From: Sasha Levin Date: Wed, 29 Nov 2023 02:49:18 +0000 (-0500) Subject: Fixes for 5.15 X-Git-Tag: v5.15.141~43 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e8b8452b13d75134000f95298963d63a0a551d4d;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/afs-fix-afs_server_list-to-be-cleaned-up-with-rcu.patch b/queue-5.15/afs-fix-afs_server_list-to-be-cleaned-up-with-rcu.patch new file mode 100644 index 00000000000..c7fe3bb518a --- /dev/null +++ b/queue-5.15/afs-fix-afs_server_list-to-be-cleaned-up-with-rcu.patch @@ -0,0 +1,52 @@ +From aeb7cdf94718261fc03b5136bac386b27c458597 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Nov 2023 16:26:59 +0000 +Subject: afs: Fix afs_server_list to be cleaned up with RCU + +From: David Howells + +[ Upstream commit e6bace7313d61e31f2b16fa3d774fd8cb3cb869e ] + +afs_server_list is accessed with the rcu_read_lock() held from +volume->servers, so it needs to be cleaned up correctly. + +Fix this by using kfree_rcu() instead of kfree(). + +Fixes: 8a070a964877 ("afs: Detect cell aliases 1 - Cells with root volumes") +Signed-off-by: David Howells +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Sasha Levin +--- + fs/afs/internal.h | 1 + + fs/afs/server_list.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/afs/internal.h b/fs/afs/internal.h +index 567e61b553f56..183200c6ce20e 100644 +--- a/fs/afs/internal.h ++++ b/fs/afs/internal.h +@@ -556,6 +556,7 @@ struct afs_server_entry { + }; + + struct afs_server_list { ++ struct rcu_head rcu; + afs_volid_t vids[AFS_MAXTYPES]; /* Volume IDs */ + refcount_t usage; + unsigned char nr_servers; +diff --git a/fs/afs/server_list.c b/fs/afs/server_list.c +index ed9056703505f..b59896b1de0af 100644 +--- a/fs/afs/server_list.c ++++ b/fs/afs/server_list.c +@@ -17,7 +17,7 @@ void afs_put_serverlist(struct afs_net *net, struct afs_server_list *slist) + for (i = 0; i < slist->nr_servers; i++) + afs_unuse_server(net, slist->servers[i].server, + afs_server_trace_put_slist); +- kfree(slist); ++ kfree_rcu(slist, rcu); + } + } + +-- +2.42.0 + diff --git a/queue-5.15/afs-fix-file-locking-on-r-o-volumes-to-operate-in-lo.patch b/queue-5.15/afs-fix-file-locking-on-r-o-volumes-to-operate-in-lo.patch new file mode 100644 index 00000000000..309d01cf127 --- /dev/null +++ b/queue-5.15/afs-fix-file-locking-on-r-o-volumes-to-operate-in-lo.patch @@ -0,0 +1,44 @@ +From 829d24b1728a8a5a3f37a6bf07e7f2a0706f5b03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Nov 2023 22:03:28 +0000 +Subject: afs: Fix file locking on R/O volumes to operate in local mode + +From: David Howells + +[ Upstream commit b590eb41be766c5a63acc7e8896a042f7a4e8293 ] + +AFS doesn't really do locking on R/O volumes as fileservers don't maintain +state with each other and thus a lock on a R/O volume file on one +fileserver will not be be visible to someone looking at the same file on +another fileserver. + +Further, the server may return an error if you try it. + +Fix this by doing what other AFS clients do and handle filelocking on R/O +volume files entirely within the client and don't touch the server. + +Fixes: 6c6c1d63c243 ("afs: Provide mount-time configurable byte-range file locking emulation") +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Sasha Levin +--- + fs/afs/super.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/afs/super.c b/fs/afs/super.c +index 34c68724c98be..910e73bb5a089 100644 +--- a/fs/afs/super.c ++++ b/fs/afs/super.c +@@ -406,6 +406,8 @@ static int afs_validate_fc(struct fs_context *fc) + return PTR_ERR(volume); + + ctx->volume = volume; ++ if (volume->type != AFSVL_RWVOL) ++ ctx->flock_mode = afs_flock_mode_local; + } + + return 0; +-- +2.42.0 + diff --git a/queue-5.15/afs-make-error-on-cell-lookup-failure-consistent-wit.patch b/queue-5.15/afs-make-error-on-cell-lookup-failure-consistent-wit.patch new file mode 100644 index 00000000000..a4ba10787f3 --- /dev/null +++ b/queue-5.15/afs-make-error-on-cell-lookup-failure-consistent-wit.patch @@ -0,0 +1,49 @@ +From 878177e5e16ecad44032b7cb761fc18be1479f68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jun 2023 09:43:54 +0100 +Subject: afs: Make error on cell lookup failure consistent with OpenAFS + +From: David Howells + +[ Upstream commit 2a4ca1b4b77850544408595e2433f5d7811a9daa ] + +When kafs tries to look up a cell in the DNS or the local config, it will +translate a lookup failure into EDESTADDRREQ whereas OpenAFS translates it +into ENOENT. Applications such as West expect the latter behaviour and +fail if they see the former. + +This can be seen by trying to mount an unknown cell: + + # mount -t afs %example.com:cell.root /mnt + mount: /mnt: mount(2) system call failed: Destination address required. + +Fixes: 4d673da14533 ("afs: Support the AFS dynamic root") +Reported-by: Markus Suvanto +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216637 +Signed-off-by: David Howells +Reviewed-by: Jeffrey Altman +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Sasha Levin +--- + fs/afs/dynroot.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c +index db832cc931c87..b35c6081dbfe1 100644 +--- a/fs/afs/dynroot.c ++++ b/fs/afs/dynroot.c +@@ -131,8 +131,8 @@ static int afs_probe_cell_name(struct dentry *dentry) + + ret = dns_query(net->net, "afsdb", name, len, "srv=1", + NULL, NULL, false); +- if (ret == -ENODATA) +- ret = -EDESTADDRREQ; ++ if (ret == -ENODATA || ret == -ENOKEY) ++ ret = -ENOENT; + return ret; + } + +-- +2.42.0 + diff --git a/queue-5.15/afs-return-enoent-if-no-cell-dns-record-can-be-found.patch b/queue-5.15/afs-return-enoent-if-no-cell-dns-record-can-be-found.patch new file mode 100644 index 00000000000..0ff90054ec7 --- /dev/null +++ b/queue-5.15/afs-return-enoent-if-no-cell-dns-record-can-be-found.patch @@ -0,0 +1,64 @@ +From dea44c5d4f1b717a9cb92ab872050aaae4d7cea5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Oct 2023 01:25:07 +0100 +Subject: afs: Return ENOENT if no cell DNS record can be found + +From: David Howells + +[ Upstream commit 0167236e7d66c5e1e85d902a6abc2529b7544539 ] + +Make AFS return error ENOENT if no cell SRV or AFSDB DNS record (or +cellservdb config file record) can be found rather than returning +EDESTADDRREQ. + +Also add cell name lookup info to the cursor dump. + +Fixes: d5c32c89b208 ("afs: Fix cell DNS lookup") +Reported-by: Markus Suvanto +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216637 +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Sasha Levin +--- + fs/afs/vl_rotate.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/afs/vl_rotate.c b/fs/afs/vl_rotate.c +index 488e58490b16e..eb415ce563600 100644 +--- a/fs/afs/vl_rotate.c ++++ b/fs/afs/vl_rotate.c +@@ -58,6 +58,12 @@ static bool afs_start_vl_iteration(struct afs_vl_cursor *vc) + } + + /* Status load is ordered after lookup counter load */ ++ if (cell->dns_status == DNS_LOOKUP_GOT_NOT_FOUND) { ++ pr_warn("No record of cell %s\n", cell->name); ++ vc->error = -ENOENT; ++ return false; ++ } ++ + if (cell->dns_source == DNS_RECORD_UNAVAILABLE) { + vc->error = -EDESTADDRREQ; + return false; +@@ -285,6 +291,7 @@ bool afs_select_vlserver(struct afs_vl_cursor *vc) + */ + static void afs_vl_dump_edestaddrreq(const struct afs_vl_cursor *vc) + { ++ struct afs_cell *cell = vc->cell; + static int count; + int i; + +@@ -294,6 +301,9 @@ static void afs_vl_dump_edestaddrreq(const struct afs_vl_cursor *vc) + + rcu_read_lock(); + pr_notice("EDESTADDR occurred\n"); ++ pr_notice("CELL: %s err=%d\n", cell->name, cell->error); ++ pr_notice("DNS: src=%u st=%u lc=%x\n", ++ cell->dns_source, cell->dns_status, cell->dns_lookup_count); + pr_notice("VC: ut=%lx ix=%u ni=%hu fl=%hx err=%hd\n", + vc->untried, vc->index, vc->nr_iterations, vc->flags, vc->error); + +-- +2.42.0 + diff --git a/queue-5.15/amd-xgbe-handle-corner-case-during-sfp-hotplug.patch b/queue-5.15/amd-xgbe-handle-corner-case-during-sfp-hotplug.patch new file mode 100644 index 00000000000..83c0dc0a525 --- /dev/null +++ b/queue-5.15/amd-xgbe-handle-corner-case-during-sfp-hotplug.patch @@ -0,0 +1,55 @@ +From 912d227a6e3e420d11729de003a94dd5522ca5f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Nov 2023 00:44:33 +0530 +Subject: amd-xgbe: handle corner-case during sfp hotplug + +From: Raju Rangoju + +[ Upstream commit 676ec53844cbdf2f47e68a076cdff7f0ec6cbe3f ] + +Force the mode change for SFI in Fixed PHY configurations. Fixed PHY +configurations needs PLL to be enabled while doing mode set. When the +SFP module isn't connected during boot, driver assumes AN is ON and +attempts auto-negotiation. However, if the connected SFP comes up in +Fixed PHY configuration the link will not come up as PLL isn't enabled +while the initial mode set command is issued. So, force the mode change +for SFI in Fixed PHY configuration to fix link issues. + +Fixes: e57f7a3feaef ("amd-xgbe: Prepare for working with more than one type of phy") +Acked-by: Shyam Sundar S K +Signed-off-by: Raju Rangoju +Reviewed-by: Wojciech Drewek +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +index ca7372369b3e6..60be836b294bb 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +@@ -1178,7 +1178,19 @@ static int xgbe_phy_config_fixed(struct xgbe_prv_data *pdata) + if (pdata->phy.duplex != DUPLEX_FULL) + return -EINVAL; + +- xgbe_set_mode(pdata, mode); ++ /* Force the mode change for SFI in Fixed PHY config. ++ * Fixed PHY configs needs PLL to be enabled while doing mode set. ++ * When the SFP module isn't connected during boot, driver assumes ++ * AN is ON and attempts autonegotiation. However, if the connected ++ * SFP comes up in Fixed PHY config, the link will not come up as ++ * PLL isn't enabled while the initial mode set command is issued. ++ * So, force the mode change for SFI in Fixed PHY configuration to ++ * fix link issues. ++ */ ++ if (mode == XGBE_MODE_SFI) ++ xgbe_change_mode(pdata, mode); ++ else ++ xgbe_set_mode(pdata, mode); + + return 0; + } +-- +2.42.0 + diff --git a/queue-5.15/amd-xgbe-handle-the-corner-case-during-tx-completion.patch b/queue-5.15/amd-xgbe-handle-the-corner-case-during-tx-completion.patch new file mode 100644 index 00000000000..481efd613ff --- /dev/null +++ b/queue-5.15/amd-xgbe-handle-the-corner-case-during-tx-completion.patch @@ -0,0 +1,61 @@ +From dfb297f882d2109a198326969972d8e875322b55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Nov 2023 00:44:34 +0530 +Subject: amd-xgbe: handle the corner-case during tx completion + +From: Raju Rangoju + +[ Upstream commit 7121205d5330c6a3cb3379348886d47c77b78d06 ] + +The existing implementation uses software logic to accumulate tx +completions until the specified time (1ms) is met and then poll them. +However, there exists a tiny gap which leads to a race between +resetting and checking the tx_activate flag. Due to this the tx +completions are not reported to upper layer and tx queue timeout +kicks-in restarting the device. + +To address this, introduce a tx cleanup mechanism as part of the +periodic maintenance process. + +Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver") +Acked-by: Shyam Sundar S K +Signed-off-by: Raju Rangoju +Reviewed-by: Wojciech Drewek +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +index 555db1871ec9f..8d823bc147001 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -682,10 +682,24 @@ static void xgbe_service(struct work_struct *work) + static void xgbe_service_timer(struct timer_list *t) + { + struct xgbe_prv_data *pdata = from_timer(pdata, t, service_timer); ++ struct xgbe_channel *channel; ++ unsigned int i; + + queue_work(pdata->dev_workqueue, &pdata->service_work); + + mod_timer(&pdata->service_timer, jiffies + HZ); ++ ++ if (!pdata->tx_usecs) ++ return; ++ ++ for (i = 0; i < pdata->channel_count; i++) { ++ channel = pdata->channel[i]; ++ if (!channel->tx_ring || channel->tx_timer_active) ++ break; ++ channel->tx_timer_active = 1; ++ mod_timer(&channel->tx_timer, ++ jiffies + usecs_to_jiffies(pdata->tx_usecs)); ++ } + } + + static void xgbe_init_timers(struct xgbe_prv_data *pdata) +-- +2.42.0 + diff --git a/queue-5.15/amd-xgbe-propagate-the-correct-speed-and-duplex-stat.patch b/queue-5.15/amd-xgbe-propagate-the-correct-speed-and-duplex-stat.patch new file mode 100644 index 00000000000..59f80823964 --- /dev/null +++ b/queue-5.15/amd-xgbe-propagate-the-correct-speed-and-duplex-stat.patch @@ -0,0 +1,51 @@ +From 6d0ff961f23167ec98a9e1a7e3305b960e7c0db4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Nov 2023 00:44:35 +0530 +Subject: amd-xgbe: propagate the correct speed and duplex status + +From: Raju Rangoju + +[ Upstream commit 7a2323ac24a50311f64a3a9b54ed5bef5821ecae ] + +xgbe_get_link_ksettings() does not propagate correct speed and duplex +information to ethtool during cable unplug. Due to which ethtool reports +incorrect values for speed and duplex. + +Address this by propagating correct information. + +Fixes: 7c12aa08779c ("amd-xgbe: Move the PHY support into amd-xgbe") +Acked-by: Shyam Sundar S K +Signed-off-by: Raju Rangoju +Reviewed-by: Wojciech Drewek +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c b/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c +index bafc51c34e0be..5bb7b2210b811 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c +@@ -314,10 +314,15 @@ static int xgbe_get_link_ksettings(struct net_device *netdev, + + cmd->base.phy_address = pdata->phy.address; + +- cmd->base.autoneg = pdata->phy.autoneg; +- cmd->base.speed = pdata->phy.speed; +- cmd->base.duplex = pdata->phy.duplex; ++ if (netif_carrier_ok(netdev)) { ++ cmd->base.speed = pdata->phy.speed; ++ cmd->base.duplex = pdata->phy.duplex; ++ } else { ++ cmd->base.speed = SPEED_UNKNOWN; ++ cmd->base.duplex = DUPLEX_UNKNOWN; ++ } + ++ cmd->base.autoneg = pdata->phy.autoneg; + cmd->base.port = PORT_NONE; + + XGBE_LM_COPY(cmd, supported, lks, supported); +-- +2.42.0 + diff --git a/queue-5.15/arm-xen-fix-xen_vcpu_info-allocation-alignment.patch b/queue-5.15/arm-xen-fix-xen_vcpu_info-allocation-alignment.patch new file mode 100644 index 00000000000..3e57a3266a1 --- /dev/null +++ b/queue-5.15/arm-xen-fix-xen_vcpu_info-allocation-alignment.patch @@ -0,0 +1,47 @@ +From b38c58e955100ede2490e6aa43be8287a02c918e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Nov 2023 15:07:41 -0800 +Subject: arm/xen: fix xen_vcpu_info allocation alignment + +From: Stefano Stabellini + +[ Upstream commit 7bf9a6b46549852a37e6d07e52c601c3c706b562 ] + +xen_vcpu_info is a percpu area than needs to be mapped by Xen. +Currently, it could cross a page boundary resulting in Xen being unable +to map it: + +[ 0.567318] kernel BUG at arch/arm64/xen/../../arm/xen/enlighten.c:164! +[ 0.574002] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP + +Fix the issue by using __alloc_percpu and requesting alignment for the +memory allocation. + +Signed-off-by: Stefano Stabellini + +Link: https://lore.kernel.org/r/alpine.DEB.2.22.394.2311221501340.2053963@ubuntu-linux-20-04-desktop +Fixes: 24d5373dda7c ("arm/xen: Use alloc_percpu rather than __alloc_percpu") +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/arm/xen/enlighten.