/a4xx_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/a4xx_gpu.c +@@ -699,13 +699,14 @@ struct msm_gpu *a4xx_gpu_init(struct drm + } + + icc_path = devm_of_icc_get(&pdev->dev, "gfx-mem"); +- ret = IS_ERR(icc_path); +- if (ret) ++ if (IS_ERR(icc_path)) { ++ ret = PTR_ERR(icc_path); + goto fail; ++ } + + ocmem_icc_path = devm_of_icc_get(&pdev->dev, "ocmem"); +- ret = IS_ERR(ocmem_icc_path); +- if (ret) { ++ if (IS_ERR(ocmem_icc_path)) { ++ ret = PTR_ERR(ocmem_icc_path); + /* allow -ENODATA, ocmem icc is optional */ + if (ret != -ENODATA) + goto fail; diff --git a/queue-5.14/drm-msm-a6xx-track-current-ctx-by-seqno.patch b/queue-5.14/drm-msm-a6xx-track-current-ctx-by-seqno.patch new file mode 100644 index 00000000000..aaa15d828cb --- /dev/null +++ b/queue-5.14/drm-msm-a6xx-track-current-ctx-by-seqno.patch @@ -0,0 +1,102 @@ +From 14eb0cb4e9a7323c8735cf6c681ed8423ce6ae06 Mon Sep 17 00:00:00 2001 +From: Rob Clark +Date: Thu, 30 Sep 2021 10:43:20 -0700 +Subject: drm/msm/a6xx: Track current ctx by seqno + +From: Rob Clark + +commit 14eb0cb4e9a7323c8735cf6c681ed8423ce6ae06 upstream. + +In theory a context can be destroyed and a new one allocated at the same +address, making the pointer comparision to detect when we don't need to +update the current pagetables invalid. Instead assign a sequence number +to each context on creation, and use this for the check. + +Fixes: 84c31ee16f90 ("drm/msm/a6xx: Add support for per-instance pagetables") +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 6 +++--- + drivers/gpu/drm/msm/adreno/a6xx_gpu.h | 11 ++++++++++- + drivers/gpu/drm/msm/msm_drv.c | 3 +++ + drivers/gpu/drm/msm/msm_drv.h | 1 + + 4 files changed, 17 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c +@@ -102,7 +102,7 @@ static void a6xx_set_pagetable(struct a6 + u32 asid; + u64 memptr = rbmemptr(ring, ttbr0); + +- if (ctx == a6xx_gpu->cur_ctx) ++ if (ctx->seqno == a6xx_gpu->cur_ctx_seqno) + return; + + if (msm_iommu_pagetable_params(ctx->aspace->mmu, &ttbr, &asid)) +@@ -135,7 +135,7 @@ static void a6xx_set_pagetable(struct a6 + OUT_PKT7(ring, CP_EVENT_WRITE, 1); + OUT_RING(ring, 0x31); + +- a6xx_gpu->cur_ctx = ctx; ++ a6xx_gpu->cur_ctx_seqno = ctx->seqno; + } + + static void a6xx_submit(struct msm_gpu *gpu, struct msm_gem_submit *submit) +@@ -1053,7 +1053,7 @@ static int a6xx_hw_init(struct msm_gpu * + /* Always come up on rb 0 */ + a6xx_gpu->cur_ring = gpu->rb[0]; + +- a6xx_gpu->cur_ctx = NULL; ++ a6xx_gpu->cur_ctx_seqno = 0; + + /* Enable the SQE_to start the CP engine */ + gpu_write(gpu, REG_A6XX_CP_SQE_CNTL, 1); +--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.h ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu.h +@@ -19,7 +19,16 @@ struct a6xx_gpu { + uint64_t sqe_iova; + + struct msm_ringbuffer *cur_ring; +- struct msm_file_private *cur_ctx; ++ ++ /** ++ * cur_ctx_seqno: ++ * ++ * The ctx->seqno value of the context with current pgtables ++ * installed. Tracked by seqno rather than pointer value to ++ * avoid dangling pointers, and cases where a ctx can be freed ++ * and a new one created with the same address. ++ */ ++ int cur_ctx_seqno; + + struct a6xx_gmu gmu; + +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -619,6 +619,7 @@ static void load_gpu(struct drm_device * + + static int context_init(struct drm_device *dev, struct drm_file *file) + { ++ static atomic_t ident = ATOMIC_INIT(0); + struct msm_drm_private *priv = dev->dev_private; + struct msm_file_private *ctx; + +@@ -632,6 +633,8 @@ static int context_init(struct drm_devic + ctx->aspace = msm_gpu_create_private_address_space(priv->gpu, current); + file->driver_priv = ctx; + ++ ctx->seqno = atomic_inc_return(&ident); ++ + return 0; + } + +--- a/drivers/gpu/drm/msm/msm_drv.h ++++ b/drivers/gpu/drm/msm/msm_drv.h +@@ -59,6 +59,7 @@ struct msm_file_private { + int queueid; + struct msm_gem_address_space *aspace; + struct kref ref; ++ int seqno; + }; + + enum msm_mdp_plane_property { diff --git a/queue-5.14/drm-msm-dsi-dsi_phy_14nm-take-ready-bit-into-account-in-poll_for_ready.patch b/queue-5.14/drm-msm-dsi-dsi_phy_14nm-take-ready-bit-into-account-in-poll_for_ready.patch new file mode 100644 index 00000000000..a73d9d8aa7f --- /dev/null +++ b/queue-5.14/drm-msm-dsi-dsi_phy_14nm-take-ready-bit-into-account-in-poll_for_ready.patch @@ -0,0 +1,87 @@ +From 90b7c1c66132c20e8a550006011a3cbfb73dbfc1 Mon Sep 17 00:00:00 2001 +From: Marijn Suijten +Date: Mon, 6 Sep 2021 22:25:51 +0200 +Subject: drm/msm/dsi: dsi_phy_14nm: Take ready-bit into account in poll_for_ready + +From: Marijn Suijten + +commit 90b7c1c66132c20e8a550006011a3cbfb73dbfc1 upstream. + +The downstream driver models this PLL lock check as an if-elseif-else. +The only way to reach the else case where pll_locked=true [1] is by +succeeding both readl_poll_timeout_atomic calls (which return zero on +success) in the if _and_ elseif condition. Hence both the "lock" and +"ready" bit need to be tested in the SM_READY_STATUS register before +considering the PLL locked and ready to go. + +Tested on the Sony Xperia XA2 Ultra (nile-discovery, sdm630). + +[1]: https://source.codeaurora.org/quic/la/kernel/msm-4.19/tree/drivers/clk/qcom/mdss/mdss-dsi-pll-14nm-util.c?h=LA.UM.9.2.1.r1-08000-sdm660.0#n302 + +Fixes: f079f6d999cb ("drm/msm/dsi: Add PHY/PLL for 8x96") +Signed-off-by: Marijn Suijten +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20210906202552.824598-1-marijn.suijten@somainline.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/dsi/phy/dsi_phy_14nm.c | 30 ++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy_14nm.c ++++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy_14nm.c +@@ -110,14 +110,13 @@ static struct dsi_pll_14nm *pll_14nm_lis + static bool pll_14nm_poll_for_ready(struct dsi_pll_14nm *pll_14nm, + u32 nb_tries, u32 timeout_us) + { +- bool pll_locked = false; ++ bool pll_locked = false, pll_ready = false; + void __iomem *base = pll_14nm->phy->pll_base; + u32 tries, val; + + tries = nb_tries; + while (tries--) { +- val = dsi_phy_read(base + +- REG_DSI_14nm_PHY_PLL_RESET_SM_READY_STATUS); ++ val = dsi_phy_read(base + REG_DSI_14nm_PHY_PLL_RESET_SM_READY_STATUS); + pll_locked = !!(val & BIT(5)); + + if (pll_locked) +@@ -126,23 +125,24 @@ static bool pll_14nm_poll_for_ready(stru + udelay(timeout_us); + } + +- if (!pll_locked) { +- tries = nb_tries; +- while (tries--) { +- val = dsi_phy_read(base + +- REG_DSI_14nm_PHY_PLL_RESET_SM_READY_STATUS); +- pll_locked = !!(val & BIT(0)); ++ if (!pll_locked) ++ goto out; + +- if (pll_locked) +- break; ++ tries = nb_tries; ++ while (tries--) { ++ val = dsi_phy_read(base + REG_DSI_14nm_PHY_PLL_RESET_SM_READY_STATUS); ++ pll_ready = !!(val & BIT(0)); + +- udelay(timeout_us); +- } ++ if (pll_ready) ++ break; ++ ++ udelay(timeout_us); + } + +- DBG("DSI PLL is %slocked", pll_locked ? "" : "*not* "); ++out: ++ DBG("DSI PLL is %slocked, %sready", pll_locked ? "" : "*not* ", pll_ready ? "" : "*not* "); + +- return pll_locked; ++ return pll_locked && pll_ready; + } + + static void dsi_pll_14nm_config_init(struct dsi_pll_config *pconf) diff --git a/queue-5.14/drm-msm-dsi-fix-an-error-code-in-msm_dsi_modeset_init.patch b/queue-5.14/drm-msm-dsi-fix-an-error-code-in-msm_dsi_modeset_init.patch new file mode 100644 index 00000000000..b83263a5ca9 --- /dev/null +++ b/queue-5.14/drm-msm-dsi-fix-an-error-code-in-msm_dsi_modeset_init.patch @@ -0,0 +1,37 @@ +From 739b4e7756d3301dd673ca517afca46a5f635562 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 1 Oct 2021 15:33:08 +0300 +Subject: drm/msm/dsi: Fix an error code in msm_dsi_modeset_init() + +From: Dan Carpenter + +commit 739b4e7756d3301dd673ca517afca46a5f635562 upstream. + +Return an error code if msm_dsi_manager_validate_current_config(). +Don't return success. + +Fixes: 8b03ad30e314 ("drm/msm/dsi: Use one connector for dual DSI mode") +Signed-off-by: Dan Carpenter +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20211001123308.GF2283@kili +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/dsi/dsi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/msm/dsi/dsi.c ++++ b/drivers/gpu/drm/msm/dsi/dsi.c +@@ -208,8 +208,10 @@ int msm_dsi_modeset_init(struct msm_dsi + goto fail; + } + +- if (!msm_dsi_manager_validate_current_config(msm_dsi->id)) ++ if (!msm_dsi_manager_validate_current_config(msm_dsi->id)) { ++ ret = -EINVAL; + goto fail; ++ } + + msm_dsi->encoder = encoder; + diff --git a/queue-5.14/drm-msm-dsi-fix-off-by-one-in-dsi_bus_clk_enable-error-handling.patch b/queue-5.14/drm-msm-dsi-fix-off-by-one-in-dsi_bus_clk_enable-error-handling.patch new file mode 100644 index 00000000000..858a577171f --- /dev/null +++ b/queue-5.14/drm-msm-dsi-fix-off-by-one-in-dsi_bus_clk_enable-error-handling.patch @@ -0,0 +1,34 @@ +From c8f01ffc83923a91e8087aaa077de13354a7aa59 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 1 Oct 2021 15:34:09 +0300 +Subject: drm/msm/dsi: fix off by one in dsi_bus_clk_enable error handling + +From: Dan Carpenter + +commit c8f01ffc83923a91e8087aaa077de13354a7aa59 upstream. + +This disables a lock which wasn't enabled and it does not disable +the first lock in the array. + +Fixes: 6e0eb52eba9e ("drm/msm/dsi: Parse bus clocks from a list") +Signed-off-by: Dan Carpenter +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20211001123409.GG2283@kili +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -463,7 +463,7 @@ static int dsi_bus_clk_enable(struct msm + + return 0; + err: +- for (; i > 0; i--) ++ while (--i >= 0) + clk_disable_unprepare(msm_host->bus_clks[i]); + + return ret; diff --git a/queue-5.14/drm-msm-fix-null-pointer-dereference-on-pointer-edp.patch b/queue-5.14/drm-msm-fix-null-pointer-dereference-on-pointer-edp.patch new file mode 100644 index 00000000000..bdcb46730b4 --- /dev/null +++ b/queue-5.14/drm-msm-fix-null-pointer-dereference-on-pointer-edp.patch @@ -0,0 +1,44 @@ +From 2133c4fc8e1348dcb752f267a143fe2254613b34 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Wed, 29 Sep 2021 13:18:57 +0100 +Subject: drm/msm: Fix null pointer dereference on pointer edp + +From: Colin Ian King + +commit 2133c4fc8e1348dcb752f267a143fe2254613b34 upstream. + +The initialization of pointer dev dereferences pointer edp before +edp is null checked, so there is a potential null pointer deference +issue. Fix this by only dereferencing edp after edp has been null +checked. + +Addresses-Coverity: ("Dereference before null check") +Fixes: ab5b0107ccf3 ("drm/msm: Initial add eDP support in msm drm driver (v5)") +Signed-off-by: Colin Ian King +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20210929121857.213922-1-colin.king@canonical.com +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/edp/edp_ctrl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/msm/edp/edp_ctrl.c ++++ b/drivers/gpu/drm/msm/edp/edp_ctrl.c +@@ -1116,7 +1116,7 @@ void msm_edp_ctrl_power(struct edp_ctrl + int msm_edp_ctrl_init(struct msm_edp *edp) + { + struct edp_ctrl *ctrl = NULL; +- struct device *dev = &edp->pdev->dev; ++ struct device *dev; + int ret; + + if (!edp) { +@@ -1124,6 +1124,7 @@ int msm_edp_ctrl_init(struct msm_edp *ed + return -EINVAL; + } + ++ dev = &edp->pdev->dev; + ctrl = devm_kzalloc(dev, sizeof(*ctrl), GFP_KERNEL); + if (!ctrl) + return -ENOMEM; diff --git a/queue-5.14/drm-msm-mdp5-fix-cursor-related-warnings.patch b/queue-5.14/drm-msm-mdp5-fix-cursor-related-warnings.patch new file mode 100644 index 00000000000..e0c387c3702 --- /dev/null +++ b/queue-5.14/drm-msm-mdp5-fix-cursor-related-warnings.patch @@ -0,0 +1,144 @@ +From c491a0c7bbf3a64732cb8414021429d15ec08eec Mon Sep 17 00:00:00 2001 +From: Dmitry Baryshkov +Date: Sat, 25 Sep 2021 22:28:24 +0300 +Subject: drm/msm/mdp5: fix cursor-related warnings + +From: Dmitry Baryshkov + +commit c491a0c7bbf3a64732cb8414021429d15ec08eec upstream. + +Since f35a2a99100f ("drm/encoder: make encoder control functions +optional") drm_mode_config_validate would print warnings if both cursor +plane and cursor functions are provided. Restore separate set of +drm_crtc_funcs to be used if separate cursor plane is provided. + +[ 6.556046] ------------[ cut here ]------------ +[ 6.556071] [CRTC:93:crtc-0] must not have both a cursor plane and a cursor_set func +[ 6.556091] WARNING: CPU: 1 PID: 76 at drivers/gpu/drm/drm_mode_config.c:648 drm_mode_config_validate+0x238/0x4d0 +[ 6.567453] Modules linked in: +[ 6.577604] CPU: 1 PID: 76 Comm: kworker/u8:2 Not tainted 5.15.0-rc1-dirty #43 +[ 6.580557] Hardware name: Qualcomm Technologies, Inc. DB820c (DT) +[ 6.587763] Workqueue: events_unbound deferred_probe_work_func +[ 6.593926] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 6.599740] pc : drm_mode_config_validate+0x238/0x4d0 +[ 6.606596] lr : drm_mode_config_validate+0x238/0x4d0 +[ 6.611804] sp : ffff8000121b3980 +[ 6.616838] x29: ffff8000121b3990 x28: 0000000000000000 x27: 0000000000000001 +[ 6.620140] x26: ffff8000114cde50 x25: ffff8000114cdd40 x24: ffff0000987282d8 +[ 6.627258] x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000001 +[ 6.634376] x20: ffff000098728000 x19: ffff000080a39000 x18: ffffffffffffffff +[ 6.641494] x17: 3136564e3631564e x16: 0000000000000324 x15: ffff800011c78709 +[ 6.648613] x14: 0000000000000000 x13: ffff800011a22850 x12: 00000000000009ab +[ 6.655730] x11: 0000000000000339 x10: ffff800011a22850 x9 : ffff800011a22850 +[ 6.662848] x8 : 00000000ffffefff x7 : ffff800011a7a850 x6 : ffff800011a7a850 +[ 6.669966] x5 : 000000000000bff4 x4 : 40000000fffff339 x3 : 0000000000000000 +[ 6.677084] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00008093b800 +[ 6.684205] Call trace: +[ 6.691319] drm_mode_config_validate+0x238/0x4d0 +[ 6.693577] drm_dev_register+0x17c/0x210 +[ 6.698435] msm_drm_bind+0x4b4/0x694 +[ 6.702429] try_to_bring_up_master+0x164/0x1d0 +[ 6.706075] __component_add+0xa0/0x170 +[ 6.710415] component_add+0x14/0x20 +[ 6.714234] msm_hdmi_dev_probe+0x1c/0x2c +[ 6.718053] platform_probe+0x68/0xe0 +[ 6.721959] really_probe.part.0+0x9c/0x30c +[ 6.725606] __driver_probe_device+0x98/0x144 +[ 6.729600] driver_probe_device+0xc8/0x15c +[ 6.734114] __device_attach_driver+0xb4/0x120 +[ 6.738106] bus_for_each_drv+0x78/0xd0 +[ 6.742619] __device_attach+0xdc/0x184 +[ 6.746351] device_initial_probe+0x14/0x20 +[ 6.750172] bus_probe_device+0x9c/0xa4 +[ 6.754337] deferred_probe_work_func+0x88/0xc0 +[ 6.758158] process_one_work+0x1d0/0x370 +[ 6.762671] worker_thread+0x2c8/0x470 +[ 6.766839] kthread+0x15c/0x170 +[ 6.770483] ret_from_fork+0x10/0x20 +[ 6.773870] ---[ end trace 5884eb76cd26d274 ]--- +[ 6.777500] ------------[ cut here ]------------ +[ 6.782043] [CRTC:93:crtc-0] must not have both a cursor plane and a cursor_move func +[ 6.782063] WARNING: CPU: 1 PID: 76 at drivers/gpu/drm/drm_mode_config.c:654 drm_mode_config_validate+0x290/0x4d0 +[ 6.794362] Modules linked in: +[ 6.804600] CPU: 1 PID: 76 Comm: kworker/u8:2 Tainted: G W 5.15.0-rc1-dirty #43 +[ 6.807555] Hardware name: Qualcomm Technologies, Inc. DB820c (DT) +[ 6.816148] Workqueue: events_unbound deferred_probe_work_func +[ 6.822311] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 6.828126] pc : drm_mode_config_validate+0x290/0x4d0 +[ 6.834981] lr : drm_mode_config_validate+0x290/0x4d0 +[ 6.840189] sp : ffff8000121b3980 +[ 6.845223] x29: ffff8000121b3990 x28: 0000000000000000 x27: 0000000000000001 +[ 6.848525] x26: ffff8000114cde50 x25: ffff8000114cdd40 x24: ffff0000987282d8 +[ 6.855643] x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000001 +[ 6.862763] x20: ffff000098728000 x19: ffff000080a39000 x18: ffffffffffffffff +[ 6.869879] x17: 3136564e3631564e x16: 0000000000000324 x15: ffff800011c790c2 +[ 6.876998] x14: 0000000000000000 x13: ffff800011a22850 x12: 0000000000000a2f +[ 6.884116] x11: 0000000000000365 x10: ffff800011a22850 x9 : ffff800011a22850 +[ 6.891234] x8 : 00000000ffffefff x7 : ffff800011a7a850 x6 : ffff800011a7a850 +[ 6.898351] x5 : 000000000000bff4 x4 : 40000000fffff365 x3 : 0000000000000000 +[ 6.905470] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00008093b800 +[ 6.912590] Call trace: +[ 6.919702] drm_mode_config_validate+0x290/0x4d0 +[ 6.921960] drm_dev_register+0x17c/0x210 +[ 6.926821] msm_drm_bind+0x4b4/0x694 +[ 6.930813] try_to_bring_up_master+0x164/0x1d0 +[ 6.934459] __component_add+0xa0/0x170 +[ 6.938799] component_add+0x14/0x20 +[ 6.942619] msm_hdmi_dev_probe+0x1c/0x2c +[ 6.946438] platform_probe+0x68/0xe0 +[ 6.950345] really_probe.part.0+0x9c/0x30c +[ 6.953991] __driver_probe_device+0x98/0x144 +[ 6.957984] driver_probe_device+0xc8/0x15c +[ 6.962498] __device_attach_driver+0xb4/0x120 +[ 6.966492] bus_for_each_drv+0x78/0xd0 +[ 6.971004] __device_attach+0xdc/0x184 +[ 6.974737] device_initial_probe+0x14/0x20 +[ 6.978556] bus_probe_device+0x9c/0xa4 +[ 6.982722] deferred_probe_work_func+0x88/0xc0 +[ 6.986543] process_one_work+0x1d0/0x370 +[ 6.991057] worker_thread+0x2c8/0x470 +[ 6.995223] kthread+0x15c/0x170 +[ 6.998869] ret_from_fork+0x10/0x20 +[ 7.002255] ---[ end trace 5884eb76cd26d275 ]--- + +Fixes: aa649e875daf ("drm/msm/mdp5: mdp5_crtc: Restore cursor state only if LM cursors are enabled") +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20210925192824.3416259-1-dmitry.baryshkov@linaro.org +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c ++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c +@@ -1125,6 +1125,20 @@ static void mdp5_crtc_reset(struct drm_c + __drm_atomic_helper_crtc_reset(crtc, &mdp5_cstate->base); + } + ++static const struct drm_crtc_funcs mdp5_crtc_no_lm_cursor_funcs = { ++ .set_config = drm_atomic_helper_set_config, ++ .destroy = mdp5_crtc_destroy, ++ .page_flip = drm_atomic_helper_page_flip, ++ .reset = mdp5_crtc_reset, ++ .atomic_duplicate_state = mdp5_crtc_duplicate_state, ++ .atomic_destroy_state = mdp5_crtc_destroy_state, ++ .atomic_print_state = mdp5_crtc_atomic_print_state, ++ .get_vblank_counter = mdp5_crtc_get_vblank_counter, ++ .enable_vblank = msm_crtc_enable_vblank, ++ .disable_vblank = msm_crtc_disable_vblank, ++ .get_vblank_timestamp = drm_crtc_vblank_helper_get_vblank_timestamp, ++}; ++ + static const struct drm_crtc_funcs mdp5_crtc_funcs = { + .set_config = drm_atomic_helper_set_config, + .destroy = mdp5_crtc_destroy, +@@ -1313,6 +1327,8 @@ struct drm_crtc *mdp5_crtc_init(struct d + mdp5_crtc->lm_cursor_enabled = cursor_plane ? false : true; + + drm_crtc_init_with_planes(dev, crtc, plane, cursor_plane, ++ cursor_plane ? ++ &mdp5_crtc_no_lm_cursor_funcs : + &mdp5_crtc_funcs, NULL); + + drm_flip_work_init(&mdp5_crtc->unref_cursor_work, diff --git a/queue-5.14/drm-msm-submit-fix-overflow-check-on-64-bit-architectures.patch b/queue-5.14/drm-msm-submit-fix-overflow-check-on-64-bit-architectures.patch new file mode 100644 index 00000000000..5ad61197f3a --- /dev/null +++ b/queue-5.14/drm-msm-submit-fix-overflow-check-on-64-bit-architectures.patch @@ -0,0 +1,39 @@ +From 95c58291ee709424557996891926a05a32c5b13a Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 27 Sep 2021 13:36:23 +0200 +Subject: drm/msm/submit: fix overflow check on 64-bit architectures + +From: Arnd Bergmann + +commit 95c58291ee709424557996891926a05a32c5b13a upstream. + +The overflow check does causes a warning from clang-14 when 'sz' is a type +that is smaller than size_t: + +drivers/gpu/drm/msm/msm_gem_submit.c:217:10: error: result of comparison of constant 18446744073709551615 with expression of type 'unsigned int' is always false [-Werror,-Wtautological-constant-out-of-range-compare] + if (sz == SIZE_MAX) { + +Change the type accordingly. + +Fixes: 20224d715a88 ("drm/msm/submit: Move copy_from_user ahead of locking bos") +Signed-off-by: Arnd Bergmann +Reviewed-by: Stephen Boyd +Link: https://lore.kernel.org/r/20210927113632.3849987-1-arnd@kernel.org +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/msm_gem_submit.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/msm/msm_gem_submit.c ++++ b/drivers/gpu/drm/msm/msm_gem_submit.c +@@ -161,7 +161,8 @@ out: + static int submit_lookup_cmds(struct msm_gem_submit *submit, + struct drm_msm_gem_submit *args, struct drm_file *file) + { +- unsigned i, sz; ++ unsigned i; ++ size_t sz; + int ret = 0; + + for (i = 0; i < args->nr_cmds; i++) { diff --git a/queue-5.14/drm-panel-olimex-lcd-olinuxino-select-crc32.patch b/queue-5.14/drm-panel-olimex-lcd-olinuxino-select-crc32.patch new file mode 100644 index 00000000000..df3d7bc1840 --- /dev/null +++ b/queue-5.14/drm-panel-olimex-lcd-olinuxino-select-crc32.patch @@ -0,0 +1,36 @@ +From a14bc107edd0c108bda2245e50daa22f91c95d20 Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Tue, 12 Oct 2021 13:52:42 +0200 +Subject: drm/panel: olimex-lcd-olinuxino: select CRC32 + +From: Vegard Nossum + +commit a14bc107edd0c108bda2245e50daa22f91c95d20 upstream. + +Fix the following build/link error by adding a dependency on the CRC32 +routines: + + ld: drivers/gpu/drm/panel/panel-olimex-lcd-olinuxino.o: in function `lcd_olinuxino_probe': + panel-olimex-lcd-olinuxino.c:(.text+0x303): undefined reference to `crc32_le' + +Fixes: 17fd7a9d324fd ("drm/panel: Add support for Olimex LCD-OLinuXino panel") +Cc: Arnd Bergmann +Signed-off-by: Vegard Nossum +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20211012115242.10325-1-vegard.nossum@oracle.com +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/panel/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/panel/Kconfig ++++ b/drivers/gpu/drm/panel/Kconfig +@@ -273,6 +273,7 @@ config DRM_PANEL_OLIMEX_LCD_OLINUXINO + depends on OF + depends on I2C + depends on BACKLIGHT_CLASS_DEVICE ++ select CRC32 + help + The panel is used with different sizes LCDs, from 480x272 to + 1280x800, and 24 bit per pixel. diff --git a/queue-5.14/ice-fix-locking-for-tx-timestamp-tracking-flush.patch b/queue-5.14/ice-fix-locking-for-tx-timestamp-tracking-flush.patch new file mode 100644 index 00000000000..23107ed9cef --- /dev/null +++ b/queue-5.14/ice-fix-locking-for-tx-timestamp-tracking-flush.patch @@ -0,0 +1,148 @@ +From 4d4a223a86afe658cd878800f09458e8bb54415d Mon Sep 17 00:00:00 2001 +From: Jacob Keller +Date: Mon, 11 Oct 2021 13:48:06 -0700 +Subject: ice: fix locking for Tx timestamp tracking flush + +From: Jacob Keller + +commit 4d4a223a86afe658cd878800f09458e8bb54415d upstream. + +Commit 4dd0d5c33c3e ("ice: add lock around Tx timestamp tracker flush") +added a lock around the Tx timestamp tracker flow which is used to +cleanup any left over SKBs and prepare for device removal. + +This lock is problematic because it is being held around a call to +ice_clear_phy_tstamp. The clear function takes a mutex to send a PHY +write command to firmware. This could lead to a deadlock if the mutex +actually sleeps, and causes the following warning on a kernel with +preemption debugging enabled: + +[ 715.419426] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:573 +[ 715.427900] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 3100, name: rmmod +[ 715.435652] INFO: lockdep is turned off. +[ 715.439591] Preemption disabled at: +[ 715.439594] [<0000000000000000>] 0x0 +[ 715.446678] CPU: 52 PID: 3100 Comm: rmmod Tainted: G W OE 5.15.0-rc4+ #42 bdd7ec3018e725f159ca0d372ce8c2c0e784891c +[ 715.458058] Hardware name: Intel Corporation S2600STQ/S2600STQ, BIOS SE5C620.86B.02.01.0010.010620200716 01/06/2020 +[ 715.468483] Call Trace: +[ 715.470940] dump_stack_lvl+0x6a/0x9a +[ 715.474613] ___might_sleep.cold+0x224/0x26a +[ 715.478895] __mutex_lock+0xb3/0x1440 +[ 715.482569] ? stack_depot_save+0x378/0x500 +[ 715.486763] ? ice_sq_send_cmd+0x78/0x14c0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d] +[ 715.494979] ? kfree+0xc1/0x520 +[ 715.498128] ? mutex_lock_io_nested+0x12a0/0x12a0 +[ 715.502837] ? kasan_set_free_info+0x20/0x30 +[ 715.507110] ? __kasan_slab_free+0x10b/0x140 +[ 715.511385] ? slab_free_freelist_hook+0xc7/0x220 +[ 715.516092] ? kfree+0xc1/0x520 +[ 715.519235] ? ice_deinit_lag+0x16c/0x220 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d] +[ 715.527359] ? ice_remove+0x1cf/0x6a0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d] +[ 715.535133] ? pci_device_remove+0xab/0x1d0 +[ 715.539318] ? __device_release_driver+0x35b/0x690 +[ 715.544110] ? driver_detach+0x214/0x2f0 +[ 715.548035] ? bus_remove_driver+0x11d/0x2f0 +[ 715.552309] ? pci_unregister_driver+0x26/0x250 +[ 715.556840] ? ice_module_exit+0xc/0x2f [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d] +[ 715.564799] ? __do_sys_delete_module.constprop.0+0x2d8/0x4e0 +[ 715.570554] ? do_syscall_64+0x3b/0x90 +[ 715.574303] ? entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 715.579529] ? start_flush_work+0x542/0x8f0 +[ 715.583719] ? ice_sq_send_cmd+0x78/0x14c0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d] +[ 715.591923] ice_sq_send_cmd+0x78/0x14c0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d] +[ 715.599960] ? wait_for_completion_io+0x250/0x250 +[ 715.604662] ? lock_acquire+0x196/0x200 +[ 715.608504] ? do_raw_spin_trylock+0xa5/0x160 +[ 715.612864] ice_sbq_rw_reg+0x1e6/0x2f0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d] +[ 715.620813] ? ice_reset+0x130/0x130 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d] +[ 715.628497] ? __debug_check_no_obj_freed+0x1e8/0x3c0 +[ 715.633550] ? trace_hardirqs_on+0x1c/0x130 +[ 715.637748] ice_write_phy_reg_e810+0x70/0xf0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d] +[ 715.646220] ? do_raw_spin_trylock+0xa5/0x160 +[ 715.650581] ? ice_ptp_release+0x910/0x910 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d] +[ 715.658797] ? ice_ptp_release+0x255/0x910 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d] +[ 715.667013] ice_clear_phy_tstamp+0x2c/0x110 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d] +[ 715.675403] ice_ptp_release+0x408/0x910 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d] +[ 715.683440] ice_remove+0x560/0x6a0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d] +[ 715.691037] ? _raw_spin_unlock_irqrestore+0x46/0x73 +[ 715.696005] pci_device_remove+0xab/0x1d0 +[ 715.700018] __device_release_driver+0x35b/0x690 +[ 715.704637] driver_detach+0x214/0x2f0 +[ 715.708389] bus_remove_driver+0x11d/0x2f0 +[ 715.712489] pci_unregister_driver+0x26/0x250 +[ 715.716857] ice_module_exit+0xc/0x2f [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d] +[ 715.724637] __do_sys_delete_module.constprop.0+0x2d8/0x4e0 +[ 715.730210] ? free_module+0x6d0/0x6d0 +[ 715.733963] ? task_work_run+0xe1/0x170 +[ 715.737803] ? exit_to_user_mode_loop+0x17f/0x1d0 +[ 715.742509] ? rcu_read_lock_sched_held+0x12/0x80 +[ 715.747215] ? trace_hardirqs_on+0x1c/0x130 +[ 715.751401] do_syscall_64+0x3b/0x90 +[ 715.754981] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 715.760033] RIP: 0033:0x7f4dfe59000b +[ 715.763612] Code: 73 01 c3 48 8b 0d 6d 1e 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3d 1e 0c 00 f7 d8 64 89 01 48 +[ 715.782357] RSP: 002b:00007ffe8c891708 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 +[ 715.789923] RAX: ffffffffffffffda RBX: 00005558a20468b0 RCX: 00007f4dfe59000b +[ 715.797054] RDX: 000000000000000a RSI: 0000000000000800 RDI: 00005558a2046918 +[ 715.804189] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +[ 715.811319] R10: 00007f4dfe603ac0 R11: 0000000000000206 R12: 00007ffe8c891940 +[ 715.818455] R13: 00007ffe8c8920a3 R14: 00005558a20462a0 R15: 00005558a20468b0 + +Notice that this is the only case where we use the lock in this way. In +the cleanup kthread and work kthread the lock is only taken around the +bit accesses. This was done intentionally to avoid this kind of issue. +The way the lock is used, we only protect ordering of bit sets vs bit +clears. The Tx writers in the hot path don't need to be protected +against the entire kthread loop. The Tx queues threads only need to +ensure that they do not re-use an index that is currently in use. The +cleanup loop does not need to block all new set bits, since it will +re-queue itself if new timestamps are present. + +Fix the tracker flow so that it uses the same flow as the standard +cleanup thread. In addition, ensure the in_use bitmap actually gets +cleared properly. + +This fixes the warning and also avoids the potential deadlock that might +have occurred otherwise. + +Fixes: 4dd0d5c33c3e ("ice: add lock around Tx timestamp tracker flush") +Signed-off-by: Jacob Keller +Signed-off-by: Tony Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_ptp.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/net/ethernet/intel/ice/ice_ptp.c ++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c +@@ -1324,22 +1324,21 @@ ice_ptp_flush_tx_tracker(struct ice_pf * + { + u8 idx; + +- spin_lock(&tx->lock); +- + for (idx = 0; idx < tx->len; idx++) { + u8 phy_idx = idx + tx->quad_offset; + +- /* Clear any potential residual timestamp in the PHY block */ +- if (!pf->hw.reset_ongoing) +- ice_clear_phy_tstamp(&pf->hw, tx->quad, phy_idx); +- ++ spin_lock(&tx->lock); + if (tx->tstamps[idx].skb) { + dev_kfree_skb_any(tx->tstamps[idx].skb); + tx->tstamps[idx].skb = NULL; + } +- } ++ clear_bit(idx, tx->in_use); ++ spin_unlock(&tx->lock); + +- spin_unlock(&tx->lock); ++ /* Clear any potential residual timestamp in the PHY block */ ++ if (!pf->hw.reset_ongoing) ++ ice_clear_phy_tstamp(&pf->hw, tx->quad, phy_idx); ++ } + } + + /** diff --git a/queue-5.14/ionic-don-t-remove-netdev-dev_addr-when-syncing-uc-list.patch b/queue-5.14/ionic-don-t-remove-netdev-dev_addr-when-syncing-uc-list.patch new file mode 100644 index 00000000000..4c53c1a5469 --- /dev/null +++ b/queue-5.14/ionic-don-t-remove-netdev-dev_addr-when-syncing-uc-list.patch @@ -0,0 +1,46 @@ +From 5c976a56570f29aaf4a2f9a1bf99789c252183c9 Mon Sep 17 00:00:00 2001 +From: Shannon Nelson +Date: Fri, 8 Oct 2021 12:38:01 -0700 +Subject: ionic: don't remove netdev->dev_addr when syncing uc list + +From: Shannon Nelson + +commit 5c976a56570f29aaf4a2f9a1bf99789c252183c9 upstream. + +Bridging, and possibly other upper stack gizmos, adds the +lower device's netdev->dev_addr to its own uc list, and +then requests it be deleted when the upper bridge device is +removed. This delete request also happens with the bridging +vlan_filtering is enabled and then disabled. + +Bonding has a similar behavior with the uc list, but since it +also uses set_mac to manage netdev->dev_addr, it doesn't have +the same the failure case. + +Because we store our netdev->dev_addr in our uc list, we need +to ignore the delete request from dev_uc_sync so as to not +lose the address and all hope of communicating. Note that +ndo_set_mac_address is expressly changing netdev->dev_addr, +so no limitation is set there. + +Fixes: 2a654540be10 ("ionic: Add Rx filter and rx_mode ndo support") +Signed-off-by: Shannon Nelson +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -1357,6 +1357,10 @@ static int ionic_addr_add(struct net_dev + + static int ionic_addr_del(struct net_device *netdev, const u8 *addr) + { ++ /* Don't delete our own address from the uc list */ ++ if (ether_addr_equal(addr, netdev->dev_addr)) ++ return 0; ++ + return ionic_lif_addr(netdev_priv(netdev), addr, DEL_ADDR); + } + diff --git a/queue-5.14/mlxsw-thermal-fix-out-of-bounds-memory-accesses.patch b/queue-5.14/mlxsw-thermal-fix-out-of-bounds-memory-accesses.patch new file mode 100644 index 00000000000..16b6990dc38 --- /dev/null +++ b/queue-5.14/mlxsw-thermal-fix-out-of-bounds-memory-accesses.patch @@ -0,0 +1,201 @@ +From 332fdf951df8b870e3da86b122ae304e2aabe88c Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Tue, 12 Oct 2021 20:49:55 +0300 +Subject: mlxsw: thermal: Fix out-of-bounds memory accesses + +From: Ido Schimmel + +commit 332fdf951df8b870e3da86b122ae304e2aabe88c upstream. + +Currently, mlxsw allows cooling states to be set above the maximum +cooling state supported by the driver: + + # cat /sys/class/thermal/thermal_zone2/cdev0/type + mlxsw_fan + # cat /sys/class/thermal/thermal_zone2/cdev0/max_state + 10 + # echo 18 > /sys/class/thermal/thermal_zone2/cdev0/cur_state + # echo $? + 0 + +This results in out-of-bounds memory accesses when thermal state +transition statistics are enabled (CONFIG_THERMAL_STATISTICS=y), as the +transition table is accessed with a too large index (state) [1]. + +According to the thermal maintainer, it is the responsibility of the +driver to reject such operations [2]. + +Therefore, return an error when the state to be set exceeds the maximum +cooling state supported by the driver. + +To avoid dead code, as suggested by the thermal maintainer [3], +partially revert commit a421ce088ac8 ("mlxsw: core: Extend cooling +device with cooling levels") that tried to interpret these invalid +cooling states (above the maximum) in a special way. The cooling levels +array is not removed in order to prevent the fans going below 20% PWM, +which would cause them to get stuck at 0% PWM. + +[1] +BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x271/0x290 +Read of size 4 at addr ffff8881052f7bf8 by task kworker/0:0/5 + +CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.15.0-rc3-custom-45935-gce1adf704b14 #122 +Hardware name: Mellanox Technologies Ltd. "MSN2410-CB2FO"/"SA000874", BIOS 4.6.5 03/08/2016 +Workqueue: events_freezable_power_ thermal_zone_device_check +Call Trace: + dump_stack_lvl+0x8b/0xb3 + print_address_description.constprop.0+0x1f/0x140 + kasan_report.cold+0x7f/0x11b + thermal_cooling_device_stats_update+0x271/0x290 + __thermal_cdev_update+0x15e/0x4e0 + thermal_cdev_update+0x9f/0xe0 + step_wise_throttle+0x770/0xee0 + thermal_zone_device_update+0x3f6/0xdf0 + process_one_work+0xa42/0x1770 + worker_thread+0x62f/0x13e0 + kthread+0x3ee/0x4e0 + ret_from_fork+0x1f/0x30 + +Allocated by task 1: + kasan_save_stack+0x1b/0x40 + __kasan_kmalloc+0x7c/0x90 + thermal_cooling_device_setup_sysfs+0x153/0x2c0 + __thermal_cooling_device_register.part.0+0x25b/0x9c0 + thermal_cooling_device_register+0xb3/0x100 + mlxsw_thermal_init+0x5c5/0x7e0 + __mlxsw_core_bus_device_register+0xcb3/0x19c0 + mlxsw_core_bus_device_register+0x56/0xb0 + mlxsw_pci_probe+0x54f/0x710 + local_pci_probe+0xc6/0x170 + pci_device_probe+0x2b2/0x4d0 + really_probe+0x293/0xd10 + __driver_probe_device+0x2af/0x440 + driver_probe_device+0x51/0x1e0 + __driver_attach+0x21b/0x530 + bus_for_each_dev+0x14c/0x1d0 + bus_add_driver+0x3ac/0x650 + driver_register+0x241/0x3d0 + mlxsw_sp_module_init+0xa2/0x174 + do_one_initcall+0xee/0x5f0 + kernel_init_freeable+0x45a/0x4de + kernel_init+0x1f/0x210 + ret_from_fork+0x1f/0x30 + +The buggy address belongs to the object at ffff8881052f7800 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 1016 bytes inside of + 1024-byte region [ffff8881052f7800, ffff8881052f7c00) +The buggy address belongs to the page: +page:0000000052355272 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1052f0 +head:0000000052355272 order:3 compound_mapcount:0 compound_pincount:0 +flags: 0x200000000010200(slab|head|node=0|zone=2) +raw: 0200000000010200 ffffea0005034800 0000000300000003 ffff888100041dc0 +raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8881052f7a80: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc + ffff8881052f7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff8881052f7b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff8881052f7c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff8881052f7c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +[2] https://lore.kernel.org/linux-pm/9aca37cb-1629-5c67-1895-1fdc45c0244e@linaro.org/ +[3] https://lore.kernel.org/linux-pm/af9857f2-578e-de3a-e62b-6baff7e69fd4@linaro.org/ + +CC: Daniel Lezcano +Fixes: a50c1e35650b ("mlxsw: core: Implement thermal zone") +Fixes: a421ce088ac8 ("mlxsw: core: Extend cooling device with cooling levels") +Signed-off-by: Ido Schimmel +Tested-by: Vadim Pasternak +Link: https://lore.kernel.org/r/20211012174955.472928-1-idosch@idosch.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/core_thermal.c | 52 ++------------------- + 1 file changed, 5 insertions(+), 47 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/core_thermal.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core_thermal.c +@@ -24,16 +24,8 @@ + #define MLXSW_THERMAL_ZONE_MAX_NAME 16 + #define MLXSW_THERMAL_TEMP_SCORE_MAX GENMASK(31, 0) + #define MLXSW_THERMAL_MAX_STATE 10 ++#define MLXSW_THERMAL_MIN_STATE 2 + #define MLXSW_THERMAL_MAX_DUTY 255 +-/* Minimum and maximum fan allowed speed in percent: from 20% to 100%. Values +- * MLXSW_THERMAL_MAX_STATE + x, where x is between 2 and 10 are used for +- * setting fan speed dynamic minimum. For example, if value is set to 14 (40%) +- * cooling levels vector will be set to 4, 4, 4, 4, 4, 5, 6, 7, 8, 9, 10 to +- * introduce PWM speed in percent: 40, 40, 40, 40, 40, 50, 60. 