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/xen/enlighten.c b/arch/arm/xen/enlighten.c +index 27277d6bbfa5a..59de416c61a30 100644 +--- a/arch/arm/xen/enlighten.c ++++ b/arch/arm/xen/enlighten.c +@@ -359,7 +359,8 @@ static int __init xen_guest_init(void) + * for secondary CPUs as they are brought up. + * For uniformity we use VCPUOP_register_vcpu_info even on cpu0. + */ +- xen_vcpu_info = alloc_percpu(struct vcpu_info); ++ xen_vcpu_info = __alloc_percpu(sizeof(struct vcpu_info), ++ 1 << fls(sizeof(struct vcpu_info) - 1)); + if (xen_vcpu_info == NULL) + return -ENOMEM; + +-- +2.42.0 + diff --git a/queue-5.15/ata-pata_isapnp-add-missing-error-check-for-devm_iop.patch b/queue-5.15/ata-pata_isapnp-add-missing-error-check-for-devm_iop.patch new file mode 100644 index 00000000000..6bef33214f0 --- /dev/null +++ b/queue-5.15/ata-pata_isapnp-add-missing-error-check-for-devm_iop.patch @@ -0,0 +1,38 @@ +From 28c53d3261cae9cb2884d90c8d243a79eded86ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Oct 2023 04:00:07 +0000 +Subject: ata: pata_isapnp: Add missing error check for devm_ioport_map() + +From: Chen Ni + +[ Upstream commit a6925165ea82b7765269ddd8dcad57c731aa00de ] + +Add missing error return check for devm_ioport_map() and return the +error if this function call fails. + +Fixes: 0d5ff566779f ("libata: convert to iomap") +Signed-off-by: Chen Ni +Reviewed-by: Sergey Shtylyov +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_isapnp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ata/pata_isapnp.c b/drivers/ata/pata_isapnp.c +index 43bb224430d3c..8892931ea8676 100644 +--- a/drivers/ata/pata_isapnp.c ++++ b/drivers/ata/pata_isapnp.c +@@ -82,6 +82,9 @@ static int isapnp_init_one(struct pnp_dev *idev, const struct pnp_device_id *dev + if (pnp_port_valid(idev, 1)) { + ctl_addr = devm_ioport_map(&idev->dev, + pnp_port_start(idev, 1), 1); ++ if (!ctl_addr) ++ return -ENOMEM; ++ + ap->ioaddr.altstatus_addr = ctl_addr; + ap->ioaddr.ctl_addr = ctl_addr; + ap->ops = &isapnp_port_ops; +-- +2.42.0 + diff --git a/queue-5.15/drm-panel-auo-b101uan08.3-fine-tune-the-panel-power-.patch b/queue-5.15/drm-panel-auo-b101uan08.3-fine-tune-the-panel-power-.patch new file mode 100644 index 00000000000..8d2141b8fd3 --- /dev/null +++ b/queue-5.15/drm-panel-auo-b101uan08.3-fine-tune-the-panel-power-.patch @@ -0,0 +1,37 @@ +From 587092ff90f1823231536925ee605ce708ed58dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Nov 2023 12:42:05 +0800 +Subject: drm/panel: auo,b101uan08.3: Fine tune the panel power sequence + +From: Xuxin Xiong + +[ Upstream commit 6965809e526917b73c8f9178173184dcf13cec4b ] + +For "auo,b101uan08.3" this panel, it is stipulated in the panel spec that +MIPI needs to keep the LP11 state before the lcm_reset pin is pulled high. + +Fixes: 56ad624b4cb5 ("drm/panel: support for auo, b101uan08.3 wuxga dsi video mode panel") +Signed-off-by: Xuxin Xiong +Reviewed-by: Douglas Anderson +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/20231114044205.613421-1-xuxinxiong@huaqin.corp-partner.google.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c b/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c +index 3229e5eabbd21..9e518213a54ff 100644 +--- a/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c ++++ b/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c +@@ -697,6 +697,7 @@ static const struct panel_desc auo_b101uan08_3_desc = { + .mode_flags = MIPI_DSI_MODE_VIDEO | MIPI_DSI_MODE_VIDEO_SYNC_PULSE | + MIPI_DSI_MODE_LPM, + .init_cmds = auo_b101uan08_3_init_cmd, ++ .lp11_before_reset = true, + }; + + static const struct drm_display_mode boe_tv105wum_nw0_default_mode = { +-- +2.42.0 + diff --git a/queue-5.15/drm-panel-boe-tv101wum-nl6-fine-tune-the-panel-power.patch b/queue-5.15/drm-panel-boe-tv101wum-nl6-fine-tune-the-panel-power.patch new file mode 100644 index 00000000000..c05165b78ef --- /dev/null +++ b/queue-5.15/drm-panel-boe-tv101wum-nl6-fine-tune-the-panel-power.patch @@ -0,0 +1,58 @@ +From 8a74d9e475f0f773bf1a69b7e104c27f1c48a199 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 17:49:55 +0800 +Subject: drm/panel: boe-tv101wum-nl6: Fine tune the panel power sequence + +From: Shuijing Li + +[ Upstream commit 812562b8d881ce6d33fed8052b3a10b718430fb5 ] + +For "boe,tv105wum-nw0" this special panel, it is stipulated in +the panel spec that MIPI needs to keep the LP11 state before +the lcm_reset pin is pulled high. + +Signed-off-by: Shuijing Li +Signed-off-by: Xinlei Lee +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230515094955.15982-3-shuijing.li@mediatek.com +Stable-dep-of: 6965809e5269 ("drm/panel: auo,b101uan08.3: Fine tune the panel power sequence") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c b/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c +index db9d0b86d5428..3229e5eabbd21 100644 +--- a/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c ++++ b/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c +@@ -36,6 +36,7 @@ struct panel_desc { + const struct panel_init_cmd *init_cmds; + unsigned int lanes; + bool discharge_on_disable; ++ bool lp11_before_reset; + }; + + struct boe_panel { +@@ -551,6 +552,10 @@ static int boe_panel_prepare(struct drm_panel *panel) + + usleep_range(5000, 10000); + ++ if (boe->desc->lp11_before_reset) { ++ mipi_dsi_dcs_nop(boe->dsi); ++ usleep_range(1000, 2000); ++ } + gpiod_set_value(boe->enable_gpio, 1); + usleep_range(1000, 2000); + gpiod_set_value(boe->enable_gpio, 0); +@@ -719,6 +724,7 @@ static const struct panel_desc boe_tv105wum_nw0_desc = { + .mode_flags = MIPI_DSI_MODE_VIDEO | MIPI_DSI_MODE_VIDEO_SYNC_PULSE | + MIPI_DSI_MODE_LPM, + .init_cmds = boe_init_cmd, ++ .lp11_before_reset = true, + }; + + static int boe_panel_get_modes(struct drm_panel *panel, +-- +2.42.0 + diff --git a/queue-5.15/drm-panel-simple-fix-innolux-g101ice-l01-bus-flags.patch b/queue-5.15/drm-panel-simple-fix-innolux-g101ice-l01-bus-flags.patch new file mode 100644 index 00000000000..5d6213b549c --- /dev/null +++ b/queue-5.15/drm-panel-simple-fix-innolux-g101ice-l01-bus-flags.patch @@ -0,0 +1,36 @@ +From a61bd95862d279a91116377b8195a65eb6766180 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 00:33:15 +0200 +Subject: drm/panel: simple: Fix Innolux G101ICE-L01 bus flags + +From: Marek Vasut + +[ Upstream commit 06fc41b09cfbc02977acd9189473593a37d82d9b ] + +Add missing .bus_flags = DRM_BUS_FLAG_DE_HIGH to this panel description, +ones which match both the datasheet and the panel display_timing flags . + +Fixes: 1e29b840af9f ("drm/panel: simple: Add Innolux G101ICE-L01 panel") +Signed-off-by: Marek Vasut +Reviewed-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20231008223315.279215-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index e58eb93e9bc9e..28d1e661f99b1 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -2555,6 +2555,7 @@ static const struct panel_desc innolux_g101ice_l01 = { + .disable = 200, + }, + .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG, ++ .bus_flags = DRM_BUS_FLAG_DE_HIGH, + .connector_type = DRM_MODE_CONNECTOR_LVDS, + }; + +-- +2.42.0 + diff --git a/queue-5.15/drm-panel-simple-fix-innolux-g101ice-l01-timings.patch b/queue-5.15/drm-panel-simple-fix-innolux-g101ice-l01-timings.patch new file mode 100644 index 00000000000..0b110ab72bf --- /dev/null +++ b/queue-5.15/drm-panel-simple-fix-innolux-g101ice-l01-timings.patch @@ -0,0 +1,56 @@ +From f419012be36b9c99791382d5e62c3edf7713393c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Oct 2023 00:32:56 +0200 +Subject: drm/panel: simple: Fix Innolux G101ICE-L01 timings + +From: Marek Vasut + +[ Upstream commit 3f9a91b6c00e655d27bd785dcda1742dbdc31bda ] + +The Innolux G101ICE-L01 datasheet [1] page 17 table +6.1 INPUT SIGNAL TIMING SPECIFICATIONS +indicates that maximum vertical blanking time is 40 lines. +Currently the driver uses 29 lines. + +Fix it, and since this panel is a DE panel, adjust the timings +to make them less hostile to controllers which cannot do 1 px +HSA/VSA, distribute the delays evenly between all three parts. + +[1] https://www.data-modul.com/sites/default/files/products/G101ICE-L01-C2-specification-12042389.pdf + +Fixes: 1e29b840af9f ("drm/panel: simple: Add Innolux G101ICE-L01 panel") +Signed-off-by: Marek Vasut +Reviewed-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20231008223256.279196-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index 28d1e661f99b1..d9f1675c348e5 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -2532,13 +2532,13 @@ static const struct panel_desc innolux_g070y2_l01 = { + static const struct display_timing innolux_g101ice_l01_timing = { + .pixelclock = { 60400000, 71100000, 74700000 }, + .hactive = { 1280, 1280, 1280 }, +- .hfront_porch = { 41, 80, 100 }, +- .hback_porch = { 40, 79, 99 }, +- .hsync_len = { 1, 1, 1 }, ++ .hfront_porch = { 30, 60, 70 }, ++ .hback_porch = { 30, 60, 70 }, ++ .hsync_len = { 22, 40, 60 }, + .vactive = { 800, 800, 800 }, +- .vfront_porch = { 5, 11, 14 }, +- .vback_porch = { 4, 11, 14 }, +- .vsync_len = { 1, 1, 1 }, ++ .vfront_porch = { 3, 8, 14 }, ++ .vback_porch = { 3, 8, 14 }, ++ .vsync_len = { 4, 7, 12 }, + .flags = DISPLAY_FLAGS_DE_HIGH, + }; + +-- +2.42.0 + diff --git a/queue-5.15/drm-rockchip-vop-fix-color-for-rgb888-bgr888-format-.patch b/queue-5.15/drm-rockchip-vop-fix-color-for-rgb888-bgr888-format-.patch new file mode 100644 index 00000000000..e0b5e3b5f48 --- /dev/null +++ b/queue-5.15/drm-rockchip-vop-fix-color-for-rgb888-bgr888-format-.patch @@ -0,0 +1,76 @@ +From 984f5cafc0578e2b38c0c702c81323bd17ac5853 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Oct 2023 19:14:58 +0000 +Subject: drm/rockchip: vop: Fix color for RGB888/BGR888 format on VOP full + +From: Jonas Karlman + +[ Upstream commit bb0a05acd6121ff0e810b44fdc24dbdfaa46b642 ] + +Use of DRM_FORMAT_RGB888 and DRM_FORMAT_BGR888 on e.g. RK3288, RK3328 +and RK3399 result in wrong colors being displayed. + +The issue can be observed using modetest: + + modetest -s @:1920x1080-60@RG24 + modetest -s @:1920x1080-60@BG24 + +Vendor 4.4 kernel apply an inverted rb swap for these formats on VOP +full framework (IP version 3.x) compared to VOP little framework (2.x). + +Fix colors by applying different rb swap for VOP full framework (3.x) +and VOP little framework (2.x) similar to vendor 4.4 kernel. + +Fixes: 85a359f25388 ("drm/rockchip: Add BGR formats to VOP") +Signed-off-by: Jonas Karlman +Tested-by: Diederik de Haas +Reviewed-by: Christopher Obbard +Tested-by: Christopher Obbard +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20231026191500.2994225-1-jonas@kwiboo.se +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +index e53b1ecbd7bc0..c7106f1165466 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +@@ -249,14 +249,22 @@ static inline void vop_cfg_done(struct vop *vop) + VOP_REG_SET(vop, common, cfg_done, 1); + } + +-static bool has_rb_swapped(uint32_t format) ++static bool has_rb_swapped(uint32_t version, uint32_t format) + { + switch (format) { + case DRM_FORMAT_XBGR8888: + case DRM_FORMAT_ABGR8888: +- case DRM_FORMAT_BGR888: + case DRM_FORMAT_BGR565: + return true; ++ /* ++ * full framework (IP version 3.x) only need rb swapped for RGB888 and ++ * little framework (IP version 2.x) only need rb swapped for BGR888, ++ * check for 3.x to also only rb swap BGR888 for unknown vop version ++ */ ++ case DRM_FORMAT_RGB888: ++ return VOP_MAJOR(version) == 3; ++ case DRM_FORMAT_BGR888: ++ return VOP_MAJOR(version) != 3; + default: + return false; + } +@@ -998,7 +1006,7 @@ static void vop_plane_atomic_update(struct drm_plane *plane, + VOP_WIN_SET(vop, win, dsp_info, dsp_info); + VOP_WIN_SET(vop, win, dsp_st, dsp_st); + +- rb_swap = has_rb_swapped(fb->format->format); ++ rb_swap = has_rb_swapped(vop->data->version, fb->format->format); + VOP_WIN_SET(vop, win, rb_swap, rb_swap); + + /* +-- +2.42.0 + diff --git a/queue-5.15/ext4-add-a-new-helper-to-check-if-es-must-be-kept.patch b/queue-5.15/ext4-add-a-new-helper-to-check-if-es-must-be-kept.patch new file mode 100644 index 00000000000..70b58159edd --- /dev/null +++ b/queue-5.15/ext4-add-a-new-helper-to-check-if-es-must-be-kept.patch @@ -0,0 +1,111 @@ +From ce55382dc437f6866bb4bfd6e763649a54b88636 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 11:38:36 +0800 +Subject: ext4: add a new helper to check if es must be kept + +From: Baokun Li + +[ Upstream commit 9649eb18c6288f514cacffdd699d5cd999c2f8f6 ] + +In the extent status tree, we have extents which we can just drop without +issues and extents we must not drop - this depends on the extent's status +- currently ext4_es_is_delayed() extents must stay, others may be dropped. + +A helper function is added to help determine if the current extent can +be dropped, although only ext4_es_is_delayed() extents cannot be dropped +currently. + +Suggested-by: Jan Kara +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230424033846.4732-3-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail") +Signed-off-by: Sasha Levin +--- + fs/ext4/extents_status.c | 34 +++++++++++++++++++++------------- + 1 file changed, 21 insertions(+), 13 deletions(-) + +diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c +index 7806adcc41a7a..cf6a21baddbc4 100644 +--- a/fs/ext4/extents_status.c ++++ b/fs/ext4/extents_status.c +@@ -448,6 +448,19 @@ static void ext4_es_list_del(struct inode *inode) + spin_unlock(&sbi->s_es_lock); + } + ++/* ++ * Returns true if we cannot fail to allocate memory for this extent_status ++ * entry and cannot reclaim it until its status changes. ++ */ ++static inline bool ext4_es_must_keep(struct extent_status *es) ++{ ++ /* fiemap, bigalloc, and seek_data/hole need to use it. */ ++ if (ext4_es_is_delayed(es)) ++ return true; ++ ++ return false; ++} ++ + static struct extent_status * + ext4_es_alloc_extent(struct inode *inode, ext4_lblk_t lblk, ext4_lblk_t len, + ext4_fsblk_t pblk) +@@ -460,10 +473,8 @@ ext4_es_alloc_extent(struct inode *inode, ext4_lblk_t lblk, ext4_lblk_t len, + es->es_len = len; + es->es_pblk = pblk; + +- /* +- * We don't count delayed extent because we never try to reclaim them +- */ +- if (!ext4_es_is_delayed(es)) { ++ /* We never try to reclaim a must kept extent, so we don't count it. */ ++ if (!ext4_es_must_keep(es)) { + if (!EXT4_I(inode)->i_es_shk_nr++) + ext4_es_list_add(inode); + percpu_counter_inc(&EXT4_SB(inode->i_sb)-> +@@ -481,8 +492,8 @@ static void ext4_es_free_extent(struct inode *inode, struct extent_status *es) + EXT4_I(inode)->i_es_all_nr--; + percpu_counter_dec(&EXT4_SB(inode->i_sb)->s_es_stats.es_stats_all_cnt); + +- /* Decrease the shrink counter when this es is not delayed */ +- if (!ext4_es_is_delayed(es)) { ++ /* Decrease the shrink counter when we can reclaim the extent. */ ++ if (!ext4_es_must_keep(es)) { + BUG_ON(EXT4_I(inode)->i_es_shk_nr == 0); + if (!--EXT4_I(inode)->i_es_shk_nr) + ext4_es_list_del(inode); +@@ -854,7 +865,7 @@ int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk, + if (err == -ENOMEM && __es_shrink(EXT4_SB(inode->i_sb), + 128, EXT4_I(inode))) + goto retry; +- if (err == -ENOMEM && !ext4_es_is_delayed(&newes)) ++ if (err == -ENOMEM && !ext4_es_must_keep(&newes)) + err = 0; + + if (sbi->s_cluster_ratio > 1 && test_opt(inode->i_sb, DELALLOC) && +@@ -1704,11 +1715,8 @@ static int es_do_reclaim_extents(struct ext4_inode_info *ei, ext4_lblk_t end, + + (*nr_to_scan)--; + node = rb_next(&es->rb_node); +- /* +- * We can't reclaim delayed extent from status tree because +- * fiemap, bigallic, and seek_data/hole need to use it. +- */ +- if (ext4_es_is_delayed(es)) ++ ++ if (ext4_es_must_keep(es)) + goto next; + if (ext4_es_is_referenced(es)) { + ext4_es_clear_referenced(es); +@@ -1772,7 +1780,7 @@ void ext4_clear_inode_es(struct inode *inode) + while (node) { + es = rb_entry(node, struct extent_status, rb_node); + node = rb_next(node); +- if (!ext4_es_is_delayed(es)) { ++ if (!ext4_es_must_keep(es)) { + rb_erase(&es->rb_node, &tree->root); + ext4_es_free_extent(inode, es); + } +-- +2.42.0 + diff --git a/queue-5.15/ext4-factor-out-__es_alloc_extent-and-__es_free_exte.patch b/queue-5.15/ext4-factor-out-__es_alloc_extent-and-__es_free_exte.patch new file mode 100644 index 00000000000..b8b70ec1e2a --- /dev/null +++ b/queue-5.15/ext4-factor-out-__es_alloc_extent-and-__es_free_exte.patch @@ -0,0 +1,100 @@ +From f1d2a3280fd475afe458865e4e0f676469953529 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 11:38:37 +0800 +Subject: ext4: factor out __es_alloc_extent() and __es_free_extent() + +From: Baokun Li + +[ Upstream commit 73a2f033656be11298912201ad50615307b4477a ] + +Factor out __es_alloc_extent() and __es_free_extent(), which only allocate +and free extent_status in these two helpers. + +The ext4_es_alloc_extent() function is split into __es_alloc_extent() +and ext4_es_init_extent(). In __es_alloc_extent() we allocate memory using +GFP_KERNEL | __GFP_NOFAIL | __GFP_ZERO if the memory allocation cannot +fail, otherwise we use GFP_ATOMIC. and the ext4_es_init_extent() is used to +initialize extent_status and update related variables after a successful +allocation. + +This is to prepare for the use of pre-allocated extent_status later. + +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230424033846.4732-4-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail") +Signed-off-by: Sasha Levin +--- + fs/ext4/extents_status.c | 30 +++++++++++++++++++----------- + 1 file changed, 19 insertions(+), 11 deletions(-) + +diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c +index cf6a21baddbc4..012033db41062 100644 +--- a/fs/ext4/extents_status.c ++++ b/fs/ext4/extents_status.c +@@ -461,14 +461,17 @@ static inline bool ext4_es_must_keep(struct extent_status *es) + return false; + } + +-static struct extent_status * +-ext4_es_alloc_extent(struct inode *inode, ext4_lblk_t lblk, ext4_lblk_t len, +- ext4_fsblk_t pblk) ++static inline struct extent_status *__es_alloc_extent(bool nofail) ++{ ++ if (!nofail) ++ return kmem_cache_alloc(ext4_es_cachep, GFP_ATOMIC); ++ ++ return kmem_cache_zalloc(ext4_es_cachep, GFP_KERNEL | __GFP_NOFAIL); ++} ++ ++static void ext4_es_init_extent(struct inode *inode, struct extent_status *es, ++ ext4_lblk_t lblk, ext4_lblk_t len, ext4_fsblk_t pblk) + { +- struct extent_status *es; +- es = kmem_cache_alloc(ext4_es_cachep, GFP_ATOMIC); +- if (es == NULL) +- return NULL; + es->es_lblk = lblk; + es->es_len = len; + es->es_pblk = pblk; +@@ -483,8 +486,11 @@ ext4_es_alloc_extent(struct inode *inode, ext4_lblk_t lblk, ext4_lblk_t len, + + EXT4_I(inode)->i_es_all_nr++; + percpu_counter_inc(&EXT4_SB(inode->i_sb)->s_es_stats.es_stats_all_cnt); ++} + +- return es; ++static inline void __es_free_extent(struct extent_status *es) ++{ ++ kmem_cache_free(ext4_es_cachep, es); + } + + static void ext4_es_free_extent(struct inode *inode, struct extent_status *es) +@@ -501,7 +507,7 @@ static void ext4_es_free_extent(struct inode *inode, struct extent_status *es) + s_es_stats.es_stats_shk_cnt); + } + +- kmem_cache_free(ext4_es_cachep, es); ++ __es_free_extent(es); + } + + /* +@@ -803,10 +809,12 @@ static int __es_insert_extent(struct inode *inode, struct extent_status *newes) + } + } + +- es = ext4_es_alloc_extent(inode, newes->es_lblk, newes->es_len, +- newes->es_pblk); ++ es = __es_alloc_extent(false); + if (!es) + return -ENOMEM; ++ ext4_es_init_extent(inode, es, newes->es_lblk, newes->es_len, ++ newes->es_pblk); ++ + rb_link_node(&es->rb_node, parent, p); + rb_insert_color(&es->rb_node, &tree->root); + +-- +2.42.0 + diff --git a/queue-5.15/ext4-fix-slab-use-after-free-in-ext4_es_insert_exten.patch b/queue-5.15/ext4-fix-slab-use-after-free-in-ext4_es_insert_exten.patch new file mode 100644 index 00000000000..6d4626e2e3c --- /dev/null +++ b/queue-5.15/ext4-fix-slab-use-after-free-in-ext4_es_insert_exten.patch @@ -0,0 +1,182 @@ +From 1fcf051e479a11979397dfbf206ebacbf609cd68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Aug 2023 15:08:08 +0800 +Subject: ext4: fix slab-use-after-free in ext4_es_insert_extent() + +From: Baokun Li + +[ Upstream commit 768d612f79822d30a1e7d132a4d4b05337ce42ec ] + +Yikebaer reported an issue: +================================================================== +BUG: KASAN: slab-use-after-free in ext4_es_insert_extent+0xc68/0xcb0 +fs/ext4/extents_status.c:894 +Read of size 4 at addr ffff888112ecc1a4 by task syz-executor/8438 + +CPU: 1 PID: 8438 Comm: syz-executor Not tainted 6.5.0-rc5 #1 +Call Trace: + [...] + kasan_report+0xba/0xf0 mm/kasan/report.c:588 + ext4_es_insert_extent+0xc68/0xcb0 fs/ext4/extents_status.c:894 + ext4_map_blocks+0x92a/0x16f0 fs/ext4/inode.c:680 + ext4_alloc_file_blocks.isra.0+0x2df/0xb70 fs/ext4/extents.c:4462 + ext4_zero_range fs/ext4/extents.c:4622 [inline] + ext4_fallocate+0x251c/0x3ce0 fs/ext4/extents.c:4721 + [...] + +Allocated by task 8438: + [...] + kmem_cache_zalloc include/linux/slab.h:693 [inline] + __es_alloc_extent fs/ext4/extents_status.c:469 [inline] + ext4_es_insert_extent+0x672/0xcb0 fs/ext4/extents_status.c:873 + ext4_map_blocks+0x92a/0x16f0 fs/ext4/inode.c:680 + ext4_alloc_file_blocks.isra.0+0x2df/0xb70 fs/ext4/extents.c:4462 + ext4_zero_range fs/ext4/extents.c:4622 [inline] + ext4_fallocate+0x251c/0x3ce0 fs/ext4/extents.c:4721 + [...] + +Freed by task 8438: + [...] + kmem_cache_free+0xec/0x490 mm/slub.c:3823 + ext4_es_try_to_merge_right fs/ext4/extents_status.c:593 [inline] + __es_insert_extent+0x9f4/0x1440 fs/ext4/extents_status.c:802 + ext4_es_insert_extent+0x2ca/0xcb0 fs/ext4/extents_status.c:882 + ext4_map_blocks+0x92a/0x16f0 fs/ext4/inode.c:680 + ext4_alloc_file_blocks.isra.0+0x2df/0xb70 fs/ext4/extents.c:4462 + ext4_zero_range fs/ext4/extents.c:4622 [inline] + ext4_fallocate+0x251c/0x3ce0 fs/ext4/extents.c:4721 + [...] +================================================================== + +The flow of issue triggering is as follows: +1. remove es + raw es es removed es1 +|-------------------| -> |----|.......|------| + +2. insert es + es insert es1 merge with es es1 merge with es and free es1 +|----|.......|------| -> |------------|------| -> |-------------------| + +es merges with newes, then merges with es1, frees es1, then determines +if es1->es_len is 0 and triggers a UAF. + +The code flow is as follows: +ext4_es_insert_extent + es1 = __es_alloc_extent(true); + es2 = __es_alloc_extent(true); + __es_remove_extent(inode, lblk, end, NULL, es1) + __es_insert_extent(inode, &newes, es1) ---> insert es1 to es tree + __es_insert_extent(inode, &newes, es2) + ext4_es_try_to_merge_right + ext4_es_free_extent(inode, es1) ---> es1 is freed + if (es1 && !es1->es_len) + // Trigger UAF by determining if es1 is used. + +We determine whether es1 or es2 is used immediately after calling +__es_remove_extent() or __es_insert_extent() to avoid triggering a +UAF if es1 or es2 is freed. + +Reported-by: Yikebaer Aizezi +Closes: https://lore.kernel.org/lkml/CALcu4raD4h9coiyEBL4Bm0zjDwxC2CyPiTwsP3zFuhot6y9Beg@mail.gmail.com +Fixes: 2a69c450083d ("ext4: using nofail preallocation in ext4_es_insert_extent()") +Cc: stable@kernel.org +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230815070808.3377171-1-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail") +Signed-off-by: Sasha Levin +--- + fs/ext4/extents_status.c | 44 +++++++++++++++++++++++++++------------- + 1 file changed, 30 insertions(+), 14 deletions(-) + +diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c +index 1327cd9505db7..6c55ab427e650 100644 +--- a/fs/ext4/extents_status.c ++++ b/fs/ext4/extents_status.c +@@ -883,23 +883,29 @@ int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk, + err1 = __es_remove_extent(inode, lblk, end, NULL, es1); + if (err1 != 0) + goto error; ++ /* Free preallocated extent if it didn't get used. */ ++ if (es1) { ++ if (!es1->es_len) ++ __es_free_extent(es1); ++ es1 = NULL; ++ } + + err2 = __es_insert_extent(inode, &newes, es2); + if (err2 == -ENOMEM && !ext4_es_must_keep(&newes)) + err2 = 0; + if (err2 != 0) + goto error; ++ /* Free preallocated extent if it didn't get used. */ ++ if (es2) { ++ if (!es2->es_len) ++ __es_free_extent(es2); ++ es2 = NULL; ++ } + + if (sbi->s_cluster_ratio > 1 && test_opt(inode->i_sb, DELALLOC) && + (status & EXTENT_STATUS_WRITTEN || + status & EXTENT_STATUS_UNWRITTEN)) + __revise_pending(inode, lblk, len); +- +- /* es is pre-allocated but not used, free it. */ +- if (es1 && !es1->es_len) +- __es_free_extent(es1); +- if (es2 && !es2->es_len) +- __es_free_extent(es2); + error: + write_unlock(&EXT4_I(inode)->i_es_lock); + if (err1 || err2) +@@ -1496,8 +1502,12 @@ int ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk, + */ + write_lock(&EXT4_I(inode)->i_es_lock); + err = __es_remove_extent(inode, lblk, end, &reserved, es); +- if (es && !es->es_len) +- __es_free_extent(es); ++ /* Free preallocated extent if it didn't get used. */ ++ if (es) { ++ if (!es->es_len) ++ __es_free_extent(es); ++ es = NULL; ++ } + write_unlock(&EXT4_I(inode)->i_es_lock); + if (err) + goto retry; +@@ -2055,19 +2065,25 @@ int ext4_es_insert_delayed_block(struct inode *inode, ext4_lblk_t lblk, + err1 = __es_remove_extent(inode, lblk, lblk, NULL, es1); + if (err1 != 0) + goto error; ++ /* Free preallocated extent if it didn't get used. */ ++ if (es1) { ++ if (!es1->es_len) ++ __es_free_extent(es1); ++ es1 = NULL; ++ } + + err2 = __es_insert_extent(inode, &newes, es2); + if (err2 != 0) + goto error; ++ /* Free preallocated extent if it didn't get used. */ ++ if (es2) { ++ if (!es2->es_len) ++ __es_free_extent(es2); ++ es2 = NULL; ++ } + + if (allocated) + __insert_pending(inode, lblk); +- +- /* es is pre-allocated but not used, free it. */ +- if (es1 && !es1->es_len) +- __es_free_extent(es1); +- if (es2 && !es2->es_len) +- __es_free_extent(es2); + error: + write_unlock(&EXT4_I(inode)->i_es_lock); + if (err1 || err2) +-- +2.42.0 + diff --git a/queue-5.15/ext4-make-sure-allocate-pending-entry-not-fail.patch b/queue-5.15/ext4-make-sure-allocate-pending-entry-not-fail.patch new file mode 100644 index 00000000000..fee9b03939b --- /dev/null +++ b/queue-5.15/ext4-make-sure-allocate-pending-entry-not-fail.patch @@ -0,0 +1,305 @@ +From ac30d7f610d05a8d36f976f53726e74e3baedcaa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Aug 2023 17:26:05 +0800 +Subject: ext4: make sure allocate pending entry not fail + +From: Zhang Yi + +[ Upstream commit 8e387c89e96b9543a339f84043cf9df15fed2632 ] + +__insert_pending() allocate memory in atomic context, so the allocation +could fail, but we are not handling that failure now. It could lead +ext4_es_remove_extent() to get wrong reserved clusters, and the global +data blocks reservation count will be incorrect. The same to +extents_status entry preallocation, preallocate pending entry out of the +i_es_lock with __GFP_NOFAIL, make sure __insert_pending() and +__revise_pending() always succeeds. + +Signed-off-by: Zhang Yi +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230824092619.1327976-3-yi.zhang@huaweicloud.com +Reviewed-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/extents_status.c | 123 ++++++++++++++++++++++++++++----------- + 1 file changed, 89 insertions(+), 34 deletions(-) + +diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c +index 6c55ab427e650..cccbdfd49a86b 100644 +--- a/fs/ext4/extents_status.c ++++ b/fs/ext4/extents_status.c +@@ -152,8 +152,9 @@ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk, + static int es_reclaim_extents(struct ext4_inode_info *ei, int *nr_to_scan); + static int __es_shrink(struct ext4_sb_info *sbi, int nr_to_scan, + struct ext4_inode_info *locked_ei); +-static void __revise_pending(struct inode *inode, ext4_lblk_t lblk, +- ext4_lblk_t len); ++static int __revise_pending(struct inode *inode, ext4_lblk_t lblk, ++ ext4_lblk_t len, ++ struct pending_reservation **prealloc); + + int __init ext4_init_es(void) + { +@@ -450,6 +451,19 @@ static void ext4_es_list_del(struct inode *inode) + spin_unlock(&sbi->s_es_lock); + } + ++static inline struct pending_reservation *__alloc_pending(bool nofail) ++{ ++ if (!nofail) ++ return kmem_cache_alloc(ext4_pending_cachep, GFP_ATOMIC); ++ ++ return kmem_cache_zalloc(ext4_pending_cachep, GFP_KERNEL | __GFP_NOFAIL); ++} ++ ++static inline void __free_pending(struct pending_reservation *pr) ++{ ++ kmem_cache_free(ext4_pending_cachep, pr); ++} ++ + /* + * Returns true if we cannot fail to allocate memory for this extent_status + * entry and cannot reclaim it until its status changes. +@@ -841,11 +855,12 @@ int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk, + { + struct extent_status newes; + ext4_lblk_t end = lblk + len - 1; +- int err1 = 0; +- int err2 = 0; ++ int err1 = 0, err2 = 0, err3 = 0; + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); + struct extent_status *es1 = NULL; + struct extent_status *es2 = NULL; ++ struct pending_reservation *pr = NULL; ++ bool revise_pending = false; + + if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY) + return 0; +@@ -873,11 +888,17 @@ int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk, + + ext4_es_insert_extent_check(inode, &newes); + ++ revise_pending = sbi->s_cluster_ratio > 1 && ++ test_opt(inode->i_sb, DELALLOC) && ++ (status & (EXTENT_STATUS_WRITTEN | ++ EXTENT_STATUS_UNWRITTEN)); + retry: + if (err1 && !es1) + es1 = __es_alloc_extent(true); + if ((err1 || err2) && !es2) + es2 = __es_alloc_extent(true); ++ if ((err1 || err2 || err3) && revise_pending && !pr) ++ pr = __alloc_pending(true); + write_lock(&EXT4_I(inode)->i_es_lock); + + err1 = __es_remove_extent(inode, lblk, end, NULL, es1); +@@ -902,13 +923,18 @@ int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk, + es2 = NULL; + } + +- if (sbi->s_cluster_ratio > 1 && test_opt(inode->i_sb, DELALLOC) && +- (status & EXTENT_STATUS_WRITTEN || +- status & EXTENT_STATUS_UNWRITTEN)) +- __revise_pending(inode, lblk, len); ++ if (revise_pending) { ++ err3 = __revise_pending(inode, lblk, len, &pr); ++ if (err3 != 0) ++ goto error; ++ if (pr) { ++ __free_pending(pr); ++ pr = NULL; ++ } ++ } + error: + write_unlock(&EXT4_I(inode)->i_es_lock); +- if (err1 || err2) ++ if (err1 || err2 || err3) + goto retry; + + ext4_es_print_tree(inode); +@@ -1316,7 +1342,7 @@ static unsigned int get_rsvd(struct inode *inode, ext4_lblk_t end, + rc->ndelonly--; + node = rb_next(&pr->rb_node); + rb_erase(&pr->rb_node, &tree->root); +- kmem_cache_free(ext4_pending_cachep, pr); ++ __free_pending(pr); + if (!node) + break; + pr = rb_entry(node, struct pending_reservation, +@@ -1913,11 +1939,13 @@ static struct pending_reservation *__get_pending(struct inode *inode, + * + * @inode - file containing the cluster + * @lblk - logical block in the cluster to be added ++ * @prealloc - preallocated pending entry + * + * Returns 0 on successful insertion and -ENOMEM on failure. If the + * pending reservation is already in the set, returns successfully. + */ +-static int __insert_pending(struct inode *inode, ext4_lblk_t lblk) ++static int __insert_pending(struct inode *inode, ext4_lblk_t lblk, ++ struct pending_reservation **prealloc) + { + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); + struct ext4_pending_tree *tree = &EXT4_I(inode)->i_pending_tree; +@@ -1943,10 +1971,15 @@ static int __insert_pending(struct inode *inode, ext4_lblk_t lblk) + } + } + +- pr = kmem_cache_alloc(ext4_pending_cachep, GFP_ATOMIC); +- if (pr == NULL) { +- ret = -ENOMEM; +- goto out; ++ if (likely(*prealloc == NULL)) { ++ pr = __alloc_pending(false); ++ if (!pr) { ++ ret = -ENOMEM; ++ goto out; ++ } ++ } else { ++ pr = *prealloc; ++ *prealloc = NULL; + } + pr->lclu = lclu; + +@@ -1976,7 +2009,7 @@ static void __remove_pending(struct inode *inode, ext4_lblk_t lblk) + if (pr != NULL) { + tree = &EXT4_I(inode)->i_pending_tree; + rb_erase(&pr->rb_node, &tree->root); +- kmem_cache_free(ext4_pending_cachep, pr); ++ __free_pending(pr); + } + } + +@@ -2037,10 +2070,10 @@ int ext4_es_insert_delayed_block(struct inode *inode, ext4_lblk_t lblk, + bool allocated) + { + struct extent_status newes; +- int err1 = 0; +- int err2 = 0; ++ int err1 = 0, err2 = 0, err3 = 0; + struct extent_status *es1 = NULL; + struct extent_status *es2 = NULL; ++ struct pending_reservation *pr = NULL; + + if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY) + return 0; +@@ -2060,6 +2093,8 @@ int ext4_es_insert_delayed_block(struct inode *inode, ext4_lblk_t lblk, + es1 = __es_alloc_extent(true); + if ((err1 || err2) && !es2) + es2 = __es_alloc_extent(true); ++ if ((err1 || err2 || err3) && allocated && !pr) ++ pr = __alloc_pending(true); + write_lock(&EXT4_I(inode)->i_es_lock); + + err1 = __es_remove_extent(inode, lblk, lblk, NULL, es1); +@@ -2082,11 +2117,18 @@ int ext4_es_insert_delayed_block(struct inode *inode, ext4_lblk_t lblk, + es2 = NULL; + } + +- if (allocated) +- __insert_pending(inode, lblk); ++ if (allocated) { ++ err3 = __insert_pending(inode, lblk, &pr); ++ if (err3 != 0) ++ goto error; ++ if (pr) { ++ __free_pending(pr); ++ pr = NULL; ++ } ++ } + error: + write_unlock(&EXT4_I(inode)->i_es_lock); +- if (err1 || err2) ++ if (err1 || err2 || err3) + goto retry; + + ext4_es_print_tree(inode); +@@ -2192,21 +2234,24 @@ unsigned int ext4_es_delayed_clu(struct inode *inode, ext4_lblk_t lblk, + * @inode - file containing the range + * @lblk - logical block defining the start of range + * @len - length of range in blocks ++ * @prealloc - preallocated pending entry + * + * Used after a newly allocated extent is added to the extents status tree. + * Requires that the extents in the range have either written or unwritten + * status. Must be called while holding i_es_lock. + */ +-static void __revise_pending(struct inode *inode, ext4_lblk_t lblk, +- ext4_lblk_t len) ++static int __revise_pending(struct inode *inode, ext4_lblk_t lblk, ++ ext4_lblk_t len, ++ struct pending_reservation **prealloc) + { + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); + ext4_lblk_t end = lblk + len - 1; + ext4_lblk_t first, last; + bool f_del = false, l_del = false; ++ int ret = 0; + + if (len == 0) +- return; ++ return 0; + + /* + * Two cases - block range within single cluster and block range +@@ -2227,7 +2272,9 @@ static void __revise_pending(struct inode *inode, ext4_lblk_t lblk, + f_del = __es_scan_range(inode, &ext4_es_is_delonly, + first, lblk - 1); + if (f_del) { +- __insert_pending(inode, first); ++ ret = __insert_pending(inode, first, prealloc); ++ if (ret < 0) ++ goto out; + } else { + last = EXT4_LBLK_CMASK(sbi, end) + + sbi->s_cluster_ratio - 1; +@@ -2235,9 +2282,11 @@ static void __revise_pending(struct inode *inode, ext4_lblk_t lblk, + l_del = __es_scan_range(inode, + &ext4_es_is_delonly, + end + 1, last); +- if (l_del) +- __insert_pending(inode, last); +- else ++ if (l_del) { ++ ret = __insert_pending(inode, last, prealloc); ++ if (ret < 0) ++ goto out; ++ } else + __remove_pending(inode, last); + } + } else { +@@ -2245,18 +2294,24 @@ static void __revise_pending(struct inode *inode, ext4_lblk_t lblk, + if (first != lblk) + f_del = __es_scan_range(inode, &ext4_es_is_delonly, + first, lblk - 1); +- if (f_del) +- __insert_pending(inode, first); +- else ++ if (f_del) { ++ ret = __insert_pending(inode, first, prealloc); ++ if (ret < 0) ++ goto out; ++ } else + __remove_pending(inode, first); + + last = EXT4_LBLK_CMASK(sbi, end) + sbi->s_cluster_ratio - 1; + if (last != end) + l_del = __es_scan_range(inode, &ext4_es_is_delonly, + end + 1, last); +- if (l_del) +- __insert_pending(inode, last); +- else ++ if (l_del) { ++ ret = __insert_pending(inode, last, prealloc); ++ if (ret < 0) ++ goto out; ++ } else + __remove_pending(inode, last); + } ++out: ++ return ret; + } +-- +2.42.0 + diff --git a/queue-5.15/ext4-use-pre-allocated-es-in-__es_insert_extent.patch b/queue-5.15/ext4-use-pre-allocated-es-in-__es_insert_extent.patch new file mode 100644 index 00000000000..395b63f70d6 --- /dev/null +++ b/queue-5.15/ext4-use-pre-allocated-es-in-__es_insert_extent.patch @@ -0,0 +1,99 @@ +From 295a1afaaee5f8f997d64a0cbeed47e40c10c151 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 11:38:38 +0800 +Subject: ext4: use pre-allocated es in __es_insert_extent() + +From: Baokun Li + +[ Upstream commit 95f0b320339a977cf69872eac107122bf536775d ] + +Pass a extent_status pointer prealloc to __es_insert_extent(). If the +pointer is non-null, it is used directly when a new extent_status is +needed to avoid memory allocation failures. + +Suggested-by: Jan Kara +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230424033846.4732-5-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail") +Signed-off-by: Sasha Levin +--- + fs/ext4/extents_status.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c +index 012033db41062..0d810ce7580d1 100644 +--- a/fs/ext4/extents_status.c ++++ b/fs/ext4/extents_status.c +@@ -144,7 +144,8 @@ + static struct kmem_cache *ext4_es_cachep; + static struct kmem_cache *ext4_pending_cachep; + +-static int __es_insert_extent(struct inode *inode, struct extent_status *newes); ++static int __es_insert_extent(struct inode *inode, struct extent_status *newes, ++ struct extent_status *prealloc); + static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk, + ext4_lblk_t end, int *reserved); + static int es_reclaim_extents(struct ext4_inode_info *ei, int *nr_to_scan); +@@ -769,7 +770,8 @@ static inline void ext4_es_insert_extent_check(struct inode *inode, + } + #endif + +-static int __es_insert_extent(struct inode *inode, struct extent_status *newes) ++static int __es_insert_extent(struct inode *inode, struct extent_status *newes, ++ struct extent_status *prealloc) + { + struct ext4_es_tree *tree = &EXT4_I(inode)->i_es_tree; + struct rb_node **p = &tree->root.rb_node; +@@ -809,7 +811,10 @@ static int __es_insert_extent(struct inode *inode, struct extent_status *newes) + } + } + +- es = __es_alloc_extent(false); ++ if (prealloc) ++ es = prealloc; ++ else ++ es = __es_alloc_extent(false); + if (!es) + return -ENOMEM; + ext4_es_init_extent(inode, es, newes->es_lblk, newes->es_len, +@@ -869,7 +874,7 @@ int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk, + if (err != 0) + goto error; + retry: +- err = __es_insert_extent(inode, &newes); ++ err = __es_insert_extent(inode, &newes, NULL); + if (err == -ENOMEM && __es_shrink(EXT4_SB(inode->i_sb), + 128, EXT4_I(inode))) + goto retry; +@@ -919,7 +924,7 @@ void ext4_es_cache_extent(struct inode *inode, ext4_lblk_t lblk, + + es = __es_tree_search(&EXT4_I(inode)->i_es_tree.root, lblk); + if (!es || es->es_lblk > end) +- __es_insert_extent(inode, &newes); ++ __es_insert_extent(inode, &newes, NULL); + write_unlock(&EXT4_I(inode)->i_es_lock); + } + +@@ -1365,7 +1370,7 @@ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk, + orig_es.es_len - len2; + ext4_es_store_pblock_status(&newes, block, + ext4_es_status(&orig_es)); +- err = __es_insert_extent(inode, &newes); ++ err = __es_insert_extent(inode, &newes, NULL); + if (err) { + es->es_lblk = orig_es.es_lblk; + es->es_len = orig_es.es_len; +@@ -2020,7 +2025,7 @@ int ext4_es_insert_delayed_block(struct inode *inode, ext4_lblk_t lblk, + if (err != 0) + goto error; + retry: +- err = __es_insert_extent(inode, &newes); ++ err = __es_insert_extent(inode, &newes, NULL); + if (err == -ENOMEM && __es_shrink(EXT4_SB(inode->i_sb), + 128, EXT4_I(inode))) + goto retry; +-- +2.42.0 + diff --git a/queue-5.15/ext4-use-pre-allocated-es-in-__es_remove_extent.patch b/queue-5.15/ext4-use-pre-allocated-es-in-__es_remove_extent.patch new file mode 100644 index 00000000000..f8f96da5af6 --- /dev/null +++ b/queue-5.15/ext4-use-pre-allocated-es-in-__es_remove_extent.patch @@ -0,0 +1,127 @@ +From b673cbde8bde03735cf6049935a49becc784ffe8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 11:38:39 +0800 +Subject: ext4: use pre-allocated es in __es_remove_extent() + +From: Baokun Li + +[ Upstream commit bda3efaf774fb687c2b7a555aaec3006b14a8857 ] + +When splitting extent, if the second extent can not be dropped, we return +-ENOMEM and use GFP_NOFAIL to preallocate an extent_status outside of +i_es_lock and pass it to __es_remove_extent() to be used as the second +extent. This ensures that __es_remove_extent() is executed successfully, +thus ensuring consistency in the extent status tree. If the second extent +is not undroppable, we simply drop it and return 0. Then retry is no longer +necessary, remove it. + +Now, __es_remove_extent() will always remove what it should, maybe more. + +Suggested-by: Jan Kara +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230424033846.4732-6-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail") +Signed-off-by: Sasha Levin +--- + fs/ext4/extents_status.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c +index 0d810ce7580d1..10550d62a6763 100644 +--- a/fs/ext4/extents_status.c ++++ b/fs/ext4/extents_status.c +@@ -147,7 +147,8 @@ static struct kmem_cache *ext4_pending_cachep; + static int __es_insert_extent(struct inode *inode, struct extent_status *newes, + struct extent_status *prealloc); + static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk, +- ext4_lblk_t end, int *reserved); ++ ext4_lblk_t end, int *reserved, ++ struct extent_status *prealloc); + static int es_reclaim_extents(struct ext4_inode_info *ei, int *nr_to_scan); + static int __es_shrink(struct ext4_sb_info *sbi, int nr_to_scan, + struct ext4_inode_info *locked_ei); +@@ -870,7 +871,7 @@ int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk, + ext4_es_insert_extent_check(inode, &newes); + + write_lock(&EXT4_I(inode)->i_es_lock); +- err = __es_remove_extent(inode, lblk, end, NULL); ++ err = __es_remove_extent(inode, lblk, end, NULL, NULL); + if (err != 0) + goto error; + retry: +@@ -1314,6 +1315,7 @@ static unsigned int get_rsvd(struct inode *inode, ext4_lblk_t end, + * @lblk - first block in range + * @end - last block in range + * @reserved - number of cluster reservations released ++ * @prealloc - pre-allocated es to avoid memory allocation failures + * + * If @reserved is not NULL and delayed allocation is enabled, counts + * block/cluster reservations freed by removing range and if bigalloc +@@ -1321,7 +1323,8 @@ static unsigned int get_rsvd(struct inode *inode, ext4_lblk_t end, + * error code on failure. + */ + static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk, +- ext4_lblk_t end, int *reserved) ++ ext4_lblk_t end, int *reserved, ++ struct extent_status *prealloc) + { + struct ext4_es_tree *tree = &EXT4_I(inode)->i_es_tree; + struct rb_node *node; +@@ -1329,14 +1332,12 @@ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk, + struct extent_status orig_es; + ext4_lblk_t len1, len2; + ext4_fsblk_t block; +- int err; ++ int err = 0; + bool count_reserved = true; + struct rsvd_count rc; + + if (reserved == NULL || !test_opt(inode->i_sb, DELALLOC)) + count_reserved = false; +-retry: +- err = 0; + + es = __es_tree_search(&tree->root, lblk); + if (!es) +@@ -1370,14 +1371,13 @@ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk, + orig_es.es_len - len2; + ext4_es_store_pblock_status(&newes, block, + ext4_es_status(&orig_es)); +- err = __es_insert_extent(inode, &newes, NULL); ++ err = __es_insert_extent(inode, &newes, prealloc); + if (err) { ++ if (!ext4_es_must_keep(&newes)) ++ return 0; ++ + es->es_lblk = orig_es.es_lblk; + es->es_len = orig_es.es_len; +- if ((err == -ENOMEM) && +- __es_shrink(EXT4_SB(inode->i_sb), +- 128, EXT4_I(inode))) +- goto retry; + goto out; + } + } else { +@@ -1477,7 +1477,7 @@ int ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk, + * is reclaimed. + */ + write_lock(&EXT4_I(inode)->i_es_lock); +- err = __es_remove_extent(inode, lblk, end, &reserved); ++ err = __es_remove_extent(inode, lblk, end, &reserved, NULL); + write_unlock(&EXT4_I(inode)->i_es_lock); + ext4_es_print_tree(inode); + ext4_da_release_space(inode, reserved); +@@ -2021,7 +2021,7 @@ int ext4_es_insert_delayed_block(struct inode *inode, ext4_lblk_t lblk, + + write_lock(&EXT4_I(inode)->i_es_lock); + +- err = __es_remove_extent(inode, lblk, lblk, NULL); ++ err = __es_remove_extent(inode, lblk, lblk, NULL, NULL); + if (err != 0) + goto error; + retry: +-- +2.42.0 + diff --git a/queue-5.15/ext4-using-nofail-preallocation-in-ext4_es_insert_de.patch b/queue-5.15/ext4-using-nofail-preallocation-in-ext4_es_insert_de.patch new file mode 100644 index 00000000000..12c4aca3437 --- /dev/null +++ b/queue-5.15/ext4-using-nofail-preallocation-in-ext4_es_insert_de.patch @@ -0,0 +1,91 @@ +From bd61f6478c8dc17613736fd425a59885ae733326 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 11:38:41 +0800 +Subject: ext4: using nofail preallocation in ext4_es_insert_delayed_block() + +From: Baokun Li + +[ Upstream commit 4a2d98447b37bcb68a7f06a1078edcb4f7e6ce7e ] + +Similar to in ext4_es_remove_extent(), we use a no-fail preallocation +to avoid inconsistencies, except that here we may have to preallocate +two extent_status. + +Suggested-by: Jan Kara +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230424033846.4732-8-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail") +Signed-off-by: Sasha Levin +--- + fs/ext4/extents_status.c | 33 ++++++++++++++++++++++----------- + 1 file changed, 22 insertions(+), 11 deletions(-) + +diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c +index 4af825eb0cb45..4163a4801f969 100644 +--- a/fs/ext4/extents_status.c ++++ b/fs/ext4/extents_status.c +@@ -2013,7 +2013,10 @@ int ext4_es_insert_delayed_block(struct inode *inode, ext4_lblk_t lblk, + bool allocated) + { + struct extent_status newes; +- int err = 0; ++ int err1 = 0; ++ int err2 = 0; ++ struct extent_status *es1 = NULL; ++ struct extent_status *es2 = NULL; + + if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY) + return 0; +@@ -2028,29 +2031,37 @@ int ext4_es_insert_delayed_block(struct inode *inode, ext4_lblk_t lblk, + + ext4_es_insert_extent_check(inode, &newes); + ++retry: ++ if (err1 && !es1) ++ es1 = __es_alloc_extent(true); ++ if ((err1 || err2) && !es2) ++ es2 = __es_alloc_extent(true); + write_lock(&EXT4_I(inode)->i_es_lock); + +- err = __es_remove_extent(inode, lblk, lblk, NULL, NULL); +- if (err != 0) ++ err1 = __es_remove_extent(inode, lblk, lblk, NULL, es1); ++ if (err1 != 0) + goto error; +-retry: +- err = __es_insert_extent(inode, &newes, NULL); +- if (err == -ENOMEM && __es_shrink(EXT4_SB(inode->i_sb), +- 128, EXT4_I(inode))) +- goto retry; +- if (err != 0) ++ ++ err2 = __es_insert_extent(inode, &newes, es2); ++ if (err2 != 0) + goto error; + + if (allocated) + __insert_pending(inode, lblk); + ++ /* es is pre-allocated but not used, free it. */ ++ if (es1 && !es1->es_len) ++ __es_free_extent(es1); ++ if (es2 && !es2->es_len) ++ __es_free_extent(es2); + error: + write_unlock(&EXT4_I(inode)->i_es_lock); ++ if (err1 || err2) ++ goto retry; + + ext4_es_print_tree(inode); + ext4_print_pending_tree(inode); +- +- return err; ++ return 0; + } + + /* +-- +2.42.0 + diff --git a/queue-5.15/ext4-using-nofail-preallocation-in-ext4_es_insert_ex.patch b/queue-5.15/ext4-using-nofail-preallocation-in-ext4_es_insert_ex.patch new file mode 100644 index 00000000000..bef814730d4 --- /dev/null +++ b/queue-5.15/ext4-using-nofail-preallocation-in-ext4_es_insert_ex.patch @@ -0,0 +1,96 @@ +From 6a7ddfa60c78e553ebe22b987a4b8c9788ba2080 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 11:38:42 +0800 +Subject: ext4: using nofail preallocation in ext4_es_insert_extent() + +From: Baokun Li + +[ Upstream commit 2a69c450083db164596c75c0f5b4d9c4c0e18eba ] + +Similar to in ext4_es_insert_delayed_block(), we use preallocations that +do not fail to avoid inconsistencies, but we do not care about es that are +not must be kept, and we return 0 even if such es memory allocation fails. + +Suggested-by: Jan Kara +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230424033846.4732-9-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail") +Signed-off-by: Sasha Levin +--- + fs/ext4/extents_status.c | 38 ++++++++++++++++++++++++++------------ + 1 file changed, 26 insertions(+), 12 deletions(-) + +diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c +index 4163a4801f969..1327cd9505db7 100644 +--- a/fs/ext4/extents_status.c ++++ b/fs/ext4/extents_status.c +@@ -841,8 +841,11 @@ int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk, + { + struct extent_status newes; + ext4_lblk_t end = lblk + len - 1; +- int err = 0; ++ int err1 = 0; ++ int err2 = 0; + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); ++ struct extent_status *es1 = NULL; ++ struct extent_status *es2 = NULL; + + if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY) + return 0; +@@ -870,29 +873,40 @@ int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk, + + ext4_es_insert_extent_check(inode, &newes); + ++retry: ++ if (err1 && !es1) ++ es1 = __es_alloc_extent(true); ++ if ((err1 || err2) && !es2) ++ es2 = __es_alloc_extent(true); + write_lock(&EXT4_I(inode)->i_es_lock); +- err = __es_remove_extent(inode, lblk, end, NULL, NULL); +- if (err != 0) ++ ++ err1 = __es_remove_extent(inode, lblk, end, NULL, es1); ++ if (err1 != 0) ++ goto error; ++ ++ err2 = __es_insert_extent(inode, &newes, es2); ++ if (err2 == -ENOMEM && !ext4_es_must_keep(&newes)) ++ err2 = 0; ++ if (err2 != 0) + goto error; +-retry: +- err = __es_insert_extent(inode, &newes, NULL); +- if (err == -ENOMEM && __es_shrink(EXT4_SB(inode->i_sb), +- 128, EXT4_I(inode))) +- goto retry; +- if (err == -ENOMEM && !ext4_es_must_keep(&newes)) +- err = 0; + + if (sbi->s_cluster_ratio > 1 && test_opt(inode->i_sb, DELALLOC) && + (status & EXTENT_STATUS_WRITTEN || + status & EXTENT_STATUS_UNWRITTEN)) + __revise_pending(inode, lblk, len); + ++ /* es is pre-allocated but not used, free it. */ ++ if (es1 && !es1->es_len) ++ __es_free_extent(es1); ++ if (es2 && !es2->es_len) ++ __es_free_extent(es2); + error: + write_unlock(&EXT4_I(inode)->i_es_lock); ++ if (err1 || err2) ++ goto retry; + + ext4_es_print_tree(inode); +- +- return err; ++ return 0; + } + + /* +-- +2.42.0 + diff --git a/queue-5.15/ext4-using-nofail-preallocation-in-ext4_es_remove_ex.patch b/queue-5.15/ext4-using-nofail-preallocation-in-ext4_es_remove_ex.patch new file mode 100644 index 00000000000..15f35c29ece --- /dev/null +++ b/queue-5.15/ext4-using-nofail-preallocation-in-ext4_es_remove_ex.patch @@ -0,0 +1,74 @@ +From 221a9154e12c49ccdd40c8f7594625f51c1dd608 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 11:38:40 +0800 +Subject: ext4: using nofail preallocation in ext4_es_remove_extent() + +From: Baokun Li + +[ Upstream commit e9fe2b882bd5b26b987c9ba110c2222796f72af5 ] + +If __es_remove_extent() returns an error it means that when splitting +extent, allocating an extent that must be kept failed, where returning +an error directly would cause the extent tree to be inconsistent. So we +use GFP_NOFAIL to pre-allocate an extent_status and pass it to +__es_remove_extent() to avoid this problem. + +In addition, since the allocated memory is outside the i_es_lock, the +extent_status tree may change and the pre-allocated extent_status is +no longer needed, so we release the pre-allocated extent_status when +es->es_len is not initialized. + +Suggested-by: Jan Kara +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230424033846.4732-7-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail") +Signed-off-by: Sasha Levin +--- + fs/ext4/extents_status.