70, 80, 90, 100. +- */ +-#define MLXSW_THERMAL_SPEED_MIN (MLXSW_THERMAL_MAX_STATE + 2) +-#define MLXSW_THERMAL_SPEED_MAX (MLXSW_THERMAL_MAX_STATE * 2) +-#define MLXSW_THERMAL_SPEED_MIN_LEVEL 2 /* 20% */ + + /* External cooling devices, allowed for binding to mlxsw thermal zones. */ + static char * const mlxsw_thermal_external_allowed_cdev[] = { +@@ -646,49 +638,16 @@ static int mlxsw_thermal_set_cur_state(s + struct mlxsw_thermal *thermal = cdev->devdata; + struct device *dev = thermal->bus_info->dev; + char mfsc_pl[MLXSW_REG_MFSC_LEN]; +- unsigned long cur_state, i; + int idx; +- u8 duty; + int err; + ++ if (state > MLXSW_THERMAL_MAX_STATE) ++ return -EINVAL; ++ + idx = mlxsw_get_cooling_device_idx(thermal, cdev); + if (idx < 0) + return idx; + +- /* Verify if this request is for changing allowed fan dynamical +- * minimum. If it is - update cooling levels accordingly and update +- * state, if current state is below the newly requested minimum state. +- * For example, if current state is 5, and minimal state is to be +- * changed from 4 to 6, thermal->cooling_levels[0 to 5] will be changed +- * all from 4 to 6. And state 5 (thermal->cooling_levels[4]) should be +- * overwritten. +- */ +- if (state >= MLXSW_THERMAL_SPEED_MIN && +- state <= MLXSW_THERMAL_SPEED_MAX) { +- state -= MLXSW_THERMAL_MAX_STATE; +- for (i = 0; i <= MLXSW_THERMAL_MAX_STATE; i++) +- thermal->cooling_levels[i] = max(state, i); +- +- mlxsw_reg_mfsc_pack(mfsc_pl, idx, 0); +- err = mlxsw_reg_query(thermal->core, MLXSW_REG(mfsc), mfsc_pl); +- if (err) +- return err; +- +- duty = mlxsw_reg_mfsc_pwm_duty_cycle_get(mfsc_pl); +- cur_state = mlxsw_duty_to_state(duty); +- +- /* If current fan state is lower than requested dynamical +- * minimum, increase fan speed up to dynamical minimum. +- */ +- if (state < cur_state) +- return 0; +- +- state = cur_state; +- } +- +- if (state > MLXSW_THERMAL_MAX_STATE) +- return -EINVAL; +- + /* Normalize the state to the valid speed range. */ + state = thermal->cooling_levels[state]; + mlxsw_reg_mfsc_pack(mfsc_pl, idx, mlxsw_state_to_duty(state)); +@@ -998,8 +957,7 @@ int mlxsw_thermal_init(struct mlxsw_core + + /* Initialize cooling levels per PWM state. */ + for (i = 0; i < MLXSW_THERMAL_MAX_STATE; i++) +- thermal->cooling_levels[i] = max(MLXSW_THERMAL_SPEED_MIN_LEVEL, +- i); ++ thermal->cooling_levels[i] = max(MLXSW_THERMAL_MIN_STATE, i); + + thermal->polling_delay = bus_info->low_frequency ? + MLXSW_THERMAL_SLOW_POLL_INT : diff --git a/queue-5.14/mptcp-fix-possible-stall-on-recvmsg.patch b/queue-5.14/mptcp-fix-possible-stall-on-recvmsg.patch new file mode 100644 index 00000000000..c491b67e6d3 --- /dev/null +++ b/queue-5.14/mptcp-fix-possible-stall-on-recvmsg.patch @@ -0,0 +1,220 @@ +From 612f71d7328c14369924384ad2170aae2a6abd92 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Thu, 7 Oct 2021 15:05:00 -0700 +Subject: mptcp: fix possible stall on recvmsg() + +From: Paolo Abeni + +commit 612f71d7328c14369924384ad2170aae2a6abd92 upstream. + +recvmsg() can enter an infinite loop if the caller provides the +MSG_WAITALL, the data present in the receive queue is not sufficient to +fulfill the request, and no more data is received by the peer. + +When the above happens, mptcp_wait_data() will always return with +no wait, as the MPTCP_DATA_READY flag checked by such function is +set and never cleared in such code path. + +Leveraging the above syzbot was able to trigger an RCU stall: + +rcu: INFO: rcu_preempt self-detected stall on CPU +rcu: 0-...!: (10499 ticks this GP) idle=0af/1/0x4000000000000000 softirq=10678/10678 fqs=1 + (t=10500 jiffies g=13089 q=109) +rcu: rcu_preempt kthread starved for 10497 jiffies! g13089 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1 +rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior. +rcu: RCU grace-period kthread stack dump: +task:rcu_preempt state:R running task stack:28696 pid: 14 ppid: 2 flags:0x00004000 +Call Trace: + context_switch kernel/sched/core.c:4955 [inline] + __schedule+0x940/0x26f0 kernel/sched/core.c:6236 + schedule+0xd3/0x270 kernel/sched/core.c:6315 + schedule_timeout+0x14a/0x2a0 kernel/time/timer.c:1881 + rcu_gp_fqs_loop+0x186/0x810 kernel/rcu/tree.c:1955 + rcu_gp_kthread+0x1de/0x320 kernel/rcu/tree.c:2128 + kthread+0x405/0x4f0 kernel/kthread.c:327 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 +rcu: Stack dump where RCU GP kthread last ran: +Sending NMI from CPU 0 to CPUs 1: +NMI backtrace for cpu 1 +CPU: 1 PID: 8510 Comm: syz-executor827 Not tainted 5.15.0-rc2-next-20210920-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:84 [inline] +RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline] +RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline] +RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline] +RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline] +RIP: 0010:kasan_check_range+0xc8/0x180 mm/kasan/generic.c:189 +Code: 38 00 74 ed 48 8d 50 08 eb 09 48 83 c0 01 48 39 d0 74 7a 80 38 00 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 <48> 85 d2 74 5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 80 38 00 +RSP: 0018:ffffc9000cd676c8 EFLAGS: 00000283 +RAX: ffffed100e9a110e RBX: ffffed100e9a110f RCX: ffffffff88ea062a +RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff888074d08870 +RBP: ffffed100e9a110e R08: 0000000000000001 R09: ffff888074d08877 +R10: ffffed100e9a110e R11: 0000000000000000 R12: ffff888074d08000 +R13: ffff888074d08000 R14: ffff888074d08088 R15: ffff888074d08000 +FS: 0000555556d8e300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 +S: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020000180 CR3: 0000000068909000 CR4: 00000000001506e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + instrument_atomic_read_write include/linux/instrumented.h:101 [inline] + test_and_clear_bit include/asm-generic/bitops/instrumented-atomic.h:83 [inline] + mptcp_release_cb+0x14a/0x210 net/mptcp/protocol.c:3016 + release_sock+0xb4/0x1b0 net/core/sock.c:3204 + mptcp_wait_data net/mptcp/protocol.c:1770 [inline] + mptcp_recvmsg+0xfd1/0x27b0 net/mptcp/protocol.c:2080 + inet6_recvmsg+0x11b/0x5e0 net/ipv6/af_inet6.c:659 + sock_recvmsg_nosec net/socket.c:944 [inline] + ____sys_recvmsg+0x527/0x600 net/socket.c:2626 + ___sys_recvmsg+0x127/0x200 net/socket.c:2670 + do_recvmmsg+0x24d/0x6d0 net/socket.c:2764 + __sys_recvmmsg net/socket.c:2843 [inline] + __do_sys_recvmmsg net/socket.c:2866 [inline] + __se_sys_recvmmsg net/socket.c:2859 [inline] + __x64_sys_recvmmsg+0x20b/0x260 net/socket.c:2859 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7fc200d2dc39 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffc5758e5a8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc200d2dc39 +RDX: 0000000000000002 RSI: 00000000200017c0 RDI: 0000000000000003 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000f0b5ff +R10: 0000000000000100 R11: 0000000000000246 R12: 0000000000000003 +R13: 00007ffc5758e5d0 R14: 00007ffc5758e5c0 R15: 0000000000000003 + +Fix the issue by replacing the MPTCP_DATA_READY bit with direct +inspection of the msk receive queue. + +Reported-and-tested-by: syzbot+3360da629681aa0d22fe@syzkaller.appspotmail.com +Fixes: 7a6a6cbc3e59 ("mptcp: recvmsg() can drain data from multiple subflow") +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 55 +++++++++++++-------------------------------------- + 1 file changed, 15 insertions(+), 40 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -515,7 +515,6 @@ static bool mptcp_check_data_fin(struct + + sk->sk_shutdown |= RCV_SHUTDOWN; + smp_mb__before_atomic(); /* SHUTDOWN must be visible first */ +- set_bit(MPTCP_DATA_READY, &msk->flags); + + switch (sk->sk_state) { + case TCP_ESTABLISHED: +@@ -730,10 +729,9 @@ void mptcp_data_ready(struct sock *sk, s + + /* Wake-up the reader only for in-sequence data */ + mptcp_data_lock(sk); +- if (move_skbs_to_msk(msk, ssk)) { +- set_bit(MPTCP_DATA_READY, &msk->flags); ++ if (move_skbs_to_msk(msk, ssk)) + sk->sk_data_ready(sk); +- } ++ + mptcp_data_unlock(sk); + } + +@@ -838,7 +836,6 @@ static void mptcp_check_for_eof(struct m + sk->sk_shutdown |= RCV_SHUTDOWN; + + smp_mb__before_atomic(); /* SHUTDOWN must be visible first */ +- set_bit(MPTCP_DATA_READY, &msk->flags); + sk->sk_data_ready(sk); + } + +@@ -1701,21 +1698,6 @@ out: + return copied ? : ret; + } + +-static void mptcp_wait_data(struct sock *sk, long *timeo) +-{ +- DEFINE_WAIT_FUNC(wait, woken_wake_function); +- struct mptcp_sock *msk = mptcp_sk(sk); +- +- add_wait_queue(sk_sleep(sk), &wait); +- sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk); +- +- sk_wait_event(sk, timeo, +- test_bit(MPTCP_DATA_READY, &msk->flags), &wait); +- +- sk_clear_bit(SOCKWQ_ASYNC_WAITDATA, sk); +- remove_wait_queue(sk_sleep(sk), &wait); +-} +- + static int __mptcp_recvmsg_mskq(struct mptcp_sock *msk, + struct msghdr *msg, + size_t len, int flags, +@@ -2019,19 +2001,7 @@ static int mptcp_recvmsg(struct sock *sk + } + + pr_debug("block timeout %ld", timeo); +- mptcp_wait_data(sk, &timeo); +- } +- +- if (skb_queue_empty_lockless(&sk->sk_receive_queue) && +- skb_queue_empty(&msk->receive_queue)) { +- /* entire backlog drained, clear DATA_READY. */ +- clear_bit(MPTCP_DATA_READY, &msk->flags); +- +- /* .. race-breaker: ssk might have gotten new data +- * after last __mptcp_move_skbs() returned false. +- */ +- if (unlikely(__mptcp_move_skbs(msk))) +- set_bit(MPTCP_DATA_READY, &msk->flags); ++ sk_wait_data(sk, &timeo, NULL); + } + + out_err: +@@ -2040,9 +2010,9 @@ out_err: + tcp_recv_timestamp(msg, sk, &tss); + } + +- pr_debug("msk=%p data_ready=%d rx queue empty=%d copied=%d", +- msk, test_bit(MPTCP_DATA_READY, &msk->flags), +- skb_queue_empty_lockless(&sk->sk_receive_queue), copied); ++ pr_debug("msk=%p rx queue empty=%d:%d copied=%d", ++ msk, skb_queue_empty_lockless(&sk->sk_receive_queue), ++ skb_queue_empty(&msk->receive_queue), copied); + if (!(flags & MSG_PEEK)) + mptcp_rcv_space_adjust(msk, copied); + +@@ -2255,7 +2225,6 @@ static void mptcp_check_fastclose(struct + inet_sk_state_store(sk, TCP_CLOSE); + sk->sk_shutdown = SHUTDOWN_MASK; + smp_mb__before_atomic(); /* SHUTDOWN must be visible first */ +- set_bit(MPTCP_DATA_READY, &msk->flags); + set_bit(MPTCP_WORK_CLOSE_SUBFLOW, &msk->flags); + + mptcp_close_wake_up(sk); +@@ -3272,8 +3241,14 @@ unlock_fail: + + static __poll_t mptcp_check_readable(struct mptcp_sock *msk) + { +- return test_bit(MPTCP_DATA_READY, &msk->flags) ? EPOLLIN | EPOLLRDNORM : +- 0; ++ /* Concurrent splices from sk_receive_queue into receive_queue will ++ * always show at least one non-empty queue when checked in this order. ++ */ ++ if (skb_queue_empty_lockless(&((struct sock *)msk)->sk_receive_queue) && ++ skb_queue_empty_lockless(&msk->receive_queue)) ++ return 0; ++ ++ return EPOLLIN | EPOLLRDNORM; + } + + static __poll_t mptcp_check_writeable(struct mptcp_sock *msk) +@@ -3308,7 +3283,7 @@ static __poll_t mptcp_poll(struct file * + state = inet_sk_state_load(sk); + pr_debug("msk=%p state=%d flags=%lx", msk, state, msk->flags); + if (state == TCP_LISTEN) +- return mptcp_check_readable(msk); ++ return test_bit(MPTCP_DATA_READY, &msk->flags) ? EPOLLIN | EPOLLRDNORM : 0; + + if (state != TCP_SYN_SENT && state != TCP_SYN_RECV) { + mask |= mptcp_check_readable(msk); diff --git a/queue-5.14/mqprio-correct-stats-in-mqprio_dump_class_stats.patch b/queue-5.14/mqprio-correct-stats-in-mqprio_dump_class_stats.patch new file mode 100644 index 00000000000..4451d5ea6f0 --- /dev/null +++ b/queue-5.14/mqprio-correct-stats-in-mqprio_dump_class_stats.patch @@ -0,0 +1,80 @@ +From 14132690860e4d06aa3e1c4d7d8e9866ba7756dd Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Thu, 7 Oct 2021 19:49:57 +0200 +Subject: mqprio: Correct stats in mqprio_dump_class_stats(). + +From: Sebastian Andrzej Siewior + +commit 14132690860e4d06aa3e1c4d7d8e9866ba7756dd upstream. + +Introduction of lockless subqueues broke the class statistics. +Before the change stats were accumulated in `bstats' and `qstats' +on the stack which was then copied to struct gnet_dump. + +After the change the `bstats' and `qstats' are initialized to 0 +and never updated, yet still fed to gnet_dump. The code updates +the global qdisc->cpu_bstats and qdisc->cpu_qstats instead, +clobbering them. Most likely a copy-paste error from the code in +mqprio_dump(). + +__gnet_stats_copy_basic() and __gnet_stats_copy_queue() accumulate +the values for per-CPU case but for global stats they overwrite +the value, so only stats from the last loop iteration / tc end up +in sch->[bq]stats. + +Use the on-stack [bq]stats variables again and add the stats manually +in the global case. + +Fixes: ce679e8df7ed2 ("net: sched: add support for TCQ_F_NOLOCK subqueues to sch_mqprio") +Cc: John Fastabend +Signed-off-by: Sebastian Andrzej Siewior +https://lore.kernel.org/all/20211007175000.2334713-2-bigeasy@linutronix.de/ +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_mqprio.c | 30 ++++++++++++++++++------------ + 1 file changed, 18 insertions(+), 12 deletions(-) + +--- a/net/sched/sch_mqprio.c ++++ b/net/sched/sch_mqprio.c +@@ -529,22 +529,28 @@ static int mqprio_dump_class_stats(struc + for (i = tc.offset; i < tc.offset + tc.count; i++) { + struct netdev_queue *q = netdev_get_tx_queue(dev, i); + struct Qdisc *qdisc = rtnl_dereference(q->qdisc); +- struct gnet_stats_basic_cpu __percpu *cpu_bstats = NULL; +- struct gnet_stats_queue __percpu *cpu_qstats = NULL; + + spin_lock_bh(qdisc_lock(qdisc)); ++ + if (qdisc_is_percpu_stats(qdisc)) { +- cpu_bstats = qdisc->cpu_bstats; +- cpu_qstats = qdisc->cpu_qstats; +- } ++ qlen = qdisc_qlen_sum(qdisc); + +- qlen = qdisc_qlen_sum(qdisc); +- __gnet_stats_copy_basic(NULL, &sch->bstats, +- cpu_bstats, &qdisc->bstats); +- __gnet_stats_copy_queue(&sch->qstats, +- cpu_qstats, +- &qdisc->qstats, +- qlen); ++ __gnet_stats_copy_basic(NULL, &bstats, ++ qdisc->cpu_bstats, ++ &qdisc->bstats); ++ __gnet_stats_copy_queue(&qstats, ++ qdisc->cpu_qstats, ++ &qdisc->qstats, ++ qlen); ++ } else { ++ qlen += qdisc->q.qlen; ++ bstats.bytes += qdisc->bstats.bytes; ++ bstats.packets += qdisc->bstats.packets; ++ qstats.backlog += qdisc->qstats.backlog; ++ qstats.drops += qdisc->qstats.drops; ++ qstats.requeues += qdisc->qstats.requeues; ++ qstats.overlimits += qdisc->qstats.overlimits; ++ } + spin_unlock_bh(qdisc_lock(qdisc)); + } + diff --git a/queue-5.14/net-dsa-felix-break-at-first-cpu-port-during-init-and-teardown.patch b/queue-5.14/net-dsa-felix-break-at-first-cpu-port-during-init-and-teardown.patch new file mode 100644 index 00000000000..04c3a2d818e --- /dev/null +++ b/queue-5.14/net-dsa-felix-break-at-first-cpu-port-during-init-and-teardown.patch @@ -0,0 +1,99 @@ +From 8d5f7954b7c8de54902a8beda141064a7e2e6ee0 Mon Sep 17 00:00:00 2001 +From: Vladimir Oltean +Date: Tue, 12 Oct 2021 14:40:44 +0300 +Subject: net: dsa: felix: break at first CPU port during init and teardown + +From: Vladimir Oltean + +commit 8d5f7954b7c8de54902a8beda141064a7e2e6ee0 upstream. + +The NXP LS1028A switch has two Ethernet ports towards the CPU, but only +one of them is capable of acting as an NPI port at a time (inject and +extract packets using DSA tags). + +However, using the alternative ocelot-8021q tagging protocol, it should +be possible to use both CPU ports symmetrically, but for that we need to +mark both ports in the device tree as DSA masters. + +In the process of doing that, it can be seen that traffic to/from the +network stack gets broken, and this is because the Felix driver iterates +through all DSA CPU ports and configures them as NPI ports. But since +there can only be a single NPI port, we effectively end up in a +situation where DSA thinks the default CPU port is the first one, but +the hardware port configured to be an NPI is the last one. + +I would like to treat this as a bug, because if the updated device trees +are going to start circulating, it would be really good for existing +kernels to support them, too. + +Fixes: adb3dccf090b ("net: dsa: felix: convert to the new .change_tag_protocol DSA API") +Signed-off-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/ocelot/felix.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/net/dsa/ocelot/felix.c ++++ b/drivers/net/dsa/ocelot/felix.c +@@ -271,12 +271,12 @@ static void felix_8021q_cpu_port_deinit( + */ + static int felix_setup_mmio_filtering(struct felix *felix) + { +- unsigned long user_ports = 0, cpu_ports = 0; ++ unsigned long user_ports = dsa_user_ports(felix->ds); + struct ocelot_vcap_filter *redirect_rule; + struct ocelot_vcap_filter *tagging_rule; + struct ocelot *ocelot = &felix->ocelot; + struct dsa_switch *ds = felix->ds; +- int port, ret; ++ int cpu = -1, port, ret; + + tagging_rule = kzalloc(sizeof(struct ocelot_vcap_filter), GFP_KERNEL); + if (!tagging_rule) +@@ -289,12 +289,15 @@ static int felix_setup_mmio_filtering(st + } + + for (port = 0; port < ocelot->num_phys_ports; port++) { +- if (dsa_is_user_port(ds, port)) +- user_ports |= BIT(port); +- if (dsa_is_cpu_port(ds, port)) +- cpu_ports |= BIT(port); ++ if (dsa_is_cpu_port(ds, port)) { ++ cpu = port; ++ break; ++ } + } + ++ if (cpu < 0) ++ return -EINVAL; ++ + tagging_rule->key_type = OCELOT_VCAP_KEY_ETYPE; + *(__be16 *)tagging_rule->key.etype.etype.value = htons(ETH_P_1588); + *(__be16 *)tagging_rule->key.etype.etype.mask = htons(0xffff); +@@ -330,7 +333,7 @@ static int felix_setup_mmio_filtering(st + * the CPU port module + */ + redirect_rule->action.mask_mode = OCELOT_MASK_MODE_REDIRECT; +- redirect_rule->action.port_mask = cpu_ports; ++ redirect_rule->action.port_mask = BIT(cpu); + } else { + /* Trap PTP packets only to the CPU port module (which is + * redirected to the NPI port) +@@ -1241,6 +1244,7 @@ static int felix_setup(struct dsa_switch + * there's no real point in checking for errors. + */ + felix_set_tag_protocol(ds, port, felix->tag_proto); ++ break; + } + + ds->mtu_enforcement_ingress = true; +@@ -1277,6 +1281,7 @@ static void felix_teardown(struct dsa_sw + continue; + + felix_del_tag_protocol(ds, port, felix->tag_proto); ++ break; + } + + ocelot_devlink_sb_unregister(ocelot); diff --git a/queue-5.14/net-mscc-ocelot-avoid-overflowing-the-ptp-timestamp-fifo.patch b/queue-5.14/net-mscc-ocelot-avoid-overflowing-the-ptp-timestamp-fifo.patch new file mode 100644 index 00000000000..a574cceb611 --- /dev/null +++ b/queue-5.14/net-mscc-ocelot-avoid-overflowing-the-ptp-timestamp-fifo.patch @@ -0,0 +1,181 @@ +From 52849bcf0029ccc553be304e4f804938a39112e2 Mon Sep 17 00:00:00 2001 +From: Vladimir Oltean +Date: Tue, 12 Oct 2021 14:40:36 +0300 +Subject: net: mscc: ocelot: avoid overflowing the PTP timestamp FIFO + +From: Vladimir Oltean + +commit 52849bcf0029ccc553be304e4f804938a39112e2 upstream. + +PTP packets with 2-step TX timestamp requests are matched to packets +based on the egress port number and a 6-bit timestamp identifier. +All PTP timestamps are held in a common FIFO that is 128 entry deep. + +This patch ensures that back-to-back timestamping requests cannot exceed +the hardware FIFO capacity. If that happens, simply send the packets +without requesting a TX timestamp to be taken (in the case of felix, +since the DSA API has a void return code in ds->ops->port_txtstamp) or +drop them (in the case of ocelot). + +I've moved the ts_id_lock from a per-port basis to a per-switch basis, +because we need separate accounting for both numbers of PTP frames in +flight. And since we need locking to inc/dec the per-switch counter, +that also offers protection for the per-port counter and hence there is +no reason to have a per-port counter anymore. + +Fixes: 4e3b0468e6d7 ("net: mscc: PTP Hardware Clock (PHC) support") +Signed-off-by: Vladimir Oltean +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/ocelot/felix.c | 6 +++++- + drivers/net/ethernet/mscc/ocelot.c | 37 ++++++++++++++++++++++++++++++------- + include/soc/mscc/ocelot.h | 5 ++++- + include/soc/mscc/ocelot_ptp.h | 1 + + 4 files changed, 40 insertions(+), 9 deletions(-) + +--- a/drivers/net/dsa/ocelot/felix.c ++++ b/drivers/net/dsa/ocelot/felix.c +@@ -1406,8 +1406,12 @@ static void felix_txtstamp(struct dsa_sw + if (!ocelot->ptp) + return; + +- if (ocelot_port_txtstamp_request(ocelot, port, skb, &clone)) ++ if (ocelot_port_txtstamp_request(ocelot, port, skb, &clone)) { ++ dev_err_ratelimited(ds->dev, ++ "port %d delivering skb without TX timestamp\n", ++ port); + return; ++ } + + if (clone) + OCELOT_SKB_CB(skb)->clone = clone; +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -536,22 +536,36 @@ void ocelot_port_disable(struct ocelot * + } + EXPORT_SYMBOL(ocelot_port_disable); + +-static void ocelot_port_add_txtstamp_skb(struct ocelot *ocelot, int port, +- struct sk_buff *clone) ++static int ocelot_port_add_txtstamp_skb(struct ocelot *ocelot, int port, ++ struct sk_buff *clone) + { + struct ocelot_port *ocelot_port = ocelot->ports[port]; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&ocelot->ts_id_lock, flags); + +- spin_lock(&ocelot_port->ts_id_lock); ++ if (ocelot_port->ptp_skbs_in_flight == OCELOT_MAX_PTP_ID || ++ ocelot->ptp_skbs_in_flight == OCELOT_PTP_FIFO_SIZE) { ++ spin_unlock_irqrestore(&ocelot->ts_id_lock, flags); ++ return -EBUSY; ++ } + + skb_shinfo(clone)->tx_flags |= SKBTX_IN_PROGRESS; + /* Store timestamp ID in OCELOT_SKB_CB(clone)->ts_id */ + OCELOT_SKB_CB(clone)->ts_id = ocelot_port->ts_id; ++ + ocelot_port->ts_id++; + if (ocelot_port->ts_id == OCELOT_MAX_PTP_ID) + ocelot_port->ts_id = 0; ++ ++ ocelot_port->ptp_skbs_in_flight++; ++ ocelot->ptp_skbs_in_flight++; ++ + skb_queue_tail(&ocelot_port->tx_skbs, clone); + +- spin_unlock(&ocelot_port->ts_id_lock); ++ spin_unlock_irqrestore(&ocelot->ts_id_lock, flags); ++ ++ return 0; + } + + u32 ocelot_ptp_rew_op(struct sk_buff *skb) +@@ -600,6 +614,7 @@ int ocelot_port_txtstamp_request(struct + { + struct ocelot_port *ocelot_port = ocelot->ports[port]; + u8 ptp_cmd = ocelot_port->ptp_cmd; ++ int err; + + /* Store ptp_cmd in OCELOT_SKB_CB(skb)->ptp_cmd */ + if (ptp_cmd == IFH_REW_OP_ORIGIN_PTP) { +@@ -617,7 +632,10 @@ int ocelot_port_txtstamp_request(struct + if (!(*clone)) + return -ENOMEM; + +- ocelot_port_add_txtstamp_skb(ocelot, port, *clone); ++ err = ocelot_port_add_txtstamp_skb(ocelot, port, *clone); ++ if (err) ++ return err; ++ + OCELOT_SKB_CB(skb)->ptp_cmd = ptp_cmd; + } + +@@ -676,9 +694,14 @@ void ocelot_get_txtstamp(struct ocelot * + id = SYS_PTP_STATUS_PTP_MESS_ID_X(val); + txport = SYS_PTP_STATUS_PTP_MESS_TXPORT_X(val); + +- /* Retrieve its associated skb */ + port = ocelot->ports[txport]; + ++ spin_lock(&ocelot->ts_id_lock); ++ port->ptp_skbs_in_flight--; ++ ocelot->ptp_skbs_in_flight--; ++ spin_unlock(&ocelot->ts_id_lock); ++ ++ /* Retrieve its associated skb */ + spin_lock_irqsave(&port->tx_skbs.lock, flags); + + skb_queue_walk_safe(&port->tx_skbs, skb, skb_tmp) { +@@ -1917,7 +1940,6 @@ void ocelot_init_port(struct ocelot *oce + struct ocelot_port *ocelot_port = ocelot->ports[port]; + + skb_queue_head_init(&ocelot_port->tx_skbs); +- spin_lock_init(&ocelot_port->ts_id_lock); + + /* Basic L2 initialization */ + +@@ -2041,6 +2063,7 @@ int ocelot_init(struct ocelot *ocelot) + mutex_init(&ocelot->stats_lock); + mutex_init(&ocelot->ptp_lock); + spin_lock_init(&ocelot->ptp_clock_lock); ++ spin_lock_init(&ocelot->ts_id_lock); + snprintf(queue_name, sizeof(queue_name), "%s-stats", + dev_name(ocelot->dev)); + ocelot->stats_queue = create_singlethread_workqueue(queue_name); +--- a/include/soc/mscc/ocelot.h ++++ b/include/soc/mscc/ocelot.h +@@ -600,10 +600,10 @@ struct ocelot_port { + /* The VLAN ID that will be transmitted as untagged, on egress */ + struct ocelot_vlan native_vlan; + ++ unsigned int ptp_skbs_in_flight; + u8 ptp_cmd; + struct sk_buff_head tx_skbs; + u8 ts_id; +- spinlock_t ts_id_lock; + + phy_interface_t phy_mode; + +@@ -677,6 +677,9 @@ struct ocelot { + struct ptp_clock *ptp_clock; + struct ptp_clock_info ptp_info; + struct hwtstamp_config hwtstamp_config; ++ unsigned int ptp_skbs_in_flight; ++ /* Protects the 2-step TX timestamp ID logic */ ++ spinlock_t ts_id_lock; + /* Protects the PTP interface state */ + struct mutex ptp_lock; + /* Protects the PTP clock */ +--- a/include/soc/mscc/ocelot_ptp.h ++++ b/include/soc/mscc/ocelot_ptp.h +@@ -14,6 +14,7 @@ + #include + + #define OCELOT_MAX_PTP_ID 63 ++#define OCELOT_PTP_FIFO_SIZE 128 + + #define PTP_PIN_CFG_RSZ 0x20 + #define PTP_PIN_TOD_SEC_MSB_RSZ PTP_PIN_CFG_RSZ diff --git a/queue-5.14/net-mscc-ocelot-cross-check-the-sequence-id-from-the-timestamp-fifo-with-the-skb-ptp-header.patch b/queue-5.14/net-mscc-ocelot-cross-check-the-sequence-id-from-the-timestamp-fifo-with-the-skb-ptp-header.patch new file mode 100644 index 00000000000..e82caa350fd --- /dev/null +++ b/queue-5.14/net-mscc-ocelot-cross-check-the-sequence-id-from-the-timestamp-fifo-with-the-skb-ptp-header.patch @@ -0,0 +1,136 @@ +From ebb4c6a990f786d7e0e4618a0d3766cd660125d8 Mon Sep 17 00:00:00 2001 +From: Vladimir Oltean +Date: Tue, 12 Oct 2021 14:40:39 +0300 +Subject: net: mscc: ocelot: cross-check the sequence id from the timestamp FIFO with the skb PTP header + +From: Vladimir Oltean + +commit ebb4c6a990f786d7e0e4618a0d3766cd660125d8 upstream. + +The sad reality is that when a PTP frame with a TX timestamping request +is transmitted, it isn't guaranteed that it will make it all the way to +the wire (due to congestion inside the switch), and that a timestamp +will be taken by the hardware and placed in the timestamp FIFO where an +IRQ will be raised for it. + +The implication is that if enough PTP frames are silently dropped by the +hardware such that the timestamp ID has rolled over, it is possible to +match a timestamp to an old skb. + +Furthermore, nobody will match on the real skb corresponding to this +timestamp, since we stupidly matched on a previous one that was stale in +the queue, and stopped there. + +So PTP timestamping will be broken and there will be no way to recover. + +It looks like the hardware parses the sequenceID from the PTP header, +and also provides that metadata for each timestamp. The driver currently +ignores this, but it shouldn't. + +As an extra resiliency measure, do the following: + +- check whether the PTP sequenceID also matches between the skb and the + timestamp, treat the skb as stale otherwise and free it + +- if we see a stale skb, don't stop there and try to match an skb one + more time, chances are there's one more skb in the queue with the same + timestamp ID, otherwise we wouldn't have ever found the stale one (it + is by timestamp ID that we matched it). + +While this does not prevent PTP packet drops, it at least prevents +the catastrophic consequences of incorrect timestamp matching. + +Since we already call ptp_classify_raw in the TX path, save the result +in the skb->cb of the clone, and just use that result in the interrupt +code path. + +Fixes: 4e3b0468e6d7 ("net: mscc: PTP Hardware Clock (PHC) support") +Signed-off-by: Vladimir Oltean +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mscc/ocelot.c | 24 +++++++++++++++++++++++- + include/soc/mscc/ocelot.h | 1 + + 