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c +index 10550d62a6763..4af825eb0cb45 100644 +--- a/fs/ext4/extents_status.c ++++ b/fs/ext4/extents_status.c +@@ -1457,6 +1457,7 @@ int ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk, + ext4_lblk_t end; + int err = 0; + int reserved = 0; ++ struct extent_status *es = NULL; + + if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY) + return 0; +@@ -1471,17 +1472,25 @@ int ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk, + end = lblk + len - 1; + BUG_ON(end < lblk); + ++retry: ++ if (err && !es) ++ es = __es_alloc_extent(true); + /* + * ext4_clear_inode() depends on us taking i_es_lock unconditionally + * so that we are sure __es_shrink() is done with the inode before it + * is reclaimed. + */ + write_lock(&EXT4_I(inode)->i_es_lock); +- err = __es_remove_extent(inode, lblk, end, &reserved, NULL); ++ err = __es_remove_extent(inode, lblk, end, &reserved, es); ++ if (es && !es->es_len) ++ __es_free_extent(es); + write_unlock(&EXT4_I(inode)->i_es_lock); ++ if (err) ++ goto retry; ++ + ext4_es_print_tree(inode); + ext4_da_release_space(inode, reserved); +- return err; ++ return 0; + } + + static int __es_shrink(struct ext4_sb_info *sbi, int nr_to_scan, +-- +2.42.0 + diff --git a/queue-5.15/hid-core-store-the-unique-system-identifier-in-hid_d.patch b/queue-5.15/hid-core-store-the-unique-system-identifier-in-hid_d.patch new file mode 100644 index 00000000000..08376e4f28a --- /dev/null +++ b/queue-5.15/hid-core-store-the-unique-system-identifier-in-hid_d.patch @@ -0,0 +1,60 @@ +From 9fc8f1117cb811b82494e066c45dfb9c212f6e6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 15:29:23 +0200 +Subject: HID: core: store the unique system identifier in hid_device + +From: Benjamin Tissoires + +[ Upstream commit 1e839143d674603b0bbbc4c513bca35404967dbc ] + +This unique identifier is currently used only for ensuring uniqueness in +sysfs. However, this could be handful for userspace to refer to a specific +hid_device by this id. + +2 use cases are in my mind: LEDs (and their naming convention), and +HID-BPF. + +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Benjamin Tissoires +Link: https://lore.kernel.org/r/20220902132938.2409206-9-benjamin.tissoires@redhat.com +Stable-dep-of: fc43e9c857b7 ("HID: fix HID device resource race between HID core and debugging support") +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-core.c | 4 +++- + include/linux/hid.h | 2 ++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index d941023c56289..35046adf1294e 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -2442,10 +2442,12 @@ int hid_add_device(struct hid_device *hdev) + hid_warn(hdev, "bad device descriptor (%d)\n", ret); + } + ++ hdev->id = atomic_inc_return(&id); ++ + /* XXX hack, any other cleaner solution after the driver core + * is converted to allow more than 20 bytes as the device name? */ + dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus, +- hdev->vendor, hdev->product, atomic_inc_return(&id)); ++ hdev->vendor, hdev->product, hdev->id); + + hid_debug_register(hdev, dev_name(&hdev->dev)); + ret = device_add(&hdev->dev); +diff --git a/include/linux/hid.h b/include/linux/hid.h +index c3478e396829e..4fa40d2e821f2 100644 +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -630,6 +630,8 @@ struct hid_device { /* device report descriptor */ + struct list_head debug_list; + spinlock_t debug_list_lock; + wait_queue_head_t debug_wait; ++ ++ unsigned int id; /* system unique id */ + }; + + #define to_hid_device(pdev) \ +-- +2.42.0 + diff --git a/queue-5.15/hid-fix-hid-device-resource-race-between-hid-core-an.patch b/queue-5.15/hid-fix-hid-device-resource-race-between-hid-core-an.patch new file mode 100644 index 00000000000..ff8a3269cbf --- /dev/null +++ b/queue-5.15/hid-fix-hid-device-resource-race-between-hid-core-an.patch @@ -0,0 +1,149 @@ +From 10704522fb58e81002be8efd4946b23ab70ff73a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Oct 2023 12:32:39 +0800 +Subject: HID: fix HID device resource race between HID core and debugging + support + +From: Charles Yi + +[ Upstream commit fc43e9c857b7aa55efba9398419b14d9e35dcc7d ] + +hid_debug_events_release releases resources bound to the HID device instance. +hid_device_release releases the underlying HID device instance potentially +before hid_debug_events_release has completed releasing debug resources bound +to the same HID device instance. + +Reference count to prevent the HID device instance from being torn down +preemptively when HID debugging support is used. When count reaches zero, +release core resources of HID device instance using hiddev_free. + +The crash: + +[ 120.728477][ T4396] kernel BUG at lib/list_debug.c:53! +[ 120.728505][ T4396] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP +[ 120.739806][ T4396] Modules linked in: bcmdhd dhd_static_buf 8822cu pcie_mhi r8168 +[ 120.747386][ T4396] CPU: 1 PID: 4396 Comm: hidt_bridge Not tainted 5.10.110 #257 +[ 120.754771][ T4396] Hardware name: Rockchip RK3588 EVB4 LP4 V10 Board (DT) +[ 120.761643][ T4396] pstate: 60400089 (nZCv daIf +PAN -UAO -TCO BTYPE=--) +[ 120.768338][ T4396] pc : __list_del_entry_valid+0x98/0xac +[ 120.773730][ T4396] lr : __list_del_entry_valid+0x98/0xac +[ 120.779120][ T4396] sp : ffffffc01e62bb60 +[ 120.783126][ T4396] x29: ffffffc01e62bb60 x28: ffffff818ce3a200 +[ 120.789126][ T4396] x27: 0000000000000009 x26: 0000000000980000 +[ 120.795126][ T4396] x25: ffffffc012431000 x24: ffffff802c6d4e00 +[ 120.801125][ T4396] x23: ffffff8005c66f00 x22: ffffffc01183b5b8 +[ 120.807125][ T4396] x21: ffffff819df2f100 x20: 0000000000000000 +[ 120.813124][ T4396] x19: ffffff802c3f0700 x18: ffffffc01d2cd058 +[ 120.819124][ T4396] x17: 0000000000000000 x16: 0000000000000000 +[ 120.825124][ T4396] x15: 0000000000000004 x14: 0000000000003fff +[ 120.831123][ T4396] x13: ffffffc012085588 x12: 0000000000000003 +[ 120.837123][ T4396] x11: 00000000ffffbfff x10: 0000000000000003 +[ 120.843123][ T4396] x9 : 455103d46b329300 x8 : 455103d46b329300 +[ 120.849124][ T4396] x7 : 74707572726f6320 x6 : ffffffc0124b8cb5 +[ 120.855124][ T4396] x5 : ffffffffffffffff x4 : 0000000000000000 +[ 120.861123][ T4396] x3 : ffffffc011cf4f90 x2 : ffffff81fee7b948 +[ 120.867122][ T4396] x1 : ffffffc011cf4f90 x0 : 0000000000000054 +[ 120.873122][ T4396] Call trace: +[ 120.876259][ T4396] __list_del_entry_valid+0x98/0xac +[ 120.881304][ T4396] hid_debug_events_release+0x48/0x12c +[ 120.886617][ T4396] full_proxy_release+0x50/0xbc +[ 120.891323][ T4396] __fput+0xdc/0x238 +[ 120.895075][ T4396] ____fput+0x14/0x24 +[ 120.898911][ T4396] task_work_run+0x90/0x148 +[ 120.903268][ T4396] do_exit+0x1bc/0x8a4 +[ 120.907193][ T4396] do_group_exit+0x8c/0xa4 +[ 120.911458][ T4396] get_signal+0x468/0x744 +[ 120.915643][ T4396] do_signal+0x84/0x280 +[ 120.919650][ T4396] do_notify_resume+0xd0/0x218 +[ 120.924262][ T4396] work_pending+0xc/0x3f0 + +[ Rahul Rameshbabu : rework changelog ] +Fixes: cd667ce24796 ("HID: use debugfs for events/reports dumping") +Signed-off-by: Charles Yi +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-core.c | 12 ++++++++++-- + drivers/hid/hid-debug.c | 3 +++ + include/linux/hid.h | 3 +++ + 3 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 35046adf1294e..7b76405df8c47 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -702,15 +702,22 @@ static void hid_close_report(struct hid_device *device) + * Free a device structure, all reports, and all fields. + */ + +-static void hid_device_release(struct device *dev) ++void hiddev_free(struct kref *ref) + { +- struct hid_device *hid = to_hid_device(dev); ++ struct hid_device *hid = container_of(ref, struct hid_device, ref); + + hid_close_report(hid); + kfree(hid->dev_rdesc); + kfree(hid); + } + ++static void hid_device_release(struct device *dev) ++{ ++ struct hid_device *hid = to_hid_device(dev); ++ ++ kref_put(&hid->ref, hiddev_free); ++} ++ + /* + * Fetch a report description item from the data stream. We support long + * items, though they are not used yet. +@@ -2490,6 +2497,7 @@ struct hid_device *hid_allocate_device(void) + spin_lock_init(&hdev->debug_list_lock); + sema_init(&hdev->driver_input_lock, 1); + mutex_init(&hdev->ll_open_lock); ++ kref_init(&hdev->ref); + + return hdev; + } +diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c +index 03da865e423c7..b8274bdd7d27f 100644 +--- a/drivers/hid/hid-debug.c ++++ b/drivers/hid/hid-debug.c +@@ -1096,6 +1096,7 @@ static int hid_debug_events_open(struct inode *inode, struct file *file) + goto out; + } + list->hdev = (struct hid_device *) inode->i_private; ++ kref_get(&list->hdev->ref); + file->private_data = list; + mutex_init(&list->read_mutex); + +@@ -1188,6 +1189,8 @@ static int hid_debug_events_release(struct inode *inode, struct file *file) + list_del(&list->node); + spin_unlock_irqrestore(&list->hdev->debug_list_lock, flags); + kfifo_free(&list->hid_debug_fifo); ++ ++ kref_put(&list->hdev->ref, hiddev_free); + kfree(list); + + return 0; +diff --git a/include/linux/hid.h b/include/linux/hid.h +index 4fa40d2e821f2..ad97435d8e01d 100644 +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -630,10 +630,13 @@ struct hid_device { /* device report descriptor */ + struct list_head debug_list; + spinlock_t debug_list_lock; + wait_queue_head_t debug_wait; ++ struct kref ref; + + unsigned int id; /* system unique id */ + }; + ++void hiddev_free(struct kref *ref); ++ + #define to_hid_device(pdev) \ + container_of(pdev, struct hid_device, dev) + +-- +2.42.0 + diff --git a/queue-5.15/ipv4-correct-silence-an-endian-warning-in-__ip_do_re.patch b/queue-5.15/ipv4-correct-silence-an-endian-warning-in-__ip_do_re.patch new file mode 100644 index 00000000000..9bafea3f050 --- /dev/null +++ b/queue-5.15/ipv4-correct-silence-an-endian-warning-in-__ip_do_re.patch @@ -0,0 +1,39 @@ +From 8a4091712a7e2bdc91c7dac0990d5111ecdba0d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Nov 2023 22:17:59 +0800 +Subject: ipv4: Correct/silence an endian warning in __ip_do_redirect + +From: Kunwu Chan + +[ Upstream commit c0e2926266af3b5acf28df0a8fc6e4d90effe0bb ] + +net/ipv4/route.c:783:46: warning: incorrect type in argument 2 (different base types) +net/ipv4/route.c:783:46: expected unsigned int [usertype] key +net/ipv4/route.c:783:46: got restricted __be32 [usertype] new_gw + +Fixes: 969447f226b4 ("ipv4: use new_gw for redirect neigh lookup") +Suggested-by: Eric Dumazet +Signed-off-by: Kunwu Chan +Link: https://lore.kernel.org/r/20231119141759.420477-1-chentao@kylinos.cn +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index ea5329cb0fce2..12c59d700942f 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -786,7 +786,7 @@ static void __ip_do_redirect(struct rtable *rt, struct sk_buff *skb, struct flow + goto reject_redirect; + } + +- n = __ipv4_neigh_lookup(rt->dst.dev, new_gw); ++ n = __ipv4_neigh_lookup(rt->dst.dev, (__force u32)new_gw); + if (!n) + n = neigh_create(&arp_tbl, &new_gw, rt->dst.dev); + if (!IS_ERR(n)) { +-- +2.42.0 + diff --git a/queue-5.15/lockdep-fix-block-chain-corruption.patch b/queue-5.15/lockdep-fix-block-chain-corruption.patch new file mode 100644 index 00000000000..fd58f282fa7 --- /dev/null +++ b/queue-5.15/lockdep-fix-block-chain-corruption.patch @@ -0,0 +1,52 @@ +From b27368bd6507bbe1de51580967bbc3fb3b61b89e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 12:41:26 +0100 +Subject: lockdep: Fix block chain corruption + +From: Peter Zijlstra + +[ Upstream commit bca4104b00fec60be330cd32818dd5c70db3d469 ] + +Kent reported an occasional KASAN splat in lockdep. Mark then noted: + +> I suspect the dodgy access is to chain_block_buckets[-1], which hits the last 4 +> bytes of the redzone and gets (incorrectly/misleadingly) attributed to +> nr_large_chain_blocks. + +That would mean @size == 0, at which point size_to_bucket() returns -1 +and the above happens. + +alloc_chain_hlocks() has 'size - req', for the first with the +precondition 'size >= rq', which allows the 0. + +This code is trying to split a block, del_chain_block() takes what we +need, and add_chain_block() puts back the remainder, except in the +above case the remainder is 0 sized and things go sideways. + +Fixes: 810507fe6fd5 ("locking/lockdep: Reuse freed chain_hlocks entries") +Reported-by: Kent Overstreet +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Kent Overstreet +Link: https://lkml.kernel.org/r/20231121114126.GH8262@noisy.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + kernel/locking/lockdep.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c +index e6a282bc16652..770ff5bf14878 100644 +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -3416,7 +3416,8 @@ static int alloc_chain_hlocks(int req) + size = chain_block_size(curr); + if (likely(size >= req)) { + del_chain_block(0, size, chain_block_next(curr)); +- add_chain_block(curr + req, size - req); ++ if (size > req) ++ add_chain_block(curr + req, size - req); + return curr; + } + } +-- +2.42.0 + diff --git a/queue-5.15/media-camss-replace-hard-coded-value-with-parameter.patch b/queue-5.15/media-camss-replace-hard-coded-value-with-parameter.patch new file mode 100644 index 00000000000..91eca6bcafc --- /dev/null +++ b/queue-5.15/media-camss-replace-hard-coded-value-with-parameter.patch @@ -0,0 +1,42 @@ +From ddb1498832c71883c203ff626b38540cb668a8db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Mar 2022 11:35:30 +0530 +Subject: media: camss: Replace hard coded value with parameter + +From: Souptick Joarder (HPE) + +[ Upstream commit a312f8982632fb1a882a8dc3c9fd127d082c1c02 ] + +Kernel test robot reported below warning -> +drivers/media/platform/qcom/camss/camss-csid-gen2.c:407:3: +warning: Value stored to 'val' is never read +[clang-analyzer-deadcode.DeadStores] + +Replace hard coded value with val. + +Reported-by: kernel test robot +Signed-off-by: Souptick Joarder (HPE) +Reviewed-by: Robert Foss +Signed-off-by: Hans Verkuil +Stable-dep-of: e655d1ae9703 ("media: qcom: camss: Fix set CSI2_RX_CFG1_VC_MODE when VC is greater than 3") +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/camss/camss-csid-170.