2 files changed, 24 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -642,6 +642,7 @@ int ocelot_port_txtstamp_request(struct + return err; + + OCELOT_SKB_CB(skb)->ptp_cmd = ptp_cmd; ++ OCELOT_SKB_CB(*clone)->ptp_class = ptp_class; + } + + return 0; +@@ -675,6 +676,17 @@ static void ocelot_get_hwtimestamp(struc + spin_unlock_irqrestore(&ocelot->ptp_clock_lock, flags); + } + ++static bool ocelot_validate_ptp_skb(struct sk_buff *clone, u16 seqid) ++{ ++ struct ptp_header *hdr; ++ ++ hdr = ptp_parse_header(clone, OCELOT_SKB_CB(clone)->ptp_class); ++ if (WARN_ON(!hdr)) ++ return false; ++ ++ return seqid == ntohs(hdr->sequence_id); ++} ++ + void ocelot_get_txtstamp(struct ocelot *ocelot) + { + int budget = OCELOT_PTP_QUEUE_SZ; +@@ -682,10 +694,10 @@ void ocelot_get_txtstamp(struct ocelot * + while (budget--) { + struct sk_buff *skb, *skb_tmp, *skb_match = NULL; + struct skb_shared_hwtstamps shhwtstamps; ++ u32 val, id, seqid, txport; + struct ocelot_port *port; + struct timespec64 ts; + unsigned long flags; +- u32 val, id, txport; + + val = ocelot_read(ocelot, SYS_PTP_STATUS); + +@@ -698,6 +710,7 @@ void ocelot_get_txtstamp(struct ocelot * + /* Retrieve the ts ID and Tx port */ + id = SYS_PTP_STATUS_PTP_MESS_ID_X(val); + txport = SYS_PTP_STATUS_PTP_MESS_TXPORT_X(val); ++ seqid = SYS_PTP_STATUS_PTP_MESS_SEQ_ID(val); + + port = ocelot->ports[txport]; + +@@ -707,6 +720,7 @@ void ocelot_get_txtstamp(struct ocelot * + spin_unlock(&ocelot->ts_id_lock); + + /* Retrieve its associated skb */ ++try_again: + spin_lock_irqsave(&port->tx_skbs.lock, flags); + + skb_queue_walk_safe(&port->tx_skbs, skb, skb_tmp) { +@@ -722,6 +736,14 @@ void ocelot_get_txtstamp(struct ocelot * + if (WARN_ON(!skb_match)) + continue; + ++ if (!ocelot_validate_ptp_skb(skb_match, seqid)) { ++ dev_err_ratelimited(ocelot->dev, ++ "port %d received stale TX timestamp for seqid %d, discarding\n", ++ txport, seqid); ++ dev_kfree_skb_any(skb); ++ goto try_again; ++ } ++ + /* Get the h/w timestamp */ + ocelot_get_hwtimestamp(ocelot, &ts); + +--- a/include/soc/mscc/ocelot.h ++++ b/include/soc/mscc/ocelot.h +@@ -694,6 +694,7 @@ struct ocelot_policer { + + struct ocelot_skb_cb { + struct sk_buff *clone; ++ unsigned int ptp_class; /* valid only for clones */ + u8 ptp_cmd; + u8 ts_id; + }; diff --git a/queue-5.14/net-mscc-ocelot-deny-tx-timestamping-of-non-ptp-packets.patch b/queue-5.14/net-mscc-ocelot-deny-tx-timestamping-of-non-ptp-packets.patch new file mode 100644 index 00000000000..1c3ad91796e --- /dev/null +++ b/queue-5.14/net-mscc-ocelot-deny-tx-timestamping-of-non-ptp-packets.patch @@ -0,0 +1,71 @@ +From fba01283d85a09e0e2ef552c6e764b903111d90a Mon Sep 17 00:00:00 2001 +From: Vladimir Oltean +Date: Tue, 12 Oct 2021 14:40:38 +0300 +Subject: net: mscc: ocelot: deny TX timestamping of non-PTP packets + +From: Vladimir Oltean + +commit fba01283d85a09e0e2ef552c6e764b903111d90a upstream. + +It appears that Ocelot switches cannot timestamp non-PTP frames, +I tested this using the isochron program at: +https://github.com/vladimiroltean/tsn-scripts + +with the result that the driver increments the ocelot_port->ts_id +counter as expected, puts it in the REW_OP, but the hardware seems to +not timestamp these packets at all, since no IRQ is emitted. + +Therefore check whether we are sending PTP frames, and refuse to +populate REW_OP otherwise. + +Fixes: 4e3b0468e6d7 ("net: mscc: PTP Hardware Clock (PHC) support") +Signed-off-by: Vladimir Oltean +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mscc/ocelot.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -585,16 +585,12 @@ u32 ocelot_ptp_rew_op(struct sk_buff *sk + } + EXPORT_SYMBOL(ocelot_ptp_rew_op); + +-static bool ocelot_ptp_is_onestep_sync(struct sk_buff *skb) ++static bool ocelot_ptp_is_onestep_sync(struct sk_buff *skb, ++ unsigned int ptp_class) + { + struct ptp_header *hdr; +- unsigned int ptp_class; + u8 msgtype, twostep; + +- ptp_class = ptp_classify_raw(skb); +- if (ptp_class == PTP_CLASS_NONE) +- return false; +- + hdr = ptp_parse_header(skb, ptp_class); + if (!hdr) + return false; +@@ -614,11 +610,20 @@ int ocelot_port_txtstamp_request(struct + { + struct ocelot_port *ocelot_port = ocelot->ports[port]; + u8 ptp_cmd = ocelot_port->ptp_cmd; ++ unsigned int ptp_class; + int err; + ++ /* Don't do anything if PTP timestamping not enabled */ ++ if (!ptp_cmd) ++ return 0; ++ ++ ptp_class = ptp_classify_raw(skb); ++ if (ptp_class == PTP_CLASS_NONE) ++ return -EINVAL; ++ + /* Store ptp_cmd in OCELOT_SKB_CB(skb)->ptp_cmd */ + if (ptp_cmd == IFH_REW_OP_ORIGIN_PTP) { +- if (ocelot_ptp_is_onestep_sync(skb)) { ++ if (ocelot_ptp_is_onestep_sync(skb, ptp_class)) { + OCELOT_SKB_CB(skb)->ptp_cmd = ptp_cmd; + return 0; + } diff --git a/queue-5.14/net-mscc-ocelot-make-use-of-all-63-ptp-timestamp-identifiers.patch b/queue-5.14/net-mscc-ocelot-make-use-of-all-63-ptp-timestamp-identifiers.patch new file mode 100644 index 00000000000..4f46affaf77 --- /dev/null +++ b/queue-5.14/net-mscc-ocelot-make-use-of-all-63-ptp-timestamp-identifiers.patch @@ -0,0 +1,68 @@ +From c57fe0037a4e3863d9b740f8c14df9c51ac31aa1 Mon Sep 17 00:00:00 2001 +From: Vladimir Oltean +Date: Tue, 12 Oct 2021 14:40:35 +0300 +Subject: net: mscc: ocelot: make use of all 63 PTP timestamp identifiers + +From: Vladimir Oltean + +commit c57fe0037a4e3863d9b740f8c14df9c51ac31aa1 upstream. + +At present, there is a problem when user space bombards a port with PTP +event frames which have TX timestamping requests (or when a tc-taprio +offload is installed on a port, which delays the TX timestamps by a +significant amount of time). The driver will happily roll over the 2-bit +timestamp ID and this will cause incorrect matches between an skb and +the TX timestamp collected from the FIFO. + +The Ocelot switches have a 6-bit PTP timestamp identifier, and the value +63 is reserved, so that leaves identifiers 0-62 to be used. + +The timestamp identifiers are selected by the REW_OP packet field, and +are actually shared between CPU-injected frames and frames which match a +VCAP IS2 rule that modifies the REW_OP. The hardware supports +partitioning between the two uses of the REW_OP field through the +PTP_ID_LOW and PTP_ID_HIGH registers, and by default reserves the PTP +IDs 0-3 for CPU-injected traffic and the rest for VCAP IS2. + +The driver does not use VCAP IS2 to set REW_OP for 2-step timestamping, +and it also writes 0xffffffff to both PTP_ID_HIGH and PTP_ID_LOW in +ocelot_init_timestamp() which makes all timestamp identifiers available +to CPU injection. + +Therefore, we can make use of all 63 timestamp identifiers, which should +allow more timestampable packets to be in flight on each port. This is +only part of the solution, more issues will be addressed in future changes. + +Fixes: 4e3b0468e6d7 ("net: mscc: PTP Hardware Clock (PHC) support") +Signed-off-by: Vladimir Oltean +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mscc/ocelot.c | 4 +++- + include/soc/mscc/ocelot_ptp.h | 2 ++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -546,7 +546,9 @@ static void ocelot_port_add_txtstamp_skb + skb_shinfo(clone)->tx_flags |= SKBTX_IN_PROGRESS; + /* Store timestamp ID in OCELOT_SKB_CB(clone)->ts_id */ + OCELOT_SKB_CB(clone)->ts_id = ocelot_port->ts_id; +- ocelot_port->ts_id = (ocelot_port->ts_id + 1) % 4; ++ ocelot_port->ts_id++; ++ if (ocelot_port->ts_id == OCELOT_MAX_PTP_ID) ++ ocelot_port->ts_id = 0; + skb_queue_tail(&ocelot_port->tx_skbs, clone); + + spin_unlock(&ocelot_port->ts_id_lock); +--- a/include/soc/mscc/ocelot_ptp.h ++++ b/include/soc/mscc/ocelot_ptp.h +@@ -13,6 +13,8 @@ + #include + #include + ++#define OCELOT_MAX_PTP_ID 63 ++ + #define PTP_PIN_CFG_RSZ 0x20 + #define PTP_PIN_TOD_SEC_MSB_RSZ PTP_PIN_CFG_RSZ + #define PTP_PIN_TOD_SEC_LSB_RSZ PTP_PIN_CFG_RSZ diff --git a/queue-5.14/net-mscc-ocelot-warn-when-a-ptp-irq-is-raised-for-an-unknown-skb.patch b/queue-5.14/net-mscc-ocelot-warn-when-a-ptp-irq-is-raised-for-an-unknown-skb.patch new file mode 100644 index 00000000000..c1be4974f6c --- /dev/null +++ b/queue-5.14/net-mscc-ocelot-warn-when-a-ptp-irq-is-raised-for-an-unknown-skb.patch @@ -0,0 +1,47 @@ +From 9fde506e0c53b8309f69b18b4b8144c544b4b3b1 Mon Sep 17 00:00:00 2001 +From: Vladimir Oltean +Date: Tue, 12 Oct 2021 14:40:37 +0300 +Subject: net: mscc: ocelot: warn when a PTP IRQ is raised for an unknown skb + +From: Vladimir Oltean + +commit 9fde506e0c53b8309f69b18b4b8144c544b4b3b1 upstream. + +When skb_match is NULL, it means we received a PTP IRQ for a timestamp +ID that the kernel has no idea about, since there is no skb in the +timestamping queue with that timestamp ID. + +This is a grave error and not something to just "continue" over. +So print a big warning in case this happens. + +Also, move the check above ocelot_get_hwtimestamp(), there is no point +in reading the full 64-bit current PTP time if we're not going to do +anything with it anyway for this skb. + +Fixes: 4e3b0468e6d7 ("net: mscc: PTP Hardware Clock (PHC) support") +Signed-off-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mscc/ocelot.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -714,12 +714,12 @@ void ocelot_get_txtstamp(struct ocelot * + + spin_unlock_irqrestore(&port->tx_skbs.lock, flags); + ++ if (WARN_ON(!skb_match)) ++ continue; ++ + /* Get the h/w timestamp */ + ocelot_get_hwtimestamp(ocelot, &ts); + +- if (unlikely(!skb_match)) +- continue; +- + /* Set the timestamp into the skb */ + memset(&shhwtstamps, 0, sizeof(shhwtstamps)); + shhwtstamps.hwtstamp = ktime_set(ts.tv_sec, ts.tv_nsec); diff --git a/queue-5.14/nfc-digital-fix-possible-memory-leak-in-digital_in_send_sdd_req.patch b/queue-5.14/nfc-digital-fix-possible-memory-leak-in-digital_in_send_sdd_req.patch new file mode 100644 index 00000000000..257f8de371e --- /dev/null +++ b/queue-5.14/nfc-digital-fix-possible-memory-leak-in-digital_in_send_sdd_req.patch @@ -0,0 +1,39 @@ +From 291c932fc3692e4d211a445ba8aa35663831bac7 Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Wed, 13 Oct 2021 15:50:32 +0800 +Subject: NFC: digital: fix possible memory leak in digital_in_send_sdd_req() + +From: Ziyang Xuan + +commit 291c932fc3692e4d211a445ba8aa35663831bac7 upstream. + +'skb' is allocated in digital_in_send_sdd_req(), but not free when +digital_in_send_cmd() failed, which will cause memory leak. Fix it +by freeing 'skb' if digital_in_send_cmd() return failed. + +Fixes: 2c66daecc409 ("NFC Digital: Add NFC-A technology support") +Signed-off-by: Ziyang Xuan +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/digital_technology.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/nfc/digital_technology.c ++++ b/net/nfc/digital_technology.c +@@ -465,8 +465,12 @@ static int digital_in_send_sdd_req(struc + skb_put_u8(skb, sel_cmd); + skb_put_u8(skb, DIGITAL_SDD_REQ_SEL_PAR); + +- return digital_in_send_cmd(ddev, skb, 30, digital_in_recv_sdd_res, +- target); ++ rc = digital_in_send_cmd(ddev, skb, 30, digital_in_recv_sdd_res, ++ target); ++ if (rc) ++ kfree_skb(skb); ++ ++ return rc; + } + + static void digital_in_recv_sens_res(struct nfc_digital_dev *ddev, void *arg, diff --git a/queue-5.14/nfc-digital-fix-possible-memory-leak-in-digital_tg_listen_mdaa.patch b/queue-5.14/nfc-digital-fix-possible-memory-leak-in-digital_tg_listen_mdaa.patch new file mode 100644 index 00000000000..d10289e5155 --- /dev/null +++ b/queue-5.14/nfc-digital-fix-possible-memory-leak-in-digital_tg_listen_mdaa.patch @@ -0,0 +1,47 @@ +From 58e7dcc9ca29c14e44267a4d0ea61e3229124907 Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Wed, 13 Oct 2021 15:50:12 +0800 +Subject: NFC: digital: fix possible memory leak in digital_tg_listen_mdaa() + +From: Ziyang Xuan + +commit 58e7dcc9ca29c14e44267a4d0ea61e3229124907 upstream. + +'params' is allocated in digital_tg_listen_mdaa(), but not free when +digital_send_cmd() failed, which will cause memory leak. Fix it by +freeing 'params' if digital_send_cmd() return failed. + +Fixes: 1c7a4c24fbfd ("NFC Digital: Add target NFC-DEP support") +Signed-off-by: Ziyang Xuan +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/digital_core.