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/qcom/camss/camss-csid-170.c b/drivers/media/platform/qcom/camss/camss-csid-170.c +index 82f59933ad7b3..c234b8d67bc59 100644 +--- a/drivers/media/platform/qcom/camss/camss-csid-170.c ++++ b/drivers/media/platform/qcom/camss/camss-csid-170.c +@@ -398,7 +398,7 @@ static void csid_configure_stream(struct csid_device *csid, u8 enable) + writel_relaxed(val, csid->base + CSID_RDI_FRM_DROP_PERIOD(0)); + + val = 0; +- writel_relaxed(0, csid->base + CSID_RDI_FRM_DROP_PATTERN(0)); ++ writel_relaxed(val, csid->base + CSID_RDI_FRM_DROP_PATTERN(0)); + + val = 1; + writel_relaxed(val, csid->base + CSID_RDI_IRQ_SUBSAMPLE_PERIOD(0)); +-- +2.42.0 + diff --git a/queue-5.15/media-camss-sm8250-virtual-channels-for-csid.patch b/queue-5.15/media-camss-sm8250-virtual-channels-for-csid.patch new file mode 100644 index 00000000000..a8582050814 --- /dev/null +++ b/queue-5.15/media-camss-sm8250-virtual-channels-for-csid.patch @@ -0,0 +1,307 @@ +From 3ab3b7c95c9db7b8daddff7a3ac61dc81394071d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Dec 2022 11:40:34 +0200 +Subject: media: camss: sm8250: Virtual channels for CSID + +From: Milen Mitkov + +[ Upstream commit 3c4ed72a16bc6733cda9c65048af74a2e8eaa0eb ] + +CSID hardware on SM8250 can demux up to 4 simultaneous streams +based on virtual channel (vc) or datatype (dt). +The CSID subdevice entity now has 4 source ports that can be +enabled/disabled and thus can control which virtual channels +are enabled. Datatype demuxing not tested. + +In order to keep a valid internal state of the subdevice, +implicit format propagation from the sink to the source pads +has been preserved. However, the format on each source pad +can be different and in that case it must be configured explicitly. + +CSID's s_stream is called when any stream is started or stopped. +It will call configure_streams() that will rewrite IRQ settings to HW. +When multiple streams are running simultaneously there is an issue +when writing IRQ settings for one stream while another is still +running, thus avoid re-writing settings if they were not changed +in link setup, or by fully powering off the CSID hardware. + +Signed-off-by: Milen Mitkov +Reviewed-by: Robert Foss +Tested-by: Bryan O'Donoghue +Acked-by: Robert Foss +Signed-off-by: Hans Verkuil +Stable-dep-of: e655d1ae9703 ("media: qcom: camss: Fix set CSI2_RX_CFG1_VC_MODE when VC is greater than 3") +Signed-off-by: Sasha Levin +--- + .../platform/qcom/camss/camss-csid-170.c | 54 ++++++++++++------- + .../media/platform/qcom/camss/camss-csid.c | 44 ++++++++++----- + .../media/platform/qcom/camss/camss-csid.h | 11 +++- + 3 files changed, 74 insertions(+), 35 deletions(-) + +diff --git a/drivers/media/platform/qcom/camss/camss-csid-170.c b/drivers/media/platform/qcom/camss/camss-csid-170.c +index c234b8d67bc59..7ccf0c11a1a21 100644 +--- a/drivers/media/platform/qcom/camss/camss-csid-170.c ++++ b/drivers/media/platform/qcom/camss/camss-csid-170.c +@@ -327,13 +327,14 @@ static const struct csid_format csid_formats[] = { + }, + }; + +-static void csid_configure_stream(struct csid_device *csid, u8 enable) ++static void __csid_configure_stream(struct csid_device *csid, u8 enable, u8 vc) + { + struct csid_testgen_config *tg = &csid->testgen; + u32 val; + u32 phy_sel = 0; + u8 lane_cnt = csid->phy.lane_cnt; +- struct v4l2_mbus_framefmt *input_format = &csid->fmt[MSM_CSID_PAD_SRC]; ++ /* Source pads matching RDI channels on hardware. Pad 1 -> RDI0, Pad 2 -> RDI1, etc. */ ++ struct v4l2_mbus_framefmt *input_format = &csid->fmt[MSM_CSID_PAD_FIRST_SRC + vc]; + const struct csid_format *format = csid_get_fmt_entry(csid->formats, csid->nformats, + input_format->code); + +@@ -344,8 +345,7 @@ static void csid_configure_stream(struct csid_device *csid, u8 enable) + phy_sel = csid->phy.csiphy_id; + + if (enable) { +- u8 vc = 0; /* Virtual Channel 0 */ +- u8 dt_id = vc * 4; ++ u8 dt_id = vc; + + if (tg->enabled) { + /* Config Test Generator */ +@@ -388,42 +388,42 @@ static void csid_configure_stream(struct csid_device *csid, u8 enable) + val |= format->data_type << RDI_CFG0_DATA_TYPE; + val |= vc << RDI_CFG0_VIRTUAL_CHANNEL; + val |= dt_id << RDI_CFG0_DT_ID; +- writel_relaxed(val, csid->base + CSID_RDI_CFG0(0)); ++ writel_relaxed(val, csid->base + CSID_RDI_CFG0(vc)); + + /* CSID_TIMESTAMP_STB_POST_IRQ */ + val = 2 << RDI_CFG1_TIMESTAMP_STB_SEL; +- writel_relaxed(val, csid->base + CSID_RDI_CFG1(0)); ++ writel_relaxed(val, csid->base + CSID_RDI_CFG1(vc)); + + val = 1; +- writel_relaxed(val, csid->base + CSID_RDI_FRM_DROP_PERIOD(0)); ++ writel_relaxed(val, csid->base + CSID_RDI_FRM_DROP_PERIOD(vc)); + + val = 0; +- writel_relaxed(val, csid->base + CSID_RDI_FRM_DROP_PATTERN(0)); ++ writel_relaxed(val, csid->base + CSID_RDI_FRM_DROP_PATTERN(vc)); + + val = 1; +- writel_relaxed(val, csid->base + CSID_RDI_IRQ_SUBSAMPLE_PERIOD(0)); ++ writel_relaxed(val, csid->base + CSID_RDI_IRQ_SUBSAMPLE_PERIOD(vc)); + + val = 0; +- writel_relaxed(val, csid->base + CSID_RDI_IRQ_SUBSAMPLE_PATTERN(0)); ++ writel_relaxed(val, csid->base + CSID_RDI_IRQ_SUBSAMPLE_PATTERN(vc)); + + val = 1; +- writel_relaxed(val, csid->base + CSID_RDI_RPP_PIX_DROP_PERIOD(0)); ++ writel_relaxed(val, csid->base + CSID_RDI_RPP_PIX_DROP_PERIOD(vc)); + + val = 0; +- writel_relaxed(val, csid->base + CSID_RDI_RPP_PIX_DROP_PATTERN(0)); ++ writel_relaxed(val, csid->base + CSID_RDI_RPP_PIX_DROP_PATTERN(vc)); + + val = 1; +- writel_relaxed(val, csid->base + CSID_RDI_RPP_LINE_DROP_PERIOD(0)); ++ writel_relaxed(val, csid->base + CSID_RDI_RPP_LINE_DROP_PERIOD(vc)); + + val = 0; +- writel_relaxed(val, csid->base + CSID_RDI_RPP_LINE_DROP_PATTERN(0)); ++ writel_relaxed(val, csid->base + CSID_RDI_RPP_LINE_DROP_PATTERN(vc)); + + val = 0; +- writel_relaxed(val, csid->base + CSID_RDI_CTRL(0)); ++ writel_relaxed(val, csid->base + CSID_RDI_CTRL(vc)); + +- val = readl_relaxed(csid->base + CSID_RDI_CFG0(0)); ++ val = readl_relaxed(csid->base + CSID_RDI_CFG0(vc)); + val |= 1 << RDI_CFG0_ENABLE; +- writel_relaxed(val, csid->base + CSID_RDI_CFG0(0)); ++ writel_relaxed(val, csid->base + CSID_RDI_CFG0(vc)); + } + + if (tg->enabled) { +@@ -449,7 +449,16 @@ static void csid_configure_stream(struct csid_device *csid, u8 enable) + val = HALT_CMD_RESUME_AT_FRAME_BOUNDARY << RDI_CTRL_HALT_CMD; + else + val = HALT_CMD_HALT_AT_FRAME_BOUNDARY << RDI_CTRL_HALT_CMD; +- writel_relaxed(val, csid->base + CSID_RDI_CTRL(0)); ++ writel_relaxed(val, csid->base + CSID_RDI_CTRL(vc)); ++} ++ ++static void csid_configure_stream(struct csid_device *csid, u8 enable) ++{ ++ u8 i; ++ /* Loop through all enabled VCs and configure stream for each */ ++ for (i = 0; i < MSM_CSID_MAX_SRC_STREAMS; i++) ++ if (csid->phy.en_vc & BIT(i)) ++ __csid_configure_stream(csid, enable, i); + } + + static int csid_configure_testgen_pattern(struct csid_device *csid, s32 val) +@@ -495,6 +504,7 @@ static irqreturn_t csid_isr(int irq, void *dev) + struct csid_device *csid = dev; + u32 val; + u8 reset_done; ++ int i; + + val = readl_relaxed(csid->base + CSID_TOP_IRQ_STATUS); + writel_relaxed(val, csid->base + CSID_TOP_IRQ_CLEAR); +@@ -503,8 +513,12 @@ static irqreturn_t csid_isr(int irq, void *dev) + val = readl_relaxed(csid->base + CSID_CSI2_RX_IRQ_STATUS); + writel_relaxed(val, csid->base + CSID_CSI2_RX_IRQ_CLEAR); + +- val = readl_relaxed(csid->base + CSID_CSI2_RDIN_IRQ_STATUS(0)); +- writel_relaxed(val, csid->base + CSID_CSI2_RDIN_IRQ_CLEAR(0)); ++ /* Read and clear IRQ status for each enabled RDI channel */ ++ for (i = 0; i < MSM_CSID_MAX_SRC_STREAMS; i++) ++ if (csid->phy.en_vc & BIT(i)) { ++ val = readl_relaxed(csid->base + CSID_CSI2_RDIN_IRQ_STATUS(i)); ++ writel_relaxed(val, csid->base + CSID_CSI2_RDIN_IRQ_CLEAR(i)); ++ } + + val = 1 << IRQ_CMD_CLEAR; + writel_relaxed(val, csid->base + CSID_IRQ_CMD); +diff --git a/drivers/media/platform/qcom/camss/camss-csid.c b/drivers/media/platform/qcom/camss/camss-csid.c +index a1637b78568b2..2a294587ec9d9 100644 +--- a/drivers/media/platform/qcom/camss/camss-csid.c ++++ b/drivers/media/platform/qcom/camss/camss-csid.c +@@ -180,6 +180,8 @@ static int csid_set_power(struct v4l2_subdev *sd, int on) + return ret; + } + ++ csid->phy.need_vc_update = true; ++ + enable_irq(csid->irq); + + ret = csid->ops->reset(csid); +@@ -229,7 +231,10 @@ static int csid_set_stream(struct v4l2_subdev *sd, int enable) + return -ENOLINK; + } + +- csid->ops->configure_stream(csid, enable); ++ if (csid->phy.need_vc_update) { ++ csid->ops->configure_stream(csid, enable); ++ csid->phy.need_vc_update = false; ++ } + + return 0; + } +@@ -440,6 +445,7 @@ static int csid_set_format(struct v4l2_subdev *sd, + { + struct csid_device *csid = v4l2_get_subdevdata(sd); + struct v4l2_mbus_framefmt *format; ++ int i; + + format = __csid_get_format(csid, sd_state, fmt->pad, fmt->which); + if (format == NULL) +@@ -448,14 +454,14 @@ static int csid_set_format(struct v4l2_subdev *sd, + csid_try_format(csid, sd_state, fmt->pad, &fmt->format, fmt->which); + *format = fmt->format; + +- /* Propagate the format from sink to source */ ++ /* Propagate the format from sink to source pads */ + if (fmt->pad == MSM_CSID_PAD_SINK) { +- format = __csid_get_format(csid, sd_state, MSM_CSID_PAD_SRC, +- fmt->which); ++ for (i = MSM_CSID_PAD_FIRST_SRC; i < MSM_CSID_PADS_NUM; ++i) { ++ format = __csid_get_format(csid, sd_state, i, fmt->which); + +- *format = fmt->format; +- csid_try_format(csid, sd_state, MSM_CSID_PAD_SRC, format, +- fmt->which); ++ *format = fmt->format; ++ csid_try_format(csid, sd_state, i, format, fmt->which); ++ } + } + + return 0; +@@ -695,7 +701,6 @@ static int csid_link_setup(struct media_entity *entity, + struct csid_device *csid; + struct csiphy_device *csiphy; + struct csiphy_lanes_cfg *lane_cfg; +- struct v4l2_subdev_format format = { 0 }; + + sd = media_entity_to_v4l2_subdev(entity); + csid = v4l2_get_subdevdata(sd); +@@ -718,11 +723,22 @@ static int csid_link_setup(struct media_entity *entity, + lane_cfg = &csiphy->cfg.csi2->lane_cfg; + csid->phy.lane_cnt = lane_cfg->num_data; + csid->phy.lane_assign = csid_get_lane_assign(lane_cfg); ++ } ++ /* Decide which virtual channels to enable based on which source pads are enabled */ ++ if (local->flags & MEDIA_PAD_FL_SOURCE) { ++ struct v4l2_subdev *sd = media_entity_to_v4l2_subdev(entity); ++ struct csid_device *csid = v4l2_get_subdevdata(sd); ++ struct device *dev = csid->camss->dev; ++ ++ if (flags & MEDIA_LNK_FL_ENABLED) ++ csid->phy.en_vc |= BIT(local->index - 1); ++ else ++ csid->phy.en_vc &= ~BIT(local->index - 1); + +- /* Reset format on source pad to sink pad format */ +- format.pad = MSM_CSID_PAD_SRC; +- format.which = V4L2_SUBDEV_FORMAT_ACTIVE; +- csid_set_format(&csid->subdev, NULL, &format); ++ csid->phy.need_vc_update = true; ++ ++ dev_dbg(dev, "%s: Enabled CSID virtual channels mask 0x%x\n", ++ __func__, csid->phy.en_vc); + } + + return 0; +@@ -773,6 +789,7 @@ int msm_csid_register_entity(struct csid_device *csid, + struct v4l2_subdev *sd = &csid->subdev; + struct media_pad *pads = csid->pads; + struct device *dev = csid->camss->dev; ++ int i; + int ret; + + v4l2_subdev_init(sd, &csid_v4l2_ops); +@@ -809,7 +826,8 @@ int msm_csid_register_entity(struct csid_device *csid, + } + + pads[MSM_CSID_PAD_SINK].flags = MEDIA_PAD_FL_SINK; +- pads[MSM_CSID_PAD_SRC].flags = MEDIA_PAD_FL_SOURCE; ++ for (i = MSM_CSID_PAD_FIRST_SRC; i < MSM_CSID_PADS_NUM; ++i) ++ pads[i].flags = MEDIA_PAD_FL_SOURCE; + + sd->entity.function = MEDIA_ENT_F_PROC_VIDEO_PIXEL_FORMATTER; + sd->entity.ops = &csid_media_ops; +diff --git a/drivers/media/platform/qcom/camss/camss-csid.h b/drivers/media/platform/qcom/camss/camss-csid.h +index 814ebc7c29d65..6b5485fe18332 100644 +--- a/drivers/media/platform/qcom/camss/camss-csid.h ++++ b/drivers/media/platform/qcom/camss/camss-csid.h +@@ -19,8 +19,13 @@ + #include + + #define MSM_CSID_PAD_SINK 0 +-#define MSM_CSID_PAD_SRC 1 +-#define MSM_CSID_PADS_NUM 2 ++#define MSM_CSID_PAD_FIRST_SRC 1 ++#define MSM_CSID_PADS_NUM 5 ++ ++#define MSM_CSID_PAD_SRC (MSM_CSID_PAD_FIRST_SRC) ++ ++/* CSID hardware can demultiplex up to 4 outputs */ ++#define MSM_CSID_MAX_SRC_STREAMS 4 + + #define DATA_TYPE_EMBEDDED_DATA_8BIT 0x12 + #define DATA_TYPE_YUV420_8BIT 0x18 +@@ -81,6 +86,8 @@ struct csid_phy_config { + u8 csiphy_id; + u8 lane_cnt; + u32 lane_assign; ++ u32 en_vc; ++ u8 need_vc_update; + }; + + struct csid_device; +-- +2.42.0 + diff --git a/queue-5.15/media-qcom-camss-fix-csid-gen2-for-test-pattern-gene.patch b/queue-5.15/media-qcom-camss-fix-csid-gen2-for-test-pattern-gene.patch new file mode 100644 index 00000000000..dd92511b575 --- /dev/null +++ b/queue-5.15/media-qcom-camss-fix-csid-gen2-for-test-pattern-gene.patch @@ -0,0 +1,93 @@ +From 40fe33146f58af3f58e9517290550845142c81cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 16:16:15 +0100 +Subject: media: qcom: camss: Fix csid-gen2 for test pattern generator + +From: Andrey Konovalov + +[ Upstream commit 87889f1b7ea40d2544b49c62092e6ef2792dced7 ] + +In the current driver csid Test Pattern Generator (TPG) doesn't work. +This change: +- fixes writing frame width and height values into CSID_TPG_DT_n_CFG_0 +- fixes the shift by one between test_pattern control value and the + actual pattern. +- drops fixed VC of 0x0a which testing showed prohibited some test + patterns in the CSID to produce output. +So that TPG starts working, but with the below limitations: +- only test_pattern=9 works as it should +- test_pattern=8 and test_pattern=7 produce black frame (all zeroes) +- the rest of test_pattern's don't work (yavta doesn't get the data) +- regardless of the CFA pattern set by 'media-ctl -V' the actual pixel + order is always the same (RGGB for any RAW8 or RAW10P format in + 4608x2592 resolution). + +Tested with: + +RAW10P format, VC0: + media-ctl -V '"msm_csid0":0[fmt:SRGGB10/4608x2592 field:none]' + media-ctl -V '"msm_vfe0_rdi0":0[fmt:SRGGB10/4608x2592 field:none]' + media-ctl -l '"msm_csid0":1->"msm_vfe0_rdi0":0[1]' + v4l2-ctl -d /dev/v4l-subdev6 -c test_pattern=9 + yavta -B capture-mplane --capture=3 -n 3 -f SRGGB10P -s 4608x2592 /dev/video0 + +RAW10P format, VC1: + media-ctl -V '"msm_csid0":2[fmt:SRGGB10/4608x2592 field:none]' + media-ctl -V '"msm_vfe0_rdi1":0[fmt:SRGGB10/4608x2592 field:none]' + media-ctl -l '"msm_csid0":2->"msm_vfe0_rdi1":0[1]' + v4l2-ctl -d /dev/v4l-subdev6 -c test_pattern=9 + yavta -B capture-mplane --capture=3 -n 3 -f SRGGB10P -s 4608x2592 /dev/video1 + +RAW8 format, VC0: + media-ctl --reset + media-ctl -V '"msm_csid0":0[fmt:SRGGB8/4608x2592 field:none]' + media-ctl -V '"msm_vfe0_rdi0":0[fmt:SRGGB8/4608x2592 field:none]' + media-ctl -l '"msm_csid0":1->"msm_vfe0_rdi0":0[1]' + yavta -B capture-mplane --capture=3 -n 3 -f SRGGB8 -s 4608x2592 /dev/video0 + +Fixes: eebe6d00e9bf ("media: camss: Add support for CSID hardware version Titan 170") +Cc: stable@vger.kernel.org +Signed-off-by: Andrey Konovalov +Signed-off-by: Bryan O'Donoghue +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/camss/camss-csid-170.