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/net/nfc/digital_core.c ++++ b/net/nfc/digital_core.c +@@ -277,6 +277,7 @@ int digital_tg_configure_hw(struct nfc_d + static int digital_tg_listen_mdaa(struct nfc_digital_dev *ddev, u8 rf_tech) + { + struct digital_tg_mdaa_params *params; ++ int rc; + + params = kzalloc(sizeof(*params), GFP_KERNEL); + if (!params) +@@ -291,8 +292,12 @@ static int digital_tg_listen_mdaa(struct + get_random_bytes(params->nfcid2 + 2, NFC_NFCID2_MAXSIZE - 2); + params->sc = DIGITAL_SENSF_FELICA_SC; + +- return digital_send_cmd(ddev, DIGITAL_CMD_TG_LISTEN_MDAA, NULL, params, +- 500, digital_tg_recv_atr_req, NULL); ++ rc = digital_send_cmd(ddev, DIGITAL_CMD_TG_LISTEN_MDAA, NULL, params, ++ 500, digital_tg_recv_atr_req, NULL); ++ if (rc) ++ kfree(params); ++ ++ return rc; + } + + static int digital_tg_listen_md(struct nfc_digital_dev *ddev, u8 rf_tech) diff --git a/queue-5.14/nfc-fix-error-handling-of-nfc_proto_register.patch b/queue-5.14/nfc-fix-error-handling-of-nfc_proto_register.patch new file mode 100644 index 00000000000..5dfa02af58c --- /dev/null +++ b/queue-5.14/nfc-fix-error-handling-of-nfc_proto_register.patch @@ -0,0 +1,35 @@ +From 0911ab31896f0e908540746414a77dd63912748d Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Wed, 13 Oct 2021 11:49:32 +0800 +Subject: nfc: fix error handling of nfc_proto_register() + +From: Ziyang Xuan + +commit 0911ab31896f0e908540746414a77dd63912748d upstream. + +When nfc proto id is using, nfc_proto_register() return -EBUSY error +code, but forgot to unregister proto. Fix it by adding proto_unregister() +in the error handling case. + +Fixes: c7fe3b52c128 ("NFC: add NFC socket family") +Signed-off-by: Ziyang Xuan +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20211013034932.2833737-1-william.xuanziyang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/af_nfc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/nfc/af_nfc.c ++++ b/net/nfc/af_nfc.c +@@ -60,6 +60,9 @@ int nfc_proto_register(const struct nfc_ + proto_tab[nfc_proto->id] = nfc_proto; + write_unlock(&proto_tab_lock); + ++ if (rc) ++ proto_unregister(nfc_proto->proto); ++ + return rc; + } + EXPORT_SYMBOL(nfc_proto_register); diff --git a/queue-5.14/nfp-flow_offload-move-flow_indr_dev_register-from-app-init-to-app-start.patch b/queue-5.14/nfp-flow_offload-move-flow_indr_dev_register-from-app-init-to-app-start.patch new file mode 100644 index 00000000000..74fdcf972d4 --- /dev/null +++ b/queue-5.14/nfp-flow_offload-move-flow_indr_dev_register-from-app-init-to-app-start.patch @@ -0,0 +1,94 @@ +From 60d950f443a52d950126ad664fbd4a1eb8353dc9 Mon Sep 17 00:00:00 2001 +From: Baowen Zheng +Date: Tue, 12 Oct 2021 14:48:50 +0200 +Subject: nfp: flow_offload: move flow_indr_dev_register from app init to app start + +From: Baowen Zheng + +commit 60d950f443a52d950126ad664fbd4a1eb8353dc9 upstream. + +In commit 74fc4f828769 ("net: Fix offloading indirect devices dependency +on qdisc order creation"), it adds a process to trigger the callback to +setup the bo callback when the driver regists a callback. + +In our current implement, we are not ready to run the callback when nfp +call the function flow_indr_dev_register, then there will be error +message as: + +kernel: Oops: 0000 [#1] SMP PTI +kernel: CPU: 0 PID: 14119 Comm: kworker/0:0 Tainted: G +kernel: Workqueue: events work_for_cpu_fn +kernel: RIP: 0010:nfp_flower_indr_setup_tc_cb+0x258/0x410 +kernel: RSP: 0018:ffffbc1e02c57bf8 EFLAGS: 00010286 +kernel: RAX: 0000000000000000 RBX: ffff9c761fabc000 RCX: 0000000000000001 +kernel: RDX: 0000000000000001 RSI: fffffffffffffff0 RDI: ffffffffc0be9ef1 +kernel: RBP: ffffbc1e02c57c58 R08: ffffffffc08f33aa R09: ffff9c6db7478800 +kernel: R10: 0000009c003f6e00 R11: ffffbc1e02800000 R12: ffffbc1e000d9000 +kernel: R13: ffffbc1e000db428 R14: ffff9c6db7478800 R15: ffff9c761e884e80 +kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +kernel: CR2: fffffffffffffff0 CR3: 00000009e260a004 CR4: 00000000007706f0 +kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +kernel: PKRU: 55555554 +kernel: Call Trace: +kernel: ? flow_indr_dev_register+0xab/0x210 +kernel: ? __cond_resched+0x15/0x30 +kernel: ? kmem_cache_alloc_trace+0x44/0x4b0 +kernel: ? nfp_flower_setup_tc+0x1d0/0x1d0 [nfp] +kernel: flow_indr_dev_register+0x158/0x210 +kernel: ? tcf_block_unbind+0xe0/0xe0 +kernel: nfp_flower_init+0x40b/0x650 [nfp] +kernel: nfp_net_pci_probe+0x25f/0x960 [nfp] +kernel: ? nfp_rtsym_read_le+0x76/0x130 [nfp] +kernel: nfp_pci_probe+0x6a9/0x820 [nfp] +kernel: local_pci_probe+0x45/0x80 + +So we need to call flow_indr_dev_register in app start process instead of +init stage. + +Fixes: 74fc4f828769 ("net: Fix offloading indirect devices dependency on qdisc order creation") +Signed-off-by: Baowen Zheng +Signed-off-by: Simon Horman +Signed-off-by: Louis Peens +Link: https://lore.kernel.org/r/20211012124850.13025-1-louis.peens@corigine.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/flower/main.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/netronome/nfp/flower/main.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/main.c +@@ -830,10 +830,6 @@ static int nfp_flower_init(struct nfp_ap + if (err) + goto err_cleanup; + +- err = flow_indr_dev_register(nfp_flower_indr_setup_tc_cb, app); +- if (err) +- goto err_cleanup; +- + if (app_priv->flower_ext_feats & NFP_FL_FEATS_VF_RLIM) + nfp_flower_qos_init(app); + +@@ -942,7 +938,20 @@ static int nfp_flower_start(struct nfp_a + return err; + } + +- return nfp_tunnel_config_start(app); ++ err = flow_indr_dev_register(nfp_flower_indr_setup_tc_cb, app); ++ if (err) ++ return err; ++ ++ err = nfp_tunnel_config_start(app); ++ if (err) ++ goto err_tunnel_config; ++ ++ return 0; ++ ++err_tunnel_config: ++ flow_indr_dev_unregister(nfp_flower_indr_setup_tc_cb, app, ++ nfp_flower_setup_indr_tc_release); ++ return err; + } + + static void nfp_flower_stop(struct nfp_app *app) diff --git a/queue-5.14/pata_legacy-fix-a-couple-uninitialized-variable-bugs.patch b/queue-5.14/pata_legacy-fix-a-couple-uninitialized-variable-bugs.patch new file mode 100644 index 00000000000..04ddb07d21d --- /dev/null +++ b/queue-5.14/pata_legacy-fix-a-couple-uninitialized-variable-bugs.patch @@ -0,0 +1,41 @@ +From 013923477cb311293df9079332cf8b806ed0e6f2 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 6 Oct 2021 10:34:19 +0300 +Subject: pata_legacy: fix a couple uninitialized variable bugs + +From: Dan Carpenter + +commit 013923477cb311293df9079332cf8b806ed0e6f2 upstream. + +The last byte of "pad" is used without being initialized. + +Fixes: 55dba3120fbc ("libata: update ->data_xfer hook for ATAPI") +Signed-off-by: Dan Carpenter +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/pata_legacy.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/ata/pata_legacy.c ++++ b/drivers/ata/pata_legacy.c +@@ -352,7 +352,8 @@ static unsigned int pdc_data_xfer_vlb(st + iowrite32_rep(ap->ioaddr.data_addr, buf, buflen >> 2); + + if (unlikely(slop)) { +- __le32 pad; ++ __le32 pad = 0; ++ + if (rw == READ) { + pad = cpu_to_le32(ioread32(ap->ioaddr.data_addr)); + memcpy(buf + buflen - slop, &pad, slop); +@@ -742,7 +743,8 @@ static unsigned int vlb32_data_xfer(stru + ioread32_rep(ap->ioaddr.data_addr, buf, buflen >> 2); + + if (unlikely(slop)) { +- __le32 pad; ++ __le32 pad = 0; ++ + if (rw == WRITE) { + memcpy(&pad, buf + buflen - slop, slop); + iowrite32(le32_to_cpu(pad), ap->ioaddr.data_addr); diff --git a/queue-5.14/platform-mellanox-mlxreg-io-fix-argument-base-in-kstrtou32-call.patch b/queue-5.14/platform-mellanox-mlxreg-io-fix-argument-base-in-kstrtou32-call.patch new file mode 100644 index 00000000000..28afdbae1fe --- /dev/null +++ b/queue-5.14/platform-mellanox-mlxreg-io-fix-argument-base-in-kstrtou32-call.patch @@ -0,0 +1,65 @@ +From 9b024201693e397441668cca0d2df7055fe572eb Mon Sep 17 00:00:00 2001 +From: Vadim Pasternak +Date: Mon, 27 Sep 2021 17:22:13 +0300 +Subject: platform/mellanox: mlxreg-io: Fix argument base in kstrtou32() call + +From: Vadim Pasternak + +commit 9b024201693e397441668cca0d2df7055fe572eb upstream. + +Change kstrtou32() argument 'base' to be zero instead of 'len'. +It works by chance for setting one bit value, but it is not supposed to +work in case value passed to mlxreg_io_attr_store() is greater than 1. + +It works for example, for: +echo 1 > /sys/devices/platform/mlxplat/mlxreg-io/hwmon/.../jtag_enable +But it will fail for: +echo n > /sys/devices/platform/mlxplat/mlxreg-io/hwmon/.../jtag_enable, +where n > 1. + +The flow for input buffer conversion is as below: +_kstrtoull(const char *s, unsigned int base, unsigned long long *res) +calls: +rv = _parse_integer(s, base, &_res); + +For the second case, where n > 1: +- _parse_integer() converts 's' to 'val'. + For n=2, 'len' is set to 2 (string buffer is 0x32 0x0a), for n=3 + 'len' is set to 3 (string buffer 0x33 0x0a), etcetera. +- 'base' is equal or greater then '2' (length of input buffer). + +As a result, _parse_integer() exits with result zero (rv): + rv = 0; + while (1) { + ... + if (val >= base)-> (2 >= 2) + break; + ... + rv++; + ... + } + +And _kstrtoull() in their turn will fail: + if (rv == 0) + return -EINVAL; + +Fixes: 5ec4a8ace06c ("platform/mellanox: Introduce support for Mellanox register access driver") +Signed-off-by: Vadim Pasternak +Link: https://lore.kernel.org/r/20210927142214.2613929-2-vadimp@nvidia.com +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/mellanox/mlxreg-io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/platform/mellanox/mlxreg-io.c ++++ b/drivers/platform/mellanox/mlxreg-io.c +@@ -141,7 +141,7 @@ mlxreg_io_attr_store(struct device *dev, + return -EINVAL; + + /* Convert buffer to input value. */ +- ret = kstrtou32(buf, len, &input_val); ++ ret = kstrtou32(buf, 0, &input_val); + if (ret) + return ret; + diff --git a/queue-5.14/platform-mellanox-mlxreg-io-fix-read-access-of-n-bytes-size-attributes.patch b/queue-5.14/platform-mellanox-mlxreg-io-fix-read-access-of-n-bytes-size-attributes.patch new file mode 100644 index 00000000000..162864af9d3 --- /dev/null +++ b/queue-5.14/platform-mellanox-mlxreg-io-fix-read-access-of-n-bytes-size-attributes.patch @@ -0,0 +1,32 @@ +From db9cc7d6f95e7d89b0ce57e785cfd9d67a7505d8 Mon Sep 17 00:00:00 2001 +From: Vadim Pasternak +Date: Mon, 27 Sep 2021 17:22:14 +0300 +Subject: platform/mellanox: mlxreg-io: Fix read access of n-bytes size attributes + +From: Vadim Pasternak + +commit db9cc7d6f95e7d89b0ce57e785cfd9d67a7505d8 upstream. + +Fix shift argument for function rol32(). It should be provided in bits, +while was provided in bytes. + +Fixes: 86148190a7db ("platform/mellanox: mlxreg-io: Add support for complex attributes") +Signed-off-by: Vadim Pasternak +Link: https://lore.kernel.org/r/20210927142214.2613929-3-vadimp@nvidia.com +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/mellanox/mlxreg-io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/platform/mellanox/mlxreg-io.c ++++ b/drivers/platform/mellanox/mlxreg-io.c +@@ -98,7 +98,7 @@ mlxreg_io_get_reg(void *regmap, struct m + if (ret) + goto access_error; + +- *regval |= rol32(val, regsize * i); ++ *regval |= rol32(val, regsize * i * 8); + } + } + diff --git a/queue-5.14/platform-x86-intel_scu_ipc-fix-busy-loop-expiry-time.patch b/queue-5.14/platform-x86-intel_scu_ipc-fix-busy-loop-expiry-time.patch new file mode 100644 index 00000000000..f14babd6c34 --- /dev/null +++ b/queue-5.14/platform-x86-intel_scu_ipc-fix-busy-loop-expiry-time.patch @@ -0,0 +1,39 @@ +From 41512e4dc0b84525495e784295092592adb87f1b Mon Sep 17 00:00:00 2001 +From: Prashant Malani +Date: Tue, 28 Sep 2021 03:19:30 -0700 +Subject: platform/x86: intel_scu_ipc: Fix busy loop expiry time +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Prashant Malani + +commit 41512e4dc0b84525495e784295092592adb87f1b upstream. + +The macro IPC_TIMEOUT is already in jiffies (it is also used like that +elsewhere in the file when calling wait_for_completion_timeout()). Don’t +convert it using helper functions for the purposes of calculating the +busy loop expiry time. + +Fixes: e7b7ab3847c9 (“platform/x86: intel_scu_ipc: Sleeping is fine when polling”) +Signed-off-by: Prashant Malani +Cc: Benson Leung +Reviewed-by: Mika Westerberg +Link: https://lore.kernel.org/r/20210928101932.2543937-2-pmalani@chromium.org +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/intel_scu_ipc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/platform/x86/intel_scu_ipc.c ++++ b/drivers/platform/x86/intel_scu_ipc.c +@@ -232,7 +232,7 @@ static inline u32 ipc_data_readl(struct + /* Wait till scu status is busy */ + static inline int busy_loop(struct intel_scu_ipc_dev *scu) + { +- unsigned long end = jiffies + msecs_to_jiffies(IPC_TIMEOUT); ++ unsigned long end = jiffies + IPC_TIMEOUT; + + do { + u32 status; diff --git a/queue-5.14/qed-fix-missing-error-code-in-qed_slowpath_start.patch b/queue-5.14/qed-fix-missing-error-code-in-qed_slowpath_start.patch new file mode 100644 index 00000000000..268cd84722c --- /dev/null +++ b/queue-5.14/qed-fix-missing-error-code-in-qed_slowpath_start.patch @@ -0,0 +1,36 @@ +From a5a14ea7b4e55604acb0dc9d88fdb4cb6945bc77 Mon Sep 17 00:00:00 2001 +From: chongjiapeng +Date: Sat, 9 Oct 2021 16:09:26 +0800 +Subject: qed: Fix missing error code in qed_slowpath_start() + +From: chongjiapeng + +commit a5a14ea7b4e55604acb0dc9d88fdb4cb6945bc77 upstream. + +The error code is missing in this code scenario, add the error code +'-EINVAL' to the return value 'rc'. + +Eliminate the follow smatch warning: + +drivers/net/ethernet/qlogic/qed/qed_main.c:1298 qed_slowpath_start() +warn: missing error code 'rc'. + +Reported-by: Abaci Robot +Fixes: d51e4af5c209 ("qed: aRFS infrastructure support") +Signed-off-by: chongjiapeng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qed/qed_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/qlogic/qed/qed_main.