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/platform/qcom/camss/camss-csid-170.c b/drivers/media/platform/qcom/camss/camss-csid-170.c +index 270a960165b53..f7839e994bda6 100644 +--- a/drivers/media/platform/qcom/camss/camss-csid-170.c ++++ b/drivers/media/platform/qcom/camss/camss-csid-170.c +@@ -348,9 +348,6 @@ static void __csid_configure_stream(struct csid_device *csid, u8 enable, u8 vc) + u8 dt_id = vc; + + if (tg->enabled) { +- /* Config Test Generator */ +- vc = 0xa; +- + /* configure one DT, infinite frames */ + val = vc << TPG_VC_CFG0_VC_NUM; + val |= INTELEAVING_MODE_ONE_SHOT << TPG_VC_CFG0_LINE_INTERLEAVING_MODE; +@@ -363,14 +360,14 @@ static void __csid_configure_stream(struct csid_device *csid, u8 enable, u8 vc) + + writel_relaxed(0x12345678, csid->base + CSID_TPG_LFSR_SEED); + +- val = input_format->height & 0x1fff << TPG_DT_n_CFG_0_FRAME_HEIGHT; +- val |= input_format->width & 0x1fff << TPG_DT_n_CFG_0_FRAME_WIDTH; ++ val = (input_format->height & 0x1fff) << TPG_DT_n_CFG_0_FRAME_HEIGHT; ++ val |= (input_format->width & 0x1fff) << TPG_DT_n_CFG_0_FRAME_WIDTH; + writel_relaxed(val, csid->base + CSID_TPG_DT_n_CFG_0(0)); + + val = format->data_type << TPG_DT_n_CFG_1_DATA_TYPE; + writel_relaxed(val, csid->base + CSID_TPG_DT_n_CFG_1(0)); + +- val = tg->mode << TPG_DT_n_CFG_2_PAYLOAD_MODE; ++ val = (tg->mode - 1) << TPG_DT_n_CFG_2_PAYLOAD_MODE; + val |= 0xBE << TPG_DT_n_CFG_2_USER_SPECIFIED_PAYLOAD; + val |= format->decode_format << TPG_DT_n_CFG_2_ENCODE_FORMAT; + writel_relaxed(val, csid->base + CSID_TPG_DT_n_CFG_2(0)); +-- +2.42.0 + diff --git a/queue-5.15/media-qcom-camss-fix-set-csi2_rx_cfg1_vc_mode-when-v.patch b/queue-5.15/media-qcom-camss-fix-set-csi2_rx_cfg1_vc_mode-when-v.patch new file mode 100644 index 00000000000..5036118ac76 --- /dev/null +++ b/queue-5.15/media-qcom-camss-fix-set-csi2_rx_cfg1_vc_mode-when-v.patch @@ -0,0 +1,39 @@ +From 336977f691a85e7e41063f395d58c7b0732989a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 16:16:14 +0100 +Subject: media: qcom: camss: Fix set CSI2_RX_CFG1_VC_MODE when VC is greater + than 3 + +From: Bryan O'Donoghue + +[ Upstream commit e655d1ae9703286cef7fda8675cad62f649dc183 ] + +VC_MODE = 0 implies a two bit VC address. +VC_MODE = 1 is required for VCs with a larger address than two bits. + +Fixes: eebe6d00e9bf ("media: camss: Add support for CSID hardware version Titan 170") +Cc: stable@vger.kernel.org +Signed-off-by: Bryan O'Donoghue +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/camss/camss-csid-170.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/platform/qcom/camss/camss-csid-170.c b/drivers/media/platform/qcom/camss/camss-csid-170.c +index 7ccf0c11a1a21..270a960165b53 100644 +--- a/drivers/media/platform/qcom/camss/camss-csid-170.c ++++ b/drivers/media/platform/qcom/camss/camss-csid-170.c +@@ -442,6 +442,8 @@ static void __csid_configure_stream(struct csid_device *csid, u8 enable, u8 vc) + writel_relaxed(val, csid->base + CSID_CSI2_RX_CFG0); + + val = 1 << CSI2_RX_CFG1_PACKET_ECC_CORRECTION_EN; ++ if (vc > 3) ++ val |= 1 << CSI2_RX_CFG1_VC_MODE; + val |= 1 << CSI2_RX_CFG1_MISR_EN; + writel_relaxed(val, csid->base + CSID_CSI2_RX_CFG1); // csi2_vc_mode_shift_val ? + +-- +2.42.0 + diff --git a/queue-5.15/mips-kvm-fix-a-build-warning-about-variable-set-but-.patch b/queue-5.15/mips-kvm-fix-a-build-warning-about-variable-set-but-.patch new file mode 100644 index 00000000000..8790b3737c9 --- /dev/null +++ b/queue-5.15/mips-kvm-fix-a-build-warning-about-variable-set-but-.patch @@ -0,0 +1,57 @@ +From 0d6c1e5d7e64c2df96dde047a8db6bea9837aa54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Oct 2023 16:54:34 +0800 +Subject: MIPS: KVM: Fix a build warning about variable set but not used +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Huacai Chen + +[ Upstream commit 83767a67e7b6a0291cde5681ec7e3708f3f8f877 ] + +After commit 411740f5422a ("KVM: MIPS/MMU: Implement KVM_CAP_SYNC_MMU") +old_pte is no longer used in kvm_mips_map_page(). So remove it to fix a +build warning about variable set but not used: + + arch/mips/kvm/mmu.c: In function 'kvm_mips_map_page': +>> arch/mips/kvm/mmu.c:701:29: warning: variable 'old_pte' set but not used [-Wunused-but-set-variable] + 701 | pte_t *ptep, entry, old_pte; + | ^~~~~~~ + +Cc: stable@vger.kernel.org +Fixes: 411740f5422a960 ("KVM: MIPS/MMU: Implement KVM_CAP_SYNC_MMU") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202310070530.aARZCSfh-lkp@intel.com/ +Signed-off-by: Huacai Chen +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kvm/mmu.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/mips/kvm/mmu.c b/arch/mips/kvm/mmu.c +index 1bfd1b501d823..72b5249452273 100644 +--- a/arch/mips/kvm/mmu.c ++++ b/arch/mips/kvm/mmu.c +@@ -593,7 +593,7 @@ static int kvm_mips_map_page(struct kvm_vcpu *vcpu, unsigned long gpa, + gfn_t gfn = gpa >> PAGE_SHIFT; + int srcu_idx, err; + kvm_pfn_t pfn; +- pte_t *ptep, entry, old_pte; ++ pte_t *ptep, entry; + bool writeable; + unsigned long prot_bits; + unsigned long mmu_seq; +@@ -665,7 +665,6 @@ static int kvm_mips_map_page(struct kvm_vcpu *vcpu, unsigned long gpa, + entry = pfn_pte(pfn, __pgprot(prot_bits)); + + /* Write the PTE */ +- old_pte = *ptep; + set_pte(ptep, entry); + + err = 0; +-- +2.42.0 + diff --git a/queue-5.15/net-axienet-fix-check-for-partial-tx-checksum.patch b/queue-5.15/net-axienet-fix-check-for-partial-tx-checksum.patch new file mode 100644 index 00000000000..b28fc3d0ae5 --- /dev/null +++ b/queue-5.15/net-axienet-fix-check-for-partial-tx-checksum.patch @@ -0,0 +1,38 @@ +From 1ab49fb9ba6a6d6dcd68bfb93031a9ee9fde4c4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 16:42:17 -0800 +Subject: net: axienet: Fix check for partial TX checksum + +From: Samuel Holland + +[ Upstream commit fd0413bbf8b11f56e8aa842783b0deda0dfe2926 ] + +Due to a typo, the code checked the RX checksum feature in the TX path. + +Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver") +Signed-off-by: Samuel Holland +Reviewed-by: Andrew Lunn +Reviewed-by: Radhey Shyam Pandey +Link: https://lore.kernel.org/r/20231122004219.3504219-1-samuel.holland@sifive.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index e7f6c29b8dd82..63f33126d02fe 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -763,7 +763,7 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev) + if (lp->features & XAE_FEATURE_FULL_TX_CSUM) { + /* Tx Full Checksum Offload Enabled */ + cur_p->app0 |= 2; +- } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM) { ++ } else if (lp->features & XAE_FEATURE_PARTIAL_TX_CSUM) { + csum_start_off = skb_transport_offset(skb); + csum_index_off = csum_start_off + skb->csum_offset; + /* Tx Partial Checksum Offload Enabled */ +-- +2.42.0 + diff --git a/queue-5.15/net-smc-avoid-data-corruption-caused-by-decline.patch b/queue-5.15/net-smc-avoid-data-corruption-caused-by-decline.patch new file mode 100644 index 00000000000..693df594c67 --- /dev/null +++ b/queue-5.15/net-smc-avoid-data-corruption-caused-by-decline.patch @@ -0,0 +1,95 @@ +From cf13e1fdd3ad410d8d71aa7bb4ad91b9c0e140aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Nov 2023 10:37:05 +0800 +Subject: net/smc: avoid data corruption caused by decline +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: D. Wythe + +[ Upstream commit e6d71b437abc2f249e3b6a1ae1a7228e09c6e563 ] + +We found a data corruption issue during testing of SMC-R on Redis +applications. + +The benchmark has a low probability of reporting a strange error as +shown below. + +"Error: Protocol error, got "\xe2" as reply type byte" + +Finally, we found that the retrieved error data was as follows: + +0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C +0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2 + +It is quite obvious that this is a SMC DECLINE message, which means that +the applications received SMC protocol message. +We found that this was caused by the following situations: + +client server + ¦ clc proposal + -------------> + ¦ clc accept + <------------- + ¦ clc confirm + -------------> +wait llc confirm + send llc confirm + ¦failed llc confirm + ¦ x------ +(after 2s)timeout + wait llc confirm rsp + +wait decline + +(after 1s) timeout + (after 2s) timeout + ¦ decline + --------------> + ¦ decline + <-------------- + +As a result, a decline message was sent in the implementation, and this +message was read from TCP by the already-fallback connection. + +This patch double the client timeout as 2x of the server value, +With this simple change, the Decline messages should never cross or +collide (during Confirm link timeout). + +This issue requires an immediate solution, since the protocol updates +involve a more long-term solution. + +Fixes: 0fb0b02bd6fd ("net/smc: adapt SMC client code to use the LLC flow") +Signed-off-by: D. Wythe +Reviewed-by: Wen Gu +Reviewed-by: Wenjia Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 49cf523a783a2..8c11eb70c0f69 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -398,8 +398,12 @@ static int smcr_clnt_conf_first_link(struct smc_sock *smc) + struct smc_llc_qentry *qentry; + int rc; + +- /* receive CONFIRM LINK request from server over RoCE fabric */ +- qentry = smc_llc_wait(link->lgr, NULL, SMC_LLC_WAIT_TIME, ++ /* Receive CONFIRM LINK request from server over RoCE fabric. ++ * Increasing the client's timeout by twice as much as the server's ++ * timeout by default can temporarily avoid decline messages of ++ * both sides crossing or colliding ++ */ ++ qentry = smc_llc_wait(link->lgr, NULL, 2 * SMC_LLC_WAIT_TIME, + SMC_LLC_CONFIRM_LINK); + if (!qentry) { + struct smc_clc_msg_decline dclc; +-- +2.42.0 + diff --git a/queue-5.15/net-usb-ax88179_178a-fix-failed-operations-during-ax.patch b/queue-5.15/net-usb-ax88179_178a-fix-failed-operations-during-ax.patch new file mode 100644 index 00000000000..fd6f4eb3f03 --- /dev/null +++ b/queue-5.15/net-usb-ax88179_178a-fix-failed-operations-during-ax.patch @@ -0,0 +1,66 @@ +From 92cb614315c3c0b8dde84c1bf26377aa378bcff1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Nov 2023 13:06:29 +0100 +Subject: net: usb: ax88179_178a: fix failed operations during ax88179_reset + +From: Jose Ignacio Tornos Martinez + +[ Upstream commit 0739af07d1d947af27c877f797cb82ceee702515 ] + +Using generic ASIX Electronics Corp. AX88179 Gigabit Ethernet device, +the following test cycle has been implemented: + - power on + - check logs + - shutdown + - after detecting the system shutdown, disconnect power + - after approximately 60 seconds of sleep, power is restored +Running some cycles, sometimes error logs like this appear: + kernel: ax88179_178a 2-9:1.0 (unnamed net_device) (uninitialized): Failed to write reg index 0x0001: -19 + kernel: ax88179_178a 2-9:1.0 (unnamed net_device) (uninitialized): Failed to read reg index 0x0001: -19 + ... +These failed operation are happening during ax88179_reset execution, so +the initialization could not be correct. + +In order to avoid this, we need to increase the delay after reset and +clock initial operations. By using these larger values, many cycles +have been run and no failed operations appear. + +It would be better to check some status register to verify when the +operation has finished, but I do not have found any available information +(neither in the public datasheets nor in the manufacturer's driver). The +only available information for the necessary delays is the maufacturer's +driver (original values) but the proposed values are not enough for the +tested devices. + +Fixes: e2ca90c276e1f ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver") +Reported-by: Herb Wei +Tested-by: Herb Wei +Signed-off-by: Jose Ignacio Tornos Martinez +Link: https://lore.kernel.org/r/20231120120642.54334-1-jtornosm@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/ax88179_178a.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c +index 0a2c3860179e7..c419baf478134 100644 +--- a/drivers/net/usb/ax88179_178a.c ++++ b/drivers/net/usb/ax88179_178a.c +@@ -1700,11 +1700,11 @@ static int ax88179_reset(struct usbnet *dev) + + *tmp16 = AX_PHYPWR_RSTCTL_IPRL; + ax88179_write_cmd(dev, AX_ACCESS_MAC, AX_PHYPWR_RSTCTL, 2, 2, tmp16); +- msleep(200); ++ msleep(500); + + *tmp = AX_CLK_SELECT_ACS | AX_CLK_SELECT_BCS; + ax88179_write_cmd(dev, AX_ACCESS_MAC, AX_CLK_SELECT, 1, 1, tmp); +- msleep(100); ++ msleep(200); + + /* Ethernet PHY Auto Detach*/ + ax88179_auto_detach(dev, 0); +-- +2.42.0 + diff --git a/queue-5.15/nvmet-nul-terminate-the-nqns-passed-in-the-connect-c.patch b/queue-5.15/nvmet-nul-terminate-the-nqns-passed-in-the-connect-c.patch new file mode 100644 index 00000000000..2062b806da1 --- /dev/null +++ b/queue-5.15/nvmet-nul-terminate-the-nqns-passed-in-the-connect-c.patch @@ -0,0 +1,48 @@ +From 542251a1cf600d96f0a0f7b97c54ad084f939449 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Nov 2023 08:13:36 -0500 +Subject: nvmet: nul-terminate the NQNs passed in the connect command + +From: Christoph Hellwig + +[ Upstream commit 1c22e0295a5eb571c27b53c7371f95699ef705ff ] + +The host and subsystem NQNs are passed in the connect command payload and +interpreted as nul-terminated strings. Ensure they actually are +nul-terminated before using them. + +Fixes: a07b4970f464 "nvmet: add a generic NVMe target") +Reported-by: Alon Zahavi +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/fabrics-cmd.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/nvme/target/fabrics-cmd.c b/drivers/nvme/target/fabrics-cmd.c +index 7d0454cee9205..e5ee3d3ce1649 100644 +--- a/drivers/nvme/target/fabrics-cmd.c ++++ b/drivers/nvme/target/fabrics-cmd.c +@@ -206,6 +206,8 @@ static void nvmet_execute_admin_connect(struct nvmet_req *req) + goto out; + } + ++ d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; ++ d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; + status = nvmet_alloc_ctrl(d->subsysnqn, d->hostnqn, req, + le32_to_cpu(c->kato), &ctrl); + if (status) +@@ -263,6 +265,8 @@ static void nvmet_execute_io_connect(struct nvmet_req *req) + goto out; + } + ++ d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; ++ d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; + ctrl = nvmet_ctrl_find_get(d->subsysnqn, d->hostnqn, + le16_to_cpu(d->cntlid), req); + if (!ctrl) { +-- +2.42.0 + diff --git a/queue-5.15/octeontx2-pf-fix-memory-leak-during-interface-down.patch b/queue-5.15/octeontx2-pf-fix-memory-leak-during-interface-down.patch new file mode 100644 index 00000000000..cbe4d026aa2 --- /dev/null +++ b/queue-5.15/octeontx2-pf-fix-memory-leak-during-interface-down.patch @@ -0,0 +1,37 @@ +From 2e967e99c33d7d2a6550c823d6131749bf58aa08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Nov 2023 16:10:18 +0530 +Subject: octeontx2-pf: Fix memory leak during interface down + +From: Suman Ghosh + +[ Upstream commit 5f228d7c8a539714c1e9b7e7534f76bb7979f268 ] + +During 'ifconfig down' one RSS memory was not getting freed. +This patch fixes the same. + +Fixes: 81a4362016e7 ("octeontx2-pf: Add RSS multi group support") +Signed-off-by: Suman Ghosh +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +index a718d42daeb5e..8cb4b16ffad77 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +@@ -1838,6 +1838,8 @@ int otx2_stop(struct net_device *netdev) + /* Clear RSS enable flag */ + rss = &pf->hw.rss_info; + rss->enable = false; ++ if (!netif_is_rxfh_configured(netdev)) ++ kfree(rss->rss_ctx[DEFAULT_RSS_CONTEXT_GROUP]); + + /* Cleanup Queue IRQ */ + vec = pci_irq_vector(pf->pdev, +-- +2.42.0 + diff --git a/queue-5.15/octeontx2-pf-fix-ntuple-rule-creation-to-direct-pack.patch b/queue-5.15/octeontx2-pf-fix-ntuple-rule-creation-to-direct-pack.patch new file mode 100644 index 00000000000..e0c226f6a07 --- /dev/null +++ b/queue-5.15/octeontx2-pf-fix-ntuple-rule-creation-to-direct-pack.patch @@ -0,0 +1,79 @@ +From dc48792ade0a38f5542376a001da74b6f64bde3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 22:26:24 +0530 +Subject: octeontx2-pf: Fix ntuple rule creation to direct packet to VF with + higher Rx queue than its PF + +From: Suman Ghosh + +[ Upstream commit 4aa1d8f89b10cdc25a231dabf808d8935e0b137a ] + +It is possible to add a ntuple rule which would like to direct packet to +a VF whose number of queues are greater/less than its PF's queue numbers. +For example a PF can have 2 Rx queues but a VF created on that PF can have +8 Rx queues. As of today, ntuple rule will reject rule because it is +checking the requested queue number against PF's number of Rx queues. +As a part of this fix if the action of a ntuple rule is to move a packet +to a VF's queue then the check is removed. Also, a debug information is +printed to aware user that it is user's responsibility to cross check if +the requested queue number on that VF is a valid one. + +Fixes: f0a1913f8a6f ("octeontx2-pf: Add support for ethtool ntuple filters") +Signed-off-by: Suman Ghosh +Reviewed-by: Wojciech Drewek +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20231121165624.3664182-1-sumang@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../marvell/octeontx2/nic/otx2_flows.c | 20 ++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c +index 483f660cebc40..c3e5ebc416676 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c +@@ -1002,6 +1002,7 @@ int otx2_add_flow(struct otx2_nic *pfvf, struct ethtool_rxnfc *nfc) + struct ethhdr *eth_hdr; + bool new = false; + int err = 0; ++ u64 vf_num; + u32 ring; + + if (!flow_cfg->max_flows) { +@@ -1014,7 +1015,21 @@ int otx2_add_flow(struct otx2_nic *pfvf, struct ethtool_rxnfc *nfc) + if (!(pfvf->flags & OTX2_FLAG_NTUPLE_SUPPORT)) + return -ENOMEM; + +- if (ring >= pfvf->hw.rx_queues && fsp->ring_cookie != RX_CLS_FLOW_DISC) ++ /* Number of queues on a VF can be greater or less than ++ * the PF's queue. Hence no need to check for the ++ * queue count. Hence no need to check queue count if PF ++ * is installing for its VF. Below is the expected vf_num value ++ * based on the ethtool commands. ++ * ++ * e.g. ++ * 1. ethtool -U ... action -1 ==> vf_num:255 ++ * 2. ethtool -U ... action ==> vf_num:0 ++ * 3. ethtool -U ... vf queue ==> ++ * vf_num:vf_idx+1 ++ */ ++ vf_num = ethtool_get_flow_spec_ring_vf(fsp->ring_cookie); ++ if (!is_otx2_vf(pfvf->pcifunc) && !vf_num && ++ ring >= pfvf->hw.rx_queues && fsp->ring_cookie != RX_CLS_FLOW_DISC) + return -EINVAL; + + if (fsp->location >= otx2_get_maxflows(flow_cfg)) +@@ -1096,6 +1111,9 @@ int otx2_add_flow(struct otx2_nic *pfvf, struct ethtool_rxnfc *nfc) + flow_cfg->nr_flows++; + } + ++ if (flow->is_vf) ++ netdev_info(pfvf->netdev, ++ "Make sure that VF's queue number is within its queue limit\n"); + return 0; + } + +-- +2.42.0 + diff --git a/queue-5.15/series b/queue-5.15/series new file mode 100644 index 00000000000..33e79c0eea3 --- /dev/null +++ b/queue-5.15/series @@ -0,0 +1,41 @@ +afs-fix-afs_server_list-to-be-cleaned-up-with-rcu.patch +afs-make-error-on-cell-lookup-failure-consistent-wit.patch +drm-panel-boe-tv101wum-nl6-fine-tune-the-panel-power.patch +drm-panel-auo-b101uan08.3-fine-tune-the-panel-power-.patch +drm-panel-simple-fix-innolux-g101ice-l01-bus-flags.patch +drm-panel-simple-fix-innolux-g101ice-l01-timings.patch +wireguard-use-dev_stats_inc.patch +octeontx2-pf-fix-memory-leak-during-interface-down.patch +ata-pata_isapnp-add-missing-error-check-for-devm_iop.patch +drm-rockchip-vop-fix-color-for-rgb888-bgr888-format-.patch +hid-core-store-the-unique-system-identifier-in-hid_d.patch +hid-fix-hid-device-resource-race-between-hid-core-an.patch +ipv4-correct-silence-an-endian-warning-in-__ip_do_re.patch +net-usb-ax88179_178a-fix-failed-operations-during-ax.patch +net-smc-avoid-data-corruption-caused-by-decline.patch +arm-xen-fix-xen_vcpu_info-allocation-alignment.patch +octeontx2-pf-fix-ntuple-rule-creation-to-direct-pack.patch +amd-xgbe-handle-corner-case-during-sfp-hotplug.patch +amd-xgbe-handle-the-corner-case-during-tx-completion.patch +amd-xgbe-propagate-the-correct-speed-and-duplex-stat.patch +net-axienet-fix-check-for-partial-tx-checksum.patch +afs-return-enoent-if-no-cell-dns-record-can-be-found.patch +afs-fix-file-locking-on-r-o-volumes-to-operate-in-lo.patch +nvmet-nul-terminate-the-nqns-passed-in-the-connect-c.patch +usb-dwc3-qcom-fix-resource-leaks-on-probe-deferral.patch +usb-dwc3-qcom-fix-acpi-platform-device-leak.patch +lockdep-fix-block-chain-corruption.patch +mips-kvm-fix-a-build-warning-about-variable-set-but-.patch +media-camss-replace-hard-coded-value-with-parameter.patch +media-camss-sm8250-virtual-channels-for-csid.patch +media-qcom-camss-fix-set-csi2_rx_cfg1_vc_mode-when-v.patch +media-qcom-camss-fix-csid-gen2-for-test-pattern-gene.patch +ext4-add-a-new-helper-to-check-if-es-must-be-kept.patch +ext4-factor-out-__es_alloc_extent-and-__es_free_exte.patch +ext4-use-pre-allocated-es-in-__es_insert_extent.patch +ext4-use-pre-allocated-es-in-__es_remove_extent.patch +ext4-using-nofail-preallocation-in-ext4_es_remove_ex.patch +ext4-using-nofail-preallocation-in-ext4_es_insert_de.patch +ext4-using-nofail-preallocation-in-ext4_es_insert_ex.patch +ext4-fix-slab-use-after-free-in-ext4_es_insert_exten.patch +ext4-make-sure-allocate-pending-entry-not-fail.patch diff --git a/queue-5.15/usb-dwc3-qcom-fix-acpi-platform-device-leak.patch b/queue-5.15/usb-dwc3-qcom-fix-acpi-platform-device-leak.patch new file mode 100644 index 00000000000..6441a03bfca --- /dev/null +++ b/queue-5.15/usb-dwc3-qcom-fix-acpi-platform-device-leak.patch @@ -0,0 +1,119 @@ +From c51888852f8a68bca97d576abf3de34c580ea42b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Nov 2023 18:36:50 +0100 +Subject: USB: dwc3: qcom: fix ACPI platform device leak + +From: Johan Hovold + +[ Upstream commit 9cf87666fc6e08572341fe08ecd909935998fbbd ] + +Make sure to free the "urs" platform device, which is created for some +ACPI platforms, on probe errors and on driver unbind. + +Compile-tested only. + +Fixes: c25c210f590e ("usb: dwc3: qcom: add URS Host support for sdm845 ACPI boot") +Cc: Shawn Guo +Signed-off-by: Johan Hovold +Acked-by: Andrew Halaney +Acked-by: Shawn Guo +Link: https://lore.kernel.org/r/20231117173650.21161-4-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-qcom.c | 37 +++++++++++++++++++++++++++++------- + 1 file changed, 30 insertions(+), 7 deletions(-) + +diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c +index d7240cdca07c1..5d67378bd77ce 100644 +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -704,9 +704,9 @@ static int dwc3_qcom_of_register_core(struct platform_device *pdev) + return ret; + } + +-static struct platform_device * +-dwc3_qcom_create_urs_usb_platdev(struct device *dev) ++static struct platform_device *dwc3_qcom_create_urs_usb_platdev(struct device *dev) + { ++ struct platform_device *urs_usb = NULL; + struct fwnode_handle *fwh; + struct acpi_device *adev; + char name[8]; +@@ -726,9 +726,26 @@ dwc3_qcom_create_urs_usb_platdev(struct device *dev) + + adev = to_acpi_device_node(fwh); + if (!adev) +- return NULL; ++ goto err_put_handle; ++ ++ urs_usb = acpi_create_platform_device(adev, NULL); ++ if (IS_ERR_OR_NULL(urs_usb)) ++ goto err_put_handle; ++ ++ return urs_usb; + +- return acpi_create_platform_device(adev, NULL); ++err_put_handle: ++ fwnode_handle_put(fwh); ++ ++ return urs_usb; ++} ++ ++static void dwc3_qcom_destroy_urs_usb_platdev(struct platform_device *urs_usb) ++{ ++ struct fwnode_handle *fwh = urs_usb->dev.fwnode; ++ ++ platform_device_unregister(urs_usb); ++ fwnode_handle_put(fwh); + } + + static int dwc3_qcom_probe(struct platform_device *pdev) +@@ -812,13 +829,13 @@ static int dwc3_qcom_probe(struct platform_device *pdev) + qcom->qscratch_base = devm_ioremap_resource(dev, parent_res); + if (IS_ERR(qcom->qscratch_base)) { + ret = PTR_ERR(qcom->qscratch_base); +- goto clk_disable; ++ goto free_urs; + } + + ret = dwc3_qcom_setup_irq(pdev); + if (ret) { + dev_err(dev, "failed to setup IRQs, err=%d\n", ret); +- goto clk_disable; ++ goto free_urs; + } + + /* +@@ -837,7 +854,7 @@ static int dwc3_qcom_probe(struct platform_device *pdev) + + if (ret) { + dev_err(dev, "failed to register DWC3 Core, err=%d\n", ret); +- goto clk_disable; ++ goto free_urs; + } + + ret = dwc3_qcom_interconnect_init(qcom); +@@ -871,6 +888,9 @@ static int dwc3_qcom_probe(struct platform_device *pdev) + else + platform_device_del(qcom->dwc3); + platform_device_put(qcom->dwc3); ++free_urs: ++ if (qcom->urs_usb) ++ dwc3_qcom_destroy_urs_usb_platdev(qcom->urs_usb); + clk_disable: + for (i = qcom->num_clocks - 1; i >= 0; i--) { + clk_disable_unprepare(qcom->clks[i]); +@@ -896,6 +916,9 @@ static int dwc3_qcom_remove(struct platform_device *pdev) + platform_device_del(qcom->dwc3); + platform_device_put(qcom->dwc3); + ++ if (qcom->urs_usb) ++ dwc3_qcom_destroy_urs_usb_platdev(qcom->urs_usb); ++ + for (i = qcom->num_clocks - 1; i >= 0; i--) { + clk_disable_unprepare(qcom->clks[i]); + clk_put(qcom->clks[i]); +-- +2.42.0 + diff --git a/queue-5.15/usb-dwc3-qcom-fix-resource-leaks-on-probe-deferral.patch b/queue-5.15/usb-dwc3-qcom-fix-resource-leaks-on-probe-deferral.patch new file mode 100644 index 00000000000..0c43b6b3333 --- /dev/null +++ b/queue-5.15/usb-dwc3-qcom-fix-resource-leaks-on-probe-deferral.patch @@ -0,0 +1,80 @@ +From 47a23ce2f7c6e87e74e7814c3246b85f3c2293ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Nov 2023 18:36:48 +0100 +Subject: USB: dwc3: qcom: fix resource leaks on probe deferral + +From: Johan Hovold + +[ Upstream commit 51392a1879ff06dc21b68aef4825f6ef68a7be42 ] + +The driver needs to deregister and free the newly allocated dwc3 core +platform device on ACPI probe errors (e.g. probe deferral) and on driver +unbind but instead it leaked those resources while erroneously dropping +a reference to the parent platform device which is still in use. + +For OF probing the driver takes a reference to the dwc3 core platform +device which has also always been leaked. + +Fix the broken ACPI tear down and make sure to drop the dwc3 core +reference for both OF and ACPI. + +Fixes: 8fd95da2cfb5 ("usb: dwc3: qcom: Release the correct resources in dwc3_qcom_remove()") +Fixes: 2bc02355f8ba ("usb: dwc3: qcom: Add support for booting with ACPI") +Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver") +Cc: stable@vger.kernel.org # 4.18 +Cc: Christophe JAILLET +Cc: Lee Jones +Signed-off-by: Johan Hovold +Acked-by: Andrew Halaney +Link: https://lore.kernel.org/r/20231117173650.21161-2-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 9cf87666fc6e ("USB: dwc3: qcom: fix ACPI platform device leak") +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-qcom.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c +index 0180350a2c95c..d7240cdca07c1 100644 +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -695,6 +695,7 @@ static int dwc3_qcom_of_register_core(struct platform_device *pdev) + if (!qcom->dwc3) { + ret = -ENODEV; + dev_err(dev, "failed to get dwc3 platform device\n"); ++ of_platform_depopulate(dev); + } + + node_put: +@@ -836,7 +837,7 @@ static int dwc3_qcom_probe(struct platform_device *pdev) + + if (ret) { + dev_err(dev, "failed to register DWC3 Core, err=%d\n", ret); +- goto depopulate; ++ goto clk_disable; + } + + ret = dwc3_qcom_interconnect_init(qcom); +@@ -868,7 +869,8 @@ static int dwc3_qcom_probe(struct platform_device *pdev) + if (np) + of_platform_depopulate(&pdev->dev); + else +- platform_device_put(pdev); ++ platform_device_del(qcom->dwc3); ++ platform_device_put(qcom->dwc3); + clk_disable: + for (i = qcom->num_clocks - 1; i >= 0; i--) { + clk_disable_unprepare(qcom->clks[i]); +@@ -891,7 +893,8 @@ static int dwc3_qcom_remove(struct platform_device *pdev) + if (np) + of_platform_depopulate(&pdev->dev); + else +- platform_device_put(pdev); ++ platform_device_del(qcom->dwc3); ++ platform_device_put(qcom->dwc3); + + for (i = qcom->num_clocks - 1; i >= 0; i--) { + clk_disable_unprepare(qcom->clks[i]); +-- +2.42.0 + diff --git a/queue-5.15/wireguard-use-dev_stats_inc.patch b/queue-5.15/wireguard-use-dev_stats_inc.patch new file mode 100644 index 00000000000..d3dcb395737 --- /dev/null +++ b/queue-5.15/wireguard-use-dev_stats_inc.patch @@ -0,0 +1,121 @@ +From 8b8af0d78894d2149461592c5c5c01440d0bae8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Nov 2023 14:17:33 +0000 +Subject: wireguard: use DEV_STATS_INC() + +From: Eric Dumazet + +[ Upstream commit 93da8d75a66568ba4bb5b14ad2833acd7304cd02 ] + +wg_xmit() can be called concurrently, KCSAN reported [1] +some device stats updates can be lost. + +Use DEV_STATS_INC() for this unlikely case. + +[1] +BUG: KCSAN: data-race in wg_xmit / wg_xmit + +read-write to 0xffff888104239160 of 8 bytes by task 1375 on cpu 0: +wg_xmit+0x60f/0x680 drivers/net/wireguard/device.c:231 +__netdev_start_xmit include/linux/netdevice.h:4918 [inline] +netdev_start_xmit include/linux/netdevice.h:4932 [inline] +xmit_one net/core/dev.c:3543 [inline] +dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3559 +... + +read-write to 0xffff888104239160 of 8 bytes by task 1378 on cpu 1: +wg_xmit+0x60f/0x680 drivers/net/wireguard/device.c:231 +__netdev_start_xmit include/linux/netdevice.h:4918 [inline] +netdev_start_xmit include/linux/netdevice.h:4932 [inline] +xmit_one net/core/dev.c:3543 [inline] +dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3559 +... + +v2: also change wg_packet_consume_data_done() (Hangbin Liu) + and wg_packet_purge_staged_packets() + +Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Jason A. Donenfeld +Cc: Hangbin Liu +Signed-off-by: Jason A. Donenfeld +Reviewed-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wireguard/device.c | 4 ++-- + drivers/net/wireguard/receive.c | 12 ++++++------ + drivers/net/wireguard/send.c | 3 ++- + 3 files changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireguard/device.c b/drivers/net/wireguard/device.c +index 5eaef79c06e16..e5e344af34237 100644 +--- a/drivers/net/wireguard/device.c ++++ b/drivers/net/wireguard/device.c +@@ -193,7 +193,7 @@ static netdev_tx_t wg_xmit(struct sk_buff *skb, struct net_device *dev) + */ + while (skb_queue_len(&peer->staged_packet_queue) > MAX_STAGED_PACKETS) { + dev_kfree_skb(__skb_dequeue(&peer->staged_packet_queue)); +- ++dev->stats.tx_dropped; ++ DEV_STATS_INC(dev, tx_dropped); + } + skb_queue_splice_tail(&packets, &peer->staged_packet_queue); + spin_unlock_bh(&peer->staged_packet_queue.lock); +@@ -211,7 +211,7 @@ static netdev_tx_t wg_xmit(struct sk_buff *skb, struct net_device *dev) + else if (skb->protocol == htons(ETH_P_IPV6)) + icmpv6_ndo_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0); + err: +- ++dev->stats.tx_errors; ++ DEV_STATS_INC(dev, tx_errors); + kfree_skb(skb); + return ret; + } +diff --git a/drivers/net/wireguard/receive.c b/drivers/net/wireguard/receive.c +index f500aaf678370..d38b24339a1f9 100644 +--- a/drivers/net/wireguard/receive.c ++++ b/drivers/net/wireguard/receive.c +@@ -423,20 +423,20 @@ static void wg_packet_consume_data_done(struct wg_peer *peer, + net_dbg_skb_ratelimited("%s: Packet has unallowed src IP (%pISc) from peer %llu (%pISpfsc)\n", + dev->name, skb, peer->internal_id, + &peer->endpoint.addr); +- ++dev->stats.rx_errors; +- ++dev->stats.rx_frame_errors; ++ DEV_STATS_INC(dev, rx_errors); ++ DEV_STATS_INC(dev, rx_frame_errors); + goto packet_processed; + dishonest_packet_type: + net_dbg_ratelimited("%s: Packet is neither ipv4 nor ipv6 from peer %llu (%pISpfsc)\n", + dev->name, peer->internal_id, &peer->endpoint.addr); +- ++dev->stats.rx_errors; +- ++dev->stats.rx_frame_errors; ++ DEV_STATS_INC(dev, rx_errors); ++ DEV_STATS_INC(dev, rx_frame_errors); + goto packet_processed; + dishonest_packet_size: + net_dbg_ratelimited("%s: Packet has incorrect size from peer %llu (%pISpfsc)\n", + dev->name, peer->internal_id, &peer->endpoint.addr); +- ++dev->stats.rx_errors; +- ++dev->stats.rx_length_errors; ++ DEV_STATS_INC(dev, rx_errors); ++ DEV_STATS_INC(dev, rx_length_errors); + goto packet_processed; + packet_processed: + dev_kfree_skb(skb); +diff --git a/drivers/net/wireguard/send.c b/drivers/net/wireguard/send.c +index 95c853b59e1da..0d48e0f4a1ba3 100644 +--- a/drivers/net/wireguard/send.c ++++ b/drivers/net/wireguard/send.c +@@ -333,7 +333,8 @@ static void wg_packet_create_data(struct wg_peer *peer, struct sk_buff *first) + void wg_packet_purge_staged_packets(struct wg_peer *peer) + { + spin_lock_bh(&peer->staged_packet_queue.lock); +- peer->device->dev->stats.tx_dropped += peer->staged_packet_queue.qlen; ++ DEV_STATS_ADD(peer->device->dev, tx_dropped, ++ peer->staged_packet_queue.qlen); + __skb_queue_purge(&peer->staged_packet_queue); + spin_unlock_bh(&peer->staged_packet_queue.lock); + } +-- +2.42.0 +