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c +@@ -1295,6 +1295,7 @@ static int qed_slowpath_start(struct qed + } else { + DP_NOTICE(cdev, + "Failed to acquire PTT for aRFS\n"); ++ rc = -EINVAL; + goto err; + } + } diff --git a/queue-5.14/r8152-select-crc32-and-crypto-crypto_hash-crypto_sha256.patch b/queue-5.14/r8152-select-crc32-and-crypto-crypto_hash-crypto_sha256.patch new file mode 100644 index 00000000000..f5fd54a3489 --- /dev/null +++ b/queue-5.14/r8152-select-crc32-and-crypto-crypto_hash-crypto_sha256.patch @@ -0,0 +1,41 @@ +From 9973a43012b6ad1720dbc4d5faf5302c28635b8c Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Mon, 11 Oct 2021 17:22:49 +0200 +Subject: r8152: select CRC32 and CRYPTO/CRYPTO_HASH/CRYPTO_SHA256 + +From: Vegard Nossum + +commit 9973a43012b6ad1720dbc4d5faf5302c28635b8c upstream. + +Fix the following build/link errors by adding a dependency on +CRYPTO, CRYPTO_HASH, CRYPTO_SHA256 and CRC32: + + ld: drivers/net/usb/r8152.o: in function `rtl8152_fw_verify_checksum': + r8152.c:(.text+0x2b2a): undefined reference to `crypto_alloc_shash' + ld: r8152.c:(.text+0x2bed): undefined reference to `crypto_shash_digest' + ld: r8152.c:(.text+0x2c50): undefined reference to `crypto_destroy_tfm' + ld: drivers/net/usb/r8152.o: in function `_rtl8152_set_rx_mode': + r8152.c:(.text+0xdcb0): undefined reference to `crc32_le' + +Fixes: 9370f2d05a2a1 ("r8152: support request_firmware for RTL8153") +Fixes: ac718b69301c7 ("net/usb: new driver for RTL8152") +Signed-off-by: Vegard Nossum +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/Kconfig | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/usb/Kconfig ++++ b/drivers/net/usb/Kconfig +@@ -99,6 +99,10 @@ config USB_RTL8150 + config USB_RTL8152 + tristate "Realtek RTL8152/RTL8153 Based USB Ethernet Adapters" + select MII ++ select CRC32 ++ select CRYPTO ++ select CRYPTO_HASH ++ select CRYPTO_SHA256 + help + This option adds support for Realtek RTL8152 based USB 2.0 + 10/100 Ethernet adapters and RTL8153 based USB 3.0 10/100/1000 diff --git a/queue-5.14/series b/queue-5.14/series index dd1ad423288..00f3414a9f3 100644 --- a/queue-5.14/series +++ b/queue-5.14/series @@ -111,3 +111,41 @@ net-dsa-microchip-added-the-condition-for-scheduling-ksz_mib_read_work.patch net-dsa-fix-spurious-error-message-when-unoffloaded-port-leaves-bridge.patch net-encx24j600-check-error-in-devm_regmap_init_encx24j600.patch ethernet-s2io-fix-setting-mac-address-during-resume.patch +vhost-vdpa-fix-the-wrong-input-in-config_cb.patch +nfc-fix-error-handling-of-nfc_proto_register.patch +nfc-digital-fix-possible-memory-leak-in-digital_tg_listen_mdaa.patch +nfc-digital-fix-possible-memory-leak-in-digital_in_send_sdd_req.patch +pata_legacy-fix-a-couple-uninitialized-variable-bugs.patch +ata-ahci_platform-fix-null-ptr-deref-in-ahci_platform_enable_regulators.patch +mlxsw-thermal-fix-out-of-bounds-memory-accesses.patch +platform-mellanox-mlxreg-io-fix-argument-base-in-kstrtou32-call.patch +platform-mellanox-mlxreg-io-fix-read-access-of-n-bytes-size-attributes.patch +spi-spidev-add-spi-id-table.patch +spi-bcm-qspi-clear-mspi-spifie-interrupt-during-probe.patch +drm-panel-olimex-lcd-olinuxino-select-crc32.patch +drm-edid-in-connector_bad_edid-cap-num_of_ext-by-num_blocks-read.patch +drm-msm-fix-null-pointer-dereference-on-pointer-edp.patch +drm-msm-mdp5-fix-cursor-related-warnings.patch +drm-msm-submit-fix-overflow-check-on-64-bit-architectures.patch +drm-msm-a6xx-track-current-ctx-by-seqno.patch +drm-msm-a4xx-fix-error-handling-in-a4xx_gpu_init.patch +drm-msm-a3xx-fix-error-handling-in-a3xx_gpu_init.patch +drm-msm-dsi-dsi_phy_14nm-take-ready-bit-into-account-in-poll_for_ready.patch +drm-msm-dsi-fix-an-error-code-in-msm_dsi_modeset_init.patch +drm-msm-dsi-fix-off-by-one-in-dsi_bus_clk_enable-error-handling.patch +acpi-arm64-fix-next_platform_timer-section-mismatch-error.patch +platform-x86-intel_scu_ipc-fix-busy-loop-expiry-time.patch +mqprio-correct-stats-in-mqprio_dump_class_stats.patch +mptcp-fix-possible-stall-on-recvmsg.patch +qed-fix-missing-error-code-in-qed_slowpath_start.patch +r8152-select-crc32-and-crypto-crypto_hash-crypto_sha256.patch +ice-fix-locking-for-tx-timestamp-tracking-flush.patch +block-rnbd-clt-sysfs-fix-a-couple-uninitialized-variable-bugs.patch +nfp-flow_offload-move-flow_indr_dev_register-from-app-init-to-app-start.patch +net-mscc-ocelot-make-use-of-all-63-ptp-timestamp-identifiers.patch +net-mscc-ocelot-avoid-overflowing-the-ptp-timestamp-fifo.patch +net-mscc-ocelot-warn-when-a-ptp-irq-is-raised-for-an-unknown-skb.patch +net-mscc-ocelot-deny-tx-timestamping-of-non-ptp-packets.patch +net-mscc-ocelot-cross-check-the-sequence-id-from-the-timestamp-fifo-with-the-skb-ptp-header.patch +net-dsa-felix-break-at-first-cpu-port-during-init-and-teardown.patch +ionic-don-t-remove-netdev-dev_addr-when-syncing-uc-list.patch diff --git a/queue-5.14/spi-bcm-qspi-clear-mspi-spifie-interrupt-during-probe.patch b/queue-5.14/spi-bcm-qspi-clear-mspi-spifie-interrupt-during-probe.patch new file mode 100644 index 00000000000..0a569fee3cb --- /dev/null +++ b/queue-5.14/spi-bcm-qspi-clear-mspi-spifie-interrupt-during-probe.patch @@ -0,0 +1,130 @@ +From 75b3cb97eb1f05042745c0655a7145b0262d4c5c Mon Sep 17 00:00:00 2001 +From: Kamal Dasu +Date: Fri, 8 Oct 2021 16:36:02 -0400 +Subject: spi: bcm-qspi: clear MSPI spifie interrupt during probe + +From: Kamal Dasu + +commit 75b3cb97eb1f05042745c0655a7145b0262d4c5c upstream. + +Intermittent Kernel crash has been observed on probe in +bcm_qspi_mspi_l2_isr() handler when the MSPI spifie interrupt bit +has not been cleared before registering for interrupts. +Fix the driver to move SoC specific custom interrupt handling code +before we register IRQ in probe. Also clear MSPI interrupt status +resgiter prior to registering IRQ handlers. + +Fixes: cc20a38612db ("spi: iproc-qspi: Add Broadcom iProc SoCs support") +Signed-off-by: Kamal Dasu +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20211008203603.40915-3-kdasu.kdev@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-bcm-qspi.c | 77 ++++++++++++++++++++++++++------------------- + 1 file changed, 45 insertions(+), 32 deletions(-) + +--- a/drivers/spi/spi-bcm-qspi.c ++++ b/drivers/spi/spi-bcm-qspi.c +@@ -1250,10 +1250,14 @@ static void bcm_qspi_hw_init(struct bcm_ + + static void bcm_qspi_hw_uninit(struct bcm_qspi *qspi) + { ++ u32 status = bcm_qspi_read(qspi, MSPI, MSPI_MSPI_STATUS); ++ + bcm_qspi_write(qspi, MSPI, MSPI_SPCR2, 0); + if (has_bspi(qspi)) + bcm_qspi_write(qspi, MSPI, MSPI_WRITE_LOCK, 0); + ++ /* clear interrupt */ ++ bcm_qspi_write(qspi, MSPI, MSPI_MSPI_STATUS, status & ~1); + } + + static const struct spi_controller_mem_ops bcm_qspi_mem_ops = { +@@ -1397,6 +1401,47 @@ int bcm_qspi_probe(struct platform_devic + if (!qspi->dev_ids) + return -ENOMEM; + ++ /* ++ * Some SoCs integrate spi controller (e.g., its interrupt bits) ++ * in specific ways ++ */ ++ if (soc_intc) { ++ qspi->soc_intc = soc_intc; ++ soc_intc->bcm_qspi_int_set(soc_intc, MSPI_DONE, true); ++ } else { ++ qspi->soc_intc = NULL; ++ } ++ ++ if (qspi->clk) { ++ ret = clk_prepare_enable(qspi->clk); ++ if (ret) { ++ dev_err(dev, "failed to prepare clock\n"); ++ goto qspi_probe_err; ++ } ++ qspi->base_clk = clk_get_rate(qspi->clk); ++ } else { ++ qspi->base_clk = MSPI_BASE_FREQ; ++ } ++ ++ if (data->has_mspi_rev) { ++ rev = bcm_qspi_read(qspi, MSPI, MSPI_REV); ++ /* some older revs do not have a MSPI_REV register */ ++ if ((rev & 0xff) == 0xff) ++ rev = 0; ++ } ++ ++ qspi->mspi_maj_rev = (rev >> 4) & 0xf; ++ qspi->mspi_min_rev = rev & 0xf; ++ qspi->mspi_spcr3_sysclk = data->has_spcr3_sysclk; ++ ++ qspi->max_speed_hz = qspi->base_clk / (bcm_qspi_spbr_min(qspi) * 2); ++ ++ /* ++ * On SW resets it is possible to have the mask still enabled ++ * Need to disable the mask and clear the status while we init ++ */ ++ bcm_qspi_hw_uninit(qspi); ++ + for (val = 0; val < num_irqs; val++) { + irq = -1; + name = qspi_irq_tab[val].irq_name; +@@ -1433,38 +1478,6 @@ int bcm_qspi_probe(struct platform_devic + goto qspi_probe_err; + } + +- /* +- * Some SoCs integrate spi controller (e.g., its interrupt bits) +- * in specific ways +- */ +- if (soc_intc) { +- qspi->soc_intc = soc_intc; +- soc_intc->bcm_qspi_int_set(soc_intc, MSPI_DONE, true); +- } else { +- qspi->soc_intc = NULL; +- } +- +- ret = clk_prepare_enable(qspi->clk); +- if (ret) { +- dev_err(dev, "failed to prepare clock\n"); +- goto qspi_probe_err; +- } +- +- qspi->base_clk = clk_get_rate(qspi->clk); +- +- if (data->has_mspi_rev) { +- rev = bcm_qspi_read(qspi, MSPI, MSPI_REV); +- /* some older revs do not have a MSPI_REV register */ +- if ((rev & 0xff) == 0xff) +- rev = 0; +- } +- +- qspi->mspi_maj_rev = (rev >> 4) & 0xf; +- qspi->mspi_min_rev = rev & 0xf; +- qspi->mspi_spcr3_sysclk = data->has_spcr3_sysclk; +- +- qspi->max_speed_hz = qspi->base_clk / (bcm_qspi_spbr_min(qspi) * 2); +- + bcm_qspi_hw_init(qspi); + init_completion(&qspi->mspi_done); + init_completion(&qspi->bspi_done); diff --git a/queue-5.14/spi-spidev-add-spi-id-table.patch b/queue-5.14/spi-spidev-add-spi-id-table.patch new file mode 100644 index 00000000000..0c24bdd498f --- /dev/null +++ b/queue-5.14/spi-spidev-add-spi-id-table.patch @@ -0,0 +1,54 @@ +From 6840615f85f6046039ebc4989870ddb12892b7fc Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Thu, 23 Sep 2021 18:00:23 +0100 +Subject: spi: spidev: Add SPI ID table + +From: Mark Brown + +commit 6840615f85f6046039ebc4989870ddb12892b7fc upstream. + +Currently autoloading for SPI devices does not use the DT ID table, it uses +SPI modalises. Supporting OF modalises is going to be difficult if not +impractical, an attempt was made but has been reverted, so ensure that +module autoloading works for this driver by adding an id_table listing the +SPI IDs for everything. + +Fixes: 96c8395e2166 ("spi: Revert modalias changes") +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20210923170023.1683-1-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spidev.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/spi/spidev.c ++++ b/drivers/spi/spidev.c +@@ -673,6 +673,19 @@ static const struct file_operations spid + + static struct class *spidev_class; + ++static const struct spi_device_id spidev_spi_ids[] = { ++ { .name = "dh2228fv" }, ++ { .name = "ltc2488" }, ++ { .name = "sx1301" }, ++ { .name = "bk4" }, ++ { .name = "dhcom-board" }, ++ { .name = "m53cpld" }, ++ { .name = "spi-petra" }, ++ { .name = "spi-authenta" }, ++ {}, ++}; ++MODULE_DEVICE_TABLE(spi, spidev_spi_ids); ++ + #ifdef CONFIG_OF + static const struct of_device_id spidev_dt_ids[] = { + { .compatible = "rohm,dh2228fv" }, +@@ -819,6 +832,7 @@ static struct spi_driver spidev_spi_driv + }, + .probe = spidev_probe, + .remove = spidev_remove, ++ .id_table = spidev_spi_ids, + + /* NOTE: suspend/resume methods are not necessary here. + * We don't do anything except pass the requests to/from diff --git a/queue-5.14/vhost-vdpa-fix-the-wrong-input-in-config_cb.patch b/queue-5.14/vhost-vdpa-fix-the-wrong-input-in-config_cb.patch new file mode 100644 index 00000000000..3aad3ffb6b6 --- /dev/null +++ b/queue-5.14/vhost-vdpa-fix-the-wrong-input-in-config_cb.patch @@ -0,0 +1,33 @@ +From bcef9356fc2e1302daf373c83c826aa27954d128 Mon Sep 17 00:00:00 2001 +From: Cindy Lu +Date: Wed, 29 Sep 2021 17:09:33 +0800 +Subject: vhost-vdpa: Fix the wrong input in config_cb + +From: Cindy Lu + +commit bcef9356fc2e1302daf373c83c826aa27954d128 upstream. + +Fix the wrong input in for config_cb. In function vhost_vdpa_config_cb, +the input cb.private was used as struct vhost_vdpa, so the input was +wrong here, fix this issue + +Fixes: 776f395004d8 ("vhost_vdpa: Support config interrupt in vdpa") +Signed-off-by: Cindy Lu +Link: https://lore.kernel.org/r/20210929090933.20465-1-lulu@redhat.com +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vdpa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/vhost/vdpa.c ++++ b/drivers/vhost/vdpa.c +@@ -316,7 +316,7 @@ static long vhost_vdpa_set_config_call(s + struct eventfd_ctx *ctx; + + cb.callback = vhost_vdpa_config_cb; +- cb.private = v->vdpa; ++ cb.private = v; + if (copy_from_user(&fd, argp, sizeof(fd))) + return -EFAULT; +