From: Sasha Levin Date: Sun, 25 Dec 2022 03:33:09 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v5.15.86~78 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f0a3dbb3f84b730c655f9152c145814bd91480f0;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/acct-fix-potential-integer-overflow-in-encode_comp_t.patch b/queue-5.4/acct-fix-potential-integer-overflow-in-encode_comp_t.patch new file mode 100644 index 00000000000..2d66255015e --- /dev/null +++ b/queue-5.4/acct-fix-potential-integer-overflow-in-encode_comp_t.patch @@ -0,0 +1,51 @@ +From d9cc91cbd382fa21ee4c49bbf1e96e754ab4bd7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 May 2021 22:06:31 +0800 +Subject: acct: fix potential integer overflow in encode_comp_t() + +From: Zheng Yejian + +[ Upstream commit c5f31c655bcc01b6da53b836ac951c1556245305 ] + +The integer overflow is descripted with following codes: + > 317 static comp_t encode_comp_t(u64 value) + > 318 { + > 319 int exp, rnd; + ...... + > 341 exp <<= MANTSIZE; + > 342 exp += value; + > 343 return exp; + > 344 } + +Currently comp_t is defined as type of '__u16', but the variable 'exp' is +type of 'int', so overflow would happen when variable 'exp' in line 343 is +greater than 65535. + +Link: https://lkml.kernel.org/r/20210515140631.369106-3-zhengyejian1@huawei.com +Signed-off-by: Zheng Yejian +Cc: Hanjun Guo +Cc: Randy Dunlap +Cc: Vlastimil Babka +Cc: Zhang Jinhao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/acct.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/acct.c b/kernel/acct.c +index 81f9831a7859..6d98aed403ba 100644 +--- a/kernel/acct.c ++++ b/kernel/acct.c +@@ -331,6 +331,8 @@ static comp_t encode_comp_t(unsigned long value) + exp++; + } + ++ if (exp > (((comp_t) ~0U) >> MANTSIZE)) ++ return (comp_t) ~0U; + /* + * Clean it up and polish it off. + */ +-- +2.35.1 + 
diff --git a/queue-5.4/acpica-fix-error-code-path-in-acpi_ds_call_control_m.patch b/queue-5.4/acpica-fix-error-code-path-in-acpi_ds_call_control_m.patch new file mode 100644 index 00000000000..2ecef3e427d --- /dev/null +++ b/queue-5.4/acpica-fix-error-code-path-in-acpi_ds_call_control_m.patch 
@@ -0,0 +1,68 @@ +From 593004d41851dc91df83f700e81a25401078891f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 18:42:36 +0100 +Subject: ACPICA: Fix error code path in acpi_ds_call_control_method() + +From: Rafael J. Wysocki + +[ Upstream commit 404ec60438add1afadaffaed34bb5fe4ddcadd40 ] + +A use-after-free in acpi_ps_parse_aml() after a failing invocaion of +acpi_ds_call_control_method() is reported by KASAN [1] and code +inspection reveals that next_walk_state pushed to the thread by +acpi_ds_create_walk_state() is freed on errors, but it is not popped +from the thread beforehand. Thus acpi_ds_get_current_walk_state() +called by acpi_ps_parse_aml() subsequently returns it as the new +walk state which is incorrect. + +To address this, make acpi_ds_call_control_method() call +acpi_ds_pop_walk_state() to pop next_walk_state from the thread before +returning an error. + +Link: https://lore.kernel.org/linux-acpi/20221019073443.248215-1-chenzhongjin@huawei.com/ # [1] +Reported-by: Chen Zhongjin +Signed-off-by: Rafael J. 
Wysocki +Reviewed-by: Chen Zhongjin +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/dsmethod.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c +index f59b4d944f7f..603483f8332b 100644 +--- a/drivers/acpi/acpica/dsmethod.c ++++ b/drivers/acpi/acpica/dsmethod.c +@@ -517,7 +517,7 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread, + info = ACPI_ALLOCATE_ZEROED(sizeof(struct acpi_evaluate_info)); + if (!info) { + status = AE_NO_MEMORY; +- goto cleanup; ++ goto pop_walk_state; + } + + info->parameters = &this_walk_state->operands[0]; +@@ -529,7 +529,7 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread, + + ACPI_FREE(info); + if (ACPI_FAILURE(status)) { +- goto cleanup; ++ goto pop_walk_state; + } + + next_walk_state->method_nesting_depth = +@@ -575,6 +575,12 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread, + + return_ACPI_STATUS(status); + ++pop_walk_state: ++ ++ /* On error, pop the walk state to be deleted from thread */ ++ ++ acpi_ds_pop_walk_state(thread); ++ + cleanup: + + /* On error, we must terminate the method properly */ +-- +2.35.1 + diff --git a/queue-5.4/acpica-fix-use-after-free-in-acpi_ut_copy_ipackage_t.patch b/queue-5.4/acpica-fix-use-after-free-in-acpi_ut_copy_ipackage_t.patch new file mode 100644 index 00000000000..a931f8e566d --- /dev/null +++ b/queue-5.4/acpica-fix-use-after-free-in-acpi_ut_copy_ipackage_t.patch 
@@ -0,0 +1,70 @@ +From ee4ac0c859d922573f56eb1ebb2dde85a8ee6cf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 16:05:14 +0800 +Subject: ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() + +From: Li Zetao + +[ Upstream commit 470188b09e92d83c5a997f25f0e8fb8cd2bc3469 ] + +There is an use-after-free reported by KASAN: + + BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82 + Read of size 1 at addr ffff888112afc460 by task modprobe/2111 + CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), + Call Trace: + + kasan_report+0xae/0xe0 + acpi_ut_remove_reference+0x3b/0x82 + acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5 + acpi_ds_store_object_to_local+0x15d/0x3a0 + acpi_ex_store+0x78d/0x7fd + acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b + acpi_ps_parse_aml+0x217/0x8d5 + ... + + +The root cause of the problem is that the acpi_operand_object +is freed when acpi_ut_walk_package_tree() fails in +acpi_ut_copy_ipackage_to_ipackage(), lead to repeated release in +acpi_ut_copy_iobject_to_iobject(). The problem was introduced +by "8aa5e56eeb61" commit, this commit is to fix memory leak in +acpi_ut_copy_iobject_to_iobject(), repeatedly adding remove +operation, lead to "acpi_operand_object" used after free. + +Fix it by removing acpi_ut_remove_reference() in +acpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage() +is called to copy an internal package object into another internal +package object, when it fails, the memory of acpi_operand_object +should be freed by the caller. + +Fixes: 8aa5e56eeb61 ("ACPICA: Utilities: Fix memory leak in acpi_ut_copy_iobject_to_iobject") +Signed-off-by: Li Zetao +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/utcopy.c | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/drivers/acpi/acpica/utcopy.c b/drivers/acpi/acpica/utcopy.c +index 1fb8327f3c3b..9c0b94d1c4ba 100644 +--- a/drivers/acpi/acpica/utcopy.c ++++ b/drivers/acpi/acpica/utcopy.c +@@ -916,13 +916,6 @@ acpi_ut_copy_ipackage_to_ipackage(union acpi_operand_object *source_obj, + status = acpi_ut_walk_package_tree(source_obj, dest_obj, + acpi_ut_copy_ielement_to_ielement, + walk_state); +- if (ACPI_FAILURE(status)) { +- +- /* On failure, delete the destination package object */ +- +- acpi_ut_remove_reference(dest_obj); +- } +- + return_ACPI_STATUS(status); + } + +-- +2.35.1 + diff --git a/queue-5.4/alpha-fix-syscall-entry-in-audut_syscall-case.patch b/queue-5.4/alpha-fix-syscall-entry-in-audut_syscall-case.patch new file mode 100644 index 00000000000..4c4a3f38aea --- /dev/null +++ b/queue-5.4/alpha-fix-syscall-entry-in-audut_syscall-case.patch 
@@ -0,0 +1,40 @@ +From d43b3e8e2da755d47987f06a4f2ff84b26065afa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Sep 2021 18:18:48 -0400 +Subject: alpha: fix syscall entry in !AUDUT_SYSCALL case + +From: Al Viro + +[ Upstream commit f7b2431a6d22f7a91c567708e071dfcd6d66db14 ] + +We only want to take the slow path if SYSCALL_TRACE or SYSCALL_AUDIT is +set; on !AUDIT_SYSCALL configs the current tree hits it whenever _any_ +thread flag (including NEED_RESCHED, NOTIFY_SIGNAL, etc.) happens to +be set. + +Fixes: a9302e843944 "alpha: Enable system-call auditing support" +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + arch/alpha/kernel/entry.S | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/alpha/kernel/entry.S b/arch/alpha/kernel/entry.S +index 2e09248f8324..c27d01232799 100644 +--- a/arch/alpha/kernel/entry.S ++++ b/arch/alpha/kernel/entry.S +@@ -469,8 +469,10 @@ entSys: + #ifdef CONFIG_AUDITSYSCALL + lda $6, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT + and $3, $6, $3 +-#endif + bne $3, strace ++#else ++ blbs $3, strace /* check for SYSCALL_TRACE in disguise */ ++#endif + beq $4, 1f + ldq $27, 0($5) + 1: jsr $26, ($27), sys_ni_syscall +-- +2.35.1 + diff --git a/queue-5.4/alsa-asihpi-fix-missing-pci_disable_device.patch b/queue-5.4/alsa-asihpi-fix-missing-pci_disable_device.patch new file mode 100644 index 00000000000..e7d0c545b68 --- /dev/null +++ b/queue-5.4/alsa-asihpi-fix-missing-pci_disable_device.patch 
@@ -0,0 +1,37 @@ +From 5e06cf6d97765e2d5f0d194645e7078681d8aad7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Nov 2022 10:14:29 +0800 +Subject: ALSA: asihpi: fix missing pci_disable_device() + +From: Liu Shixin + +[ Upstream commit 9d86515c3d4c0564a0c31a2df87d735353a1971e ] + +pci_disable_device() need be called while module exiting, switch to use +pcim_enable(), pci_disable_device() will be called in pcim_release(). + +Fixes: 3285ea10e9b0 ("ALSA: asihpi - Interrelated HPI tidy up.") +Signed-off-by: Liu Shixin +Link: https://lore.kernel.org/r/20221126021429.3029562-1-liushixin2@huawei.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/asihpi/hpioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c +index 9790f5108a16..5cab049413fc 100644 +--- a/sound/pci/asihpi/hpioctl.c ++++ b/sound/pci/asihpi/hpioctl.c +@@ -352,7 +352,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev, + pci_dev->device, pci_dev->subsystem_vendor, + pci_dev->subsystem_device, pci_dev->devfn); + +- if (pci_enable_device(pci_dev) < 0) { ++ if (pcim_enable_device(pci_dev) < 0) { + dev_err(&pci_dev->dev, + "pci_enable_device failed, disabling device\n"); + return -EIO; +-- +2.35.1 + diff --git a/queue-5.4/alsa-mts64-fix-possible-null-ptr-defer-in-snd_mts64_.patch b/queue-5.4/alsa-mts64-fix-possible-null-ptr-defer-in-snd_mts64_.patch new file mode 100644 index 00000000000..a00ff066b1b --- /dev/null +++ b/queue-5.4/alsa-mts64-fix-possible-null-ptr-defer-in-snd_mts64_.patch 
@@ -0,0 +1,103 @@ +From f4c1fce2c54342220e48657fe1c7f815bfa50173 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Dec 2022 14:10:04 +0800 +Subject: ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt + +From: Gaosheng Cui + +[ Upstream commit cf2ea3c86ad90d63d1c572b43e1ca9276b0357ad ] + +I got a null-ptr-defer error report when I do the following tests +on the qemu platform: + +make defconfig and CONFIG_PARPORT=m, CONFIG_PARPORT_PC=m, +CONFIG_SND_MTS64=m + +Then making test scripts: +cat>test_mod1.sh< + snd_mts64_interrupt+0x24/0xa0 [snd_mts64] + parport_irq_handler+0x37/0x50 [parport] + __handle_irq_event_percpu+0x39/0x190 + handle_irq_event_percpu+0xa/0x30 + handle_irq_event+0x2f/0x50 + handle_edge_irq+0x99/0x1b0 + __common_interrupt+0x5d/0x100 + common_interrupt+0xa0/0xc0 + + + asm_common_interrupt+0x22/0x40 + RIP: 0010:_raw_write_unlock_irqrestore+0x11/0x30 + parport_claim+0xbd/0x230 [parport] + snd_mts64_probe+0x14a/0x465 [snd_mts64] + platform_probe+0x3f/0xa0 + really_probe+0x129/0x2c0 + __driver_probe_device+0x6d/0xc0 + driver_probe_device+0x1a/0xa0 + __device_attach_driver+0x7a/0xb0 + bus_for_each_drv+0x62/0xb0 + __device_attach+0xe4/0x180 + bus_probe_device+0x82/0xa0 + device_add+0x550/0x920 + platform_device_add+0x106/0x220 + snd_mts64_attach+0x2e/0x80 [snd_mts64] + port_check+0x14/0x20 [parport] + bus_for_each_dev+0x6e/0xc0 + __parport_register_driver+0x7c/0xb0 [parport] + snd_mts64_module_init+0x31/0x1000 [snd_mts64] + do_one_initcall+0x3c/0x1f0 + do_init_module+0x46/0x1c6 + load_module+0x1d8d/0x1e10 + __do_sys_finit_module+0xa2/0xf0 + do_syscall_64+0x37/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + + Kernel panic - not syncing: Fatal exception in interrupt + Rebooting in 1 seconds.. + +The mts wa not initialized during interrupt, we add check for +mts to fix this bug. 
+ +Fixes: 68ab801e32bb ("[ALSA] Add snd-mts64 driver for ESI Miditerminal 4140") +Signed-off-by: Gaosheng Cui +Link: https://lore.kernel.org/r/20221206061004.1222966-1-cuigaosheng1@huawei.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/drivers/mts64.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/drivers/mts64.c b/sound/drivers/mts64.c +index 44776e1463cb..71d0ab1c99b3 100644 +--- a/sound/drivers/mts64.c ++++ b/sound/drivers/mts64.c +@@ -816,6 +816,9 @@ static void snd_mts64_interrupt(void *private) + u8 status, data; + struct snd_rawmidi_substream *substream; + ++ if (!mts) ++ return; ++ + spin_lock(&mts->lock); + ret = mts64_read(mts->pardev->port); + data = ret & 0x00ff; +-- +2.35.1 + diff --git a/queue-5.4/alsa-pcm-fix-undefined-behavior-in-bit-shift-for-snd.patch b/queue-5.4/alsa-pcm-fix-undefined-behavior-in-bit-shift-for-snd.patch new file mode 100644 index 00000000000..acc7cb8b866 --- /dev/null +++ b/queue-5.4/alsa-pcm-fix-undefined-behavior-in-bit-shift-for-snd.patch 
@@ -0,0 +1,92 @@ +From 2f270a8d7d9384e3992ade0fd108bdf2f418c8b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 19:00:44 +0800 +Subject: ALSA: pcm: fix undefined behavior in bit shift for + SNDRV_PCM_RATE_KNOT + +From: Baisong Zhong + +[ Upstream commit b5172e62458f8e6ff359e5f096044a488db90ac5 ] + +Shifting signed 32-bit value by 31 bits is undefined, so changing +significant bit to unsigned. The UBSAN warning calltrace like below: + +UBSAN: shift-out-of-bounds in sound/core/pcm_native.c:2676:21 +left shift of 1 by 31 places cannot be represented in type 'int' +... +Call Trace: + + dump_stack_lvl+0x8d/0xcf + ubsan_epilogue+0xa/0x44 + __ubsan_handle_shift_out_of_bounds+0x1e7/0x208 + snd_pcm_open_substream+0x9f0/0xa90 + snd_pcm_oss_open.part.26+0x313/0x670 + snd_pcm_oss_open+0x30/0x40 + soundcore_open+0x18b/0x2e0 + chrdev_open+0xe2/0x270 + do_dentry_open+0x2f7/0x620 + path_openat+0xd66/0xe70 + do_filp_open+0xe3/0x170 + do_sys_openat2+0x357/0x4a0 + do_sys_open+0x87/0xd0 + do_syscall_64+0x34/0x80 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Baisong Zhong +Link: https://lore.kernel.org/r/20221121110044.3115686-1-zhongbaisong@huawei.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/sound/pcm.h | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/include/sound/pcm.h b/include/sound/pcm.h +index f0045f842a60..299e35458863 100644 +--- a/include/sound/pcm.h ++++ b/include/sound/pcm.h +@@ -104,24 +104,24 @@ struct snd_pcm_ops { + #define SNDRV_PCM_POS_XRUN ((snd_pcm_uframes_t)-1) + + /* If you change this don't forget to change rates[] table in pcm_native.c */ +-#define SNDRV_PCM_RATE_5512 (1<<0) /* 5512Hz */ +-#define SNDRV_PCM_RATE_8000 (1<<1) /* 8000Hz */ +-#define SNDRV_PCM_RATE_11025 (1<<2) /* 11025Hz */ +-#define SNDRV_PCM_RATE_16000 (1<<3) /* 16000Hz */ +-#define SNDRV_PCM_RATE_22050 (1<<4) /* 22050Hz */ +-#define SNDRV_PCM_RATE_32000 (1<<5) /* 32000Hz 
*/ +-#define SNDRV_PCM_RATE_44100 (1<<6) /* 44100Hz */ +-#define SNDRV_PCM_RATE_48000 (1<<7) /* 48000Hz */ +-#define SNDRV_PCM_RATE_64000 (1<<8) /* 64000Hz */ +-#define SNDRV_PCM_RATE_88200 (1<<9) /* 88200Hz */ +-#define SNDRV_PCM_RATE_96000 (1<<10) /* 96000Hz */ +-#define SNDRV_PCM_RATE_176400 (1<<11) /* 176400Hz */ +-#define SNDRV_PCM_RATE_192000 (1<<12) /* 192000Hz */ +-#define SNDRV_PCM_RATE_352800 (1<<13) /* 352800Hz */ +-#define SNDRV_PCM_RATE_384000 (1<<14) /* 384000Hz */ +- +-#define SNDRV_PCM_RATE_CONTINUOUS (1<<30) /* continuous range */ +-#define SNDRV_PCM_RATE_KNOT (1<<31) /* supports more non-continuos rates */ ++#define SNDRV_PCM_RATE_5512 (1U<<0) /* 5512Hz */ ++#define SNDRV_PCM_RATE_8000 (1U<<1) /* 8000Hz */ ++#define SNDRV_PCM_RATE_11025 (1U<<2) /* 11025Hz */ ++#define SNDRV_PCM_RATE_16000 (1U<<3) /* 16000Hz */ ++#define SNDRV_PCM_RATE_22050 (1U<<4) /* 22050Hz */ ++#define SNDRV_PCM_RATE_32000 (1U<<5) /* 32000Hz */ ++#define SNDRV_PCM_RATE_44100 (1U<<6) /* 44100Hz */ ++#define SNDRV_PCM_RATE_48000 (1U<<7) /* 48000Hz */ ++#define SNDRV_PCM_RATE_64000 (1U<<8) /* 64000Hz */ ++#define SNDRV_PCM_RATE_88200 (1U<<9) /* 88200Hz */ ++#define SNDRV_PCM_RATE_96000 (1U<<10) /* 96000Hz */ ++#define SNDRV_PCM_RATE_176400 (1U<<11) /* 176400Hz */ ++#define SNDRV_PCM_RATE_192000 (1U<<12) /* 192000Hz */ ++#define SNDRV_PCM_RATE_352800 (1U<<13) /* 352800Hz */ ++#define SNDRV_PCM_RATE_384000 (1U<<14) /* 384000Hz */ ++ ++#define SNDRV_PCM_RATE_CONTINUOUS (1U<<30) /* continuous range */ ++#define SNDRV_PCM_RATE_KNOT (1U<<31) /* supports more non-continuos rates */ + + #define SNDRV_PCM_RATE_8000_44100 (SNDRV_PCM_RATE_8000|SNDRV_PCM_RATE_11025|\ + SNDRV_PCM_RATE_16000|SNDRV_PCM_RATE_22050|\ +-- +2.35.1 + diff --git a/queue-5.4/alsa-seq-fix-undefined-behavior-in-bit-shift-for-snd.patch b/queue-5.4/alsa-seq-fix-undefined-behavior-in-bit-shift-for-snd.patch new file mode 100644 index 00000000000..b5011c3fc68 --- /dev/null 
+++ b/queue-5.4/alsa-seq-fix-undefined-behavior-in-bit-shift-for-snd.patch 
@@ -0,0 +1,66 @@ +From f15825088dbaf3a176621679370556f8ae07a730 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 19:16:30 +0800 +Subject: ALSA: seq: fix undefined behavior in bit shift for + SNDRV_SEQ_FILTER_USE_EVENT + +From: Baisong Zhong + +[ Upstream commit cf59e1e4c79bf741905484cdb13c130b53576a16 ] + +Shifting signed 32-bit value by 31 bits is undefined, so changing +significant bit to unsigned. The UBSAN warning calltrace like below: + +UBSAN: shift-out-of-bounds in sound/core/seq/seq_clientmgr.c:509:22 +left shift of 1 by 31 places cannot be represented in type 'int' +... +Call Trace: + + dump_stack_lvl+0x8d/0xcf + ubsan_epilogue+0xa/0x44 + __ubsan_handle_shift_out_of_bounds+0x1e7/0x208 + snd_seq_deliver_single_event.constprop.21+0x191/0x2f0 + snd_seq_deliver_event+0x1a2/0x350 + snd_seq_kernel_client_dispatch+0x8b/0xb0 + snd_seq_client_notify_subscription+0x72/0xa0 + snd_seq_ioctl_subscribe_port+0x128/0x160 + snd_seq_kernel_client_ctl+0xce/0xf0 + snd_seq_oss_create_client+0x109/0x15b + alsa_seq_oss_init+0x11c/0x1aa + do_one_initcall+0x80/0x440 + kernel_init_freeable+0x370/0x3c3 + kernel_init+0x1b/0x190 + ret_from_fork+0x1f/0x30 + + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Baisong Zhong +Link: https://lore.kernel.org/r/20221121111630.3119259-1-zhongbaisong@huawei.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/uapi/sound/asequencer.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/include/uapi/sound/asequencer.h b/include/uapi/sound/asequencer.h +index a75e14edc957..dbd60f48b4b0 100644 +--- a/include/uapi/sound/asequencer.h ++++ b/include/uapi/sound/asequencer.h +@@ -344,10 +344,10 @@ typedef int __bitwise snd_seq_client_type_t; + #define KERNEL_CLIENT ((__force snd_seq_client_type_t) 2) + + /* event filter flags */ +-#define SNDRV_SEQ_FILTER_BROADCAST (1<<0) /* accept broadcast messages */ +-#define SNDRV_SEQ_FILTER_MULTICAST (1<<1) /* accept multicast messages */ 
+-#define SNDRV_SEQ_FILTER_BOUNCE (1<<2) /* accept bounce event in error */ +-#define SNDRV_SEQ_FILTER_USE_EVENT (1<<31) /* use event filter */ ++#define SNDRV_SEQ_FILTER_BROADCAST (1U<<0) /* accept broadcast messages */ ++#define SNDRV_SEQ_FILTER_MULTICAST (1U<<1) /* accept multicast messages */ ++#define SNDRV_SEQ_FILTER_BOUNCE (1U<<2) /* accept bounce event in error */ ++#define SNDRV_SEQ_FILTER_USE_EVENT (1U<<31) /* use event filter */ + + struct snd_seq_client_info { + int client; /* client number to inquire */ +-- +2.35.1 + diff --git a/queue-5.4/amdgpu-pm-prevent-array-underflow-in-vega20_odn_edit.patch b/queue-5.4/amdgpu-pm-prevent-array-underflow-in-vega20_odn_edit.patch new file mode 100644 index 00000000000..1372b56cf9d --- /dev/null +++ b/queue-5.4/amdgpu-pm-prevent-array-underflow-in-vega20_odn_edit.patch 
@@ -0,0 +1,38 @@ +From 37184d3344763583f970bf73a399a650200ed246 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 15:56:57 +0300 +Subject: amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table() + +From: Dan Carpenter + +[ Upstream commit d27252b5706e51188aed7647126e44dcf9e940c1 ] + +In the PP_OD_EDIT_VDDC_CURVE case the "input_index" variable is capped at +2 but not checked for negative values so it results in an out of bounds +read. This value comes from the user via sysfs. + +Fixes: d5bf26539494 ("drm/amd/powerplay: added vega20 overdrive support V3") +Signed-off-by: Dan Carpenter +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/powerplay/hwmgr/vega20_hwmgr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/vega20_hwmgr.c b/drivers/gpu/drm/amd/powerplay/hwmgr/vega20_hwmgr.c +index 947e4fa3c5e6..d499add3601a 100644 +--- a/drivers/gpu/drm/amd/powerplay/hwmgr/vega20_hwmgr.c ++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/vega20_hwmgr.c +@@ -2894,7 +2894,8 @@ static int vega20_odn_edit_dpm_table(struct pp_hwmgr *hwmgr, + data->od8_settings.od8_settings_array; + OverDriveTable_t *od_table = + &(data->smc_state_table.overdrive_table); +- int32_t input_index, input_clk, input_vol, i; ++ int32_t input_clk, input_vol, i; ++ uint32_t input_index; + int od8_id; + int ret; + +-- +2.35.1 + diff --git a/queue-5.4/apparmor-fix-a-memleak-in-multi_transaction_new.patch b/queue-5.4/apparmor-fix-a-memleak-in-multi_transaction_new.patch new file mode 100644 index 00000000000..906fa018d5b --- /dev/null +++ b/queue-5.4/apparmor-fix-a-memleak-in-multi_transaction_new.patch 
@@ -0,0 +1,42 @@ +From 83241d725ccf59098946e814176737cf9ec36314 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 09:15:03 +0800 +Subject: apparmor: fix a memleak in multi_transaction_new() + +From: Gaosheng Cui + +[ Upstream commit c73275cf6834787ca090317f1d20dbfa3b7f05aa ] + +In multi_transaction_new(), the variable t is not freed or passed out +on the failure of copy_from_user(t->data, buf, size), which could lead +to a memleak. + +Fix this bug by adding a put_multi_transaction(t) in the error path. + +Fixes: 1dea3b41e84c5 ("apparmor: speed up transactional queries") +Signed-off-by: Gaosheng Cui +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/apparmorfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c +index 84daab8ae062..62736465ac82 100644 +--- a/security/apparmor/apparmorfs.c ++++ b/security/apparmor/apparmorfs.c +@@ -869,8 +869,10 @@ static struct multi_transaction *multi_transaction_new(struct file *file, + if (!t) + return ERR_PTR(-ENOMEM); + kref_init(&t->count); +- if (copy_from_user(t->data, buf, size)) ++ if (copy_from_user(t->data, buf, size)) { ++ put_multi_transaction(t); + return ERR_PTR(-EFAULT); ++ } + + return t; + } +-- +2.35.1 + diff --git a/queue-5.4/apparmor-fix-abi-check-to-include-v8-abi.patch b/queue-5.4/apparmor-fix-abi-check-to-include-v8-abi.patch new file mode 100644 index 00000000000..00f1783a1d4 --- /dev/null +++ b/queue-5.4/apparmor-fix-abi-check-to-include-v8-abi.patch 
@@ -0,0 +1,42 @@ +From 43803bab4973783abd9a588a5a7be5b099504211 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 May 2022 18:57:12 -0700 +Subject: apparmor: Fix abi check to include v8 abi + +From: John Johansen + +[ Upstream commit 1b5a6198f5a9d0aa5497da0dc4bcd4fc166ee516 ] + +The v8 abi is supported by the kernel but the userspace supported +version check does not allow for it. This was missed when v8 was added +due to a bug in the userspace compiler which was setting an older abi +version for v8 encoding (which is forward compatible except on the +network encoding). However it is possible to detect the network +encoding by checking the policydb network support which the code +does. The end result was that missing the abi flag worked until +userspace was fixed and began correctly checking for the v8 abi +version. + +Fixes: 56974a6fcfef ("apparmor: add base infastructure for socket mediation") +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/policy_unpack.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c +index 8cfc9493eefc..7e32c09249b1 100644 +--- a/security/apparmor/policy_unpack.c ++++ b/security/apparmor/policy_unpack.c +@@ -955,7 +955,7 @@ static int verify_header(struct aa_ext *e, int required, const char **ns) + * if not specified use previous version + * Mask off everything that is not kernel abi version + */ +- if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v7)) { ++ if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v8)) { + audit_iface(NULL, NULL, NULL, "unsupported interface version", + e, error); + return error; +-- +2.35.1 + diff --git a/queue-5.4/apparmor-fix-lockdep-warning-when-removing-a-namespa.patch b/queue-5.4/apparmor-fix-lockdep-warning-when-removing-a-namespa.patch new file mode 100644 index 00000000000..0434e8eb646 --- /dev/null 
+++ b/queue-5.4/apparmor-fix-lockdep-warning-when-removing-a-namespa.patch 
@@ -0,0 +1,56 @@ +From dbfed283c1c03a9ff2dd873a7c8a1db615244946 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 03:39:55 -0700 +Subject: apparmor: fix lockdep warning when removing a namespace + +From: John Johansen + +[ Upstream commit 9c4557efc558a68e4cd973490fd936d6e3414db8 ] + +Fix the following lockdep warning + +[ 1119.158984] ============================================ +[ 1119.158988] WARNING: possible recursive locking detected +[ 1119.158996] 6.0.0-rc1+ #257 Tainted: G E N +[ 1119.158999] -------------------------------------------- +[ 1119.159001] bash/80100 is trying to acquire lock: +[ 1119.159007] ffff88803e79b4a0 (&ns->lock/1){+.+.}-{4:4}, at: destroy_ns.part.0+0x43/0x140 +[ 1119.159028] + but task is already holding lock: +[ 1119.159030] ffff8881009764a0 (&ns->lock/1){+.+.}-{4:4}, at: aa_remove_profiles+0x3f0/0x640 +[ 1119.159040] + other info that might help us debug this: +[ 1119.159042] Possible unsafe locking scenario: + +[ 1119.159043] CPU0 +[ 1119.159045] ---- +[ 1119.159047] lock(&ns->lock/1); +[ 1119.159051] lock(&ns->lock/1); +[ 1119.159055] + *** DEADLOCK *** + +Which is caused by an incorrect lockdep nesting notation + +Fixes: feb3c766a3ab ("apparmor: fix possible recursive lock warning in __aa_create_ns") +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/policy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c +index 06355717ee84..e38ceba39200 100644 +--- a/security/apparmor/policy.c ++++ b/security/apparmor/policy.c +@@ -1123,7 +1123,7 @@ ssize_t aa_remove_profiles(struct aa_ns *policy_ns, struct aa_label *subj, + + if (!name) { + /* remove namespace - can only happen if fqname[0] == ':' */ +- mutex_lock_nested(&ns->parent->lock, ns->level); ++ mutex_lock_nested(&ns->parent->lock, ns->parent->level); + __aa_bump_ns_revision(ns); + __aa_remove_ns(ns); + mutex_unlock(&ns->parent->lock); +-- +2.35.1 + 
diff --git a/queue-5.4/apparmor-use-pointer-to-struct-aa_label-for-lbs_cred.patch b/queue-5.4/apparmor-use-pointer-to-struct-aa_label-for-lbs_cred.patch new file mode 100644 index 00000000000..8407f0ea4f5 --- /dev/null +++ b/queue-5.4/apparmor-use-pointer-to-struct-aa_label-for-lbs_cred.patch @@ -0,0 +1,41 @@ +From e98f4f7831cb49db107637f7fff85083fe14f3cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Oct 2022 08:46:04 +0800 +Subject: apparmor: Use pointer to struct aa_label for lbs_cred + +From: Xiu Jianfeng + +[ Upstream commit 37923d4321b1e38170086da2c117f78f2b0f49c6 ] + +According to the implementations of cred_label() and set_cred_label(), +we should use pointer to struct aa_label for lbs_cred instead of struct +aa_task_ctx, this patch fixes it. + +Fixes: bbd3662a8348 ("Infrastructure management of the cred security blob") +Signed-off-by: Xiu Jianfeng +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/lsm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c +index e31965dc6dd1..21e03380dd86 100644 +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c +@@ -1148,10 +1148,10 @@ static int apparmor_inet_conn_request(struct sock *sk, struct sk_buff *skb, + #endif + + /* +- * The cred blob is a pointer to, not an instance of, an aa_task_ctx. ++ * The cred blob is a pointer to, not an instance of, an aa_label. + */ + struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = { +- .lbs_cred = sizeof(struct aa_task_ctx *), ++ .lbs_cred = sizeof(struct aa_label *), + .lbs_file = sizeof(struct aa_file_ctx), + .lbs_task = sizeof(struct aa_task_ctx), + }; +-- +2.35.1 + diff --git a/queue-5.4/arm-dts-armada-370-fix-assigned-addresses-for-every-.patch b/queue-5.4/arm-dts-armada-370-fix-assigned-addresses-for-every-.patch new file mode 100644 index 00000000000..8c77620f964 --- /dev/null 
+++ b/queue-5.4/arm-dts-armada-370-fix-assigned-addresses-for-every-.patch @@ -0,0 +1,40 @@ +From f149c6026cf62e86f40dc2e33d3524810e59a825 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 00:30:49 +0200 +Subject: ARM: dts: armada-370: Fix assigned-addresses for every PCIe Root Port +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit d9208b0fa2e803d16b28d91bf1d46b7ee9ea13c6 ] + +BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port +(PCI-to-PCI bridge) should match BDF in address part in that DT node name +as specified resource belongs to Marvell PCIe Root Port itself. + +Fixes: a09a0b7c6ff1 ("arm: mvebu: add PCIe Device Tree informations for Armada 370") +Signed-off-by: Pali Rohár +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/armada-370.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/armada-370.dtsi b/arch/arm/boot/dts/armada-370.dtsi +index 46e6d3ed8f35..c042c416a94a 100644 +--- a/arch/arm/boot/dts/armada-370.dtsi ++++ b/arch/arm/boot/dts/armada-370.dtsi +@@ -74,7 +74,7 @@ pcie0: pcie@1,0 { + + pcie2: pcie@2,0 { + device_type = "pci"; +- assigned-addresses = <0x82002800 0 0x80000 0 0x2000>; ++ assigned-addresses = <0x82001000 0 0x80000 0 0x2000>; + reg = <0x1000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +-- +2.35.1 + diff --git a/queue-5.4/arm-dts-armada-375-fix-assigned-addresses-for-every-.patch b/queue-5.4/arm-dts-armada-375-fix-assigned-addresses-for-every-.patch new file mode 100644 index 00000000000..f699b422595 --- /dev/null +++ b/queue-5.4/arm-dts-armada-375-fix-assigned-addresses-for-every-.patch 
@@ -0,0 +1,40 @@ +From 2b26162f87d211ffc75b3751df1156d5e02aed8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 00:30:51 +0200 +Subject: ARM: dts: armada-375: Fix assigned-addresses for every PCIe Root Port +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 823956d2436f70ced74c0fe8ab99facd8abfc060 ] + +BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port +(PCI-to-PCI bridge) should match BDF in address part in that DT node name +as specified resource belongs to Marvell PCIe Root Port itself. + +Fixes: 4de59085091f ("ARM: mvebu: add Device Tree description of the Armada 375 SoC") +Signed-off-by: Pali Rohár +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/armada-375.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/armada-375.dtsi b/arch/arm/boot/dts/armada-375.dtsi +index 2932a29ae272..230f6dd876a2 100644 +--- a/arch/arm/boot/dts/armada-375.dtsi ++++ b/arch/arm/boot/dts/armada-375.dtsi +@@ -584,7 +584,7 @@ pcie0: pcie@1,0 { + + pcie1: pcie@2,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>; ++ assigned-addresses = <0x82001000 0 0x44000 0 0x2000>; + reg = <0x1000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +-- +2.35.1 + diff --git a/queue-5.4/arm-dts-armada-38x-fix-assigned-addresses-for-every-.patch b/queue-5.4/arm-dts-armada-38x-fix-assigned-addresses-for-every-.patch new file mode 100644 index 00000000000..30adeb42b8f --- /dev/null +++ b/queue-5.4/arm-dts-armada-38x-fix-assigned-addresses-for-every-.patch 
@@ -0,0 +1,81 @@ +From 798b3b0aab580c6b38d7a498950d6b158e6b392b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 00:30:52 +0200 +Subject: ARM: dts: armada-38x: Fix assigned-addresses for every PCIe Root Port +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 44f47b7a8fa4678ce4c38ea74837e4996b9df6d6 ] + +BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port +(PCI-to-PCI bridge) should match BDF in address part in that DT node name +as specified resource belongs to Marvell PCIe Root Port itself. + +Fixes: 0d3d96ab0059 ("ARM: mvebu: add Device Tree description of the Armada 380/385 SoCs") +Signed-off-by: Pali Rohár +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/armada-380.dtsi | 4 ++-- + arch/arm/boot/dts/armada-385.dtsi | 6 +++--- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/boot/dts/armada-380.dtsi b/arch/arm/boot/dts/armada-380.dtsi +index cff1269f3fbf..7146cc8f082a 100644 +--- a/arch/arm/boot/dts/armada-380.dtsi ++++ b/arch/arm/boot/dts/armada-380.dtsi +@@ -79,7 +79,7 @@ pcie@1,0 { + /* x1 port */ + pcie@2,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x40000 0 0x2000>; ++ assigned-addresses = <0x82001000 0 0x40000 0 0x2000>; + reg = <0x1000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -98,7 +98,7 @@ pcie@2,0 { + /* x1 port */ + pcie@3,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>; ++ assigned-addresses = <0x82001800 0 0x44000 0 0x2000>; + reg = <0x1800 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +diff --git a/arch/arm/boot/dts/armada-385.dtsi b/arch/arm/boot/dts/armada-385.dtsi +index f0022d10c715..f081f7cb66e5 100644 +--- a/arch/arm/boot/dts/armada-385.dtsi ++++ b/arch/arm/boot/dts/armada-385.dtsi +@@ -84,7 +84,7 @@ pcie1: pcie@1,0 { + /* x1 port */ + pcie2: pcie@2,0 { + device_type = "pci"; 
+- assigned-addresses = <0x82000800 0 0x40000 0 0x2000>; ++ assigned-addresses = <0x82001000 0 0x40000 0 0x2000>; + reg = <0x1000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -103,7 +103,7 @@ pcie2: pcie@2,0 { + /* x1 port */ + pcie3: pcie@3,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>; ++ assigned-addresses = <0x82001800 0 0x44000 0 0x2000>; + reg = <0x1800 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -125,7 +125,7 @@ pcie3: pcie@3,0 { + */ + pcie4: pcie@4,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x48000 0 0x2000>; ++ assigned-addresses = <0x82002000 0 0x48000 0 0x2000>; + reg = <0x2000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +-- +2.35.1 + diff --git a/queue-5.4/arm-dts-armada-38x-fix-compatible-string-for-gpios.patch b/queue-5.4/arm-dts-armada-38x-fix-compatible-string-for-gpios.patch new file mode 100644 index 00000000000..49652b8735e --- /dev/null +++ b/queue-5.4/arm-dts-armada-38x-fix-compatible-string-for-gpios.patch 
@@ -0,0 +1,56 @@ +From 4a990f8c4297e62aaf358a9425f5dfdb2eda698e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Jul 2022 20:33:27 +0200 +Subject: ARM: dts: armada-38x: Fix compatible string for gpios +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit c4de4667f15d04ef5920bacf41e514ec7d1ef03d ] + +Armada 38x supports per CPU interrupts for gpios, like Armada XP. Pre-XP +variants like Armada 370 do not support per CPU interrupts for gpios. + +So change compatible string for Armada 38x from "marvell,armada-370-gpio" +which indicates pre-XP variant to "marvell,armadaxp-gpio" which indicates +XP variant or new. + +Driver gpio-mvebu.c which handles both pre-XP and XP variants already +provides support for per CPU interrupts on XP and newer variants. + +Signed-off-by: Pali Rohár +Fixes: 7cb2acb3fbae ("ARM: dts: mvebu: Add PWM properties for armada-38x") +Acked-by: Uwe Kleine-König +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/armada-38x.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/armada-38x.dtsi b/arch/arm/boot/dts/armada-38x.dtsi +index 5b82e58a1cf0..b5bc0300a8c5 100644 +--- a/arch/arm/boot/dts/armada-38x.dtsi ++++ b/arch/arm/boot/dts/armada-38x.dtsi +@@ -289,7 +289,7 @@ sata3_pins: sata-pins-3 { + }; + + gpio0: gpio@18100 { +- compatible = "marvell,armada-370-gpio", ++ compatible = "marvell,armadaxp-gpio", + "marvell,orion-gpio"; + reg = <0x18100 0x40>, <0x181c0 0x08>; + reg-names = "gpio", "pwm"; +@@ -307,7 +307,7 @@ gpio0: gpio@18100 { + }; + + gpio1: gpio@18140 { +- compatible = "marvell,armada-370-gpio", ++ compatible = "marvell,armadaxp-gpio", + "marvell,orion-gpio"; + reg = <0x18140 0x40>, <0x181c8 0x08>; + reg-names = "gpio", "pwm"; +-- +2.35.1 + 
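Review bot: neither the commit message nor the two armada-38x.dtsi hunks address PWM, although gpio0 and gpio1 keep reg-names = "gpio", "pwm" and a second reg range while their first compatible changes from "marvell,armada-370-gpio" to "marvell,armadaxp-gpio". Before this is queued for 5.4, check that the 5.4 gpio-mvebu.c still sets up the PWM block when the node matches "marvell,armadaxp-gpio", and record the result in the commit message; the Fixes: tag points at the commit that added the PWM properties, so a PWM regression would undo what that commit set up. The interrupts properties of both nodes are outside the hunk context, so also state whether they need any change for the XP variant.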
diff --git a/queue-5.4/arm-dts-armada-39x-fix-assigned-addresses-for-every-.patch b/queue-5.4/arm-dts-armada-39x-fix-assigned-addresses-for-every-.patch new file mode 100644 index 00000000000..1e81f3daae7 --- /dev/null +++ b/queue-5.4/arm-dts-armada-39x-fix-assigned-addresses-for-every-.patch 
@@ -0,0 +1,58 @@ +From 0730303c140cf3b13000a41e3b8b36439b332321 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 00:30:53 +0200 +Subject: ARM: dts: armada-39x: Fix assigned-addresses for every PCIe Root Port +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 69236d2391b4d7324b11c3252921571577892e7b ] + +BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port +(PCI-to-PCI bridge) should match BDF in address part in that DT node name +as specified resource belongs to Marvell PCIe Root Port itself. + +Fixes: 538da83ddbea ("ARM: mvebu: add Device Tree files for Armada 39x SoC and board") +Signed-off-by: Pali Rohár +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/armada-39x.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/armada-39x.dtsi b/arch/arm/boot/dts/armada-39x.dtsi +index b1b86934c688..cd7a46c48d19 100644 +--- a/arch/arm/boot/dts/armada-39x.dtsi ++++ b/arch/arm/boot/dts/armada-39x.dtsi +@@ -457,7 +457,7 @@ pcie@1,0 { + /* x1 port */ + pcie@2,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x40000 0 0x2000>; ++ assigned-addresses = <0x82001000 0 0x40000 0 0x2000>; + reg = <0x1000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -476,7 +476,7 @@ pcie@2,0 { + /* x1 port */ + pcie@3,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>; ++ assigned-addresses = <0x82001800 0 0x44000 0 0x2000>; + reg = <0x1800 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -498,7 +498,7 @@ pcie@3,0 { + */ + pcie@4,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x48000 0 0x2000>; ++ assigned-addresses = <0x82002000 0 0x48000 0 0x2000>; + reg = <0x2000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +-- +2.35.1 + 
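Review bot: the commit message gives the rule in words but not the arithmetic, so none of the three new values in armada-39x.dtsi can be checked from the message alone. In the hunks, the first cell of assigned-addresses is 0x82000000 ORed with the first cell of reg in the same node (0x82001000 with reg = <0x1000 ...>, 0x82001800 with 0x1800, 0x82002000 with 0x2000). Stating that once, together with what misbehaves at runtime when every port carries 0x82000800, would justify the stable backport and make the next copy-paste error easy to spot. pcie@1,0 appears only as hunk context; if it is left alone because its value was already consistent, say so.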
diff --git a/queue-5.4/arm-dts-armada-39x-fix-compatible-string-for-gpios.patch b/queue-5.4/arm-dts-armada-39x-fix-compatible-string-for-gpios.patch new file mode 100644 index 00000000000..889badb7a02 --- /dev/null +++ b/queue-5.4/arm-dts-armada-39x-fix-compatible-string-for-gpios.patch @@ -0,0 +1,52 @@ +From a093eaa190b849e427e42de944ffc9478f59c25c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Jul 2022 20:33:28 +0200 +Subject: ARM: dts: armada-39x: Fix compatible string for gpios +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit d10886a4e6f85ee18d47a1066a52168461370ded ] + +Armada 39x supports per CPU interrupts for gpios, like Armada XP. + +So add compatible string "marvell,armadaxp-gpio" for Armada 39x GPIO nodes. + +Driver gpio-mvebu.c which handles both pre-XP and XP variants already +provides support for per CPU interrupts on XP and newer variants. + +Signed-off-by: Pali Rohár +Fixes: d81a914fc630 ("ARM: dts: mvebu: armada-39x: add missing nodes describing GPIO's") +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/armada-39x.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/armada-39x.dtsi b/arch/arm/boot/dts/armada-39x.dtsi +index cd7a46c48d19..2d3d536c36e1 100644 +--- a/arch/arm/boot/dts/armada-39x.dtsi ++++ b/arch/arm/boot/dts/armada-39x.dtsi +@@ -217,7 +217,7 @@ nand_pins: nand-pins { + }; + + gpio0: gpio@18100 { +- compatible = "marvell,orion-gpio"; ++ compatible = "marvell,armadaxp-gpio", "marvell,orion-gpio"; + reg = <0x18100 0x40>; + ngpios = <32>; + gpio-controller; +@@ -231,7 +231,7 @@ gpio0: gpio@18100 { + }; + + gpio1: gpio@18140 { +- compatible = "marvell,orion-gpio"; ++ compatible = "marvell,armadaxp-gpio", "marvell,orion-gpio"; + reg = <0x18140 0x40>; + ngpios = <28>; + gpio-controller; +-- +2.35.1 + 
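Review bot: the subject says "Fix compatible string", but both hunks add a new first entry, "marvell,armadaxp-gpio", in front of "marvell,orion-gpio", which changes what the driver matches for gpio0 and gpio1 on 5.4. The nodes shown have a single reg range (<0x18100 0x40> and <0x18140 0x40>) and their interrupts properties are not in the context, so confirm that gpio-mvebu.c in 5.4 can probe the XP variant with only that range and the existing interrupt list. If it needs more, the extra properties belong in this patch.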
diff --git a/queue-5.4/arm-dts-armada-xp-fix-assigned-addresses-for-every-p.patch b/queue-5.4/arm-dts-armada-xp-fix-assigned-addresses-for-every-p.patch new file mode 100644 index 00000000000..20db3dc6763 --- /dev/null +++ b/queue-5.4/arm-dts-armada-xp-fix-assigned-addresses-for-every-p.patch 
@@ -0,0 +1,146 @@ +From f036aad7f6cf10000fb2f49745d6af39e720fc37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 00:30:50 +0200 +Subject: ARM: dts: armada-xp: Fix assigned-addresses for every PCIe Root Port +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit eab276787f456cbea89fabea110fe0728673d308 ] + +BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port +(PCI-to-PCI bridge) should match BDF in address part in that DT node name +as specified resource belongs to Marvell PCIe Root Port itself. + +Fixes: 9d8f44f02d4a ("arm: mvebu: add PCIe Device Tree informations for Armada XP") +Fixes: 12b69a599745 ("ARM: mvebu: second PCIe unit of Armada XP mv78230 is only x1 capable") +Fixes: 2163e61c92d9 ("ARM: mvebu: fix second and third PCIe unit of Armada XP mv78260") +Signed-off-by: Pali Rohár +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/armada-xp-mv78230.dtsi | 8 ++++---- + arch/arm/boot/dts/armada-xp-mv78260.dtsi | 16 ++++++++-------- + 2 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/arch/arm/boot/dts/armada-xp-mv78230.dtsi b/arch/arm/boot/dts/armada-xp-mv78230.dtsi +index 8558bf6bb54c..d55fe162fc7f 100644 +--- a/arch/arm/boot/dts/armada-xp-mv78230.dtsi ++++ b/arch/arm/boot/dts/armada-xp-mv78230.dtsi +@@ -97,7 +97,7 @@ pcie1: pcie@1,0 { + + pcie2: pcie@2,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>; ++ assigned-addresses = <0x82001000 0 0x44000 0 0x2000>; + reg = <0x1000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -115,7 +115,7 @@ pcie2: pcie@2,0 { + + pcie3: pcie@3,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x48000 0 0x2000>; ++ assigned-addresses = <0x82001800 0 0x48000 0 0x2000>; + reg = <0x1800 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -133,7 +133,7 @@ pcie3: pcie@3,0 { + + pcie4: pcie@4,0 { + 
device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x4c000 0 0x2000>; ++ assigned-addresses = <0x82002000 0 0x4c000 0 0x2000>; + reg = <0x2000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -151,7 +151,7 @@ pcie4: pcie@4,0 { + + pcie5: pcie@5,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x80000 0 0x2000>; ++ assigned-addresses = <0x82002800 0 0x80000 0 0x2000>; + reg = <0x2800 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +diff --git a/arch/arm/boot/dts/armada-xp-mv78260.dtsi b/arch/arm/boot/dts/armada-xp-mv78260.dtsi +index 2d85fe8ac327..fdcc81819940 100644 +--- a/arch/arm/boot/dts/armada-xp-mv78260.dtsi ++++ b/arch/arm/boot/dts/armada-xp-mv78260.dtsi +@@ -112,7 +112,7 @@ pcie1: pcie@1,0 { + + pcie2: pcie@2,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>; ++ assigned-addresses = <0x82001000 0 0x44000 0 0x2000>; + reg = <0x1000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -130,7 +130,7 @@ pcie2: pcie@2,0 { + + pcie3: pcie@3,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x48000 0 0x2000>; ++ assigned-addresses = <0x82001800 0 0x48000 0 0x2000>; + reg = <0x1800 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -148,7 +148,7 @@ pcie3: pcie@3,0 { + + pcie4: pcie@4,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x4c000 0 0x2000>; ++ assigned-addresses = <0x82002000 0 0x4c000 0 0x2000>; + reg = <0x2000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -166,7 +166,7 @@ pcie4: pcie@4,0 { + + pcie5: pcie@5,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x80000 0 0x2000>; ++ assigned-addresses = <0x82002800 0 0x80000 0 0x2000>; + reg = <0x2800 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -184,7 +184,7 @@ pcie5: pcie@5,0 { + + pcie6: pcie@6,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x84000 0 0x2000>; ++ assigned-addresses = <0x82003000 0 0x84000 0 0x2000>; + reg = <0x3000 
0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -202,7 +202,7 @@ pcie6: pcie@6,0 { + + pcie7: pcie@7,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x88000 0 0x2000>; ++ assigned-addresses = <0x82003800 0 0x88000 0 0x2000>; + reg = <0x3800 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -220,7 +220,7 @@ pcie7: pcie@7,0 { + + pcie8: pcie@8,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x8c000 0 0x2000>; ++ assigned-addresses = <0x82004000 0 0x8c000 0 0x2000>; + reg = <0x4000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -238,7 +238,7 @@ pcie8: pcie@8,0 { + + pcie9: pcie@9,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x42000 0 0x2000>; ++ assigned-addresses = <0x82004800 0 0x42000 0 0x2000>; + reg = <0x4800 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +-- +2.35.1 + diff --git a/queue-5.4/arm-dts-dove-fix-assigned-addresses-for-every-pcie-r.patch b/queue-5.4/arm-dts-dove-fix-assigned-addresses-for-every-pcie-r.patch new file mode 100644 index 00000000000..f7748f19249 --- /dev/null +++ b/queue-5.4/arm-dts-dove-fix-assigned-addresses-for-every-pcie-r.patch 
@@ -0,0 +1,40 @@ +From 70d0befe8fad3e0f11b934ff9bc5f2948391aa57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 00:30:48 +0200 +Subject: ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit dcc7d8c72b64a479b8017e4332d99179deb8802d ] + +BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port +(PCI-to-PCI bridge) should match BDF in address part in that DT node name +as specified resource belongs to Marvell PCIe Root Port itself. + +Fixes: 74ecaa403a74 ("ARM: dove: add PCIe controllers to SoC DT") +Signed-off-by: Pali Rohár +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/dove.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/dove.dtsi b/arch/arm/boot/dts/dove.dtsi +index 2e8a3977219f..347624ea96cd 100644 +--- a/arch/arm/boot/dts/dove.dtsi ++++ b/arch/arm/boot/dts/dove.dtsi +@@ -129,7 +129,7 @@ pcie0: pcie@1 { + pcie1: pcie@2 { + device_type = "pci"; + status = "disabled"; +- assigned-addresses = <0x82002800 0 0x80000 0 0x2000>; ++ assigned-addresses = <0x82001000 0 0x80000 0 0x2000>; + reg = <0x1000 0 0 0 0>; + clocks = <&gate_clk 5>; + marvell,pcie-port = <1>; +-- +2.35.1 + diff --git a/queue-5.4/arm-dts-qcom-apq8064-fix-coresight-compatible.patch b/queue-5.4/arm-dts-qcom-apq8064-fix-coresight-compatible.patch new file mode 100644 index 00000000000..03ed2d54a2b --- /dev/null +++ b/queue-5.4/arm-dts-qcom-apq8064-fix-coresight-compatible.patch 
@@ -0,0 +1,39 @@ +From 8f38adb5b13e2af9ce14111ce044242e1e938d37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Oct 2022 21:06:57 +0200 +Subject: ARM: dts: qcom: apq8064: fix coresight compatible + +From: Luca Weiss + +[ Upstream commit a42b1ee868361f1cb0492f1bdaefb43e0751e468 ] + +There's a typo missing the arm, prefix of arm,coresight-etb10. Fix it to +make devicetree validation happier. + +Signed-off-by: Luca Weiss +Fixes: 7a5c275fd821 ("ARM: dts: qcom: Add apq8064 CoreSight components") +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Konrad Dybcio +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20221013190657.48499-3-luca@z3ntu.xyz +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/qcom-apq8064.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi +index 764984c95c68..8c8a576ab9c0 100644 +--- a/arch/arm/boot/dts/qcom-apq8064.dtsi ++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi +@@ -1570,7 +1570,7 @@ wifi { + }; + + etb@1a01000 { +- compatible = "coresight-etb10", "arm,primecell"; ++ compatible = "arm,coresight-etb10", "arm,primecell"; + reg = <0x1a01000 0x1000>; + + clocks = <&rpmcc RPM_QDSS_CLK>; +-- +2.35.1 + diff --git a/queue-5.4/arm-dts-spear600-fix-clcd-interrupt.patch b/queue-5.4/arm-dts-spear600-fix-clcd-interrupt.patch new file mode 100644 index 00000000000..9915e5add51 --- /dev/null +++ b/queue-5.4/arm-dts-spear600-fix-clcd-interrupt.patch 
@@ -0,0 +1,37 @@ +From e387c73107c0b82c8d58e22744a1a949064ff814 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 18:10:06 +0100 +Subject: arm: dts: spear600: Fix clcd interrupt + +From: Kory Maincent + +[ Upstream commit 0336e2ce34e7a89832b6c214f924eb7bc58940be ] + +Interrupt 12 of the Interrupt controller belongs to the SMI controller, +the right one for the display controller is the interrupt 13. + +Fixes: 8113ba917dfa ("ARM: SPEAr: DT: Update device nodes") +Signed-off-by: Kory Maincent +Acked-by: Viresh Kumar +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/spear600.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/spear600.dtsi b/arch/arm/boot/dts/spear600.dtsi +index fd41243a0b2c..9d5a04a46b14 100644 +--- a/arch/arm/boot/dts/spear600.dtsi ++++ b/arch/arm/boot/dts/spear600.dtsi +@@ -47,7 +47,7 @@ clcd: clcd@fc200000 { + compatible = "arm,pl110", "arm,primecell"; + reg = <0xfc200000 0x1000>; + interrupt-parent = <&vic1>; +- interrupts = <12>; ++ interrupts = <13>; + status = "disabled"; + }; + +-- +2.35.1 + diff --git a/queue-5.4/arm-dts-turris-omnia-add-ethernet-aliases.patch b/queue-5.4/arm-dts-turris-omnia-add-ethernet-aliases.patch new file mode 100644 index 00000000000..63dae1e9a99 --- /dev/null +++ b/queue-5.4/arm-dts-turris-omnia-add-ethernet-aliases.patch 
@@ -0,0 +1,43 @@ +From dc0dfbba55b06c155106e0d7237fff3151fd1149 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jul 2022 15:09:26 +0200 +Subject: ARM: dts: turris-omnia: Add ethernet aliases +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit f1f3e530c59a7e8c5f06172f4c28b945a6b4bfb8 ] + +This allows bootloader to correctly pass MAC addresses used by bootloader +to individual interfaces into kernel device tree. + +Signed-off-by: Pali Rohár +Fixes: 26ca8b52d6e1 ("ARM: dts: add support for Turris Omnia") +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/armada-385-turris-omnia.dts | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/arm/boot/dts/armada-385-turris-omnia.dts b/arch/arm/boot/dts/armada-385-turris-omnia.dts +index 92e08486ec81..c0a026ac7be8 100644 +--- a/arch/arm/boot/dts/armada-385-turris-omnia.dts ++++ b/arch/arm/boot/dts/armada-385-turris-omnia.dts +@@ -22,6 +22,12 @@ chosen { + stdout-path = &uart0; + }; + ++ aliases { ++ ethernet0 = ð0; ++ ethernet1 = ð1; ++ ethernet2 = ð2; ++ }; ++ + memory { + device_type = "memory"; + reg = <0x00000000 0x40000000>; /* 1024 MB */ +-- +2.35.1 + diff --git a/queue-5.4/arm-dts-turris-omnia-add-switch-port-6-node.patch b/queue-5.4/arm-dts-turris-omnia-add-switch-port-6-node.patch new file mode 100644 index 00000000000..a8d8ef146ca --- /dev/null +++ b/queue-5.4/arm-dts-turris-omnia-add-switch-port-6-node.patch 
@@ -0,0 +1,49 @@ +From 53efb5392d5b0facd0643d3fdaf4d0ec80df7cdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 14:21:02 +0200 +Subject: ARM: dts: turris-omnia: Add switch port 6 node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit f87db2005f73876602211af0ee156817019b6bda ] + +Switch port 6 is connected to eth0, so add appropriate device tree node for it. + +Fixes: 26ca8b52d6e1 ("ARM: dts: add support for Turris Omnia") +Signed-off-by: Pali Rohár +Reviewed-by: Andrew Lunn +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/armada-385-turris-omnia.dts | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/armada-385-turris-omnia.dts b/arch/arm/boot/dts/armada-385-turris-omnia.dts +index c0a026ac7be8..320c759b4090 100644 +--- a/arch/arm/boot/dts/armada-385-turris-omnia.dts ++++ b/arch/arm/boot/dts/armada-385-turris-omnia.dts +@@ -297,7 +297,17 @@ fixed-link { + }; + }; + +- /* port 6 is connected to eth0 */ ++ ports@6 { ++ reg = <6>; ++ label = "cpu"; ++ ethernet = <ð0>; ++ phy-mode = "rgmii-id"; ++ ++ fixed-link { ++ speed = <1000>; ++ full-duplex; ++ }; ++ }; + }; + }; + }; +-- +2.35.1 + diff --git a/queue-5.4/arm-mmp-fix-timer_read-delay.patch b/queue-5.4/arm-mmp-fix-timer_read-delay.patch new file mode 100644 index 00000000000..9e22f6cc0d7 --- /dev/null +++ b/queue-5.4/arm-mmp-fix-timer_read-delay.patch 
@@ -0,0 +1,59 @@ +From 671daa9392e99389b54d4c71950254da27de1073 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 16:51:17 -0800 +Subject: ARM: mmp: fix timer_read delay + +From: Doug Brown + +[ Upstream commit e348b4014c31041e13ff370669ba3348c4d385e3 ] + +timer_read() was using an empty 100-iteration loop to wait for the +TMR_CVWR register to capture the latest timer counter value. The delay +wasn't long enough. This resulted in CPU idle time being extremely +underreported on PXA168 with CONFIG_NO_HZ_IDLE=y. + +Switch to the approach used in the vendor kernel, which implements the +capture delay by reading TMR_CVWR a few times instead. + +Fixes: 49cbe78637eb ("[ARM] pxa: add base support for Marvell's PXA168 processor line") +Signed-off-by: Doug Brown +Link: https://lore.kernel.org/r/20221204005117.53452-3-doug@schmorgal.com +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/mach-mmp/time.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/mach-mmp/time.c b/arch/arm/mach-mmp/time.c +index 483df32583be..0bdb872f5018 100644 +--- a/arch/arm/mach-mmp/time.c ++++ b/arch/arm/mach-mmp/time.c +@@ -44,18 +44,21 @@ + static void __iomem *mmp_timer_base = TIMERS_VIRT_BASE; + + /* +- * FIXME: the timer needs some delay to stablize the counter capture ++ * Read the timer through the CVWR register. Delay is required after requesting ++ * a read. The CR register cannot be directly read due to metastability issues ++ * documented in the PXA168 software manual. + */ + static inline uint32_t timer_read(void) + { +- int delay = 100; ++ uint32_t val; ++ int delay = 3; + + __raw_writel(1, mmp_timer_base + TMR_CVWR(1)); + + while (delay--) +- cpu_relax(); ++ val = __raw_readl(mmp_timer_base + TMR_CVWR(1)); + +- return __raw_readl(mmp_timer_base + TMR_CVWR(1)); ++ return val; + } + + static u64 notrace mmp_read_sched_clock(void) +-- +2.35.1 + 
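Review bot: in timer_read() the new loop leaves val without an initial value, so the return value is only defined because delay starts at 3 and the loop body runs at least once. A later edit to the count could return an indeterminate value, and a compiler may flag val as possibly uninitialized. A do { ... } while (--delay) loop, or an explicit final __raw_readl() after the loop, removes that dependency. The count itself is also unexplained: the new comment says a delay is required after requesting a read but not why three reads of TMR_CVWR are enough, so cite where the number comes from (vendor kernel or manual section) or give it a named constant.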
diff --git a/queue-5.4/arm64-dts-armada-3720-turris-mox-add-missing-interru.patch b/queue-5.4/arm64-dts-armada-3720-turris-mox-add-missing-interru.patch new file mode 100644 index 00000000000..6c3f0a5e537 --- /dev/null +++ b/queue-5.4/arm64-dts-armada-3720-turris-mox-add-missing-interru.patch @@ -0,0 +1,43 @@ +From 27557fd760191d5f3885486b339d525538d3f2c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Sep 2022 13:58:26 +0200 +Subject: arm64: dts: armada-3720-turris-mox: Add missing interrupt for RTC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 21aad8ba615e9c39cee6c5d0b76726f63791926c ] + +MCP7940MT-I/MNY RTC has connected interrupt line to GPIO2_5. + +Fixes: 7109d817db2e ("arm64: dts: marvell: add DTS for Turris Mox") +Signed-off-by: Pali Rohár +Reviewed-by: Andrew Lunn +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts b/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts +index 2e8239d489f8..351e211afcf5 100644 +--- a/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts ++++ b/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts +@@ -122,9 +122,12 @@ &i2c0 { + /delete-property/ mrvl,i2c-fast-mode; + status = "okay"; + ++ /* MCP7940MT-I/MNY RTC */ + rtc@6f { + compatible = "microchip,mcp7940x"; + reg = <0x6f>; ++ interrupt-parent = <&gpiosb>; ++ interrupts = <5 0>; /* GPIO2_5 */ + }; + }; + +-- +2.35.1 + diff --git a/queue-5.4/arm64-dts-mediatek-mt6797-fix-26m-oscillator-unit-na.patch b/queue-5.4/arm64-dts-mediatek-mt6797-fix-26m-oscillator-unit-na.patch new file mode 100644 index 00000000000..db8230dfe3b --- /dev/null +++ b/queue-5.4/arm64-dts-mediatek-mt6797-fix-26m-oscillator-unit-na.patch 
@@ -0,0 +1,37 @@ +From 7765c98c65360151b37b23c406a8fa8fb77b1625 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Oct 2022 17:22:12 +0200 +Subject: arm64: dts: mediatek: mt6797: Fix 26M oscillator unit name + +From: AngeloGioacchino Del Regno + +[ Upstream commit 5f535cc583759c9c60d4cc9b8d221762e2d75387 ] + +Update its unit name to oscillator-26m and remove the unneeded unit +address to fix a unit_address_vs_reg warning. + +Fixes: 464c510f60c6 ("arm64: dts: mediatek: add mt6797 support") +Signed-off-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20221013152212.416661-9-angelogioacchino.delregno@collabora.com +Signed-off-by: Matthias Brugger +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt6797.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt6797.dtsi b/arch/arm64/boot/dts/mediatek/mt6797.dtsi +index 2b2a69c7567f..d4c78c9672ff 100644 +--- a/arch/arm64/boot/dts/mediatek/mt6797.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt6797.dtsi +@@ -102,7 +102,7 @@ cpu9: cpu@201 { + }; + }; + +- clk26m: oscillator@0 { ++ clk26m: oscillator-26m { + compatible = "fixed-clock"; + #clock-cells = <0>; + clock-frequency = <26000000>; +-- +2.35.1 + diff --git a/queue-5.4/arm64-dts-mt2712-evb-fix-usb-vbus-regulators-unit-na.patch b/queue-5.4/arm64-dts-mt2712-evb-fix-usb-vbus-regulators-unit-na.patch new file mode 100644 index 00000000000..e390e60ee5f --- /dev/null +++ b/queue-5.4/arm64-dts-mt2712-evb-fix-usb-vbus-regulators-unit-na.patch 
@@ -0,0 +1,64 @@ +From b657968a357187cf24658fda4c807092c35c1079 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Oct 2022 17:22:10 +0200 +Subject: arm64: dts: mt2712-evb: Fix usb vbus regulators unit names + +From: AngeloGioacchino Del Regno + +[ Upstream commit ec1ae39a8d25cfb067b5459fac7c5b7b9bce6f6a ] + +Update the names to regulator-usb-p{0-3}-vbus to fix unit_address_vs_reg +warnings for those. + +Fixes: 1724f4cc5133 ("arm64: dts: Add USB3 related nodes for MT2712") +Signed-off-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20221013152212.416661-7-angelogioacchino.delregno@collabora.com +Signed-off-by: Matthias Brugger +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt2712-evb.dts | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt2712-evb.dts b/arch/arm64/boot/dts/mediatek/mt2712-evb.dts +index e141a9d8cb47..45e37aa67ce7 100644 +--- a/arch/arm64/boot/dts/mediatek/mt2712-evb.dts ++++ b/arch/arm64/boot/dts/mediatek/mt2712-evb.dts +@@ -50,7 +50,7 @@ extcon_usb1: extcon_iddig1 { + id-gpio = <&pio 14 GPIO_ACTIVE_HIGH>; + }; + +- usb_p0_vbus: regulator@2 { ++ usb_p0_vbus: regulator-usb-p0-vbus { + compatible = "regulator-fixed"; + regulator-name = "p0_vbus"; + regulator-min-microvolt = <5000000>; +@@ -59,7 +59,7 @@ usb_p0_vbus: regulator@2 { + enable-active-high; + }; + +- usb_p1_vbus: regulator@3 { ++ usb_p1_vbus: regulator-usb-p1-vbus { + compatible = "regulator-fixed"; + regulator-name = "p1_vbus"; + regulator-min-microvolt = <5000000>; +@@ -68,7 +68,7 @@ usb_p1_vbus: regulator@3 { + enable-active-high; + }; + +- usb_p2_vbus: regulator@4 { ++ usb_p2_vbus: regulator-usb-p2-vbus { + compatible = "regulator-fixed"; + regulator-name = "p2_vbus"; + regulator-min-microvolt = <5000000>; +@@ -77,7 +77,7 @@ usb_p2_vbus: regulator@4 { + enable-active-high; + }; + +- usb_p3_vbus: regulator@5 { ++ usb_p3_vbus: regulator-usb-p3-vbus { + compatible = "regulator-fixed"; + 
regulator-name = "p3_vbus"; + regulator-min-microvolt = <5000000>; +-- +2.35.1 + diff --git a/queue-5.4/arm64-dts-mt2712-evb-fix-vproc-fixed-regulators-unit.patch b/queue-5.4/arm64-dts-mt2712-evb-fix-vproc-fixed-regulators-unit.patch new file mode 100644 index 00000000000..171cdb5c10a --- /dev/null +++ b/queue-5.4/arm64-dts-mt2712-evb-fix-vproc-fixed-regulators-unit.patch @@ -0,0 +1,45 @@ +From 0e804c76685e579981e01c231e21aad4722cee28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Oct 2022 17:22:09 +0200 +Subject: arm64: dts: mt2712-evb: Fix vproc fixed regulators unit names + +From: AngeloGioacchino Del Regno + +[ Upstream commit 377063156893bf6c088309ac799fe5c6dce2822d ] + +Update the names to regulator-vproc-buck{0,1} to fix unit_addres_vs_reg +warnings for those. + +Fixes: f75dd8bdd344 ("arm64: dts: mediatek: add mt2712 cpufreq related device nodes") +Signed-off-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20221013152212.416661-6-angelogioacchino.delregno@collabora.com +Signed-off-by: Matthias Brugger +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt2712-evb.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt2712-evb.dts b/arch/arm64/boot/dts/mediatek/mt2712-evb.dts +index 2b91daf5c1a6..e141a9d8cb47 100644 +--- a/arch/arm64/boot/dts/mediatek/mt2712-evb.dts ++++ b/arch/arm64/boot/dts/mediatek/mt2712-evb.dts +@@ -26,14 +26,14 @@ chosen { + stdout-path = "serial0:921600n8"; + }; + +- cpus_fixed_vproc0: fixedregulator@0 { ++ cpus_fixed_vproc0: regulator-vproc-buck0 { + compatible = "regulator-fixed"; + regulator-name = "vproc_buck0"; + regulator-min-microvolt = <1000000>; + regulator-max-microvolt = <1000000>; + }; + +- cpus_fixed_vproc1: fixedregulator@1 { ++ cpus_fixed_vproc1: regulator-vproc-buck1 { + compatible = "regulator-fixed"; + regulator-name = "vproc_buck1"; + regulator-min-microvolt = <1000000>; +-- +2.35.1 + 
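Review bot: the commit message of the vproc patch spells the dtc warning "unit_addres_vs_reg", while the USB vbus patch for the same file uses unit_address_vs_reg; a search for the warning name will miss this change. Both patches rename nodes in mt2712-evb.dts (fixedregulator@0 to regulator-vproc-buck0, regulator@2 to regulator-usb-p0-vbus, and so on) and keep the labels, so references through cpus_fixed_vproc0 or usb_p0_vbus still resolve, but the node paths change. The messages should state that nothing depends on the old paths.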
diff --git a/queue-5.4/arm64-dts-mt2712e-fix-unit-address-for-pinctrl-node.patch b/queue-5.4/arm64-dts-mt2712e-fix-unit-address-for-pinctrl-node.patch new file mode 100644 index 00000000000..8cc35eb7821 --- /dev/null +++ b/queue-5.4/arm64-dts-mt2712e-fix-unit-address-for-pinctrl-node.patch @@ -0,0 +1,42 @@ +From 8bce384038a927d3fd5cd9fc3c57b009ea7578fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Oct 2022 17:22:08 +0200 +Subject: arm64: dts: mt2712e: Fix unit address for pinctrl node + +From: AngeloGioacchino Del Regno + +[ Upstream commit 1d4516f53a611b362db7ba7a8889923d469f57e1 ] + +The unit address for the pinctrl node is (0x)1000b000 and not +(0x)10005000, which is the syscfg_pctl_a address instead. + +This fixes the following warning: +arch/arm64/boot/dts/mediatek/mt2712e.dtsi:264.40-267.4: Warning +(unique_unit_address): /syscfg_pctl_a@10005000: duplicate +unit-address (also used in node /pinctrl@10005000) + +Fixes: f0c64340b748 ("arm64: dts: mt2712: add pintcrl device node.") +Signed-off-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20221013152212.416661-5-angelogioacchino.delregno@collabora.com +Signed-off-by: Matthias Brugger +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt2712e.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt2712e.dtsi b/arch/arm64/boot/dts/mediatek/mt2712e.dtsi +index ff870b638edf..3b12bb313dcd 100644 +--- a/arch/arm64/boot/dts/mediatek/mt2712e.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt2712e.dtsi +@@ -266,7 +266,7 @@ syscfg_pctl_a: syscfg_pctl_a@10005000 { + reg = <0 0x10005000 0 0x1000>; + }; + +- pio: pinctrl@10005000 { ++ pio: pinctrl@1000b000 { + compatible = "mediatek,mt2712-pinctrl"; + reg = <0 0x1000b000 0 0x1000>; + mediatek,pctl-regmap = <&syscfg_pctl_a>; +-- +2.35.1 + 
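Review bot: the commit message does not say that this is a name-only change. In the pio node only the unit address moves from @10005000 to @1000b000, while reg = <0 0x1000b000 0 0x1000> is unchanged context. With a Fixes: tag and the subject "Fix unit address", this reads like a functional fix, yet the only effect cited is the unique_unit_address warning. Say explicitly that the mapped address is the same before and after.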
diff --git a/queue-5.4/arm64-dts-mt2712e-fix-unit_address_vs_reg-warning-fo.patch b/queue-5.4/arm64-dts-mt2712e-fix-unit_address_vs_reg-warning-fo.patch new file mode 100644 index 00000000000..85950d5dab7 --- /dev/null +++ b/queue-5.4/arm64-dts-mt2712e-fix-unit_address_vs_reg-warning-fo.patch 
@@ -0,0 +1,110 @@ +From f4ec7e8fa97d885dd103790e2cfd2ec54468478e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Oct 2022 17:22:07 +0200 +Subject: arm64: dts: mt2712e: Fix unit_address_vs_reg warning for oscillators + +From: AngeloGioacchino Del Regno + +[ Upstream commit e4495a0a8b3d84816c9a46edf3ce060bbf267475 ] + +Rename the fixed-clock oscillators to remove the unit address. + +This solves unit_address_vs_reg warnings. + +Fixes: 5d4839709c8e ("arm64: dts: mt2712: Add clock controller device nodes") +Signed-off-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20221013152212.416661-4-angelogioacchino.delregno@collabora.com +Signed-off-by: Matthias Brugger +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt2712e.dtsi | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt2712e.dtsi b/arch/arm64/boot/dts/mediatek/mt2712e.dtsi +index 43307bad3f0d..ff870b638edf 100644 +--- a/arch/arm64/boot/dts/mediatek/mt2712e.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt2712e.dtsi +@@ -160,70 +160,70 @@ sys_clk: dummyclk { + #clock-cells = <0>; + }; + +- clk26m: oscillator@0 { ++ clk26m: oscillator-26m { + compatible = "fixed-clock"; + #clock-cells = <0>; + clock-frequency = <26000000>; + clock-output-names = "clk26m"; + }; + +- clk32k: oscillator@1 { ++ clk32k: oscillator-32k { + compatible = "fixed-clock"; + #clock-cells = <0>; + clock-frequency = <32768>; + clock-output-names = "clk32k"; + }; + +- clkfpc: oscillator@2 { ++ clkfpc: oscillator-50m { + compatible = "fixed-clock"; + #clock-cells = <0>; + clock-frequency = <50000000>; + clock-output-names = "clkfpc"; + }; + +- clkaud_ext_i_0: oscillator@3 { ++ clkaud_ext_i_0: oscillator-aud0 { + compatible = "fixed-clock"; + #clock-cells = <0>; + clock-frequency = <6500000>; + clock-output-names = "clkaud_ext_i_0"; + }; + +- clkaud_ext_i_1: oscillator@4 { ++ clkaud_ext_i_1: oscillator-aud1 { + compatible = "fixed-clock"; + 
#clock-cells = <0>; + clock-frequency = <196608000>; + clock-output-names = "clkaud_ext_i_1"; + }; + +- clkaud_ext_i_2: oscillator@5 { ++ clkaud_ext_i_2: oscillator-aud2 { + compatible = "fixed-clock"; + #clock-cells = <0>; + clock-frequency = <180633600>; + clock-output-names = "clkaud_ext_i_2"; + }; + +- clki2si0_mck_i: oscillator@6 { ++ clki2si0_mck_i: oscillator-i2s0 { + compatible = "fixed-clock"; + #clock-cells = <0>; + clock-frequency = <30000000>; + clock-output-names = "clki2si0_mck_i"; + }; + +- clki2si1_mck_i: oscillator@7 { ++ clki2si1_mck_i: oscillator-i2s1 { + compatible = "fixed-clock"; + #clock-cells = <0>; + clock-frequency = <30000000>; + clock-output-names = "clki2si1_mck_i"; + }; + +- clki2si2_mck_i: oscillator@8 { ++ clki2si2_mck_i: oscillator-i2s2 { + compatible = "fixed-clock"; + #clock-cells = <0>; + clock-frequency = <30000000>; + clock-output-names = "clki2si2_mck_i"; + }; + +- clktdmin_mclk_i: oscillator@9 { ++ clktdmin_mclk_i: oscillator-mclk { + compatible = "fixed-clock"; + #clock-cells = <0>; + clock-frequency = <30000000>; +-- +2.35.1 + diff --git a/queue-5.4/arm64-dts-qcom-sdm845-cheza-fix-ap-suspend-pin-bias.patch b/queue-5.4/arm64-dts-qcom-sdm845-cheza-fix-ap-suspend-pin-bias.patch new file mode 100644 index 00000000000..ccb0cac8159 --- /dev/null +++ b/queue-5.4/arm64-dts-qcom-sdm845-cheza-fix-ap-suspend-pin-bias.patch 
@@ -0,0 +1,47 @@ +From 425cc1f28c03913341fe724a09bb21da9af46d70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Oct 2022 07:44:14 -0400 +Subject: arm64: dts: qcom: sdm845-cheza: fix AP suspend pin bias + +From: Krzysztof Kozlowski + +[ Upstream commit 9bce41fab14da8f21027dc9847535ef5e22cbe8b ] + +There is no "bias-no-pull" property. Assume intentions were disabling +bias. + +Fixes: 79e7739f7b87 ("arm64: dts: qcom: sdm845-cheza: add initial cheza dt") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Douglas Anderson +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20221010114417.29859-3-krzysztof.kozlowski@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi b/arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi +index 99a28d64ee62..2b7923f1f0ec 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi +@@ -1310,7 +1310,7 @@ ap_suspend_l_assert: ap_suspend_l_assert { + config { + pins = "gpio126"; + function = "gpio"; +- bias-no-pull; ++ bias-disable; + drive-strength = <2>; + output-low; + }; +@@ -1320,7 +1320,7 @@ ap_suspend_l_deassert: ap_suspend_l_deassert { + config { + pins = "gpio126"; + function = "gpio"; +- bias-no-pull; ++ bias-disable; + drive-strength = <2>; + output-high; + }; +-- +2.35.1 + diff --git a/queue-5.4/asoc-codecs-rt298-add-quirk-for-kbl-r-rvp-platform.patch b/queue-5.4/asoc-codecs-rt298-add-quirk-for-kbl-r-rvp-platform.patch new file mode 100644 index 00000000000..0506df4b39e --- /dev/null +++ b/queue-5.4/asoc-codecs-rt298-add-quirk-for-kbl-r-rvp-platform.patch 
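Review bot: In both `config` nodes for gpio126 (ap_suspend_l_assert and ap_suspend_l_deassert in arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi), replacing the non-existent `bias-no-pull` with `bias-disable` means a bias setting is now actually applied where the old property was not a recognised one. The commit message says the intent is assumed, so please add a line saying either that the result was checked on hardware or why the bias cannot matter for a pin that is driven with `output-low` / `output-high`. That makes the behaviour change easier to accept in a stable backport.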
@@ -0,0 +1,45 @@ +From d46dc77403ecb9b100a4fb1318a682d5965d70ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Oct 2022 14:19:43 +0200 +Subject: ASoC: codecs: rt298: Add quirk for KBL-R RVP platform +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Amadeusz Sławiński + +[ Upstream commit 953dbd1cef18ce9ac0d69c1bd735b929fe52a17e ] + +KBL-R RVP platforms also use combojack, so we need to enable that +configuration for them. + +Signed-off-by: Amadeusz Sławiński +Signed-off-by: Cezary Rojewski +Link: https://lore.kernel.org/r/20221010121955.718168-4-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt298.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/codecs/rt298.c b/sound/soc/codecs/rt298.c +index f8c0f977206c..cc7eb34a641d 100644 +--- a/sound/soc/codecs/rt298.c ++++ b/sound/soc/codecs/rt298.c +@@ -1166,6 +1166,13 @@ static const struct dmi_system_id force_combo_jack_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "Geminilake") + } + }, ++ { ++ .ident = "Intel Kabylake R RVP", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Intel Corporation"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Kabylake Client platform") ++ } ++ }, + { } + }; + +-- +2.35.1 + diff --git a/queue-5.4/asoc-dt-bindings-wcd9335-fix-reset-line-polarity-in-.patch b/queue-5.4/asoc-dt-bindings-wcd9335-fix-reset-line-polarity-in-.patch new file mode 100644 index 00000000000..74179f298f3 --- /dev/null +++ b/queue-5.4/asoc-dt-bindings-wcd9335-fix-reset-line-polarity-in-.patch 
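Review bot: The new force_combo_jack_table[] entry in sound/soc/codecs/rt298.c is labelled `.ident = "Intel Kabylake R RVP"` but matches on DMI_PRODUCT_NAME "Kabylake Client platform", which reads as a generic product string rather than one specific to the KBL-R RVP. Please state in the commit message that no other board reporting this product name carries an rt298 without a combo jack, or narrow the match with an additional DMI field so the quirk cannot apply more widely than the ident suggests.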
@@ -0,0 +1,39 @@ +From cadec167f62b24b34062e1b1bceed0a8171ef6a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 00:46:48 -0700 +Subject: ASoC: dt-bindings: wcd9335: fix reset line polarity in example + +From: Dmitry Torokhov + +[ Upstream commit 34cb111f8a7b98b5fec809dd194003bca20ef1b2 ] + +When resetting the block, the reset line is being driven low and then +high, which means that the line in DTS should be annotated as "active +low". + +Fixes: 1877c9fda1b7 ("ASoC: dt-bindings: add dt bindings for wcd9335 audio codec") +Signed-off-by: Dmitry Torokhov +Acked-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20221027074652.1044235-2-dmitry.torokhov@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/sound/qcom,wcd9335.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/devicetree/bindings/sound/qcom,wcd9335.txt b/Documentation/devicetree/bindings/sound/qcom,wcd9335.txt +index 5d6ea66a863f..1f75feec3dec 100644 +--- a/Documentation/devicetree/bindings/sound/qcom,wcd9335.txt ++++ b/Documentation/devicetree/bindings/sound/qcom,wcd9335.txt +@@ -109,7 +109,7 @@ audio-codec@1{ + reg = <1 0>; + interrupts = <&msmgpio 54 IRQ_TYPE_LEVEL_HIGH>; + interrupt-names = "intr2" +- reset-gpios = <&msmgpio 64 0>; ++ reset-gpios = <&msmgpio 64 GPIO_ACTIVE_LOW>; + slim-ifc-dev = <&wc9335_ifd>; + clock-names = "mclk", "native"; + clocks = <&rpmcc RPM_SMD_DIV_CLK1>, +-- +2.35.1 + diff --git a/queue-5.4/asoc-mediatek-mt8173-enable-irq-when-pdata-is-ready.patch b/queue-5.4/asoc-mediatek-mt8173-enable-irq-when-pdata-is-ready.patch new file mode 100644 index 00000000000..c4c9f9af42d --- /dev/null +++ b/queue-5.4/asoc-mediatek-mt8173-enable-irq-when-pdata-is-ready.patch 
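Review bot: In the audio-codec@1 example in Documentation/devicetree/bindings/sound/qcom,wcd9335.txt, the context line directly above the changed one, `interrupt-names = "intr2"`, has no terminating semicolon, so the example is still not valid DTS after this fix. Since the purpose of the patch is to make the example correct, add the `;` in the same change. It would also help readers who copy the snippet to mention that GPIO_ACTIVE_LOW comes from `<dt-bindings/gpio/gpio.h>`.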
@@ -0,0 +1,71 @@ +From 2e6104ca9028a9fd8815147c3e7a30c430257186 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 11:49:16 +0100 +Subject: ASoC: mediatek: mt8173: Enable IRQ when pdata is ready + +From: Ricardo Ribalda + +[ Upstream commit 4cbb264d4e9136acab2c8fd39e39ab1b1402b84b ] + +If the device does not come straight from reset, we might receive an IRQ +before we are ready to handle it. + +Fixes: + +[ 2.334737] Unable to handle kernel read from unreadable memory at virtual address 00000000000001e4 +[ 2.522601] Call trace: +[ 2.525040] regmap_read+0x1c/0x80 +[ 2.528434] mt8173_afe_irq_handler+0x40/0xf0 +... +[ 2.598921] start_kernel+0x338/0x42c + +Signed-off-by: Ricardo Ribalda +Fixes: ee0bcaff109f ("ASoC: mediatek: Add AFE platform driver") +Link: https://lore.kernel.org/r/20221128-mt8173-afe-v1-0-70728221628f@chromium.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mediatek/mt8173/mt8173-afe-pcm.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c b/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c +index 0ee29255e731..f3dbd8164b86 100644 +--- a/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c ++++ b/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c +@@ -1073,16 +1073,6 @@ static int mt8173_afe_pcm_dev_probe(struct platform_device *pdev) + + afe->dev = &pdev->dev; + +- irq_id = platform_get_irq(pdev, 0); +- if (irq_id <= 0) +- return irq_id < 0 ? 
irq_id : -ENXIO; +- ret = devm_request_irq(afe->dev, irq_id, mt8173_afe_irq_handler, +- 0, "Afe_ISR_Handle", (void *)afe); +- if (ret) { +- dev_err(afe->dev, "could not request_irq\n"); +- return ret; +- } +- + afe->base_addr = devm_platform_ioremap_resource(pdev, 0); + if (IS_ERR(afe->base_addr)) + return PTR_ERR(afe->base_addr); +@@ -1158,6 +1148,16 @@ static int mt8173_afe_pcm_dev_probe(struct platform_device *pdev) + if (ret) + goto err_pm_disable; + ++ irq_id = platform_get_irq(pdev, 0); ++ if (irq_id <= 0) ++ return irq_id < 0 ? irq_id : -ENXIO; ++ ret = devm_request_irq(afe->dev, irq_id, mt8173_afe_irq_handler, ++ 0, "Afe_ISR_Handle", (void *)afe); ++ if (ret) { ++ dev_err(afe->dev, "could not request_irq\n"); ++ goto err_pm_disable; ++ } ++ + dev_info(&pdev->dev, "MT8173 AFE driver initialized.\n"); + return 0; + +-- +2.35.1 + diff --git a/queue-5.4/asoc-mediatek-mtk-btcvsd-add-checks-for-write-and-re.patch b/queue-5.4/asoc-mediatek-mtk-btcvsd-add-checks-for-write-and-re.patch new file mode 100644 index 00000000000..d43d3591579 --- /dev/null +++ b/queue-5.4/asoc-mediatek-mtk-btcvsd-add-checks-for-write-and-re.patch 
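Review bot: In the relocated block near the end of mt8173_afe_pcm_dev_probe() (sound/soc/mediatek/mt8173/mt8173-afe-pcm.c), the `if (irq_id <= 0) return irq_id < 0 ? irq_id : -ENXIO;` path still returns directly, while the check just above it and the devm_request_irq() failure just below it both use `goto err_pm_disable`. Now that the IRQ lookup runs after the point where the other failures need unwinding, the platform_get_irq() failure should set `ret` and jump to err_pm_disable as well. As written, that one path skips whatever cleanup the label performs.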
@@ -0,0 +1,43 @@ +From 0ab65d219cdbbff8886fb9cfc10adeb78b764b43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 11:07:50 +0800 +Subject: ASoC: mediatek: mtk-btcvsd: Add checks for write and read of + mtk_btcvsd_snd + +From: Jiasheng Jiang + +[ Upstream commit d067b3378a78c9c3048ac535e31c171b6f5b5846 ] + +As the mtk_btcvsd_snd_write and mtk_btcvsd_snd_read may return error, +it should be better to catch the exception. + +Fixes: 4bd8597dc36c ("ASoC: mediatek: add btcvsd driver") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20221116030750.40500-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mediatek/common/mtk-btcvsd.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/mediatek/common/mtk-btcvsd.c b/sound/soc/mediatek/common/mtk-btcvsd.c +index b66f7dee1e14..f6ec6937a71b 100644 +--- a/sound/soc/mediatek/common/mtk-btcvsd.c ++++ b/sound/soc/mediatek/common/mtk-btcvsd.c +@@ -1054,11 +1054,9 @@ static int mtk_pcm_btcvsd_copy(struct snd_pcm_substream *substream, + struct mtk_btcvsd_snd *bt = snd_soc_component_get_drvdata(component); + + if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) +- mtk_btcvsd_snd_write(bt, buf, count); ++ return mtk_btcvsd_snd_write(bt, buf, count); + else +- mtk_btcvsd_snd_read(bt, buf, count); +- +- return 0; ++ return mtk_btcvsd_snd_read(bt, buf, count); + } + + static struct snd_pcm_ops mtk_btcvsd_ops = { +-- +2.35.1 + diff --git a/queue-5.4/asoc-pcm512x-fix-pm-disable-depth-imbalance-in-pcm51.patch b/queue-5.4/asoc-pcm512x-fix-pm-disable-depth-imbalance-in-pcm51.patch new file mode 100644 index 00000000000..ea29aa0dd55 --- /dev/null +++ b/queue-5.4/asoc-pcm512x-fix-pm-disable-depth-imbalance-in-pcm51.patch 
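Review bot: In mtk_pcm_btcvsd_copy() (sound/soc/mediatek/common/mtk-btcvsd.c), returning the helpers' values directly changes the success value as well as the error value: the old code always returned 0, and the hunk does not show what mtk_btcvsd_snd_write() and mtk_btcvsd_snd_read() return when they succeed. If they return a byte count, propagate only negative values and keep returning 0 otherwise, or say in the commit message that the caller of the copy callback accepts a positive return.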
@@ -0,0 +1,64 @@ +From f748674664058c21ecbeb8e84677ea4b9ba1222c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 00:04:02 +0800 +Subject: ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe + +From: Zhang Qilong + +[ Upstream commit 97b801be6f8e53676b9f2b105f54e35c745c1b22 ] + +The pm_runtime_enable will increase power disable depth. Thus +a pairing decrement is needed on the error handling path to +keep it balanced according to context. We fix it by going to +err_pm instead of err_clk. + +Fixes:f086ba9d5389c ("ASoC: pcm512x: Support mastering BCLK/LRCLK using the PLL") + +Signed-off-by: Zhang Qilong +Link: https://lore.kernel.org/r/20220928160402.126140-1-zhangqilong3@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/pcm512x.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/codecs/pcm512x.c b/sound/soc/codecs/pcm512x.c +index 4cbef9affffd..feb590a20544 100644 +--- a/sound/soc/codecs/pcm512x.c ++++ b/sound/soc/codecs/pcm512x.c +@@ -1598,7 +1598,7 @@ int pcm512x_probe(struct device *dev, struct regmap *regmap) + if (val > 6) { + dev_err(dev, "Invalid pll-in\n"); + ret = -EINVAL; +- goto err_clk; ++ goto err_pm; + } + pcm512x->pll_in = val; + } +@@ -1607,7 +1607,7 @@ int pcm512x_probe(struct device *dev, struct regmap *regmap) + if (val > 6) { + dev_err(dev, "Invalid pll-out\n"); + ret = -EINVAL; +- goto err_clk; ++ goto err_pm; + } + pcm512x->pll_out = val; + } +@@ -1616,12 +1616,12 @@ int pcm512x_probe(struct device *dev, struct regmap *regmap) + dev_err(dev, + "Error: both pll-in and pll-out, or none\n"); + ret = -EINVAL; +- goto err_clk; ++ goto err_pm; + } + if (pcm512x->pll_in && pcm512x->pll_in == pcm512x->pll_out) { + dev_err(dev, "Error: pll-in == pll-out\n"); + ret = -EINVAL; +- goto err_clk; ++ goto err_pm; + } + } + #endif +-- +2.35.1 + 
diff --git a/queue-5.4/asoc-pxa-fix-null-pointer-dereference-in-filter.patch b/queue-5.4/asoc-pxa-fix-null-pointer-dereference-in-filter.patch new file mode 100644 index 00000000000..a13d0f46983 --- /dev/null +++ b/queue-5.4/asoc-pxa-fix-null-pointer-dereference-in-filter.patch @@ -0,0 +1,37 @@ +From aaae62a33889621004a7d95f28d4964ac2ad4f9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 16:56:29 +0800 +Subject: ASoC: pxa: fix null-pointer dereference in filter() + +From: Zeng Heng + +[ Upstream commit ec7bf231aaa1bdbcb69d23bc50c753c80fb22429 ] + +kasprintf() would return NULL pointer when kmalloc() fail to allocate. +Need to check the return pointer before calling strcmp(). + +Fixes: 7a824e214e25 ("ASoC: mmp: add audio dma support") +Signed-off-by: Zeng Heng +Link: https://lore.kernel.org/r/20221114085629.1910435-1-zengheng4@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/pxa/mmp-pcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/pxa/mmp-pcm.c b/sound/soc/pxa/mmp-pcm.c +index 7096b5263e25..e9f9642e988f 100644 +--- a/sound/soc/pxa/mmp-pcm.c ++++ b/sound/soc/pxa/mmp-pcm.c +@@ -85,7 +85,7 @@ static bool filter(struct dma_chan *chan, void *param) + + devname = kasprintf(GFP_KERNEL, "%s.%d", dma_data->dma_res->name, + dma_data->ssp_id); +- if ((strcmp(dev_name(chan->device->dev), devname) == 0) && ++ if (devname && (strcmp(dev_name(chan->device->dev), devname) == 0) && + (chan->chan_id == dma_data->dma_res->start)) { + found = true; + } +-- +2.35.1 + diff --git a/queue-5.4/binfmt_misc-fix-shift-out-of-bounds-in-check_special.patch b/queue-5.4/binfmt_misc-fix-shift-out-of-bounds-in-check_special.patch new file mode 100644 index 00000000000..c1b65034471 --- /dev/null +++ b/queue-5.4/binfmt_misc-fix-shift-out-of-bounds-in-check_special.patch 
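Review bot: In filter() (sound/soc/pxa/mmp-pcm.c), the added `devname &&` test avoids the NULL dereference, but a failed kasprintf() is now indistinguishable from a channel that simply does not match, so the DMA channel request fails with nothing pointing at memory pressure as the cause. Consider comparing against dma_data->dma_res->name and dma_data->ssp_id without building a temporary string, so the filter has no allocation that can fail. At minimum, document in the commit message that "no match" is the intended result on allocation failure.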
@@ -0,0 +1,61 @@ +From d790a65cf196a4d8f40ba48b2e0b3b274a0c5354 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 10:51:23 +0800 +Subject: binfmt_misc: fix shift-out-of-bounds in check_special_flags + +From: Liu Shixin + +[ Upstream commit 6a46bf558803dd2b959ca7435a5c143efe837217 ] + +UBSAN reported a shift-out-of-bounds warning: + + left shift of 1 by 31 places cannot be represented in type 'int' + Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:106 + ubsan_epilogue+0xa/0x44 lib/ubsan.c:151 + __ubsan_handle_shift_out_of_bounds+0x1e7/0x208 lib/ubsan.c:322 + check_special_flags fs/binfmt_misc.c:241 [inline] + create_entry fs/binfmt_misc.c:456 [inline] + bm_register_write+0x9d3/0xa20 fs/binfmt_misc.c:654 + vfs_write+0x11e/0x580 fs/read_write.c:582 + ksys_write+0xcf/0x120 fs/read_write.c:637 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x34/0x80 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + RIP: 0033:0x4194e1 + +Since the type of Node's flags is unsigned long, we should define these +macros with same type too. 
+ +Signed-off-by: Liu Shixin +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20221102025123.1117184-1-liushixin2@huawei.com +Signed-off-by: Sasha Levin +--- + fs/binfmt_misc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c +index 056a68292e15..23b563ff0dd7 100644 +--- a/fs/binfmt_misc.c ++++ b/fs/binfmt_misc.c +@@ -44,10 +44,10 @@ static LIST_HEAD(entries); + static int enabled = 1; + + enum {Enabled, Magic}; +-#define MISC_FMT_PRESERVE_ARGV0 (1 << 31) +-#define MISC_FMT_OPEN_BINARY (1 << 30) +-#define MISC_FMT_CREDENTIALS (1 << 29) +-#define MISC_FMT_OPEN_FILE (1 << 28) ++#define MISC_FMT_PRESERVE_ARGV0 (1UL << 31) ++#define MISC_FMT_OPEN_BINARY (1UL << 30) ++#define MISC_FMT_CREDENTIALS (1UL << 29) ++#define MISC_FMT_OPEN_FILE (1UL << 28) + + typedef struct { + struct list_head list; +-- +2.35.1 + diff --git a/queue-5.4/blk-mq-fix-possible-memleak-when-register-hctx-faile.patch b/queue-5.4/blk-mq-fix-possible-memleak-when-register-hctx-faile.patch new file mode 100644 index 00000000000..09b5df55b48 --- /dev/null +++ b/queue-5.4/blk-mq-fix-possible-memleak-when-register-hctx-faile.patch 
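Review bot: For the four MISC_FMT_* definitions in fs/binfmt_misc.c, `1UL << 31` removes the signed shift that UBSAN flagged, but BIT(31) down to BIT(28) would express the same unsigned long constants in the form the kernel already provides for this. Using BIT() also keeps the type correct if someone later adds a flag by copying one of these lines. Not a blocker, since the result is the same.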
@@ -0,0 +1,86 @@ +From 5504ac84c760a93357cbc9eaf4c6e6b1258311df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 10:29:40 +0800 +Subject: blk-mq: fix possible memleak when register 'hctx' failed + +From: Ye Bin + +[ Upstream commit 4b7a21c57b14fbcd0e1729150189e5933f5088e9 ] + +There's issue as follows when do fault injection test: +unreferenced object 0xffff888132a9f400 (size 512): + comm "insmod", pid 308021, jiffies 4324277909 (age 509.733s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 08 f4 a9 32 81 88 ff ff ...........2.... + 08 f4 a9 32 81 88 ff ff 00 00 00 00 00 00 00 00 ...2............ + backtrace: + [<00000000e8952bb4>] kmalloc_node_trace+0x22/0xa0 + [<00000000f9980e0f>] blk_mq_alloc_and_init_hctx+0x3f1/0x7e0 + [<000000002e719efa>] blk_mq_realloc_hw_ctxs+0x1e6/0x230 + [<000000004f1fda40>] blk_mq_init_allocated_queue+0x27e/0x910 + [<00000000287123ec>] __blk_mq_alloc_disk+0x67/0xf0 + [<00000000a2a34657>] 0xffffffffa2ad310f + [<00000000b173f718>] 0xffffffffa2af824a + [<0000000095a1dabb>] do_one_initcall+0x87/0x2a0 + [<00000000f32fdf93>] do_init_module+0xdf/0x320 + [<00000000cbe8541e>] load_module+0x3006/0x3390 + [<0000000069ed1bdb>] __do_sys_finit_module+0x113/0x1b0 + [<00000000a1a29ae8>] do_syscall_64+0x35/0x80 + [<000000009cd878b0>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Fault injection context as follows: + kobject_add + blk_mq_register_hctx + blk_mq_sysfs_register + blk_register_queue + device_add_disk + null_add_dev.part.0 [null_blk] + +As 'blk_mq_register_hctx' may already add some objects when failed halfway, +but there isn't do fallback, caller don't know which objects add failed. +To solve above issue just do fallback when add objects failed halfway in +'blk_mq_register_hctx'. 
+ +Signed-off-by: Ye Bin +Reviewed-by: Ming Lei +Link: https://lore.kernel.org/r/20221117022940.873959-1-yebin@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq-sysfs.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/block/blk-mq-sysfs.c b/block/blk-mq-sysfs.c +index 5dafd7a8ec91..7abd66d1228a 100644 +--- a/block/blk-mq-sysfs.c ++++ b/block/blk-mq-sysfs.c +@@ -250,7 +250,7 @@ static int blk_mq_register_hctx(struct blk_mq_hw_ctx *hctx) + { + struct request_queue *q = hctx->queue; + struct blk_mq_ctx *ctx; +- int i, ret; ++ int i, j, ret; + + if (!hctx->nr_ctx) + return 0; +@@ -262,9 +262,16 @@ static int blk_mq_register_hctx(struct blk_mq_hw_ctx *hctx) + hctx_for_each_ctx(hctx, ctx, i) { + ret = kobject_add(&ctx->kobj, &hctx->kobj, "cpu%u", ctx->cpu); + if (ret) +- break; ++ goto out; + } + ++ return 0; ++out: ++ hctx_for_each_ctx(hctx, ctx, j) { ++ if (j < i) ++ kobject_del(&ctx->kobj); ++ } ++ kobject_del(&hctx->kobj); + return ret; + } + +-- +2.35.1 + diff --git a/queue-5.4/blktrace-fix-output-non-blktrace-event-when-blk_clas.patch b/queue-5.4/blktrace-fix-output-non-blktrace-event-when-blk_clas.patch new file mode 100644 index 00000000000..23b9b766c34 --- /dev/null +++ b/queue-5.4/blktrace-fix-output-non-blktrace-event-when-blk_clas.patch 
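Review bot: In the new `out:` path of blk_mq_register_hctx() (block/blk-mq-sysfs.c), the rollback walks every ctx with hctx_for_each_ctx() and filters with `if (j < i)`, so it keeps iterating over entries that were never added. Breaking out of the loop once `j` reaches `i` would make the intent explicit. A short comment that index `i` itself is skipped because its kobject_add() is the one that failed would also help the next reader.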
@@ -0,0 +1,47 @@ +From a3b01dab2f23eabbc9856f65039a67ac43c8f433 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 12:04:10 +0800 +Subject: blktrace: Fix output non-blktrace event when blk_classic option + enabled + +From: Yang Jihong + +[ Upstream commit f596da3efaf4130ff61cd029558845808df9bf99 ] + +When the blk_classic option is enabled, non-blktrace events must be +filtered out. Otherwise, events of other types are output in the blktrace +classic format, which is unexpected. + +The problem can be triggered in the following ways: + + # echo 1 > /sys/kernel/debug/tracing/options/blk_classic + # echo 1 > /sys/kernel/debug/tracing/events/enable + # echo blk > /sys/kernel/debug/tracing/current_tracer + # cat /sys/kernel/debug/tracing/trace_pipe + +Fixes: c71a89615411 ("blktrace: add ftrace plugin") +Signed-off-by: Yang Jihong +Link: https://lore.kernel.org/r/20221122040410.85113-1-yangjihong1@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + kernel/trace/blktrace.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c +index 749b27851f45..abf5cbbb743b 100644 +--- a/kernel/trace/blktrace.c ++++ b/kernel/trace/blktrace.c +@@ -1589,7 +1589,8 @@ blk_trace_event_print_binary(struct trace_iterator *iter, int flags, + + static enum print_line_t blk_tracer_print_line(struct trace_iterator *iter) + { +- if (!(blk_tracer_flags.val & TRACE_BLK_OPT_CLASSIC)) ++ if ((iter->ent->type != TRACE_BLK) || ++ !(blk_tracer_flags.val & TRACE_BLK_OPT_CLASSIC)) + return TRACE_TYPE_UNHANDLED; + + return print_one_line(iter, true); +-- +2.35.1 + diff --git a/queue-5.4/bluetooth-btusb-don-t-call-kfree_skb-under-spin_lock.patch b/queue-5.4/bluetooth-btusb-don-t-call-kfree_skb-under-spin_lock.patch new file mode 100644 index 00000000000..87359c22bdb --- /dev/null +++ b/queue-5.4/bluetooth-btusb-don-t-call-kfree_skb-under-spin_lock.patch 
@@ -0,0 +1,45 @@ +From 317d811d4358ca5122de156308979eb5f4636938 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Dec 2022 20:59:10 +0800 +Subject: Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit b15a6bd3c80c77faec8317319b97f976b1a08332 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). + +Fixes: 803b58367ffb ("Bluetooth: btusb: Implement driver internal packet reassembly") +Signed-off-by: Yang Yingliang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index c8f2b991e9cf..79f77315854f 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -563,13 +563,13 @@ static inline void btusb_free_frags(struct btusb_data *data) + + spin_lock_irqsave(&data->rxlock, flags); + +- kfree_skb(data->evt_skb); ++ dev_kfree_skb_irq(data->evt_skb); + data->evt_skb = NULL; + +- kfree_skb(data->acl_skb); ++ dev_kfree_skb_irq(data->acl_skb); + data->acl_skb = NULL; + +- kfree_skb(data->sco_skb); ++ dev_kfree_skb_irq(data->sco_skb); + data->sco_skb = NULL; + + spin_unlock_irqrestore(&data->rxlock, flags); +-- +2.35.1 + diff --git a/queue-5.4/bluetooth-hci_bcsp-don-t-call-kfree_skb-under-spin_l.patch b/queue-5.4/bluetooth-hci_bcsp-don-t-call-kfree_skb-under-spin_l.patch new file mode 100644 index 00000000000..d8e1f90e4ac --- /dev/null +++ b/queue-5.4/bluetooth-hci_bcsp-don-t-call-kfree_skb-under-spin_l.patch 
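Review bot: In btusb_free_frags() (drivers/bluetooth/btusb.c), the three frees sit between spin_lock_irqsave() and spin_unlock_irqrestore() only because the pointers are cleared there. An alternative that keeps kfree_skb() is to copy evt_skb, acl_skb and sco_skb into locals and set the fields to NULL under rxlock, then free the locals after the unlock, which also shortens the interrupts-off section. If dev_kfree_skb_irq() is preferred for consistency with the other Bluetooth fixes queued alongside this one, please say so in the commit message.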
@@ -0,0 +1,37 @@ +From 0107aede7620afcf874d2c81a09e6ed1d3767988 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 10:18:33 +0800 +Subject: Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 7b503e339c1a80bf0051ec2d19c3bc777014ac61 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_bcsp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c +index cf4a56095817..8055f63603f4 100644 +--- a/drivers/bluetooth/hci_bcsp.c ++++ b/drivers/bluetooth/hci_bcsp.c +@@ -378,7 +378,7 @@ static void bcsp_pkt_cull(struct bcsp_struct *bcsp) + i++; + + __skb_unlink(skb, &bcsp->unack); +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + } + + if (skb_queue_empty(&bcsp->unack)) +-- +2.35.1 + diff --git a/queue-5.4/bluetooth-hci_core-don-t-call-kfree_skb-under-spin_l.patch b/queue-5.4/bluetooth-hci_core-don-t-call-kfree_skb-under-spin_l.patch new file mode 100644 index 00000000000..94f336e93ec --- /dev/null +++ b/queue-5.4/bluetooth-hci_core-don-t-call-kfree_skb-under-spin_l.patch 
@@ -0,0 +1,37 @@ +From 217390868f8a91c3db3c567c4c69abd991d83558 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 10:18:34 +0800 +Subject: Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 39c1eb6fcbae8ce9bb71b2ac5cb609355a2b181b ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). + +Fixes: 9238f36a5a50 ("Bluetooth: Add request cmd_complete and cmd_status functions") +Signed-off-by: Yang Yingliang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 2ebb6480b6ec..e5e1c139f211 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -4455,7 +4455,7 @@ void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status, + *req_complete_skb = bt_cb(skb)->hci.req_complete_skb; + else + *req_complete = bt_cb(skb)->hci.req_complete; +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + } + spin_unlock_irqrestore(&hdev->cmd_q.lock, flags); + } +-- +2.35.1 + diff --git a/queue-5.4/bluetooth-hci_h5-don-t-call-kfree_skb-under-spin_loc.patch b/queue-5.4/bluetooth-hci_h5-don-t-call-kfree_skb-under-spin_loc.patch new file mode 100644 index 00000000000..6192d939069 --- /dev/null +++ b/queue-5.4/bluetooth-hci_h5-don-t-call-kfree_skb-under-spin_loc.patch 
@@ -0,0 +1,37 @@ +From 2b4f79eea3e50455d886cd7228c2e70201f601d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 10:18:32 +0800 +Subject: Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 383630cc6758d619874c2e8bb2f68a61f3f9ef6e ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). + +Fixes: 43eb12d78960 ("Bluetooth: Fix/implement Three-wire reliable packet sending") +Signed-off-by: Yang Yingliang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_h5.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c +index bf3e23104194..e77da593f290 100644 +--- a/drivers/bluetooth/hci_h5.c ++++ b/drivers/bluetooth/hci_h5.c +@@ -298,7 +298,7 @@ static void h5_pkt_cull(struct h5 *h5) + break; + + __skb_unlink(skb, &h5->unack); +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + } + + if (skb_queue_empty(&h5->unack)) +-- +2.35.1 + diff --git a/queue-5.4/bluetooth-hci_ll-don-t-call-kfree_skb-under-spin_loc.patch b/queue-5.4/bluetooth-hci_ll-don-t-call-kfree_skb-under-spin_loc.patch new file mode 100644 index 00000000000..b9848448aca --- /dev/null +++ b/queue-5.4/bluetooth-hci_ll-don-t-call-kfree_skb-under-spin_loc.patch 
@@ -0,0 +1,37 @@ +From 8b6324df82dfbddb1b0f64fa1cac58fd68a7c188 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 10:18:31 +0800 +Subject: Bluetooth: hci_ll: don't call kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 8f458f783dfbb19c1f1cb58ed06eeb701f52091b ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). + +Fixes: 166d2f6a4332 ("[Bluetooth] Add UART driver for Texas Instruments' BRF63xx chips") +Signed-off-by: Yang Yingliang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_ll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/hci_ll.c b/drivers/bluetooth/hci_ll.c +index d9a4c6c691e0..aeb3e670c4f5 100644 +--- a/drivers/bluetooth/hci_ll.c ++++ b/drivers/bluetooth/hci_ll.c +@@ -345,7 +345,7 @@ static int ll_enqueue(struct hci_uart *hu, struct sk_buff *skb) + default: + BT_ERR("illegal hcill state: %ld (losing packet)", + ll->hcill_state); +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + break; + } + +-- +2.35.1 + diff --git a/queue-5.4/bluetooth-hci_qca-don-t-call-kfree_skb-under-spin_lo.patch b/queue-5.4/bluetooth-hci_qca-don-t-call-kfree_skb-under-spin_lo.patch new file mode 100644 index 00000000000..994a974bf87 --- /dev/null +++ b/queue-5.4/bluetooth-hci_qca-don-t-call-kfree_skb-under-spin_lo.patch 
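Review bot: In the `default:` case of ll_enqueue() (drivers/bluetooth/hci_ll.c), the hunk shows no lock around the changed call, so the reason for using dev_kfree_skb_irq() instead of kfree_skb() is not evident from the code itself. Please add a brief comment at the call naming the lock that is held at this point, so a later cleanup does not switch it back.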
@@ -0,0 +1,37 @@ +From ecb9399d64b1ca7a160c4690366409c44be65b7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 10:18:30 +0800 +Subject: Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit df4cfc91208e0a98f078223793f5871b1a82cc54 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). + +Fixes: 0ff252c1976d ("Bluetooth: hciuart: Add support QCA chipset for UART") +Signed-off-by: Yang Yingliang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_qca.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index e3164c200eac..467137c47e4f 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -816,7 +816,7 @@ static int qca_enqueue(struct hci_uart *hu, struct sk_buff *skb) + default: + BT_ERR("Illegal tx state: %d (losing packet)", + qca->tx_ibs_state); +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + break; + } + +-- +2.35.1 + diff --git a/queue-5.4/bluetooth-rfcomm-don-t-call-kfree_skb-under-spin_loc.patch b/queue-5.4/bluetooth-rfcomm-don-t-call-kfree_skb-under-spin_loc.patch new file mode 100644 index 00000000000..99124c09b95 --- /dev/null +++ b/queue-5.4/bluetooth-rfcomm-don-t-call-kfree_skb-under-spin_loc.patch 
@@ -0,0 +1,37 @@ +From 1190dea251719623adb4877fc644123bddb880e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 10:18:35 +0800 +Subject: Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 0ba18967d4544955b2eff2fbc4f2a8750c4df90a ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). + +Fixes: 81be03e026dc ("Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg") +Signed-off-by: Yang Yingliang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/rfcomm/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c +index 83a8c48dfaa8..2db9e285215c 100644 +--- a/net/bluetooth/rfcomm/core.c ++++ b/net/bluetooth/rfcomm/core.c +@@ -594,7 +594,7 @@ int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb) + + ret = rfcomm_dlc_send_frag(d, frag); + if (ret < 0) { +- kfree_skb(frag); ++ dev_kfree_skb_irq(frag); + goto unlock; + } + +-- +2.35.1 + diff --git a/queue-5.4/bonding-export-skip-slave-logic-to-function.patch b/queue-5.4/bonding-export-skip-slave-logic-to-function.patch new file mode 100644 index 00000000000..a396a91c1bc --- /dev/null +++ b/queue-5.4/bonding-export-skip-slave-logic-to-function.patch 
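Review bot: the Fixes: tag on the rfcomm_dlc_send() change names 81be03e026dc ("Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg"); confirm that commit is actually present in the 5.4 tree. If it is not, the `kfree_skb(frag);` line this hunk replaces must have arrived through some other backport, and the queue entry should say which one. The context only shows `goto unlock;`, so the changelog should also name the lock held at that point.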
@@ -0,0 +1,91 @@ +From 1fb0e3083f65013f326be78e760cf95b6da2ec30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Apr 2020 22:21:32 +0300 +Subject: bonding: Export skip slave logic to function + +From: Maor Gottlieb + +[ Upstream commit 119d48fd4298594beccf4f2ecd00627826ce2646 ] + +As a preparation for following change that add array of +all slaves, extract code that skip slave to function. + +Signed-off-by: Maor Gottlieb +Reviewed-by: Jiri Pirko +Reviewed-by: Jay Vosburgh +Acked-by: David S. Miller +Signed-off-by: Saeed Mahameed +Stable-dep-of: f8a65ab2f3ff ("bonding: fix link recovery in mode 2 when updelay is nonzero") +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 47 ++++++++++++++++++--------------- + 1 file changed, 26 insertions(+), 21 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 246bcbd650b4..0e797730bab3 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -4040,6 +4040,29 @@ static void bond_slave_arr_handler(struct work_struct *work) + bond_slave_arr_work_rearm(bond, 1); + } + ++static void bond_skip_slave(struct bond_up_slave *slaves, ++ struct slave *skipslave) ++{ ++ int idx; ++ ++ /* Rare situation where caller has asked to skip a specific ++ * slave but allocation failed (most likely!). BTW this is ++ * only possible when the call is initiated from ++ * __bond_release_one(). In this situation; overwrite the ++ * skipslave entry in the array with the last entry from the ++ * array to avoid a situation where the xmit path may choose ++ * this to-be-skipped slave to send a packet out. 
++ */ ++ for (idx = 0; slaves && idx < slaves->count; idx++) { ++ if (skipslave == slaves->arr[idx]) { ++ slaves->arr[idx] = ++ slaves->arr[slaves->count - 1]; ++ slaves->count--; ++ break; ++ } ++ } ++} ++ + /* Build the usable slaves array in control path for modes that use xmit-hash + * to determine the slave interface - + * (a) BOND_MODE_8023AD +@@ -4109,27 +4132,9 @@ int bond_update_slave_arr(struct bonding *bond, struct slave *skipslave) + if (old_arr) + kfree_rcu(old_arr, rcu); + out: +- if (ret != 0 && skipslave) { +- int idx; +- +- /* Rare situation where caller has asked to skip a specific +- * slave but allocation failed (most likely!). BTW this is +- * only possible when the call is initiated from +- * __bond_release_one(). In this situation; overwrite the +- * skipslave entry in the array with the last entry from the +- * array to avoid a situation where the xmit path may choose +- * this to-be-skipped slave to send a packet out. +- */ +- old_arr = rtnl_dereference(bond->slave_arr); +- for (idx = 0; old_arr != NULL && idx < old_arr->count; idx++) { +- if (skipslave == old_arr->arr[idx]) { +- old_arr->arr[idx] = +- old_arr->arr[old_arr->count-1]; +- old_arr->count--; +- break; +- } +- } +- } ++ if (ret != 0 && skipslave) ++ bond_skip_slave(rtnl_dereference(bond->slave_arr), skipslave); ++ + return ret; + } + +-- +2.35.1 + diff --git a/queue-5.4/bonding-fix-link-recovery-in-mode-2-when-updelay-is-.patch b/queue-5.4/bonding-fix-link-recovery-in-mode-2-when-updelay-is-.patch new file mode 100644 index 00000000000..69dad602251 --- /dev/null +++ b/queue-5.4/bonding-fix-link-recovery-in-mode-2-when-updelay-is-.patch 
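Review bot: the block comment moved into bond_skip_slave() still describes the caller's situation ("allocation failed", "only possible when the call is initiated from __bond_release_one()"), which the helper cannot see. It belongs at the call site `if (ret != 0 && skipslave)`, with the helper documenting only that it overwrites the skipslave entry with the last entry and decrements count. The helper also takes a plain `struct bond_up_slave *`, so the RTNL requirement expressed by rtnl_dereference() at the call site is no longer visible where the array is written; an ASSERT_RTNL() or a one-line comment in the helper would keep that requirement attached to the code.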
@@ -0,0 +1,49 @@ +From 6780808afd92efe9979d95618e73d6330a02cb9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 16:24:29 -0500 +Subject: bonding: fix link recovery in mode 2 when updelay is nonzero + +From: Jonathan Toppins + +[ Upstream commit f8a65ab2f3ff7410921ebbf0dc55453102c33c56 ] + +Before this change when a bond in mode 2 lost link, all of its slaves +lost link, the bonding device would never recover even after the +expiration of updelay. This change removes the updelay when the bond +currently has no usable links. Conforming to bonding.txt section 13.1 +paragraph 4. + +Fixes: 41f891004063 ("bonding: ignore updelay param when there is no active slave") +Signed-off-by: Jonathan Toppins +Acked-by: Jay Vosburgh +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index dc351832b108..0b7994cb9380 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2107,7 +2107,16 @@ static int bond_miimon_inspect(struct bonding *bond) + struct slave *slave; + bool ignore_updelay; + +- ignore_updelay = !rcu_dereference(bond->curr_active_slave); ++ if (BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP) { ++ ignore_updelay = !rcu_dereference(bond->curr_active_slave); ++ } else { ++ struct bond_up_slave *usable_slaves; ++ ++ usable_slaves = rcu_dereference(bond->usable_slaves); ++ ++ if (usable_slaves && usable_slaves->count == 0) ++ ignore_updelay = true; ++ } + + bond_for_each_slave_rcu(bond, slave, iter) { + bond_propose_link_state(slave, BOND_LINK_NOCHANGE); +-- +2.35.1 + diff --git a/queue-5.4/bonding-rename-slave_arr-to-usable_slaves.patch b/queue-5.4/bonding-rename-slave_arr-to-usable_slaves.patch new file mode 100644 index 00000000000..bf7f5d383fc --- /dev/null +++ b/queue-5.4/bonding-rename-slave_arr-to-usable_slaves.patch 
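Review bot: in bond_miimon_inspect() the new else branch assigns ignore_updelay only when `usable_slaves && usable_slaves->count == 0`; when usable_slaves is NULL or count is nonzero, the variable declared as `bool ignore_updelay;` is left uninitialized. Initialize it to false at the declaration or assign it unconditionally in the else branch. This queue also carries "bonding: uninitialized variable in bond_miimon_inspect()", which does the former, so the two patches must not be separated. The subject says "mode 2", while the else branch covers every mode other than BOND_MODE_ACTIVEBACKUP; the changelog should say so.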
@@ -0,0 +1,161 @@ +From 4e220fd057c4433f3f4fb20bbdb4569749204bf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Apr 2020 22:21:33 +0300 +Subject: bonding: Rename slave_arr to usable_slaves + +From: Maor Gottlieb + +[ Upstream commit ed7d4f023b1a9b0578f20d66557c66452ab845ec ] + +Rename slave_arr to usable_slaves, since we will have two arrays, +one for the usable slaves and the other to all slaves. + +Signed-off-by: Maor Gottlieb +Reviewed-by: Jiri Pirko +Reviewed-by: Jay Vosburgh +Acked-by: David S. Miller +Signed-off-by: Saeed Mahameed +Stable-dep-of: f8a65ab2f3ff ("bonding: fix link recovery in mode 2 when updelay is nonzero") +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_alb.c | 4 ++-- + drivers/net/bonding/bond_main.c | 40 ++++++++++++++++----------------- + include/net/bonding.h | 2 +- + 3 files changed, 23 insertions(+), 23 deletions(-) + +diff --git a/drivers/net/bonding/bond_alb.c b/drivers/net/bonding/bond_alb.c +index 8bee935c8f90..20114e1dde77 100644 +--- a/drivers/net/bonding/bond_alb.c ++++ b/drivers/net/bonding/bond_alb.c +@@ -1360,7 +1360,7 @@ netdev_tx_t bond_tlb_xmit(struct sk_buff *skb, struct net_device *bond_dev) + struct bond_up_slave *slaves; + unsigned int count; + +- slaves = rcu_dereference(bond->slave_arr); ++ slaves = rcu_dereference(bond->usable_slaves); + count = slaves ? READ_ONCE(slaves->count) : 0; + if (likely(count)) + tx_slave = slaves->arr[hash_index % +@@ -1494,7 +1494,7 @@ netdev_tx_t bond_alb_xmit(struct sk_buff *skb, struct net_device *bond_dev) + struct bond_up_slave *slaves; + unsigned int count; + +- slaves = rcu_dereference(bond->slave_arr); ++ slaves = rcu_dereference(bond->usable_slaves); + count = slaves ? 
READ_ONCE(slaves->count) : 0; + if (likely(count)) + tx_slave = slaves->arr[bond_xmit_hash(bond, skb) % +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 0e797730bab3..dc351832b108 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -4073,9 +4073,9 @@ static void bond_skip_slave(struct bond_up_slave *slaves, + */ + int bond_update_slave_arr(struct bonding *bond, struct slave *skipslave) + { ++ struct bond_up_slave *usable_slaves, *old_usable_slaves; + struct slave *slave; + struct list_head *iter; +- struct bond_up_slave *new_arr, *old_arr; + int agg_id = 0; + int ret = 0; + +@@ -4083,11 +4083,10 @@ int bond_update_slave_arr(struct bonding *bond, struct slave *skipslave) + WARN_ON(lockdep_is_held(&bond->mode_lock)); + #endif + +- new_arr = kzalloc(offsetof(struct bond_up_slave, arr[bond->slave_cnt]), +- GFP_KERNEL); +- if (!new_arr) { ++ usable_slaves = kzalloc(struct_size(usable_slaves, arr, ++ bond->slave_cnt), GFP_KERNEL); ++ if (!usable_slaves) { + ret = -ENOMEM; +- pr_err("Failed to build slave-array.\n"); + goto out; + } + if (BOND_MODE(bond) == BOND_MODE_8023AD) { +@@ -4095,14 +4094,14 @@ int bond_update_slave_arr(struct bonding *bond, struct slave *skipslave) + + if (bond_3ad_get_active_agg_info(bond, &ad_info)) { + pr_debug("bond_3ad_get_active_agg_info failed\n"); +- kfree_rcu(new_arr, rcu); ++ kfree_rcu(usable_slaves, rcu); + /* No active aggragator means it's not safe to use + * the previous array. 
+ */ +- old_arr = rtnl_dereference(bond->slave_arr); +- if (old_arr) { +- RCU_INIT_POINTER(bond->slave_arr, NULL); +- kfree_rcu(old_arr, rcu); ++ old_usable_slaves = rtnl_dereference(bond->usable_slaves); ++ if (old_usable_slaves) { ++ RCU_INIT_POINTER(bond->usable_slaves, NULL); ++ kfree_rcu(old_usable_slaves, rcu); + } + goto out; + } +@@ -4122,18 +4121,19 @@ int bond_update_slave_arr(struct bonding *bond, struct slave *skipslave) + continue; + + slave_dbg(bond->dev, slave->dev, "Adding slave to tx hash array[%d]\n", +- new_arr->count); ++ usable_slaves->count); + +- new_arr->arr[new_arr->count++] = slave; ++ usable_slaves->arr[usable_slaves->count++] = slave; + } + +- old_arr = rtnl_dereference(bond->slave_arr); +- rcu_assign_pointer(bond->slave_arr, new_arr); +- if (old_arr) +- kfree_rcu(old_arr, rcu); ++ old_usable_slaves = rtnl_dereference(bond->usable_slaves); ++ rcu_assign_pointer(bond->usable_slaves, usable_slaves); ++ if (old_usable_slaves) ++ kfree_rcu(old_usable_slaves, rcu); + out: + if (ret != 0 && skipslave) +- bond_skip_slave(rtnl_dereference(bond->slave_arr), skipslave); ++ bond_skip_slave(rtnl_dereference(bond->usable_slaves), ++ skipslave); + + return ret; + } +@@ -4150,7 +4150,7 @@ static netdev_tx_t bond_3ad_xor_xmit(struct sk_buff *skb, + struct bond_up_slave *slaves; + unsigned int count; + +- slaves = rcu_dereference(bond->slave_arr); ++ slaves = rcu_dereference(bond->usable_slaves); + count = slaves ? 
READ_ONCE(slaves->count) : 0; + if (likely(count)) { + slave = slaves->arr[bond_xmit_hash(bond, skb) % count]; +@@ -4457,9 +4457,9 @@ static void bond_uninit(struct net_device *bond_dev) + __bond_release_one(bond_dev, slave->dev, true, true); + netdev_info(bond_dev, "Released all slaves\n"); + +- arr = rtnl_dereference(bond->slave_arr); ++ arr = rtnl_dereference(bond->usable_slaves); + if (arr) { +- RCU_INIT_POINTER(bond->slave_arr, NULL); ++ RCU_INIT_POINTER(bond->usable_slaves, NULL); + kfree_rcu(arr, rcu); + } + +diff --git a/include/net/bonding.h b/include/net/bonding.h +index 1bee8fdff7db..69ceb5b4a8d6 100644 +--- a/include/net/bonding.h ++++ b/include/net/bonding.h +@@ -205,7 +205,7 @@ struct bonding { + struct slave __rcu *curr_active_slave; + struct slave __rcu *current_arp_slave; + struct slave __rcu *primary_slave; +- struct bond_up_slave __rcu *slave_arr; /* Array of usable slaves */ ++ struct bond_up_slave __rcu *usable_slaves; /* Array of usable slaves */ + bool force_primary; + s32 slave_cnt; /* never change this value outside the attach/detach wrappers */ + int (*recv_probe)(const struct sk_buff *, struct bonding *, +-- +2.35.1 + diff --git a/queue-5.4/bonding-uninitialized-variable-in-bond_miimon_inspec.patch b/queue-5.4/bonding-uninitialized-variable-in-bond_miimon_inspec.patch new file mode 100644 index 00000000000..b25a3f859a8 --- /dev/null +++ b/queue-5.4/bonding-uninitialized-variable-in-bond_miimon_inspec.patch 
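Review bot: besides the rename, the allocation hunk in bond_update_slave_arr() drops `pr_err("Failed to build slave-array.\n");` and changes the size computation from `offsetof(struct bond_up_slave, arr[bond->slave_cnt])` to `struct_size(usable_slaves, arr, bond->slave_cnt)`, and the changelog mentions neither. struct_size() saturates on overflow, so the size change is a behaviour change, not a rename. List both in the message so a reader of this Stable-dep-of backport does not treat the patch as purely mechanical.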
@@ -0,0 +1,41 @@ +From 5aba83155bed44c9f5bbef07242d15e6d4296966 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 14:06:14 +0300 +Subject: bonding: uninitialized variable in bond_miimon_inspect() + +From: Dan Carpenter + +[ Upstream commit e5214f363dabca240446272dac54d404501ad5e5 ] + +The "ignore_updelay" variable needs to be initialized to false. + +Fixes: f8a65ab2f3ff ("bonding: fix link recovery in mode 2 when updelay is nonzero") +Signed-off-by: Dan Carpenter +Reviewed-by: Pavan Chebbi +Acked-by: Jay Vosburgh +Link: https://lore.kernel.org/r/Y4SWJlh3ohJ6EPTL@kili +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 0b7994cb9380..0885991347d0 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2102,10 +2102,10 @@ static int bond_slave_info_query(struct net_device *bond_dev, struct ifslave *in + /* called with rcu_read_lock() */ + static int bond_miimon_inspect(struct bonding *bond) + { ++ bool ignore_updelay = false; + int link_state, commit = 0; + struct list_head *iter; + struct slave *slave; +- bool ignore_updelay; + + if (BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP) { + ignore_updelay = !rcu_dereference(bond->curr_active_slave); +-- +2.35.1 + diff --git a/queue-5.4/bpf-make-sure-skb-len-0-when-redirecting-to-a-tunnel.patch b/queue-5.4/bpf-make-sure-skb-len-0-when-redirecting-to-a-tunnel.patch new file mode 100644 index 00000000000..d7584df92f2 --- /dev/null +++ b/queue-5.4/bpf-make-sure-skb-len-0-when-redirecting-to-a-tunnel.patch 
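Review bot: the context line `if (BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP) {` and the starting blob 0b7994cb9380 in bond_miimon_inspect() exist only once "bonding: fix link recovery in mode 2 when updelay is nonzero" has been applied (that patch's index line ends at 0b7994cb9380). Keep this patch ordered directly after it in the series file so no build of the queue contains the uninitialized read.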
@@ -0,0 +1,73 @@ +From 9e12bceac0bc00cedec58028ddb67d9c7e7f6c4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 15:55:37 -0700 +Subject: bpf: make sure skb->len != 0 when redirecting to a tunneling device + +From: Stanislav Fomichev + +[ Upstream commit 07ec7b502800ba9f7b8b15cb01dd6556bb41aaca ] + +syzkaller managed to trigger another case where skb->len == 0 +when we enter __dev_queue_xmit: + +WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline] +WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295 + +Call Trace: + dev_queue_xmit+0x17/0x20 net/core/dev.c:4406 + __bpf_tx_skb net/core/filter.c:2115 [inline] + __bpf_redirect_no_mac net/core/filter.c:2140 [inline] + __bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163 + ____bpf_clone_redirect net/core/filter.c:2447 [inline] + bpf_clone_redirect+0x247/0x390 net/core/filter.c:2419 + bpf_prog_48159a89cb4a9a16+0x59/0x5e + bpf_dispatcher_nop_func include/linux/bpf.h:897 [inline] + __bpf_prog_run include/linux/filter.h:596 [inline] + bpf_prog_run include/linux/filter.h:603 [inline] + bpf_test_run+0x46c/0x890 net/bpf/test_run.c:402 + bpf_prog_test_run_skb+0xbdc/0x14c0 net/bpf/test_run.c:1170 + bpf_prog_test_run+0x345/0x3c0 kernel/bpf/syscall.c:3648 + __sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005 + __do_sys_bpf kernel/bpf/syscall.c:5091 [inline] + __se_sys_bpf kernel/bpf/syscall.c:5089 [inline] + __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5089 + do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48 + entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +The reproducer doesn't really reproduce outside of syzkaller +environment, so I'm taking a guess here. It looks like we +do generate correct ETH_HLEN-sized packet, but we redirect +the packet to the tunneling device. Before we do so, we +__skb_pull l2 header and arrive again at skb->len == 0. 
+Doesn't seem like we can do anything better than having +an explicit check after __skb_pull? + +Cc: Eric Dumazet +Reported-by: syzbot+f635e86ec3fa0a37e019@syzkaller.appspotmail.com +Signed-off-by: Stanislav Fomichev +Link: https://lore.kernel.org/r/20221027225537.353077-1-sdf@google.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/core/filter.c b/net/core/filter.c +index 6fd9173e18b7..ec4f7e68b21a 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2078,6 +2078,10 @@ static int __bpf_redirect_no_mac(struct sk_buff *skb, struct net_device *dev, + + if (mlen) { + __skb_pull(skb, mlen); ++ if (unlikely(!skb->len)) { ++ kfree_skb(skb); ++ return -ERANGE; ++ } + + /* At ingress, the mac header has already been pulled once. + * At egress, skb_pospull_rcsum has to be done in case that +-- +2.35.1 + diff --git a/queue-5.4/bpf-move-skb-len-0-checks-into-__bpf_redirect.patch b/queue-5.4/bpf-move-skb-len-0-checks-into-__bpf_redirect.patch new file mode 100644 index 00000000000..49fdff282bb --- /dev/null +++ b/queue-5.4/bpf-move-skb-len-0-checks-into-__bpf_redirect.patch 
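Review bot: the added `if (unlikely(!skb->len))` after `__skb_pull(skb, mlen);` in __bpf_redirect_no_mac() looks unreachable in this queue. The hunk's starting blob 6fd9173e18b7 is the result blob of "bpf: Move skb->len == 0 checks into __bpf_redirect", which already returns -ERANGE when `skb->len <= mlen` before the pull, so skb->len cannot be zero after it. The extra check is harmless, but confirm the series order matches the index lines and note the redundancy in the backport.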
@@ -0,0 +1,66 @@ +From 521307b884a2278105b6060d4508432bf8ab6fcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 10:03:39 -0800 +Subject: bpf: Move skb->len == 0 checks into __bpf_redirect + +From: Stanislav Fomichev + +[ Upstream commit 114039b342014680911c35bd6b72624180fd669a ] + +To avoid potentially breaking existing users. + +Both mac/no-mac cases have to be amended; mac_header >= network_header +is not enough (verified with a new test, see next patch). + +Fixes: fd1894224407 ("bpf: Don't redirect packets with invalid pkt_len") +Signed-off-by: Stanislav Fomichev +Link: https://lore.kernel.org/r/20221121180340.1983627-1-sdf@google.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + net/bpf/test_run.c | 3 --- + net/core/filter.c | 7 ++++++- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c +index d78c4cc30a28..591d146a5308 100644 +--- a/net/bpf/test_run.c ++++ b/net/bpf/test_run.c +@@ -201,9 +201,6 @@ static int convert___skb_to_skb(struct sk_buff *skb, struct __sk_buff *__skb) + { + struct qdisc_skb_cb *cb = (struct qdisc_skb_cb *)skb->cb; + +- if (!skb->len) +- return -EINVAL; +- + if (!__skb) + return 0; + +diff --git a/net/core/filter.c b/net/core/filter.c +index e81f7772161a..6fd9173e18b7 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2071,6 +2071,11 @@ static int __bpf_redirect_no_mac(struct sk_buff *skb, struct net_device *dev, + { + unsigned int mlen = skb_network_offset(skb); + ++ if (unlikely(skb->len <= mlen)) { ++ kfree_skb(skb); ++ return -ERANGE; ++ } ++ + if (mlen) { + __skb_pull(skb, mlen); + +@@ -2092,7 +2097,7 @@ static int __bpf_redirect_common(struct sk_buff *skb, struct net_device *dev, + u32 flags) + { + /* Verify that a link layer header is carried */ +- if (unlikely(skb->mac_header >= skb->network_header)) { ++ if (unlikely(skb->mac_header >= skb->network_header || skb->len == 0)) { + kfree_skb(skb); + return -ERANGE; + } +-- 
+2.35.1 + diff --git a/queue-5.4/bpf-prevent-decl_tag-from-being-referenced-in-func_p.patch b/queue-5.4/bpf-prevent-decl_tag-from-being-referenced-in-func_p.patch new file mode 100644 index 00000000000..76891e462f0 --- /dev/null +++ b/queue-5.4/bpf-prevent-decl_tag-from-being-referenced-in-func_p.patch 
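Review bot: the changelog line "To avoid potentially breaking existing users" does not say what broke. The net/bpf/test_run.c hunk removes `if (!skb->len) return -EINVAL;` from convert___skb_to_skb(), so zero-length test-run skbs are accepted again and are rejected only at redirect time with -ERANGE; state that in the message. The message also points to a new test in the "next patch"; confirm whether that selftest is part of this 5.4 queue, and that fd1894224407 named in Fixes: is present in 5.4.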
@@ -0,0 +1,55 @@ +From 9fe3fde7380607a22661e3f72a4f47e76316cd4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 19:54:22 -0800 +Subject: bpf: Prevent decl_tag from being referenced in func_proto arg + +From: Stanislav Fomichev + +[ Upstream commit f17472d4599697d701aa239b4c475a506bccfd19 ] + +Syzkaller managed to hit another decl_tag issue: + + btf_func_proto_check kernel/bpf/btf.c:4506 [inline] + btf_check_all_types kernel/bpf/btf.c:4734 [inline] + btf_parse_type_sec+0x1175/0x1980 kernel/bpf/btf.c:4763 + btf_parse kernel/bpf/btf.c:5042 [inline] + btf_new_fd+0x65a/0xb00 kernel/bpf/btf.c:6709 + bpf_btf_load+0x6f/0x90 kernel/bpf/syscall.c:4342 + __sys_bpf+0x50a/0x6c0 kernel/bpf/syscall.c:5034 + __do_sys_bpf kernel/bpf/syscall.c:5093 [inline] + __se_sys_bpf kernel/bpf/syscall.c:5091 [inline] + __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5091 + do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48 + +This seems similar to commit ea68376c8bed ("bpf: prevent decl_tag from being +referenced in func_proto") but for the argument. + +Reported-by: syzbot+8dd0551dda6020944c5d@syzkaller.appspotmail.com +Signed-off-by: Stanislav Fomichev +Signed-off-by: Daniel Borkmann +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20221123035422.872531-2-sdf@google.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/btf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c +index a28bbec8c59f..8fd65a0eb7f3 100644 +--- a/kernel/bpf/btf.c ++++ b/kernel/bpf/btf.c +@@ -2849,6 +2849,11 @@ static int btf_func_proto_check(struct btf_verifier_env *env, + break; + } + ++ if (btf_type_is_resolve_source_only(arg_type)) { ++ btf_verifier_log_type(env, t, "Invalid arg#%u", i + 1); ++ return -EINVAL; ++ } ++ + if (args[i].name_off && + (!btf_name_offset_valid(btf, args[i].name_off) || + !btf_name_valid_identifier(btf, args[i].name_off))) { +-- +2.35.1 + 
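Review bot: the patch carries no Fixes: tag and the changelog ties it to ea68376c8bed ("bpf: prevent decl_tag from being referenced in func_proto"); confirm that commit and the decl_tag kind exist in 5.4 before queuing. In btf_func_proto_check() the new test is `btf_type_is_resolve_source_only(arg_type)`, which by its name covers a class of kinds rather than decl_tag alone, so the message should say which kinds it rejects on this tree. The log string uses `i + 1` for the argument number; check that this matches the numbering used by the other messages in the same loop.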
diff --git a/queue-5.4/bpf-propagate-precision-in-alu-alu64-operations.patch b/queue-5.4/bpf-propagate-precision-in-alu-alu64-operations.patch new file mode 100644 index 00000000000..145f32428f5 --- /dev/null +++ b/queue-5.4/bpf-propagate-precision-in-alu-alu64-operations.patch 
@@ -0,0 +1,89 @@ +From 22172f33af1ec72c9b8f56c0b95ba2690d18b090 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 09:36:44 -0700 +Subject: bpf: propagate precision in ALU/ALU64 operations + +From: Andrii Nakryiko + +[ Upstream commit a3b666bfa9c9edc05bca62a87abafe0936bd7f97 ] + +When processing ALU/ALU64 operations (apart from BPF_MOV, which is +handled correctly already; and BPF_NEG and BPF_END are special and don't +have source register), if destination register is already marked +precise, this causes problem with potentially missing precision tracking +for the source register. E.g., when we have r1 >>= r5 and r1 is marked +precise, but r5 isn't, this will lead to r5 staying as imprecise. This +is due to the precision backtracking logic stopping early when it sees +r1 is already marked precise. If r1 wasn't precise, we'd keep +backtracking and would add r5 to the set of registers that need to be +marked precise. So there is a discrepancy here which can lead to invalid +and incompatible states matched due to lack of precision marking on r5. +If r1 wasn't precise, precision backtracking would correctly mark both +r1 and r5 as precise. + +This is simple to fix, though. During the forward instruction simulation +pass, for arithmetic operations of `scalar = scalar` form (where + is ALU or ALU64 operations), if destination register is already +precise, mark source register as precise. This applies only when both +involved registers are SCALARs. `ptr += scalar` and `scalar += ptr` +cases are already handled correctly. + +This does have (negative) effect on some selftest programs and few +Cilium programs. ~/baseline-tmp-results.csv are veristat results with +this patch, while ~/baseline-results.csv is without it. See post +scriptum for instructions on how to make Cilium programs testable with +veristat. Correctness has a price. 
+ +$ ./veristat -C -e file,prog,insns,states ~/baseline-results.csv ~/baseline-tmp-results.csv | grep -v '+0' +File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF) +----------------------- -------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- +bpf_cubic.bpf.linked1.o bpf_cubic_cong_avoid 997 1700 +703 (+70.51%) 62 90 +28 (+45.16%) +test_l4lb.bpf.linked1.o balancer_ingress 4559 5469 +910 (+19.96%) 118 126 +8 (+6.78%) +----------------------- -------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- + +$ ./veristat -C -e file,prog,verdict,insns,states ~/baseline-results-cilium.csv ~/baseline-tmp-results-cilium.csv | grep -v '+0' +File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF) +------------- ------------------------------ --------------- --------------- ------------------ ---------------- ---------------- ------------------- +bpf_host.o tail_nodeport_nat_ingress_ipv6 4448 5261 +813 (+18.28%) 234 247 +13 (+5.56%) +bpf_host.o tail_nodeport_nat_ipv6_egress 3396 3446 +50 (+1.47%) 201 203 +2 (+1.00%) +bpf_lxc.o tail_nodeport_nat_ingress_ipv6 4448 5261 +813 (+18.28%) 234 247 +13 (+5.56%) +bpf_overlay.o tail_nodeport_nat_ingress_ipv6 4448 5261 +813 (+18.28%) 234 247 +13 (+5.56%) +bpf_xdp.o tail_lb_ipv4 71736 73442 +1706 (+2.38%) 4295 4370 +75 (+1.75%) +------------- ------------------------------ --------------- --------------- ------------------ ---------------- ---------------- ------------------- + +P.S. To make Cilium ([0]) programs libbpf-compatible and thus +veristat-loadable, apply changes from topmost commit in [1], which does +minimal changes to Cilium source code, mostly around SEC() annotations +and BPF map definitions. 
+ + [0] https://github.com/cilium/cilium/ + [1] https://github.com/anakryiko/cilium/commits/libbpf-friendliness + +Fixes: b5dc0163d8fd ("bpf: precise scalar_value tracking") +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20221104163649.121784-2-andrii@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index f705d3752fe0..32b32ecad770 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -5140,6 +5140,11 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env, + return err; + return adjust_ptr_min_max_vals(env, insn, + dst_reg, src_reg); ++ } else if (dst_reg->precise) { ++ /* if dst_reg is precise, src_reg should be precise as well */ ++ err = mark_chain_precision(env, insn->src_reg); ++ if (err) ++ return err; + } + } else { + /* Pretend the src is a reg with a known value, since we only +-- +2.35.1 + diff --git a/queue-5.4/bpf-sockmap-fix-data-loss-caused-by-using-apply_byte.patch b/queue-5.4/bpf-sockmap-fix-data-loss-caused-by-using-apply_byte.patch new file mode 100644 index 00000000000..e9489f4292d --- /dev/null +++ b/queue-5.4/bpf-sockmap-fix-data-loss-caused-by-using-apply_byte.patch 
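Review bot: the veristat tables in the changelog show verification cost rising with this change, up to +703 instructions (+70.51%) for bpf_cubic_cong_avoid and +1706 for tail_lb_ipv4. For a stable backport, check that programs already close to the verifier's instruction limit on 5.4 still load. In adjust_reg_min_max_vals(), `mark_chain_precision(env, insn->src_reg)` sits in an `else if (dst_reg->precise)` that follows the pointer cases, so the claim that it runs only when both registers are SCALARs depends on the preceding branches; extend the comment to name that invariant.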
@@ -0,0 +1,47 @@ +From 94e978b674088a927c4dbf134d462ee8df0ca8dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Nov 2022 18:40:40 +0800 +Subject: bpf, sockmap: Fix data loss caused by using apply_bytes on ingress + redirect + +From: Pengcheng Yang + +[ Upstream commit 9072931f020bfd907d6d89ee21ff1481cd78b407 ] + +Use apply_bytes on ingress redirect, when apply_bytes is less than +the length of msg data, some data may be skipped and lost in +bpf_tcp_ingress(). + +If there is still data in the scatterlist that has not been consumed, +we cannot move the msg iter. + +Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") +Signed-off-by: Pengcheng Yang +Signed-off-by: Daniel Borkmann +Acked-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/1669718441-2654-4-git-send-email-yangpc@wangsu.com +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_bpf.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index 229fa1f2b381..ca49d68a0e04 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -203,8 +203,11 @@ static int bpf_tcp_ingress(struct sock *sk, struct sk_psock *psock, + tmp->sg.end = i; + if (apply) { + apply_bytes -= size; +- if (!apply_bytes) ++ if (!apply_bytes) { ++ if (sge->length) ++ sk_msg_iter_var_prev(i); + break; ++ } + } + } while (i != msg->sg.end); + +-- +2.35.1 + diff --git a/queue-5.4/bpf-sockmap-fix-race-in-sock_map_free.patch b/queue-5.4/bpf-sockmap-fix-race-in-sock_map_free.patch new file mode 100644 index 00000000000..a7209a4845c --- /dev/null +++ b/queue-5.4/bpf-sockmap-fix-race-in-sock_map_free.patch 
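Review bot: `if (sge->length) sk_msg_iter_var_prev(i);` in bpf_tcp_ingress() depends on sge->length holding the unconsumed remainder of the current element at this point, but the lines that adjust it are outside the hunk. Add a comment saying that a nonzero length means the element was only partly consumed and the iterator is stepped back so the remainder is not skipped. Also confirm that `i` has already been advanced past this element before the `if (apply)` block; otherwise stepping back would land on the previous element.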
@@ -0,0 +1,87 @@ +From f7eb976c74ed1fa80e7405719d72e574a3c9422e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 11:16:40 +0000 +Subject: bpf, sockmap: fix race in sock_map_free() + +From: Eric Dumazet + +[ Upstream commit 0a182f8d607464911756b4dbef5d6cad8de22469 ] + +sock_map_free() calls release_sock(sk) without owning a reference +on the socket. This can cause use-after-free as syzbot found [1] + +Jakub Sitnicki already took care of a similar issue +in sock_hash_free() in commit 75e68e5bf2c7 ("bpf, sockhash: +Synchronize delete from bucket list on map free") + +[1] +refcount_t: decrement hit 0; leaking memory. +WARNING: CPU: 0 PID: 3785 at lib/refcount.c:31 refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31 +Modules linked in: +CPU: 0 PID: 3785 Comm: kworker/u4:6 Not tainted 6.1.0-rc7-syzkaller-00103-gef4d3ea40565 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +Workqueue: events_unbound bpf_map_free_deferred +RIP: 0010:refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31 +Code: 68 8b 31 c0 e8 75 71 15 fd 0f 0b e9 64 ff ff ff e8 d9 6e 4e fd c6 05 62 9c 3d 0a 01 48 c7 c7 80 bb 68 8b 31 c0 e8 54 71 15 fd <0f> 0b e9 43 ff ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a2 fe ff +RSP: 0018:ffffc9000456fb60 EFLAGS: 00010246 +RAX: eae59bab72dcd700 RBX: 0000000000000004 RCX: ffff8880207057c0 +RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000 +RBP: 0000000000000004 R08: ffffffff816fdabd R09: fffff520008adee5 +R10: fffff520008adee5 R11: 1ffff920008adee4 R12: 0000000000000004 +R13: dffffc0000000000 R14: ffff88807b1c6c00 R15: 1ffff1100f638dcf +FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b30c30000 CR3: 000000000d08e000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +__refcount_dec 
include/linux/refcount.h:344 [inline] +refcount_dec include/linux/refcount.h:359 [inline] +__sock_put include/net/sock.h:779 [inline] +tcp_release_cb+0x2d0/0x360 net/ipv4/tcp_output.c:1092 +release_sock+0xaf/0x1c0 net/core/sock.c:3468 +sock_map_free+0x219/0x2c0 net/core/sock_map.c:356 +process_one_work+0x81c/0xd10 kernel/workqueue.c:2289 +worker_thread+0xb14/0x1330 kernel/workqueue.c:2436 +kthread+0x266/0x300 kernel/kthread.c:376 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 + + +Fixes: 7e81a3530206 ("bpf: Sockmap, ensure sock lock held during tear down") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Jakub Sitnicki +Cc: John Fastabend +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Song Liu +Acked-by: John Fastabend +Link: https://lore.kernel.org/r/20221202111640.2745533-1-edumazet@google.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + net/core/sock_map.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/core/sock_map.c b/net/core/sock_map.c +index 2646e8f98f67..5bce6d4d2057 100644 +--- a/net/core/sock_map.c ++++ b/net/core/sock_map.c +@@ -279,11 +279,13 @@ static void sock_map_free(struct bpf_map *map) + + sk = xchg(psk, NULL); + if (sk) { ++ sock_hold(sk); + lock_sock(sk); + rcu_read_lock(); + sock_map_unref(sk, psk); + rcu_read_unlock(); + release_sock(sk); ++ sock_put(sk); + } + } + +-- +2.35.1 + diff --git a/queue-5.4/bpf-sockmap-fix-repeated-calls-to-sock_put-when-msg-.patch b/queue-5.4/bpf-sockmap-fix-repeated-calls-to-sock_put-when-msg-.patch new file mode 100644 index 00000000000..1f925dedea6 --- /dev/null +++ b/queue-5.4/bpf-sockmap-fix-repeated-calls-to-sock_put-when-msg-.patch 
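Review bot: in sock_map_free() the `sock_hold(sk);` comes after `sk = xchg(psk, NULL);`, so the fix relies on the map's own reference keeping sk alive up to that point. A comment stating that the temporary hold exists to cover release_sock(), because the reference can be dropped before it returns (the trace shows the decrement in tcp_release_cb()), would make the pairing with `sock_put(sk);` obvious. The changelog cites 75e68e5bf2c7 as the matching fix for sock_hash_free(); confirm it is in 5.4 as well.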
@@ -0,0 +1,80 @@ +From 58e8683162ad3130cf5e6fcccc47096127779b0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Nov 2022 18:40:38 +0800 +Subject: bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data + +From: Pengcheng Yang + +[ Upstream commit 7a9841ca025275b5b0edfb0b618934abb6ceec15 ] + +In tcp_bpf_send_verdict() redirection, the eval variable is assigned to +__SK_REDIRECT after the apply_bytes data is sent, if msg has more_data, +sock_put() will be called multiple times. + +We should reset the eval variable to __SK_NONE every time more_data +starts. + +This causes: + +IPv4: Attempt to release TCP socket in state 1 00000000b4c925d7 +------------[ cut here ]------------ +refcount_t: addition on 0; use-after-free. +WARNING: CPU: 5 PID: 4482 at lib/refcount.c:25 refcount_warn_saturate+0x7d/0x110 +Modules linked in: +CPU: 5 PID: 4482 Comm: sockhash_bypass Kdump: loaded Not tainted 6.0.0 #1 +Hardware name: Red Hat KVM, BIOS 1.11.0-2.el7 04/01/2014 +Call Trace: + + __tcp_transmit_skb+0xa1b/0xb90 + ? __alloc_skb+0x8c/0x1a0 + ? __kmalloc_node_track_caller+0x184/0x320 + tcp_write_xmit+0x22a/0x1110 + __tcp_push_pending_frames+0x32/0xf0 + do_tcp_sendpages+0x62d/0x640 + tcp_bpf_push+0xae/0x2c0 + tcp_bpf_sendmsg_redir+0x260/0x410 + ? preempt_count_add+0x70/0xa0 + tcp_bpf_send_verdict+0x386/0x4b0 + tcp_bpf_sendmsg+0x21b/0x3b0 + sock_sendmsg+0x58/0x70 + __sys_sendto+0xfa/0x170 + ? xfd_validate_state+0x1d/0x80 + ? 
switch_fpu_return+0x59/0xe0 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0x37/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fixes: cd9733f5d75c ("tcp_bpf: Fix one concurrency problem in the tcp_bpf_send_verdict function") +Signed-off-by: Pengcheng Yang +Signed-off-by: Daniel Borkmann +Acked-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/1669718441-2654-2-git-send-email-yangpc@wangsu.com +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_bpf.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index f69dcd3c7797..229fa1f2b381 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -312,7 +312,7 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock, + bool cork = false, enospc = sk_msg_full(msg); + struct sock *sk_redir; + u32 tosend, origsize, sent, delta = 0; +- u32 eval = __SK_NONE; ++ u32 eval; + int ret; + + more_data: +@@ -343,6 +343,7 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock, + tosend = msg->sg.size; + if (psock->apply_bytes && psock->apply_bytes < tosend) + tosend = psock->apply_bytes; ++ eval = __SK_NONE; + + switch (psock->eval) { + case __SK_PASS: +-- +2.35.1 + diff --git a/queue-5.4/brcmfmac-return-error-when-getting-invalid-max_flowr.patch b/queue-5.4/brcmfmac-return-error-when-getting-invalid-max_flowr.patch new file mode 100644 index 00000000000..9aaf8d3cfdc --- /dev/null +++ b/queue-5.4/brcmfmac-return-error-when-getting-invalid-max_flowr.patch 
@@ -0,0 +1,43 @@ +From 6dcc82d5baa5286d95e8083cf1de7c64bef72403 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Sep 2022 22:10:00 -0500 +Subject: brcmfmac: return error when getting invalid max_flowrings from dongle + +From: Wright Feng + +[ Upstream commit 2aca4f3734bd717e04943ddf340d49ab62299a00 ] + +When firmware hit trap at initialization, host will read abnormal +max_flowrings number from dongle, and it will cause kernel panic when +doing iowrite to initialize dongle ring. +To detect this error at early stage, we directly return error when getting +invalid max_flowrings(>256). + +Signed-off-by: Wright Feng +Signed-off-by: Chi-hsien Lin +Signed-off-by: Ian Lin +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220929031001.9962-3-ian.lin@infineon.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +index c3ea31ca857a..092501eee9aa 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +@@ -1109,6 +1109,10 @@ static int brcmf_pcie_init_ringbuffers(struct brcmf_pciedev_info *devinfo) + BRCMF_NROF_H2D_COMMON_MSGRINGS; + max_completionrings = BRCMF_NROF_D2H_COMMON_MSGRINGS; + } ++ if (max_flowrings > 256) { ++ brcmf_err(bus, "invalid max_flowrings(%d)\n", max_flowrings); ++ return -EIO; ++ } + + if (devinfo->dma_idx_sz != 0) { + bufsz = (max_submissionrings + max_completionrings) * +-- +2.35.1 + diff --git a/queue-5.4/can-kvaser_usb-add-struct-kvaser_usb_busparams.patch b/queue-5.4/can-kvaser_usb-add-struct-kvaser_usb_busparams.patch new file mode 100644 index 00000000000..70827bdd198 --- /dev/null +++ b/queue-5.4/can-kvaser_usb-add-struct-kvaser_usb_busparams.patch 
@@ -0,0 +1,143 @@ +From 87b9c1c0d160ffbd1c4ef914fc8c5b1bcb44c127 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Oct 2022 20:52:36 +0200 +Subject: can: kvaser_usb: Add struct kvaser_usb_busparams + +From: Jimmy Assarsson + +[ Upstream commit 00e5786177649c1e3110f9454fdd34e336597265 ] + +Add struct kvaser_usb_busparams containing the busparameters used in +CMD_{SET,GET}_BUSPARAMS* commands. + +Tested-by: Anssi Hannula +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/all/20221010185237.319219-11-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Stable-dep-of: 39d3df6b0ea8 ("can: kvaser_usb: Compare requested bittiming parameters with actual parameters in do_set_{,data}_bittiming") +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/kvaser_usb/kvaser_usb.h | 8 +++++ + .../net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 32 +++++++------------ + .../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 18 ++++------- + 3 files changed, 27 insertions(+), 31 deletions(-) + +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h +index 1f4583f1dae2..cb8018723748 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h +@@ -76,6 +76,14 @@ struct kvaser_usb_tx_urb_context { + int dlc; + }; + ++struct kvaser_usb_busparams { ++ __le32 bitrate; ++ u8 tseg1; ++ u8 tseg2; ++ u8 sjw; ++ u8 nsamples; ++} __packed; ++ + struct kvaser_usb { + struct usb_device *udev; + struct usb_interface *intf; +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c +index 9588efbfae71..72c37dc50b6b 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c +@@ -193,17 +193,9 @@ struct kvaser_cmd_chip_state_event { + #define KVASER_USB_HYDRA_BUS_MODE_CANFD_ISO 0x01 + #define KVASER_USB_HYDRA_BUS_MODE_NONISO 0x02 + struct kvaser_cmd_set_busparams { +- __le32 bitrate; 
+- u8 tseg1; +- u8 tseg2; +- u8 sjw; +- u8 nsamples; ++ struct kvaser_usb_busparams busparams_arb; + u8 reserved0[4]; +- __le32 bitrate_d; +- u8 tseg1_d; +- u8 tseg2_d; +- u8 sjw_d; +- u8 nsamples_d; ++ struct kvaser_usb_busparams busparams_data; + u8 canfd_mode; + u8 reserved1[7]; + } __packed; +@@ -1515,11 +1507,11 @@ static int kvaser_usb_hydra_set_bittiming(struct net_device *netdev) + return -ENOMEM; + + cmd->header.cmd_no = CMD_SET_BUSPARAMS_REQ; +- cmd->set_busparams_req.bitrate = cpu_to_le32(bt->bitrate); +- cmd->set_busparams_req.sjw = (u8)sjw; +- cmd->set_busparams_req.tseg1 = (u8)tseg1; +- cmd->set_busparams_req.tseg2 = (u8)tseg2; +- cmd->set_busparams_req.nsamples = 1; ++ cmd->set_busparams_req.busparams_arb.bitrate = cpu_to_le32(bt->bitrate); ++ cmd->set_busparams_req.busparams_arb.sjw = (u8)sjw; ++ cmd->set_busparams_req.busparams_arb.tseg1 = (u8)tseg1; ++ cmd->set_busparams_req.busparams_arb.tseg2 = (u8)tseg2; ++ cmd->set_busparams_req.busparams_arb.nsamples = 1; + + kvaser_usb_hydra_set_cmd_dest_he + (cmd, dev->card_data.hydra.channel_to_he[priv->channel]); +@@ -1549,11 +1541,11 @@ static int kvaser_usb_hydra_set_data_bittiming(struct net_device *netdev) + return -ENOMEM; + + cmd->header.cmd_no = CMD_SET_BUSPARAMS_FD_REQ; +- cmd->set_busparams_req.bitrate_d = cpu_to_le32(dbt->bitrate); +- cmd->set_busparams_req.sjw_d = (u8)sjw; +- cmd->set_busparams_req.tseg1_d = (u8)tseg1; +- cmd->set_busparams_req.tseg2_d = (u8)tseg2; +- cmd->set_busparams_req.nsamples_d = 1; ++ cmd->set_busparams_req.busparams_data.bitrate = cpu_to_le32(dbt->bitrate); ++ cmd->set_busparams_req.busparams_data.sjw = (u8)sjw; ++ cmd->set_busparams_req.busparams_data.tseg1 = (u8)tseg1; ++ cmd->set_busparams_req.busparams_data.tseg2 = (u8)tseg2; ++ cmd->set_busparams_req.busparams_data.nsamples = 1; + + if (priv->can.ctrlmode & CAN_CTRLMODE_FD) { + if (priv->can.ctrlmode & CAN_CTRLMODE_FD_NON_ISO) +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c 
b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +index d1877ff2ff71..1e2f727a1efb 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +@@ -163,11 +163,7 @@ struct usbcan_cmd_softinfo { + struct kvaser_cmd_busparams { + u8 tid; + u8 channel; +- __le32 bitrate; +- u8 tseg1; +- u8 tseg2; +- u8 sjw; +- u8 no_samp; ++ struct kvaser_usb_busparams busparams; + } __packed; + + struct kvaser_cmd_tx_can { +@@ -1703,15 +1699,15 @@ static int kvaser_usb_leaf_set_bittiming(struct net_device *netdev) + cmd->len = CMD_HEADER_LEN + sizeof(struct kvaser_cmd_busparams); + cmd->u.busparams.channel = priv->channel; + cmd->u.busparams.tid = 0xff; +- cmd->u.busparams.bitrate = cpu_to_le32(bt->bitrate); +- cmd->u.busparams.sjw = bt->sjw; +- cmd->u.busparams.tseg1 = bt->prop_seg + bt->phase_seg1; +- cmd->u.busparams.tseg2 = bt->phase_seg2; ++ cmd->u.busparams.busparams.bitrate = cpu_to_le32(bt->bitrate); ++ cmd->u.busparams.busparams.sjw = bt->sjw; ++ cmd->u.busparams.busparams.tseg1 = bt->prop_seg + bt->phase_seg1; ++ cmd->u.busparams.busparams.tseg2 = bt->phase_seg2; + + if (priv->can.ctrlmode & CAN_CTRLMODE_3_SAMPLES) +- cmd->u.busparams.no_samp = 3; ++ cmd->u.busparams.busparams.nsamples = 3; + else +- cmd->u.busparams.no_samp = 1; ++ cmd->u.busparams.busparams.nsamples = 1; + + rc = kvaser_usb_send_cmd(dev, cmd, cmd->len); + +-- +2.35.1 + diff --git a/queue-5.4/can-kvaser_usb-compare-requested-bittiming-parameter.patch b/queue-5.4/can-kvaser_usb-compare-requested-bittiming-parameter.patch new file mode 100644 index 00000000000..d17a61a7202 --- /dev/null +++ b/queue-5.4/can-kvaser_usb-compare-requested-bittiming-parameter.patch 
@@ -0,0 +1,598 @@ +From b2118b98e9283e4b725971ad0698692ace6cdcdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Oct 2022 20:52:37 +0200 +Subject: can: kvaser_usb: Compare requested bittiming parameters with actual + parameters in do_set_{,data}_bittiming + +From: Jimmy Assarsson + +[ Upstream commit 39d3df6b0ea80f9b515c632ca07b39b1c156edee ] + +The device will respond with a CMD_ERROR_EVENT command, with error_code +KVASER_USB_{LEAF,HYDRA}_ERROR_EVENT_PARAM, if the CMD_SET_BUSPARAMS_REQ +contains invalid bittiming parameters. +However, this command does not contain any channel reference. + +To check if the CMD_SET_BUSPARAMS_REQ was successful, redback and compare +the requested bittiming parameters with the device reported parameters. + +Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") +Fixes: aec5fb2268b7 ("can: kvaser_usb: Add support for Kvaser USB hydra family") +Tested-by: Anssi Hannula +Co-developed-by: Anssi Hannula +Signed-off-by: Anssi Hannula +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/all/20221010185237.319219-12-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/kvaser_usb/kvaser_usb.h | 15 +- + .../net/can/usb/kvaser_usb/kvaser_usb_core.c | 96 ++++++++++- + .../net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 150 +++++++++++++++--- + .../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 64 ++++++-- + 4 files changed, 284 insertions(+), 41 deletions(-) + +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h +index cb8018723748..5699531f8787 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h +@@ -119,9 +119,12 @@ struct kvaser_usb_net_priv { + struct net_device *netdev; + int channel; + +- struct completion start_comp, stop_comp, flush_comp; ++ struct completion start_comp, stop_comp, flush_comp, ++ get_busparams_comp; + struct usb_anchor 
tx_submitted; + ++ struct kvaser_usb_busparams busparams_nominal, busparams_data; ++ + spinlock_t tx_contexts_lock; /* lock for active_tx_contexts */ + int active_tx_contexts; + struct kvaser_usb_tx_urb_context tx_contexts[]; +@@ -131,7 +134,9 @@ struct kvaser_usb_net_priv { + * struct kvaser_usb_dev_ops - Device specific functions + * @dev_set_mode: used for can.do_set_mode + * @dev_set_bittiming: used for can.do_set_bittiming ++ * @dev_get_busparams: readback arbitration busparams + * @dev_set_data_bittiming: used for can.do_set_data_bittiming ++ * @dev_get_data_busparams: readback data busparams + * @dev_get_berr_counter: used for can.do_get_berr_counter + * + * @dev_setup_endpoints: setup USB in and out endpoints +@@ -153,8 +158,12 @@ struct kvaser_usb_net_priv { + */ + struct kvaser_usb_dev_ops { + int (*dev_set_mode)(struct net_device *netdev, enum can_mode mode); +- int (*dev_set_bittiming)(struct net_device *netdev); +- int (*dev_set_data_bittiming)(struct net_device *netdev); ++ int (*dev_set_bittiming)(const struct net_device *netdev, ++ const struct kvaser_usb_busparams *busparams); ++ int (*dev_get_busparams)(struct kvaser_usb_net_priv *priv); ++ int (*dev_set_data_bittiming)(const struct net_device *netdev, ++ const struct kvaser_usb_busparams *busparams); ++ int (*dev_get_data_busparams)(struct kvaser_usb_net_priv *priv); + int (*dev_get_berr_counter)(const struct net_device *netdev, + struct can_berr_counter *bec); + int (*dev_setup_endpoints)(struct kvaser_usb *dev); +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c +index 2c816d8929da..1f015b496a47 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c +@@ -416,10 +416,6 @@ static int kvaser_usb_open(struct net_device *netdev) + if (err) + return err; + +- err = kvaser_usb_setup_rx_urbs(dev); +- if (err) +- goto error; +- + err = ops->dev_set_opt_mode(priv); + if (err) + 
goto error; +@@ -510,6 +506,93 @@ static int kvaser_usb_close(struct net_device *netdev) + return 0; + } + ++static int kvaser_usb_set_bittiming(struct net_device *netdev) ++{ ++ struct kvaser_usb_net_priv *priv = netdev_priv(netdev); ++ struct kvaser_usb *dev = priv->dev; ++ const struct kvaser_usb_dev_ops *ops = dev->driver_info->ops; ++ struct can_bittiming *bt = &priv->can.bittiming; ++ ++ struct kvaser_usb_busparams busparams; ++ int tseg1 = bt->prop_seg + bt->phase_seg1; ++ int tseg2 = bt->phase_seg2; ++ int sjw = bt->sjw; ++ int err = -EOPNOTSUPP; ++ ++ busparams.bitrate = cpu_to_le32(bt->bitrate); ++ busparams.sjw = (u8)sjw; ++ busparams.tseg1 = (u8)tseg1; ++ busparams.tseg2 = (u8)tseg2; ++ if (priv->can.ctrlmode & CAN_CTRLMODE_3_SAMPLES) ++ busparams.nsamples = 3; ++ else ++ busparams.nsamples = 1; ++ ++ err = ops->dev_set_bittiming(netdev, &busparams); ++ if (err) ++ return err; ++ ++ err = kvaser_usb_setup_rx_urbs(priv->dev); ++ if (err) ++ return err; ++ ++ err = ops->dev_get_busparams(priv); ++ if (err) { ++ /* Treat EOPNOTSUPP as success */ ++ if (err == -EOPNOTSUPP) ++ err = 0; ++ return err; ++ } ++ ++ if (memcmp(&busparams, &priv->busparams_nominal, ++ sizeof(priv->busparams_nominal)) != 0) ++ err = -EINVAL; ++ ++ return err; ++} ++ ++static int kvaser_usb_set_data_bittiming(struct net_device *netdev) ++{ ++ struct kvaser_usb_net_priv *priv = netdev_priv(netdev); ++ struct kvaser_usb *dev = priv->dev; ++ const struct kvaser_usb_dev_ops *ops = dev->driver_info->ops; ++ struct can_bittiming *dbt = &priv->can.data_bittiming; ++ ++ struct kvaser_usb_busparams busparams; ++ int tseg1 = dbt->prop_seg + dbt->phase_seg1; ++ int tseg2 = dbt->phase_seg2; ++ int sjw = dbt->sjw; ++ int err; ++ ++ if (!ops->dev_set_data_bittiming || ++ !ops->dev_get_data_busparams) ++ return -EOPNOTSUPP; ++ ++ busparams.bitrate = cpu_to_le32(dbt->bitrate); ++ busparams.sjw = (u8)sjw; ++ busparams.tseg1 = (u8)tseg1; ++ busparams.tseg2 = (u8)tseg2; ++ busparams.nsamples = 1; ++ 
++ err = ops->dev_set_data_bittiming(netdev, &busparams); ++ if (err) ++ return err; ++ ++ err = kvaser_usb_setup_rx_urbs(priv->dev); ++ if (err) ++ return err; ++ ++ err = ops->dev_get_data_busparams(priv); ++ if (err) ++ return err; ++ ++ if (memcmp(&busparams, &priv->busparams_data, ++ sizeof(priv->busparams_data)) != 0) ++ err = -EINVAL; ++ ++ return err; ++} ++ + static void kvaser_usb_write_bulk_callback(struct urb *urb) + { + struct kvaser_usb_tx_urb_context *context = urb->context; +@@ -695,6 +778,7 @@ static int kvaser_usb_init_one(struct kvaser_usb *dev, int channel) + init_completion(&priv->start_comp); + init_completion(&priv->stop_comp); + init_completion(&priv->flush_comp); ++ init_completion(&priv->get_busparams_comp); + priv->can.ctrlmode_supported = 0; + + priv->dev = dev; +@@ -707,7 +791,7 @@ static int kvaser_usb_init_one(struct kvaser_usb *dev, int channel) + priv->can.state = CAN_STATE_STOPPED; + priv->can.clock.freq = dev->cfg->clock.freq; + priv->can.bittiming_const = dev->cfg->bittiming_const; +- priv->can.do_set_bittiming = ops->dev_set_bittiming; ++ priv->can.do_set_bittiming = kvaser_usb_set_bittiming; + priv->can.do_set_mode = ops->dev_set_mode; + if ((driver_info->quirks & KVASER_USB_QUIRK_HAS_TXRX_ERRORS) || + (priv->dev->card_data.capabilities & KVASER_USB_CAP_BERR_CAP)) +@@ -719,7 +803,7 @@ static int kvaser_usb_init_one(struct kvaser_usb *dev, int channel) + + if (priv->can.ctrlmode_supported & CAN_CTRLMODE_FD) { + priv->can.data_bittiming_const = dev->cfg->data_bittiming_const; +- priv->can.do_set_data_bittiming = ops->dev_set_data_bittiming; ++ priv->can.do_set_data_bittiming = kvaser_usb_set_data_bittiming; + } + + netdev->flags |= IFF_ECHO; +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c +index 72c37dc50b6b..2764fdd7e84b 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c +@@ -43,6 +43,8 @@ 
static const struct kvaser_usb_dev_cfg kvaser_usb_hydra_dev_cfg_flexc; + + /* Minihydra command IDs */ + #define CMD_SET_BUSPARAMS_REQ 16 ++#define CMD_GET_BUSPARAMS_REQ 17 ++#define CMD_GET_BUSPARAMS_RESP 18 + #define CMD_GET_CHIP_STATE_REQ 19 + #define CMD_CHIP_STATE_EVENT 20 + #define CMD_SET_DRIVERMODE_REQ 21 +@@ -193,13 +195,26 @@ struct kvaser_cmd_chip_state_event { + #define KVASER_USB_HYDRA_BUS_MODE_CANFD_ISO 0x01 + #define KVASER_USB_HYDRA_BUS_MODE_NONISO 0x02 + struct kvaser_cmd_set_busparams { +- struct kvaser_usb_busparams busparams_arb; ++ struct kvaser_usb_busparams busparams_nominal; + u8 reserved0[4]; + struct kvaser_usb_busparams busparams_data; + u8 canfd_mode; + u8 reserved1[7]; + } __packed; + ++/* Busparam type */ ++#define KVASER_USB_HYDRA_BUSPARAM_TYPE_CAN 0x00 ++#define KVASER_USB_HYDRA_BUSPARAM_TYPE_CANFD 0x01 ++struct kvaser_cmd_get_busparams_req { ++ u8 type; ++ u8 reserved[27]; ++} __packed; ++ ++struct kvaser_cmd_get_busparams_res { ++ struct kvaser_usb_busparams busparams; ++ u8 reserved[20]; ++} __packed; ++ + /* Ctrl modes */ + #define KVASER_USB_HYDRA_CTRLMODE_NORMAL 0x01 + #define KVASER_USB_HYDRA_CTRLMODE_LISTEN 0x02 +@@ -270,6 +285,8 @@ struct kvaser_cmd { + struct kvaser_cmd_error_event error_event; + + struct kvaser_cmd_set_busparams set_busparams_req; ++ struct kvaser_cmd_get_busparams_req get_busparams_req; ++ struct kvaser_cmd_get_busparams_res get_busparams_res; + + struct kvaser_cmd_chip_state_event chip_state_event; + +@@ -352,6 +369,10 @@ struct kvaser_cmd_ext { + } __packed; + } __packed; + ++struct kvaser_usb_net_hydra_priv { ++ int pending_get_busparams_type; ++}; ++ + static const struct can_bittiming_const kvaser_usb_hydra_kcan_bittiming_c = { + .name = "kvaser_usb_kcan", + .tseg1_min = 1, +@@ -805,6 +826,39 @@ static void kvaser_usb_hydra_flush_queue_reply(const struct kvaser_usb *dev, + complete(&priv->flush_comp); + } + ++static void kvaser_usb_hydra_get_busparams_reply(const struct kvaser_usb *dev, ++ const 
struct kvaser_cmd *cmd) ++{ ++ struct kvaser_usb_net_priv *priv; ++ struct kvaser_usb_net_hydra_priv *hydra; ++ ++ priv = kvaser_usb_hydra_net_priv_from_cmd(dev, cmd); ++ if (!priv) ++ return; ++ ++ hydra = priv->sub_priv; ++ if (!hydra) ++ return; ++ ++ switch (hydra->pending_get_busparams_type) { ++ case KVASER_USB_HYDRA_BUSPARAM_TYPE_CAN: ++ memcpy(&priv->busparams_nominal, &cmd->get_busparams_res.busparams, ++ sizeof(priv->busparams_nominal)); ++ break; ++ case KVASER_USB_HYDRA_BUSPARAM_TYPE_CANFD: ++ memcpy(&priv->busparams_data, &cmd->get_busparams_res.busparams, ++ sizeof(priv->busparams_nominal)); ++ break; ++ default: ++ dev_warn(&dev->intf->dev, "Unknown get_busparams_type %d\n", ++ hydra->pending_get_busparams_type); ++ break; ++ } ++ hydra->pending_get_busparams_type = -1; ++ ++ complete(&priv->get_busparams_comp); ++} ++ + static void + kvaser_usb_hydra_bus_status_to_can_state(const struct kvaser_usb_net_priv *priv, + u8 bus_status, +@@ -1291,6 +1345,10 @@ static void kvaser_usb_hydra_handle_cmd_std(const struct kvaser_usb *dev, + kvaser_usb_hydra_state_event(dev, cmd); + break; + ++ case CMD_GET_BUSPARAMS_RESP: ++ kvaser_usb_hydra_get_busparams_reply(dev, cmd); ++ break; ++ + case CMD_ERROR_EVENT: + kvaser_usb_hydra_error_event(dev, cmd); + break; +@@ -1491,15 +1549,58 @@ static int kvaser_usb_hydra_set_mode(struct net_device *netdev, + return err; + } + +-static int kvaser_usb_hydra_set_bittiming(struct net_device *netdev) ++static int kvaser_usb_hydra_get_busparams(struct kvaser_usb_net_priv *priv, ++ int busparams_type) ++{ ++ struct kvaser_usb *dev = priv->dev; ++ struct kvaser_usb_net_hydra_priv *hydra = priv->sub_priv; ++ struct kvaser_cmd *cmd; ++ int err; ++ ++ if (!hydra) ++ return -EINVAL; ++ ++ cmd = kcalloc(1, sizeof(struct kvaser_cmd), GFP_KERNEL); ++ if (!cmd) ++ return -ENOMEM; ++ ++ cmd->header.cmd_no = CMD_GET_BUSPARAMS_REQ; ++ kvaser_usb_hydra_set_cmd_dest_he ++ (cmd, dev->card_data.hydra.channel_to_he[priv->channel]); ++ 
kvaser_usb_hydra_set_cmd_transid ++ (cmd, kvaser_usb_hydra_get_next_transid(dev)); ++ cmd->get_busparams_req.type = busparams_type; ++ hydra->pending_get_busparams_type = busparams_type; ++ ++ reinit_completion(&priv->get_busparams_comp); ++ ++ err = kvaser_usb_send_cmd(dev, cmd, kvaser_usb_hydra_cmd_size(cmd)); ++ if (err) ++ return err; ++ ++ if (!wait_for_completion_timeout(&priv->get_busparams_comp, ++ msecs_to_jiffies(KVASER_USB_TIMEOUT))) ++ return -ETIMEDOUT; ++ ++ return err; ++} ++ ++static int kvaser_usb_hydra_get_nominal_busparams(struct kvaser_usb_net_priv *priv) ++{ ++ return kvaser_usb_hydra_get_busparams(priv, KVASER_USB_HYDRA_BUSPARAM_TYPE_CAN); ++} ++ ++static int kvaser_usb_hydra_get_data_busparams(struct kvaser_usb_net_priv *priv) ++{ ++ return kvaser_usb_hydra_get_busparams(priv, KVASER_USB_HYDRA_BUSPARAM_TYPE_CANFD); ++} ++ ++static int kvaser_usb_hydra_set_bittiming(const struct net_device *netdev, ++ const struct kvaser_usb_busparams *busparams) + { + struct kvaser_cmd *cmd; + struct kvaser_usb_net_priv *priv = netdev_priv(netdev); +- struct can_bittiming *bt = &priv->can.bittiming; + struct kvaser_usb *dev = priv->dev; +- int tseg1 = bt->prop_seg + bt->phase_seg1; +- int tseg2 = bt->phase_seg2; +- int sjw = bt->sjw; + int err; + + cmd = kcalloc(1, sizeof(struct kvaser_cmd), GFP_KERNEL); +@@ -1507,11 +1608,8 @@ static int kvaser_usb_hydra_set_bittiming(struct net_device *netdev) + return -ENOMEM; + + cmd->header.cmd_no = CMD_SET_BUSPARAMS_REQ; +- cmd->set_busparams_req.busparams_arb.bitrate = cpu_to_le32(bt->bitrate); +- cmd->set_busparams_req.busparams_arb.sjw = (u8)sjw; +- cmd->set_busparams_req.busparams_arb.tseg1 = (u8)tseg1; +- cmd->set_busparams_req.busparams_arb.tseg2 = (u8)tseg2; +- cmd->set_busparams_req.busparams_arb.nsamples = 1; ++ memcpy(&cmd->set_busparams_req.busparams_nominal, busparams, ++ sizeof(cmd->set_busparams_req.busparams_nominal)); + + kvaser_usb_hydra_set_cmd_dest_he + (cmd, 
dev->card_data.hydra.channel_to_he[priv->channel]); +@@ -1525,15 +1623,12 @@ static int kvaser_usb_hydra_set_bittiming(struct net_device *netdev) + return err; + } + +-static int kvaser_usb_hydra_set_data_bittiming(struct net_device *netdev) ++static int kvaser_usb_hydra_set_data_bittiming(const struct net_device *netdev, ++ const struct kvaser_usb_busparams *busparams) + { + struct kvaser_cmd *cmd; + struct kvaser_usb_net_priv *priv = netdev_priv(netdev); +- struct can_bittiming *dbt = &priv->can.data_bittiming; + struct kvaser_usb *dev = priv->dev; +- int tseg1 = dbt->prop_seg + dbt->phase_seg1; +- int tseg2 = dbt->phase_seg2; +- int sjw = dbt->sjw; + int err; + + cmd = kcalloc(1, sizeof(struct kvaser_cmd), GFP_KERNEL); +@@ -1541,11 +1636,8 @@ static int kvaser_usb_hydra_set_data_bittiming(struct net_device *netdev) + return -ENOMEM; + + cmd->header.cmd_no = CMD_SET_BUSPARAMS_FD_REQ; +- cmd->set_busparams_req.busparams_data.bitrate = cpu_to_le32(dbt->bitrate); +- cmd->set_busparams_req.busparams_data.sjw = (u8)sjw; +- cmd->set_busparams_req.busparams_data.tseg1 = (u8)tseg1; +- cmd->set_busparams_req.busparams_data.tseg2 = (u8)tseg2; +- cmd->set_busparams_req.busparams_data.nsamples = 1; ++ memcpy(&cmd->set_busparams_req.busparams_data, busparams, ++ sizeof(cmd->set_busparams_req.busparams_data)); + + if (priv->can.ctrlmode & CAN_CTRLMODE_FD) { + if (priv->can.ctrlmode & CAN_CTRLMODE_FD_NON_ISO) +@@ -1652,6 +1744,19 @@ static int kvaser_usb_hydra_init_card(struct kvaser_usb *dev) + return 0; + } + ++static int kvaser_usb_hydra_init_channel(struct kvaser_usb_net_priv *priv) ++{ ++ struct kvaser_usb_net_hydra_priv *hydra; ++ ++ hydra = devm_kzalloc(&priv->dev->intf->dev, sizeof(*hydra), GFP_KERNEL); ++ if (!hydra) ++ return -ENOMEM; ++ ++ priv->sub_priv = hydra; ++ ++ return 0; ++} ++ + static int kvaser_usb_hydra_get_software_info(struct kvaser_usb *dev) + { + struct kvaser_cmd cmd; +@@ -1994,10 +2099,13 @@ kvaser_usb_hydra_frame_to_cmd(const struct 
kvaser_usb_net_priv *priv, + const struct kvaser_usb_dev_ops kvaser_usb_hydra_dev_ops = { + .dev_set_mode = kvaser_usb_hydra_set_mode, + .dev_set_bittiming = kvaser_usb_hydra_set_bittiming, ++ .dev_get_busparams = kvaser_usb_hydra_get_nominal_busparams, + .dev_set_data_bittiming = kvaser_usb_hydra_set_data_bittiming, ++ .dev_get_data_busparams = kvaser_usb_hydra_get_data_busparams, + .dev_get_berr_counter = kvaser_usb_hydra_get_berr_counter, + .dev_setup_endpoints = kvaser_usb_hydra_setup_endpoints, + .dev_init_card = kvaser_usb_hydra_init_card, ++ .dev_init_channel = kvaser_usb_hydra_init_channel, + .dev_get_software_info = kvaser_usb_hydra_get_software_info, + .dev_get_software_details = kvaser_usb_hydra_get_software_details, + .dev_get_card_info = kvaser_usb_hydra_get_card_info, +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +index 1e2f727a1efb..f06d63db9077 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +@@ -56,6 +56,8 @@ + #define CMD_RX_EXT_MESSAGE 14 + #define CMD_TX_EXT_MESSAGE 15 + #define CMD_SET_BUS_PARAMS 16 ++#define CMD_GET_BUS_PARAMS 17 ++#define CMD_GET_BUS_PARAMS_REPLY 18 + #define CMD_GET_CHIP_STATE 19 + #define CMD_CHIP_STATE_EVENT 20 + #define CMD_SET_CTRL_MODE 21 +@@ -375,6 +377,7 @@ static const u8 kvaser_usb_leaf_cmd_sizes_leaf[] = { + [CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.leaf.chip_state_event), + [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.leaf.can_error_event), + [CMD_GET_CAPABILITIES_RESP] = kvaser_fsize(u.leaf.cap_res), ++ [CMD_GET_BUS_PARAMS_REPLY] = kvaser_fsize(u.busparams), + [CMD_ERROR_EVENT] = kvaser_fsize(u.leaf.error_event), + /* ignored events: */ + [CMD_FLUSH_QUEUE_REPLY] = CMD_SIZE_ANY, +@@ -1467,6 +1470,25 @@ static void kvaser_usb_leaf_stop_chip_reply(const struct kvaser_usb *dev, + complete(&priv->stop_comp); + } + ++static void kvaser_usb_leaf_get_busparams_reply(const struct kvaser_usb 
*dev, ++ const struct kvaser_cmd *cmd) ++{ ++ struct kvaser_usb_net_priv *priv; ++ u8 channel = cmd->u.busparams.channel; ++ ++ if (channel >= dev->nchannels) { ++ dev_err(&dev->intf->dev, ++ "Invalid channel number (%d)\n", channel); ++ return; ++ } ++ ++ priv = dev->nets[channel]; ++ memcpy(&priv->busparams_nominal, &cmd->u.busparams.busparams, ++ sizeof(priv->busparams_nominal)); ++ ++ complete(&priv->get_busparams_comp); ++} ++ + static void kvaser_usb_leaf_handle_command(const struct kvaser_usb *dev, + const struct kvaser_cmd *cmd) + { +@@ -1509,6 +1531,10 @@ static void kvaser_usb_leaf_handle_command(const struct kvaser_usb *dev, + kvaser_usb_leaf_error_event(dev, cmd); + break; + ++ case CMD_GET_BUS_PARAMS_REPLY: ++ kvaser_usb_leaf_get_busparams_reply(dev, cmd); ++ break; ++ + /* Ignored commands */ + case CMD_USBCAN_CLOCK_OVERFLOW_EVENT: + if (dev->driver_info->family != KVASER_USBCAN) +@@ -1683,10 +1709,10 @@ static void kvaser_usb_leaf_remove_channel(struct kvaser_usb_net_priv *priv) + cancel_delayed_work_sync(&leaf->chip_state_req_work); + } + +-static int kvaser_usb_leaf_set_bittiming(struct net_device *netdev) ++static int kvaser_usb_leaf_set_bittiming(const struct net_device *netdev, ++ const struct kvaser_usb_busparams *busparams) + { + struct kvaser_usb_net_priv *priv = netdev_priv(netdev); +- struct can_bittiming *bt = &priv->can.bittiming; + struct kvaser_usb *dev = priv->dev; + struct kvaser_cmd *cmd; + int rc; +@@ -1699,15 +1725,8 @@ static int kvaser_usb_leaf_set_bittiming(struct net_device *netdev) + cmd->len = CMD_HEADER_LEN + sizeof(struct kvaser_cmd_busparams); + cmd->u.busparams.channel = priv->channel; + cmd->u.busparams.tid = 0xff; +- cmd->u.busparams.busparams.bitrate = cpu_to_le32(bt->bitrate); +- cmd->u.busparams.busparams.sjw = bt->sjw; +- cmd->u.busparams.busparams.tseg1 = bt->prop_seg + bt->phase_seg1; +- cmd->u.busparams.busparams.tseg2 = bt->phase_seg2; +- +- if (priv->can.ctrlmode & CAN_CTRLMODE_3_SAMPLES) +- 
cmd->u.busparams.busparams.nsamples = 3; +- else +- cmd->u.busparams.busparams.nsamples = 1; ++ memcpy(&cmd->u.busparams.busparams, busparams, ++ sizeof(cmd->u.busparams.busparams)); + + rc = kvaser_usb_send_cmd(dev, cmd, cmd->len); + +@@ -1715,6 +1734,27 @@ static int kvaser_usb_leaf_set_bittiming(struct net_device *netdev) + return rc; + } + ++static int kvaser_usb_leaf_get_busparams(struct kvaser_usb_net_priv *priv) ++{ ++ int err; ++ ++ if (priv->dev->driver_info->family == KVASER_USBCAN) ++ return -EOPNOTSUPP; ++ ++ reinit_completion(&priv->get_busparams_comp); ++ ++ err = kvaser_usb_leaf_send_simple_cmd(priv->dev, CMD_GET_BUS_PARAMS, ++ priv->channel); ++ if (err) ++ return err; ++ ++ if (!wait_for_completion_timeout(&priv->get_busparams_comp, ++ msecs_to_jiffies(KVASER_USB_TIMEOUT))) ++ return -ETIMEDOUT; ++ ++ return 0; ++} ++ + static int kvaser_usb_leaf_set_mode(struct net_device *netdev, + enum can_mode mode) + { +@@ -1776,7 +1816,9 @@ static int kvaser_usb_leaf_setup_endpoints(struct kvaser_usb *dev) + const struct kvaser_usb_dev_ops kvaser_usb_leaf_dev_ops = { + .dev_set_mode = kvaser_usb_leaf_set_mode, + .dev_set_bittiming = kvaser_usb_leaf_set_bittiming, ++ .dev_get_busparams = kvaser_usb_leaf_get_busparams, + .dev_set_data_bittiming = NULL, ++ .dev_get_data_busparams = NULL, + .dev_get_berr_counter = kvaser_usb_leaf_get_berr_counter, + .dev_setup_endpoints = kvaser_usb_leaf_setup_endpoints, + .dev_init_card = kvaser_usb_leaf_init_card, +-- +2.35.1 + diff --git a/queue-5.4/can-kvaser_usb-do-not-increase-tx-statistics-when-se.patch b/queue-5.4/can-kvaser_usb-do-not-increase-tx-statistics-when-se.patch new file mode 100644 index 00000000000..dfd9ee9bb76 --- /dev/null +++ b/queue-5.4/can-kvaser_usb-do-not-increase-tx-statistics-when-se.patch 
@@ -0,0 +1,76 @@ +From 661869308a73293bd4618f430c89eff3440a569f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Dec 2021 21:15:28 +0900 +Subject: can: kvaser_usb: do not increase tx statistics when sending error + message frames + +From: Vincent Mailhol + +[ Upstream commit 0b0ce2c67795672115ac6ca28351a78799cd114b ] + +The CAN error message frames (i.e. error skb) are an interface +specific to socket CAN. The payload of the CAN error message frames +does not correspond to any actual data sent on the wire. Only an error +flag and a delimiter are transmitted when an error occurs (c.f. ISO +11898-1 section 10.4.4.2 "Error flag"). + +For this reason, it makes no sense to increment the tx_packets and +tx_bytes fields of struct net_device_stats when sending an error +message frame because no actual payload will be transmitted on the +wire. + +N.B. Sending error message frames is a very specific feature which, at +the moment, is only supported by the Kvaser Hydra hardware. Please +refer to [1] for more details on the topic. 
+ +[1] https://lore.kernel.org/linux-can/CAMZ6RqK0rTNg3u3mBpZOoY51jLZ-et-J01tY6-+mWsM4meVw-A@mail.gmail.com/t/#u + +Link: https://lore.kernel.org/all/20211207121531.42941-3-mailhol.vincent@wanadoo.fr +Co-developed-by: Jimmy Assarsson +Signed-off-by: Jimmy Assarsson +Signed-off-by: Vincent Mailhol +Signed-off-by: Marc Kleine-Budde +Stable-dep-of: 35364f5b41a4 ("can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device") +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c +index 45d278724883..9588efbfae71 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c +@@ -293,6 +293,7 @@ struct kvaser_cmd { + #define KVASER_USB_HYDRA_CF_FLAG_OVERRUN BIT(1) + #define KVASER_USB_HYDRA_CF_FLAG_REMOTE_FRAME BIT(4) + #define KVASER_USB_HYDRA_CF_FLAG_EXTENDED_ID BIT(5) ++#define KVASER_USB_HYDRA_CF_FLAG_TX_ACK BIT(6) + /* CAN frame flags. 
Used in ext_rx_can and ext_tx_can */ + #define KVASER_USB_HYDRA_CF_FLAG_OSM_NACK BIT(12) + #define KVASER_USB_HYDRA_CF_FLAG_ABL BIT(13) +@@ -1099,6 +1100,7 @@ static void kvaser_usb_hydra_tx_acknowledge(const struct kvaser_usb *dev, + struct kvaser_usb_net_priv *priv; + unsigned long irq_flags; + bool one_shot_fail = false; ++ bool is_err_frame = false; + u16 transid = kvaser_usb_hydra_get_cmd_transid(cmd); + + priv = kvaser_usb_hydra_net_priv_from_cmd(dev, cmd); +@@ -1117,10 +1119,13 @@ static void kvaser_usb_hydra_tx_acknowledge(const struct kvaser_usb *dev, + kvaser_usb_hydra_one_shot_fail(priv, cmd_ext); + one_shot_fail = true; + } ++ ++ is_err_frame = flags & KVASER_USB_HYDRA_CF_FLAG_TX_ACK && ++ flags & KVASER_USB_HYDRA_CF_FLAG_ERROR_FRAME; + } + + context = &priv->tx_contexts[transid % dev->max_tx_urbs]; +- if (!one_shot_fail) { ++ if (!one_shot_fail && !is_err_frame) { + struct net_device_stats *stats = &priv->netdev->stats; + + stats->tx_packets++; +-- +2.35.1 + diff --git a/queue-5.4/can-kvaser_usb-kvaser_usb_leaf-get-capabilities-from.patch b/queue-5.4/can-kvaser_usb-kvaser_usb_leaf-get-capabilities-from.patch new file mode 100644 index 00000000000..c48572e9c18 --- /dev/null +++ b/queue-5.4/can-kvaser_usb-kvaser_usb_leaf-get-capabilities-from.patch 
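Review bot: In kvaser_usb_hydra_tx_acknowledge() (kvaser_usb_hydra.c, in the patch that ends just above), is_err_frame is assigned only inside the block that reads flags, so an acknowledgement that skips that block leaves it false and tx_packets is still incremented. Please add a comment stating that error frames can only be acknowledged through that path, or move the test out of the block. The expression `flags & KVASER_USB_HYDRA_CF_FLAG_TX_ACK && flags & KVASER_USB_HYDRA_CF_FLAG_ERROR_FRAME` relies on & binding tighter than &&; it is correct, but reads better with each mask test parenthesised.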
@@ -0,0 +1,231 @@ +From 68bbb2b87f965dd94827672759e872bbd597647c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Oct 2022 20:52:28 +0200 +Subject: can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device + +From: Jimmy Assarsson + +[ Upstream commit 35364f5b41a4917fe94a3f393d149b63ec583297 ] + +Use the CMD_GET_CAPABILITIES_REQ command to query the device for certain +capabilities. We are only interested in LISTENONLY mode and wither the +device reports CAN error counters. + +Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") +Reported-by: Anssi Hannula +Tested-by: Anssi Hannula +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/all/20221010185237.319219-3-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + .../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 144 +++++++++++++++++- + 1 file changed, 143 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +index 15380cc08ee6..26f32828f905 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +@@ -73,6 +73,8 @@ + #define CMD_TX_ACKNOWLEDGE 50 + #define CMD_CAN_ERROR_EVENT 51 + #define CMD_FLUSH_QUEUE_REPLY 68 ++#define CMD_GET_CAPABILITIES_REQ 95 ++#define CMD_GET_CAPABILITIES_RESP 96 + + #define CMD_LEAF_LOG_MESSAGE 106 + +@@ -82,6 +84,8 @@ + #define KVASER_USB_LEAF_SWOPTION_FREQ_32_MHZ_CLK BIT(5) + #define KVASER_USB_LEAF_SWOPTION_FREQ_24_MHZ_CLK BIT(6) + ++#define KVASER_USB_LEAF_SWOPTION_EXT_CAP BIT(12) ++ + /* error factors */ + #define M16C_EF_ACKE BIT(0) + #define M16C_EF_CRCE BIT(1) +@@ -277,6 +281,28 @@ struct leaf_cmd_log_message { + u8 data[8]; + } __packed; + ++/* Sub commands for cap_req and cap_res */ ++#define KVASER_USB_LEAF_CAP_CMD_LISTEN_MODE 0x02 ++#define KVASER_USB_LEAF_CAP_CMD_ERR_REPORT 0x05 ++struct kvaser_cmd_cap_req { ++ __le16 padding0; ++ __le16 
cap_cmd; ++ __le16 padding1; ++ __le16 channel; ++} __packed; ++ ++/* Status codes for cap_res */ ++#define KVASER_USB_LEAF_CAP_STAT_OK 0x00 ++#define KVASER_USB_LEAF_CAP_STAT_NOT_IMPL 0x01 ++#define KVASER_USB_LEAF_CAP_STAT_UNAVAIL 0x02 ++struct kvaser_cmd_cap_res { ++ __le16 padding; ++ __le16 cap_cmd; ++ __le16 status; ++ __le32 mask; ++ __le32 value; ++} __packed; ++ + struct kvaser_cmd { + u8 len; + u8 id; +@@ -294,6 +320,8 @@ struct kvaser_cmd { + struct leaf_cmd_chip_state_event chip_state_event; + struct leaf_cmd_error_event error_event; + struct leaf_cmd_log_message log_message; ++ struct kvaser_cmd_cap_req cap_req; ++ struct kvaser_cmd_cap_res cap_res; + } __packed leaf; + + union { +@@ -323,6 +351,7 @@ static const u8 kvaser_usb_leaf_cmd_sizes_leaf[] = { + [CMD_LEAF_LOG_MESSAGE] = kvaser_fsize(u.leaf.log_message), + [CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.leaf.chip_state_event), + [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.leaf.error_event), ++ [CMD_GET_CAPABILITIES_RESP] = kvaser_fsize(u.leaf.cap_res), + /* ignored events: */ + [CMD_FLUSH_QUEUE_REPLY] = CMD_SIZE_ANY, + }; +@@ -607,6 +636,9 @@ static void kvaser_usb_leaf_get_software_info_leaf(struct kvaser_usb *dev, + dev->fw_version = le32_to_cpu(softinfo->fw_version); + dev->max_tx_urbs = le16_to_cpu(softinfo->max_outstanding_tx); + ++ if (sw_options & KVASER_USB_LEAF_SWOPTION_EXT_CAP) ++ dev->card_data.capabilities |= KVASER_USB_CAP_EXT_CAP; ++ + if (dev->driver_info->quirks & KVASER_USB_QUIRK_IGNORE_CLK_FREQ) { + /* Firmware expects bittiming parameters calculated for 16MHz + * clock, regardless of the actual clock +@@ -694,6 +726,116 @@ static int kvaser_usb_leaf_get_card_info(struct kvaser_usb *dev) + return 0; + } + ++static int kvaser_usb_leaf_get_single_capability(struct kvaser_usb *dev, ++ u16 cap_cmd_req, u16 *status) ++{ ++ struct kvaser_usb_dev_card_data *card_data = &dev->card_data; ++ struct kvaser_cmd *cmd; ++ u32 value = 0; ++ u32 mask = 0; ++ u16 cap_cmd_res; ++ int err; ++ int i; ++ ++ 
cmd = kzalloc(sizeof(*cmd), GFP_KERNEL); ++ if (!cmd) ++ return -ENOMEM; ++ ++ cmd->id = CMD_GET_CAPABILITIES_REQ; ++ cmd->u.leaf.cap_req.cap_cmd = cpu_to_le16(cap_cmd_req); ++ cmd->len = CMD_HEADER_LEN + sizeof(struct kvaser_cmd_cap_req); ++ ++ err = kvaser_usb_send_cmd(dev, cmd, cmd->len); ++ if (err) ++ goto end; ++ ++ err = kvaser_usb_leaf_wait_cmd(dev, CMD_GET_CAPABILITIES_RESP, cmd); ++ if (err) ++ goto end; ++ ++ *status = le16_to_cpu(cmd->u.leaf.cap_res.status); ++ ++ if (*status != KVASER_USB_LEAF_CAP_STAT_OK) ++ goto end; ++ ++ cap_cmd_res = le16_to_cpu(cmd->u.leaf.cap_res.cap_cmd); ++ switch (cap_cmd_res) { ++ case KVASER_USB_LEAF_CAP_CMD_LISTEN_MODE: ++ case KVASER_USB_LEAF_CAP_CMD_ERR_REPORT: ++ value = le32_to_cpu(cmd->u.leaf.cap_res.value); ++ mask = le32_to_cpu(cmd->u.leaf.cap_res.mask); ++ break; ++ default: ++ dev_warn(&dev->intf->dev, "Unknown capability command %u\n", ++ cap_cmd_res); ++ break; ++ } ++ ++ for (i = 0; i < dev->nchannels; i++) { ++ if (BIT(i) & (value & mask)) { ++ switch (cap_cmd_res) { ++ case KVASER_USB_LEAF_CAP_CMD_LISTEN_MODE: ++ card_data->ctrlmode_supported |= ++ CAN_CTRLMODE_LISTENONLY; ++ break; ++ case KVASER_USB_LEAF_CAP_CMD_ERR_REPORT: ++ card_data->capabilities |= ++ KVASER_USB_CAP_BERR_CAP; ++ break; ++ } ++ } ++ } ++ ++end: ++ kfree(cmd); ++ ++ return err; ++} ++ ++static int kvaser_usb_leaf_get_capabilities_leaf(struct kvaser_usb *dev) ++{ ++ int err; ++ u16 status; ++ ++ if (!(dev->card_data.capabilities & KVASER_USB_CAP_EXT_CAP)) { ++ dev_info(&dev->intf->dev, ++ "No extended capability support. 
Upgrade device firmware.\n"); ++ return 0; ++ } ++ ++ err = kvaser_usb_leaf_get_single_capability(dev, ++ KVASER_USB_LEAF_CAP_CMD_LISTEN_MODE, ++ &status); ++ if (err) ++ return err; ++ if (status) ++ dev_info(&dev->intf->dev, ++ "KVASER_USB_LEAF_CAP_CMD_LISTEN_MODE failed %u\n", ++ status); ++ ++ err = kvaser_usb_leaf_get_single_capability(dev, ++ KVASER_USB_LEAF_CAP_CMD_ERR_REPORT, ++ &status); ++ if (err) ++ return err; ++ if (status) ++ dev_info(&dev->intf->dev, ++ "KVASER_USB_LEAF_CAP_CMD_ERR_REPORT failed %u\n", ++ status); ++ ++ return 0; ++} ++ ++static int kvaser_usb_leaf_get_capabilities(struct kvaser_usb *dev) ++{ ++ int err = 0; ++ ++ if (dev->driver_info->family == KVASER_LEAF) ++ err = kvaser_usb_leaf_get_capabilities_leaf(dev); ++ ++ return err; ++} ++ + static void kvaser_usb_leaf_tx_acknowledge(const struct kvaser_usb *dev, + const struct kvaser_cmd *cmd) + { +@@ -1490,7 +1632,7 @@ const struct kvaser_usb_dev_ops kvaser_usb_leaf_dev_ops = { + .dev_get_software_info = kvaser_usb_leaf_get_software_info, + .dev_get_software_details = NULL, + .dev_get_card_info = kvaser_usb_leaf_get_card_info, +- .dev_get_capabilities = NULL, ++ .dev_get_capabilities = kvaser_usb_leaf_get_capabilities, + .dev_set_opt_mode = kvaser_usb_leaf_set_opt_mode, + .dev_start_chip = kvaser_usb_leaf_start_chip, + .dev_stop_chip = kvaser_usb_leaf_stop_chip, +-- +2.35.1 + diff --git a/queue-5.4/can-kvaser_usb-kvaser_usb_leaf-handle-cmd_error_even.patch b/queue-5.4/can-kvaser_usb-kvaser_usb_leaf-handle-cmd_error_even.patch new file mode 100644 index 00000000000..6a8c592f0f4 --- /dev/null +++ b/queue-5.4/can-kvaser_usb-kvaser_usb_leaf-handle-cmd_error_even.patch 
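Review bot: kvaser_usb_leaf_get_single_capability() (in the patch that ends just above) never compares cap_cmd_res from the device reply with cap_cmd_req, so a reply carrying the other known sub-command sets a flag the caller did not ask about, for example KVASER_USB_CAP_BERR_CAP while querying KVASER_USB_LEAF_CAP_CMD_LISTEN_MODE. Suggest rejecting the reply when `cap_cmd_res != cap_cmd_req`, and leaving the function from the default case of the first switch instead of continuing into the channel loop with value and mask at 0. A comment would also help on the loop: it sets the card-wide ctrlmode_supported and capabilities as soon as any one channel bit is set in value & mask.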
@@ -0,0 +1,186 @@ +From 36b9c9c9e18966f07cd4ad95a4eae8e83fe54d44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Oct 2022 20:52:30 +0200 +Subject: can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT + +From: Jimmy Assarsson + +[ Upstream commit b24cb2d169e0c9dce664a959e1f2aa9781285dc9 ] + +The device will send an error event command, to indicate certain errors. +This indicates a misbehaving driver, and should never occur. + +Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") +Tested-by: Anssi Hannula +Co-developed-by: Anssi Hannula +Signed-off-by: Anssi Hannula +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/all/20221010185237.319219-5-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + .../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 99 +++++++++++++++++++ + 1 file changed, 99 insertions(+) + +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +index 4f3d1150b2b2..3c3e78992b55 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +@@ -69,6 +69,7 @@ + #define CMD_GET_CARD_INFO_REPLY 35 + #define CMD_GET_SOFTWARE_INFO 38 + #define CMD_GET_SOFTWARE_INFO_REPLY 39 ++#define CMD_ERROR_EVENT 45 + #define CMD_FLUSH_QUEUE 48 + #define CMD_TX_ACKNOWLEDGE 50 + #define CMD_CAN_ERROR_EVENT 51 +@@ -257,6 +258,28 @@ struct usbcan_cmd_can_error_event { + __le16 time; + } __packed; + ++/* CMD_ERROR_EVENT error codes */ ++#define KVASER_USB_LEAF_ERROR_EVENT_TX_QUEUE_FULL 0x8 ++#define KVASER_USB_LEAF_ERROR_EVENT_PARAM 0x9 ++ ++struct leaf_cmd_error_event { ++ u8 tid; ++ u8 error_code; ++ __le16 timestamp[3]; ++ __le16 padding; ++ __le16 info1; ++ __le16 info2; ++} __packed; ++ ++struct usbcan_cmd_error_event { ++ u8 tid; ++ u8 error_code; ++ __le16 info1; ++ __le16 info2; ++ __le16 timestamp; ++ __le16 padding; ++} __packed; ++ + struct kvaser_cmd_ctrl_mode { + u8 
tid; + u8 channel; +@@ -320,6 +343,7 @@ struct kvaser_cmd { + struct leaf_cmd_chip_state_event chip_state_event; + struct leaf_cmd_can_error_event can_error_event; + struct leaf_cmd_log_message log_message; ++ struct leaf_cmd_error_event error_event; + struct kvaser_cmd_cap_req cap_req; + struct kvaser_cmd_cap_res cap_res; + } __packed leaf; +@@ -329,6 +353,7 @@ struct kvaser_cmd { + struct usbcan_cmd_rx_can rx_can; + struct usbcan_cmd_chip_state_event chip_state_event; + struct usbcan_cmd_can_error_event can_error_event; ++ struct usbcan_cmd_error_event error_event; + } __packed usbcan; + + struct kvaser_cmd_tx_can tx_can; +@@ -352,6 +377,7 @@ static const u8 kvaser_usb_leaf_cmd_sizes_leaf[] = { + [CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.leaf.chip_state_event), + [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.leaf.can_error_event), + [CMD_GET_CAPABILITIES_RESP] = kvaser_fsize(u.leaf.cap_res), ++ [CMD_ERROR_EVENT] = kvaser_fsize(u.leaf.error_event), + /* ignored events: */ + [CMD_FLUSH_QUEUE_REPLY] = CMD_SIZE_ANY, + }; +@@ -366,6 +392,7 @@ static const u8 kvaser_usb_leaf_cmd_sizes_usbcan[] = { + [CMD_RX_EXT_MESSAGE] = kvaser_fsize(u.usbcan.rx_can), + [CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.usbcan.chip_state_event), + [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.usbcan.can_error_event), ++ [CMD_ERROR_EVENT] = kvaser_fsize(u.usbcan.error_event), + /* ignored events: */ + [CMD_USBCAN_CLOCK_OVERFLOW_EVENT] = CMD_SIZE_ANY, + }; +@@ -1308,6 +1335,74 @@ static void kvaser_usb_leaf_rx_can_msg(const struct kvaser_usb *dev, + netif_rx(skb); + } + ++static void kvaser_usb_leaf_error_event_parameter(const struct kvaser_usb *dev, ++ const struct kvaser_cmd *cmd) ++{ ++ u16 info1 = 0; ++ ++ switch (dev->driver_info->family) { ++ case KVASER_LEAF: ++ info1 = le16_to_cpu(cmd->u.leaf.error_event.info1); ++ break; ++ case KVASER_USBCAN: ++ info1 = le16_to_cpu(cmd->u.usbcan.error_event.info1); ++ break; ++ } ++ ++ /* info1 will contain the offending cmd_no */ ++ switch (info1) { ++ case 
CMD_SET_CTRL_MODE: ++ dev_warn(&dev->intf->dev, ++ "CMD_SET_CTRL_MODE error in parameter\n"); ++ break; ++ ++ case CMD_SET_BUS_PARAMS: ++ dev_warn(&dev->intf->dev, ++ "CMD_SET_BUS_PARAMS error in parameter\n"); ++ break; ++ ++ default: ++ dev_warn(&dev->intf->dev, ++ "Unhandled parameter error event cmd_no (%u)\n", ++ info1); ++ break; ++ } ++} ++ ++static void kvaser_usb_leaf_error_event(const struct kvaser_usb *dev, ++ const struct kvaser_cmd *cmd) ++{ ++ u8 error_code = 0; ++ ++ switch (dev->driver_info->family) { ++ case KVASER_LEAF: ++ error_code = cmd->u.leaf.error_event.error_code; ++ break; ++ case KVASER_USBCAN: ++ error_code = cmd->u.usbcan.error_event.error_code; ++ break; ++ } ++ ++ switch (error_code) { ++ case KVASER_USB_LEAF_ERROR_EVENT_TX_QUEUE_FULL: ++ /* Received additional CAN message, when firmware TX queue is ++ * already full. Something is wrong with the driver. ++ * This should never happen! ++ */ ++ dev_err(&dev->intf->dev, ++ "Received error event TX_QUEUE_FULL\n"); ++ break; ++ case KVASER_USB_LEAF_ERROR_EVENT_PARAM: ++ kvaser_usb_leaf_error_event_parameter(dev, cmd); ++ break; ++ ++ default: ++ dev_warn(&dev->intf->dev, ++ "Unhandled error event (%d)\n", error_code); ++ break; ++ } ++} ++ + static void kvaser_usb_leaf_start_chip_reply(const struct kvaser_usb *dev, + const struct kvaser_cmd *cmd) + { +@@ -1386,6 +1481,10 @@ static void kvaser_usb_leaf_handle_command(const struct kvaser_usb *dev, + kvaser_usb_leaf_tx_acknowledge(dev, cmd); + break; + ++ case CMD_ERROR_EVENT: ++ kvaser_usb_leaf_error_event(dev, cmd); ++ break; ++ + /* Ignored commands */ + case CMD_USBCAN_CLOCK_OVERFLOW_EVENT: + if (dev->driver_info->family != KVASER_USBCAN) +-- +2.35.1 + diff --git a/queue-5.4/can-kvaser_usb-kvaser_usb_leaf-rename-leaf-usbcan-_c.patch b/queue-5.4/can-kvaser_usb-kvaser_usb_leaf-rename-leaf-usbcan-_c.patch new file mode 100644 index 00000000000..2a759e16cf7 --- /dev/null 
+++ b/queue-5.4/can-kvaser_usb-kvaser_usb_leaf-rename-leaf-usbcan-_c.patch 
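Review bot: kvaser_usb_leaf_error_event() and kvaser_usb_leaf_error_event_parameter() (in the CMD_ERROR_EVENT patch that ends just above) log with dev_err()/dev_warn() on every CMD_ERROR_EVENT, and both error_code and info1 come straight from the device, so a faulty or hostile adapter can flood the kernel log. Suggest the rate-limited variants, dev_err_ratelimited() and dev_warn_ratelimited(), for all five messages. The two switch statements on dev->driver_info->family have no default case; the zero initialisers of error_code and info1 keep that safe, but a default with a short comment would make the intent explicit.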
@@ -0,0 +1,136 @@ +From 1fd66e1f9a2637f92711da66fbd48409e808009f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Oct 2022 20:52:29 +0200 +Subject: can: kvaser_usb: kvaser_usb_leaf: Rename + {leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event + +From: Jimmy Assarsson + +[ Upstream commit 7ea56128dbf904a3359bcf9289cccdfa3c85c7e8 ] + +Prepare for handling CMD_ERROR_EVENT. Rename struct +{leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event. + +Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") +Reported-by: Anssi Hannula +Tested-by: Anssi Hannula +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/all/20221010185237.319219-4-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + .../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 38 +++++++++---------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +index 26f32828f905..4f3d1150b2b2 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +@@ -233,7 +233,7 @@ struct kvaser_cmd_tx_acknowledge_header { + u8 tid; + } __packed; + +-struct leaf_cmd_error_event { ++struct leaf_cmd_can_error_event { + u8 tid; + u8 flags; + __le16 time[3]; +@@ -245,7 +245,7 @@ struct leaf_cmd_error_event { + u8 error_factor; + } __packed; + +-struct usbcan_cmd_error_event { ++struct usbcan_cmd_can_error_event { + u8 tid; + u8 padding; + u8 tx_errors_count_ch0; +@@ -318,7 +318,7 @@ struct kvaser_cmd { + struct leaf_cmd_softinfo softinfo; + struct leaf_cmd_rx_can rx_can; + struct leaf_cmd_chip_state_event chip_state_event; +- struct leaf_cmd_error_event error_event; ++ struct leaf_cmd_can_error_event can_error_event; + struct leaf_cmd_log_message log_message; + struct kvaser_cmd_cap_req cap_req; + struct kvaser_cmd_cap_res cap_res; +@@ -328,7 +328,7 @@ struct 
kvaser_cmd { + struct usbcan_cmd_softinfo softinfo; + struct usbcan_cmd_rx_can rx_can; + struct usbcan_cmd_chip_state_event chip_state_event; +- struct usbcan_cmd_error_event error_event; ++ struct usbcan_cmd_can_error_event can_error_event; + } __packed usbcan; + + struct kvaser_cmd_tx_can tx_can; +@@ -350,7 +350,7 @@ static const u8 kvaser_usb_leaf_cmd_sizes_leaf[] = { + [CMD_RX_EXT_MESSAGE] = kvaser_fsize(u.leaf.rx_can), + [CMD_LEAF_LOG_MESSAGE] = kvaser_fsize(u.leaf.log_message), + [CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.leaf.chip_state_event), +- [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.leaf.error_event), ++ [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.leaf.can_error_event), + [CMD_GET_CAPABILITIES_RESP] = kvaser_fsize(u.leaf.cap_res), + /* ignored events: */ + [CMD_FLUSH_QUEUE_REPLY] = CMD_SIZE_ANY, +@@ -365,7 +365,7 @@ static const u8 kvaser_usb_leaf_cmd_sizes_usbcan[] = { + [CMD_RX_STD_MESSAGE] = kvaser_fsize(u.usbcan.rx_can), + [CMD_RX_EXT_MESSAGE] = kvaser_fsize(u.usbcan.rx_can), + [CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.usbcan.chip_state_event), +- [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.usbcan.error_event), ++ [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.usbcan.can_error_event), + /* ignored events: */ + [CMD_USBCAN_CLOCK_OVERFLOW_EVENT] = CMD_SIZE_ANY, + }; +@@ -1137,11 +1137,11 @@ static void kvaser_usb_leaf_usbcan_rx_error(const struct kvaser_usb *dev, + + case CMD_CAN_ERROR_EVENT: + es.channel = 0; +- es.status = cmd->u.usbcan.error_event.status_ch0; +- es.txerr = cmd->u.usbcan.error_event.tx_errors_count_ch0; +- es.rxerr = cmd->u.usbcan.error_event.rx_errors_count_ch0; ++ es.status = cmd->u.usbcan.can_error_event.status_ch0; ++ es.txerr = cmd->u.usbcan.can_error_event.tx_errors_count_ch0; ++ es.rxerr = cmd->u.usbcan.can_error_event.rx_errors_count_ch0; + es.usbcan.other_ch_status = +- cmd->u.usbcan.error_event.status_ch1; ++ cmd->u.usbcan.can_error_event.status_ch1; + kvaser_usb_leaf_usbcan_conditionally_rx_error(dev, &es); + + /* The USBCAN firmware supports up 
to 2 channels. +@@ -1149,13 +1149,13 @@ static void kvaser_usb_leaf_usbcan_rx_error(const struct kvaser_usb *dev, + */ + if (dev->nchannels == MAX_USBCAN_NET_DEVICES) { + es.channel = 1; +- es.status = cmd->u.usbcan.error_event.status_ch1; ++ es.status = cmd->u.usbcan.can_error_event.status_ch1; + es.txerr = +- cmd->u.usbcan.error_event.tx_errors_count_ch1; ++ cmd->u.usbcan.can_error_event.tx_errors_count_ch1; + es.rxerr = +- cmd->u.usbcan.error_event.rx_errors_count_ch1; ++ cmd->u.usbcan.can_error_event.rx_errors_count_ch1; + es.usbcan.other_ch_status = +- cmd->u.usbcan.error_event.status_ch0; ++ cmd->u.usbcan.can_error_event.status_ch0; + kvaser_usb_leaf_usbcan_conditionally_rx_error(dev, &es); + } + break; +@@ -1172,11 +1172,11 @@ static void kvaser_usb_leaf_leaf_rx_error(const struct kvaser_usb *dev, + + switch (cmd->id) { + case CMD_CAN_ERROR_EVENT: +- es.channel = cmd->u.leaf.error_event.channel; +- es.status = cmd->u.leaf.error_event.status; +- es.txerr = cmd->u.leaf.error_event.tx_errors_count; +- es.rxerr = cmd->u.leaf.error_event.rx_errors_count; +- es.leaf.error_factor = cmd->u.leaf.error_event.error_factor; ++ es.channel = cmd->u.leaf.can_error_event.channel; ++ es.status = cmd->u.leaf.can_error_event.status; ++ es.txerr = cmd->u.leaf.can_error_event.tx_errors_count; ++ es.rxerr = cmd->u.leaf.can_error_event.rx_errors_count; ++ es.leaf.error_factor = cmd->u.leaf.can_error_event.error_factor; + break; + case CMD_LEAF_LOG_MESSAGE: + es.channel = cmd->u.leaf.log_message.channel; +-- +2.35.1 + diff --git a/queue-5.4/can-kvaser_usb_leaf-fix-bogus-restart-events.patch b/queue-5.4/can-kvaser_usb_leaf-fix-bogus-restart-events.patch new file mode 100644 index 00000000000..8ec1a6c62d3 --- /dev/null +++ b/queue-5.4/can-kvaser_usb_leaf-fix-bogus-restart-events.patch 
@@ -0,0 +1,66 @@ +From 155936c03b949ca4dc7c18184c6012aa2e58a11f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Oct 2022 20:52:35 +0200 +Subject: can: kvaser_usb_leaf: Fix bogus restart events + +From: Anssi Hannula + +[ Upstream commit 90904d326269a38fe5dd895fb2db7c03199654c4 ] + +When auto-restart is enabled, the kvaser_usb_leaf driver considers +transition from any state >= CAN_STATE_BUS_OFF as a bus-off recovery +event (restart). + +However, these events may occur at interface startup time before +kvaser_usb_open() has set the state to CAN_STATE_ERROR_ACTIVE, causing +restarts counter to increase and CAN_ERR_RESTARTED to be sent despite no +actual restart having occurred. + +Fix that by making the auto-restart condition checks more strict so that +they only trigger when the interface was actually in the BUS_OFF state. + +Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") +Tested-by: Jimmy Assarsson +Signed-off-by: Anssi Hannula +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/all/20221010185237.319219-10-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +index 52ac6446634d..d1877ff2ff71 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +@@ -899,7 +899,7 @@ static void kvaser_usb_leaf_tx_acknowledge(const struct kvaser_usb *dev, + context = &priv->tx_contexts[tid % dev->max_tx_urbs]; + + /* Sometimes the state change doesn't come after a bus-off event */ +- if (priv->can.restart_ms && priv->can.state >= CAN_STATE_BUS_OFF) { ++ if (priv->can.restart_ms && priv->can.state == CAN_STATE_BUS_OFF) { + struct sk_buff *skb; + struct can_frame *cf; + +@@ -1002,7 +1002,7 @@ 
kvaser_usb_leaf_rx_error_update_can_state(struct kvaser_usb_net_priv *priv, + } + + if (priv->can.restart_ms && +- cur_state >= CAN_STATE_BUS_OFF && ++ cur_state == CAN_STATE_BUS_OFF && + new_state < CAN_STATE_BUS_OFF) + priv->can.can_stats.restarts++; + +@@ -1092,7 +1092,7 @@ static void kvaser_usb_leaf_rx_error(const struct kvaser_usb *dev, + } + + if (priv->can.restart_ms && +- old_state >= CAN_STATE_BUS_OFF && ++ old_state == CAN_STATE_BUS_OFF && + new_state < CAN_STATE_BUS_OFF) { + cf->can_id |= CAN_ERR_RESTARTED; + netif_carrier_on(priv->netdev); +-- +2.35.1 + diff --git a/queue-5.4/can-kvaser_usb_leaf-fix-improved-state-not-being-rep.patch b/queue-5.4/can-kvaser_usb_leaf-fix-improved-state-not-being-rep.patch new file mode 100644 index 00000000000..f6b774237d6 --- /dev/null +++ b/queue-5.4/can-kvaser_usb_leaf-fix-improved-state-not-being-rep.patch 
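Review bot: The reason for testing `== CAN_STATE_BUS_OFF` instead of `>=` exists only in the commit message; at the three changed sites (kvaser_usb_leaf_tx_acknowledge(), kvaser_usb_leaf_rx_error_update_can_state() and kvaser_usb_leaf_rx_error(), in the patch that ends just above) nothing in the code says that states above BUS_OFF must not count as a restart. Suggest a one-line comment at each site, or a small helper holding the restart_ms and BUS_OFF test so the three copies cannot drift apart again. In kvaser_usb_leaf_tx_acknowledge() the existing comment "Sometimes the state change doesn't come after a bus-off event" still fits the new condition.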
@@ -0,0 +1,259 @@ +From 75b170c9010b0b3f3196837a71e4db766fdbb383 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Oct 2022 20:52:32 +0200 +Subject: can: kvaser_usb_leaf: Fix improved state not being reported + +From: Anssi Hannula + +[ Upstream commit 8d21f5927ae604881f98587fabf6753f88730968 ] + +The tested 0bfd:0017 Kvaser Memorator Professional HS/HS FW 2.0.50 and +0bfd:0124 Kvaser Mini PCI Express 2xHS FW 4.18.778 do not seem to send +any unsolicited events when error counters decrease or when the device +transitions from ERROR_PASSIVE to ERROR_ACTIVE (or WARNING). + +This causes the interface to e.g. indefinitely stay in the ERROR_PASSIVE +state. + +Fix that by asking for chip state (inc. counters) event every 0.5 secs +when error counters are non-zero. + +Since there are non-error-counter devices, also always poll in +ERROR_PASSIVE even if the counters show zero. + +Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") +Tested-by: Jimmy Assarsson +Signed-off-by: Anssi Hannula +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/all/20221010185237.319219-7-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/kvaser_usb/kvaser_usb.h | 7 +++ + .../net/can/usb/kvaser_usb/kvaser_usb_core.c | 19 +++++- + .../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 58 +++++++++++++++++++ + 3 files changed, 81 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h +index 62958f04a2f2..1f4583f1dae2 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h +@@ -104,6 +104,9 @@ struct kvaser_usb_net_priv { + struct can_priv can; + struct can_berr_counter bec; + ++ /* subdriver-specific data */ ++ void *sub_priv; ++ + struct kvaser_usb *dev; + struct net_device *netdev; + int channel; +@@ -125,6 +128,8 @@ struct kvaser_usb_net_priv { + * + * 
@dev_setup_endpoints: setup USB in and out endpoints + * @dev_init_card: initialize card ++ * @dev_init_channel: initialize channel ++ * @dev_remove_channel: uninitialize channel + * @dev_get_software_info: get software info + * @dev_get_software_details: get software details + * @dev_get_card_info: get card info +@@ -146,6 +151,8 @@ struct kvaser_usb_dev_ops { + struct can_berr_counter *bec); + int (*dev_setup_endpoints)(struct kvaser_usb *dev); + int (*dev_init_card)(struct kvaser_usb *dev); ++ int (*dev_init_channel)(struct kvaser_usb_net_priv *priv); ++ void (*dev_remove_channel)(struct kvaser_usb_net_priv *priv); + int (*dev_get_software_info)(struct kvaser_usb *dev); + int (*dev_get_software_details)(struct kvaser_usb *dev); + int (*dev_get_card_info)(struct kvaser_usb *dev); +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c +index 7491f85e85b3..2c816d8929da 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c +@@ -645,6 +645,7 @@ static const struct net_device_ops kvaser_usb_netdev_ops = { + + static void kvaser_usb_remove_interfaces(struct kvaser_usb *dev) + { ++ const struct kvaser_usb_dev_ops *ops = dev->driver_info->ops; + int i; + + for (i = 0; i < dev->nchannels; i++) { +@@ -660,6 +661,9 @@ static void kvaser_usb_remove_interfaces(struct kvaser_usb *dev) + if (!dev->nets[i]) + continue; + ++ if (ops->dev_remove_channel) ++ ops->dev_remove_channel(dev->nets[i]); ++ + free_candev(dev->nets[i]->netdev); + } + } +@@ -727,17 +731,26 @@ static int kvaser_usb_init_one(struct kvaser_usb *dev, int channel) + + dev->nets[channel] = priv; + ++ if (ops->dev_init_channel) { ++ err = ops->dev_init_channel(priv); ++ if (err) ++ goto err; ++ } ++ + err = register_candev(netdev); + if (err) { + dev_err(&dev->intf->dev, "Failed to register CAN device\n"); +- free_candev(netdev); +- dev->nets[channel] = NULL; +- return err; ++ goto err; + } + 
+ netdev_dbg(netdev, "device registered\n"); + + return 0; ++ ++err: ++ free_candev(netdev); ++ dev->nets[channel] = NULL; ++ return err; + } + + static int kvaser_usb_probe(struct usb_interface *intf, +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +index b43631eaccf1..6d45ae6f2a08 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -55,6 +56,7 @@ + #define CMD_RX_EXT_MESSAGE 14 + #define CMD_TX_EXT_MESSAGE 15 + #define CMD_SET_BUS_PARAMS 16 ++#define CMD_GET_CHIP_STATE 19 + #define CMD_CHIP_STATE_EVENT 20 + #define CMD_SET_CTRL_MODE 21 + #define CMD_RESET_CHIP 24 +@@ -420,6 +422,12 @@ struct kvaser_usb_err_summary { + }; + }; + ++struct kvaser_usb_net_leaf_priv { ++ struct kvaser_usb_net_priv *net; ++ ++ struct delayed_work chip_state_req_work; ++}; ++ + static const struct can_bittiming_const kvaser_usb_leaf_m16c_bittiming_const = { + .name = "kvaser_usb_ucii", + .tseg1_min = 4, +@@ -947,6 +955,16 @@ static int kvaser_usb_leaf_simple_cmd_async(struct kvaser_usb_net_priv *priv, + return err; + } + ++static void kvaser_usb_leaf_chip_state_req_work(struct work_struct *work) ++{ ++ struct kvaser_usb_net_leaf_priv *leaf = ++ container_of(work, struct kvaser_usb_net_leaf_priv, ++ chip_state_req_work.work); ++ struct kvaser_usb_net_priv *priv = leaf->net; ++ ++ kvaser_usb_leaf_simple_cmd_async(priv, CMD_GET_CHIP_STATE); ++} ++ + static void + kvaser_usb_leaf_rx_error_update_can_state(struct kvaser_usb_net_priv *priv, + const struct kvaser_usb_err_summary *es, +@@ -1018,6 +1036,7 @@ static void kvaser_usb_leaf_rx_error(const struct kvaser_usb *dev, + struct sk_buff *skb; + struct net_device_stats *stats; + struct kvaser_usb_net_priv *priv; ++ struct kvaser_usb_net_leaf_priv *leaf; + enum can_state old_state, new_state; + + if (es->channel >= 
dev->nchannels) { +@@ -1027,6 +1046,7 @@ static void kvaser_usb_leaf_rx_error(const struct kvaser_usb *dev, + } + + priv = dev->nets[es->channel]; ++ leaf = priv->sub_priv; + stats = &priv->netdev->stats; + + /* Update all of the CAN interface's state and error counters before +@@ -1043,6 +1063,14 @@ static void kvaser_usb_leaf_rx_error(const struct kvaser_usb *dev, + kvaser_usb_leaf_rx_error_update_can_state(priv, es, &tmp_cf); + new_state = priv->can.state; + ++ /* If there are errors, request status updates periodically as we do ++ * not get automatic notifications of improved state. ++ */ ++ if (new_state < CAN_STATE_BUS_OFF && ++ (es->rxerr || es->txerr || new_state == CAN_STATE_ERROR_PASSIVE)) ++ schedule_delayed_work(&leaf->chip_state_req_work, ++ msecs_to_jiffies(500)); ++ + skb = alloc_can_err_skb(priv->netdev, &cf); + if (!skb) { + stats->rx_dropped++; +@@ -1577,10 +1605,13 @@ static int kvaser_usb_leaf_start_chip(struct kvaser_usb_net_priv *priv) + + static int kvaser_usb_leaf_stop_chip(struct kvaser_usb_net_priv *priv) + { ++ struct kvaser_usb_net_leaf_priv *leaf = priv->sub_priv; + int err; + + reinit_completion(&priv->stop_comp); + ++ cancel_delayed_work(&leaf->chip_state_req_work); ++ + err = kvaser_usb_leaf_send_simple_cmd(priv->dev, CMD_STOP_CHIP, + priv->channel); + if (err) +@@ -1627,6 +1658,31 @@ static int kvaser_usb_leaf_init_card(struct kvaser_usb *dev) + return 0; + } + ++static int kvaser_usb_leaf_init_channel(struct kvaser_usb_net_priv *priv) ++{ ++ struct kvaser_usb_net_leaf_priv *leaf; ++ ++ leaf = devm_kzalloc(&priv->dev->intf->dev, sizeof(*leaf), GFP_KERNEL); ++ if (!leaf) ++ return -ENOMEM; ++ ++ leaf->net = priv; ++ INIT_DELAYED_WORK(&leaf->chip_state_req_work, ++ kvaser_usb_leaf_chip_state_req_work); ++ ++ priv->sub_priv = leaf; ++ ++ return 0; ++} ++ ++static void kvaser_usb_leaf_remove_channel(struct kvaser_usb_net_priv *priv) ++{ ++ struct kvaser_usb_net_leaf_priv *leaf = priv->sub_priv; ++ ++ if (leaf) ++ 
cancel_delayed_work_sync(&leaf->chip_state_req_work); ++} ++ + static int kvaser_usb_leaf_set_bittiming(struct net_device *netdev) + { + struct kvaser_usb_net_priv *priv = netdev_priv(netdev); +@@ -1724,6 +1780,8 @@ const struct kvaser_usb_dev_ops kvaser_usb_leaf_dev_ops = { + .dev_get_berr_counter = kvaser_usb_leaf_get_berr_counter, + .dev_setup_endpoints = kvaser_usb_leaf_setup_endpoints, + .dev_init_card = kvaser_usb_leaf_init_card, ++ .dev_init_channel = kvaser_usb_leaf_init_channel, ++ .dev_remove_channel = kvaser_usb_leaf_remove_channel, + .dev_get_software_info = kvaser_usb_leaf_get_software_info, + .dev_get_software_details = NULL, + .dev_get_card_info = kvaser_usb_leaf_get_card_info, +-- +2.35.1 + diff --git a/queue-5.4/can-kvaser_usb_leaf-fix-wrong-can-state-after-stoppi.patch b/queue-5.4/can-kvaser_usb_leaf-fix-wrong-can-state-after-stoppi.patch new file mode 100644 index 00000000000..8efa093a4a3 --- /dev/null +++ b/queue-5.4/can-kvaser_usb_leaf-fix-wrong-can-state-after-stoppi.patch 
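Review bot: kvaser_usb_leaf_stop_chip() calls cancel_delayed_work(), which does not wait for a chip_state_req_work item that is already executing, and nothing in this patch prevents kvaser_usb_leaf_rx_error() from calling schedule_delayed_work() again after the cancel, so a CMD_GET_CHIP_STATE request can still go out to a channel that has been stopped. If the non-sync variant is required by the calling context, say so in a comment next to the call; otherwise make the re-arm in kvaser_usb_leaf_rx_error() conditional on the interface still being up. Only kvaser_usb_leaf_remove_channel() uses cancel_delayed_work_sync(), so the devm-allocated leaf is safe only if dev_remove_channel runs on every teardown path before that allocation is released; a sentence stating this in the commit message would help.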
@@ -0,0 +1,45 @@ +From fc8048bb922fab965e4c4b8cdadad050977b8378 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Oct 2022 20:52:33 +0200 +Subject: can: kvaser_usb_leaf: Fix wrong CAN state after stopping + +From: Anssi Hannula + +[ Upstream commit a11249acf802341294557895d8e5f6aef080253f ] + +0bfd:0124 Kvaser Mini PCI Express 2xHS FW 4.18.778 sends a +CMD_CHIP_STATE_EVENT indicating bus-off after stopping the device, +causing a stopped device to appear as CAN_STATE_BUS_OFF instead of +CAN_STATE_STOPPED. + +Fix that by not handling error events on stopped devices. + +Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") +Tested-by: Jimmy Assarsson +Signed-off-by: Anssi Hannula +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/all/20221010185237.319219-8-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +index 6d45ae6f2a08..52ac6446634d 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +@@ -1049,6 +1049,10 @@ static void kvaser_usb_leaf_rx_error(const struct kvaser_usb *dev, + leaf = priv->sub_priv; + stats = &priv->netdev->stats; + ++ /* Ignore e.g. state change to bus-off reported just after stopping */ ++ if (!netif_running(priv->netdev)) ++ return; ++ + /* Update all of the CAN interface's state and error counters before + * trying any memory allocation that can actually fail with -ENOMEM. + * +-- +2.35.1 + diff --git a/queue-5.4/can-kvaser_usb_leaf-set-warning-state-even-without-b.patch b/queue-5.4/can-kvaser_usb_leaf-set-warning-state-even-without-b.patch new file mode 100644 index 00000000000..7aacea6648a --- /dev/null +++ b/queue-5.4/can-kvaser_usb_leaf-set-warning-state-even-without-b.patch 
@@ -0,0 +1,76 @@ +From 4dbd7e230eb4b650e0a7878bba9bdb9b680172fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Oct 2022 20:52:31 +0200 +Subject: can: kvaser_usb_leaf: Set Warning state even without bus errors + +From: Anssi Hannula + +[ Upstream commit df1b7af2761b935f63b4a53e789d41ed859edf61 ] + +kvaser_usb_leaf_rx_error_update_can_state() sets error state according +to error counters when the hardware does not indicate a specific state +directly. + +However, this is currently gated behind a check for +M16C_STATE_BUS_ERROR which does not always seem to be set when error +counters are increasing, and may not be set when error counters are +decreasing. + +This causes the CAN_STATE_ERROR_WARNING state to not be set in some +cases even when appropriate. + +Change the code to set error state from counters even without +M16C_STATE_BUS_ERROR. + +The Error-Passive case seems superfluous as it is already set via +M16C_STATE_BUS_PASSIVE flag above, but it is kept for now. + +Tested with 0bfd:0124 Kvaser Mini PCI Express 2xHS FW 4.18.778. 
+ +Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") +Tested-by: Jimmy Assarsson +Signed-off-by: Anssi Hannula +Signed-off-by: Jimmy Assarsson +Link: https://lore.kernel.org/all/20221010185237.319219-6-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + .../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 20 ++++++++----------- + 1 file changed, 8 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +index 3c3e78992b55..b43631eaccf1 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +@@ -965,20 +965,16 @@ kvaser_usb_leaf_rx_error_update_can_state(struct kvaser_usb_net_priv *priv, + new_state = CAN_STATE_BUS_OFF; + } else if (es->status & M16C_STATE_BUS_PASSIVE) { + new_state = CAN_STATE_ERROR_PASSIVE; +- } else if (es->status & M16C_STATE_BUS_ERROR) { ++ } else if ((es->status & M16C_STATE_BUS_ERROR) && ++ cur_state >= CAN_STATE_BUS_OFF) { + /* Guard against spurious error events after a busoff */ +- if (cur_state < CAN_STATE_BUS_OFF) { +- if (es->txerr >= 128 || es->rxerr >= 128) +- new_state = CAN_STATE_ERROR_PASSIVE; +- else if (es->txerr >= 96 || es->rxerr >= 96) +- new_state = CAN_STATE_ERROR_WARNING; +- else if (cur_state > CAN_STATE_ERROR_ACTIVE) +- new_state = CAN_STATE_ERROR_ACTIVE; +- } +- } +- +- if (!es->status) ++ } else if (es->txerr >= 128 || es->rxerr >= 128) { ++ new_state = CAN_STATE_ERROR_PASSIVE; ++ } else if (es->txerr >= 96 || es->rxerr >= 96) { ++ new_state = CAN_STATE_ERROR_WARNING; ++ } else { + new_state = CAN_STATE_ERROR_ACTIVE; ++ } + + if (new_state != cur_state) { + tx_state = (es->txerr >= es->rxerr) ? new_state : 0; +-- +2.35.1 + 
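Review bot: in kvaser_usb_leaf_rx_error_update_can_state() the new branch `} else if ((es->status & M16C_STATE_BUS_ERROR) && cur_state >= CAN_STATE_BUS_OFF) {` has a body that is only a comment, so it works by silently leaving new_state at whatever value it held before the chain. Extend the comment to say that new_state is deliberately left unchanged here, or restructure so the guard is not an empty arm of the chain. The removal of the separate `if (!es->status)` test also means the final else now sets CAN_STATE_ERROR_ACTIVE for any event that reaches it with both counters below 96, whatever other status bits are set; the commit message should state that this is intended.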
diff --git a/queue-5.4/can-tcan4x5x-remove-invalid-write-in-clear_interrupt.patch b/queue-5.4/can-tcan4x5x-remove-invalid-write-in-clear_interrupt.patch new file mode 100644 index 00000000000..0654f1665f3 --- /dev/null +++ b/queue-5.4/can-tcan4x5x-remove-invalid-write-in-clear_interrupt.patch @@ -0,0 +1,44 @@ +From 4810956d85d1a809f4be83b4bf967bfa3c0e532c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Dec 2022 12:57:25 +0100 +Subject: can: tcan4x5x: Remove invalid write in clear_interrupts + +From: Markus Schneider-Pargmann + +[ Upstream commit 40c9e4f676abbe194541d88e796341c92d5a13c0 ] + +Register 0x824 TCAN4X5X_MCAN_INT_REG is a read-only register. Any writes +to this register do not have any effect. + +Remove this write. The m_can driver aldready clears the interrupts in +m_can_isr() by writing to M_CAN_IR which is translated to register +0x1050 which is a writable version of this register. + +Fixes: 5443c226ba91 ("can: tcan4x5x: Add tcan4x5x driver to the kernel") +Signed-off-by: Markus Schneider-Pargmann +Link: https://lore.kernel.org/all/20221206115728.1056014-9-msp@baylibre.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/m_can/tcan4x5x.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/net/can/m_can/tcan4x5x.c b/drivers/net/can/m_can/tcan4x5x.c +index 0d66582bd356..b312cbf30df7 100644 +--- a/drivers/net/can/m_can/tcan4x5x.c ++++ b/drivers/net/can/m_can/tcan4x5x.c +@@ -291,11 +291,6 @@ static int tcan4x5x_clear_interrupts(struct m_can_classdev *cdev) + if (ret) + return ret; + +- ret = tcan4x5x_write_tcan_reg(cdev, TCAN4X5X_MCAN_INT_REG, +- TCAN4X5X_ENABLE_MCAN_INT); +- if (ret) +- return ret; +- + ret = tcan4x5x_write_tcan_reg(cdev, TCAN4X5X_INT_FLAGS, + TCAN4X5X_CLEAR_ALL_INT); + if (ret) +-- +2.35.1 + 
diff --git a/queue-5.4/chardev-fix-error-handling-in-cdev_device_add.patch b/queue-5.4/chardev-fix-error-handling-in-cdev_device_add.patch new file mode 100644 index 00000000000..5ed38fe272c --- /dev/null +++ b/queue-5.4/chardev-fix-error-handling-in-cdev_device_add.patch 
@@ -0,0 +1,54 @@ +From 8c00d5837b8354b5a7e9d1a40a07ada253728758 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 11:02:37 +0800 +Subject: chardev: fix error handling in cdev_device_add() + +From: Yang Yingliang + +[ Upstream commit 11fa7fefe3d8fac7da56bc9aa3dd5fb3081ca797 ] + +While doing fault injection test, I got the following report: + +------------[ cut here ]------------ +kobject: '(null)' (0000000039956980): is not initialized, yet kobject_put() is being called. +WARNING: CPU: 3 PID: 6306 at kobject_put+0x23d/0x4e0 +CPU: 3 PID: 6306 Comm: 283 Tainted: G W 6.1.0-rc2-00005-g307c1086d7c9 #1253 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 +RIP: 0010:kobject_put+0x23d/0x4e0 +Call Trace: + + cdev_device_add+0x15e/0x1b0 + __iio_device_register+0x13b4/0x1af0 [industrialio] + __devm_iio_device_register+0x22/0x90 [industrialio] + max517_probe+0x3d8/0x6b4 [max517] + i2c_device_probe+0xa81/0xc00 + +When device_add() is injected fault and returns error, if dev->devt is not set, +cdev_add() is not called, cdev_del() is not needed. Fix this by checking dev->devt +in error path. + +Fixes: 233ed09d7fda ("chardev: add helper function to register char devs with a struct device") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221202030237.520280-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + fs/char_dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/char_dev.c b/fs/char_dev.c +index c5e6eff5a381..36479b72d278 100644 +--- a/fs/char_dev.c ++++ b/fs/char_dev.c +@@ -544,7 +544,7 @@ int cdev_device_add(struct cdev *cdev, struct device *dev) + } + + rc = device_add(dev); +- if (rc) ++ if (rc && dev->devt) + cdev_del(cdev); + + return rc; +-- +2.35.1 + 
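Review bot: the new condition `if (rc && dev->devt)` in cdev_device_add() is correct only because it repeats the test that decides whether cdev_add() was called earlier in the function, and nothing at this site says so. Add a one-line comment above it (for example that cdev_del() must only undo a cdev_add() that actually happened), so a later change to the earlier guard is not made without updating this one. The check also assumes device_add() leaves dev->devt unchanged on failure, which is worth stating in the commit message.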
diff --git a/queue-5.4/class-fix-possible-memory-leak-in-__class_register.patch b/queue-5.4/class-fix-possible-memory-leak-in-__class_register.patch new file mode 100644 index 00000000000..40f524a4afd --- /dev/null +++ b/queue-5.4/class-fix-possible-memory-leak-in-__class_register.patch 
@@ -0,0 +1,71 @@ +From 31886254b3a96fac4a3017c8ba2bc94e309ec6de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Oct 2022 16:28:03 +0800 +Subject: class: fix possible memory leak in __class_register() + +From: Yang Yingliang + +[ Upstream commit 8c3e8a6bdb5253b97ad532570f8b5db5f7a06407 ] + +If class_add_groups() returns error, the 'cp->subsys' need be +unregister, and the 'cp' need be freed. + +We can not call kset_unregister() here, because the 'cls' will +be freed in callback function class_release() and it's also +freed in caller's error path, it will cause double free. + +So fix this by calling kobject_del() and kfree_const(name) to +cleanup kobject. Besides, call kfree() to free the 'cp'. + +Fault injection test can trigger this: + +unreferenced object 0xffff888102fa8190 (size 8): + comm "modprobe", pid 502, jiffies 4294906074 (age 49.296s) + hex dump (first 8 bytes): + 70 6b 74 63 64 76 64 00 pktcdvd. + backtrace: + [<00000000e7c7703d>] __kmalloc_track_caller+0x1ae/0x320 + [<000000005e4d70bc>] kstrdup+0x3a/0x70 + [<00000000c2e5e85a>] kstrdup_const+0x68/0x80 + [<000000000049a8c7>] kvasprintf_const+0x10b/0x190 + [<0000000029123163>] kobject_set_name_vargs+0x56/0x150 + [<00000000747219c9>] kobject_set_name+0xab/0xe0 + [<0000000005f1ea4e>] __class_register+0x15c/0x49a + +unreferenced object 0xffff888037274000 (size 1024): + comm "modprobe", pid 502, jiffies 4294906074 (age 49.296s) + hex dump (first 32 bytes): + 00 40 27 37 80 88 ff ff 00 40 27 37 80 88 ff ff .@'7.....@'7.... + 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... 
+ backtrace: + [<00000000151f9600>] kmem_cache_alloc_trace+0x17c/0x2f0 + [<00000000ecf3dd95>] __class_register+0x86/0x49a + +Fixes: ced6473e7486 ("driver core: class: add class_groups support") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221026082803.3458760-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/class.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/base/class.c b/drivers/base/class.c +index d8a6a5864c2e..61784503ca40 100644 +--- a/drivers/base/class.c ++++ b/drivers/base/class.c +@@ -191,6 +191,11 @@ int __class_register(struct class *cls, struct lock_class_key *key) + } + error = class_add_groups(class_get(cls), cls->class_groups); + class_put(cls); ++ if (error) { ++ kobject_del(&cp->subsys.kobj); ++ kfree_const(cp->subsys.kobj.name); ++ kfree(cp); ++ } + return error; + } + EXPORT_SYMBOL_GPL(__class_register); +-- +2.35.1 + diff --git a/queue-5.4/clk-imx-replace-osc_hdmi-with-dummy.patch b/queue-5.4/clk-imx-replace-osc_hdmi-with-dummy.patch new file mode 100644 index 00000000000..7407a242eb4 --- /dev/null +++ b/queue-5.4/clk-imx-replace-osc_hdmi-with-dummy.patch 
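Review bot: the new error branch in __class_register() ends with kfree(cp) but leaves cls untouched, and the commit message says the caller frees cls on its own error path. If cls still holds a pointer to cp at this point, clear that pointer before returning, so that a caller which inspects or reuses cls after the failure cannot reach freed memory. The hand-rolled cleanup, kobject_del() followed by kfree_const(cp->subsys.kobj.name), also needs a code comment explaining why kset_unregister() cannot be used here, since that reasoning (the double free through class_release()) currently exists only in the commit message.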
@@ -0,0 +1,70 @@ +From 18237fa21cacaec4586c8e4121e265251ed5a776 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 12:36:34 +0100 +Subject: clk: imx: replace osc_hdmi with dummy + +From: Dario Binacchi + +[ Upstream commit e7fa365ff66f16772dc06b480cd78f858d10856b ] + +There is no occurrence of the hdmi oscillator in the reference manual +(document IMX8MNRM Rev 2, 07/2022). Further, if we consider the indexes +76-81 and 134 of the "Clock Root" table of chapter 5 of the RM, there is +no entry for the source select bits 101b, which is the setting referenced +by "osc_hdmi". +Fix by renaming "osc_hdmi" with "dummy", a clock which has already been +used for missing source select bits. + +Tested on the BSH SystemMaster (SMM) S2 board. + +Fixes: 96d6392b54dbb ("clk: imx: Add support for i.MX8MN clock driver") +Signed-off-by: Dario Binacchi +Acked-by: Marco Felsch +Signed-off-by: Abel Vesa +Link: https://lore.kernel.org/r/20221117113637.1978703-3-dario.binacchi@amarulasolutions.com +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx8mn.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/imx/clk-imx8mn.c b/drivers/clk/imx/clk-imx8mn.c +index d520a8c5eabb..9d33321c89bd 100644 +--- a/drivers/clk/imx/clk-imx8mn.c ++++ b/drivers/clk/imx/clk-imx8mn.c +@@ -189,27 +189,27 @@ static const char * const imx8mn_disp_pixel_sels[] = {"osc_24m", "video_pll1_out + "sys_pll3_out", "clk_ext4", }; + + static const char * const imx8mn_sai2_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out", +- "video_pll1_out", "sys_pll1_133m", "osc_hdmi", ++ "video_pll1_out", "sys_pll1_133m", "dummy", + "clk_ext3", "clk_ext4", }; + + static const char * const imx8mn_sai3_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out", +- "video_pll1_out", "sys_pll1_133m", "osc_hdmi", ++ "video_pll1_out", "sys_pll1_133m", "dummy", + "clk_ext3", "clk_ext4", }; + + static const char * const imx8mn_sai5_sels[] = {"osc_24m", "audio_pll1_out", 
"audio_pll2_out", +- "video_pll1_out", "sys_pll1_133m", "osc_hdmi", ++ "video_pll1_out", "sys_pll1_133m", "dummy", + "clk_ext2", "clk_ext3", }; + + static const char * const imx8mn_sai6_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out", +- "video_pll1_out", "sys_pll1_133m", "osc_hdmi", ++ "video_pll1_out", "sys_pll1_133m", "dummy", + "clk_ext3", "clk_ext4", }; + + static const char * const imx8mn_sai7_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out", +- "video_pll1_out", "sys_pll1_133m", "osc_hdmi", ++ "video_pll1_out", "sys_pll1_133m", "dummy", + "clk_ext3", "clk_ext4", }; + + static const char * const imx8mn_spdif1_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out", +- "video_pll1_out", "sys_pll1_133m", "osc_hdmi", ++ "video_pll1_out", "sys_pll1_133m", "dummy", + "clk_ext2", "clk_ext3", }; + + static const char * const imx8mn_enet_ref_sels[] = {"osc_24m", "sys_pll2_125m", "sys_pll2_50m", +-- +2.35.1 + diff --git a/queue-5.4/clk-imx8mn-correct-the-usb1_ctrl-parent-to-be-usb_bu.patch b/queue-5.4/clk-imx8mn-correct-the-usb1_ctrl-parent-to-be-usb_bu.patch new file mode 100644 index 00000000000..9f6e086a1e8 --- /dev/null +++ b/queue-5.4/clk-imx8mn-correct-the-usb1_ctrl-parent-to-be-usb_bu.patch 
@@ -0,0 +1,35 @@ +From 605978815365555327d9dadaedf004b8ddbfbb2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2019 08:06:17 +0000 +Subject: clk: imx8mn: correct the usb1_ctrl parent to be usb_bus + +From: Li Jun + +[ Upstream commit 134d43bb1ff09a696996f16ed8b28d404b770c8a ] + +Per latest imx8mn datasheet of CCM, the parent of usb1_ctrl_root_clk +should be usb_bus. + +Signed-off-by: Li Jun +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx8mn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/imx/clk-imx8mn.c b/drivers/clk/imx/clk-imx8mn.c +index 882b42efd258..d520a8c5eabb 100644 +--- a/drivers/clk/imx/clk-imx8mn.c ++++ b/drivers/clk/imx/clk-imx8mn.c +@@ -582,7 +582,7 @@ static int imx8mn_clocks_probe(struct platform_device *pdev) + clks[IMX8MN_CLK_UART2_ROOT] = imx_clk_gate4("uart2_root_clk", "uart2", base + 0x44a0, 0); + clks[IMX8MN_CLK_UART3_ROOT] = imx_clk_gate4("uart3_root_clk", "uart3", base + 0x44b0, 0); + clks[IMX8MN_CLK_UART4_ROOT] = imx_clk_gate4("uart4_root_clk", "uart4", base + 0x44c0, 0); +- clks[IMX8MN_CLK_USB1_CTRL_ROOT] = imx_clk_gate4("usb1_ctrl_root_clk", "usb_core_ref", base + 0x44d0, 0); ++ clks[IMX8MN_CLK_USB1_CTRL_ROOT] = imx_clk_gate4("usb1_ctrl_root_clk", "usb_bus", base + 0x44d0, 0); + clks[IMX8MN_CLK_GPU_CORE_ROOT] = imx_clk_gate4("gpu_core_root_clk", "gpu_core_div", base + 0x44f0, 0); + clks[IMX8MN_CLK_USDHC1_ROOT] = imx_clk_gate4("usdhc1_root_clk", "usdhc1", base + 0x4510, 0); + clks[IMX8MN_CLK_USDHC2_ROOT] = imx_clk_gate4("usdhc2_root_clk", "usdhc2", base + 0x4520, 0); +-- +2.35.1 + diff --git a/queue-5.4/clk-qcom-clk-krait-fix-wrong-div2-functions.patch b/queue-5.4/clk-qcom-clk-krait-fix-wrong-div2-functions.patch new file mode 100644 index 00000000000..3cfc0b9bc8d --- /dev/null +++ b/queue-5.4/clk-qcom-clk-krait-fix-wrong-div2-functions.patch 
@@ -0,0 +1,40 @@ +From 60e1a2ea095e4004382a82f32cf7de7b52ac1e55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 22:56:25 +0100 +Subject: clk: qcom: clk-krait: fix wrong div2 functions + +From: Christian Marangi + +[ Upstream commit d676d3a3717cf726d3affedbe5ba98fc4ccad7b3 ] + +Currently div2 value is applied to the wrong bits. This is caused by a +bug in the code where the shift is done only for lpl, for anything +else the mask is not shifted to the correct bits. + +Fix this by correctly shift if lpl is not supported. + +Fixes: 4d7dc77babfe ("clk: qcom: Add support for Krait clocks") +Signed-off-by: Christian Marangi +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20221108215625.30186-1-ansuelsmth@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/clk-krait.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/clk/qcom/clk-krait.c b/drivers/clk/qcom/clk-krait.c +index 90046428693c..e74fc81a14d0 100644 +--- a/drivers/clk/qcom/clk-krait.c ++++ b/drivers/clk/qcom/clk-krait.c +@@ -98,6 +98,8 @@ static int krait_div2_set_rate(struct clk_hw *hw, unsigned long rate, + + if (d->lpl) + mask = mask << (d->shift + LPL_SHIFT) | mask << d->shift; ++ else ++ mask <<= d->shift; + + spin_lock_irqsave(&krait_clock_reg_lock, flags); + val = krait_get_l2_indirect_reg(d->offset); +-- +2.35.1 + diff --git a/queue-5.4/clk-renesas-r9a06g032-repair-grave-increment-error.patch b/queue-5.4/clk-renesas-r9a06g032-repair-grave-increment-error.patch new file mode 100644 index 00000000000..1d9a0626e95 --- /dev/null +++ b/queue-5.4/clk-renesas-r9a06g032-repair-grave-increment-error.patch 
@@ -0,0 +1,47 @@ +From 60522779bfeee1a09a20371a55d6d8e5e37565cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Oct 2022 13:38:34 +0200 +Subject: clk: renesas: r9a06g032: Repair grave increment error + +From: Marek Vasut + +[ Upstream commit 02693e11611e082e3c4d8653e8af028e43d31164 ] + +If condition (clkspec.np != pd->dev.of_node) is true, then the driver +ends up in an endless loop, forever, locking up the machine. + +Fixes: aad03a66f902 ("clk: renesas: r9a06g032: Add clock domain support") +Reviewed-by: Ralph Siemsen +Signed-off-by: Marek Vasut +Reviewed-by: Gareth Williams +Link: https://lore.kernel.org/r/20221028113834.7496-1-marex@denx.de +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/clk/renesas/r9a06g032-clocks.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/clk/renesas/r9a06g032-clocks.c b/drivers/clk/renesas/r9a06g032-clocks.c +index 80df4eb041cc..75954ac1fb9b 100644 +--- a/drivers/clk/renesas/r9a06g032-clocks.c ++++ b/drivers/clk/renesas/r9a06g032-clocks.c +@@ -386,7 +386,7 @@ static int r9a06g032_attach_dev(struct generic_pm_domain *pd, + int error; + int index; + +- while (!of_parse_phandle_with_args(np, "clocks", "#clock-cells", i, ++ while (!of_parse_phandle_with_args(np, "clocks", "#clock-cells", i++, + &clkspec)) { + if (clkspec.np != pd->dev.of_node) + continue; +@@ -399,7 +399,6 @@ static int r9a06g032_attach_dev(struct generic_pm_domain *pd, + if (error) + return error; + } +- i++; + } + + return 0; +-- +2.35.1 + diff --git a/queue-5.4/clk-rockchip-fix-memory-leak-in-rockchip_clk_registe.patch b/queue-5.4/clk-rockchip-fix-memory-leak-in-rockchip_clk_registe.patch new file mode 100644 index 00000000000..13b51b6a0ec --- /dev/null +++ b/queue-5.4/clk-rockchip-fix-memory-leak-in-rockchip_clk_registe.patch 
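Review bot: in r9a06g032_attach_dev() the fix moves the index advance into the loop condition as `i++` inside the of_parse_phandle_with_args() argument list, which repairs the `continue` path but hides a side effect in a function call argument. A for loop with i++ in its increment clause gives the same behaviour, keeps the condition free of side effects, and makes it obvious that `continue` cannot skip the increment again.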
@@ -0,0 +1,37 @@ +From eec6a34f7bd45336dafcce14f0a62a6769c14160 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 17:12:01 +0800 +Subject: clk: rockchip: Fix memory leak in rockchip_clk_register_pll() + +From: Xiu Jianfeng + +[ Upstream commit 739a6a6bbdb793bd57938cb24aa5a6df89983546 ] + +If clk_register() fails, @pll->rate_table may have allocated memory by +kmemdup(), so it needs to be freed, otherwise will cause memory leak +issue, this patch fixes it. + +Fixes: 90c590254051 ("clk: rockchip: add clock type for pll clocks and pll used on rk3066") +Signed-off-by: Xiu Jianfeng +Link: https://lore.kernel.org/r/20221123091201.199819-1-xiujianfeng@huawei.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-pll.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/rockchip/clk-pll.c b/drivers/clk/rockchip/clk-pll.c +index 198417d56300..aa8a299ff704 100644 +--- a/drivers/clk/rockchip/clk-pll.c ++++ b/drivers/clk/rockchip/clk-pll.c +@@ -963,6 +963,7 @@ struct clk *rockchip_clk_register_pll(struct rockchip_clk_provider *ctx, + return mux_clk; + + err_pll: ++ kfree(pll->rate_table); + clk_unregister(mux_clk); + mux_clk = pll_clk; + err_mux: +-- +2.35.1 + diff --git a/queue-5.4/clk-samsung-fix-memory-leak-in-_samsung_clk_register.patch b/queue-5.4/clk-samsung-fix-memory-leak-in-_samsung_clk_register.patch new file mode 100644 index 00000000000..a9d651e730e --- /dev/null +++ b/queue-5.4/clk-samsung-fix-memory-leak-in-_samsung_clk_register.patch 
@@ -0,0 +1,38 @@ +From 92777dee35835f202c5d46a172b3568d564e7d78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 11:20:15 +0800 +Subject: clk: samsung: Fix memory leak in _samsung_clk_register_pll() + +From: Xiu Jianfeng + +[ Upstream commit 5174e5b0d1b669a489524192b6adcbb3c54ebc72 ] + +If clk_register() fails, @pll->rate_table may have allocated memory by +kmemdup(), so it needs to be freed, otherwise will cause memory leak +issue, this patch fixes it. + +Fixes: 3ff6e0d8d64d ("clk: samsung: Add support to register rate_table for samsung plls") +Signed-off-by: Xiu Jianfeng +Link: https://lore.kernel.org/r/20221123032015.63980-1-xiujianfeng@huawei.com +Reviewed-by: Alim Akhtar +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/samsung/clk-pll.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/samsung/clk-pll.c b/drivers/clk/samsung/clk-pll.c +index ac70ad785d8e..33df20f813d5 100644 +--- a/drivers/clk/samsung/clk-pll.c ++++ b/drivers/clk/samsung/clk-pll.c +@@ -1390,6 +1390,7 @@ static void __init _samsung_clk_register_pll(struct samsung_clk_provider *ctx, + if (ret) { + pr_err("%s: failed to register pll clock %s : %d\n", + __func__, pll_clk->name, ret); ++ kfree(pll->rate_table); + kfree(pll); + return; + } +-- +2.35.1 + diff --git a/queue-5.4/clk-socfpga-clk-pll-remove-unused-variable-rc.patch b/queue-5.4/clk-socfpga-clk-pll-remove-unused-variable-rc.patch new file mode 100644 index 00000000000..9a495706dab --- /dev/null +++ b/queue-5.4/clk-socfpga-clk-pll-remove-unused-variable-rc.patch 
@@ -0,0 +1,55 @@ +From 8ca5ef89bbd55855eaf7da0aaa95322c500423e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 09:30:27 +0000 +Subject: clk: socfpga: clk-pll: Remove unused variable 'rc' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lee Jones + +[ Upstream commit 75fddccbca32349570b2d53955982b4117fa5515 ] + +Fixes the following W=1 kernel build warning(s): + + drivers/clk/socfpga/clk-pll.c: In function ‘__socfpga_pll_init’: + drivers/clk/socfpga/clk-pll.c:83:6: warning: variable ‘rc’ set but not used [-Wunused-but-set-variable] + +Cc: Dinh Nguyen +Cc: Michael Turquette +Cc: Stephen Boyd +Cc: linux-clk@vger.kernel.org +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20210120093040.1719407-8-lee.jones@linaro.org +Acked-by: Dinh Nguyen +Signed-off-by: Stephen Boyd +Stable-dep-of: 0b8ba891ad4d ("clk: socfpga: Fix memory leak in socfpga_gate_init()") +Signed-off-by: Sasha Levin +--- + drivers/clk/socfpga/clk-pll.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/clk/socfpga/clk-pll.c b/drivers/clk/socfpga/clk-pll.c +index dc65cc0fd3bd..444f3948fff4 100644 +--- a/drivers/clk/socfpga/clk-pll.c ++++ b/drivers/clk/socfpga/clk-pll.c +@@ -80,7 +80,6 @@ static __init struct clk *__socfpga_pll_init(struct device_node *node, + const char *parent_name[SOCFPGA_MAX_PARENTS]; + struct clk_init_data init; + struct device_node *clkmgr_np; +- int rc; + + of_property_read_u32(node, "reg", ®); + +@@ -113,7 +112,7 @@ static __init struct clk *__socfpga_pll_init(struct device_node *node, + kfree(pll_clk); + return NULL; + } +- rc = of_clk_add_provider(node, of_clk_src_simple_get, clk); ++ of_clk_add_provider(node, of_clk_src_simple_get, clk); + return clk; + } + +-- +2.35.1 + diff --git a/queue-5.4/clk-socfpga-fix-memory-leak-in-socfpga_gate_init.patch b/queue-5.4/clk-socfpga-fix-memory-leak-in-socfpga_gate_init.patch new file mode 100644 index 00000000000..6ea6a4e9843 
--- /dev/null +++ b/queue-5.4/clk-socfpga-fix-memory-leak-in-socfpga_gate_init.patch @@ -0,0 +1,48 @@ +From bd37a03814b56c02816bf783e2356724fe47f776 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 11:16:22 +0800 +Subject: clk: socfpga: Fix memory leak in socfpga_gate_init() + +From: Xiu Jianfeng + +[ Upstream commit 0b8ba891ad4d1ef6bfa4c72efc83f9f9f855f68b ] + +Free @socfpga_clk and @ops on the error path to avoid memory leak issue. + +Fixes: a30a67be7b6e ("clk: socfpga: Don't have get_parent for single parent ops") +Signed-off-by: Xiu Jianfeng +Link: https://lore.kernel.org/r/20221123031622.63171-1-xiujianfeng@huawei.com +Acked-by: Dinh Nguyen +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/socfpga/clk-gate.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c +index 1ec9678d8cd3..ee2a2d284113 100644 +--- a/drivers/clk/socfpga/clk-gate.c ++++ b/drivers/clk/socfpga/clk-gate.c +@@ -188,8 +188,10 @@ void __init socfpga_gate_init(struct device_node *node) + return; + + ops = kmemdup(&gateclk_ops, sizeof(gateclk_ops), GFP_KERNEL); +- if (WARN_ON(!ops)) ++ if (WARN_ON(!ops)) { ++ kfree(socfpga_clk); + return; ++ } + + rc = of_property_read_u32_array(node, "clk-gate", clk_gate, 2); + if (rc) +@@ -243,6 +245,7 @@ void __init socfpga_gate_init(struct device_node *node) + + err = clk_hw_register(NULL, hw_clk); + if (err) { ++ kfree(ops); + kfree(socfpga_clk); + return; + } +-- +2.35.1 + diff --git a/queue-5.4/clk-socfpga-use-clk_hw_register-for-a5-c5.patch b/queue-5.4/clk-socfpga-use-clk_hw_register-for-a5-c5.patch new file mode 100644 index 00000000000..f3504f4f7c6 --- /dev/null +++ b/queue-5.4/clk-socfpga-use-clk_hw_register-for-a5-c5.patch 
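Review bot: socfpga_gate_init() now carries two hand-written cleanup sequences, kfree(socfpga_clk) after the failed kmemdup() and kfree(ops) plus kfree(socfpga_clk) after the failed clk_hw_register(), while the early return after `rc = of_property_read_u32_array(node, "clk-gate", clk_gate, 2);` and the final `if (WARN_ON(rc)) return;` after of_clk_add_provider() (visible in the clk_hw_register conversion queued with this patch) are not covered. A single set of unwind labels at the end of the function would make it easier to see which exits release ops and socfpga_clk, and the commit message should say whether the of_clk_add_provider() failure exit is left as is on purpose.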
@@ -0,0 +1,141 @@ +From 1d5203431185f8bbbadb833cb531d13b0e281028 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Mar 2021 15:41:49 -0600 +Subject: clk: socfpga: use clk_hw_register for a5/c5 + +From: Dinh Nguyen + +[ Upstream commit 2c2b9c6067170de2a63e7e3d9f5bb205b870de7c ] + +As recommended by Stephen Boyd, convert the cyclone5/arria5 clock driver +to use the clk_hw registration method. + +Suggested-by: Stephen Boyd +Signed-off-by: Dinh Nguyen +Link: https://lore.kernel.org/r/20210302214151.1333447-1-dinguyen@kernel.org +Signed-off-by: Stephen Boyd +Stable-dep-of: 0b8ba891ad4d ("clk: socfpga: Fix memory leak in socfpga_gate_init()") +Signed-off-by: Sasha Levin +--- + drivers/clk/socfpga/clk-gate.c | 11 +++++++---- + drivers/clk/socfpga/clk-periph.c | 8 ++++---- + drivers/clk/socfpga/clk-pll.c | 18 +++++++++++------- + 3 files changed, 22 insertions(+), 15 deletions(-) + +diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c +index cf94a12459ea..1ec9678d8cd3 100644 +--- a/drivers/clk/socfpga/clk-gate.c ++++ b/drivers/clk/socfpga/clk-gate.c +@@ -174,13 +174,14 @@ void __init socfpga_gate_init(struct device_node *node) + u32 div_reg[3]; + u32 clk_phase[2]; + u32 fixed_div; +- struct clk *clk; ++ struct clk_hw *hw_clk; + struct socfpga_gate_clk *socfpga_clk; + const char *clk_name = node->name; + const char *parent_name[SOCFPGA_MAX_PARENTS]; + struct clk_init_data init; + struct clk_ops *ops; + int rc; ++ int err; + + socfpga_clk = kzalloc(sizeof(*socfpga_clk), GFP_KERNEL); + if (WARN_ON(!socfpga_clk)) +@@ -238,12 +239,14 @@ void __init socfpga_gate_init(struct device_node *node) + init.parent_names = parent_name; + socfpga_clk->hw.hw.init = &init; + +- clk = clk_register(NULL, &socfpga_clk->hw.hw); +- if (WARN_ON(IS_ERR(clk))) { ++ hw_clk = &socfpga_clk->hw.hw; ++ ++ err = clk_hw_register(NULL, hw_clk); ++ if (err) { + kfree(socfpga_clk); + return; + } +- rc = of_clk_add_provider(node, of_clk_src_simple_get, clk); ++ rc = 
of_clk_add_provider(node, of_clk_src_simple_get, hw_clk); + if (WARN_ON(rc)) + return; + } +diff --git a/drivers/clk/socfpga/clk-periph.c b/drivers/clk/socfpga/clk-periph.c +index 5e0c4b45f77f..43707e2d7248 100644 +--- a/drivers/clk/socfpga/clk-periph.c ++++ b/drivers/clk/socfpga/clk-periph.c +@@ -51,7 +51,7 @@ static __init void __socfpga_periph_init(struct device_node *node, + const struct clk_ops *ops) + { + u32 reg; +- struct clk *clk; ++ struct clk_hw *hw_clk; + struct socfpga_periph_clk *periph_clk; + const char *clk_name = node->name; + const char *parent_name[SOCFPGA_MAX_PARENTS]; +@@ -94,13 +94,13 @@ static __init void __socfpga_periph_init(struct device_node *node, + init.parent_names = parent_name; + + periph_clk->hw.hw.init = &init; ++ hw_clk = &periph_clk->hw.hw; + +- clk = clk_register(NULL, &periph_clk->hw.hw); +- if (WARN_ON(IS_ERR(clk))) { ++ if (clk_hw_register(NULL, hw_clk)) { + kfree(periph_clk); + return; + } +- rc = of_clk_add_provider(node, of_clk_src_simple_get, clk); ++ rc = of_clk_add_provider(node, of_clk_src_simple_get, hw_clk); + } + + void __init socfpga_periph_init(struct device_node *node) +diff --git a/drivers/clk/socfpga/clk-pll.c b/drivers/clk/socfpga/clk-pll.c +index 444f3948fff4..004e196492c4 100644 +--- a/drivers/clk/socfpga/clk-pll.c ++++ b/drivers/clk/socfpga/clk-pll.c +@@ -70,16 +70,18 @@ static struct clk_ops clk_pll_ops = { + .get_parent = clk_pll_get_parent, + }; + +-static __init struct clk *__socfpga_pll_init(struct device_node *node, ++static __init struct clk_hw *__socfpga_pll_init(struct device_node *node, + const struct clk_ops *ops) + { + u32 reg; +- struct clk *clk; ++ struct clk_hw *hw_clk; + struct socfpga_pll *pll_clk; + const char *clk_name = node->name; + const char *parent_name[SOCFPGA_MAX_PARENTS]; + struct clk_init_data init; + struct device_node *clkmgr_np; ++ int rc; ++ int err; + + of_property_read_u32(node, "reg", ®); + +@@ -107,13 +109,15 @@ static __init struct clk *__socfpga_pll_init(struct 
device_node *node, + clk_pll_ops.enable = clk_gate_ops.enable; + clk_pll_ops.disable = clk_gate_ops.disable; + +- clk = clk_register(NULL, &pll_clk->hw.hw); +- if (WARN_ON(IS_ERR(clk))) { ++ hw_clk = &pll_clk->hw.hw; ++ ++ err = clk_hw_register(NULL, hw_clk); ++ if (err) { + kfree(pll_clk); +- return NULL; ++ return ERR_PTR(err); + } +- of_clk_add_provider(node, of_clk_src_simple_get, clk); +- return clk; ++ rc = of_clk_add_provider(node, of_clk_src_simple_get, hw_clk); ++ return hw_clk; + } + + void __init socfpga_pll_init(struct device_node *node) +-- +2.35.1 + diff --git a/queue-5.4/clk-st-fix-memory-leak-in-st_of_quadfs_setup.patch b/queue-5.4/clk-st-fix-memory-leak-in-st_of_quadfs_setup.patch new file mode 100644 index 00000000000..390eab198d0 --- /dev/null +++ b/queue-5.4/clk-st-fix-memory-leak-in-st_of_quadfs_setup.patch 
@@ -0,0 +1,41 @@ +From 15cbf1cdb181cfb12411c598eabb1e034d8b832f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 21:36:14 +0800 +Subject: clk: st: Fix memory leak in st_of_quadfs_setup() + +From: Xiu Jianfeng + +[ Upstream commit cfd3ffb36f0d566846163118651d868e607300ba ] + +If st_clk_register_quadfs_pll() fails, @lock should be freed before goto +@err_exit, otherwise will cause meory leak issue, fix it. + +Signed-off-by: Xiu Jianfeng +Link: https://lore.kernel.org/r/20221122133614.184910-1-xiujianfeng@huawei.com +Reviewed-by: Patrice Chotard +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/st/clkgen-fsyn.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/st/clkgen-fsyn.c b/drivers/clk/st/clkgen-fsyn.c +index a156bd0c6af7..9eff05386ef9 100644 +--- a/drivers/clk/st/clkgen-fsyn.c ++++ b/drivers/clk/st/clkgen-fsyn.c +@@ -943,9 +943,10 @@ static void __init st_of_quadfs_setup(struct device_node *np, + + clk = st_clk_register_quadfs_pll(pll_name, clk_parent_name, data, + reg, lock); +- if (IS_ERR(clk)) ++ if (IS_ERR(clk)) { ++ kfree(lock); + goto err_exit; +- else ++ } else + pr_debug("%s: parent %s rate %u\n", + __clk_get_name(clk), + __clk_get_name(clk_get_parent(clk)), +-- +2.35.1 + diff --git a/queue-5.4/clocksource-drivers-sh_cmt-make-sure-channel-clock-s.patch b/queue-5.4/clocksource-drivers-sh_cmt-make-sure-channel-clock-s.patch new file mode 100644 index 00000000000..d95026cfe78 --- /dev/null +++ b/queue-5.4/clocksource-drivers-sh_cmt-make-sure-channel-clock-s.patch 
@@ -0,0 +1,107 @@ +From 358d597b17864bc0814c435e0f167c1d2bb363cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Dec 2020 20:46:48 +0100 +Subject: clocksource/drivers/sh_cmt: Make sure channel clock supply is enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit 2a97d55333e4299f32c98cca6dc5c4db1c5855fc ] + +The Renesas Compare Match Timer 0 and 1 (CMT0/1) variants have a +register to control the clock supply to the individual channels. +Currently the driver does not touch this register, and relies on the +documented initial value, which has the clock supply enabled for all +channels present. + +However, when Linux starts on the APE6-EVM development board, only the +clock supply to the first CMT1 channel is enabled. Hence the first +channel (used as a clockevent) works, while the second channel (used as +a clocksource) does not. Note that the default system clocksource is +the Cortex-A15 architectured timer, and the user needs to manually +switch to the CMT1 clocksource to trigger the broken behavior. + +Fix this by removing the fragile dependency on implicit reset and/or +boot loader state, and by enabling the clock supply explicitly for all +channels used instead. This requires postponing the clk_disable() call, +else the timer's registers cannot be accessed in sh_cmt_setup_channel(). 
+ +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Niklas Söderlund +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20201210194648.2901899-1-geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/clocksource/sh_cmt.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/clocksource/sh_cmt.c b/drivers/clocksource/sh_cmt.c +index a0570213170d..b1ec79ddb7f2 100644 +--- a/drivers/clocksource/sh_cmt.c ++++ b/drivers/clocksource/sh_cmt.c +@@ -231,6 +231,8 @@ static const struct sh_cmt_info sh_cmt_info[] = { + #define CMCNT 1 /* channel register */ + #define CMCOR 2 /* channel register */ + ++#define CMCLKE 0x1000 /* CLK Enable Register (R-Car Gen2) */ ++ + static inline u32 sh_cmt_read_cmstr(struct sh_cmt_channel *ch) + { + if (ch->iostart) +@@ -845,6 +847,7 @@ static int sh_cmt_setup_channel(struct sh_cmt_channel *ch, unsigned int index, + unsigned int hwidx, bool clockevent, + bool clocksource, struct sh_cmt_device *cmt) + { ++ u32 value; + int ret; + + /* Skip unused channels. */ +@@ -874,6 +877,11 @@ static int sh_cmt_setup_channel(struct sh_cmt_channel *ch, unsigned int index, + ch->iostart = cmt->mapbase + ch->hwidx * 0x100; + ch->ioctrl = ch->iostart + 0x10; + ch->timer_bit = 0; ++ ++ /* Enable the clock supply to the channel */ ++ value = ioread32(cmt->mapbase + CMCLKE); ++ value |= BIT(hwidx); ++ iowrite32(value, cmt->mapbase + CMCLKE); + break; + } + +@@ -1006,12 +1014,10 @@ static int sh_cmt_setup(struct sh_cmt_device *cmt, struct platform_device *pdev) + else + cmt->rate = clk_get_rate(cmt->clk) / 8; + +- clk_disable(cmt->clk); +- + /* Map the memory resource(s). */ + ret = sh_cmt_map_memory(cmt); + if (ret < 0) +- goto err_clk_unprepare; ++ goto err_clk_disable; + + /* Allocate and setup the channels. 
*/ + cmt->num_channels = hweight8(cmt->hw_channels); +@@ -1039,6 +1045,8 @@ static int sh_cmt_setup(struct sh_cmt_device *cmt, struct platform_device *pdev) + mask &= ~(1 << hwidx); + } + ++ clk_disable(cmt->clk); ++ + platform_set_drvdata(pdev, cmt); + + return 0; +@@ -1046,6 +1054,8 @@ static int sh_cmt_setup(struct sh_cmt_device *cmt, struct platform_device *pdev) + err_unmap: + kfree(cmt->channels); + iounmap(cmt->mapbase); ++err_clk_disable: ++ clk_disable(cmt->clk); + err_clk_unprepare: + clk_unprepare(cmt->clk); + err_clk_put: +-- +2.35.1 + diff --git a/queue-5.4/configfs-fix-possible-memory-leak-in-configfs_create.patch b/queue-5.4/configfs-fix-possible-memory-leak-in-configfs_create.patch new file mode 100644 index 00000000000..a1c7b4fa611 --- /dev/null +++ b/queue-5.4/configfs-fix-possible-memory-leak-in-configfs_create.patch 
@@ -0,0 +1,102 @@ +From 7ef25a56cf5ce6a3d38af47fa4cc963ed47b1446 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Oct 2022 09:42:30 +0800 +Subject: configfs: fix possible memory leak in configfs_create_dir() + +From: Chen Zhongjin + +[ Upstream commit c65234b283a65cfbfc94619655e820a5e55199eb ] + +kmemleak reported memory leaks in configfs_create_dir(): + +unreferenced object 0xffff888009f6af00 (size 192): + comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s) + backtrace: + kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273) + new_fragment (./include/linux/slab.h:600 fs/configfs/dir.c:163) + configfs_register_subsystem (fs/configfs/dir.c:1857) + basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic + do_one_initcall (init/main.c:1296) + do_init_module (kernel/module/main.c:2455) + ... + +unreferenced object 0xffff888003ba7180 (size 96): + comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s) + backtrace: + kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273) + configfs_new_dirent (./include/linux/slab.h:723 fs/configfs/dir.c:194) + configfs_make_dirent (fs/configfs/dir.c:248) + configfs_create_dir (fs/configfs/dir.c:296) + configfs_attach_group.isra.28 (fs/configfs/dir.c:816 fs/configfs/dir.c:852) + configfs_register_subsystem (fs/configfs/dir.c:1881) + basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic + do_one_initcall (init/main.c:1296) + do_init_module (kernel/module/main.c:2455) + ... + +This is because the refcount is not correct in configfs_make_dirent(). +For normal stage, the refcount is changing as: + +configfs_register_subsystem() + configfs_create_dir() + configfs_make_dirent() + configfs_new_dirent() # set s_count = 1 + dentry->d_fsdata = configfs_get(sd); # s_count = 2 +... +configfs_unregister_subsystem() + configfs_remove_dir() + remove_dir() + configfs_remove_dirent() # s_count = 1 + dput() ... 
+ *dentry_unlink_inode()* + configfs_d_iput() # s_count = 0, release + +However, if we failed in configfs_create(): + +configfs_register_subsystem() + configfs_create_dir() + configfs_make_dirent() # s_count = 2 + ... + configfs_create() # fail + ->out_remove: + configfs_remove_dirent(dentry) + configfs_put(sd) # s_count = 1 + return PTR_ERR(inode); + +There is no inode in the error path, so the configfs_d_iput() is lost +and makes sd and fragment memory leaked. + +To fix this, when we failed in configfs_create(), manually call +configfs_put(sd) to keep the refcount correct. + +Fixes: 7063fbf22611 ("[PATCH] configfs: User-driven configuration filesystem") +Signed-off-by: Chen Zhongjin +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/configfs/dir.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c +index d73d88d9c259..bc27e3ad97ff 100644 +--- a/fs/configfs/dir.c ++++ b/fs/configfs/dir.c +@@ -317,6 +317,7 @@ static int configfs_create_dir(struct config_item *item, struct dentry *dentry, + return 0; + + out_remove: ++ configfs_put(dentry->d_fsdata); + configfs_remove_dirent(dentry); + return PTR_ERR(inode); + } +@@ -383,6 +384,7 @@ int configfs_create_link(struct configfs_dirent *target, struct dentry *parent, + return 0; + + out_remove: ++ configfs_put(dentry->d_fsdata); + configfs_remove_dirent(dentry); + return PTR_ERR(inode); + } +-- +2.35.1 + diff --git a/queue-5.4/counter-stm32-lptimer-cnt-fix-the-check-on-arr-and-c.patch b/queue-5.4/counter-stm32-lptimer-cnt-fix-the-check-on-arr-and-c.patch new file mode 100644 index 00000000000..62d80fb1447 --- /dev/null +++ b/queue-5.4/counter-stm32-lptimer-cnt-fix-the-check-on-arr-and-c.patch 
@@ -0,0 +1,42 @@ +From d3715f4a99ee6ba60910140093d1a901306e8ab1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 14:36:09 +0100 +Subject: counter: stm32-lptimer-cnt: fix the check on arr and cmp registers + update + +From: Fabrice Gasnier + +[ Upstream commit fd5ac974fc25feed084c2d1599d0dddb4e0556bc ] + +The ARR (auto reload register) and CMP (compare) registers are +successively written. The status bits to check the update of these +registers are polled together with regmap_read_poll_timeout(). +The condition to end the loop may become true, even if one of the register +isn't correctly updated. +So ensure both status bits are set before clearing them. + +Fixes: d8958824cf07 ("iio: counter: Add support for STM32 LPTimer") +Signed-off-by: Fabrice Gasnier +Link: https://lore.kernel.org/r/20221123133609.465614-1-fabrice.gasnier@foss.st.com/ +Signed-off-by: William Breathitt Gray +Signed-off-by: Sasha Levin +--- + drivers/counter/stm32-lptimer-cnt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/counter/stm32-lptimer-cnt.c b/drivers/counter/stm32-lptimer-cnt.c +index bbc930a5962c..95f8f2e217db 100644 +--- a/drivers/counter/stm32-lptimer-cnt.c ++++ b/drivers/counter/stm32-lptimer-cnt.c +@@ -69,7 +69,7 @@ static int stm32_lptim_set_enable_state(struct stm32_lptim_cnt *priv, + + /* ensure CMP & ARR registers are properly written */ + ret = regmap_read_poll_timeout(priv->regmap, STM32_LPTIM_ISR, val, +- (val & STM32_LPTIM_CMPOK_ARROK), ++ (val & STM32_LPTIM_CMPOK_ARROK) == STM32_LPTIM_CMPOK_ARROK, + 100, 1000); + if (ret) + return ret; +-- +2.35.1 + diff --git a/queue-5.4/cpufreq-amd_freq_sensitivity-add-missing-pci_dev_put.patch b/queue-5.4/cpufreq-amd_freq_sensitivity-add-missing-pci_dev_put.patch new file mode 100644 index 00000000000..e6327374268 --- /dev/null +++ b/queue-5.4/cpufreq-amd_freq_sensitivity-add-missing-pci_dev_put.patch 
@@ -0,0 +1,37 @@ +From 4867264428142382b4902c52826290e93f6b1ad9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 19:33:39 +0800 +Subject: cpufreq: amd_freq_sensitivity: Add missing pci_dev_put() + +From: Xiongfeng Wang + +[ Upstream commit 91fda1f88c0968f1491ab150bb01690525af150a ] + +pci_get_device() will increase the reference count for the returned +pci_dev. We need to use pci_dev_put() to decrease the reference count +after using pci_get_device(). Let's add it. + +Fixes: 59a3b3a8db16 ("cpufreq: AMD: Ignore the check for ProcFeedback in ST/CZ") +Signed-off-by: Xiongfeng Wang +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/amd_freq_sensitivity.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/cpufreq/amd_freq_sensitivity.c b/drivers/cpufreq/amd_freq_sensitivity.c +index 5107cbe2d64d..72fd06fa0b59 100644 +--- a/drivers/cpufreq/amd_freq_sensitivity.c ++++ b/drivers/cpufreq/amd_freq_sensitivity.c +@@ -124,6 +124,8 @@ static int __init amd_freq_sensitivity_init(void) + if (!pcidev) { + if (!boot_cpu_has(X86_FEATURE_PROC_FEEDBACK)) + return -ENODEV; ++ } else { ++ pci_dev_put(pcidev); + } + + if (rdmsrl_safe(MSR_AMD64_FREQ_SENSITIVITY_ACTUAL, &val)) +-- +2.35.1 + diff --git a/queue-5.4/cpuidle-dt-return-the-correct-numbers-of-parsed-idle.patch b/queue-5.4/cpuidle-dt-return-the-correct-numbers-of-parsed-idle.patch new file mode 100644 index 00000000000..68687ee1a41 --- /dev/null +++ b/queue-5.4/cpuidle-dt-return-the-correct-numbers-of-parsed-idle.patch 
@@ -0,0 +1,44 @@ +From c3916fc65d3278bcfe69394263ec13590bde93ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Oct 2022 17:10:12 +0200 +Subject: cpuidle: dt: Return the correct numbers of parsed idle states + +From: Ulf Hansson + +[ Upstream commit ee3c2c8ad6ba6785f14a60e4081d7c82e88162a2 ] + +While we correctly skips to initialize an idle state from a disabled idle +state node in DT, the returned value from dt_init_idle_driver() don't get +adjusted accordingly. Instead the number of found idle state nodes are +returned, while the callers are expecting the number of successfully +initialized idle states from DT. + +This leads to cpuidle drivers unnecessarily continues to initialize their +idle state specific data. Moreover, in the case when all idle states have +been disabled in DT, we would end up registering a cpuidle driver, rather +than relying on the default arch specific idle call. + +Fixes: 9f14da345599 ("drivers: cpuidle: implement DT based idle states infrastructure") +Signed-off-by: Ulf Hansson +Reviewed-by: Sudeep Holla +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/dt_idle_states.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cpuidle/dt_idle_states.c b/drivers/cpuidle/dt_idle_states.c +index d06d21a9525d..74702065730c 100644 +--- a/drivers/cpuidle/dt_idle_states.c ++++ b/drivers/cpuidle/dt_idle_states.c +@@ -224,6 +224,6 @@ int dt_init_idle_driver(struct cpuidle_driver *drv, + * also be 0 on platforms with missing DT idle states or legacy DT + * configuration predating the DT idle states bindings. + */ +- return i; ++ return state_idx - start_idx; + } + EXPORT_SYMBOL_GPL(dt_init_idle_driver); +-- +2.35.1 + diff --git a/queue-5.4/crypto-ccree-make-cc_debugfs_global_fini-available-f.patch b/queue-5.4/crypto-ccree-make-cc_debugfs_global_fini-available-f.patch new file mode 100644 index 00000000000..4049c806ef9 --- /dev/null 
+++ b/queue-5.4/crypto-ccree-make-cc_debugfs_global_fini-available-f.patch @@ -0,0 +1,46 @@ +From 6fbaa0f2b5349a5b382d65f1b72ee56a94d5ed30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 18:22:36 +0100 +Subject: crypto: ccree - Make cc_debugfs_global_fini() available for module + init function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 8e96729fc26c8967db45a3fb7a60387619f77a22 ] + +ccree_init() calls cc_debugfs_global_fini(), the former is an init +function and the latter an exit function though. + +A modular build emits: + + WARNING: modpost: drivers/crypto/ccree/ccree.o: section mismatch in reference: init_module (section: .init.text) -> cc_debugfs_global_fini (section: .exit.text) + +(with CONFIG_DEBUG_SECTION_MISMATCH=y). + +Fixes: 4f1c596df706 ("crypto: ccree - Remove debugfs when platform_driver_register failed") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccree/cc_debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/ccree/cc_debugfs.c b/drivers/crypto/ccree/cc_debugfs.c +index 566999738698..47077dd77f5d 100644 +--- a/drivers/crypto/ccree/cc_debugfs.c ++++ b/drivers/crypto/ccree/cc_debugfs.c +@@ -59,7 +59,7 @@ void __init cc_debugfs_global_init(void) + cc_debugfs_dir = debugfs_create_dir("ccree", NULL); + } + +-void __exit cc_debugfs_global_fini(void) ++void cc_debugfs_global_fini(void) + { + debugfs_remove(cc_debugfs_dir); + } +-- +2.35.1 + diff --git a/queue-5.4/crypto-ccree-remove-debugfs-when-platform_driver_reg.patch b/queue-5.4/crypto-ccree-remove-debugfs-when-platform_driver_reg.patch new file mode 100644 index 00000000000..1c6fe8aa163 --- /dev/null +++ b/queue-5.4/crypto-ccree-remove-debugfs-when-platform_driver_reg.patch 
@@ -0,0 +1,49 @@ +From d69bd1960f2e3dd8849f460cc471b12852456fda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 16:29:12 +0800 +Subject: crypto: ccree - Remove debugfs when platform_driver_register failed + +From: Gaosheng Cui + +[ Upstream commit 4f1c596df706c9aca662b6c214fad84047ae2a97 ] + +When platform_driver_register failed, we need to remove debugfs, +which will caused a resource leak, fix it. + +Failed logs as follows: +[ 32.606488] debugfs: Directory 'ccree' with parent '/' already present! + +Fixes: 4c3f97276e15 ("crypto: ccree - introduce CryptoCell driver") +Signed-off-by: Gaosheng Cui +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccree/cc_driver.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/ccree/cc_driver.c b/drivers/crypto/ccree/cc_driver.c +index 58ca59af0b2e..3d59fef1fbee 100644 +--- a/drivers/crypto/ccree/cc_driver.c ++++ b/drivers/crypto/ccree/cc_driver.c +@@ -653,9 +653,17 @@ static struct platform_driver ccree_driver = { + + static int __init ccree_init(void) + { ++ int rc; ++ + cc_debugfs_global_init(); + +- return platform_driver_register(&ccree_driver); ++ rc = platform_driver_register(&ccree_driver); ++ if (rc) { ++ cc_debugfs_global_fini(); ++ return rc; ++ } ++ ++ return 0; + } + module_init(ccree_init); + +-- +2.35.1 + diff --git a/queue-5.4/crypto-ccree-swap-sha384-and-sha512-larval-hashes-at.patch b/queue-5.4/crypto-ccree-swap-sha384-and-sha512-larval-hashes-at.patch new file mode 100644 index 00000000000..5f2b31e07bc --- /dev/null +++ b/queue-5.4/crypto-ccree-swap-sha384-and-sha512-larval-hashes-at.patch 
@@ -0,0 +1,135 @@ +From a715a12894c74f75a6ee6270bb5f37ff01445a98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Feb 2020 19:18:59 +0100 +Subject: crypto: ccree - swap SHA384 and SHA512 larval hashes at build time + +From: Geert Uytterhoeven + +[ Upstream commit f08b58501c74d6ec0828b55a0d4e0b2e840c2b9e ] + +Due to the way the hardware works, every double word in the SHA384 and +SHA512 larval hashes must be swapped. Currently this is done at run +time, during driver initialization. + +However, this swapping can easily be done at build time. Treating each +double word as two words has the benefit of changing the larval hashes' +types from u64[] to u32[], like for all other hashes, and allows +dropping the casts and size doublings when calling cc_set_sram_desc(). + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Herbert Xu +Stable-dep-of: 4f1c596df706 ("crypto: ccree - Remove debugfs when platform_driver_register failed") +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccree/cc_driver.c | 1 - + drivers/crypto/ccree/cc_hash.c | 49 +++++++++++--------------------- + drivers/crypto/ccree/cc_hash.h | 2 -- + 3 files changed, 17 insertions(+), 35 deletions(-) + +diff --git a/drivers/crypto/ccree/cc_driver.c b/drivers/crypto/ccree/cc_driver.c +index 8b8eee513c27..58ca59af0b2e 100644 +--- a/drivers/crypto/ccree/cc_driver.c ++++ b/drivers/crypto/ccree/cc_driver.c +@@ -653,7 +653,6 @@ static struct platform_driver ccree_driver = { + + static int __init ccree_init(void) + { +- cc_hash_global_init(); + cc_debugfs_global_init(); + + return platform_driver_register(&ccree_driver); +diff --git a/drivers/crypto/ccree/cc_hash.c b/drivers/crypto/ccree/cc_hash.c +index bc71bdf44a9f..9f67df0a4921 100644 +--- a/drivers/crypto/ccree/cc_hash.c ++++ b/drivers/crypto/ccree/cc_hash.c +@@ -39,12 +39,19 @@ static const u32 cc_sha256_init[] = { + SHA256_H3, SHA256_H2, SHA256_H1, SHA256_H0 }; + static const u32 cc_digest_len_sha512_init[] = { + 0x00000080, 0x00000000, 0x00000000, 
0x00000000 }; +-static u64 cc_sha384_init[] = { +- SHA384_H7, SHA384_H6, SHA384_H5, SHA384_H4, +- SHA384_H3, SHA384_H2, SHA384_H1, SHA384_H0 }; +-static u64 cc_sha512_init[] = { +- SHA512_H7, SHA512_H6, SHA512_H5, SHA512_H4, +- SHA512_H3, SHA512_H2, SHA512_H1, SHA512_H0 }; ++ ++/* ++ * Due to the way the HW works, every double word in the SHA384 and SHA512 ++ * larval hashes must be stored in hi/lo order ++ */ ++#define hilo(x) upper_32_bits(x), lower_32_bits(x) ++static const u32 cc_sha384_init[] = { ++ hilo(SHA384_H7), hilo(SHA384_H6), hilo(SHA384_H5), hilo(SHA384_H4), ++ hilo(SHA384_H3), hilo(SHA384_H2), hilo(SHA384_H1), hilo(SHA384_H0) }; ++static const u32 cc_sha512_init[] = { ++ hilo(SHA512_H7), hilo(SHA512_H6), hilo(SHA512_H5), hilo(SHA512_H4), ++ hilo(SHA512_H3), hilo(SHA512_H2), hilo(SHA512_H1), hilo(SHA512_H0) }; ++ + static const u32 cc_sm3_init[] = { + SM3_IVH, SM3_IVG, SM3_IVF, SM3_IVE, + SM3_IVD, SM3_IVC, SM3_IVB, SM3_IVA }; +@@ -1948,8 +1955,8 @@ int cc_init_hash_sram(struct cc_drvdata *drvdata) + } + + if (large_sha_supported) { +- cc_set_sram_desc((u32 *)cc_sha384_init, sram_buff_ofs, +- (ARRAY_SIZE(cc_sha384_init) * 2), larval_seq, ++ cc_set_sram_desc(cc_sha384_init, sram_buff_ofs, ++ ARRAY_SIZE(cc_sha384_init), larval_seq, + &larval_seq_len); + rc = send_request_init(drvdata, larval_seq, larval_seq_len); + if (rc) +@@ -1957,8 +1964,8 @@ int cc_init_hash_sram(struct cc_drvdata *drvdata) + sram_buff_ofs += sizeof(cc_sha384_init); + larval_seq_len = 0; + +- cc_set_sram_desc((u32 *)cc_sha512_init, sram_buff_ofs, +- (ARRAY_SIZE(cc_sha512_init) * 2), larval_seq, ++ cc_set_sram_desc(cc_sha512_init, sram_buff_ofs, ++ ARRAY_SIZE(cc_sha512_init), larval_seq, + &larval_seq_len); + rc = send_request_init(drvdata, larval_seq, larval_seq_len); + if (rc) +@@ -1969,28 +1976,6 @@ int cc_init_hash_sram(struct cc_drvdata *drvdata) + return rc; + } + +-static void __init cc_swap_dwords(u32 *buf, unsigned long size) +-{ +- int i; +- u32 tmp; +- +- for (i = 0; i < 
size; i += 2) { +- tmp = buf[i]; +- buf[i] = buf[i + 1]; +- buf[i + 1] = tmp; +- } +-} +- +-/* +- * Due to the way the HW works we need to swap every +- * double word in the SHA384 and SHA512 larval hashes +- */ +-void __init cc_hash_global_init(void) +-{ +- cc_swap_dwords((u32 *)&cc_sha384_init, (ARRAY_SIZE(cc_sha384_init) * 2)); +- cc_swap_dwords((u32 *)&cc_sha512_init, (ARRAY_SIZE(cc_sha512_init) * 2)); +-} +- + int cc_hash_alloc(struct cc_drvdata *drvdata) + { + struct cc_hash_handle *hash_handle; +diff --git a/drivers/crypto/ccree/cc_hash.h b/drivers/crypto/ccree/cc_hash.h +index 0d6dc61484d7..3dbd0abefea0 100644 +--- a/drivers/crypto/ccree/cc_hash.h ++++ b/drivers/crypto/ccree/cc_hash.h +@@ -104,6 +104,4 @@ cc_digest_len_addr(void *drvdata, u32 mode); + */ + cc_sram_addr_t cc_larval_digest_addr(void *drvdata, u32 mode); + +-void cc_hash_global_init(void); +- + #endif /*__CC_HASH_H__*/ +-- +2.35.1 + diff --git a/queue-5.4/crypto-img-hash-fix-variable-dereferenced-before-che.patch b/queue-5.4/crypto-img-hash-fix-variable-dereferenced-before-che.patch new file mode 100644 index 00000000000..e761b67f816 --- /dev/null +++ b/queue-5.4/crypto-img-hash-fix-variable-dereferenced-before-che.patch 
@@ -0,0 +1,52 @@ +From 0898e5b2107c1bdff66714db8d61ea2ca62de865 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 14:25:26 +0800 +Subject: crypto: img-hash - Fix variable dereferenced before check 'hdev->req' + +From: Gaosheng Cui + +[ Upstream commit 04ba54e5af8f8f0137b08cb51a0b3a2e1ea46c94 ] + +Smatch report warning as follows: + +drivers/crypto/img-hash.c:366 img_hash_dma_task() warn: variable +dereferenced before check 'hdev->req' + +Variable dereferenced should be done after check 'hdev->req', +fix it. + +Fixes: d358f1abbf71 ("crypto: img-hash - Add Imagination Technologies hw hash accelerator") +Fixes: 10badea259fa ("crypto: img-hash - Fix null pointer exception") +Signed-off-by: Gaosheng Cui +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/img-hash.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/img-hash.c b/drivers/crypto/img-hash.c +index fe4cc8babe1c..17cc44f14e5c 100644 +--- a/drivers/crypto/img-hash.c ++++ b/drivers/crypto/img-hash.c +@@ -356,12 +356,16 @@ static int img_hash_dma_init(struct img_hash_dev *hdev) + static void img_hash_dma_task(unsigned long d) + { + struct img_hash_dev *hdev = (struct img_hash_dev *)d; +- struct img_hash_request_ctx *ctx = ahash_request_ctx(hdev->req); ++ struct img_hash_request_ctx *ctx; + u8 *addr; + size_t nbytes, bleft, wsend, len, tbc; + struct scatterlist tsg; + +- if (!hdev->req || !ctx->sg) ++ if (!hdev->req) ++ return; ++ ++ ctx = ahash_request_ctx(hdev->req); ++ if (!ctx->sg) + return; + + addr = sg_virt(ctx->sg); +-- +2.35.1 + diff --git a/queue-5.4/crypto-omap-sham-use-pm_runtime_resume_and_get-in-om.patch b/queue-5.4/crypto-omap-sham-use-pm_runtime_resume_and_get-in-om.patch new file mode 100644 index 00000000000..14d96553ca9 --- /dev/null +++ b/queue-5.4/crypto-omap-sham-use-pm_runtime_resume_and_get-in-om.patch 
@@ -0,0 +1,41 @@ +From 63f731ffa8f5a34fd9ce13790fe14a3e150f40a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 14:49:40 +0800 +Subject: crypto: omap-sham - Use pm_runtime_resume_and_get() in + omap_sham_probe() + +From: Shang XiaoJing + +[ Upstream commit 7bcceb4c9896b1b672b636ae70fe75110d6bf1ad ] + +omap_sham_probe() calls pm_runtime_get_sync() and calls +pm_runtime_put_sync() latter to put usage_counter. However, +pm_runtime_get_sync() will increment usage_counter even it failed. Fix +it by replacing it with pm_runtime_resume_and_get() to keep usage +counter balanced. + +Fixes: b359f034c8bf ("crypto: omap-sham - Convert to use pm_runtime API") +Signed-off-by: Shang XiaoJing +Acked-by: Mark Greer +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/omap-sham.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/omap-sham.c b/drivers/crypto/omap-sham.c +index f8a146554b1f..dbab9e38223e 100644 +--- a/drivers/crypto/omap-sham.c ++++ b/drivers/crypto/omap-sham.c +@@ -2141,7 +2141,7 @@ static int omap_sham_probe(struct platform_device *pdev) + pm_runtime_enable(dev); + pm_runtime_irq_safe(dev); + +- err = pm_runtime_get_sync(dev); ++ err = pm_runtime_resume_and_get(dev); + if (err < 0) { + dev_err(dev, "failed to get sync: %d\n", err); + goto err_pm; +-- +2.35.1 + diff --git a/queue-5.4/crypto-tcrypt-fix-multibuffer-skcipher-speed-test-me.patch b/queue-5.4/crypto-tcrypt-fix-multibuffer-skcipher-speed-test-me.patch new file mode 100644 index 00000000000..8c1b2f7abd9 --- /dev/null +++ b/queue-5.4/crypto-tcrypt-fix-multibuffer-skcipher-speed-test-me.patch 
@@ -0,0 +1,45 @@ +From 46333d670b378eb6bf9e813ce05fdc977e65ecb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 17:24:11 +0800 +Subject: crypto: tcrypt - Fix multibuffer skcipher speed test mem leak + +From: Zhang Yiqun + +[ Upstream commit 1aa33fc8d4032227253ceb736f47c52b859d9683 ] + +In the past, the data for mb-skcipher test has been allocated +twice, that means the first allcated memory area is without +free, which may cause a potential memory leakage. So this +patch is to remove one allocation to fix this error. + +Fixes: e161c5930c15 ("crypto: tcrypt - add multibuf skcipher...") +Signed-off-by: Zhang Yiqun +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/tcrypt.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c +index 0cece1f883eb..12dab10d36b2 100644 +--- a/crypto/tcrypt.c ++++ b/crypto/tcrypt.c +@@ -1281,15 +1281,6 @@ static void test_mb_skcipher_speed(const char *algo, int enc, int secs, + goto out_free_tfm; + } + +- +- for (i = 0; i < num_mb; ++i) +- if (testmgr_alloc_buf(data[i].xbuf)) { +- while (i--) +- testmgr_free_buf(data[i].xbuf); +- goto out_free_tfm; +- } +- +- + for (i = 0; i < num_mb; ++i) { + data[i].req = skcipher_request_alloc(tfm, GFP_KERNEL); + if (!data[i].req) { +-- +2.35.1 + diff --git a/queue-5.4/cxl-fix-possible-null-ptr-deref-in-cxl_guest_init_af.patch b/queue-5.4/cxl-fix-possible-null-ptr-deref-in-cxl_guest_init_af.patch new file mode 100644 index 00000000000..b864b494e18 --- /dev/null +++ b/queue-5.4/cxl-fix-possible-null-ptr-deref-in-cxl_guest_init_af.patch 
@@ -0,0 +1,99 @@ +From d8fc48971cc4df4e0ad71316f7ce69816c6e9d8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 22:54:39 +0800 +Subject: cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter() + +From: Yang Yingliang + +[ Upstream commit 61c80d1c3833e196256fb060382db94f24d3d9a7 ] + +If device_register() fails in cxl_register_afu|adapter(), the device +is not added, device_unregister() can not be called in the error path, +otherwise it will cause a null-ptr-deref because of removing not added +device. + +As comment of device_register() says, it should use put_device() to give +up the reference in the error path. So split device_unregister() into +device_del() and put_device(), then goes to put dev when register fails. + +Fixes: 14baf4d9c739 ("cxl: Add guest-specific code") +Signed-off-by: Yang Yingliang +Acked-by: Andrew Donnellan +Acked-by: Frederic Barrat +Link: https://lore.kernel.org/r/20221111145440.2426970-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/cxl/guest.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +diff --git a/drivers/misc/cxl/guest.c b/drivers/misc/cxl/guest.c +index 186308f1f8eb..6334376826a9 100644 +--- a/drivers/misc/cxl/guest.c ++++ b/drivers/misc/cxl/guest.c +@@ -959,10 +959,10 @@ int cxl_guest_init_afu(struct cxl *adapter, int slice, struct device_node *afu_n + * if it returns an error! 
+ */ + if ((rc = cxl_register_afu(afu))) +- goto err_put1; ++ goto err_put_dev; + + if ((rc = cxl_sysfs_afu_add(afu))) +- goto err_put1; ++ goto err_del_dev; + + /* + * pHyp doesn't expose the programming models supported by the +@@ -978,7 +978,7 @@ int cxl_guest_init_afu(struct cxl *adapter, int slice, struct device_node *afu_n + afu->modes_supported = CXL_MODE_DIRECTED; + + if ((rc = cxl_afu_select_best_mode(afu))) +- goto err_put2; ++ goto err_remove_sysfs; + + adapter->afu[afu->slice] = afu; + +@@ -998,10 +998,12 @@ int cxl_guest_init_afu(struct cxl *adapter, int slice, struct device_node *afu_n + + return 0; + +-err_put2: ++err_remove_sysfs: + cxl_sysfs_afu_remove(afu); +-err_put1: +- device_unregister(&afu->dev); ++err_del_dev: ++ device_del(&afu->dev); ++err_put_dev: ++ put_device(&afu->dev); + free = false; + guest_release_serr_irq(afu); + err2: +@@ -1135,18 +1137,20 @@ struct cxl *cxl_guest_init_adapter(struct device_node *np, struct platform_devic + * even if it returns an error! + */ + if ((rc = cxl_register_adapter(adapter))) +- goto err_put1; ++ goto err_put_dev; + + if ((rc = cxl_sysfs_adapter_add(adapter))) +- goto err_put1; ++ goto err_del_dev; + + /* release the context lock as the adapter is configured */ + cxl_adapter_context_unlock(adapter); + + return adapter; + +-err_put1: +- device_unregister(&adapter->dev); ++err_del_dev: ++ device_del(&adapter->dev); ++err_put_dev: ++ put_device(&adapter->dev); + free = false; + cxl_guest_remove_chardev(adapter); + err1: +-- +2.35.1 + diff --git a/queue-5.4/cxl-fix-possible-null-ptr-deref-in-cxl_pci_init_afu-.patch b/queue-5.4/cxl-fix-possible-null-ptr-deref-in-cxl_pci_init_afu-.patch new file mode 100644 index 00000000000..e551e58935c --- /dev/null +++ b/queue-5.4/cxl-fix-possible-null-ptr-deref-in-cxl_pci_init_afu-.patch 
@@ -0,0 +1,94 @@ +From f19cb7651af66d338b55c397643962a1fad5e8a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 22:54:40 +0800 +Subject: cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter() + +From: Yang Yingliang + +[ Upstream commit 02cd3032b154fa02fdf90e7467abaeed889330b2 ] + +If device_register() fails in cxl_pci_afu|adapter(), the device +is not added, device_unregister() can not be called in the error +path, otherwise it will cause a null-ptr-deref because of removing +not added device. + +As comment of device_register() says, it should use put_device() to give +up the reference in the error path. So split device_unregister() into +device_del() and put_device(), then goes to put dev when register fails. + +Fixes: f204e0b8cedd ("cxl: Driver code for powernv PCIe based cards for userspace access") +Signed-off-by: Yang Yingliang +Acked-by: Frederic Barrat +Acked-by: Andrew Donnellan +Link: https://lore.kernel.org/r/20221111145440.2426970-2-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/cxl/pci.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/drivers/misc/cxl/pci.c b/drivers/misc/cxl/pci.c +index 2ba899f5659f..0ac3f4cb88ac 100644 +--- a/drivers/misc/cxl/pci.c ++++ b/drivers/misc/cxl/pci.c +@@ -1164,10 +1164,10 @@ static int pci_init_afu(struct cxl *adapter, int slice, struct pci_dev *dev) + * if it returns an error! 
+ */ + if ((rc = cxl_register_afu(afu))) +- goto err_put1; ++ goto err_put_dev; + + if ((rc = cxl_sysfs_afu_add(afu))) +- goto err_put1; ++ goto err_del_dev; + + adapter->afu[afu->slice] = afu; + +@@ -1176,10 +1176,12 @@ static int pci_init_afu(struct cxl *adapter, int slice, struct pci_dev *dev) + + return 0; + +-err_put1: ++err_del_dev: ++ device_del(&afu->dev); ++err_put_dev: + pci_deconfigure_afu(afu); + cxl_debugfs_afu_remove(afu); +- device_unregister(&afu->dev); ++ put_device(&afu->dev); + return rc; + + err_free_native: +@@ -1667,23 +1669,25 @@ static struct cxl *cxl_pci_init_adapter(struct pci_dev *dev) + * even if it returns an error! + */ + if ((rc = cxl_register_adapter(adapter))) +- goto err_put1; ++ goto err_put_dev; + + if ((rc = cxl_sysfs_adapter_add(adapter))) +- goto err_put1; ++ goto err_del_dev; + + /* Release the context lock as adapter is configured */ + cxl_adapter_context_unlock(adapter); + + return adapter; + +-err_put1: ++err_del_dev: ++ device_del(&adapter->dev); ++err_put_dev: + /* This should mirror cxl_remove_adapter, except without the + * sysfs parts + */ + cxl_debugfs_adapter_remove(adapter); + cxl_deconfigure_adapter(adapter); +- device_unregister(&adapter->dev); ++ put_device(&adapter->dev); + return ERR_PTR(rc); + + err_release: +-- +2.35.1 + diff --git a/queue-5.4/cxl-fix-refcount-leak-in-cxl_calc_capp_routing.patch b/queue-5.4/cxl-fix-refcount-leak-in-cxl_calc_capp_routing.patch new file mode 100644 index 00000000000..5c1f37f37b6 --- /dev/null +++ b/queue-5.4/cxl-fix-refcount-leak-in-cxl_calc_capp_routing.patch 
@@ -0,0 +1,41 @@ +From 83dd672bb09908fb5c7e161829322adaa96e5813 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jun 2022 10:00:38 +0400 +Subject: cxl: Fix refcount leak in cxl_calc_capp_routing + +From: Miaoqian Lin + +[ Upstream commit 1d09697ff22908ae487fc8c4fbde1811732be523 ] + +of_get_next_parent() returns a node pointer with refcount incremented, +we should use of_node_put() on it when not need anymore. +This function only calls of_node_put() in normal path, +missing it in the error path. +Add missing of_node_put() to avoid refcount leak. + +Fixes: f24be42aab37 ("cxl: Add psl9 specific code") +Signed-off-by: Miaoqian Lin +Acked-by: Andrew Donnellan +Acked-by: Frederic Barrat +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220605060038.62217-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/misc/cxl/pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/misc/cxl/pci.c b/drivers/misc/cxl/pci.c +index 0ac3f4cb88ac..d183836d80e3 100644 +--- a/drivers/misc/cxl/pci.c ++++ b/drivers/misc/cxl/pci.c +@@ -387,6 +387,7 @@ int cxl_calc_capp_routing(struct pci_dev *dev, u64 *chipid, + rc = get_phb_index(np, phb_index); + if (rc) { + pr_err("cxl: invalid phb index\n"); ++ of_node_put(np); + return rc; + } + +-- +2.35.1 + diff --git a/queue-5.4/debugfs-fix-error-when-writing-negative-value-to-ato.patch b/queue-5.4/debugfs-fix-error-when-writing-negative-value-to-ato.patch new file mode 100644 index 00000000000..49bd24d5653 --- /dev/null +++ b/queue-5.4/debugfs-fix-error-when-writing-negative-value-to-ato.patch 
@@ -0,0 +1,198 @@ +From 58a7f73568385e80d2c40980166307f557a351f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 02:24:18 +0900 +Subject: debugfs: fix error when writing negative value to atomic_t debugfs + file + +From: Akinobu Mita + +[ Upstream commit d472cf797c4e268613dbce5ec9b95d0bcae19ecb ] + +The simple attribute files do not accept a negative value since the commit +488dac0c9237 ("libfs: fix error cast of negative value in +simple_attr_write()"), so we have to use a 64-bit value to write a +negative value for a debugfs file created by debugfs_create_atomic_t(). + +This restores the previous behaviour by introducing +DEFINE_DEBUGFS_ATTRIBUTE_SIGNED for a signed value. + +Link: https://lkml.kernel.org/r/20220919172418.45257-4-akinobu.mita@gmail.com +Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()") +Signed-off-by: Akinobu Mita +Reported-by: Zhao Gongyi +Reviewed-by: David Hildenbrand +Reviewed-by: Greg Kroah-Hartman +Cc: Alexander Viro +Cc: Jonathan Corbet +Cc: Oscar Salvador +Cc: Rafael J. Wysocki +Cc: Shuah Khan +Cc: Wei Yongjun +Cc: Yicong Yang +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + .../fault-injection/fault-injection.rst | 10 +++---- + fs/debugfs/file.c | 28 +++++++++++++++---- + include/linux/debugfs.h | 19 +++++++++++-- + 3 files changed, 43 insertions(+), 14 deletions(-) + +diff --git a/Documentation/fault-injection/fault-injection.rst b/Documentation/fault-injection/fault-injection.rst +index e4056dc51e7f..49b577307385 100644 +--- a/Documentation/fault-injection/fault-injection.rst ++++ b/Documentation/fault-injection/fault-injection.rst +@@ -75,9 +75,7 @@ configuration of fault-injection capabilities. + - /sys/kernel/debug/fail*/times: + + specifies how many times failures may happen at most. A value of -1 +- means "no limit". Note, though, that this file only accepts unsigned +- values. 
So, if you want to specify -1, you better use 'printf' instead +- of 'echo', e.g.: $ printf %#x -1 > times ++ means "no limit". + + - /sys/kernel/debug/fail*/space: + +@@ -254,7 +252,7 @@ Application Examples + echo Y > /sys/kernel/debug/$FAILTYPE/task-filter + echo 10 > /sys/kernel/debug/$FAILTYPE/probability + echo 100 > /sys/kernel/debug/$FAILTYPE/interval +- printf %#x -1 > /sys/kernel/debug/$FAILTYPE/times ++ echo -1 > /sys/kernel/debug/$FAILTYPE/times + echo 0 > /sys/kernel/debug/$FAILTYPE/space + echo 2 > /sys/kernel/debug/$FAILTYPE/verbose + echo 1 > /sys/kernel/debug/$FAILTYPE/ignore-gfp-wait +@@ -308,7 +306,7 @@ Application Examples + echo N > /sys/kernel/debug/$FAILTYPE/task-filter + echo 10 > /sys/kernel/debug/$FAILTYPE/probability + echo 100 > /sys/kernel/debug/$FAILTYPE/interval +- printf %#x -1 > /sys/kernel/debug/$FAILTYPE/times ++ echo -1 > /sys/kernel/debug/$FAILTYPE/times + echo 0 > /sys/kernel/debug/$FAILTYPE/space + echo 2 > /sys/kernel/debug/$FAILTYPE/verbose + echo 1 > /sys/kernel/debug/$FAILTYPE/ignore-gfp-wait +@@ -339,7 +337,7 @@ Application Examples + echo N > /sys/kernel/debug/$FAILTYPE/task-filter + echo 100 > /sys/kernel/debug/$FAILTYPE/probability + echo 0 > /sys/kernel/debug/$FAILTYPE/interval +- printf %#x -1 > /sys/kernel/debug/$FAILTYPE/times ++ echo -1 > /sys/kernel/debug/$FAILTYPE/times + echo 0 > /sys/kernel/debug/$FAILTYPE/space + echo 1 > /sys/kernel/debug/$FAILTYPE/verbose + +diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c +index da87615ad69a..9efc243e991a 100644 +--- a/fs/debugfs/file.c ++++ b/fs/debugfs/file.c +@@ -377,8 +377,8 @@ ssize_t debugfs_attr_read(struct file *file, char __user *buf, + } + EXPORT_SYMBOL_GPL(debugfs_attr_read); + +-ssize_t debugfs_attr_write(struct file *file, const char __user *buf, +- size_t len, loff_t *ppos) ++static ssize_t debugfs_attr_write_xsigned(struct file *file, const char __user *buf, ++ size_t len, loff_t *ppos, bool is_signed) + { + struct dentry *dentry = F_DENTRY(file); + 
ssize_t ret; +@@ -386,12 +386,28 @@ ssize_t debugfs_attr_write(struct file *file, const char __user *buf, + ret = debugfs_file_get(dentry); + if (unlikely(ret)) + return ret; +- ret = simple_attr_write(file, buf, len, ppos); ++ if (is_signed) ++ ret = simple_attr_write_signed(file, buf, len, ppos); ++ else ++ ret = simple_attr_write(file, buf, len, ppos); + debugfs_file_put(dentry); + return ret; + } ++ ++ssize_t debugfs_attr_write(struct file *file, const char __user *buf, ++ size_t len, loff_t *ppos) ++{ ++ return debugfs_attr_write_xsigned(file, buf, len, ppos, false); ++} + EXPORT_SYMBOL_GPL(debugfs_attr_write); + ++ssize_t debugfs_attr_write_signed(struct file *file, const char __user *buf, ++ size_t len, loff_t *ppos) ++{ ++ return debugfs_attr_write_xsigned(file, buf, len, ppos, true); ++} ++EXPORT_SYMBOL_GPL(debugfs_attr_write_signed); ++ + static struct dentry *debugfs_create_mode_unsafe(const char *name, umode_t mode, + struct dentry *parent, void *value, + const struct file_operations *fops, +@@ -784,11 +800,11 @@ static int debugfs_atomic_t_get(void *data, u64 *val) + *val = atomic_read((atomic_t *)data); + return 0; + } +-DEFINE_DEBUGFS_ATTRIBUTE(fops_atomic_t, debugfs_atomic_t_get, ++DEFINE_DEBUGFS_ATTRIBUTE_SIGNED(fops_atomic_t, debugfs_atomic_t_get, + debugfs_atomic_t_set, "%lld\n"); +-DEFINE_DEBUGFS_ATTRIBUTE(fops_atomic_t_ro, debugfs_atomic_t_get, NULL, ++DEFINE_DEBUGFS_ATTRIBUTE_SIGNED(fops_atomic_t_ro, debugfs_atomic_t_get, NULL, + "%lld\n"); +-DEFINE_DEBUGFS_ATTRIBUTE(fops_atomic_t_wo, NULL, debugfs_atomic_t_set, ++DEFINE_DEBUGFS_ATTRIBUTE_SIGNED(fops_atomic_t_wo, NULL, debugfs_atomic_t_set, + "%lld\n"); + + /** +diff --git a/include/linux/debugfs.h b/include/linux/debugfs.h +index 7e4f156acc2f..d0238d3b2f31 100644 +--- a/include/linux/debugfs.h ++++ b/include/linux/debugfs.h +@@ -39,7 +39,7 @@ struct debugfs_regset32 { + + extern struct dentry *arch_debugfs_dir; + +-#define DEFINE_DEBUGFS_ATTRIBUTE(__fops, __get, __set, __fmt) \ ++#define 
DEFINE_DEBUGFS_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, __is_signed) \ + static int __fops ## _open(struct inode *inode, struct file *file) \ + { \ + __simple_attr_check_format(__fmt, 0ull); \ +@@ -50,10 +50,16 @@ static const struct file_operations __fops = { \ + .open = __fops ## _open, \ + .release = simple_attr_release, \ + .read = debugfs_attr_read, \ +- .write = debugfs_attr_write, \ ++ .write = (__is_signed) ? debugfs_attr_write_signed : debugfs_attr_write, \ + .llseek = no_llseek, \ + } + ++#define DEFINE_DEBUGFS_ATTRIBUTE(__fops, __get, __set, __fmt) \ ++ DEFINE_DEBUGFS_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, false) ++ ++#define DEFINE_DEBUGFS_ATTRIBUTE_SIGNED(__fops, __get, __set, __fmt) \ ++ DEFINE_DEBUGFS_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, true) ++ + typedef struct vfsmount *(*debugfs_automount_t)(struct dentry *, void *); + + #if defined(CONFIG_DEBUG_FS) +@@ -96,6 +102,8 @@ ssize_t debugfs_attr_read(struct file *file, char __user *buf, + size_t len, loff_t *ppos); + ssize_t debugfs_attr_write(struct file *file, const char __user *buf, + size_t len, loff_t *ppos); ++ssize_t debugfs_attr_write_signed(struct file *file, const char __user *buf, ++ size_t len, loff_t *ppos); + + struct dentry *debugfs_rename(struct dentry *old_dir, struct dentry *old_dentry, + struct dentry *new_dir, const char *new_name); +@@ -245,6 +253,13 @@ static inline ssize_t debugfs_attr_write(struct file *file, + return -ENODEV; + } + ++static inline ssize_t debugfs_attr_write_signed(struct file *file, ++ const char __user *buf, ++ size_t len, loff_t *ppos) ++{ ++ return -ENODEV; ++} ++ + static inline struct dentry *debugfs_rename(struct dentry *old_dir, struct dentry *old_dentry, + struct dentry *new_dir, char *new_name) + { +-- +2.35.1 + diff --git a/queue-5.4/debugobjects-free-per-cpu-pool-after-cpu-unplug.patch b/queue-5.4/debugobjects-free-per-cpu-pool-after-cpu-unplug.patch new file mode 100644 index 00000000000..acd19b497db --- /dev/null 
+++ b/queue-5.4/debugobjects-free-per-cpu-pool-after-cpu-unplug.patch 
@@ -0,0 +1,93 @@ +From 8b9bd2db0e9557b04fb4c8b36bd03900b3af3a8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 14:27:09 +0800 +Subject: debugobjects: Free per CPU pool after CPU unplug + +From: Zqiang + +[ Upstream commit 88451f2cd3cec2abc30debdf129422d2699d1eba ] + +If a CPU is offlined the debug objects per CPU pool is not cleaned up. If +the CPU is never onlined again then the objects in the pool are wasted. + +Add a CPU hotplug callback which is invoked after the CPU is dead to free +the pool. + +[ tglx: Massaged changelog and added comment about remote access safety ] + +Signed-off-by: Zqiang +Signed-off-by: Thomas Gleixner +Cc: Waiman Long +Link: https://lore.kernel.org/r/20200908062709.11441-1-qiang.zhang@windriver.com +Stable-dep-of: eabb7f1ace53 ("lib/debugobjects: fix stat count and optimize debug_objects_mem_init") +Signed-off-by: Sasha Levin +--- + include/linux/cpuhotplug.h | 1 + + lib/debugobjects.c | 25 +++++++++++++++++++++++++ + 2 files changed, 26 insertions(+) + +diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h +index 15835f37bd5f..970b47fcd6ff 100644 +--- a/include/linux/cpuhotplug.h ++++ b/include/linux/cpuhotplug.h +@@ -36,6 +36,7 @@ enum cpuhp_state { + CPUHP_X86_MCE_DEAD, + CPUHP_VIRT_NET_DEAD, + CPUHP_SLUB_DEAD, ++ CPUHP_DEBUG_OBJ_DEAD, + CPUHP_MM_WRITEBACK_DEAD, + CPUHP_MM_VMSTAT_DEAD, + CPUHP_SOFTIRQ_DEAD, +diff --git a/lib/debugobjects.c b/lib/debugobjects.c +index 48054dbf1b51..746b632792b5 100644 +--- a/lib/debugobjects.c ++++ b/lib/debugobjects.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + + #define ODEBUG_HASH_BITS 14 + #define ODEBUG_HASH_SIZE (1 << ODEBUG_HASH_BITS) +@@ -433,6 +434,25 @@ static void free_object(struct debug_obj *obj) + } + } + ++#ifdef CONFIG_HOTPLUG_CPU ++static int object_cpu_offline(unsigned int cpu) ++{ ++ struct debug_percpu_free *percpu_pool; ++ struct hlist_node *tmp; ++ struct debug_obj *obj; ++ ++ /* Remote access is safe as the CPU is dead 
already */ ++ percpu_pool = per_cpu_ptr(&percpu_obj_pool, cpu); ++ hlist_for_each_entry_safe(obj, tmp, &percpu_pool->free_objs, node) { ++ hlist_del(&obj->node); ++ kmem_cache_free(obj_cache, obj); ++ } ++ percpu_pool->obj_free = 0; ++ ++ return 0; ++} ++#endif ++ + /* + * We run out of memory. That means we probably have tons of objects + * allocated. +@@ -1378,6 +1398,11 @@ void __init debug_objects_mem_init(void) + } else + debug_objects_selftest(); + ++#ifdef CONFIG_HOTPLUG_CPU ++ cpuhp_setup_state_nocalls(CPUHP_DEBUG_OBJ_DEAD, "object:offline", NULL, ++ object_cpu_offline); ++#endif ++ + /* + * Increase the thresholds for allocating and freeing objects + * according to the number of possible CPUs available in the system. +-- +2.35.1 + diff --git a/queue-5.4/docs-fault-injection-fix-non-working-usage-of-negati.patch b/queue-5.4/docs-fault-injection-fix-non-working-usage-of-negati.patch new file mode 100644 index 00000000000..136540970fd --- /dev/null +++ b/queue-5.4/docs-fault-injection-fix-non-working-usage-of-negati.patch 
@@ -0,0 +1,97 @@ +From 9d8a8987c1a48dfe506b85b2c1db8527b3f399f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jun 2021 14:58:41 +0200 +Subject: docs: fault-injection: fix non-working usage of negative values + +From: Wolfram Sang + +[ Upstream commit 005747526d4f3c2ec995891e95cb7625161022f9 ] + +Fault injection uses debugfs in a way that the provided values via sysfs +are interpreted as u64. Providing negative numbers results in an error: + +/sys/kernel/debug/fail_function# echo -1 > times +sh: write error: Invalid argument + +Update the docs and examples to use "printf %#x " in these cases. +For "retval", reword the paragraph a little and fix a typo. + +Signed-off-by: Wolfram Sang +Link: https://lore.kernel.org/r/20210603125841.27436-1-wsa+renesas@sang-engineering.com +Signed-off-by: Jonathan Corbet +Stable-dep-of: d472cf797c4e ("debugfs: fix error when writing negative value to atomic_t debugfs file") +Signed-off-by: Sasha Levin +--- + .../fault-injection/fault-injection.rst | 24 +++++++++++-------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +diff --git a/Documentation/fault-injection/fault-injection.rst b/Documentation/fault-injection/fault-injection.rst +index f51bb21d20e4..e4056dc51e7f 100644 +--- a/Documentation/fault-injection/fault-injection.rst ++++ b/Documentation/fault-injection/fault-injection.rst +@@ -74,8 +74,10 @@ configuration of fault-injection capabilities. + + - /sys/kernel/debug/fail*/times: + +- specifies how many times failures may happen at most. +- A value of -1 means "no limit". ++ specifies how many times failures may happen at most. A value of -1 ++ means "no limit". Note, though, that this file only accepts unsigned ++ values. So, if you want to specify -1, you better use 'printf' instead ++ of 'echo', e.g.: $ printf %#x -1 > times + + - /sys/kernel/debug/fail*/space: + +@@ -163,11 +165,13 @@ configuration of fault-injection capabilities. + - ERRNO: retval must be -1 to -MAX_ERRNO (-4096). 
+ - ERR_NULL: retval must be 0 or -1 to -MAX_ERRNO (-4096). + +-- /sys/kernel/debug/fail_function//retval: ++- /sys/kernel/debug/fail_function//retval: + +- specifies the "error" return value to inject to the given +- function for given function. This will be created when +- user specifies new injection entry. ++ specifies the "error" return value to inject to the given function. ++ This will be created when the user specifies a new injection entry. ++ Note that this file only accepts unsigned values. So, if you want to ++ use a negative errno, you better use 'printf' instead of 'echo', e.g.: ++ $ printf %#x -12 > retval + + Boot option + ^^^^^^^^^^^ +@@ -250,7 +254,7 @@ Application Examples + echo Y > /sys/kernel/debug/$FAILTYPE/task-filter + echo 10 > /sys/kernel/debug/$FAILTYPE/probability + echo 100 > /sys/kernel/debug/$FAILTYPE/interval +- echo -1 > /sys/kernel/debug/$FAILTYPE/times ++ printf %#x -1 > /sys/kernel/debug/$FAILTYPE/times + echo 0 > /sys/kernel/debug/$FAILTYPE/space + echo 2 > /sys/kernel/debug/$FAILTYPE/verbose + echo 1 > /sys/kernel/debug/$FAILTYPE/ignore-gfp-wait +@@ -304,7 +308,7 @@ Application Examples + echo N > /sys/kernel/debug/$FAILTYPE/task-filter + echo 10 > /sys/kernel/debug/$FAILTYPE/probability + echo 100 > /sys/kernel/debug/$FAILTYPE/interval +- echo -1 > /sys/kernel/debug/$FAILTYPE/times ++ printf %#x -1 > /sys/kernel/debug/$FAILTYPE/times + echo 0 > /sys/kernel/debug/$FAILTYPE/space + echo 2 > /sys/kernel/debug/$FAILTYPE/verbose + echo 1 > /sys/kernel/debug/$FAILTYPE/ignore-gfp-wait +@@ -331,11 +335,11 @@ Application Examples + FAILTYPE=fail_function + FAILFUNC=open_ctree + echo $FAILFUNC > /sys/kernel/debug/$FAILTYPE/inject +- echo -12 > /sys/kernel/debug/$FAILTYPE/$FAILFUNC/retval ++ printf %#x -12 > /sys/kernel/debug/$FAILTYPE/$FAILFUNC/retval + echo N > /sys/kernel/debug/$FAILTYPE/task-filter + echo 100 > /sys/kernel/debug/$FAILTYPE/probability + echo 0 > /sys/kernel/debug/$FAILTYPE/interval +- echo -1 > 
/sys/kernel/debug/$FAILTYPE/times ++ printf %#x -1 > /sys/kernel/debug/$FAILTYPE/times + echo 0 > /sys/kernel/debug/$FAILTYPE/space + echo 1 > /sys/kernel/debug/$FAILTYPE/verbose + +-- +2.35.1 + diff --git a/queue-5.4/drivers-dio-fix-possible-memory-leak-in-dio_init.patch b/queue-5.4/drivers-dio-fix-possible-memory-leak-in-dio_init.patch new file mode 100644 index 00000000000..fef167796c9 --- /dev/null +++ b/queue-5.4/drivers-dio-fix-possible-memory-leak-in-dio_init.patch 
@@ -0,0 +1,60 @@ +From 669056194b19473982206618950f1c9dc32b0173 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 14:40:36 +0800 +Subject: drivers: dio: fix possible memory leak in dio_init() + +From: Yang Yingliang + +[ Upstream commit e63e99397b2613d50a5f4f02ed07307e67a190f1 ] + +If device_register() returns error, the 'dev' and name needs be +freed. Add a release function, and then call put_device() in the +error path, so the name is freed in kobject_cleanup() and to the +'dev' is freed in release function. + +Fixes: 2e4c77bea3d8 ("m68k: dio - Kill warn_unused_result warnings") +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221109064036.1835346-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/dio/dio.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/dio/dio.c b/drivers/dio/dio.c +index c9aa15fb86a9..d07bceb3e34b 100644 +--- a/drivers/dio/dio.c ++++ b/drivers/dio/dio.c +@@ -110,6 +110,12 @@ static char dio_no_name[] = { 0 }; + + #endif /* CONFIG_DIO_CONSTANTS */ + ++static void dio_dev_release(struct device *dev) ++{ ++ struct dio_dev *ddev = container_of(dev, typeof(struct dio_dev), dev); ++ kfree(ddev); ++} ++ + int __init dio_find(int deviceid) + { + /* Called to find a DIO device before the full bus scan has run. +@@ -222,6 +228,7 @@ static int __init dio_init(void) + dev->bus = &dio_bus; + dev->dev.parent = &dio_bus.dev; + dev->dev.bus = &dio_bus_type; ++ dev->dev.release = dio_dev_release; + dev->scode = scode; + dev->resource.start = pa; + dev->resource.end = pa + DIO_SIZE(scode, va); +@@ -249,6 +256,7 @@ static int __init dio_init(void) + if (error) { + pr_err("DIO: Error registering device %s\n", + dev->name); ++ put_device(&dev->dev); + continue; + } + error = dio_create_sysfs_dev_files(dev); +-- +2.35.1 + 
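Review bot: in drivers/misc/cxl/pci.c, pci_init_afu() (hunk at -1176), the new err_del_dev path calls device_del(&afu->dev) before pci_deconfigure_afu() and cxl_debugfs_afu_remove(), whereas the old err_put1 path ran those two first and device_unregister() last. The same reordering is made in cxl_pci_init_adapter() (hunk at -1667), under a comment that says the path should mirror cxl_remove_adapter. Please confirm that neither the deconfigure step nor the debugfs removal relies on the device still being added, and say in the changelog that the ordering change on the sysfs-add failure path is intentional.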
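Review bot: in lib/debugobjects.c, debug_objects_mem_init() (hunk at -1378), the return value of cpuhp_setup_state_nocalls(CPUHP_DEBUG_OBJ_DEAD, "object:offline", NULL, object_cpu_offline) is dropped, so a failed registration leaves the per-CPU pools of offlined CPUs uncleaned with nothing in the log. Check the result and at least warn on failure. In object_cpu_offline() the only accounting touched after kmem_cache_free() is percpu_pool->obj_free = 0; if the file keeps global free or allocation counters they need the same adjustment here, which the Stable-dep-of subject ("fix stat count") suggests was missed.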
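Review bot: in dio_dev_release() (drivers/dio/dio.c, hunk at -110), container_of(dev, typeof(struct dio_dev), dev) wraps a plain type name in typeof() for no benefit; write container_of(dev, struct dio_dev, dev) and leave a blank line between the declaration and kfree(ddev). In the dio_init() error path (hunk at -249) the pr_err() that reads dev->name correctly comes before put_device(&dev->dev), which can free dev through the new release callback; a one-line comment there would keep the two from being swapped later.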
diff --git a/queue-5.4/drivers-mcb-fix-resource-leak-in-mcb_probe.patch b/queue-5.4/drivers-mcb-fix-resource-leak-in-mcb_probe.patch new file mode 100644 index 00000000000..420bde3d572 --- /dev/null +++ b/queue-5.4/drivers-mcb-fix-resource-leak-in-mcb_probe.patch @@ -0,0 +1,41 @@ +From c375e871699918b7011ca7523721091202af07d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 01:38:49 -0800 +Subject: drivers: mcb: fix resource leak in mcb_probe() + +From: Zhengchao Shao + +[ Upstream commit d7237462561fcd224fa687c56ccb68629f50fc0d ] + +When probe hook function failed in mcb_probe(), it doesn't put the device. +Compiled test only. + +Fixes: 7bc364097a89 ("mcb: Acquire reference to device in probe") +Signed-off-by: Zhengchao Shao +Signed-off-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/9f87de36bfb85158b506cb78c6fc9db3f6a3bad1.1669624063.git.johannes.thumshirn@wdc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/mcb/mcb-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mcb/mcb-core.c b/drivers/mcb/mcb-core.c +index c799bb81ab03..2df3ab3b76e4 100644 +--- a/drivers/mcb/mcb-core.c ++++ b/drivers/mcb/mcb-core.c +@@ -71,8 +71,10 @@ static int mcb_probe(struct device *dev) + + get_device(dev); + ret = mdrv->probe(mdev, found_id); +- if (ret) ++ if (ret) { + module_put(carrier_mod); ++ put_device(dev); ++ } + + return ret; + } +-- +2.35.1 + diff --git a/queue-5.4/drivers-md-md-bitmap-check-the-return-value-of-md_bi.patch b/queue-5.4/drivers-md-md-bitmap-check-the-return-value-of-md_bi.patch new file mode 100644 index 00000000000..91fd61becf5 --- /dev/null +++ b/queue-5.4/drivers-md-md-bitmap-check-the-return-value-of-md_bi.patch 
@@ -0,0 +1,65 @@ +From abc8c13a93c1cc179f2a2f4d3eeeb9995233b562 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 16:33:05 -0700 +Subject: drivers/md/md-bitmap: check the return value of + md_bitmap_get_counter() + +From: Li Zhong + +[ Upstream commit 3bd548e5b819b8c0f2c9085de775c5c7bff9052f ] + +Check the return value of md_bitmap_get_counter() in case it returns +NULL pointer, which will result in a null pointer dereference. + +v2: update the check to include other dereference + +Signed-off-by: Li Zhong +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md-bitmap.c | 27 +++++++++++++++------------ + 1 file changed, 15 insertions(+), 12 deletions(-) + +diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c +index a95e20c3d0d4..72c30c99b29d 100644 +--- a/drivers/md/md-bitmap.c ++++ b/drivers/md/md-bitmap.c +@@ -2200,20 +2200,23 @@ int md_bitmap_resize(struct bitmap *bitmap, sector_t blocks, + + if (set) { + bmc_new = md_bitmap_get_counter(&bitmap->counts, block, &new_blocks, 1); +- if (*bmc_new == 0) { +- /* need to set on-disk bits too. */ +- sector_t end = block + new_blocks; +- sector_t start = block >> chunkshift; +- start <<= chunkshift; +- while (start < end) { +- md_bitmap_file_set_bit(bitmap, block); +- start += 1 << chunkshift; ++ if (bmc_new) { ++ if (*bmc_new == 0) { ++ /* need to set on-disk bits too. */ ++ sector_t end = block + new_blocks; ++ sector_t start = block >> chunkshift; ++ ++ start <<= chunkshift; ++ while (start < end) { ++ md_bitmap_file_set_bit(bitmap, block); ++ start += 1 << chunkshift; ++ } ++ *bmc_new = 2; ++ md_bitmap_count_page(&bitmap->counts, block, 1); ++ md_bitmap_set_pending(&bitmap->counts, block); + } +- *bmc_new = 2; +- md_bitmap_count_page(&bitmap->counts, block, 1); +- md_bitmap_set_pending(&bitmap->counts, block); ++ *bmc_new |= NEEDED_MASK; + } +- *bmc_new |= NEEDED_MASK; + if (new_blocks < old_blocks) + old_blocks = new_blocks; + } +-- +2.35.1 + 
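Review bot: in md_bitmap_resize() (drivers/md/md-bitmap.c, hunk at -2200), a NULL return from md_bitmap_get_counter() is now skipped silently: the resize carries on and that block never gets NEEDED_MASK set. Either propagate an error or emit a warning on the NULL branch so the lost bit is visible to whoever debugs the array afterwards. Separately, the re-indented loop still calls md_bitmap_file_set_bit(bitmap, block) while it is start that advances by 1 << chunkshift; since these lines are being touched anyway, confirm whether start was the intended argument.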
diff --git a/queue-5.4/drivers-net-qlcnic-fix-potential-memory-leak-in-qlcn.patch b/queue-5.4/drivers-net-qlcnic-fix-potential-memory-leak-in-qlcn.patch new file mode 100644 index 00000000000..fc5b0916809 --- /dev/null +++ b/queue-5.4/drivers-net-qlcnic-fix-potential-memory-leak-in-qlcn.patch @@ -0,0 +1,38 @@ +From a1c0ee27d7f7f4dcaf01f0d160fbb72bf625e7c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 08:54:10 +0000 +Subject: drivers: net: qlcnic: Fix potential memory leak in + qlcnic_sriov_init() + +From: Yuan Can + +[ Upstream commit 01de1123322e4fe1bbd0fcdf0982511b55519c03 ] + +If vp alloc failed in qlcnic_sriov_init(), all previously allocated vp +needs to be freed. + +Fixes: f197a7aa6288 ("qlcnic: VF-PF communication channel implementation") +Signed-off-by: Yuan Can +Reviewed-by: Leon Romanovsky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +index 400bc2c3f222..7c782df3793d 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +@@ -222,6 +222,8 @@ int qlcnic_sriov_init(struct qlcnic_adapter *adapter, int num_vfs) + return 0; + + qlcnic_destroy_async_wq: ++ while (i--) ++ kfree(sriov->vf_info[i].vp); + destroy_workqueue(bc->bc_async_wq); + + qlcnic_destroy_trans_wq: +-- +2.35.1 + diff --git a/queue-5.4/drivers-provide-devm_platform_get_and_ioremap_resour.patch b/queue-5.4/drivers-provide-devm_platform_get_and_ioremap_resour.patch new file mode 100644 index 00000000000..85008c00b1f --- /dev/null +++ b/queue-5.4/drivers-provide-devm_platform_get_and_ioremap_resour.patch 
@@ -0,0 +1,80 @@ +From 6763bf313a8ad82e11b8784177b510a10df1d844 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Mar 2020 00:06:08 +0800 +Subject: drivers: provide devm_platform_get_and_ioremap_resource() + +From: Dejin Zheng + +[ Upstream commit 890cc39a879906b63912482dfc41944579df2dc6 ] + +Since commit "drivers: provide devm_platform_ioremap_resource()", +it was wrap platform_get_resource() and devm_ioremap_resource() as +single helper devm_platform_ioremap_resource(). but now, many drivers +still used platform_get_resource() and devm_ioremap_resource() +together in the kernel tree. The reason can not be replaced is they +still need use the resource variables obtained by platform_get_resource(). +so provide this helper. + +Suggested-by: Geert Uytterhoeven +Suggested-by: Sergei Shtylyov +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Dejin Zheng +Link: https://lore.kernel.org/r/20200323160612.17277-2-zhengdejin5@gmail.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 2d47b79d2bd3 ("i2c: mux: reg: check return value after calling platform_get_resource()") +Signed-off-by: Sasha Levin +--- + drivers/base/platform.c | 22 ++++++++++++++++++++++ + include/linux/platform_device.h | 3 +++ + 2 files changed, 25 insertions(+) + +diff --git a/drivers/base/platform.c b/drivers/base/platform.c +index 75623b914b8c..05826c12fd29 100644 +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -61,6 +61,28 @@ struct resource *platform_get_resource(struct platform_device *dev, + } + EXPORT_SYMBOL_GPL(platform_get_resource); + ++/** ++ * devm_platform_get_and_ioremap_resource - call devm_ioremap_resource() for a ++ * platform device and get resource ++ * ++ * @pdev: platform device to use both for memory resource lookup as well as ++ * resource management ++ * @index: resource index ++ * @res: optional output parameter to store a pointer to the obtained resource. 
++ */ ++void __iomem * ++devm_platform_get_and_ioremap_resource(struct platform_device *pdev, ++ unsigned int index, struct resource **res) ++{ ++ struct resource *r; ++ ++ r = platform_get_resource(pdev, IORESOURCE_MEM, index); ++ if (res) ++ *res = r; ++ return devm_ioremap_resource(&pdev->dev, r); ++} ++EXPORT_SYMBOL_GPL(devm_platform_get_and_ioremap_resource); ++ + /** + * devm_platform_ioremap_resource - call devm_ioremap_resource() for a platform + * device +diff --git a/include/linux/platform_device.h b/include/linux/platform_device.h +index 569f446502be..cc4684254d3f 100644 +--- a/include/linux/platform_device.h ++++ b/include/linux/platform_device.h +@@ -55,6 +55,9 @@ extern struct device * + platform_find_device_by_driver(struct device *start, + const struct device_driver *drv); + extern void __iomem * ++devm_platform_get_and_ioremap_resource(struct platform_device *pdev, ++ unsigned int index, struct resource **res); ++extern void __iomem * + devm_platform_ioremap_resource(struct platform_device *pdev, + unsigned int index); + extern int platform_get_irq(struct platform_device *, unsigned int); +-- +2.35.1 + diff --git a/queue-5.4/drivers-soc-ti-knav_qmss_queue-mark-knav_acc_firmwar.patch b/queue-5.4/drivers-soc-ti-knav_qmss_queue-mark-knav_acc_firmwar.patch new file mode 100644 index 00000000000..852c0c55404 --- /dev/null +++ b/queue-5.4/drivers-soc-ti-knav_qmss_queue-mark-knav_acc_firmwar.patch 
@@ -0,0 +1,42 @@ +From a2fa58155692de36b84f0b3891dd381f60926155 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Oct 2022 23:32:12 +0800 +Subject: drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static + +From: Chen Jiahao + +[ Upstream commit adf85adc2a7199b41e7a4da083bd17274a3d6969 ] + +There is a sparse warning shown below: + +drivers/soc/ti/knav_qmss_queue.c:70:12: warning: symbol +'knav_acc_firmwares' was not declared. Should it be static? + +Since 'knav_acc_firmwares' is only called within knav_qmss_queue.c, +mark it as static to fix the warning. + +Fixes: 96ee19becc3b ("soc: ti: add firmware file name as part of the driver") +Signed-off-by: Chen Jiahao +Signed-off-by: Nishanth Menon +Link: https://lore.kernel.org/r/20221019153212.72350-1-chenjiahao16@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/soc/ti/knav_qmss_queue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/ti/knav_qmss_queue.c b/drivers/soc/ti/knav_qmss_queue.c +index b8210479ec99..d5fc00979628 100644 +--- a/drivers/soc/ti/knav_qmss_queue.c ++++ b/drivers/soc/ti/knav_qmss_queue.c +@@ -64,7 +64,7 @@ static DEFINE_MUTEX(knav_dev_lock); + * Newest followed by older ones. Search is done from start of the array + * until a firmware file is found. + */ +-const char *knav_acc_firmwares[] = {"ks2_qmss_pdsp_acc48.bin"}; ++static const char * const knav_acc_firmwares[] = {"ks2_qmss_pdsp_acc48.bin"}; + + static bool device_ready; + bool knav_qmss_device_ready(void) +-- +2.35.1 + diff --git a/queue-5.4/drm-amdgpu-fix-pci-device-refcount-leak-in-amdgpu_at.patch b/queue-5.4/drm-amdgpu-fix-pci-device-refcount-leak-in-amdgpu_at.patch new file mode 100644 index 00000000000..0460135228c --- /dev/null +++ b/queue-5.4/drm-amdgpu-fix-pci-device-refcount-leak-in-amdgpu_at.patch 
@@ -0,0 +1,40 @@ +From d054fea59ce044f6d085b0ad6a43174670f6e0e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 19:30:43 +0800 +Subject: drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios() + +From: Xiongfeng Wang + +[ Upstream commit ca54639c7752edf1304d92ff4d0c049d4efc9ba0 ] + +As comment of pci_get_class() says, it returns a pci_device with its +refcount increased and decreased the refcount for the input parameter +@from if it is not NULL. + +If we break the loop in amdgpu_atrm_get_bios() with 'pdev' not NULL, we +need to call pci_dev_put() to decrease the refcount. Add the missing +pci_dev_put() to avoid refcount leak. + +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Signed-off-by: Xiongfeng Wang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c +index b1172d93c99c..ba604985cad9 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c +@@ -313,6 +313,7 @@ static bool amdgpu_atrm_get_bios(struct amdgpu_device *adev) + + if (!found) + return false; ++ pci_dev_put(pdev); + + adev->bios = kmalloc(size, GFP_KERNEL); + if (!adev->bios) { +-- +2.35.1 + diff --git a/queue-5.4/drm-etnaviv-add-missing-quirks-for-gc300.patch b/queue-5.4/drm-etnaviv-add-missing-quirks-for-gc300.patch new file mode 100644 index 00000000000..487c7bdca7b --- /dev/null +++ b/queue-5.4/drm-etnaviv-add-missing-quirks-for-gc300.patch 
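Review bot: pci_dev_put(pdev) in amdgpu_atrm_get_bios() is placed after `if (!found) return false;`, so the early return drops no reference, and nothing in the hunk shows why that is safe. The commit message covers only the break with 'pdev' not NULL; add a one-line comment that the not-found exit leaves pdev NULL, and confirm that nothing below the put still dereferences pdev.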
@@ -0,0 +1,53 @@ +From d9716b30a483d415571ac8517f90ec71ee7bd0d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Sep 2022 13:29:38 -0700 +Subject: drm/etnaviv: add missing quirks for GC300 + +From: Doug Brown + +[ Upstream commit cc7d3fb446a91f24978a6aa59cbb578f92e22242 ] + +The GC300's features register doesn't specify that a 2D pipe is +available, and like the GC600, its idle register reports zero bits where +modules aren't present. + +Signed-off-by: Doug Brown +Reviewed-by: Christian Gmeiner +Signed-off-by: Lucas Stach +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/etnaviv/etnaviv_gpu.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c +index db35736d47af..8c6f9752692d 100644 +--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c +@@ -392,6 +392,12 @@ static void etnaviv_hw_identify(struct etnaviv_gpu *gpu) + if (gpu->identity.model == chipModel_GC700) + gpu->identity.features &= ~chipFeatures_FAST_CLEAR; + ++ /* These models/revisions don't have the 2D pipe bit */ ++ if ((gpu->identity.model == chipModel_GC500 && ++ gpu->identity.revision <= 2) || ++ gpu->identity.model == chipModel_GC300) ++ gpu->identity.features |= chipFeatures_PIPE_2D; ++ + if ((gpu->identity.model == chipModel_GC500 && + gpu->identity.revision < 2) || + (gpu->identity.model == chipModel_GC300 && +@@ -425,8 +431,9 @@ static void etnaviv_hw_identify(struct etnaviv_gpu *gpu) + gpu_read(gpu, VIVS_HI_CHIP_MINOR_FEATURE_5); + } + +- /* GC600 idle register reports zero bits where modules aren't present */ +- if (gpu->identity.model == chipModel_GC600) ++ /* GC600/300 idle register reports zero bits where modules aren't present */ ++ if (gpu->identity.model == chipModel_GC600 || ++ gpu->identity.model == chipModel_GC300) + gpu->idle_mask = VIVS_HI_IDLE_STATE_TX | + VIVS_HI_IDLE_STATE_RA | + VIVS_HI_IDLE_STATE_SE | +-- +2.35.1 + 
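Review bot: The first added block in etnaviv_hw_identify() also forces chipFeatures_PIPE_2D for GC500 with `revision <= 2`, which the commit message never mentions (it describes only GC300), and the bound differs from the existing check just below it, which uses `revision < 2`. State in the message where the GC500 quirk comes from and whether revision 2 is meant to be included, or move it to its own patch. The new comment "These models/revisions" would also be clearer if it named them.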
diff --git a/queue-5.4/drm-fsl-dcu-fix-return-type-of-fsl_dcu_drm_connector.patch b/queue-5.4/drm-fsl-dcu-fix-return-type-of-fsl_dcu_drm_connector.patch new file mode 100644 index 00000000000..98715322998 --- /dev/null +++ b/queue-5.4/drm-fsl-dcu-fix-return-type-of-fsl_dcu_drm_connector.patch 
@@ -0,0 +1,57 @@ +From e6b51d517eae791747ca7142dbd5ebf534a659ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 08:42:15 -0700 +Subject: drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid() + +From: Nathan Chancellor + +[ Upstream commit 96d845a67b7e406cfed7880a724c8ca6121e022e ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +proposed warning in clang aims to catch these at compile time, which +reveals: + + drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c:74:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .mode_valid = fsl_dcu_drm_connector_mode_valid, + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 1 error generated. + +->mode_valid() in 'struct drm_connector_helper_funcs' expects a return +type of 'enum drm_mode_status', not 'int'. Adjust the return type of +fsl_dcu_drm_connector_mode_valid() to match the prototype's to resolve +the warning and CFI failure. 
+ +Link: https://github.com/ClangBuiltLinux/linux/issues/1750 +Reported-by: Sami Tolvanen +Signed-off-by: Nathan Chancellor +Reviewed-by: Kees Cook +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20221102154215.78059-1-nathan@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c +index a92fd6c70b09..8de9bc8343a2 100644 +--- a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c ++++ b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c +@@ -70,8 +70,9 @@ static int fsl_dcu_drm_connector_get_modes(struct drm_connector *connector) + return drm_panel_get_modes(fsl_connector->panel); + } + +-static int fsl_dcu_drm_connector_mode_valid(struct drm_connector *connector, +- struct drm_display_mode *mode) ++static enum drm_mode_status ++fsl_dcu_drm_connector_mode_valid(struct drm_connector *connector, ++ struct drm_display_mode *mode) + { + if (mode->hdisplay & 0xf) + return MODE_ERROR; +-- +2.35.1 + diff --git a/queue-5.4/drm-mediatek-modify-dpi-power-on-off-sequence.patch b/queue-5.4/drm-mediatek-modify-dpi-power-on-off-sequence.patch new file mode 100644 index 00000000000..448056921e2 --- /dev/null +++ b/queue-5.4/drm-mediatek-modify-dpi-power-on-off-sequence.patch 
@@ -0,0 +1,66 @@ +From 33b09218fdb09f69e0181f534ee49cc98ecbf775 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 18:00:59 +0800 +Subject: drm/mediatek: Modify dpi power on/off sequence. + +From: Xinlei Lee + +[ Upstream commit ff446c0f6290185cefafe3b376bb86063a3a9f6a ] + +Modify dpi power on/off sequence so that the first gpio operation will +take effect. + +Fixes: 6bd4763fd532 ("drm/mediatek: set dpi pin mode to gpio low to avoid leakage current") +Signed-off-by: Xinlei Lee +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_dpi.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_dpi.c b/drivers/gpu/drm/mediatek/mtk_dpi.c +index 4a64d8aed9da..7c68a3933915 100644 +--- a/drivers/gpu/drm/mediatek/mtk_dpi.c ++++ b/drivers/gpu/drm/mediatek/mtk_dpi.c +@@ -364,9 +364,6 @@ static void mtk_dpi_power_off(struct mtk_dpi *dpi) + if (--dpi->refcount != 0) + return; + +- if (dpi->pinctrl && dpi->pins_gpio) +- pinctrl_select_state(dpi->pinctrl, dpi->pins_gpio); +- + mtk_dpi_disable(dpi); + clk_disable_unprepare(dpi->pixel_clk); + clk_disable_unprepare(dpi->engine_clk); +@@ -391,9 +388,6 @@ static int mtk_dpi_power_on(struct mtk_dpi *dpi) + goto err_pixel; + } + +- if (dpi->pinctrl && dpi->pins_dpi) +- pinctrl_select_state(dpi->pinctrl, dpi->pins_dpi); +- + return 0; + + err_pixel: +@@ -529,12 +523,18 @@ static void mtk_dpi_encoder_disable(struct drm_encoder *encoder) + struct mtk_dpi *dpi = mtk_dpi_from_encoder(encoder); + + mtk_dpi_power_off(dpi); ++ ++ if (dpi->pinctrl && dpi->pins_gpio) ++ pinctrl_select_state(dpi->pinctrl, dpi->pins_gpio); + } + + static void mtk_dpi_encoder_enable(struct drm_encoder *encoder) + { + struct mtk_dpi *dpi = mtk_dpi_from_encoder(encoder); + ++ if (dpi->pinctrl && dpi->pins_dpi) ++ pinctrl_select_state(dpi->pinctrl, dpi->pins_dpi); ++ + mtk_dpi_power_on(dpi); + mtk_dpi_set_display_mode(dpi, &dpi->mode); + mtk_dpi_enable(dpi); 
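Review bot: With the pinctrl calls moved into mtk_dpi_encoder_disable() and mtk_dpi_encoder_enable(), they are no longer covered by the checks inside the power helpers. mtk_dpi_power_off() returns early while `--dpi->refcount != 0`, yet the pins are now switched to pins_gpio regardless, and mtk_dpi_encoder_enable() selects pins_dpi before calling mtk_dpi_power_on() and ignores its int result, so a failed power-on leaves the pins in DPI mode. Either gate the pin switch on the same conditions or explain in the commit message why the unconditional switch is wanted; the message also does not say why the first GPIO operation had no effect in the old order.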
+-- +2.35.1 + diff --git a/queue-5.4/drm-panel-panel-sitronix-st7701-remove-panel-on-dsi-.patch b/queue-5.4/drm-panel-panel-sitronix-st7701-remove-panel-on-dsi-.patch new file mode 100644 index 00000000000..b989a41e358 --- /dev/null +++ b/queue-5.4/drm-panel-panel-sitronix-st7701-remove-panel-on-dsi-.patch @@ -0,0 +1,45 @@ +From c5ddb3809aecfa18fece891d5716a78b40021724 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Oct 2022 01:11:06 +0200 +Subject: drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure + +From: Marek Vasut + +[ Upstream commit c62102165dd79284d42383d2f7ed17301bd8e629 ] + +In case mipi_dsi_attach() fails, call drm_panel_remove() to +avoid memory leak. + +Fixes: 849b2e3ff969 ("drm/panel: Add Sitronix ST7701 panel driver") +Signed-off-by: Marek Vasut +Signed-off-by: Linus Walleij +Link: https://patchwork.freedesktop.org/patch/msgid/20221014231106.468063-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-sitronix-st7701.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-sitronix-st7701.c b/drivers/gpu/drm/panel/panel-sitronix-st7701.c +index 09c5d9a6f9fa..638f605acb2d 100644 +--- a/drivers/gpu/drm/panel/panel-sitronix-st7701.c ++++ b/drivers/gpu/drm/panel/panel-sitronix-st7701.c +@@ -392,7 +392,15 @@ static int st7701_dsi_probe(struct mipi_dsi_device *dsi) + st7701->dsi = dsi; + st7701->desc = desc; + +- return mipi_dsi_attach(dsi); ++ ret = mipi_dsi_attach(dsi); ++ if (ret) ++ goto err_attach; ++ ++ return 0; ++ ++err_attach: ++ drm_panel_remove(&st7701->panel); ++ return ret; + } + + static int st7701_dsi_remove(struct mipi_dsi_device *dsi) +-- +2.35.1 + diff --git a/queue-5.4/drm-radeon-add-the-missed-acpi_put_table-to-fix-memo.patch b/queue-5.4/drm-radeon-add-the-missed-acpi_put_table-to-fix-memo.patch new file mode 100644 index 00000000000..baf947a6677 --- /dev/null 
+++ b/queue-5.4/drm-radeon-add-the-missed-acpi_put_table-to-fix-memo.patch 
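Review bot: The err_attach label added to st7701_dsi_probe() in panel-sitronix-st7701.c has a single user and the success path returns immediately before it, so the goto adds lines without adding structure. `ret = mipi_dsi_attach(dsi); if (ret) drm_panel_remove(&st7701->panel); return ret;` performs the same cleanup; keep the label only if further unwind steps are expected to stack on it.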
@@ -0,0 +1,86 @@ +From 043d6a3108c018c66c1be2a34257a5dad43ef358 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 17:50:02 +0800 +Subject: drm/radeon: Add the missed acpi_put_table() to fix memory leak + +From: Hanjun Guo + +[ Upstream commit 10276a20be1115e1f76c189330da2992df980eee ] + +When the radeon driver reads the bios information from ACPI +table in radeon_acpi_vfct_bios(), it misses to call acpi_put_table() +to release the ACPI memory after the init, so add acpi_put_table() +properly to fix the memory leak. + +v2: fix text formatting (Alex) + +Fixes: 268ba0a99f89 ("drm/radeon: implement ACPI VFCT vbios fetch (v3)") +Signed-off-by: Hanjun Guo +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_bios.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_bios.c b/drivers/gpu/drm/radeon/radeon_bios.c +index 756a50e8aff2..89939f0daefb 100644 +--- a/drivers/gpu/drm/radeon/radeon_bios.c ++++ b/drivers/gpu/drm/radeon/radeon_bios.c +@@ -612,13 +612,14 @@ static bool radeon_acpi_vfct_bios(struct radeon_device *rdev) + acpi_size tbl_size; + UEFI_ACPI_VFCT *vfct; + unsigned offset; ++ bool r = false; + + if (!ACPI_SUCCESS(acpi_get_table("VFCT", 1, &hdr))) + return false; + tbl_size = hdr->length; + if (tbl_size < sizeof(UEFI_ACPI_VFCT)) { + DRM_ERROR("ACPI VFCT table present but broken (too short #1)\n"); +- return false; ++ goto out; + } + + vfct = (UEFI_ACPI_VFCT *)hdr; +@@ -631,13 +632,13 @@ static bool radeon_acpi_vfct_bios(struct radeon_device *rdev) + offset += sizeof(VFCT_IMAGE_HEADER); + if (offset > tbl_size) { + DRM_ERROR("ACPI VFCT image header truncated\n"); +- return false; ++ goto out; + } + + offset += vhdr->ImageLength; + if (offset > tbl_size) { + DRM_ERROR("ACPI VFCT image truncated\n"); +- return false; ++ goto out; + } + + if (vhdr->ImageLength && +@@ -649,15 +650,18 @@ static bool radeon_acpi_vfct_bios(struct radeon_device 
*rdev) + rdev->bios = kmemdup(&vbios->VbiosContent, + vhdr->ImageLength, + GFP_KERNEL); ++ if (rdev->bios) ++ r = true; + +- if (!rdev->bios) +- return false; +- return true; ++ goto out; + } + } + + DRM_ERROR("ACPI VFCT table present but broken (too short #2)\n"); +- return false; ++ ++out: ++ acpi_put_table(hdr); ++ return r; + } + #else + static inline bool radeon_acpi_vfct_bios(struct radeon_device *rdev) +-- +2.35.1 + diff --git a/queue-5.4/drm-radeon-fix-pci-device-refcount-leak-in-radeon_at.patch b/queue-5.4/drm-radeon-fix-pci-device-refcount-leak-in-radeon_at.patch new file mode 100644 index 00000000000..947a68b7fee --- /dev/null +++ b/queue-5.4/drm-radeon-fix-pci-device-refcount-leak-in-radeon_at.patch 
@@ -0,0 +1,41 @@ +From fe38ff91dad3b865c6867bd07c803248f5c32337 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 19:30:42 +0800 +Subject: drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios() + +From: Xiongfeng Wang + +[ Upstream commit 725a521a18734f65de05b8d353b5bd0d3ca4c37a ] + +As comment of pci_get_class() says, it returns a pci_device with its +refcount increased and decreased the refcount for the input parameter +@from if it is not NULL. + +If we break the loop in radeon_atrm_get_bios() with 'pdev' not NULL, we +need to call pci_dev_put() to decrease the refcount. Add the missing +pci_dev_put() to avoid refcount leak. + +Fixes: d8ade3526b2a ("drm/radeon: handle non-VGA class pci devices with ATRM") +Fixes: c61e2775873f ("drm/radeon: split ATRM support out from the ATPX handler (v3)") +Signed-off-by: Xiongfeng Wang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_bios.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/radeon/radeon_bios.c b/drivers/gpu/drm/radeon/radeon_bios.c +index 89939f0daefb..8c8e13ec3cd6 100644 +--- a/drivers/gpu/drm/radeon/radeon_bios.c ++++ b/drivers/gpu/drm/radeon/radeon_bios.c +@@ -227,6 +227,7 @@ static bool radeon_atrm_get_bios(struct radeon_device *rdev) + + if (!found) + return false; ++ pci_dev_put(pdev); + + rdev->bios = kmalloc(size, GFP_KERNEL); + if (!rdev->bios) { +-- +2.35.1 + diff --git a/queue-5.4/drm-rockchip-use-drm_mode_copy.patch b/queue-5.4/drm-rockchip-use-drm_mode_copy.patch new file mode 100644 index 00000000000..7dcf51113d7 --- /dev/null +++ b/queue-5.4/drm-rockchip-use-drm_mode_copy.patch 
@@ -0,0 +1,124 @@ +From 35802b3bbee9f688b4984c05f98b910afb422f73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 21:25:44 +0200 +Subject: drm/rockchip: Use drm_mode_copy() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +[ Upstream commit 2bfaa28000d2830d3209161a4541cce0660e1b84 ] + +struct drm_display_mode embeds a list head, so overwriting +the full struct with another one will corrupt the list +(if the destination mode is on a list). Use drm_mode_copy() +instead which explicitly preserves the list head of +the destination mode. + +Even if we know the destination mode is not on any list +using drm_mode_copy() seems decent as it sets a good +example. Bad examples of not using it might eventually +get copied into code where preserving the list head +actually matters. + +Obviously one case not covered here is when the mode +itself is embedded in a larger structure and the whole +structure is copied. But if we are careful when copying +into modes embedded in structures I think we can be a +little more reassured that bogus list heads haven't been +propagated in. + +@is_mode_copy@ +@@ +drm_mode_copy(...) +{ +... 
+} + +@depends on !is_mode_copy@ +struct drm_display_mode *mode; +expression E, S; +@@ +( +- *mode = E ++ drm_mode_copy(mode, &E) +| +- memcpy(mode, E, S) ++ drm_mode_copy(mode, E) +) + +@depends on !is_mode_copy@ +struct drm_display_mode mode; +expression E; +@@ +( +- mode = E ++ drm_mode_copy(&mode, &E) +| +- memcpy(&mode, E, S) ++ drm_mode_copy(&mode, E) +) + +@@ +struct drm_display_mode *mode; +@@ +- &*mode ++ mode + +Signed-off-by: Ville Syrjälä +Cc: Sandy Huang +Cc: "Heiko Stübner" +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-rockchip@lists.infradead.org +Link: https://patchwork.freedesktop.org/patch/msgid/20221107192545.9896-7-ville.syrjala@linux.intel.com +Reviewed-by: Daniel Vetter +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/cdn-dp-core.c | 2 +- + drivers/gpu/drm/rockchip/inno_hdmi.c | 2 +- + drivers/gpu/drm/rockchip/rk3066_hdmi.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/cdn-dp-core.c b/drivers/gpu/drm/rockchip/cdn-dp-core.c +index 67dae1354aa6..2ea672f4420d 100644 +--- a/drivers/gpu/drm/rockchip/cdn-dp-core.c ++++ b/drivers/gpu/drm/rockchip/cdn-dp-core.c +@@ -563,7 +563,7 @@ static void cdn_dp_encoder_mode_set(struct drm_encoder *encoder, + video->v_sync_polarity = !!(mode->flags & DRM_MODE_FLAG_NVSYNC); + video->h_sync_polarity = !!(mode->flags & DRM_MODE_FLAG_NHSYNC); + +- memcpy(&dp->mode, adjusted, sizeof(*mode)); ++ drm_mode_copy(&dp->mode, adjusted); + } + + static bool cdn_dp_check_link_status(struct cdn_dp_device *dp) +diff --git a/drivers/gpu/drm/rockchip/inno_hdmi.c b/drivers/gpu/drm/rockchip/inno_hdmi.c +index ed344a795b4d..f2e2cc66f489 100644 +--- a/drivers/gpu/drm/rockchip/inno_hdmi.c ++++ b/drivers/gpu/drm/rockchip/inno_hdmi.c +@@ -487,7 +487,7 @@ static void inno_hdmi_encoder_mode_set(struct drm_encoder *encoder, + inno_hdmi_setup(hdmi, adj_mode); + + /* Store the display mode for plugin/DPMS poweron events */ +- memcpy(&hdmi->previous_mode, adj_mode, 
sizeof(hdmi->previous_mode)); ++ drm_mode_copy(&hdmi->previous_mode, adj_mode); + } + + static void inno_hdmi_encoder_enable(struct drm_encoder *encoder) +diff --git a/drivers/gpu/drm/rockchip/rk3066_hdmi.c b/drivers/gpu/drm/rockchip/rk3066_hdmi.c +index 85fc5f01f761..4a81c5c8a550 100644 +--- a/drivers/gpu/drm/rockchip/rk3066_hdmi.c ++++ b/drivers/gpu/drm/rockchip/rk3066_hdmi.c +@@ -382,7 +382,7 @@ rk3066_hdmi_encoder_mode_set(struct drm_encoder *encoder, + struct rk3066_hdmi *hdmi = to_rk3066_hdmi(encoder); + + /* Store the display mode for plugin/DPMS poweron events. */ +- memcpy(&hdmi->previous_mode, adj_mode, sizeof(hdmi->previous_mode)); ++ drm_mode_copy(&hdmi->previous_mode, adj_mode); + } + + static void rk3066_hdmi_encoder_enable(struct drm_encoder *encoder) +-- +2.35.1 + diff --git a/queue-5.4/drm-sti-fix-return-type-of-sti_-dvo-hda-hdmi-_connec.patch b/queue-5.4/drm-sti-fix-return-type-of-sti_-dvo-hda-hdmi-_connec.patch new file mode 100644 index 00000000000..78e398e3369 --- /dev/null +++ b/queue-5.4/drm-sti-fix-return-type-of-sti_-dvo-hda-hdmi-_connec.patch 
@@ -0,0 +1,95 @@ +From 0761fa74183746265445189efe1fae57a15d3266 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 08:56:23 -0700 +Subject: drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid() + +From: Nathan Chancellor + +[ Upstream commit 0ad811cc08a937d875cbad0149c1bab17f84ba05 ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +proposed warning in clang aims to catch these at compile time, which +reveals: + + drivers/gpu/drm/sti/sti_hda.c:637:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .mode_valid = sti_hda_connector_mode_valid, + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ + drivers/gpu/drm/sti/sti_dvo.c:376:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .mode_valid = sti_dvo_connector_mode_valid, + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ + drivers/gpu/drm/sti/sti_hdmi.c:1035:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .mode_valid = sti_hdmi_connector_mode_valid, + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +->mode_valid() in 'struct drm_connector_helper_funcs' expects a 
return +type of 'enum drm_mode_status', not 'int'. Adjust the return type of +sti_{dvo,hda,hdmi}_connector_mode_valid() to match the prototype's to +resolve the warning and CFI failure. + +Link: https://github.com/ClangBuiltLinux/linux/issues/1750 +Signed-off-by: Nathan Chancellor +Reviewed-by: Kees Cook +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20221102155623.3042869-1-nathan@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sti/sti_dvo.c | 5 +++-- + drivers/gpu/drm/sti/sti_hda.c | 5 +++-- + drivers/gpu/drm/sti/sti_hdmi.c | 5 +++-- + 3 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/sti/sti_dvo.c b/drivers/gpu/drm/sti/sti_dvo.c +index 3c65c73aa854..d0f1384d0fba 100644 +--- a/drivers/gpu/drm/sti/sti_dvo.c ++++ b/drivers/gpu/drm/sti/sti_dvo.c +@@ -345,8 +345,9 @@ static int sti_dvo_connector_get_modes(struct drm_connector *connector) + + #define CLK_TOLERANCE_HZ 50 + +-static int sti_dvo_connector_mode_valid(struct drm_connector *connector, +- struct drm_display_mode *mode) ++static enum drm_mode_status ++sti_dvo_connector_mode_valid(struct drm_connector *connector, ++ struct drm_display_mode *mode) + { + int target = mode->clock * 1000; + int target_min = target - CLK_TOLERANCE_HZ; +diff --git a/drivers/gpu/drm/sti/sti_hda.c b/drivers/gpu/drm/sti/sti_hda.c +index 158192680bea..b321e5525771 100644 +--- a/drivers/gpu/drm/sti/sti_hda.c ++++ b/drivers/gpu/drm/sti/sti_hda.c +@@ -600,8 +600,9 @@ static int sti_hda_connector_get_modes(struct drm_connector *connector) + + #define CLK_TOLERANCE_HZ 50 + +-static int sti_hda_connector_mode_valid(struct drm_connector *connector, +- struct drm_display_mode *mode) ++static enum drm_mode_status ++sti_hda_connector_mode_valid(struct drm_connector *connector, ++ struct drm_display_mode *mode) + { + int target = mode->clock * 1000; + int target_min = target - CLK_TOLERANCE_HZ; +diff --git a/drivers/gpu/drm/sti/sti_hdmi.c b/drivers/gpu/drm/sti/sti_hdmi.c +index 
c91ce51836ca..c5547fedebe3 100644 +--- a/drivers/gpu/drm/sti/sti_hdmi.c ++++ b/drivers/gpu/drm/sti/sti_hdmi.c +@@ -996,8 +996,9 @@ static int sti_hdmi_connector_get_modes(struct drm_connector *connector) + + #define CLK_TOLERANCE_HZ 50 + +-static int sti_hdmi_connector_mode_valid(struct drm_connector *connector, +- struct drm_display_mode *mode) ++static enum drm_mode_status ++sti_hdmi_connector_mode_valid(struct drm_connector *connector, ++ struct drm_display_mode *mode) + { + int target = mode->clock * 1000; + int target_min = target - CLK_TOLERANCE_HZ; +-- +2.35.1 + diff --git a/queue-5.4/drm-sti-use-drm_mode_copy.patch b/queue-5.4/drm-sti-use-drm_mode_copy.patch new file mode 100644 index 00000000000..f8e6c587b60 --- /dev/null +++ b/queue-5.4/drm-sti-use-drm_mode_copy.patch 
@@ -0,0 +1,121 @@ +From 498e2e418c94adc0d4f96d78b3fbd22dace5a1bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 21:25:45 +0200 +Subject: drm/sti: Use drm_mode_copy() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +[ Upstream commit 442cf8e22ba25a77cb9092d78733fdbac9844e50 ] + +struct drm_display_mode embeds a list head, so overwriting +the full struct with another one will corrupt the list +(if the destination mode is on a list). Use drm_mode_copy() +instead which explicitly preserves the list head of +the destination mode. + +Even if we know the destination mode is not on any list +using drm_mode_copy() seems decent as it sets a good +example. Bad examples of not using it might eventually +get copied into code where preserving the list head +actually matters. + +Obviously one case not covered here is when the mode +itself is embedded in a larger structure and the whole +structure is copied. But if we are careful when copying +into modes embedded in structures I think we can be a +little more reassured that bogus list heads haven't been +propagated in. + +@is_mode_copy@ +@@ +drm_mode_copy(...) +{ +... 
+} + +@depends on !is_mode_copy@ +struct drm_display_mode *mode; +expression E, S; +@@ +( +- *mode = E ++ drm_mode_copy(mode, &E) +| +- memcpy(mode, E, S) ++ drm_mode_copy(mode, E) +) + +@depends on !is_mode_copy@ +struct drm_display_mode mode; +expression E; +@@ +( +- mode = E ++ drm_mode_copy(&mode, &E) +| +- memcpy(&mode, E, S) ++ drm_mode_copy(&mode, E) +) + +@@ +struct drm_display_mode *mode; +@@ +- &*mode ++ mode + +Cc: Alain Volmat +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20221107192545.9896-8-ville.syrjala@linux.intel.com +Reviewed-by: Daniel Vetter +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sti/sti_dvo.c | 2 +- + drivers/gpu/drm/sti/sti_hda.c | 2 +- + drivers/gpu/drm/sti/sti_hdmi.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/sti/sti_dvo.c b/drivers/gpu/drm/sti/sti_dvo.c +index e55870190bf5..3c65c73aa854 100644 +--- a/drivers/gpu/drm/sti/sti_dvo.c ++++ b/drivers/gpu/drm/sti/sti_dvo.c +@@ -287,7 +287,7 @@ static void sti_dvo_set_mode(struct drm_bridge *bridge, + + DRM_DEBUG_DRIVER("\n"); + +- memcpy(&dvo->mode, mode, sizeof(struct drm_display_mode)); ++ drm_mode_copy(&dvo->mode, mode); + + /* According to the path used (main or aux), the dvo clocks should + * have a different parent clock. 
*/ +diff --git a/drivers/gpu/drm/sti/sti_hda.c b/drivers/gpu/drm/sti/sti_hda.c +index 94e404f13234..158192680bea 100644 +--- a/drivers/gpu/drm/sti/sti_hda.c ++++ b/drivers/gpu/drm/sti/sti_hda.c +@@ -522,7 +522,7 @@ static void sti_hda_set_mode(struct drm_bridge *bridge, + + DRM_DEBUG_DRIVER("\n"); + +- memcpy(&hda->mode, mode, sizeof(struct drm_display_mode)); ++ drm_mode_copy(&hda->mode, mode); + + if (!hda_get_mode_idx(hda->mode, &mode_idx)) { + DRM_ERROR("Undefined mode\n"); +diff --git a/drivers/gpu/drm/sti/sti_hdmi.c b/drivers/gpu/drm/sti/sti_hdmi.c +index 9862c322f0c4..c91ce51836ca 100644 +--- a/drivers/gpu/drm/sti/sti_hdmi.c ++++ b/drivers/gpu/drm/sti/sti_hdmi.c +@@ -933,7 +933,7 @@ static void sti_hdmi_set_mode(struct drm_bridge *bridge, + DRM_DEBUG_DRIVER("\n"); + + /* Copy the drm display mode in the connector local structure */ +- memcpy(&hdmi->mode, mode, sizeof(struct drm_display_mode)); ++ drm_mode_copy(&hdmi->mode, mode); + + /* Update clock framerate according to the selected mode */ + ret = clk_set_rate(hdmi->clk_pix, mode->clock * 1000); +-- +2.35.1 + diff --git a/queue-5.4/drm-tegra-add-missing-clk_disable_unprepare-in-tegra.patch b/queue-5.4/drm-tegra-add-missing-clk_disable_unprepare-in-tegra.patch new file mode 100644 index 00000000000..6f589921b3f --- /dev/null +++ b/queue-5.4/drm-tegra-add-missing-clk_disable_unprepare-in-tegra.patch 
@@ -0,0 +1,39 @@ +From bee04707ed0bcf825505a8cb6760333544d44932 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Aug 2022 08:50:50 +0000 +Subject: drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe() + +From: Zhang Zekun + +[ Upstream commit 7ad4384d53c67672a8720cdc2ef638d7d1710ab8 ] + +Add the missing clk_disable_unprepare() before return from +tegra_dc_probe() in the error handling path. + +Fixes: f68ba6912bd2 ("drm/tegra: dc: Link DC1 to DC0 on Tegra20") +Signed-off-by: Zhang Zekun +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/dc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c +index c410221824c1..923899b95c88 100644 +--- a/drivers/gpu/drm/tegra/dc.c ++++ b/drivers/gpu/drm/tegra/dc.c +@@ -2458,8 +2458,10 @@ static int tegra_dc_probe(struct platform_device *pdev) + usleep_range(2000, 4000); + + err = reset_control_assert(dc->rst); +- if (err < 0) ++ if (err < 0) { ++ clk_disable_unprepare(dc->clk); + return err; ++ } + + usleep_range(2000, 4000); + +-- +2.35.1 + diff --git a/queue-5.4/edac-i10nm-fix-refcount-leak-in-pci_get_dev_wrapper.patch b/queue-5.4/edac-i10nm-fix-refcount-leak-in-pci_get_dev_wrapper.patch new file mode 100644 index 00000000000..5230c783129 --- /dev/null +++ b/queue-5.4/edac-i10nm-fix-refcount-leak-in-pci_get_dev_wrapper.patch 
@@ -0,0 +1,44 @@ +From 4de461c056bbe8108a771773316eec3d3b893435 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 14:55:12 +0800 +Subject: EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper() + +From: Yang Yingliang + +[ Upstream commit 9c8921555907f4d723f01ed2d859b66f2d14f08e ] + +As the comment of pci_get_domain_bus_and_slot() says, it returns +a PCI device with refcount incremented, so it doesn't need to +call an extra pci_dev_get() in pci_get_dev_wrapper(), and the PCI +device needs to be put in the error path. + +Fixes: d4dc89d069aa ("EDAC, i10nm: Add a driver for Intel 10nm server processors") +Signed-off-by: Yang Yingliang +Reviewed-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Link: https://lore.kernel.org/r/20221128065512.3572550-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/edac/i10nm_base.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/edac/i10nm_base.c b/drivers/edac/i10nm_base.c +index 29576922df78..a887c3313431 100644 +--- a/drivers/edac/i10nm_base.c ++++ b/drivers/edac/i10nm_base.c +@@ -53,11 +53,10 @@ static struct pci_dev *pci_get_dev_wrapper(int dom, unsigned int bus, + if (unlikely(pci_enable_device(pdev) < 0)) { + edac_dbg(2, "Failed to enable device %02x:%02x.%x\n", + bus, dev, fun); ++ pci_dev_put(pdev); + return NULL; + } + +- pci_dev_get(pdev); +- + return pdev; + } + +-- +2.35.1 + diff --git a/queue-5.4/ethernet-s2io-don-t-call-dev_kfree_skb-under-spin_lo.patch b/queue-5.4/ethernet-s2io-don-t-call-dev_kfree_skb-under-spin_lo.patch new file mode 100644 index 00000000000..30cb16e767e --- /dev/null +++ b/queue-5.4/ethernet-s2io-don-t-call-dev_kfree_skb-under-spin_lo.patch 
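Review bot: After this change pci_get_dev_wrapper() in drivers/edac/i10nm_base.c returns with one reference held (the one from pci_get_domain_bus_and_slot()) instead of two, but the hunk touches no caller. Check that every caller does exactly one pci_dev_put() per successful call, and add a short comment above the function stating that the caller owns the returned reference, since the dropped `pci_dev_get(pdev);` line was the only place that ownership was visible.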
@@ -0,0 +1,45 @@ +From 300807de6d5811f4eca2b0be3ff9fe88a296283a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 20:01:21 +0800 +Subject: ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 6cee96e09df54ae17784c0f38a49e0ed8229b825 ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +In this case, dev_kfree_skb() is called in free_tx_buffers() to drop +the SKBs in tx buffers, when the card is down, so replace it with +dev_kfree_skb_irq() here. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/neterion/s2io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/neterion/s2io.c b/drivers/net/ethernet/neterion/s2io.c +index 69316ddcf067..496052a6b9b8 100644 +--- a/drivers/net/ethernet/neterion/s2io.c ++++ b/drivers/net/ethernet/neterion/s2io.c +@@ -2375,7 +2375,7 @@ static void free_tx_buffers(struct s2io_nic *nic) + skb = s2io_txdl_getskb(&mac_control->fifos[i], txdp, j); + if (skb) { + swstats->mem_freed += skb->truesize; +- dev_kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + cnt++; + } + } +-- +2.35.1 + diff --git a/queue-5.4/eventfd-change-int-to-__u64-in-eventfd_signal-ifndef.patch b/queue-5.4/eventfd-change-int-to-__u64-in-eventfd_signal-ifndef.patch new file mode 100644 index 00000000000..cff51b5a53f --- /dev/null +++ b/queue-5.4/eventfd-change-int-to-__u64-in-eventfd_signal-ifndef.patch 
@@ -0,0 +1,41 @@ +From 0739d92375aa23b5d8f52149ff8294369999fec2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 22:01:54 +0800 +Subject: eventfd: change int to __u64 in eventfd_signal() ifndef + CONFIG_EVENTFD + +From: Zhang Qilong + +[ Upstream commit fd4e60bf0ef8eb9edcfa12dda39e8b6ee9060492 ] + +Commit ee62c6b2dc93 ("eventfd: change int to __u64 in eventfd_signal()") +forgot to change int to __u64 in the CONFIG_EVENTFD=n stub function. + +Link: https://lkml.kernel.org/r/20221124140154.104680-1-zhangqilong3@huawei.com +Fixes: ee62c6b2dc93 ("eventfd: change int to __u64 in eventfd_signal()") +Signed-off-by: Zhang Qilong +Cc: Dylan Yudaken +Cc: Jens Axboe +Cc: Sha Zhengju +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/eventfd.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/eventfd.h b/include/linux/eventfd.h +index dc4fd8a6644d..3482f9365a4d 100644 +--- a/include/linux/eventfd.h ++++ b/include/linux/eventfd.h +@@ -61,7 +61,7 @@ static inline struct eventfd_ctx *eventfd_ctx_fdget(int fd) + return ERR_PTR(-ENOSYS); + } + +-static inline int eventfd_signal(struct eventfd_ctx *ctx, int n) ++static inline int eventfd_signal(struct eventfd_ctx *ctx, __u64 n) + { + return -ENOSYS; + } +-- +2.35.1 + diff --git a/queue-5.4/f2fs-avoid-victim-selection-from-previous-victim-sec.patch b/queue-5.4/f2fs-avoid-victim-selection-from-previous-victim-sec.patch new file mode 100644 index 00000000000..25ee19a92b2 --- /dev/null +++ b/queue-5.4/f2fs-avoid-victim-selection-from-previous-victim-sec.patch 
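Review bot: the CONFIG_EVENTFD=n stub in include/linux/eventfd.h still returns int after this change; only the parameter `n` becomes __u64. The real prototype is not in the hunk, so check that its return type matches as well. If it does not, the stub and the real function still disagree and the changelog should say why that is acceptable.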
@@ -0,0 +1,48 @@ +From a6b97444bca6eb20997826037ad32281c686fd0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 18:03:20 +0900 +Subject: f2fs: avoid victim selection from previous victim section + +From: Yonggil Song + +[ Upstream commit e219aecfd4b766c4e878a3769057e9809f7fcadc ] + +When f2fs chooses GC victim in large section & LFS mode, +next_victim_seg[gc_type] is referenced first. After segment is freed, +next_victim_seg[gc_type] has the next segment number. +However, next_victim_seg[gc_type] still has the last segment number +even after the last segment of section is freed. In this case, when f2fs +chooses a victim for the next GC round, the last segment of previous victim +section is chosen as a victim. + +Initialize next_victim_seg[gc_type] to NULL_SEGNO for the last segment in +large section. + +Fixes: e3080b0120a1 ("f2fs: support subsectional garbage collection") +Signed-off-by: Yonggil Song +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/gc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c +index 3d3e414e2987..420591654ca0 100644 +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -1253,8 +1253,9 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi, + seg_freed++; + migrated++; + +- if (__is_large_section(sbi) && segno + 1 < end_segno) +- sbi->next_victim_seg[gc_type] = segno + 1; ++ if (__is_large_section(sbi)) ++ sbi->next_victim_seg[gc_type] = ++ (segno + 1 < end_segno) ? segno + 1 : NULL_SEGNO; + skip: + f2fs_put_page(sum_page, 0); + } +-- +2.35.1 + diff --git a/queue-5.4/f2fs-fix-normal-discard-process.patch b/queue-5.4/f2fs-fix-normal-discard-process.patch new file mode 100644 index 00000000000..833c83e8488 --- /dev/null +++ b/queue-5.4/f2fs-fix-normal-discard-process.patch 
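Review bot: in do_garbage_collect() (fs/f2fs/gc.c) the new assignment sits above the `skip:` label, so any segment that reaches `skip:` by goto leaves next_victim_seg[gc_type] untouched. If the last segment of a large section can take that path, the stale segment number described in the changelog survives. Either move the reset below the label or state in the changelog why the skip path cannot hit this case.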
@@ -0,0 +1,43 @@ +From 4202a8a426958d2c9712203d180f2c7193624f2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Oct 2022 17:40:36 +0800 +Subject: f2fs: fix normal discard process + +From: Dongdong Zhang + +[ Upstream commit b5f1a218ae5e4339130d6e733f0e63d623e09a2c ] + +In the DPOLICY_BG mode, there is a conflict between +the two conditions "i + 1 < dpolicy->granularity" and +"i < DEFAULT_DISCARD_GRANULARITY". If i = 15, the first +condition is false, it will enter the second condition +and dispatch all small granularity discards in function + __issue_discard_cmd_orderly. The restrictive effect +of the first condition to small discards will be +invalidated. These two conditions should align. + +Fixes: 20ee4382322c ("f2fs: issue small discard by LBA order") +Signed-off-by: Dongdong Zhang +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 7759323bd775..e43b57755a7f 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -1486,7 +1486,7 @@ static int __issue_discard_cmd(struct f2fs_sb_info *sbi, + if (i + 1 < dpolicy->granularity) + break; + +- if (i < DEFAULT_DISCARD_GRANULARITY && dpolicy->ordered) ++ if (i + 1 < DEFAULT_DISCARD_GRANULARITY && dpolicy->ordered) + return __issue_discard_cmd_orderly(sbi, dpolicy); + + pend_list = &dcc->pend_list[i]; +-- +2.35.1 + diff --git a/queue-5.4/fbdev-pm2fb-fix-missing-pci_disable_device.patch b/queue-5.4/fbdev-pm2fb-fix-missing-pci_disable_device.patch new file mode 100644 index 00000000000..5dcb86f0534 --- /dev/null +++ b/queue-5.4/fbdev-pm2fb-fix-missing-pci_disable_device.patch 
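Review bot: the changelog for the fs/f2fs/segment.c change argues from `i = 15` without giving the values of dpolicy->granularity or DEFAULT_DISCARD_GRANULARITY that make the two conditions disagree. State those values so the example can be followed. If index i is meant to stand for granularity i + 1, a short comment above the two `i + 1 <` tests in __issue_discard_cmd() saying so would document the off-by-one that the fix depends on.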
@@ -0,0 +1,56 @@ +From 7666bd5509c240b24cb377f3bf03801d46681d60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Nov 2022 17:55:10 +0800 +Subject: fbdev: pm2fb: fix missing pci_disable_device() + +From: Yang Yingliang + +[ Upstream commit ed359a464846b48f76ea6cc5cd8257e545ac97f4 ] + +Add missing pci_disable_device() in error path of probe() and remove() path. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/pm2fb.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/pm2fb.c b/drivers/video/fbdev/pm2fb.c +index 8ae010f07d7d..0ec4be2f2e8c 100644 +--- a/drivers/video/fbdev/pm2fb.c ++++ b/drivers/video/fbdev/pm2fb.c +@@ -1529,8 +1529,10 @@ static int pm2fb_probe(struct pci_dev *pdev, const struct pci_device_id *id) + } + + info = framebuffer_alloc(sizeof(struct pm2fb_par), &pdev->dev); +- if (!info) +- return -ENOMEM; ++ if (!info) { ++ err = -ENOMEM; ++ goto err_exit_disable; ++ } + default_par = info->par; + + switch (pdev->device) { +@@ -1711,6 +1713,8 @@ static int pm2fb_probe(struct pci_dev *pdev, const struct pci_device_id *id) + release_mem_region(pm2fb_fix.mmio_start, pm2fb_fix.mmio_len); + err_exit_neither: + framebuffer_release(info); ++ err_exit_disable: ++ pci_disable_device(pdev); + return retval; + } + +@@ -1737,6 +1741,7 @@ static void pm2fb_remove(struct pci_dev *pdev) + fb_dealloc_cmap(&info->cmap); + kfree(info->pixmap.addr); + framebuffer_release(info); ++ pci_disable_device(pdev); + } + + static const struct pci_device_id pm2fb_id_table[] = { +-- +2.35.1 + diff --git a/queue-5.4/fbdev-ssd1307fb-drop-optional-dependency.patch b/queue-5.4/fbdev-ssd1307fb-drop-optional-dependency.patch new file mode 100644 index 00000000000..0e608d7ccdf --- /dev/null +++ b/queue-5.4/fbdev-ssd1307fb-drop-optional-dependency.patch 
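Review bot: in pm2fb_probe() the new `!info` branch stores -ENOMEM in `err`, but the `err_exit_disable:` label it jumps to ends in `return retval;`. Unless retval is assigned from err somewhere outside the visible hunks, an allocation failure returns whatever retval holds rather than -ENOMEM. Assign `retval = -ENOMEM` in that branch, or make the label path return the value that was actually set.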
@@ -0,0 +1,38 @@ +From a66448dc4d5eec5707977c29d7f400903e6c1a9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 17:09:46 +0200 +Subject: fbdev: ssd1307fb: Drop optional dependency + +From: Andy Shevchenko + +[ Upstream commit 025e3b507a3a8e1ee96a3112bb67495c77d6cdb6 ] + +Only a single out of three devices need a PWM, so from driver it's +optional. Moreover it's a single driver in the entire kernel that +currently selects PWM. Unfortunately this selection is a root cause +of the circular dependencies when we want to enable optional PWM +for some other drivers that select GPIOLIB. + +Fixes: a2ed00da5047 ("drivers/video: add support for the Solomon SSD1307 OLED Controller") +Signed-off-by: Andy Shevchenko +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig +index a7e5f12687b7..124ed0e8454e 100644 +--- a/drivers/video/fbdev/Kconfig ++++ b/drivers/video/fbdev/Kconfig +@@ -2243,7 +2243,6 @@ config FB_SSD1307 + select FB_SYS_COPYAREA + select FB_SYS_IMAGEBLIT + select FB_DEFERRED_IO +- select PWM + select FB_BACKLIGHT + help + This driver implements support for the Solomon SSD1307 +-- +2.35.1 + diff --git a/queue-5.4/fbdev-uvesafb-fixes-an-error-handling-path-in-uvesaf.patch b/queue-5.4/fbdev-uvesafb-fixes-an-error-handling-path-in-uvesaf.patch new file mode 100644 index 00000000000..81c998453bb --- /dev/null +++ b/queue-5.4/fbdev-uvesafb-fixes-an-error-handling-path-in-uvesaf.patch 
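Review bot: with `select PWM` removed from FB_SSD1307 in drivers/video/fbdev/Kconfig, nothing in the entry tells a user of the one device that needs a PWM (per the changelog, one of three) to enable it. Add a sentence to the help text naming that requirement, and confirm in the changelog that the driver builds and probes cleanly with PWM disabled.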
@@ -0,0 +1,39 @@ +From 3d2427566a8415eae8ce0d216c6a45ea900db275 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Dec 2022 12:35:22 +0100 +Subject: fbdev: uvesafb: Fixes an error handling path in uvesafb_probe() + +From: Christophe JAILLET + +[ Upstream commit a94371040712031ba129c7e9d8ff04a06a2f8207 ] + +If an error occurs after a successful uvesafb_init_mtrr() call, it must be +undone by a corresponding arch_phys_wc_del() call, as already done in the +remove function. + +This has been added in the remove function in commit 63e28a7a5ffc +("uvesafb: Clean up MTRR code") + +Fixes: 8bdb3a2d7df4 ("uvesafb: the driver core") +Signed-off-by: Christophe JAILLET +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/uvesafb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/fbdev/uvesafb.c b/drivers/video/fbdev/uvesafb.c +index 439565cae7ab..7d3af1d19ad3 100644 +--- a/drivers/video/fbdev/uvesafb.c ++++ b/drivers/video/fbdev/uvesafb.c +@@ -1756,6 +1756,7 @@ static int uvesafb_probe(struct platform_device *dev) + out_unmap: + iounmap(info->screen_base); + out_mem: ++ arch_phys_wc_del(par->mtrr_handle); + release_mem_region(info->fix.smem_start, info->fix.smem_len); + out_reg: + release_region(0x3c0, 32); +-- +2.35.1 + diff --git a/queue-5.4/fbdev-vermilion-decrease-reference-count-in-error-pa.patch b/queue-5.4/fbdev-vermilion-decrease-reference-count-in-error-pa.patch new file mode 100644 index 00000000000..83535517013 --- /dev/null +++ b/queue-5.4/fbdev-vermilion-decrease-reference-count-in-error-pa.patch 
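Review bot: arch_phys_wc_del(par->mtrr_handle) is placed under `out_mem:` in uvesafb_probe(), so it runs for every jump to out_mem and for the fall-through from out_unmap, not only after a successful uvesafb_init_mtrr(). The changelog should state that par->mtrr_handle is in a safe initial state on paths that reach out_mem before the MTRR setup, or the call should move to a label that is reached only after it.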
@@ -0,0 +1,40 @@ +From e9e543a3f02ba92917934c918f356c8b5f37569d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 16:56:54 +0800 +Subject: fbdev: vermilion: decrease reference count in error path + +From: Xiongfeng Wang + +[ Upstream commit 001f2cdb952a9566c77fb4b5470cc361db5601bb ] + +pci_get_device() will increase the reference count for the returned +pci_dev. For the error path, we need to use pci_dev_put() to decrease +the reference count. + +Fixes: dbe7e429fedb ("vmlfb: framebuffer driver for Intel Vermilion Range") +Signed-off-by: Xiongfeng Wang +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/vermilion/vermilion.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/vermilion/vermilion.c b/drivers/video/fbdev/vermilion/vermilion.c +index 498038a964ee..ea6671723606 100644 +--- a/drivers/video/fbdev/vermilion/vermilion.c ++++ b/drivers/video/fbdev/vermilion/vermilion.c +@@ -277,8 +277,10 @@ static int vmlfb_get_gpu(struct vml_par *par) + + mutex_unlock(&vml_mutex); + +- if (pci_enable_device(par->gpu) < 0) ++ if (pci_enable_device(par->gpu) < 0) { ++ pci_dev_put(par->gpu); + return -ENODEV; ++ } + + return 0; + } +-- +2.35.1 + diff --git a/queue-5.4/fbdev-via-fix-error-in-via_core_init.patch b/queue-5.4/fbdev-via-fix-error-in-via_core_init.patch new file mode 100644 index 00000000000..3930ba38e3c --- /dev/null +++ b/queue-5.4/fbdev-via-fix-error-in-via_core_init.patch 
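Review bot: after pci_dev_put(par->gpu) in the vmlfb_get_gpu() error branch, par->gpu still holds the released pointer. Set `par->gpu = NULL;` before `return -ENODEV;` so that a later cleanup path that tests or puts par->gpu does not drop the reference a second time.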
@@ -0,0 +1,47 @@ +From a53e05d18342855183e90af5a18372eeb0eb63b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 09:08:52 +0800 +Subject: fbdev: via: Fix error in via_core_init() + +From: Shang XiaoJing + +[ Upstream commit 5886b130de953cfb8826f7771ec8640a79934a7f ] + +via_core_init() won't exit the driver when pci_register_driver() failed. +Exit the viafb-i2c and the viafb-gpio in failed path to prevent error. + +VIA Graphics Integration Chipset framebuffer 2.4 initializing +Error: Driver 'viafb-i2c' is already registered, aborting... +Error: Driver 'viafb-gpio' is already registered, aborting... + +Fixes: 7582eb9be85f ("viafb: Turn GPIO and i2c into proper platform devices") +Signed-off-by: Shang XiaoJing +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/via/via-core.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/via/via-core.c b/drivers/video/fbdev/via/via-core.c +index ffa2ca2d3f5e..ce366b80bda4 100644 +--- a/drivers/video/fbdev/via/via-core.c ++++ b/drivers/video/fbdev/via/via-core.c +@@ -732,7 +732,14 @@ static int __init via_core_init(void) + return ret; + viafb_i2c_init(); + viafb_gpio_init(); +- return pci_register_driver(&via_driver); ++ ret = pci_register_driver(&via_driver); ++ if (ret) { ++ viafb_gpio_exit(); ++ viafb_i2c_exit(); ++ return ret; ++ } ++ ++ return 0; + } + + static void __exit via_core_exit(void) +-- +2.35.1 + diff --git a/queue-5.4/fs-don-t-audit-the-capability-check-in-simple_xattr_.patch b/queue-5.4/fs-don-t-audit-the-capability-check-in-simple_xattr_.patch new file mode 100644 index 00000000000..0584ea97196 --- /dev/null +++ b/queue-5.4/fs-don-t-audit-the-capability-check-in-simple_xattr_.patch 
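Review bot: via_core_init() still calls viafb_i2c_init() and viafb_gpio_init() without looking at any result, yet the new failure branch calls both exit functions unconditionally. If either init can fail, the unwind runs an exit for something that was never registered; check their results or note in the changelog that the exit functions tolerate that. The step whose failure produces the visible `return ret;` is also not undone on the new pci_register_driver() failure path, so confirm it needs no teardown there.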
@@ -0,0 +1,54 @@ +From 7001106a08fb4fc4cd38d2ee710cd421a52bff0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 16:12:05 +0100 +Subject: fs: don't audit the capability check in simple_xattr_list() + +From: Ondrej Mosnacek + +[ Upstream commit e7eda157c4071cd1e69f4b1687b0fbe1ae5e6f46 ] + +The check being unconditional may lead to unwanted denials reported by +LSMs when a process has the capability granted by DAC, but denied by an +LSM. In the case of SELinux such denials are a problem, since they can't +be effectively filtered out via the policy and when not silenced, they +produce noise that may hide a true problem or an attack. + +Checking for the capability only if any trusted xattr is actually +present wouldn't really address the issue, since calling listxattr(2) on +such node on its own doesn't indicate an explicit attempt to see the +trusted xattrs. Additionally, it could potentially leak the presence of +trusted xattrs to an unprivileged user if they can check for the denials +(e.g. through dmesg). + +Therefore, it's best (and simplest) to keep the check unconditional and +instead use ns_capable_noaudit() that will silence any associated LSM +denials. 
+ +Fixes: 38f38657444d ("xattr: extract simple_xattr code from tmpfs") +Reported-by: Martin Pitt +Suggested-by: Christian Brauner (Microsoft) +Signed-off-by: Ondrej Mosnacek +Reviewed-by: Christian Brauner (Microsoft) +Reviewed-by: Paul Moore +Signed-off-by: Christian Brauner (Microsoft) +Signed-off-by: Sasha Levin +--- + fs/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/xattr.c b/fs/xattr.c +index f2854570d411..ee78012ec3a5 100644 +--- a/fs/xattr.c ++++ b/fs/xattr.c +@@ -1013,7 +1013,7 @@ static int xattr_list_one(char **buffer, ssize_t *remaining_size, + ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs, + char *buffer, size_t size) + { +- bool trusted = capable(CAP_SYS_ADMIN); ++ bool trusted = ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN); + struct simple_xattr *xattr; + ssize_t remaining_size = size; + int err = 0; +-- +2.35.1 + diff --git a/queue-5.4/fs-jfs-fix-shift-out-of-bounds-in-dballocag.patch b/queue-5.4/fs-jfs-fix-shift-out-of-bounds-in-dballocag.patch new file mode 100644 index 00000000000..17daab59f9f --- /dev/null +++ b/queue-5.4/fs-jfs-fix-shift-out-of-bounds-in-dballocag.patch 
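Review bot: the reason for ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN) in simple_xattr_list() lives only in the changelog. Add a short comment above `bool trusted = ...` in fs/xattr.c saying the check is deliberately unaudited because listxattr(2) is not an explicit request to see trusted xattrs, so that a later cleanup does not switch it back to capable().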
@@ -0,0 +1,90 @@ +From b876eb9c05078b4aff5a1e10d85d686e1c07356a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 08:48:07 -0500 +Subject: fs: jfs: fix shift-out-of-bounds in dbAllocAG + +From: Dongliang Mu + +[ Upstream commit 898f706695682b9954f280d95e49fa86ffa55d08 ] + +Syzbot found a crash : UBSAN: shift-out-of-bounds in dbAllocAG. The +underlying bug is the missing check of bmp->db_agl2size. The field can +be greater than 64 and trigger the shift-out-of-bounds. + +Fix this bug by adding a check of bmp->db_agl2size in dbMount since this +field is used in many following functions. The upper bound for this +field is L2MAXL2SIZE - L2MAXAG, thanks for the help of Dave Kleikamp. +Note that, for maintenance, I reorganized error handling code of dbMount. + +Reported-by: syzbot+15342c1aa6a00fb7a438@syzkaller.appspotmail.com +Signed-off-by: Dongliang Mu +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index d3cb27487c70..3bcf98d01733 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -155,7 +155,7 @@ int dbMount(struct inode *ipbmap) + struct bmap *bmp; + struct dbmap_disk *dbmp_le; + struct metapage *mp; +- int i; ++ int i, err; + + /* + * allocate/initialize the in-memory bmap descriptor +@@ -170,8 +170,8 @@ int dbMount(struct inode *ipbmap) + BMAPBLKNO << JFS_SBI(ipbmap->i_sb)->l2nbperpage, + PSIZE, 0); + if (mp == NULL) { +- kfree(bmp); +- return -EIO; ++ err = -EIO; ++ goto err_kfree_bmp; + } + + /* copy the on-disk bmap descriptor to its in-memory version. 
*/ +@@ -181,9 +181,8 @@ int dbMount(struct inode *ipbmap) + bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage); + bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag); + if (!bmp->db_numag) { +- release_metapage(mp); +- kfree(bmp); +- return -EINVAL; ++ err = -EINVAL; ++ goto err_release_metapage; + } + + bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel); +@@ -194,6 +193,11 @@ int dbMount(struct inode *ipbmap) + bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth); + bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart); + bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size); ++ if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) { ++ err = -EINVAL; ++ goto err_release_metapage; ++ } ++ + for (i = 0; i < MAXAG; i++) + bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]); + bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize); +@@ -214,6 +218,12 @@ int dbMount(struct inode *ipbmap) + BMAP_LOCK_INIT(bmp); + + return (0); ++ ++err_release_metapage: ++ release_metapage(mp); ++err_kfree_bmp: ++ kfree(bmp); ++ return err; + } + + +-- +2.35.1 + diff --git a/queue-5.4/fs-jfs-fix-shift-out-of-bounds-in-dbdiscardag.patch b/queue-5.4/fs-jfs-fix-shift-out-of-bounds-in-dbdiscardag.patch new file mode 100644 index 00000000000..d500e670c18 --- /dev/null +++ b/queue-5.4/fs-jfs-fix-shift-out-of-bounds-in-dbdiscardag.patch 
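Review bot: the new test in dbMount() (fs/jfs/jfs_dmap.c) bounds db_agl2size only from above. The value comes straight from disk through le32_to_cpu(); if the in-memory field is signed, a negative value passes `> L2MAXL2SIZE - L2MAXAG` and still reaches the shifts, so add a lower-bound test or confirm that the field is unsigned. A comment next to the check on why L2MAXL2SIZE - L2MAXAG is the limit would also help, since the fix is combined here with the rework of the error labels.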
@@ -0,0 +1,39 @@ +From 6d71c926b5ea4c696e16b1c97b16c2ac75c5f3d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Oct 2022 23:20:45 +0800 +Subject: fs: jfs: fix shift-out-of-bounds in dbDiscardAG + +From: Hoi Pok Wu + +[ Upstream commit 25e70c6162f207828dd405b432d8f2a98dbf7082 ] + +This should be applied to most URSAN bugs found recently by syzbot, +by guarding the dbMount. As syzbot feeding rubbish into the bmap +descriptor. + +Signed-off-by: Hoi Pok Wu +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 3bcf98d01733..aa4643854f94 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -198,6 +198,11 @@ int dbMount(struct inode *ipbmap) + goto err_release_metapage; + } + ++ if (((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG) { ++ err = -EINVAL; ++ goto err_release_metapage; ++ } ++ + for (i = 0; i < MAXAG; i++) + bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]); + bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize); +-- +2.35.1 + diff --git a/queue-5.4/fs-sysv-fix-sysv_nblocks-returns-wrong-value.patch b/queue-5.4/fs-sysv-fix-sysv_nblocks-returns-wrong-value.patch new file mode 100644 index 00000000000..35f88ec0ee6 --- /dev/null +++ b/queue-5.4/fs-sysv-fix-sysv_nblocks-returns-wrong-value.patch 
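Review bot: the added test `((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG` in dbMount() looks off by one. If the shifted value is the index of the last allocation group, valid indices are 0..MAXAG-1, as the `for (i = 0; i < MAXAG; i++)` loop over db_agfree right below suggests, and the comparison should be `>= MAXAG`. The changelog does not say what the expression computes or how db_mapsize == 0 behaves; both belong in a comment next to the check.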
@@ -0,0 +1,42 @@ +From ecb10a1be34d5c816c824ff901efc3419b0c009f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Dec 2022 18:04:48 +0800 +Subject: fs: sysv: Fix sysv_nblocks() returns wrong value + +From: Chen Zhongjin + +[ Upstream commit e0c49bd2b4d3cd1751491eb2d940bce968ac65e9 ] + +sysv_nblocks() returns 'blocks' rather than 'res', which only counting +the number of triple-indirect blocks and causing sysv_getattr() gets a +wrong result. + +[AV: this is actually a sysv counterpart of minixfs fix - +0fcd426de9d0 "[PATCH] minix block usage counting fix" in +historical tree; mea culpa, should've thought to check +fs/sysv back then...] + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Chen Zhongjin +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/sysv/itree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c +index bcb67b0cabe7..31f66053e239 100644 +--- a/fs/sysv/itree.c ++++ b/fs/sysv/itree.c +@@ -438,7 +438,7 @@ static unsigned sysv_nblocks(struct super_block *s, loff_t size) + res += blocks; + direct = 1; + } +- return blocks; ++ return res; + } + + int sysv_getattr(const struct path *path, struct kstat *stat, +-- +2.35.1 + diff --git a/queue-5.4/genirq-irqdesc-don-t-try-to-remove-non-existing-sysf.patch b/queue-5.4/genirq-irqdesc-don-t-try-to-remove-non-existing-sysf.patch new file mode 100644 index 00000000000..8a819d46a88 --- /dev/null +++ b/queue-5.4/genirq-irqdesc-don-t-try-to-remove-non-existing-sysf.patch 
@@ -0,0 +1,115 @@ +From c425434596e1ab8aa1953c348f33e37e65dd097c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 23:16:12 +0800 +Subject: genirq/irqdesc: Don't try to remove non-existing sysfs files + +From: Yang Yingliang + +[ Upstream commit 9049e1ca41983ab773d7ea244bee86d7835ec9f5 ] + +Fault injection tests trigger warnings like this: + + kernfs: can not remove 'chip_name', no directory + WARNING: CPU: 0 PID: 253 at fs/kernfs/dir.c:1616 kernfs_remove_by_name_ns+0xce/0xe0 + RIP: 0010:kernfs_remove_by_name_ns+0xce/0xe0 + Call Trace: + + remove_files.isra.1+0x3f/0xb0 + sysfs_remove_group+0x68/0xe0 + sysfs_remove_groups+0x41/0x70 + __kobject_del+0x45/0xc0 + kobject_del+0x29/0x40 + free_desc+0x42/0x70 + irq_free_descs+0x5e/0x90 + +The reason is that the interrupt descriptor sysfs handling does not roll +back on a failing kobject_add() during allocation. If the descriptor is +freed later on, kobject_del() is invoked with a not added kobject resulting +in the above warnings. + +A proper rollback in case of a kobject_add() failure would be the straight +forward solution. But this is not possible due to the way how interrupt +descriptor sysfs handling works. + +Interrupt descriptors are allocated before sysfs becomes available. So the +sysfs files for the early allocated descriptors are added later in the boot +process. At this point there can be nothing useful done about a failing +kobject_add(). For consistency the interrupt descriptor allocation always +treats kobject_add() failures as non-critical and just emits a warning. + +To solve this problem, keep track in the interrupt descriptor whether +kobject_add() was successful or not and make the invocation of +kobject_del() conditional on that. + +[ tglx: Massage changelog, comments and use a state bit. 
] + +Fixes: ecb3f394c5db ("genirq: Expose interrupt information through sysfs") +Signed-off-by: Yang Yingliang +Signed-off-by: Thomas Gleixner +Reviewed-by: Greg Kroah-Hartman +Link: https://lore.kernel.org/r/20221128151612.1786122-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/irq/internals.h | 2 ++ + kernel/irq/irqdesc.c | 15 +++++++++------ + 2 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/kernel/irq/internals.h b/kernel/irq/internals.h +index ba4d742c1c65..7057b60afabe 100644 +--- a/kernel/irq/internals.h ++++ b/kernel/irq/internals.h +@@ -52,6 +52,7 @@ enum { + * IRQS_PENDING - irq is pending and replayed later + * IRQS_SUSPENDED - irq is suspended + * IRQS_NMI - irq line is used to deliver NMIs ++ * IRQS_SYSFS - descriptor has been added to sysfs + */ + enum { + IRQS_AUTODETECT = 0x00000001, +@@ -64,6 +65,7 @@ enum { + IRQS_SUSPENDED = 0x00000800, + IRQS_TIMINGS = 0x00001000, + IRQS_NMI = 0x00002000, ++ IRQS_SYSFS = 0x00004000, + }; + + #include "debug.h" +diff --git a/kernel/irq/irqdesc.c b/kernel/irq/irqdesc.c +index 172b5e6bc4c2..0272a2e36ae6 100644 +--- a/kernel/irq/irqdesc.c ++++ b/kernel/irq/irqdesc.c +@@ -288,22 +288,25 @@ static void irq_sysfs_add(int irq, struct irq_desc *desc) + if (irq_kobj_base) { + /* + * Continue even in case of failure as this is nothing +- * crucial. ++ * crucial and failures in the late irq_sysfs_init() ++ * cannot be rolled back. + */ + if (kobject_add(&desc->kobj, irq_kobj_base, "%d", irq)) + pr_warn("Failed to add kobject for irq %d\n", irq); ++ else ++ desc->istate |= IRQS_SYSFS; + } + } + + static void irq_sysfs_del(struct irq_desc *desc) + { + /* +- * If irq_sysfs_init() has not yet been invoked (early boot), then +- * irq_kobj_base is NULL and the descriptor was never added. +- * kobject_del() complains about a object with no parent, so make +- * it conditional. ++ * Only invoke kobject_del() when kobject_add() was successfully ++ * invoked for the descriptor. 
This covers both early boot, where ++ * sysfs is not initialized yet, and the case of a failed ++ * kobject_add() invocation. + */ +- if (irq_kobj_base) ++ if (desc->istate & IRQS_SYSFS) + kobject_del(&desc->kobj); + } + +-- +2.35.1 + diff --git a/queue-5.4/hamradio-baycom_epp-fix-return-type-of-baycom_send_p.patch b/queue-5.4/hamradio-baycom_epp-fix-return-type-of-baycom_send_p.patch new file mode 100644 index 00000000000..1e6428d48a6 --- /dev/null +++ b/queue-5.4/hamradio-baycom_epp-fix-return-type-of-baycom_send_p.patch 
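Review bot: IRQS_SYSFS is set in irq_sysfs_add() but irq_sysfs_del() does not clear it after kobject_del(&desc->kobj). If a descriptor can pass through irq_sysfs_del() more than once, the second call repeats the kobject_del() that this patch is meant to prevent; clear the bit after the delete or say in the comment why a single call is guaranteed. The hunks also update desc->istate without showing which lock covers it, which the new comment could mention.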
@@ -0,0 +1,52 @@ +From 9662ba513ccc36dda9c4e99918dcdc6ac521c4c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 09:06:10 -0700 +Subject: hamradio: baycom_epp: Fix return type of baycom_send_packet() + +From: Nathan Chancellor + +[ Upstream commit c5733e5b15d91ab679646ec3149e192996a27d5d ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +proposed warning in clang aims to catch these at compile time, which +reveals: + + drivers/net/hamradio/baycom_epp.c:1119:25: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .ndo_start_xmit = baycom_send_packet, + ^~~~~~~~~~~~~~~~~~ + 1 error generated. + +->ndo_start_xmit() in 'struct net_device_ops' expects a return type of +'netdev_tx_t', not 'int'. Adjust the return type of baycom_send_packet() +to match the prototype's to resolve the warning and CFI failure. 
+ +Link: https://github.com/ClangBuiltLinux/linux/issues/1750 +Signed-off-by: Nathan Chancellor +Reviewed-by: Kees Cook +Link: https://lore.kernel.org/r/20221102160610.1186145-1-nathan@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/baycom_epp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/hamradio/baycom_epp.c b/drivers/net/hamradio/baycom_epp.c +index 4476491b58f9..c5495ca5e8e6 100644 +--- a/drivers/net/hamradio/baycom_epp.c ++++ b/drivers/net/hamradio/baycom_epp.c +@@ -758,7 +758,7 @@ static void epp_bh(struct work_struct *work) + * ===================== network driver interface ========================= + */ + +-static int baycom_send_packet(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t baycom_send_packet(struct sk_buff *skb, struct net_device *dev) + { + struct baycom_state *bc = netdev_priv(dev); + +-- +2.35.1 + diff --git a/queue-5.4/hamradio-don-t-call-dev_kfree_skb-under-spin_lock_ir.patch b/queue-5.4/hamradio-don-t-call-dev_kfree_skb-under-spin_lock_ir.patch new file mode 100644 index 00000000000..ae9fbb4588f --- /dev/null +++ b/queue-5.4/hamradio-don-t-call-dev_kfree_skb-under-spin_lock_ir.patch 
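Review bot: only the signature of baycom_send_packet() changes in drivers/net/hamradio/baycom_epp.c; the function's return statements are outside the hunk. With the return type now netdev_tx_t, check that each of them returns a NETDEV_TX_* value rather than a bare integer, and fold any needed change into this patch.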
@@ -0,0 +1,62 @@ +From c8cc9da642146d2e6775cbdbd44d8308dea7819a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 22:21:46 +0800 +Subject: hamradio: don't call dev_kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 3727f742915f04f6fc550b80cf406999bd4e90d0 ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +In scc_discard_buffers(), dev_kfree_skb() is called to discard the SKBs, +so replace it with dev_kfree_skb_irq(). + +In scc_net_tx(), dev_kfree_skb() is called to drop the SKB that exceed +queue length, so replace it with dev_kfree_skb_irq(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/scc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/hamradio/scc.c b/drivers/net/hamradio/scc.c +index 6c03932d8a6b..3dc4eb841aa1 100644 +--- a/drivers/net/hamradio/scc.c ++++ b/drivers/net/hamradio/scc.c +@@ -300,12 +300,12 @@ static inline void scc_discard_buffers(struct scc_channel *scc) + spin_lock_irqsave(&scc->lock, flags); + if (scc->tx_buff != NULL) + { +- dev_kfree_skb(scc->tx_buff); ++ dev_kfree_skb_irq(scc->tx_buff); + scc->tx_buff = NULL; + } + + while (!skb_queue_empty(&scc->tx_queue)) +- dev_kfree_skb(skb_dequeue(&scc->tx_queue)); ++ dev_kfree_skb_irq(skb_dequeue(&scc->tx_queue)); + + spin_unlock_irqrestore(&scc->lock, flags); + } +@@ -1667,7 +1667,7 @@ static netdev_tx_t scc_net_tx(struct sk_buff *skb, struct net_device *dev) + if (skb_queue_len(&scc->tx_queue) > scc->dev->tx_queue_len) { + struct sk_buff *skb_del; + skb_del = skb_dequeue(&scc->tx_queue); +- dev_kfree_skb(skb_del); ++ dev_kfree_skb_irq(skb_del); + } + skb_queue_tail(&scc->tx_queue, skb); + netif_trans_update(dev); +-- +2.35.1 + diff --git a/queue-5.4/hfs-fix-oob-read-in-__hfs_brec_find.patch b/queue-5.4/hfs-fix-oob-read-in-__hfs_brec_find.patch new file mode 100644 index 00000000000..00a1e019d67 --- /dev/null +++ b/queue-5.4/hfs-fix-oob-read-in-__hfs_brec_find.patch 
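Review bot: the scc_net_tx() hunk in drivers/net/hamradio/scc.c shows no lock in its context, unlike scc_discard_buffers() where spin_lock_irqsave(&scc->lock, flags) is visible. Name the lock held around the `skb_del` drop in the changelog so the switch to dev_kfree_skb_irq() can be verified for that call site as well.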
@@ -0,0 +1,81 @@ +From 81fb53cd4adff60536146b1d64c9783bab0d4f4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Nov 2022 06:59:59 +0000 +Subject: hfs: fix OOB Read in __hfs_brec_find + +From: ZhangPeng + +[ Upstream commit 8d824e69d9f3fa3121b2dda25053bae71e2460d2 ] + +Syzbot reported a OOB read bug: + +================================================================== +BUG: KASAN: slab-out-of-bounds in hfs_strcmp+0x117/0x190 +fs/hfs/string.c:84 +Read of size 1 at addr ffff88807eb62c4e by task kworker/u4:1/11 +CPU: 1 PID: 11 Comm: kworker/u4:1 Not tainted +6.1.0-rc6-syzkaller-00308-g644e9524388a #0 +Workqueue: writeback wb_workfn (flush-7:0) +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 + print_address_description+0x74/0x340 mm/kasan/report.c:284 + print_report+0x107/0x1f0 mm/kasan/report.c:395 + kasan_report+0xcd/0x100 mm/kasan/report.c:495 + hfs_strcmp+0x117/0x190 fs/hfs/string.c:84 + __hfs_brec_find+0x213/0x5c0 fs/hfs/bfind.c:75 + hfs_brec_find+0x276/0x520 fs/hfs/bfind.c:138 + hfs_write_inode+0x34c/0xb40 fs/hfs/inode.c:462 + write_inode fs/fs-writeback.c:1440 [inline] + +If the input inode of hfs_write_inode() is incorrect: +struct inode + struct hfs_inode_info + struct hfs_cat_key + struct hfs_name + u8 len # len is greater than HFS_NAMELEN(31) which is the +maximum length of an HFS filename + +OOB read occurred: +hfs_write_inode() + hfs_brec_find() + __hfs_brec_find() + hfs_cat_keycmp() + hfs_strcmp() # OOB read occurred due to len is too large + +Fix this by adding a Check on len in hfs_write_inode() before calling +hfs_brec_find(). 
+ +Link: https://lkml.kernel.org/r/20221130065959.2168236-1-zhangpeng362@huawei.com +Signed-off-by: ZhangPeng +Reported-by: +Cc: Damien Le Moal +Cc: Ira Weiny +Cc: Jeff Layton +Cc: Kefeng Wang +Cc: Matthew Wilcox +Cc: Nanyong Sun +Cc: Viacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/hfs/inode.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c +index da243c84e93b..9c5badc9db00 100644 +--- a/fs/hfs/inode.c ++++ b/fs/hfs/inode.c +@@ -453,6 +453,8 @@ int hfs_write_inode(struct inode *inode, struct writeback_control *wbc) + /* panic? */ + return -EIO; + ++ if (HFS_I(main_inode)->cat_key.CName.len > HFS_NAMELEN) ++ return -EIO; + fd.search_key->cat = HFS_I(main_inode)->cat_key; + if (hfs_brec_find(&fd)) + /* panic? */ +-- +2.35.1 + diff --git a/queue-5.4/hfs-fix-oob-write-in-hfs_asc2mac.patch b/queue-5.4/hfs-fix-oob-write-in-hfs_asc2mac.patch new file mode 100644 index 00000000000..6cdd507e84c --- /dev/null +++ b/queue-5.4/hfs-fix-oob-write-in-hfs_asc2mac.patch 
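Review bot: the new early return in hfs_write_inode() sits after the setup of fd (the very next line already uses fd.search_key), but it leaves with a bare return -EIO instead of going through the function's cleanup. If that setup took a lock or allocated the search key, this branch needs the same exit path as the hfs_brec_find() failure just below it, for example by setting the error and jumping to the existing cleanup label. The check also only guards this one caller; validating CName.len where the catalog key is first filled in would cover other users of cat_key.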
@@ -0,0 +1,66 @@ +From bfb6f35ab3a540be80e05e8e07473fe22ae7d9b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 03:00:38 +0000 +Subject: hfs: Fix OOB Write in hfs_asc2mac + +From: ZhangPeng + +[ Upstream commit c53ed55cb275344086e32a7080a6b19cb183650b ] + +Syzbot reported a OOB Write bug: + +loop0: detected capacity change from 0 to 64 +================================================================== +BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0 +fs/hfs/trans.c:133 +Write of size 1 at addr ffff88801848314e by task syz-executor391/3632 + +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 + print_address_description+0x74/0x340 mm/kasan/report.c:284 + print_report+0x107/0x1f0 mm/kasan/report.c:395 + kasan_report+0xcd/0x100 mm/kasan/report.c:495 + hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 + hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28 + hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31 + lookup_open fs/namei.c:3391 [inline] + open_last_lookups fs/namei.c:3481 [inline] + path_openat+0x10e6/0x2df0 fs/namei.c:3710 + do_filp_open+0x264/0x4f0 fs/namei.c:3740 + +If in->len is much larger than HFS_NAMELEN(31) which is the maximum +length of an HFS filename, a OOB write could occur in hfs_asc2mac(). In +that case, when the dst reaches the boundary, the srclen is still +greater than 0, which causes a OOB write. +Fix this by adding a check on dstlen in while() before writing to dst +address. 
+ +Link: https://lkml.kernel.org/r/20221202030038.1391945-1-zhangpeng362@huawei.com +Fixes: 328b92278650 ("[PATCH] hfs: NLS support") +Signed-off-by: ZhangPeng +Reviewed-by: Viacheslav Dubeyko +Reported-by: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/hfs/trans.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/hfs/trans.c b/fs/hfs/trans.c +index 39f5e343bf4d..fdb0edb8a607 100644 +--- a/fs/hfs/trans.c ++++ b/fs/hfs/trans.c +@@ -109,7 +109,7 @@ void hfs_asc2mac(struct super_block *sb, struct hfs_name *out, const struct qstr + if (nls_io) { + wchar_t ch; + +- while (srclen > 0) { ++ while (srclen > 0 && dstlen > 0) { + size = nls_io->char2uni(src, srclen, &ch); + if (size < 0) { + ch = '?'; +-- +2.35.1 + diff --git a/queue-5.4/hid-hid-sensor-custom-set-fixed-size-for-custom-attr.patch b/queue-5.4/hid-hid-sensor-custom-set-fixed-size-for-custom-attr.patch new file mode 100644 index 00000000000..6b410f43fa8 --- /dev/null +++ b/queue-5.4/hid-hid-sensor-custom-set-fixed-size-for-custom-attr.patch 
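Review bot: the added dstlen > 0 condition in hfs_asc2mac() stops the overflow by silently truncating the name, so two different over-long names can now encode to the same hfs_name. The call trace in the commit message reaches this through hfs_lookup() and hfs_cat_build_key(), which suggests rejecting names longer than HFS_NAMELEN with -ENAMETOOLONG at the caller would be the stricter fix. The hunk also only touches the nls_io branch, so the other branch of that if should be confirmed to bound its copy by dstlen as well.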
@@ -0,0 +1,48 @@ +From 8708d83bce69bb92414a65a569f8cfb85f42c418 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 13:13:26 +0100 +Subject: HID: hid-sensor-custom: set fixed size for custom attributes + +From: Marcus Folkesson + +[ Upstream commit 9d013910df22de91333a0acc81d1dbb115bd76f6 ] + +This is no bugfix (so no Fixes: tag is necessary) as it is +taken care of in hid_sensor_custom_add_attributes(). + +The motivation for this patch is that: +hid_sensor_custom_field.attr_name and +hid_sensor_custom_field.attrs +has the size of HID_CUSTOM_TOTAL_ATTRS and used in same context. + +We compare against HID_CUSTOM_TOTAL_ATTRS when +looping through hid_custom_attrs. + +We will silent the smatch error: +hid_sensor_custom_add_attributes() error: buffer overflow +'hid_custom_attrs' 8 <= 10 + +Signed-off-by: Marcus Folkesson +Acked-by: Jonathan Cameron +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-sensor-custom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-sensor-custom.c b/drivers/hid/hid-sensor-custom.c +index fb827c295842..825f011c7901 100644 +--- a/drivers/hid/hid-sensor-custom.c ++++ b/drivers/hid/hid-sensor-custom.c +@@ -59,7 +59,7 @@ struct hid_sensor_sample { + u32 raw_len; + } __packed; + +-static struct attribute hid_custom_attrs[] = { ++static struct attribute hid_custom_attrs[HID_CUSTOM_TOTAL_ATTRS] = { + {.name = "name", .mode = S_IRUGO}, + {.name = "units", .mode = S_IRUGO}, + {.name = "unit-expo", .mode = S_IRUGO}, +-- +2.35.1 + diff --git a/queue-5.4/hsi-omap_ssi_core-fix-error-handling-in-ssi_init.patch b/queue-5.4/hsi-omap_ssi_core-fix-error-handling-in-ssi_init.patch new file mode 100644 index 00000000000..1dacf8b866c --- /dev/null +++ b/queue-5.4/hsi-omap_ssi_core-fix-error-handling-in-ssi_init.patch 
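Review bot: sizing hid_custom_attrs[] with HID_CUSTOM_TOTAL_ATTRS changes the failure mode rather than removing it. The smatch message quoted in the commit text (8 <= 10) implies the initialiser list is shorter than the declared size, so the trailing entries are now zero-filled with a NULL .name. Any loop that walks the array up to HID_CUSTOM_TOTAL_ATTRS will see those empty entries, so a short comment on the array stating that the tail is intentionally empty and is filled or skipped in hid_sensor_custom_add_attributes() would document the invariant the commit message relies on.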
@@ -0,0 +1,45 @@ +From ab2e3a9568f231ed7158555cd2d814cee4183028 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 11:33:32 +0000 +Subject: HSI: omap_ssi_core: Fix error handling in ssi_init() + +From: Yuan Can + +[ Upstream commit 3ffa9f713c39a213a08d9ff13ab983a8aa5d8b5d ] + +The ssi_init() returns the platform_driver_register() directly without +checking its return value, if platform_driver_register() failed, the +ssi_pdriver is not unregistered. +Fix by unregister ssi_pdriver when the last platform_driver_register() +failed. + +Fixes: 0fae198988b8 ("HSI: omap_ssi: built omap_ssi and omap_ssi_port into one module") +Signed-off-by: Yuan Can +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/hsi/controllers/omap_ssi_core.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c +index aca80357ccaa..329889bf42f9 100644 +--- a/drivers/hsi/controllers/omap_ssi_core.c ++++ b/drivers/hsi/controllers/omap_ssi_core.c +@@ -631,7 +631,13 @@ static int __init ssi_init(void) { + if (ret) + return ret; + +- return platform_driver_register(&ssi_port_pdriver); ++ ret = platform_driver_register(&ssi_port_pdriver); ++ if (ret) { ++ platform_driver_unregister(&ssi_pdriver); ++ return ret; ++ } ++ ++ return 0; + } + module_init(ssi_init); + +-- +2.35.1 + diff --git a/queue-5.4/hsi-omap_ssi_core-fix-possible-memory-leak-in-ssi_pr.patch b/queue-5.4/hsi-omap_ssi_core-fix-possible-memory-leak-in-ssi_pr.patch new file mode 100644 index 00000000000..f34ab403475 --- /dev/null +++ b/queue-5.4/hsi-omap_ssi_core-fix-possible-memory-leak-in-ssi_pr.patch 
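Review bot: the index line for omap_ssi_core.c in this patch starts from blob aca80357ccaa, which is the result of the ssi_probe() memory-leak patch that follows it on this page, and that one in turn starts from 8b8d25c7dc50, the result of the pm_runtime_disable() patch listed last. The three only apply in the order pm_runtime_disable, memory leak, ssi_init, which is the reverse of the alphabetical order of the files here, so the series file needs to list them that way. The ssi_init() change itself looks fine: the first driver is unregistered only when the second registration fails.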
@@ -0,0 +1,41 @@ +From 14e9c78ed8b3678c8a7d5ecdb64d26b41c23057b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 15:43:37 +0800 +Subject: HSI: omap_ssi_core: fix possible memory leak in ssi_probe() + +From: Yang Yingliang + +[ Upstream commit 1aff514e1d2bd47854dbbdf867970b9d463d4c57 ] + +If ssi_add_controller() returns error, it should call hsi_put_controller() +to give up the reference that was set in hsi_alloc_controller(), so that +it can call hsi_controller_release() to free controller and ports that +allocated in hsi_alloc_controller(). + +Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver") +Signed-off-by: Yang Yingliang +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/hsi/controllers/omap_ssi_core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c +index 8b8d25c7dc50..aca80357ccaa 100644 +--- a/drivers/hsi/controllers/omap_ssi_core.c ++++ b/drivers/hsi/controllers/omap_ssi_core.c +@@ -502,8 +502,10 @@ static int ssi_probe(struct platform_device *pd) + platform_set_drvdata(pd, ssi); + + err = ssi_add_controller(ssi, pd); +- if (err < 0) ++ if (err < 0) { ++ hsi_put_controller(ssi); + goto out1; ++ } + + pm_runtime_enable(&pd->dev); + +-- +2.35.1 + diff --git a/queue-5.4/hsi-omap_ssi_core-fix-unbalanced-pm_runtime_disable.patch b/queue-5.4/hsi-omap_ssi_core-fix-unbalanced-pm_runtime_disable.patch new file mode 100644 index 00000000000..29f88dcb367 --- /dev/null +++ b/queue-5.4/hsi-omap_ssi_core-fix-unbalanced-pm_runtime_disable.patch 
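Review bot: hsi_put_controller(ssi) is added only on the ssi_add_controller() failure branch of ssi_probe(), inline before goto out1. The commit message says the reference comes from hsi_alloc_controller(), so every later failure in the function holds the same reference; the hunk does not show whether the out2 and later labels drop it. If they do not, a dedicated label that calls hsi_put_controller() and falls through to out1 would cover all of them and keep the error handling in the goto ladder rather than in the branch body.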
@@ -0,0 +1,38 @@ +From 51fcc5e33b42f93b9a16cff8aa5e7c559695b488 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 11:41:18 +0800 +Subject: HSI: omap_ssi_core: fix unbalanced pm_runtime_disable() + +From: Yang Yingliang + +[ Upstream commit f5181c35ed7ba0ceb6e42872aad1334d994b0175 ] + +In error label 'out1' path in ssi_probe(), the pm_runtime_enable() +has not been called yet, so pm_runtime_disable() is not needed. + +Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver") +Signed-off-by: Yang Yingliang +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/hsi/controllers/omap_ssi_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c +index 5aa6955b609f..8b8d25c7dc50 100644 +--- a/drivers/hsi/controllers/omap_ssi_core.c ++++ b/drivers/hsi/controllers/omap_ssi_core.c +@@ -536,9 +536,9 @@ static int ssi_probe(struct platform_device *pd) + device_for_each_child(&pd->dev, NULL, ssi_remove_ports); + out2: + ssi_remove_controller(ssi); ++ pm_runtime_disable(&pd->dev); + out1: + platform_set_drvdata(pd, NULL); +- pm_runtime_disable(&pd->dev); + + return err; + } +-- +2.35.1 + diff --git a/queue-5.4/hsr-avoid-double-remove-of-a-node.patch b/queue-5.4/hsr-avoid-double-remove-of-a-node.patch new file mode 100644 index 00000000000..adeccfb35e8 --- /dev/null +++ b/queue-5.4/hsr-avoid-double-remove-of-a-node.patch 
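Review bot: under out2 the moved pm_runtime_disable() now runs after ssi_remove_controller(ssi), but the probe path enables runtime PM after ssi_add_controller() succeeds, so strict reverse order would disable runtime PM first and remove the controller second. Placing the call above ssi_remove_controller(), or giving it its own label between the port cleanup and out2, would keep teardown symmetrical with setup. Dropping it from out1 is correct for the reason given in the commit message.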
@@ -0,0 +1,85 @@ +From 5aaa344777c613beb78a0c901e119290d79d7aff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Nov 2022 17:48:10 +0100 +Subject: hsr: Avoid double remove of a node. + +From: Sebastian Andrzej Siewior + +[ Upstream commit 0c74d9f79ec4299365bbe803baa736ae0068179e ] + +Due to the hashed-MAC optimisation one problem become visible: +hsr_handle_sup_frame() walks over the list of available nodes and merges +two node entries into one if based on the information in the supervision +both MAC addresses belong to one node. The list-walk happens on a RCU +protected list and delete operation happens under a lock. + +If the supervision arrives on both slave interfaces at the same time +then this delete operation can occur simultaneously on two CPUs. The +result is the first-CPU deletes the from the list and the second CPUs +BUGs while attempting to dereference a poisoned list-entry. This happens +more likely with the optimisation because a new node for the mac_B entry +is created once a packet has been received and removed (merged) once the +supervision frame has been received. + +Avoid removing/ cleaning up a hsr_node twice by adding a `removed' field +which is set to true after the removal and checked before the removal. 
+ +Fixes: f266a683a4804 ("net/hsr: Better frame dispatch") +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_framereg.c | 16 +++++++++++----- + net/hsr/hsr_framereg.h | 1 + + 2 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c +index 4a9200729a32..783e741491ec 100644 +--- a/net/hsr/hsr_framereg.c ++++ b/net/hsr/hsr_framereg.c +@@ -269,9 +269,12 @@ void hsr_handle_sup_frame(struct sk_buff *skb, struct hsr_node *node_curr, + node_real->addr_B_port = port_rcv->type; + + spin_lock_bh(&hsr->list_lock); +- list_del_rcu(&node_curr->mac_list); ++ if (!node_curr->removed) { ++ list_del_rcu(&node_curr->mac_list); ++ node_curr->removed = true; ++ kfree_rcu(node_curr, rcu_head); ++ } + spin_unlock_bh(&hsr->list_lock); +- kfree_rcu(node_curr, rcu_head); + + done: + skb_push(skb, sizeof(struct hsrv1_ethhdr_sp)); +@@ -436,9 +439,12 @@ void hsr_prune_nodes(struct timer_list *t) + if (time_is_before_jiffies(timestamp + + msecs_to_jiffies(HSR_NODE_FORGET_TIME))) { + hsr_nl_nodedown(hsr, node->macaddress_A); +- list_del_rcu(&node->mac_list); +- /* Note that we need to free this entry later: */ +- kfree_rcu(node, rcu_head); ++ if (!node->removed) { ++ list_del_rcu(&node->mac_list); ++ node->removed = true; ++ /* Note that we need to free this entry later: */ ++ kfree_rcu(node, rcu_head); ++ } + } + } + spin_unlock_bh(&hsr->list_lock); +diff --git a/net/hsr/hsr_framereg.h b/net/hsr/hsr_framereg.h +index 0f0fa12b4329..01f4ef4ae494 100644 +--- a/net/hsr/hsr_framereg.h ++++ b/net/hsr/hsr_framereg.h +@@ -56,6 +56,7 @@ struct hsr_node { + unsigned long time_in[HSR_PT_PORTS]; + bool time_in_stale[HSR_PT_PORTS]; + u16 seq_out[HSR_PT_PORTS]; ++ bool removed; + struct rcu_head rcu_head; + }; + +-- +2.35.1 + 
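Review bot: in the hsr_prune_nodes() hunk the call hsr_nl_nodedown(hsr, node->macaddress_A) stays outside the new if (!node->removed) block, so a node that was already unlinked by hsr_handle_sup_frame() can still generate a node-down notification while it waits for its RCU grace period. Moving the notification inside the block, or skipping removed nodes at the top of the loop body, would make the flag cover the whole prune action. The flag is read and written under hsr->list_lock in both hunks, which is what makes it safe as a plain bool; a comment on the new struct member saying so would help, and any other list_del_rcu() on mac_list outside these two functions needs the same guard.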
diff --git a/queue-5.4/hugetlbfs-fix-null-ptr-deref-in-hugetlbfs_parse_para.patch b/queue-5.4/hugetlbfs-fix-null-ptr-deref-in-hugetlbfs_parse_para.patch new file mode 100644 index 00000000000..b3e6f20d0f6 --- /dev/null +++ b/queue-5.4/hugetlbfs-fix-null-ptr-deref-in-hugetlbfs_parse_para.patch 
@@ -0,0 +1,96 @@ +From 89977726768d3fe5123997ec97f1120df7fc237a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Oct 2022 07:16:08 +0800 +Subject: hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param() + +From: Hawkins Jiawei + +[ Upstream commit 26215b7ee923b9251f7bb12c4e5f09dc465d35f2 ] + +Syzkaller reports a null-ptr-deref bug as follows: +====================================================== +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +RIP: 0010:hugetlbfs_parse_param+0x1dd/0x8e0 fs/hugetlbfs/inode.c:1380 +[...] +Call Trace: + + vfs_parse_fs_param fs/fs_context.c:148 [inline] + vfs_parse_fs_param+0x1f9/0x3c0 fs/fs_context.c:129 + vfs_parse_fs_string+0xdb/0x170 fs/fs_context.c:191 + generic_parse_monolithic+0x16f/0x1f0 fs/fs_context.c:231 + do_new_mount fs/namespace.c:3036 [inline] + path_mount+0x12de/0x1e20 fs/namespace.c:3370 + do_mount fs/namespace.c:3383 [inline] + __do_sys_mount fs/namespace.c:3591 [inline] + __se_sys_mount fs/namespace.c:3568 [inline] + __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + [...] + +====================================================== + +According to commit "vfs: parse: deal with zero length string value", +kernel will set the param->string to null pointer in vfs_parse_fs_string() +if fs string has zero length. + +Yet the problem is that, hugetlbfs_parse_param() will dereference the +param->string, without checking whether it is a null pointer. To be more +specific, if hugetlbfs_parse_param() parses an illegal mount parameter, +such as "size=,", kernel will constructs struct fs_parameter with null +pointer in vfs_parse_fs_string(), then passes this struct fs_parameter to +hugetlbfs_parse_param(), which triggers the above null-ptr-deref bug. + +This patch solves it by adding sanity check on param->string +in hugetlbfs_parse_param(). 
+ +Link: https://lkml.kernel.org/r/20221020231609.4810-1-yin31149@gmail.com +Reported-by: syzbot+a3e6acd85ded5c16a709@syzkaller.appspotmail.com +Tested-by: syzbot+a3e6acd85ded5c16a709@syzkaller.appspotmail.com + Link: https://lore.kernel.org/all/0000000000005ad00405eb7148c6@google.com/ +Signed-off-by: Hawkins Jiawei +Reviewed-by: Mike Kravetz +Cc: Hawkins Jiawei +Cc: Muchun Song +Cc: Ian Kent +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/hugetlbfs/inode.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c +index 7d039ba5ae28..b1d31c78fc9d 100644 +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -1232,7 +1232,7 @@ static int hugetlbfs_parse_param(struct fs_context *fc, struct fs_parameter *par + + case Opt_size: + /* memparse() will accept a K/M/G without a digit */ +- if (!isdigit(param->string[0])) ++ if (!param->string || !isdigit(param->string[0])) + goto bad_val; + ctx->max_size_opt = memparse(param->string, &rest); + ctx->max_val_type = SIZE_STD; +@@ -1242,7 +1242,7 @@ static int hugetlbfs_parse_param(struct fs_context *fc, struct fs_parameter *par + + case Opt_nr_inodes: + /* memparse() will accept a K/M/G without a digit */ +- if (!isdigit(param->string[0])) ++ if (!param->string || !isdigit(param->string[0])) + goto bad_val; + ctx->nr_inodes = memparse(param->string, &rest); + return 0; +@@ -1258,7 +1258,7 @@ static int hugetlbfs_parse_param(struct fs_context *fc, struct fs_parameter *par + + case Opt_min_size: + /* memparse() will accept a K/M/G without a digit */ +- if (!isdigit(param->string[0])) ++ if (!param->string || !isdigit(param->string[0])) + goto bad_val; + ctx->min_size_opt = memparse(param->string, &rest); + ctx->min_val_type = SIZE_STD; +-- +2.35.1 + diff --git a/queue-5.4/hwrng-amd-fix-pci-device-refcount-leak.patch b/queue-5.4/hwrng-amd-fix-pci-device-refcount-leak.patch new file mode 100644 index 00000000000..6789ad02ae4 --- /dev/null 
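Review bot: the same !param->string test is open-coded in three cases of hugetlbfs_parse_param() (Opt_size, Opt_nr_inodes, Opt_min_size), and the hunks do not show the remaining cases of the switch. Any other option that passes param->string to memparse() or indexes it has the same NULL dereference for an empty value such as the "size=," example in the commit message. A single check before the switch for string-valued options, or a small helper that wraps the NULL test and the isdigit() test, would cover all of them and avoid a fourth copy later.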
+++ b/queue-5.4/hwrng-amd-fix-pci-device-refcount-leak.patch 
@@ -0,0 +1,76 @@ +From 69371169222dabda60b126694bc06bf18efeb596 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 21:22:33 +0800 +Subject: hwrng: amd - Fix PCI device refcount leak + +From: Xiongfeng Wang + +[ Upstream commit ecadb5b0111ea19fc7c240bb25d424a94471eb7d ] + +for_each_pci_dev() is implemented by pci_get_device(). The comment of +pci_get_device() says that it will increase the reference count for the +returned pci_dev and also decrease the reference count for the input +pci_dev @from if it is not NULL. + +If we break for_each_pci_dev() loop with pdev not NULL, we need to call +pci_dev_put() to decrease the reference count. Add the missing +pci_dev_put() for the normal and error path. + +Fixes: 96d63c0297cc ("[PATCH] Add AMD HW RNG driver") +Signed-off-by: Xiongfeng Wang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/amd-rng.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/char/hw_random/amd-rng.c b/drivers/char/hw_random/amd-rng.c +index 9959c762da2f..db3dd467194c 100644 +--- a/drivers/char/hw_random/amd-rng.c ++++ b/drivers/char/hw_random/amd-rng.c +@@ -143,15 +143,19 @@ static int __init mod_init(void) + found: + err = pci_read_config_dword(pdev, 0x58, &pmbase); + if (err) +- return err; ++ goto put_dev; + + pmbase &= 0x0000FF00; +- if (pmbase == 0) +- return -EIO; ++ if (pmbase == 0) { ++ err = -EIO; ++ goto put_dev; ++ } + + priv = kzalloc(sizeof(*priv), GFP_KERNEL); +- if (!priv) +- return -ENOMEM; ++ if (!priv) { ++ err = -ENOMEM; ++ goto put_dev; ++ } + + if (!request_region(pmbase + PMBASE_OFFSET, PMBASE_SIZE, DRV_NAME)) { + dev_err(&pdev->dev, DRV_NAME " region 0x%x already in use!\n", +@@ -185,6 +189,8 @@ static int __init mod_init(void) + release_region(pmbase + PMBASE_OFFSET, PMBASE_SIZE); + out: + kfree(priv); ++put_dev: ++ pci_dev_put(pdev); + return err; + } + +@@ -200,6 +206,8 @@ static void __exit mod_exit(void) + + 
release_region(priv->pmbase + PMBASE_OFFSET, PMBASE_SIZE); + ++ pci_dev_put(priv->pcidev); ++ + kfree(priv); + } + +-- +2.35.1 + diff --git a/queue-5.4/hwrng-geode-fix-pci-device-refcount-leak.patch b/queue-5.4/hwrng-geode-fix-pci-device-refcount-leak.patch new file mode 100644 index 00000000000..683b5042445 --- /dev/null +++ b/queue-5.4/hwrng-geode-fix-pci-device-refcount-leak.patch 
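Review bot: mod_exit() in amd-rng.c now calls pci_dev_put(priv->pcidev), but none of the 13 added lines in this patch assigns priv->pcidev, so the fix depends on mod_init() already storing pdev there in code outside the hunks. If that assignment is missing in the 5.4 tree, the exit path passes a NULL or stale pointer and the reference taken by for_each_pci_dev() is still leaked. Please confirm the assignment exists. The error labels look right: put_dev is placed after kfree(priv), so the branches that fail before the allocation skip the free.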
@@ -0,0 +1,115 @@ +From f73249982aea3f5ea552c985f0f87d5410f6c656 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 21:22:34 +0800 +Subject: hwrng: geode - Fix PCI device refcount leak + +From: Xiongfeng Wang + +[ Upstream commit 9f6ec8dc574efb7f4f3d7ee9cd59ae307e78f445 ] + +for_each_pci_dev() is implemented by pci_get_device(). The comment of +pci_get_device() says that it will increase the reference count for the +returned pci_dev and also decrease the reference count for the input +pci_dev @from if it is not NULL. + +If we break for_each_pci_dev() loop with pdev not NULL, we need to call +pci_dev_put() to decrease the reference count. We add a new struct +'amd_geode_priv' to record pointer of the pci_dev and membase, and then +add missing pci_dev_put() for the normal and error path. + +Fixes: ef5d862734b8 ("[PATCH] Add Geode HW RNG driver") +Signed-off-by: Xiongfeng Wang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/geode-rng.c | 36 +++++++++++++++++++++++------- + 1 file changed, 28 insertions(+), 8 deletions(-) + +diff --git a/drivers/char/hw_random/geode-rng.c b/drivers/char/hw_random/geode-rng.c +index e1d421a36a13..207272979f23 100644 +--- a/drivers/char/hw_random/geode-rng.c ++++ b/drivers/char/hw_random/geode-rng.c +@@ -51,6 +51,10 @@ static const struct pci_device_id pci_tbl[] = { + }; + MODULE_DEVICE_TABLE(pci, pci_tbl); + ++struct amd_geode_priv { ++ struct pci_dev *pcidev; ++ void __iomem *membase; ++}; + + static int geode_rng_data_read(struct hwrng *rng, u32 *data) + { +@@ -90,6 +94,7 @@ static int __init mod_init(void) + const struct pci_device_id *ent; + void __iomem *mem; + unsigned long rng_base; ++ struct amd_geode_priv *priv; + + for_each_pci_dev(pdev) { + ent = pci_match_id(pci_tbl, pdev); +@@ -97,17 +102,26 @@ static int __init mod_init(void) + goto found; + } + /* Device not found. 
*/ +- goto out; ++ return err; + + found: ++ priv = kzalloc(sizeof(*priv), GFP_KERNEL); ++ if (!priv) { ++ err = -ENOMEM; ++ goto put_dev; ++ } ++ + rng_base = pci_resource_start(pdev, 0); + if (rng_base == 0) +- goto out; ++ goto free_priv; + err = -ENOMEM; + mem = ioremap(rng_base, 0x58); + if (!mem) +- goto out; +- geode_rng.priv = (unsigned long)mem; ++ goto free_priv; ++ ++ geode_rng.priv = (unsigned long)priv; ++ priv->membase = mem; ++ priv->pcidev = pdev; + + pr_info("AMD Geode RNG detected\n"); + err = hwrng_register(&geode_rng); +@@ -116,20 +130,26 @@ static int __init mod_init(void) + err); + goto err_unmap; + } +-out: + return err; + + err_unmap: + iounmap(mem); +- goto out; ++free_priv: ++ kfree(priv); ++put_dev: ++ pci_dev_put(pdev); ++ return err; + } + + static void __exit mod_exit(void) + { +- void __iomem *mem = (void __iomem *)geode_rng.priv; ++ struct amd_geode_priv *priv; + ++ priv = (struct amd_geode_priv *)geode_rng.priv; + hwrng_unregister(&geode_rng); +- iounmap(mem); ++ iounmap(priv->membase); ++ pci_dev_put(priv->pcidev); ++ kfree(priv); + } + + module_init(mod_init); +-- +2.35.1 + diff --git a/queue-5.4/i2c-ismt-fix-an-out-of-bounds-bug-in-ismt_access.patch b/queue-5.4/i2c-ismt-fix-an-out-of-bounds-bug-in-ismt_access.patch new file mode 100644 index 00000000000..e8c572044bb --- /dev/null +++ b/queue-5.4/i2c-ismt-fix-an-out-of-bounds-bug-in-ismt_access.patch 
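Review bot: geode_rng.priv changes meaning in mod_init(), from the ioremap()ed register base to a pointer to the new struct amd_geode_priv, but the only reader updated is mod_exit(). The diffstat's 28 insertions are all accounted for by the struct definition, mod_init() and mod_exit(), and geode_rng_data_read() appears only as unchanged context. If the hwrng read and data-present callbacks still cast rng->priv to void __iomem *, they will now perform MMIO reads on the kzalloc()ed struct instead of the device registers. They need to go through priv->membase in the same patch.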
@@ -0,0 +1,54 @@ +From 1aca57a6cb17615d3fceda83d6b1576d154e9bd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jul 2022 19:02:16 +0800 +Subject: i2c: ismt: Fix an out-of-bounds bug in ismt_access() + +From: Zheyu Ma + +[ Upstream commit 39244cc754829bf707dccd12e2ce37510f5b1f8d ] + +When the driver does not check the data from the user, the variable +'data->block[0]' may be very large to cause an out-of-bounds bug. + +The following log can reveal it: + +[ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20 +[ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE +[ 33.996475] ================================================================== +[ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b +[ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485 +[ 33.999450] Call Trace: +[ 34.001849] memcpy+0x20/0x60 +[ 34.002077] ismt_access.cold+0x374/0x214b +[ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0 +[ 34.004007] i2c_smbus_xfer+0x10a/0x390 +[ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710 +[ 34.005196] i2cdev_ioctl+0x5ec/0x74c + +Fix this bug by checking the size of 'data->block[0]' first. 
+ +Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller") +Signed-off-by: Zheyu Ma +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-ismt.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/i2c/busses/i2c-ismt.c b/drivers/i2c/busses/i2c-ismt.c +index 53325419ec13..e69f79246606 100644 +--- a/drivers/i2c/busses/i2c-ismt.c ++++ b/drivers/i2c/busses/i2c-ismt.c +@@ -506,6 +506,9 @@ static int ismt_access(struct i2c_adapter *adap, u16 addr, + if (read_write == I2C_SMBUS_WRITE) { + /* Block Write */ + dev_dbg(dev, "I2C_SMBUS_BLOCK_DATA: WRITE\n"); ++ if (data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX) ++ return -EINVAL; ++ + dma_size = data->block[0] + 1; + dma_direction = DMA_TO_DEVICE; + desc->wr_len_cmd = dma_size; +-- +2.35.1 + diff --git a/queue-5.4/i2c-mux-reg-check-return-value-after-calling-platfor.patch b/queue-5.4/i2c-mux-reg-check-return-value-after-calling-platfor.patch new file mode 100644 index 00000000000..c6c863fe99a --- /dev/null +++ b/queue-5.4/i2c-mux-reg-check-return-value-after-calling-platfor.patch 
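Review bot: the new range check on data->block[0] is placed only in the write branch of the I2C_SMBUS_BLOCK_DATA case in ismt_access(). data->block[0] is a caller-supplied length (the trace in the commit message comes in through i2cdev_ioctl_smbus()), so every other case in this function that derives dma_size or a copy length from it needs the same bound against I2C_SMBUS_BLOCK_MAX; the hunk does not show them. Validating once at the top of the block-transfer handling, before the read/write split, would cover those paths with one check.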
@@ -0,0 +1,46 @@ +From 6430aef7b949ffc4d4ea5577782b90ad33c63dad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Oct 2022 17:38:25 +0800 +Subject: i2c: mux: reg: check return value after calling + platform_get_resource() + +From: Yang Yingliang + +[ Upstream commit 2d47b79d2bd39cc6369eccf94a06568d84c906ae ] + +It will cause null-ptr-deref in resource_size(), if platform_get_resource() +returns NULL, move calling resource_size() after devm_ioremap_resource() that +will check 'res' to avoid null-ptr-deref. +And use devm_platform_get_and_ioremap_resource() to simplify code. + +Fixes: b3fdd32799d8 ("i2c: mux: Add register-based mux i2c-mux-reg") +Signed-off-by: Yang Yingliang +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/muxes/i2c-mux-reg.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/i2c/muxes/i2c-mux-reg.c b/drivers/i2c/muxes/i2c-mux-reg.c +index b59a62f8d7a6..ac7971c776fa 100644 +--- a/drivers/i2c/muxes/i2c-mux-reg.c ++++ b/drivers/i2c/muxes/i2c-mux-reg.c +@@ -187,13 +187,12 @@ static int i2c_mux_reg_probe(struct platform_device *pdev) + if (!mux->data.reg) { + dev_info(&pdev->dev, + "Register not set, using platform resource\n"); +- res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- mux->data.reg_size = resource_size(res); +- mux->data.reg = devm_ioremap_resource(&pdev->dev, res); ++ mux->data.reg = devm_platform_get_and_ioremap_resource(pdev, 0, &res); + if (IS_ERR(mux->data.reg)) { + ret = PTR_ERR(mux->data.reg); + goto err_put_parent; + } ++ mux->data.reg_size = resource_size(res); + } + + if (mux->data.reg_size != 4 && mux->data.reg_size != 2 && +-- +2.35.1 + diff --git a/queue-5.4/i2c-pxa-pci-fix-missing-pci_disable_device-on-error-.patch b/queue-5.4/i2c-pxa-pci-fix-missing-pci_disable_device-on-error-.patch new file mode 100644 index 00000000000..fe889dd3278 --- /dev/null +++ b/queue-5.4/i2c-pxa-pci-fix-missing-pci_disable_device-on-error-.patch 
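Review bot: the replacement call devm_platform_get_and_ioremap_resource() in i2c_mux_reg_probe() has to exist in the tree this queue targets; it is a newer helper than platform_get_resource() plus devm_ioremap_resource(), so for 5.4 either its introducing commit must be queued ahead of this patch or the backport should keep the two original calls and only move the resource_size(res) line below the IS_ERR() check. The reordering itself is the actual fix and is correct: res is only dereferenced after the mapping call has rejected a NULL resource.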
@@ -0,0 +1,58 @@ +From e0b045aaab423335035285b11ca9243ea2048476 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 17:25:40 +0800 +Subject: i2c: pxa-pci: fix missing pci_disable_device() on error in + ce4100_i2c_probe + +From: Hui Tang + +[ Upstream commit d78a167332e1ca8113268ed922c1212fd71b73ad ] + +Using pcim_enable_device() to avoid missing pci_disable_device(). + +Fixes: 7e94dd154e93 ("i2c-pxa2xx: Add PCI support for PXA I2C controller") +Signed-off-by: Hui Tang +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-pxa-pci.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-pxa-pci.c b/drivers/i2c/busses/i2c-pxa-pci.c +index f614cade432b..30e38bc8b6db 100644 +--- a/drivers/i2c/busses/i2c-pxa-pci.c ++++ b/drivers/i2c/busses/i2c-pxa-pci.c +@@ -105,7 +105,7 @@ static int ce4100_i2c_probe(struct pci_dev *dev, + int i; + struct ce4100_devices *sds; + +- ret = pci_enable_device_mem(dev); ++ ret = pcim_enable_device(dev); + if (ret) + return ret; + +@@ -114,10 +114,8 @@ static int ce4100_i2c_probe(struct pci_dev *dev, + return -EINVAL; + } + sds = kzalloc(sizeof(*sds), GFP_KERNEL); +- if (!sds) { +- ret = -ENOMEM; +- goto err_mem; +- } ++ if (!sds) ++ return -ENOMEM; + + for (i = 0; i < ARRAY_SIZE(sds->pdev); i++) { + sds->pdev[i] = add_i2c_device(dev, i); +@@ -133,8 +131,6 @@ static int ce4100_i2c_probe(struct pci_dev *dev, + + err_dev_add: + kfree(sds); +-err_mem: +- pci_disable_device(dev); + return ret; + } + +-- +2.35.1 + diff --git a/queue-5.4/ib-ipoib-fix-queue-count-inconsistency-for-pkey-chil.patch b/queue-5.4/ib-ipoib-fix-queue-count-inconsistency-for-pkey-chil.patch new file mode 100644 index 00000000000..148e80c6067 --- /dev/null +++ b/queue-5.4/ib-ipoib-fix-queue-count-inconsistency-for-pkey-chil.patch 
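Review bot: pcim_enable_device() in ce4100_i2c_probe() is not a like-for-like replacement for pci_enable_device_mem(), since the original call enabled memory resources only, and the commit message does not mention that change. The diffstat (3 insertions, 7 deletions) is fully covered by the probe hunks, so the remove callback is untouched; if it calls pci_disable_device(), that call is now redundant with the devres release and should be dropped in the same patch. The managed enable does fix the return -EINVAL branch visible between the hunks, which previously left the device enabled.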
@@ -0,0 +1,61 @@ +From 15e068301b354f8f6c54b3694ffc9ee26e5a55a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 09:52:54 +0200 +Subject: IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces + +From: Dragos Tatulea + +[ Upstream commit dbc94a0fb81771a38733c0e8f2ea8c4fa6934dc1 ] + +There are 2 ways to create IPoIB PKEY child interfaces: +1) Writing a PKEY to /sys/class/net//create_child. +2) Using netlink with iproute. + +While with sysfs the child interface has the same number of tx and +rx queues as the parent, with netlink there will always be 1 tx +and 1 rx queue for the child interface. That's because the +get_num_tx/rx_queues() netlink ops are missing and the default value +of 1 is taken for the number of queues (in rtnl_create_link()). + +This change adds the get_num_tx/rx_queues() ops which allows for +interfaces with multiple queues to be created over netlink. This +constant only represents the max number of tx and rx queues on that +net device. + +Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support") +Signed-off-by: Dragos Tatulea +Link: https://lore.kernel.org/r/f4a42c8aa43c02d5ae5559a60c3e5e0f18c82531.1670485816.git.leonro@nvidia.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib_netlink.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c +index 5b05cf3837da..28e9b70844e4 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c +@@ -42,6 +42,11 @@ static const struct nla_policy ipoib_policy[IFLA_IPOIB_MAX + 1] = { + [IFLA_IPOIB_UMCAST] = { .type = NLA_U16 }, + }; + ++static unsigned int ipoib_get_max_num_queues(void) ++{ ++ return min_t(unsigned int, num_possible_cpus(), 128); ++} ++ + static int ipoib_fill_info(struct sk_buff *skb, const struct net_device *dev) + { + struct ipoib_dev_priv *priv = 
ipoib_priv(dev); +@@ -173,6 +178,8 @@ static struct rtnl_link_ops ipoib_link_ops __read_mostly = { + .changelink = ipoib_changelink, + .get_size = ipoib_get_size, + .fill_info = ipoib_fill_info, ++ .get_num_rx_queues = ipoib_get_max_num_queues, ++ .get_num_tx_queues = ipoib_get_max_num_queues, + }; + + struct rtnl_link_ops *ipoib_get_link_ops(void) +-- +2.35.1 + diff --git a/queue-5.4/igb-do-not-free-q_vector-unless-new-one-was-allocate.patch b/queue-5.4/igb-do-not-free-q_vector-unless-new-one-was-allocate.patch new file mode 100644 index 00000000000..d65a73e9cfc --- /dev/null +++ b/queue-5.4/igb-do-not-free-q_vector-unless-new-one-was-allocate.patch 
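Review bot: ipoib_get_max_num_queues() hard-codes 128 as the cap with no name or comment, and the commit message's sentence about "this constant" has no constant to point at. If the parent device or the sysfs create_child path derives its queue count from a different limit, the two ways of creating a child interface can still disagree, which is the inconsistency this patch is meant to remove. Using a named macro shared with the code that sizes the parent's queues, plus a comment that the value is an upper bound rather than the number actually used, would address both.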
@@ -0,0 +1,53 @@ +From 7d7bf52d32c68027dc4837240d879deacd146632 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 02:25:24 -0700 +Subject: igb: Do not free q_vector unless new one was allocated + +From: Kees Cook + +[ Upstream commit 0668716506ca66f90d395f36ccdaebc3e0e84801 ] + +Avoid potential use-after-free condition under memory pressure. If the +kzalloc() fails, q_vector will be freed but left in the original +adapter->q_vector[v_idx] array position. + +Cc: Jesse Brandeburg +Cc: Tony Nguyen +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: intel-wired-lan@lists.osuosl.org +Cc: netdev@vger.kernel.org +Signed-off-by: Kees Cook +Reviewed-by: Michael J. Ruhl +Reviewed-by: Jacob Keller +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 37f174b41df3..10b16c292541 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -1213,8 +1213,12 @@ static int igb_alloc_q_vector(struct igb_adapter *adapter, + if (!q_vector) { + q_vector = kzalloc(size, GFP_KERNEL); + } else if (size > ksize(q_vector)) { +- kfree_rcu(q_vector, rcu); +- q_vector = kzalloc(size, GFP_KERNEL); ++ struct igb_q_vector *new_q_vector; ++ ++ new_q_vector = kzalloc(size, GFP_KERNEL); ++ if (new_q_vector) ++ kfree_rcu(q_vector, rcu); ++ q_vector = new_q_vector; + } else { + memset(q_vector, 0, size); + } +-- +2.35.1 + diff --git a/queue-5.4/ima-fix-fall-through-warnings-for-clang.patch b/queue-5.4/ima-fix-fall-through-warnings-for-clang.patch new file mode 100644 index 00000000000..1d77fbc1788 --- /dev/null +++ b/queue-5.4/ima-fix-fall-through-warnings-for-clang.patch 
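Review bot: in the "size > ksize(q_vector)" branch of igb_alloc_q_vector(), q_vector becomes NULL when kzalloc() fails while the old vector deliberately stays in adapter->q_vector[v_idx]; that ownership rule is explained only in the commit message. A short comment above "if (new_q_vector)" saying the old vector is released only once its replacement exists would keep a later cleanup from folding the two kzalloc() paths back together and reintroducing the use-after-free.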
@@ -0,0 +1,58 @@ +From dc99bac1323753dd7ba0575f2b0b654400b9d5e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Nov 2020 12:25:46 -0600 +Subject: ima: Fix fall-through warnings for Clang + +From: Gustavo A. R. Silva + +[ Upstream commit 28073eb09c5aa29e879490edb88cfd3e7073821e ] + +In preparation to enable -Wimplicit-fallthrough for Clang, fix multiple +warnings by explicitly adding multiple break statements instead of just +letting the code fall through to the next case. + +Link: https://github.com/KSPP/linux/issues/115 +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Mimi Zohar +Stable-dep-of: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_main.c | 1 + + security/integrity/ima/ima_policy.c | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c +index a768f37a0a4d..ce9d594ddbcd 100644 +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -615,6 +615,7 @@ int ima_load_data(enum kernel_load_data_id id) + pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n"); + return -EACCES; /* INTEGRITY_UNKNOWN */ + } ++ break; + default: + break; + } +diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c +index 6cd2f663643c..7f352e85ffad 100644 +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -434,6 +434,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, + rc = ima_filter_rule_match(secid, rule->lsm[i].type, + Audit_equal, + rule->lsm[i].rule); ++ break; + default: + break; + } +@@ -666,6 +667,7 @@ void __init ima_init_policy(void) + add_rules(default_measurement_rules, + ARRAY_SIZE(default_measurement_rules), + IMA_DEFAULT_POLICY); ++ break; + default: + break; + } +-- +2.35.1 + 
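Review bot: all three added break statements (in ima_load_data(), ima_match_rules() and ima_init_policy()) sit directly in front of a "default: break;" arm, so the patch should not change behaviour, yet the commit message never says so. Since this is queued only as a Stable-dep-of for c7423dbdbc9e, state explicitly that it is a no-op apart from the warning, so a stable reviewer knows there is nothing to test beyond the build.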
diff --git a/queue-5.4/ima-fix-misuse-of-dereference-of-pointer-in-template.patch b/queue-5.4/ima-fix-misuse-of-dereference-of-pointer-in-template.patch new file mode 100644 index 00000000000..75da877c1b7 --- /dev/null +++ b/queue-5.4/ima-fix-misuse-of-dereference-of-pointer-in-template.patch @@ -0,0 +1,47 @@ +From c38d40a9bce12e14d47446ec1785b8e85f843dad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Nov 2022 17:27:19 +0800 +Subject: ima: Fix misuse of dereference of pointer in + template_desc_init_fields() + +From: Xiu Jianfeng + +[ Upstream commit 25369175ce84813dd99d6604e710dc2491f68523 ] + +The input parameter @fields is type of struct ima_template_field ***, so +when allocates array memory for @fields, the size of element should be +sizeof(**field) instead of sizeof(*field). + +Actually the original code would not cause any runtime error, but it's +better to make it logically right. + +Fixes: adf53a778a0a ("ima: new templates management mechanism") +Signed-off-by: Xiu Jianfeng +Reviewed-by: Roberto Sassu +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_template.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c +index 2283051d063b..7721909b2615 100644 +--- a/security/integrity/ima/ima_template.c ++++ b/security/integrity/ima/ima_template.c +@@ -222,11 +222,11 @@ int template_desc_init_fields(const char *template_fmt, + } + + if (fields && num_fields) { +- *fields = kmalloc_array(i, sizeof(*fields), GFP_KERNEL); ++ *fields = kmalloc_array(i, sizeof(**fields), GFP_KERNEL); + if (*fields == NULL) + return -ENOMEM; + +- memcpy(*fields, found_fields, i * sizeof(*fields)); ++ memcpy(*fields, found_fields, i * sizeof(**fields)); + *num_fields = i; + } + +-- +2.35.1 + 
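Review bot: the commit message writes sizeof(**field) and sizeof(*field) while the parameter in template_desc_init_fields() is named fields; please make the text match the hunk. In the code, the element size is now spelled out twice, once in kmalloc_array() and once in the memcpy() length, and the message itself says the old and new expressions behave the same at run time, so nothing catches the two drifting apart. Consider computing the byte count once and using it for both calls.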
diff --git a/queue-5.4/ima-handle-estale-returned-by-ima_filter_rule_match.patch b/queue-5.4/ima-handle-estale-returned-by-ima_filter_rule_match.patch new file mode 100644 index 00000000000..d599c7e063a --- /dev/null +++ b/queue-5.4/ima-handle-estale-returned-by-ima_filter_rule_match.patch 
@@ -0,0 +1,114 @@ +From b13ae4b7731068214157b489bb6b76895f8d0883 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 20:58:04 +0800 +Subject: ima: Handle -ESTALE returned by ima_filter_rule_match() + +From: GUO Zihua + +[ Upstream commit c7423dbdbc9ecef7fff5239d144cad4b9887f4de ] + +IMA relies on the blocking LSM policy notifier callback to update the +LSM based IMA policy rules. + +When SELinux update its policies, IMA would be notified and starts +updating all its lsm rules one-by-one. During this time, -ESTALE would +be returned by ima_filter_rule_match() if it is called with a LSM rule +that has not yet been updated. In ima_match_rules(), -ESTALE is not +handled, and the LSM rule is considered a match, causing extra files +to be measured by IMA. + +Fix it by re-initializing a temporary rule if -ESTALE is returned by +ima_filter_rule_match(). The origin rule in the rule list would be +updated by the LSM policy notifier callback. + +Fixes: b16942455193 ("ima: use the lsm policy update notifier") +Signed-off-by: GUO Zihua +Reviewed-by: Roberto Sassu +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_policy.c | 41 ++++++++++++++++++++++------- + 1 file changed, 32 insertions(+), 9 deletions(-) + +diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c +index 7f352e85ffad..6df0436462ab 100644 +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -370,6 +370,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, + enum ima_hooks func, int mask) + { + int i; ++ bool result = false; ++ struct ima_rule_entry *lsm_rule = rule; ++ bool rule_reinitialized = false; + + if (func == KEXEC_CMDLINE) { + if ((rule->flags & IMA_FUNC) && (rule->func == func)) +@@ -413,35 +416,55 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, + int rc = 0; + u32 osid; + +- if (!rule->lsm[i].rule) { +- if 
(!rule->lsm[i].args_p) ++ if (!lsm_rule->lsm[i].rule) { ++ if (!lsm_rule->lsm[i].args_p) + continue; + else + return false; + } ++ ++retry: + switch (i) { + case LSM_OBJ_USER: + case LSM_OBJ_ROLE: + case LSM_OBJ_TYPE: + security_inode_getsecid(inode, &osid); +- rc = ima_filter_rule_match(osid, rule->lsm[i].type, ++ rc = ima_filter_rule_match(osid, lsm_rule->lsm[i].type, + Audit_equal, +- rule->lsm[i].rule); ++ lsm_rule->lsm[i].rule); + break; + case LSM_SUBJ_USER: + case LSM_SUBJ_ROLE: + case LSM_SUBJ_TYPE: +- rc = ima_filter_rule_match(secid, rule->lsm[i].type, ++ rc = ima_filter_rule_match(secid, lsm_rule->lsm[i].type, + Audit_equal, +- rule->lsm[i].rule); ++ lsm_rule->lsm[i].rule); + break; + default: + break; + } +- if (!rc) +- return false; ++ ++ if (rc == -ESTALE && !rule_reinitialized) { ++ lsm_rule = ima_lsm_copy_rule(rule); ++ if (lsm_rule) { ++ rule_reinitialized = true; ++ goto retry; ++ } ++ } ++ if (!rc) { ++ result = false; ++ goto out; ++ } + } +- return true; ++ result = true; ++ ++out: ++ if (rule_reinitialized) { ++ for (i = 0; i < MAX_LSM_RULES; i++) ++ ima_filter_rule_free(lsm_rule->lsm[i].rule); ++ kfree(lsm_rule); ++ } ++ return result; + } + + /* +-- +2.35.1 + diff --git a/queue-5.4/ima-rename-internal-filter-rule-functions.patch b/queue-5.4/ima-rename-internal-filter-rule-functions.patch new file mode 100644 index 00000000000..3cbbc031db0 --- /dev/null +++ b/queue-5.4/ima-rename-internal-filter-rule-functions.patch 
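Review bot: in the second ima_match_rules() hunk of the -ESTALE patch, a failed ima_lsm_copy_rule() leaves lsm_rule set to NULL. Control then falls past "if (!rc)" with rc still -ESTALE, and the next loop iteration evaluates "lsm_rule->lsm[i].rule" through that NULL pointer. Assign the copy to a temporary and switch lsm_rule over only on success, or leave the loop with a defined result when the copy fails. Two smaller points at the same place: an -ESTALE that persists after the single retry is still treated as a match, which is the behaviour the commit message sets out to remove, and the cleanup under "out:" frees only lsm[i].rule and the entry, whereas ima_lsm_free_rule() in this file also frees lsm[i].args_p, so please confirm the copy does not own args_p in the 5.4 tree.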
@@ -0,0 +1,131 @@ +From f554f87e3c35625773410a2bc08e61339a938b3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 15:37:50 -0500 +Subject: ima: Rename internal filter rule functions + +From: Tyler Hicks + +[ Upstream commit b8867eedcf76caef8ae6412da97cd9abfd092ff8 ] + +Rename IMA's internal filter rule functions from security_filter_rule_*() +to ima_filter_rule_*(). This avoids polluting the security_* namespace, +which is typically reserved for general security subsystem +infrastructure. + +Signed-off-by: Tyler Hicks +Suggested-by: Casey Schaufler +[zohar@linux.ibm.com: reword using the term "filter", not "audit"] +Signed-off-by: Mimi Zohar +Stable-dep-of: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima.h | 16 +++++++-------- + security/integrity/ima/ima_policy.c | 30 +++++++++++++---------------- + 2 files changed, 21 insertions(+), 25 deletions(-) + +diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h +index 5fae6cfe8d91..146154e333e6 100644 +--- a/security/integrity/ima/ima.h ++++ b/security/integrity/ima/ima.h +@@ -361,24 +361,24 @@ static inline void ima_free_modsig(struct modsig *modsig) + /* LSM based policy rules require audit */ + #ifdef CONFIG_IMA_LSM_RULES + +-#define security_filter_rule_init security_audit_rule_init +-#define security_filter_rule_free security_audit_rule_free +-#define security_filter_rule_match security_audit_rule_match ++#define ima_filter_rule_init security_audit_rule_init ++#define ima_filter_rule_free security_audit_rule_free ++#define ima_filter_rule_match security_audit_rule_match + + #else + +-static inline int security_filter_rule_init(u32 field, u32 op, char *rulestr, +- void **lsmrule) ++static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, ++ void **lsmrule) + { + return -EINVAL; + } + +-static inline void security_filter_rule_free(void *lsmrule) ++static inline void 
ima_filter_rule_free(void *lsmrule) + { + } + +-static inline int security_filter_rule_match(u32 secid, u32 field, u32 op, +- void *lsmrule) ++static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, ++ void *lsmrule) + { + return -EINVAL; + } +diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c +index 14aef74d3588..6cd2f663643c 100644 +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -254,7 +254,7 @@ static void ima_lsm_free_rule(struct ima_rule_entry *entry) + int i; + + for (i = 0; i < MAX_LSM_RULES; i++) { +- security_filter_rule_free(entry->lsm[i].rule); ++ ima_filter_rule_free(entry->lsm[i].rule); + kfree(entry->lsm[i].args_p); + } + kfree(entry); +@@ -286,10 +286,9 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) + if (!nentry->lsm[i].args_p) + goto out_err; + +- security_filter_rule_init(nentry->lsm[i].type, +- Audit_equal, +- nentry->lsm[i].args_p, +- &nentry->lsm[i].rule); ++ ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, ++ nentry->lsm[i].args_p, ++ &nentry->lsm[i].rule); + if (!nentry->lsm[i].rule) + pr_warn("rule for LSM \'%s\' is undefined\n", + (char *)entry->lsm[i].args_p); +@@ -425,18 +424,16 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, + case LSM_OBJ_ROLE: + case LSM_OBJ_TYPE: + security_inode_getsecid(inode, &osid); +- rc = security_filter_rule_match(osid, +- rule->lsm[i].type, +- Audit_equal, +- rule->lsm[i].rule); ++ rc = ima_filter_rule_match(osid, rule->lsm[i].type, ++ Audit_equal, ++ rule->lsm[i].rule); + break; + case LSM_SUBJ_USER: + case LSM_SUBJ_ROLE: + case LSM_SUBJ_TYPE: +- rc = security_filter_rule_match(secid, +- rule->lsm[i].type, +- Audit_equal, +- rule->lsm[i].rule); ++ rc = ima_filter_rule_match(secid, rule->lsm[i].type, ++ Audit_equal, ++ rule->lsm[i].rule); + default: + break; + } +@@ -821,10 +818,9 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, + 
return -ENOMEM; + + entry->lsm[lsm_rule].type = audit_type; +- result = security_filter_rule_init(entry->lsm[lsm_rule].type, +- Audit_equal, +- entry->lsm[lsm_rule].args_p, +- &entry->lsm[lsm_rule].rule); ++ result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, ++ entry->lsm[lsm_rule].args_p, ++ &entry->lsm[lsm_rule].rule); + if (!entry->lsm[lsm_rule].rule) { + pr_warn("rule for LSM \'%s\' is undefined\n", + (char *)entry->lsm[lsm_rule].args_p); +-- +2.35.1 + diff --git a/queue-5.4/include-uapi-linux-swab-fix-potentially-missing-__al.patch b/queue-5.4/include-uapi-linux-swab-fix-potentially-missing-__al.patch new file mode 100644 index 00000000000..d7a2b7ba39b --- /dev/null +++ b/queue-5.4/include-uapi-linux-swab-fix-potentially-missing-__al.patch 
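Review bot: in the ima_lsm_copy_rule() hunk of the rename patch, the reflowed ima_filter_rule_init() call still discards its return value and relies on nentry->lsm[i].rule staying NULL, while ima_lsm_rule_init() stores the same call in "result". Since these lines are being touched anyway, add a comment in ima_lsm_copy_rule() saying the error is ignored on purpose; otherwise the two call sites look inconsistent to the next reader.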
@@ -0,0 +1,64 @@ +From cdf1a0a4f102c2107ee24d4811af2deda35a7181 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 14:52:56 -0700 +Subject: include/uapi/linux/swab: Fix potentially missing __always_inline +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matt Redfearn + +[ Upstream commit defbab270d45e32b068e7e73c3567232d745c60f ] + +Commit bc27fb68aaad ("include/uapi/linux/byteorder, swab: force inlining +of some byteswap operations") added __always_inline to swab functions +and commit 283d75737837 ("uapi/linux/stddef.h: Provide __always_inline to +userspace headers") added a definition of __always_inline for use in +exported headers when the kernel's compiler.h is not available. + +However, since swab.h does not include stddef.h, if the header soup does +not indirectly include it, the definition of __always_inline is missing, +resulting in a compilation failure, which was observed compiling the +perf tool using exported headers containing this commit: + +In file included from /usr/include/linux/byteorder/little_endian.h:12:0, + from /usr/include/asm/byteorder.h:14, + from tools/include/uapi/linux/perf_event.h:20, + from perf.h:8, + from builtin-bench.c:18: +/usr/include/linux/swab.h:160:8: error: unknown type name `__always_inline' + static __always_inline __u16 __swab16p(const __u16 *p) + +Fix this by replacing the inclusion of linux/compiler.h with +linux/stddef.h to ensure that we pick up that definition if required, +without relying on it's indirect inclusion. compiler.h is then included +indirectly, via stddef.h. 
+ +Fixes: 283d75737837 ("uapi/linux/stddef.h: Provide __always_inline to userspace headers") +Signed-off-by: Matt Redfearn +Signed-off-by: Florian Fainelli +Signed-off-by: Arnd Bergmann +Tested-by: Nathan Chancellor +Reviewed-by: Petr Vaněk +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + include/uapi/linux/swab.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/swab.h b/include/uapi/linux/swab.h +index 7272f85d6d6a..3736f2fe1541 100644 +--- a/include/uapi/linux/swab.h ++++ b/include/uapi/linux/swab.h +@@ -3,7 +3,7 @@ + #define _UAPI_LINUX_SWAB_H + + #include +-#include ++#include + #include + #include + +-- +2.35.1 + diff --git a/queue-5.4/input-elants_i2c-properly-handle-the-reset-gpio-when.patch b/queue-5.4/input-elants_i2c-properly-handle-the-reset-gpio-when.patch new file mode 100644 index 00000000000..1416744319d --- /dev/null +++ b/queue-5.4/input-elants_i2c-properly-handle-the-reset-gpio-when.patch 
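Review bot: the swapped include in include/uapi/linux/swab.h carries no hint of why stddef.h is needed there. Add a trailing comment on that line naming __always_inline, so that a later include cleanup does not drop it and bring back the "unknown type name" build failure quoted in the commit message.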
@@ -0,0 +1,90 @@ +From ac7d820d4bfe486403afbadbdcd3c4449f593ecc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 21:49:19 -0800 +Subject: Input: elants_i2c - properly handle the reset GPIO when power is off + +From: Douglas Anderson + +[ Upstream commit a85fbd6498441694475716a4d5c65f9d3e073faf ] + +As can be seen in elants_i2c_power_off(), we want the reset GPIO +asserted when power is off. The reset GPIO is active low so we need +the reset line logic low when power is off to avoid leakage. + +We have a problem, though, at probe time. At probe time we haven't +powered the regulators on yet but we have: + + devm_gpiod_get(&client->dev, "reset", GPIOD_OUT_LOW); + +While that _looks_ right, it turns out that it's not. The +GPIOD_OUT_LOW doesn't mean to init the GPIO to low. It means init the +GPIO to "not asserted". Since this is an active low GPIO that inits it +to be high. + +Let's fix this to properly init the GPIO. Now after both probe and +power off the state of the GPIO is consistent (it's "asserted" or +level low). + +Once we fix this, we can see that at power on time we no longer to +assert the reset GPIO as the first thing. The reset GPIO is _always_ +asserted before powering on. Let's fix powering on to account for +this. 
+ +Fixes: afe10358e47a ("Input: elants_i2c - wire up regulator support") +Signed-off-by: Douglas Anderson +Link: https://lore.kernel.org/r/20221117123805.1.I9959ac561dd6e1e8e1ce7085e4de6167b27c574f@changeid +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/elants_i2c.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/input/touchscreen/elants_i2c.c b/drivers/input/touchscreen/elants_i2c.c +index a51e7c85f581..4022816a4736 100644 +--- a/drivers/input/touchscreen/elants_i2c.c ++++ b/drivers/input/touchscreen/elants_i2c.c +@@ -1078,14 +1078,12 @@ static int elants_i2c_power_on(struct elants_data *ts) + if (IS_ERR_OR_NULL(ts->reset_gpio)) + return 0; + +- gpiod_set_value_cansleep(ts->reset_gpio, 1); +- + error = regulator_enable(ts->vcc33); + if (error) { + dev_err(&ts->client->dev, + "failed to enable vcc33 regulator: %d\n", + error); +- goto release_reset_gpio; ++ return error; + } + + error = regulator_enable(ts->vccio); +@@ -1094,7 +1092,7 @@ static int elants_i2c_power_on(struct elants_data *ts) + "failed to enable vccio regulator: %d\n", + error); + regulator_disable(ts->vcc33); +- goto release_reset_gpio; ++ return error; + } + + /* +@@ -1103,7 +1101,6 @@ static int elants_i2c_power_on(struct elants_data *ts) + */ + udelay(ELAN_POWERON_DELAY_USEC); + +-release_reset_gpio: + gpiod_set_value_cansleep(ts->reset_gpio, 0); + if (error) + return error; +@@ -1211,7 +1208,7 @@ static int elants_i2c_probe(struct i2c_client *client, + return error; + } + +- ts->reset_gpio = devm_gpiod_get(&client->dev, "reset", GPIOD_OUT_LOW); ++ ts->reset_gpio = devm_gpiod_get(&client->dev, "reset", GPIOD_OUT_HIGH); + if (IS_ERR(ts->reset_gpio)) { + error = PTR_ERR(ts->reset_gpio); + +-- +2.35.1 + diff --git a/queue-5.4/integrity-fix-memory-leakage-in-keyring-allocation-e.patch b/queue-5.4/integrity-fix-memory-leakage-in-keyring-allocation-e.patch new file mode 100644 index 00000000000..d69b726a037 
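Review bot: in elants_i2c_power_on(), once both regulator_enable() failures return directly and the release_reset_gpio label is gone, the "if (error) return error;" left in the trailing context after gpiod_set_value_cansleep(ts->reset_gpio, 0) can no longer be true; drop it in the same patch. In elants_i2c_probe(), GPIOD_OUT_HIGH reads as the wrong level for an active-low reset unless the reader knows the flag is logical, so a one-line comment saying it requests the line asserted (physically low) while power is off would carry the commit message's explanation into the code.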
--- /dev/null +++ b/queue-5.4/integrity-fix-memory-leakage-in-keyring-allocation-e.patch @@ -0,0 +1,47 @@ +From e6f5d606b8e369beb7b4b47548f0b312dff12daf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 18:13:17 +0800 +Subject: integrity: Fix memory leakage in keyring allocation error path + +From: GUO Zihua + +[ Upstream commit 39419ef7af0916cc3620ecf1ed42d29659109bf3 ] + +Key restriction is allocated in integrity_init_keyring(). However, if +keyring allocation failed, it is not freed, causing memory leaks. + +Fixes: 2b6aa412ff23 ("KEYS: Use structure to capture key restriction function and data") +Signed-off-by: GUO Zihua +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/digsig.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c +index ea1aae3d07b3..12bae4714211 100644 +--- a/security/integrity/digsig.c ++++ b/security/integrity/digsig.c +@@ -121,6 +121,7 @@ int __init integrity_init_keyring(const unsigned int id) + { + struct key_restriction *restriction; + key_perm_t perm; ++ int ret; + + perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW + | KEY_USR_READ | KEY_USR_SEARCH; +@@ -141,7 +142,10 @@ int __init integrity_init_keyring(const unsigned int id) + perm |= KEY_USR_WRITE; + + out: +- return __integrity_init_keyring(id, perm, restriction); ++ ret = __integrity_init_keyring(id, perm, restriction); ++ if (ret) ++ kfree(restriction); ++ return ret; + } + + int __init integrity_add_key(const unsigned int id, const void *data, +-- +2.35.1 + diff --git a/queue-5.4/iommu-amd-fix-pci-device-refcount-leak-in-ppr_notifi.patch b/queue-5.4/iommu-amd-fix-pci-device-refcount-leak-in-ppr_notifi.patch new file mode 100644 index 00000000000..ed11549d046 --- /dev/null +++ b/queue-5.4/iommu-amd-fix-pci-device-refcount-leak-in-ppr_notifi.patch 
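Review bot: in integrity_init_keyring() (digsig.c), kfree(restriction) after a failed __integrity_init_keyring() makes the caller responsible for memory whose hand-over happens inside the callee, and nothing at the call site says so. Add a comment that the keyring takes ownership of restriction only on success, and confirm that every path reaching "out:" has restriction either allocated or NULL, since the declaration shown in the first hunk has no initialiser.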
@@ -0,0 +1,39 @@ +From 41849c9329c79e319bf5e3310c0ae8714423b8ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 17:36:04 +0800 +Subject: iommu/amd: Fix pci device refcount leak in ppr_notifier() + +From: Yang Yingliang + +[ Upstream commit 6cf0981c2233f97d56938d9d61845383d6eb227c ] + +As comment of pci_get_domain_bus_and_slot() says, it returns +a pci device with refcount increment, when finish using it, +the caller must decrement the reference count by calling +pci_dev_put(). So call it before returning from ppr_notifier() +to avoid refcount leak. + +Fixes: daae2d25a477 ("iommu/amd: Don't copy GCR3 table root pointer") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221118093604.216371-1-yangyingliang@huawei.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu_v2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/iommu/amd_iommu_v2.c b/drivers/iommu/amd_iommu_v2.c +index 05f3d93cf480..db391dd779c0 100644 +--- a/drivers/iommu/amd_iommu_v2.c ++++ b/drivers/iommu/amd_iommu_v2.c +@@ -591,6 +591,7 @@ static int ppr_notifier(struct notifier_block *nb, unsigned long e, void *data) + put_device_state(dev_state); + + out: ++ pci_dev_put(pdev); + return ret; + } + +-- +2.35.1 + diff --git a/queue-5.4/iommu-fsl_pamu-fix-resource-leak-in-fsl_pamu_probe.patch b/queue-5.4/iommu-fsl_pamu-fix-resource-leak-in-fsl_pamu_probe.patch new file mode 100644 index 00000000000..68f74381b12 --- /dev/null +++ b/queue-5.4/iommu-fsl_pamu-fix-resource-leak-in-fsl_pamu_probe.patch 
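Review bot: pci_dev_put(pdev) is placed under the shared "out:" label of ppr_notifier() (amd_iommu_v2.c), so it also runs on every early "goto out", including any taken when the lookup returned no device. That is safe because pci_dev_put() accepts NULL, but the commit message covers only the path where the device was found; please state that the early exits were checked, or note it in a comment at the label.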
@@ -0,0 +1,38 @@ +From fda28a7efabe43393bab24fa52dbbd5d0da108d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 08:20:22 +0000 +Subject: iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe() + +From: Yuan Can + +[ Upstream commit 73f5fc5f884ad0c5f7d57f66303af64f9f002526 ] + +The fsl_pamu_probe() returns directly when create_csd() failed, leaving +irq and memories unreleased. +Fix by jumping to error if create_csd() returns error. + +Fixes: 695093e38c3e ("iommu/fsl: Freescale PAMU driver and iommu implementation.") +Signed-off-by: Yuan Can +Link: https://lore.kernel.org/r/20221121082022.19091-1-yuancan@huawei.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/fsl_pamu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/fsl_pamu.c b/drivers/iommu/fsl_pamu.c +index cde281b97afa..4dbecd14034a 100644 +--- a/drivers/iommu/fsl_pamu.c ++++ b/drivers/iommu/fsl_pamu.c +@@ -1122,7 +1122,7 @@ static int fsl_pamu_probe(struct platform_device *pdev) + ret = create_csd(ppaact_phys, mem_size, csd_port_id); + if (ret) { + dev_err(dev, "could not create coherence subdomain\n"); +- return ret; ++ goto error; + } + } + +-- +2.35.1 + diff --git a/queue-5.4/ipmi-fix-memleak-when-unload-ipmi-driver.patch b/queue-5.4/ipmi-fix-memleak-when-unload-ipmi-driver.patch new file mode 100644 index 00000000000..5f1be782552 --- /dev/null +++ b/queue-5.4/ipmi-fix-memleak-when-unload-ipmi-driver.patch 
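Review bot: "goto error" in fsl_pamu_probe() now enters the common unwind after dev_err() has already reported the create_csd() failure. Please confirm that the error label releases only what has been set up by this point and does not log the same failure a second time; the commit message names "irq and memories" but does not say what the label actually does.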
@@ -0,0 +1,64 @@ +From 49877147b861031f1714cc39507c2c0bfe3fd9ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Oct 2022 17:26:17 +0800 +Subject: ipmi: fix memleak when unload ipmi driver + +From: Zhang Yuchen + +[ Upstream commit 36992eb6b9b83f7f9cdc8e74fb5799d7b52e83e9 ] + +After the IPMI disconnect problem, the memory kept rising and we tried +to unload the driver to free the memory. However, only part of the +free memory is recovered after the driver is uninstalled. Using +ebpf to hook free functions, we find that neither ipmi_user nor +ipmi_smi_msg is free, only ipmi_recv_msg is free. + +We find that the deliver_smi_err_response call in clean_smi_msgs does +the destroy processing on each message from the xmit_msg queue without +checking the return value and free ipmi_smi_msg. + +deliver_smi_err_response is called only at this location. Adding the +free handling has no effect. + +To verify, try using ebpf to trace the free function. + + $ bpftrace -e 'kretprobe:ipmi_alloc_recv_msg {printf("alloc rcv + %p\n",retval);} kprobe:free_recv_msg {printf("free recv %p\n", + arg0)} kretprobe:ipmi_alloc_smi_msg {printf("alloc smi %p\n", + retval);} kprobe:free_smi_msg {printf("free smi %p\n",arg0)}' + +Signed-off-by: Zhang Yuchen +Message-Id: <20221007092617.87597-4-zhangyuchen.lcr@bytedance.com> +[Fixed the comment above handle_one_recv_msg().] 
+Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_msghandler.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c +index 736970312bbc..55f38058c0b4 100644 +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -3535,12 +3535,16 @@ static void deliver_smi_err_response(struct ipmi_smi *intf, + struct ipmi_smi_msg *msg, + unsigned char err) + { ++ int rv; + msg->rsp[0] = msg->data[0] | 4; + msg->rsp[1] = msg->data[1]; + msg->rsp[2] = err; + msg->rsp_size = 3; +- /* It's an error, so it will never requeue, no need to check return. */ +- handle_one_recv_msg(intf, msg); ++ ++ /* This will never requeue, but it may ask us to free the message. */ ++ rv = handle_one_recv_msg(intf, msg); ++ if (rv == 0) ++ ipmi_free_smi_msg(msg); + } + + static void cleanup_smi_msgs(struct ipmi_smi *intf) +-- +2.35.1 + diff --git a/queue-5.4/irqchip-gic-pm-use-pm_runtime_resume_and_get-in-gic_.patch b/queue-5.4/irqchip-gic-pm-use-pm_runtime_resume_and_get-in-gic_.patch new file mode 100644 index 00000000000..9b62f6092d8 --- /dev/null +++ b/queue-5.4/irqchip-gic-pm-use-pm_runtime_resume_and_get-in-gic_.patch 
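Review bot: in deliver_smi_err_response() (ipmi_msghandler.c), "int rv;" is followed directly by the first statement; kernel style wants a blank line after the declarations. The new comment says handle_one_recv_msg() "may ask us to free the message" but not which return value means that. Since only "rv == 0" frees, spell out in the comment what the non-zero returns mean for ownership of msg, so the next reader can tell the message is neither leaked nor freed twice in those cases.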
@@ -0,0 +1,39 @@ +From 9a5ce68157628c66d6fb2604e714640e3552438a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 14:51:50 +0800 +Subject: irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe() + +From: Shang XiaoJing + +[ Upstream commit f9ee20c85b3a3ba0afd3672630ec4f93d339f015 ] + +gic_probe() calls pm_runtime_get_sync() and added fail path as +rpm_put to put usage_counter. However, pm_runtime_get_sync() +will increment usage_counter even it failed. Fix it by replacing it with +pm_runtime_resume_and_get() to keep usage counter balanced. + +Fixes: 9c8edddfc992 ("irqchip/gic: Add platform driver for non-root GICs that require RPM") +Signed-off-by: Shang XiaoJing +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20221124065150.22809-1-shangxiaojing@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-pm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-gic-pm.c b/drivers/irqchip/irq-gic-pm.c +index 1337ceceb59b..8be7d136c3bf 100644 +--- a/drivers/irqchip/irq-gic-pm.c ++++ b/drivers/irqchip/irq-gic-pm.c +@@ -104,7 +104,7 @@ static int gic_probe(struct platform_device *pdev) + + pm_runtime_enable(dev); + +- ret = pm_runtime_get_sync(dev); ++ ret = pm_runtime_resume_and_get(dev); + if (ret < 0) + goto rpm_disable; + +-- +2.35.1 + diff --git a/queue-5.4/lib-debugobjects-fix-stat-count-and-optimize-debug_o.patch b/queue-5.4/lib-debugobjects-fix-stat-count-and-optimize-debug_o.patch new file mode 100644 index 00000000000..38b1343e66c --- /dev/null +++ b/queue-5.4/lib-debugobjects-fix-stat-count-and-optimize-debug_o.patch 
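Review bot: pm_runtime_resume_and_get() was added to mainline after v5.4, so for this queue-5.4 backport of the gic_probe() change check that the helper is already present in the 5.4 stable tree; otherwise irq-gic-pm.c will not build. With the helper available, the "ret < 0" test and the jump to rpm_disable in the context are right as they stand, because the usage counter is no longer held on failure.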
@@ -0,0 +1,76 @@ +From 55669547a3e0e8afd16ee7caf0fece14eae96399 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Jun 2022 21:06:34 +0800 +Subject: lib/debugobjects: fix stat count and optimize debug_objects_mem_init + +From: wuchi + +[ Upstream commit eabb7f1ace53e127309407b2b5e74e8199e85270 ] + +1. Var debug_objects_allocated tracks valid kmem_cache_alloc calls, so + track it in debug_objects_replace_static_objects. Do similar things in + object_cpu_offline. + +2. In debug_objects_mem_init, there is no need to call function + cpuhp_setup_state_nocalls when debug_objects_enabled = 0 (out of + memory). + +Link: https://lkml.kernel.org/r/20220611130634.99741-1-wuchi.zero@gmail.com +Fixes: 634d61f45d6f ("debugobjects: Percpu pool lookahead freeing/allocation") +Fixes: c4b73aabd098 ("debugobjects: Track number of kmem_cache_alloc/kmem_cache_free done") +Signed-off-by: wuchi +Reviewed-by: Waiman Long +Cc: Thomas Gleixner +Cc: Christoph Hellwig +Cc: Kees Cook +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + lib/debugobjects.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/lib/debugobjects.c b/lib/debugobjects.c +index 746b632792b5..7ca6459259fa 100644 +--- a/lib/debugobjects.c ++++ b/lib/debugobjects.c +@@ -440,6 +440,7 @@ static int object_cpu_offline(unsigned int cpu) + struct debug_percpu_free *percpu_pool; + struct hlist_node *tmp; + struct debug_obj *obj; ++ unsigned long flags; + + /* Remote access is safe as the CPU is dead already */ + percpu_pool = per_cpu_ptr(&percpu_obj_pool, cpu); +@@ -447,6 +448,12 @@ static int object_cpu_offline(unsigned int cpu) + hlist_del(&obj->node); + kmem_cache_free(obj_cache, obj); + } ++ ++ raw_spin_lock_irqsave(&pool_lock, flags); ++ obj_pool_used -= percpu_pool->obj_free; ++ debug_objects_freed += percpu_pool->obj_free; ++ raw_spin_unlock_irqrestore(&pool_lock, flags); ++ + percpu_pool->obj_free = 0; + + return 0; +@@ -1327,6 +1334,8 @@ static int __init 
debug_objects_replace_static_objects(void) + hlist_add_head(&obj->node, &objects); + } + ++ debug_objects_allocated += i; ++ + /* + * debug_objects_mem_init() is now called early that only one CPU is up + * and interrupts have been disabled, so it is safe to replace the +@@ -1395,6 +1404,7 @@ void __init debug_objects_mem_init(void) + debug_objects_enabled = 0; + kmem_cache_destroy(obj_cache); + pr_warn("out of memory.\n"); ++ return; + } else + debug_objects_selftest(); + +-- +2.35.1 + diff --git a/queue-5.4/lib-fonts-fix-undefined-behavior-in-bit-shift-for-ge.patch b/queue-5.4/lib-fonts-fix-undefined-behavior-in-bit-shift-for-ge.patch new file mode 100644 index 00000000000..3aa760c30e4 --- /dev/null +++ b/queue-5.4/lib-fonts-fix-undefined-behavior-in-bit-shift-for-ge.patch 
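Review bot: in debug_objects_mem_init() (lib/debugobjects.c), the added "return;" makes the following "} else debug_objects_selftest();" redundant and leaves a braced if paired with an unbraced else; drop the else and call debug_objects_selftest() after the block. In object_cpu_offline(), the new accounting takes pool_lock right under the "Remote access is safe" comment, so a short comment that the counters are shared with live CPUs, unlike percpu_pool itself, would explain why the lock is needed. The patch also bundles two unrelated changes (items 1 and 2 of the commit message), which makes a partial revert harder.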
@@ -0,0 +1,79 @@ +From 67b4c63ada9b87efb4120d841cff3ea236a5e412 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 19:38:29 +0800 +Subject: lib/fonts: fix undefined behavior in bit shift for get_default_font + +From: Gaosheng Cui + +[ Upstream commit 6fe888c4d2fb174408e4540bb2d5602b9f507f90 ] + +Shifting signed 32-bit value by 31 bits is undefined, so changing +significant bit to unsigned. The UBSAN warning calltrace like below: + +UBSAN: shift-out-of-bounds in lib/fonts/fonts.c:139:20 +left shift of 1 by 31 places cannot be represented in type 'int' + + dump_stack_lvl+0x7d/0xa5 + dump_stack+0x15/0x1b + ubsan_epilogue+0xe/0x4e + __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c + get_default_font+0x1c7/0x1f0 + fbcon_startup+0x347/0x3a0 + do_take_over_console+0xce/0x270 + do_fbcon_takeover+0xa1/0x170 + do_fb_registered+0x2a8/0x340 + fbcon_fb_registered+0x47/0xe0 + register_framebuffer+0x294/0x4a0 + __drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper] + drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper] + drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper] + drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper] + bochs_pci_probe+0x6ca/0x772 [bochs] + local_pci_probe+0x4d/0xb0 + pci_device_probe+0x119/0x320 + really_probe+0x181/0x550 + __driver_probe_device+0xc6/0x220 + driver_probe_device+0x32/0x100 + __driver_attach+0x195/0x200 + bus_for_each_dev+0xbb/0x120 + driver_attach+0x27/0x30 + bus_add_driver+0x22e/0x2f0 + driver_register+0xa9/0x190 + __pci_register_driver+0x90/0xa0 + bochs_pci_driver_init+0x52/0x1000 [bochs] + do_one_initcall+0x76/0x430 + do_init_module+0x61/0x28a + load_module+0x1f82/0x2e50 + __do_sys_finit_module+0xf8/0x190 + __x64_sys_finit_module+0x23/0x30 + do_syscall_64+0x58/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + + +Link: https://lkml.kernel.org/r/20221031113829.4183153-1-cuigaosheng1@huawei.com +Fixes: c81f717cb9e0 ("fbcon: Fix typo and bogus logic in get_default_font") +Signed-off-by: Gaosheng Cui 
+Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + lib/fonts/fonts.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/fonts/fonts.c b/lib/fonts/fonts.c +index e7258d8c252b..4da9707ad33d 100644 +--- a/lib/fonts/fonts.c ++++ b/lib/fonts/fonts.c +@@ -132,8 +132,8 @@ const struct font_desc *get_default_font(int xres, int yres, u32 font_w, + if (res > 20) + c += 20 - res; + +- if ((font_w & (1 << (f->width - 1))) && +- (font_h & (1 << (f->height - 1)))) ++ if ((font_w & (1U << (f->width - 1))) && ++ (font_h & (1U << (f->height - 1)))) + c += 1000; + + if (c > cc) { +-- +2.35.1 + diff --git a/queue-5.4/lib-notifier-error-inject-fix-error-when-writing-err.patch b/queue-5.4/lib-notifier-error-inject-fix-error-when-writing-err.patch new file mode 100644 index 00000000000..b3b0c058beb --- /dev/null +++ b/queue-5.4/lib-notifier-error-inject-fix-error-when-writing-err.patch 
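Review bot: in get_default_font() in lib/fonts/fonts.c, switching to 1U fixes the shift by 31 shown in the UBSAN trace, but the shift count f->width - 1 (and f->height - 1) is still taken as-is. Nothing in the hunk shows the bounds of those fields, so a width or height of 0, or anything above 32, would still be an undefined shift. If the font descriptors guarantee 1..32, a short comment stating that next to the test would close the question; otherwise a range check before the shift is needed.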
@@ -0,0 +1,52 @@ +From 39dc93bb19efc098116f89336692bbc0bc587901 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 02:24:17 +0900 +Subject: lib/notifier-error-inject: fix error when writing -errno to debugfs + file + +From: Akinobu Mita + +[ Upstream commit f883c3edd2c432a2931ec8773c70a570115a50fe ] + +The simple attribute files do not accept a negative value since the commit +488dac0c9237 ("libfs: fix error cast of negative value in +simple_attr_write()"). + +This restores the previous behaviour by using newly introduced +DEFINE_SIMPLE_ATTRIBUTE_SIGNED instead of DEFINE_SIMPLE_ATTRIBUTE. + +Link: https://lkml.kernel.org/r/20220919172418.45257-3-akinobu.mita@gmail.com +Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()") +Signed-off-by: Akinobu Mita +Reported-by: Zhao Gongyi +Reviewed-by: David Hildenbrand +Reviewed-by: Greg Kroah-Hartman +Cc: Alexander Viro +Cc: Jonathan Corbet +Cc: Oscar Salvador +Cc: Rafael J. Wysocki +Cc: Shuah Khan +Cc: Wei Yongjun +Cc: Yicong Yang +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + lib/notifier-error-inject.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/notifier-error-inject.c b/lib/notifier-error-inject.c +index 21016b32d313..2b24ea6c9497 100644 +--- a/lib/notifier-error-inject.c ++++ b/lib/notifier-error-inject.c +@@ -15,7 +15,7 @@ static int debugfs_errno_get(void *data, u64 *val) + return 0; + } + +-DEFINE_SIMPLE_ATTRIBUTE(fops_errno, debugfs_errno_get, debugfs_errno_set, ++DEFINE_SIMPLE_ATTRIBUTE_SIGNED(fops_errno, debugfs_errno_get, debugfs_errno_set, + "%lld\n"); + + static struct dentry *debugfs_create_errno(const char *name, umode_t mode, +-- +2.35.1 + diff --git a/queue-5.4/libfs-add-define_simple_attribute_signed-for-signed-.patch b/queue-5.4/libfs-add-define_simple_attribute_signed-for-signed-.patch new file mode 100644 index 00000000000..561d80e3f93 --- /dev/null 
+++ b/queue-5.4/libfs-add-define_simple_attribute_signed-for-signed-.patch 
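Review bot: the lib/notifier-error-inject.c change depends on DEFINE_SIMPLE_ATTRIBUTE_SIGNED, which only exists once the libfs patch in this same queue has been applied, so the series order must put the libfs patch first or the 5.4 build breaks at this file. Separately, the context line shows the getter still declared as debugfs_errno_get(void *data, u64 *val) while the format is "%lld\n"; with the signed variant, the callbacks now carry negative values through a u64, and a comment on that round trip would help.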
@@ -0,0 +1,139 @@ +From 3c4ead2ca0ed1b063b0c3cdf2d4d46d1009652cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 02:24:16 +0900 +Subject: libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value + +From: Akinobu Mita + +[ Upstream commit 2e41f274f9aa71cdcc69dc1f26a3f9304a651804 ] + +Patch series "fix error when writing negative value to simple attribute +files". + +The simple attribute files do not accept a negative value since the commit +488dac0c9237 ("libfs: fix error cast of negative value in +simple_attr_write()"), but some attribute files want to accept a negative +value. + +This patch (of 3): + +The simple attribute files do not accept a negative value since the commit +488dac0c9237 ("libfs: fix error cast of negative value in +simple_attr_write()"), so we have to use a 64-bit value to write a +negative value. + +This adds DEFINE_SIMPLE_ATTRIBUTE_SIGNED for a signed value. + +Link: https://lkml.kernel.org/r/20220919172418.45257-1-akinobu.mita@gmail.com +Link: https://lkml.kernel.org/r/20220919172418.45257-2-akinobu.mita@gmail.com +Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()") +Signed-off-by: Akinobu Mita +Reported-by: Zhao Gongyi +Reviewed-by: David Hildenbrand +Reviewed-by: Greg Kroah-Hartman +Cc: Alexander Viro +Cc: Jonathan Corbet +Cc: Oscar Salvador +Cc: Rafael J. 
Wysocki +Cc: Shuah Khan +Cc: Wei Yongjun +Cc: Yicong Yang +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/libfs.c | 22 +++++++++++++++++++--- + include/linux/fs.h | 12 ++++++++++-- + 2 files changed, 29 insertions(+), 5 deletions(-) + +diff --git a/fs/libfs.c b/fs/libfs.c +index 247b58a68240..e6f986da2a65 100644 +--- a/fs/libfs.c ++++ b/fs/libfs.c +@@ -883,8 +883,8 @@ ssize_t simple_attr_read(struct file *file, char __user *buf, + EXPORT_SYMBOL_GPL(simple_attr_read); + + /* interpret the buffer as a number to call the set function with */ +-ssize_t simple_attr_write(struct file *file, const char __user *buf, +- size_t len, loff_t *ppos) ++static ssize_t simple_attr_write_xsigned(struct file *file, const char __user *buf, ++ size_t len, loff_t *ppos, bool is_signed) + { + struct simple_attr *attr; + unsigned long long val; +@@ -905,7 +905,10 @@ ssize_t simple_attr_write(struct file *file, const char __user *buf, + goto out; + + attr->set_buf[size] = '\0'; +- ret = kstrtoull(attr->set_buf, 0, &val); ++ if (is_signed) ++ ret = kstrtoll(attr->set_buf, 0, &val); ++ else ++ ret = kstrtoull(attr->set_buf, 0, &val); + if (ret) + goto out; + ret = attr->set(attr->data, val); +@@ -915,8 +918,21 @@ ssize_t simple_attr_write(struct file *file, const char __user *buf, + mutex_unlock(&attr->mutex); + return ret; + } ++ ++ssize_t simple_attr_write(struct file *file, const char __user *buf, ++ size_t len, loff_t *ppos) ++{ ++ return simple_attr_write_xsigned(file, buf, len, ppos, false); ++} + EXPORT_SYMBOL_GPL(simple_attr_write); + ++ssize_t simple_attr_write_signed(struct file *file, const char __user *buf, ++ size_t len, loff_t *ppos) ++{ ++ return simple_attr_write_xsigned(file, buf, len, ppos, true); ++} ++EXPORT_SYMBOL_GPL(simple_attr_write_signed); ++ + /** + * generic_fh_to_dentry - generic helper for the fh_to_dentry export operation + * @sb: filesystem to do the file handle conversion on +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 
4ecbe12f6215..e003afcea3f3 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -3477,7 +3477,7 @@ void simple_transaction_set(struct file *file, size_t n); + * All attributes contain a text representation of a numeric value + * that are accessed with the get() and set() functions. + */ +-#define DEFINE_SIMPLE_ATTRIBUTE(__fops, __get, __set, __fmt) \ ++#define DEFINE_SIMPLE_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, __is_signed) \ + static int __fops ## _open(struct inode *inode, struct file *file) \ + { \ + __simple_attr_check_format(__fmt, 0ull); \ +@@ -3488,10 +3488,16 @@ static const struct file_operations __fops = { \ + .open = __fops ## _open, \ + .release = simple_attr_release, \ + .read = simple_attr_read, \ +- .write = simple_attr_write, \ ++ .write = (__is_signed) ? simple_attr_write_signed : simple_attr_write, \ + .llseek = generic_file_llseek, \ + } + ++#define DEFINE_SIMPLE_ATTRIBUTE(__fops, __get, __set, __fmt) \ ++ DEFINE_SIMPLE_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, false) ++ ++#define DEFINE_SIMPLE_ATTRIBUTE_SIGNED(__fops, __get, __set, __fmt) \ ++ DEFINE_SIMPLE_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, true) ++ + static inline __printf(1, 2) + void __simple_attr_check_format(const char *fmt, ...) + { +@@ -3506,6 +3512,8 @@ ssize_t simple_attr_read(struct file *file, char __user *buf, + size_t len, loff_t *ppos); + ssize_t simple_attr_write(struct file *file, const char __user *buf, + size_t len, loff_t *ppos); ++ssize_t simple_attr_write_signed(struct file *file, const char __user *buf, ++ size_t len, loff_t *ppos); + + struct ctl_table; + int proc_nr_files(struct ctl_table *table, int write, +-- +2.35.1 + diff --git a/queue-5.4/macintosh-fix-possible-memory-leak-in-macio_add_one_.patch b/queue-5.4/macintosh-fix-possible-memory-leak-in-macio_add_one_.patch new file mode 100644 index 00000000000..6eb47797727 --- /dev/null +++ b/queue-5.4/macintosh-fix-possible-memory-leak-in-macio_add_one_.patch 
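Review bot: in simple_attr_write_xsigned() in fs/libfs.c, the signed branch calls kstrtoll(attr->set_buf, 0, &val) while val is still declared "unsigned long long val;" in the unchanged context. kstrtoll() takes a long long *, so this passes a pointer of the wrong signedness and only compiles quietly where pointer-sign warnings are off. A separate long long local for the signed case, assigned to val afterwards, would make the conversion explicit. In include/linux/fs.h, the open helper still calls __simple_attr_check_format(__fmt, 0ull) for both variants, so a signed attribute's format string is checked against an unsigned argument; worth confirming that is intended.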
@@ -0,0 +1,43 @@ +From d0d627dbb61dae2a6ffceb6d340c87a37bdd1422 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 11:25:51 +0800 +Subject: macintosh: fix possible memory leak in macio_add_one_device() + +From: Yang Yingliang + +[ Upstream commit 5ca86eae55a2f006e6c1edd2029b2cacb6979515 ] + +Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's +bus_id string array"), the name of device is allocated dynamically. It +needs to be freed when of_device_register() fails. Call put_device() to +give up the reference that's taken in device_initialize(), so that it +can be freed in kobject_cleanup() when the refcount hits 0. + +macio device is freed in macio_release_dev(), so the kfree() can be +removed. + +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Yang Yingliang +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20221104032551.1075335-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/macintosh/macio_asic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/macintosh/macio_asic.c b/drivers/macintosh/macio_asic.c +index 92d142d2b75f..176bbd062617 100644 +--- a/drivers/macintosh/macio_asic.c ++++ b/drivers/macintosh/macio_asic.c +@@ -425,7 +425,7 @@ static struct macio_dev * macio_add_one_device(struct macio_chip *chip, + if (of_device_register(&dev->ofdev) != 0) { + printk(KERN_DEBUG"macio: device registration error for %s!\n", + dev_name(&dev->ofdev.dev)); +- kfree(dev); ++ put_device(&dev->ofdev.dev); + return NULL; + } + +-- +2.35.1 + diff --git a/queue-5.4/macintosh-macio-adb-check-the-return-value-of-iorema.patch b/queue-5.4/macintosh-macio-adb-check-the-return-value-of-iorema.patch new file mode 100644 index 00000000000..55ad58fc84c --- /dev/null +++ b/queue-5.4/macintosh-macio-adb-check-the-return-value-of-iorema.patch 
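Review bot: on the of_device_register() failure path in macio_add_one_device(), replacing kfree(dev) with put_device(&dev->ofdev.dev) is only correct if the device's release callback is already assigned when this branch runs. The changelog says macio_release_dev() does the freeing, but the hunk does not show where release is set, so please confirm that assignment happens before of_device_register() is called; otherwise the final put has nothing to free dev with.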
@@ -0,0 +1,40 @@ +From b6501ebe81c7cc49df3d93778e16ba8a85011903 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Aug 2022 15:41:48 +0800 +Subject: macintosh/macio-adb: check the return value of ioremap() + +From: Xie Shaowen + +[ Upstream commit dbaa3105736d4d73063ea0a3b01cd7fafce924e6 ] + +The function ioremap() in macio_init() can fail, so its return value +should be checked. + +Fixes: 36874579dbf4c ("[PATCH] powerpc: macio-adb build fix") +Reported-by: Hacash Robot +Signed-off-by: Xie Shaowen +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220802074148.3213659-1-studentxswpy@163.com +Signed-off-by: Sasha Levin +--- + drivers/macintosh/macio-adb.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/macintosh/macio-adb.c b/drivers/macintosh/macio-adb.c +index eb3adfb7f88d..172a8b18c579 100644 +--- a/drivers/macintosh/macio-adb.c ++++ b/drivers/macintosh/macio-adb.c +@@ -106,6 +106,10 @@ int macio_init(void) + return -ENXIO; + } + adb = ioremap(r.start, sizeof(struct adb_regs)); ++ if (!adb) { ++ of_node_put(adbs); ++ return -ENOMEM; ++ } + + out_8(&adb->ctrl.r, 0); + out_8(&adb->intr.r, 0); +-- +2.35.1 + diff --git a/queue-5.4/mailbox-zynq-ipi-fix-error-handling-while-device_reg.patch b/queue-5.4/mailbox-zynq-ipi-fix-error-handling-while-device_reg.patch new file mode 100644 index 00000000000..373cab4ccb4 --- /dev/null +++ b/queue-5.4/mailbox-zynq-ipi-fix-error-handling-while-device_reg.patch 
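Review bot: in macio_init() in drivers/macintosh/macio-adb.c, the new ioremap() failure branch drops the node reference with of_node_put(adbs) before returning, while the earlier "return -ENXIO;" branch visible in the context is cut off above the point where one could see whether it does the same. A single exit label that performs of_node_put(adbs) for every failure path would keep the two branches from drifting apart.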
@@ -0,0 +1,52 @@ +From 412f87347b5a78aaba086672764d1c2d833ce4fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 23:08:22 +0800 +Subject: mailbox: zynq-ipi: fix error handling while device_register() fails + +From: Yang Yingliang + +[ Upstream commit a6792a0cdef0b1c2d77920246283a72537e60e94 ] + +If device_register() fails, it has two issues: +1. The name allocated by dev_set_name() is leaked. +2. The parent of device is not NULL, device_unregister() is called + in zynqmp_ipi_free_mboxes(), it will lead a kernel crash because + of removing not added device. + +Call put_device() to give up the reference, so the name is freed in +kobject_cleanup(). Add device registered check in zynqmp_ipi_free_mboxes() +to avoid null-ptr-deref. + +Fixes: 4981b82ba2ff ("mailbox: ZynqMP IPI mailbox controller") +Signed-off-by: Yang Yingliang +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/zynqmp-ipi-mailbox.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mailbox/zynqmp-ipi-mailbox.c b/drivers/mailbox/zynqmp-ipi-mailbox.c +index f9cc674ba9b7..1d0b8abbafc3 100644 +--- a/drivers/mailbox/zynqmp-ipi-mailbox.c ++++ b/drivers/mailbox/zynqmp-ipi-mailbox.c +@@ -493,6 +493,7 @@ static int zynqmp_ipi_mbox_probe(struct zynqmp_ipi_mbox *ipi_mbox, + ret = device_register(&ipi_mbox->dev); + if (ret) { + dev_err(dev, "Failed to register ipi mbox dev.\n"); ++ put_device(&ipi_mbox->dev); + return ret; + } + mdev = &ipi_mbox->dev; +@@ -619,7 +620,8 @@ static void zynqmp_ipi_free_mboxes(struct zynqmp_ipi_pdata *pdata) + ipi_mbox = &pdata->ipi_mboxes[i]; + if (ipi_mbox->dev.parent) { + mbox_controller_unregister(&ipi_mbox->mbox); +- device_unregister(&ipi_mbox->dev); ++ if (device_is_registered(&ipi_mbox->dev)) ++ device_unregister(&ipi_mbox->dev); + } + } + } +-- +2.35.1 + 
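Review bot: in zynqmp_ipi_free_mboxes(), only device_unregister() is now guarded by device_is_registered(); mbox_controller_unregister(&ipi_mbox->mbox) still runs whenever ipi_mbox->dev.parent is set. The probe hunk returns straight after a failed device_register(), so on that path the mailbox controller was presumably never registered either, and unregistering it looks like the same class of bug the patch is fixing. Consider moving both calls under the device_is_registered() check, or explain in the changelog why the controller call is safe. Also note that after put_device() in the probe error path, this function still reads ipi_mbox->dev fields, which relies on the release callback not invalidating the embedded struct.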
diff --git a/queue-5.4/mcb-mcb-parse-fix-error-handing-in-chameleon_parse_g.patch b/queue-5.4/mcb-mcb-parse-fix-error-handing-in-chameleon_parse_g.patch new file mode 100644 index 00000000000..bcccb11862e --- /dev/null +++ b/queue-5.4/mcb-mcb-parse-fix-error-handing-in-chameleon_parse_g.patch @@ -0,0 +1,40 @@ +From d4d8b72624df2ef42aedb37598ef192b2bcc1ac5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 01:38:50 -0800 +Subject: mcb: mcb-parse: fix error handing in chameleon_parse_gdd() + +From: Yang Yingliang + +[ Upstream commit 728ac3389296caf68638628c987aeae6c8851e2d ] + +If mcb_device_register() returns error in chameleon_parse_gdd(), the refcount +of bus and device name are leaked. Fix this by calling put_device() to give up +the reference, so they can be released in mcb_release_dev() and kobject_cleanup(). + +Fixes: 3764e82e5150 ("drivers: Introduce MEN Chameleon Bus") +Reviewed-by: Johannes Thumshirn +Signed-off-by: Yang Yingliang +Signed-off-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/ebfb06e39b19272f0197fa9136b5e4b6f34ad732.1669624063.git.johannes.thumshirn@wdc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/mcb/mcb-parse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mcb/mcb-parse.c b/drivers/mcb/mcb-parse.c +index 3b69e6aa3d88..cfe5c95ce0ce 100644 +--- a/drivers/mcb/mcb-parse.c ++++ b/drivers/mcb/mcb-parse.c +@@ -108,7 +108,7 @@ static int chameleon_parse_gdd(struct mcb_bus *bus, + return 0; + + err: +- mcb_free_dev(mdev); ++ put_device(&mdev->dev); + + return ret; + } +-- +2.35.1 + diff --git a/queue-5.4/md-raid1-stop-mdx_raid1-thread-when-raid1-array-run-.patch b/queue-5.4/md-raid1-stop-mdx_raid1-thread-when-raid1-array-run-.patch new file mode 100644 index 00000000000..87baf7e4ebb --- /dev/null +++ b/queue-5.4/md-raid1-stop-mdx_raid1-thread-when-raid1-array-run-.patch 
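Review bot: the err: label in chameleon_parse_gdd() is a shared exit, and the hunk changes what every jump to it does, not only the mcb_device_register() failure named in the changelog. put_device(&mdev->dev) is only valid once the device has been initialized, so any goto err taken before that point would now drop a reference on an uninitialized struct device where mcb_free_dev() used to be fine. Please check each jump to err in the function, and if some happen before initialization, give them their own label that keeps mcb_free_dev().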
@@ -0,0 +1,71 @@ +From c4183ece5f95a10a01a7604b1bcc750055353488 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 22:16:59 +0800 +Subject: md/raid1: stop mdx_raid1 thread when raid1 array run failed + +From: Jiang Li + +[ Upstream commit b611ad14006e5be2170d9e8e611bf49dff288911 ] + +fail run raid1 array when we assemble array with the inactive disk only, +but the mdx_raid1 thread were not stop, Even if the associated resources +have been released. it will caused a NULL dereference when we do poweroff. + +This causes the following Oops: + [ 287.587787] BUG: kernel NULL pointer dereference, address: 0000000000000070 + [ 287.594762] #PF: supervisor read access in kernel mode + [ 287.599912] #PF: error_code(0x0000) - not-present page + [ 287.605061] PGD 0 P4D 0 + [ 287.607612] Oops: 0000 [#1] SMP NOPTI + [ 287.611287] CPU: 3 PID: 5265 Comm: md0_raid1 Tainted: G U 5.10.146 #0 + [ 287.619029] Hardware name: xxxxxxx/To be filled by O.E.M, BIOS 5.19 06/16/2022 + [ 287.626775] RIP: 0010:md_check_recovery+0x57/0x500 [md_mod] + [ 287.632357] Code: fe 01 00 00 48 83 bb 10 03 00 00 00 74 08 48 89 ...... + [ 287.651118] RSP: 0018:ffffc90000433d78 EFLAGS: 00010202 + [ 287.656347] RAX: 0000000000000000 RBX: ffff888105986800 RCX: 0000000000000000 + [ 287.663491] RDX: ffffc90000433bb0 RSI: 00000000ffffefff RDI: ffff888105986800 + [ 287.670634] RBP: ffffc90000433da0 R08: 0000000000000000 R09: c0000000ffffefff + [ 287.677771] R10: 0000000000000001 R11: ffffc90000433ba8 R12: ffff888105986800 + [ 287.684907] R13: 0000000000000000 R14: fffffffffffffe00 R15: ffff888100b6b500 + [ 287.692052] FS: 0000000000000000(0000) GS:ffff888277f80000(0000) knlGS:0000000000000000 + [ 287.700149] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 287.705897] CR2: 0000000000000070 CR3: 000000000320a000 CR4: 0000000000350ee0 + [ 287.713033] Call Trace: + [ 287.715498] raid1d+0x6c/0xbbb [raid1] + [ 287.719256] ? __schedule+0x1ff/0x760 + [ 287.722930] ? schedule+0x3b/0xb0 + [ 287.726260] ? 
schedule_timeout+0x1ed/0x290 + [ 287.730456] ? __switch_to+0x11f/0x400 + [ 287.734219] md_thread+0xe9/0x140 [md_mod] + [ 287.738328] ? md_thread+0xe9/0x140 [md_mod] + [ 287.742601] ? wait_woken+0x80/0x80 + [ 287.746097] ? md_register_thread+0xe0/0xe0 [md_mod] + [ 287.751064] kthread+0x11a/0x140 + [ 287.754300] ? kthread_park+0x90/0x90 + [ 287.757974] ret_from_fork+0x1f/0x30 + +In fact, when raid1 array run fail, we need to do +md_unregister_thread() before raid1_free(). + +Signed-off-by: Jiang Li +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/raid1.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index e87184645c54..1919de4c8c12 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -3132,6 +3132,7 @@ static int raid1_run(struct mddev *mddev) + * RAID1 needs at least one disk in active + */ + if (conf->raid_disks - mddev->degraded < 1) { ++ md_unregister_thread(&conf->thread); + ret = -EINVAL; + goto abort; + } +-- +2.35.1 + diff --git a/queue-5.4/media-c8sectpfe-add-of_node_put-when-breaking-out-of.patch b/queue-5.4/media-c8sectpfe-add-of_node_put-when-breaking-out-of.patch new file mode 100644 index 00000000000..9f18a17beb1 --- /dev/null +++ b/queue-5.4/media-c8sectpfe-add-of_node_put-when-breaking-out-of.patch 
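Review bot: in raid1_run() in drivers/md/raid1.c, the md_unregister_thread(&conf->thread) call is added only to the "needs at least one disk in active" branch, directly before goto abort. If the thread has to be stopped before raid1_free(), as the changelog says, then any other path that reaches abort with the thread already created has the same problem; doing the unregister under the abort label would cover them all. The changelog also carries no Fixes tag, which makes it hard to tell which stable trees actually need this.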
@@ -0,0 +1,36 @@ +From 9a926d2cd1babcef59923a9a5b94a7945d8cf73a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 22:10:23 +0800 +Subject: media: c8sectpfe: Add of_node_put() when breaking out of loop + +From: Liang He + +[ Upstream commit 63ff05a1ad242a5a0f897921c87b70d601bda59c ] + +In configure_channels(), we should call of_node_put() when breaking +out of for_each_child_of_node() which will automatically increase +and decrease the refcount. + +Fixes: c5f5d0f99794 ("[media] c8sectpfe: STiH407/10 Linux DVB demux support") +Signed-off-by: Liang He +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c +index 5baada4f65e5..69070b706831 100644 +--- a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c ++++ b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c +@@ -939,6 +939,7 @@ static int configure_channels(struct c8sectpfei *fei) + if (ret) { + dev_err(fei->dev, + "configure_memdma_and_inputblock failed\n"); ++ of_node_put(child); + goto err_unmap; + } + index++; +-- +2.35.1 + diff --git a/queue-5.4/media-camss-clean-up-received-buffers-on-failed-star.patch b/queue-5.4/media-camss-clean-up-received-buffers-on-failed-star.patch new file mode 100644 index 00000000000..6989f68ef29 --- /dev/null +++ b/queue-5.4/media-camss-clean-up-received-buffers-on-failed-star.patch 
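Review bot: in configure_channels() in c8sectpfe-core.c, of_node_put(child) is added for the configure_memdma_and_inputblock failure exit, which is the only early exit visible in this hunk. Please confirm there is no other break, goto or return inside the same for_each_child_of_node() loop, since each of those would leak the child reference in the same way.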
@@ -0,0 +1,62 @@ +From 69d31cb322e890f9c7c9d4e4a8f1f6bce287cdaa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Jul 2022 10:44:37 +0100 +Subject: media: camss: Clean up received buffers on failed start of streaming + +From: Vladimir Zapolskiy + +[ Upstream commit c8f3582345e6a69da65ab588f7c4c2d1685b0e80 ] + +It is required to return the received buffers, if streaming can not be +started. For instance media_pipeline_start() may fail with EPIPE, if +a link validation between entities is not passed, and in such a case +a user gets a kernel warning: + + WARNING: CPU: 1 PID: 520 at drivers/media/common/videobuf2/videobuf2-core.c:1592 vb2_start_streaming+0xec/0x160 + + Call trace: + vb2_start_streaming+0xec/0x160 + vb2_core_streamon+0x9c/0x1a0 + vb2_ioctl_streamon+0x68/0xbc + v4l_streamon+0x30/0x3c + __video_do_ioctl+0x184/0x3e0 + video_usercopy+0x37c/0x7b0 + video_ioctl2+0x24/0x40 + v4l2_ioctl+0x4c/0x70 + +The fix is to correct the error path in video_start_streaming() of camss. + +Fixes: 0ac2586c410f ("media: camss: Add files which handle the video device nodes") +Signed-off-by: Vladimir Zapolskiy +Reviewed-by: Robert Foss +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/camss/camss-video.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/qcom/camss/camss-video.c b/drivers/media/platform/qcom/camss/camss-video.c +index 4c2675b43718..6a5ec133a957 100644 +--- a/drivers/media/platform/qcom/camss/camss-video.c ++++ b/drivers/media/platform/qcom/camss/camss-video.c +@@ -438,7 +438,7 @@ static int video_start_streaming(struct vb2_queue *q, unsigned int count) + + ret = media_pipeline_start(&vdev->entity, &video->pipe); + if (ret < 0) +- return ret; ++ goto flush_buffers; + + ret = video_check_format(video); + if (ret < 0) +@@ -467,6 +467,7 @@ static int video_start_streaming(struct vb2_queue *q, unsigned int count) + error: + 
media_pipeline_stop(&vdev->entity); + ++flush_buffers: + video->ops->flush_buffers(video, VB2_BUF_STATE_QUEUED); + + return ret; +-- +2.35.1 + diff --git a/queue-5.4/media-coda-add-check-for-dcoda_iram_alloc.patch b/queue-5.4/media-coda-add-check-for-dcoda_iram_alloc.patch new file mode 100644 index 00000000000..95c0ce99997 --- /dev/null +++ b/queue-5.4/media-coda-add-check-for-dcoda_iram_alloc.patch 
@@ -0,0 +1,47 @@ +From dc0d7f0023cf5ddb840adb5ddd6ed0211477f93f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 14:56:52 +0800 +Subject: media: coda: Add check for dcoda_iram_alloc + +From: Jiasheng Jiang + +[ Upstream commit 6b8082238fb8bb20f67e46388123e67a5bbc558d ] + +As the coda_iram_alloc may return NULL pointer, +it should be better to check the return value +in order to avoid NULL poineter dereference, +same as the others. + +Fixes: b313bcc9a467 ("[media] coda: simplify IRAM setup") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/coda/coda-bit.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c +index e6b68be09f8f..6dc59d7fe8df 100644 +--- a/drivers/media/platform/coda/coda-bit.c ++++ b/drivers/media/platform/coda/coda-bit.c +@@ -852,7 +852,7 @@ static void coda_setup_iram(struct coda_ctx *ctx) + /* Only H.264BP and H.263P3 are considered */ + iram_info->buf_dbk_y_use = coda_iram_alloc(iram_info, w64); + iram_info->buf_dbk_c_use = coda_iram_alloc(iram_info, w64); +- if (!iram_info->buf_dbk_c_use) ++ if (!iram_info->buf_dbk_y_use || !iram_info->buf_dbk_c_use) + goto out; + iram_info->axi_sram_use |= dbk_bits; + +@@ -876,7 +876,7 @@ static void coda_setup_iram(struct coda_ctx *ctx) + + iram_info->buf_dbk_y_use = coda_iram_alloc(iram_info, w128); + iram_info->buf_dbk_c_use = coda_iram_alloc(iram_info, w128); +- if (!iram_info->buf_dbk_c_use) ++ if (!iram_info->buf_dbk_y_use || !iram_info->buf_dbk_c_use) + goto out; + iram_info->axi_sram_use |= dbk_bits; + +-- +2.35.1 + diff --git a/queue-5.4/media-coda-add-check-for-kmalloc.patch b/queue-5.4/media-coda-add-check-for-kmalloc.patch new file mode 100644 index 00000000000..0879b63f0ec --- /dev/null +++ b/queue-5.4/media-coda-add-check-for-kmalloc.patch 
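Review bot: in both coda_setup_iram() hunks, the new test jumps to out when either allocation fails, but when buf_dbk_y_use succeeded and buf_dbk_c_use did not, buf_dbk_y_use is left holding an allocation while the dbk_bits flag is never set in axi_sram_use. If the consumer looks only at axi_sram_use that is harmless, but it should be stated; otherwise clear buf_dbk_y_use before the goto. The subject line says "dcoda_iram_alloc" while the body and the code say coda_iram_alloc.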
@@ -0,0 +1,48 @@ +From f62666490f6d826cef3455f7141b40652c5d655f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 15:02:36 +0800 +Subject: media: coda: Add check for kmalloc + +From: Jiasheng Jiang + +[ Upstream commit 6e5e5defdb8b0186312c2f855ace175aee6daf9b ] + +As the kmalloc may return NULL pointer, +it should be better to check the return value +in order to avoid NULL poineter dereference, +same as the others. + +Fixes: cb1d3a336371 ("[media] coda: add CODA7541 JPEG support") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/coda/coda-bit.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c +index 6dc59d7fe8df..73023d34d920 100644 +--- a/drivers/media/platform/coda/coda-bit.c ++++ b/drivers/media/platform/coda/coda-bit.c +@@ -1082,10 +1082,16 @@ static int coda_start_encoding(struct coda_ctx *ctx) + } + + if (dst_fourcc == V4L2_PIX_FMT_JPEG) { +- if (!ctx->params.jpeg_qmat_tab[0]) ++ if (!ctx->params.jpeg_qmat_tab[0]) { + ctx->params.jpeg_qmat_tab[0] = kmalloc(64, GFP_KERNEL); +- if (!ctx->params.jpeg_qmat_tab[1]) ++ if (!ctx->params.jpeg_qmat_tab[0]) ++ return -ENOMEM; ++ } ++ if (!ctx->params.jpeg_qmat_tab[1]) { + ctx->params.jpeg_qmat_tab[1] = kmalloc(64, GFP_KERNEL); ++ if (!ctx->params.jpeg_qmat_tab[1]) ++ return -ENOMEM; ++ } + coda_set_jpeg_compression_quality(ctx, ctx->params.jpeg_quality); + } + +-- +2.35.1 + diff --git a/queue-5.4/media-dvb-core-fix-ignored-return-value-in-dvb_regis.patch b/queue-5.4/media-dvb-core-fix-ignored-return-value-in-dvb_regis.patch new file mode 100644 index 00000000000..c2d356b8094 --- /dev/null +++ b/queue-5.4/media-dvb-core-fix-ignored-return-value-in-dvb_regis.patch 
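Review bot: in coda_start_encoding(), the two new failure branches use a bare "return -ENOMEM;". That is only safe if nothing acquired earlier in the function needs unwinding at this point, and the hunk does not show what precedes it; if the function has a common error label, these should jump to it instead. The two branches are identical apart from the index, so a short loop over jpeg_qmat_tab[0] and jpeg_qmat_tab[1] would remove the duplication, and the literal 64 passed to kmalloc() deserves a named constant.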
@@ -0,0 +1,71 @@ +From 0ea47a4046ebad1f4f97a1018d6fa7834d64a13d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 03:30:05 +0000 +Subject: media: dvb-core: Fix ignored return value in dvb_register_frontend() + +From: Chen Zhongjin + +[ Upstream commit a574359e2e71ce16be212df3a082ed60a4bd2c5f ] + +In dvb_register_frontend(), dvb_register_device() is possible to fail +but its return value is ignored. + +It will cause use-after-free when module is removed, because in +dvb_unregister_frontend() it tries to unregister a not registered +device. + +BUG: KASAN: use-after-free in dvb_remove_device+0x18b/0x1f0 [dvb_core] +Read of size 4 at addr ffff88800dff4824 by task rmmod/428 +CPU: 3 PID: 428 Comm: rmmod +Call Trace: + + ... + dvb_remove_device+0x18b/0x1f0 [dvb_core] + dvb_unregister_frontend+0x7b/0x130 [dvb_core] + vidtv_bridge_remove+0x6e/0x160 [dvb_vidtv_bridge] + ... + +Fix this by catching return value of dvb_register_device(). +However the fe->refcount can't be put to zero immediately, because +there are still modules calling dvb_frontend_detach() when +dvb_register_frontend() fails. 
+ +Link: https://lore.kernel.org/linux-media/20221108033005.169095-1-chenzhongjin@huawei.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Chen Zhongjin +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvb_frontend.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c +index 06ea30a689d7..b28ea7204f23 100644 +--- a/drivers/media/dvb-core/dvb_frontend.c ++++ b/drivers/media/dvb-core/dvb_frontend.c +@@ -2961,6 +2961,7 @@ int dvb_register_frontend(struct dvb_adapter *dvb, + .name = fe->ops.info.name, + #endif + }; ++ int ret; + + dev_dbg(dvb->device, "%s:\n", __func__); + +@@ -2994,8 +2995,13 @@ int dvb_register_frontend(struct dvb_adapter *dvb, + "DVB: registering adapter %i frontend %i (%s)...\n", + fe->dvb->num, fe->id, fe->ops.info.name); + +- dvb_register_device(fe->dvb, &fepriv->dvbdev, &dvbdev_template, ++ ret = dvb_register_device(fe->dvb, &fepriv->dvbdev, &dvbdev_template, + fe, DVB_DEVICE_FRONTEND, 0); ++ if (ret) { ++ dvb_frontend_put(fe); ++ mutex_unlock(&frontend_mutex); ++ return ret; ++ } + + /* + * Initialize the cache to the proper values according with the +-- +2.35.1 + diff --git a/queue-5.4/media-dvb-frontends-fix-leak-of-memory-fw.patch b/queue-5.4/media-dvb-frontends-fix-leak-of-memory-fw.patch new file mode 100644 index 00000000000..9dfaef8d102 --- /dev/null +++ b/queue-5.4/media-dvb-frontends-fix-leak-of-memory-fw.patch 
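Review bot: in the dvb_register_frontend() error branch, dvb_frontend_put(fe) is called while frontend_mutex is still held, and the unlock follows it. The changelog argues the refcount cannot reach zero here because callers still run dvb_frontend_detach(), but that invariant lives only in the commit message; unlocking first and then dropping the reference would not depend on it. The branch also returns without touching whatever the function set up before dvb_register_device() (not shown in the hunk), so a comment stating that cleanup is left to the caller's detach path would make the intent reviewable.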
@@ -0,0 +1,32 @@ +From 4d988597ab71d56655e447fa51b712c2117d8aa9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Apr 2022 07:19:25 +0100 +Subject: media: dvb-frontends: fix leak of memory fw + +From: Yan Lei + +[ Upstream commit a15fe8d9f1bf460a804bcf18a890bfd2cf0d5caa ] + +Link: https://lore.kernel.org/linux-media/20220410061925.4107-1-chinayanlei2002@163.com +Signed-off-by: Yan Lei +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/bcm3510.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/dvb-frontends/bcm3510.c b/drivers/media/dvb-frontends/bcm3510.c +index e92542b92d34..6457b0912d14 100644 +--- a/drivers/media/dvb-frontends/bcm3510.c ++++ b/drivers/media/dvb-frontends/bcm3510.c +@@ -649,6 +649,7 @@ static int bcm3510_download_firmware(struct dvb_frontend* fe) + deb_info("firmware chunk, addr: 0x%04x, len: 0x%04x, total length: 0x%04zx\n",addr,len,fw->size); + if ((ret = bcm3510_write_ram(st,addr,&b[i+4],len)) < 0) { + err("firmware download failed: %d\n",ret); ++ release_firmware(fw); + return ret; + } + i += 4 + len; +-- +2.35.1 + diff --git a/queue-5.4/media-dvb-usb-az6027-fix-null-ptr-deref-in-az6027_i2.patch b/queue-5.4/media-dvb-usb-az6027-fix-null-ptr-deref-in-az6027_i2.patch new file mode 100644 index 00000000000..4d4d476663f --- /dev/null +++ b/queue-5.4/media-dvb-usb-az6027-fix-null-ptr-deref-in-az6027_i2.patch 
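Review bot: in bcm3510_download_firmware(), release_firmware(fw) is added to the bcm3510_write_ram() failure return only. A single exit label that releases fw, with ret carrying the status, would cover this path and any other early return in the function without needing one call per branch. The commit message has no description and no Fixes tag, so there is nothing to say which trees are affected or how the leak was found.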
@@ -0,0 +1,64 @@ +From 7cd19fa852ed42392d77dd5387821eef02499388 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Nov 2022 06:59:18 +0000 +Subject: media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer() + +From: Baisong Zhong + +[ Upstream commit 0ed554fd769a19ea8464bb83e9ac201002ef74ad ] + +Wei Chen reports a kernel bug as blew: + +general protection fault, probably for non-canonical address +KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] +... +Call Trace: + +__i2c_transfer+0x77e/0x1930 drivers/i2c/i2c-core-base.c:2109 +i2c_transfer+0x1d5/0x3d0 drivers/i2c/i2c-core-base.c:2170 +i2cdev_ioctl_rdwr+0x393/0x660 drivers/i2c/i2c-dev.c:297 +i2cdev_ioctl+0x75d/0x9f0 drivers/i2c/i2c-dev.c:458 +vfs_ioctl fs/ioctl.c:51 [inline] +__do_sys_ioctl fs/ioctl.c:870 [inline] +__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7fd834a8bded + +In az6027_i2c_xfer(), if msg[i].addr is 0x99, +a null-ptr-deref will caused when accessing msg[i].buf. +For msg[i].len is 0 and msg[i].buf is null. + +Fix this by checking msg[i].len in az6027_i2c_xfer(). 
+ +Link: https://lore.kernel.org/lkml/CAO4mrfcPHB5aQJO=mpqV+p8mPLNg-Fok0gw8gZ=zemAfMGTzMg@mail.gmail.com/ + +Link: https://lore.kernel.org/linux-media/20221120065918.2160782-1-zhongbaisong@huawei.com +Fixes: 76f9a820c867 ("V4L/DVB: AZ6027: Initial import of the driver") +Reported-by: Wei Chen +Signed-off-by: Baisong Zhong +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/az6027.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c +index 5aa9c501ed9c..ffc0db67d4d6 100644 +--- a/drivers/media/usb/dvb-usb/az6027.c ++++ b/drivers/media/usb/dvb-usb/az6027.c +@@ -975,6 +975,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n + if (msg[i].addr == 0x99) { + req = 0xBE; + index = 0; ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + value = msg[i].buf[0] & 0x00ff; + length = 1; + az6027_usb_out_op(d, req, value, index, data, length); +-- +2.35.1 + diff --git a/queue-5.4/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch b/queue-5.4/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch new file mode 100644 index 00000000000..e3a51e510c3 --- /dev/null +++ b/queue-5.4/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch 
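Review bot: in drivers/media/usb/dvb-usb/az6027.c, the new check in the `msg[i].addr == 0x99` branch of az6027_i2c_xfer() reports the error by writing -EOPNOTSUPP into the loop index i and breaking, which only works if the code after the loop returns i; add a comment saying so, or use a dedicated return variable. The hunk guards only this branch, so any other branch of the loop that indexes msg[i].buf needs the same msg[i].len test.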
@@ -0,0 +1,97 @@ +From a23c9c677f164fe3efd28a7af0517433584bbdb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 02:21:52 +0100 +Subject: media: dvb-usb: fix memory leak in dvb_usb_adapter_init() + +From: Mazin Al Haddad + +[ Upstream commit 94d90fb06b94a90c176270d38861bcba34ce377d ] + +Syzbot reports a memory leak in "dvb_usb_adapter_init()". +The leak is due to not accounting for and freeing current iteration's +adapter->priv in case of an error. Currently if an error occurs, +it will exit before incrementing "num_adapters_initalized", +which is used as a reference counter to free all adap->priv +in "dvb_usb_adapter_exit()". There are multiple error paths that +can exit from before incrementing the counter. Including the +error handling paths for "dvb_usb_adapter_stream_init()", +"dvb_usb_adapter_dvb_init()" and "dvb_usb_adapter_frontend_init()" +within "dvb_usb_adapter_init()". + +This means that in case of an error in any of these functions the +current iteration is not accounted for and the current iteration's +adap->priv is not freed. + +Fix this by freeing the current iteration's adap->priv in the +"stream_init_err:" label in the error path. The rest of the +(accounted for) adap->priv objects are freed in dvb_usb_adapter_exit() +as expected using the num_adapters_initalized variable. + +Syzbot report: + +BUG: memory leak +unreferenced object 0xffff8881172f1a00 (size 512): + comm "kworker/0:2", pid 139, jiffies 4294994873 (age 10.960s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
+backtrace: + [] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline] + [] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline] + [] dvb_usb_device_init.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308 + [] dib0700_probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700_core.c:883 + [] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 + [] call_driver_probe drivers/base/dd.c:542 [inline] + [] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621 + [] really_probe drivers/base/dd.c:583 [inline] + [] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752 + [] driver_probe_device+0x2a/0x120 drivers/base/dd.c:782 + [] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:899 + [] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427 + [] __device_attach+0x122/0x260 drivers/base/dd.c:970 + [] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487 + [] device_add+0x5fb/0xdf0 drivers/base/core.c:3405 + [] usb_set_configuration+0x8f2/0xb80 drivers/usb/core/message.c:2170 + [] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238 + [] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293 + [] call_driver_probe drivers/base/dd.c:542 [inline] + [] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621 + [] really_probe drivers/base/dd.c:583 [inline] + [] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752 + +Link: https://syzkaller.appspot.com/bug?extid=f66dd31987e6740657be +Reported-and-tested-by: syzbot+f66dd31987e6740657be@syzkaller.appspotmail.com + +Link: https://lore.kernel.org/linux-media/20220824012152.539788-1-mazinalhaddad05@gmail.com +Signed-off-by: Mazin Al Haddad +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/dvb-usb-init.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c +index e7720ff11d3d..cb5bf119df9f 100644 +--- 
a/drivers/media/usb/dvb-usb/dvb-usb-init.c ++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c +@@ -81,7 +81,7 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs) + + ret = dvb_usb_adapter_stream_init(adap); + if (ret) +- return ret; ++ goto stream_init_err; + + ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs); + if (ret) +@@ -114,6 +114,8 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs) + dvb_usb_adapter_dvb_exit(adap); + dvb_init_err: + dvb_usb_adapter_stream_exit(adap); ++stream_init_err: ++ kfree(adap->priv); + return ret; + } + +-- +2.35.1 + diff --git a/queue-5.4/media-dvbdev-adopts-refcnt-to-avoid-uaf.patch b/queue-5.4/media-dvbdev-adopts-refcnt-to-avoid-uaf.patch new file mode 100644 index 00000000000..513c9a022a8 --- /dev/null +++ b/queue-5.4/media-dvbdev-adopts-refcnt-to-avoid-uaf.patch 
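Review bot: in drivers/media/usb/dvb-usb/dvb-usb-init.c, the new stream_init_err label in dvb_usb_adapter_init() frees adap->priv but leaves the pointer set, so any later cleanup that looks at this adapter again would free it a second time; set adap->priv = NULL after the kfree(). Because dvb_init_err falls through into the new label, the two later error paths now free priv as well, which matches the commit message and deserves a short comment at the label.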
@@ -0,0 +1,210 @@ +From bba9f084ed18af08909a0238cd5b55d9c4b4971b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Aug 2022 15:59:52 +0100 +Subject: media: dvbdev: adopts refcnt to avoid UAF + +From: Lin Ma + +[ Upstream commit 0fc044b2b5e2d05a1fa1fb0d7f270367a7855d79 ] + +dvb_unregister_device() is known that prone to use-after-free. +That is, the cleanup from dvb_unregister_device() releases the dvb_device +even if there are pointers stored in file->private_data still refer to it. + +This patch adds a reference counter into struct dvb_device and delays its +deallocation until no pointer refers to the object. + +Link: https://lore.kernel.org/linux-media/20220807145952.10368-1-linma@zju.edu.cn +Signed-off-by: Lin Ma +Reported-by: kernel test robot +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvb_ca_en50221.c | 2 +- + drivers/media/dvb-core/dvb_frontend.c | 2 +- + drivers/media/dvb-core/dvbdev.c | 32 +++++++++++++++++++------ + include/media/dvbdev.h | 31 +++++++++++++----------- + 4 files changed, 44 insertions(+), 23 deletions(-) + +diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c +index cfc27629444f..fd476536d32e 100644 +--- a/drivers/media/dvb-core/dvb_ca_en50221.c ++++ b/drivers/media/dvb-core/dvb_ca_en50221.c +@@ -157,7 +157,7 @@ static void dvb_ca_private_free(struct dvb_ca_private *ca) + { + unsigned int i; + +- dvb_free_device(ca->dvbdev); ++ dvb_device_put(ca->dvbdev); + for (i = 0; i < ca->slot_count; i++) + vfree(ca->slot_info[i].rx_buffer.data); + +diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c +index b28ea7204f23..b04638321b75 100644 +--- a/drivers/media/dvb-core/dvb_frontend.c ++++ b/drivers/media/dvb-core/dvb_frontend.c +@@ -135,7 +135,7 @@ static void __dvb_frontend_free(struct dvb_frontend *fe) + struct dvb_frontend_private *fepriv = fe->frontend_priv; + + if (fepriv) +- 
dvb_free_device(fepriv->dvbdev); ++ dvb_device_put(fepriv->dvbdev); + + dvb_frontend_invoke_release(fe, fe->ops.release); + +diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c +index 197cf17b246f..f4eb89aa9e98 100644 +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -107,7 +107,7 @@ static int dvb_device_open(struct inode *inode, struct file *file) + new_fops = fops_get(dvbdev->fops); + if (!new_fops) + goto fail; +- file->private_data = dvbdev; ++ file->private_data = dvb_device_get(dvbdev); + replace_fops(file, new_fops); + if (file->f_op->open) + err = file->f_op->open(inode, file); +@@ -171,6 +171,9 @@ int dvb_generic_release(struct inode *inode, struct file *file) + } + + dvbdev->users++; ++ ++ dvb_device_put(dvbdev); ++ + return 0; + } + EXPORT_SYMBOL(dvb_generic_release); +@@ -487,6 +490,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + return -ENOMEM; + } + ++ kref_init(&dvbdev->ref); + memcpy(dvbdev, template, sizeof(struct dvb_device)); + dvbdev->type = type; + dvbdev->id = id; +@@ -517,7 +521,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + #endif + + dvbdev->minor = minor; +- dvb_minors[minor] = dvbdev; ++ dvb_minors[minor] = dvb_device_get(dvbdev); + up_write(&minor_rwsem); + + ret = dvb_register_media_device(dvbdev, type, minor, demux_sink_pads); +@@ -557,6 +561,7 @@ void dvb_remove_device(struct dvb_device *dvbdev) + + down_write(&minor_rwsem); + dvb_minors[dvbdev->minor] = NULL; ++ dvb_device_put(dvbdev); + up_write(&minor_rwsem); + + dvb_media_device_free(dvbdev); +@@ -568,21 +573,34 @@ void dvb_remove_device(struct dvb_device *dvbdev) + EXPORT_SYMBOL(dvb_remove_device); + + +-void dvb_free_device(struct dvb_device *dvbdev) ++static void dvb_free_device(struct kref *ref) + { +- if (!dvbdev) +- return; ++ struct dvb_device *dvbdev = container_of(ref, struct dvb_device, ref); + + kfree (dvbdev->fops); + kfree (dvbdev); 
+ } +-EXPORT_SYMBOL(dvb_free_device); ++ ++ ++struct dvb_device *dvb_device_get(struct dvb_device *dvbdev) ++{ ++ kref_get(&dvbdev->ref); ++ return dvbdev; ++} ++EXPORT_SYMBOL(dvb_device_get); ++ ++ ++void dvb_device_put(struct dvb_device *dvbdev) ++{ ++ if (dvbdev) ++ kref_put(&dvbdev->ref, dvb_free_device); ++} + + + void dvb_unregister_device(struct dvb_device *dvbdev) + { + dvb_remove_device(dvbdev); +- dvb_free_device(dvbdev); ++ dvb_device_put(dvbdev); + } + EXPORT_SYMBOL(dvb_unregister_device); + +diff --git a/include/media/dvbdev.h b/include/media/dvbdev.h +index 551325858de3..b44ef98232f5 100644 +--- a/include/media/dvbdev.h ++++ b/include/media/dvbdev.h +@@ -156,6 +156,7 @@ struct dvb_adapter { + */ + struct dvb_device { + struct list_head list_head; ++ struct kref ref; + const struct file_operations *fops; + struct dvb_adapter *adapter; + enum dvb_device_type type; +@@ -187,6 +188,20 @@ struct dvb_device { + void *priv; + }; + ++/** ++ * dvb_device_get - Increase dvb_device reference ++ * ++ * @dvbdev: pointer to struct dvb_device ++ */ ++struct dvb_device *dvb_device_get(struct dvb_device *dvbdev); ++ ++/** ++ * dvb_device_get - Decrease dvb_device reference ++ * ++ * @dvbdev: pointer to struct dvb_device ++ */ ++void dvb_device_put(struct dvb_device *dvbdev); ++ + /** + * dvb_register_adapter - Registers a new DVB adapter + * +@@ -231,29 +246,17 @@ int dvb_register_device(struct dvb_adapter *adap, + /** + * dvb_remove_device - Remove a registered DVB device + * +- * This does not free memory. To do that, call dvb_free_device(). ++ * This does not free memory. dvb_free_device() will do that when ++ * reference counter is empty + * + * @dvbdev: pointer to struct dvb_device + */ + void dvb_remove_device(struct dvb_device *dvbdev); + +-/** +- * dvb_free_device - Free memory occupied by a DVB device. +- * +- * Call dvb_unregister_device() before calling this function. 
+- * +- * @dvbdev: pointer to struct dvb_device +- */ +-void dvb_free_device(struct dvb_device *dvbdev); + + /** + * dvb_unregister_device - Unregisters a DVB device + * +- * This is a combination of dvb_remove_device() and dvb_free_device(). +- * Using this function is usually a mistake, and is often an indicator +- * for a use-after-free bug (when a userspace process keeps a file +- * handle to a detached device). +- * + * @dvbdev: pointer to struct dvb_device + */ + void dvb_unregister_device(struct dvb_device *dvbdev); +-- +2.35.1 + diff --git a/queue-5.4/media-i2c-ad5820-fix-error-path.patch b/queue-5.4/media-i2c-ad5820-fix-error-path.patch new file mode 100644 index 00000000000..532d5e3e039 --- /dev/null +++ b/queue-5.4/media-i2c-ad5820-fix-error-path.patch 
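Review bot: in drivers/media/dvb-core/dvbdev.c, the dvb_register_device() hunk calls kref_init(&dvbdev->ref) immediately before memcpy(dvbdev, template, sizeof(struct dvb_device)), and since this patch places ref inside struct dvb_device the memcpy overwrites the counter that was just initialised with whatever the template holds. Move the kref_init() to after the memcpy so the reference count starts at one.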
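Review bot: in include/media/dvbdev.h, the kernel-doc block added above the dvb_device_put() prototype is titled "dvb_device_get - Decrease dvb_device reference", a copy of the block above it; it should name dvb_device_put. In dvbdev.c the two helpers are also asymmetric: dvb_device_get() is followed by EXPORT_SYMBOL() and dereferences dvbdev unconditionally, while dvb_device_put() has no export and accepts NULL, so either align them or document why they differ.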
@@ -0,0 +1,51 @@ +From 3ad946bf9b92bdc597faf51d35b91ad3bf7a3d71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 13:38:00 +0200 +Subject: media: i2c: ad5820: Fix error path + +From: Ricardo Ribalda + +[ Upstream commit 9fce241660f37d9e95e93c0ae6fba8cfefa5797b ] + +Error path seems to be swaped. Fix the order and provide some meaningful +names. + +Fixes: bee3d5115611 ("[media] ad5820: Add driver for auto-focus coil") +Signed-off-by: Ricardo Ribalda +Signed-off-by: Sakari Ailus +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ad5820.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/i2c/ad5820.c b/drivers/media/i2c/ad5820.c +index 7a49651f4d1f..d7d85edeedd5 100644 +--- a/drivers/media/i2c/ad5820.c ++++ b/drivers/media/i2c/ad5820.c +@@ -314,18 +314,18 @@ static int ad5820_probe(struct i2c_client *client, + + ret = media_entity_pads_init(&coil->subdev.entity, 0, NULL); + if (ret < 0) +- goto cleanup2; ++ goto clean_mutex; + + ret = v4l2_async_register_subdev(&coil->subdev); + if (ret < 0) +- goto cleanup; ++ goto clean_entity; + + return ret; + +-cleanup2: +- mutex_destroy(&coil->power_lock); +-cleanup: ++clean_entity: + media_entity_cleanup(&coil->subdev.entity); ++clean_mutex: ++ mutex_destroy(&coil->power_lock); + return ret; + } + +-- +2.35.1 + diff --git a/queue-5.4/media-imon-fix-a-race-condition-in-send_packet.patch b/queue-5.4/media-imon-fix-a-race-condition-in-send_packet.patch new file mode 100644 index 00000000000..642f9e82287 --- /dev/null +++ b/queue-5.4/media-imon-fix-a-race-condition-in-send_packet.patch 
@@ -0,0 +1,79 @@ +From 95fb66a9f589dca76b958fb531e972d1209d73cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Oct 2022 06:02:14 +0100 +Subject: media: imon: fix a race condition in send_packet() + +From: Gautam Menghani + +[ Upstream commit 813ceef062b53d68f296aa3cb944b21a091fabdb ] + +The function send_packet() has a race condition as follows: + +func send_packet() +{ + // do work + call usb_submit_urb() + mutex_unlock() + wait_for_event_interruptible() <-- lock gone + mutex_lock() +} + +func vfd_write() +{ + mutex_lock() + call send_packet() <- prev call is not completed + mutex_unlock() +} + +When the mutex is unlocked and the function send_packet() waits for the +call to complete, vfd_write() can start another call, which leads to the +"URB submitted while active" warning in usb_submit_urb(). +Fix this by removing the mutex_unlock() call in send_packet() and using +mutex_lock_interruptible(). + +Link: https://syzkaller.appspot.com/bug?id=e378e6a51fbe6c5cc43e34f131cc9a315ef0337e + +Fixes: 21677cfc562a ("V4L/DVB: ir-core: add imon driver") +Reported-by: syzbot+0c3cb6dc05fbbdc3ad66@syzkaller.appspotmail.com +Signed-off-by: Gautam Menghani +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/rc/imon.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c +index c683a244b9fa..d8401ef9b0a7 100644 +--- a/drivers/media/rc/imon.c ++++ b/drivers/media/rc/imon.c +@@ -604,15 +604,14 @@ static int send_packet(struct imon_context *ictx) + pr_err_ratelimited("error submitting urb(%d)\n", retval); + } else { + /* Wait for transmission to complete (or abort) */ +- mutex_unlock(&ictx->lock); + retval = wait_for_completion_interruptible( + &ictx->tx.finished); + if (retval) { + usb_kill_urb(ictx->tx_urb); + pr_err_ratelimited("task interrupted\n"); + } +- mutex_lock(&ictx->lock); + ++ ictx->tx.busy = false; + retval = ictx->tx.status; 
+ if (retval) + pr_err_ratelimited("packet tx failed (%d)\n", retval); +@@ -919,7 +918,8 @@ static ssize_t vfd_write(struct file *file, const char __user *buf, + return -ENODEV; + } + +- mutex_lock(&ictx->lock); ++ if (mutex_lock_interruptible(&ictx->lock)) ++ return -ERESTARTSYS; + + if (!ictx->dev_present_intf0) { + pr_err_ratelimited("no iMON device present\n"); +-- +2.35.1 + diff --git a/queue-5.4/media-platform-exynos4-is-fix-error-handling-in-fimc.patch b/queue-5.4/media-platform-exynos4-is-fix-error-handling-in-fimc.patch new file mode 100644 index 00000000000..0b3d08df7c3 --- /dev/null +++ b/queue-5.4/media-platform-exynos4-is-fix-error-handling-in-fimc.patch 
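Review bot: in drivers/media/rc/imon.c, send_packet() now keeps ictx->lock held across wait_for_completion_interruptible(&ictx->tx.finished), which has no timeout, so if the completion is never signalled every other taker of ictx->lock stays blocked until the waiter receives a signal; consider wait_for_completion_interruptible_timeout() with usb_kill_urb() on expiry. The added `ictx->tx.busy = false;` is not mentioned in the commit message and should be explained there or split into its own change.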
@@ -0,0 +1,75 @@ +From 6d07c4d191b280cd1f10aa533355fc36c1d177b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 06:08:53 +0000 +Subject: media: platform: exynos4-is: Fix error handling in fimc_md_init() + +From: Yuan Can + +[ Upstream commit b434422c45282a0573d8123239abc41fa72665d4 ] + +A problem about modprobe s5p_fimc failed is triggered with the +following log given: + + [ 272.075275] Error: Driver 'exynos4-fimc' is already registered, aborting... + modprobe: ERROR: could not insert 's5p_fimc': Device or resource busy + +The reason is that fimc_md_init() returns platform_driver_register() +directly without checking its return value, if platform_driver_register() +failed, it returns without unregister fimc_driver, resulting the +s5p_fimc can never be installed later. +A simple call graph is shown as below: + + fimc_md_init() + fimc_register_driver() # register fimc_driver + platform_driver_register() + platform_driver_register() + driver_register() + bus_add_driver() + dev = kzalloc(...) # OOM happened + # return without unregister fimc_driver + +Fix by unregister fimc_driver when platform_driver_register() returns +error. 
+ +Fixes: d3953223b090 ("[media] s5p-fimc: Add the media device driver") +Signed-off-by: Yuan Can +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/fimc-core.c | 2 +- + drivers/media/platform/exynos4-is/media-dev.c | 6 +++++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/exynos4-is/fimc-core.c b/drivers/media/platform/exynos4-is/fimc-core.c +index cde60fbb23a8..5b06c83f5c99 100644 +--- a/drivers/media/platform/exynos4-is/fimc-core.c ++++ b/drivers/media/platform/exynos4-is/fimc-core.c +@@ -1231,7 +1231,7 @@ int __init fimc_register_driver(void) + return platform_driver_register(&fimc_driver); + } + +-void __exit fimc_unregister_driver(void) ++void fimc_unregister_driver(void) + { + platform_driver_unregister(&fimc_driver); + } +diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c +index a07d796f63df..707feb35a950 100644 +--- a/drivers/media/platform/exynos4-is/media-dev.c ++++ b/drivers/media/platform/exynos4-is/media-dev.c +@@ -1581,7 +1581,11 @@ static int __init fimc_md_init(void) + if (ret) + return ret; + +- return platform_driver_register(&fimc_md_driver); ++ ret = platform_driver_register(&fimc_md_driver); ++ if (ret) ++ fimc_unregister_driver(); ++ ++ return ret; + } + + static void __exit fimc_md_exit(void) +-- +2.35.1 + diff --git a/queue-5.4/media-s5p-mfc-add-variant-data-for-mfc-v7-hardware-f.patch b/queue-5.4/media-s5p-mfc-add-variant-data-for-mfc-v7-hardware-f.patch new file mode 100644 index 00000000000..6c5e0bb06a8 --- /dev/null +++ b/queue-5.4/media-s5p-mfc-add-variant-data-for-mfc-v7-hardware-f.patch 
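Review bot: in drivers/media/platform/exynos4-is/fimc-core.c, dropping __exit from fimc_unregister_driver() is needed because media-dev.c now calls it from the __init function fimc_md_init(), but the commit message does not say so; add a sentence explaining the annotation change. If the prototype in the header carries an __exit annotation, it has to be removed in the same patch so declaration and definition agree.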
@@ -0,0 +1,66 @@ +From 5e9796c95876d46e0ecd1b6041aa479a27522ad2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 11:50:23 +0000 +Subject: media: s5p-mfc: Add variant data for MFC v7 hardware for Exynos 3250 + SoC + +From: Aakarsh Jain + +[ Upstream commit f50ebe10f5d8092c37e2bd430c78e03bf38b1e20 ] + +Commit 5441e9dafdfc6dc40 ("[media] s5p-mfc: Core support for MFC v7") +which adds mfc v7 support for Exynos3250 and use the same compatible +string as used by Exynos5240 but both the IPs are a bit different in +terms of IP clock. +Add variant driver data based on the new compatible string +"samsung,exynos3250-mfc" for Exynos3250 SoC. + +Suggested-by: Alim Akhtar +Fixes: 5441e9dafdfc ("[media] s5p-mfc: Core support for MFC v7") +Signed-off-by: Aakarsh Jain +Reviewed-by: Alim Akhtar +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-mfc/s5p_mfc.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c +index 9faecd049002..d3fd3375ce19 100644 +--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c +@@ -1580,8 +1580,18 @@ static struct s5p_mfc_variant mfc_drvdata_v7 = { + .port_num = MFC_NUM_PORTS_V7, + .buf_size = &buf_size_v7, + .fw_name[0] = "s5p-mfc-v7.fw", +- .clk_names = {"mfc", "sclk_mfc"}, +- .num_clocks = 2, ++ .clk_names = {"mfc"}, ++ .num_clocks = 1, ++}; ++ ++static struct s5p_mfc_variant mfc_drvdata_v7_3250 = { ++ .version = MFC_VERSION_V7, ++ .version_bit = MFC_V7_BIT, ++ .port_num = MFC_NUM_PORTS_V7, ++ .buf_size = &buf_size_v7, ++ .fw_name[0] = "s5p-mfc-v7.fw", ++ .clk_names = {"mfc", "sclk_mfc"}, ++ .num_clocks = 2, + }; + + static struct s5p_mfc_buf_size_v6 mfc_buf_size_v8 = { +@@ -1651,6 +1661,9 @@ static const struct of_device_id exynos_mfc_match[] = { + }, { + .compatible = "samsung,mfc-v7", + .data = 
&mfc_drvdata_v7, ++ }, { ++ .compatible = "samsung,exynos3250-mfc", ++ .data = &mfc_drvdata_v7_3250, + }, { + .compatible = "samsung,mfc-v8", + .data = &mfc_drvdata_v8, +-- +2.35.1 + diff --git a/queue-5.4/media-saa7164-fix-missing-pci_disable_device.patch b/queue-5.4/media-saa7164-fix-missing-pci_disable_device.patch new file mode 100644 index 00000000000..540159ad96c --- /dev/null +++ b/queue-5.4/media-saa7164-fix-missing-pci_disable_device.patch @@ -0,0 +1,45 @@ +From 36ed03916cde0abcbcb3df604fc1f2557c47bd7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Nov 2022 11:31:26 +0000 +Subject: media: saa7164: fix missing pci_disable_device() + +From: Liu Shixin + +[ Upstream commit 57fb35d7542384cac8f198cd1c927540ad38b61a ] + +Add missing pci_disable_device() in the error path in saa7164_initdev(). + +Fixes: 443c1228d505 ("V4L/DVB (12923): SAA7164: Add support for the NXP SAA7164 silicon") +Signed-off-by: Liu Shixin +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/saa7164/saa7164-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/saa7164/saa7164-core.c b/drivers/media/pci/saa7164/saa7164-core.c +index 9ae04e18e6c6..59b039b953bb 100644 +--- a/drivers/media/pci/saa7164/saa7164-core.c ++++ b/drivers/media/pci/saa7164/saa7164-core.c +@@ -1227,7 +1227,7 @@ static int saa7164_initdev(struct pci_dev *pci_dev, + + if (saa7164_dev_setup(dev) < 0) { + err = -EINVAL; +- goto fail_free; ++ goto fail_dev; + } + + /* print pci info */ +@@ -1395,6 +1395,8 @@ static int saa7164_initdev(struct pci_dev *pci_dev, + + fail_irq: + saa7164_dev_unregister(dev); ++fail_dev: ++ pci_disable_device(pci_dev); + fail_free: + v4l2_device_unregister(&dev->v4l2_dev); + kfree(dev); +-- +2.35.1 + 
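Review bot: in drivers/media/platform/s5p-mfc/s5p_mfc.c, the first hunk reduces the existing mfc_drvdata_v7 to the single clock "mfc", so a device tree that still binds with "samsung,mfc-v7" and relied on "sclk_mfc" loses that clock once this lands; the commit message should state that Exynos3250 device trees must switch to "samsung,exynos3250-mfc" together with this change. The new mfc_drvdata_v7_3250 repeats every field of mfc_drvdata_v7 except clk_names and num_clocks, so a one-line comment on why the variants differ would help the next reader.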
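Review bot: in drivers/media/pci/saa7164/saa7164-core.c, only the saa7164_dev_setup() failure is rerouted to the new fail_dev label; any other `goto fail_free` in saa7164_initdev() that runs after the device has been enabled would still skip pci_disable_device(), so confirm there is none or reroute it too. Placing fail_dev directly under fail_irq means the IRQ failure path now also falls through to pci_disable_device(), which the commit message could mention.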
diff --git a/queue-5.4/media-si470x-fix-use-after-free-in-si470x_int_in_cal.patch b/queue-5.4/media-si470x-fix-use-after-free-in-si470x_int_in_cal.patch new file mode 100644 index 00000000000..77e9047336e --- /dev/null +++ b/queue-5.4/media-si470x-fix-use-after-free-in-si470x_int_in_cal.patch 
@@ -0,0 +1,64 @@ +From 887dcd0049da53d3dca9aa5454e5e59459130913 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 03:51:59 +0900 +Subject: media: si470x: Fix use-after-free in si470x_int_in_callback() + +From: Shigeru Yoshida + +[ Upstream commit 7d21e0b1b41b21d628bf2afce777727bd4479aa5 ] + +syzbot reported use-after-free in si470x_int_in_callback() [1]. This +indicates that urb->context, which contains struct si470x_device +object, is freed when si470x_int_in_callback() is called. + +The cause of this issue is that si470x_int_in_callback() is called for +freed urb. + +si470x_usb_driver_probe() calls si470x_start_usb(), which then calls +usb_submit_urb() and si470x_start(). If si470x_start_usb() fails, +si470x_usb_driver_probe() doesn't kill urb, but it just frees struct +si470x_device object, as depicted below: + +si470x_usb_driver_probe() + ... + si470x_start_usb() + ... + usb_submit_urb() + retval = si470x_start() + return retval + if (retval < 0) + free struct si470x_device object, but don't kill urb + +This patch fixes this issue by killing urb when si470x_start_usb() +fails and urb is submitted. If si470x_start_usb() fails and urb is +not submitted, i.e. submitting usb fails, it just frees struct +si470x_device object. 
+ +Reported-by: syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=94ed6dddd5a55e90fd4bab942aa4bb297741d977 [1] +Signed-off-by: Shigeru Yoshida +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/radio/si470x/radio-si470x-usb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c +index 3f8634a46573..1365ae732b79 100644 +--- a/drivers/media/radio/si470x/radio-si470x-usb.c ++++ b/drivers/media/radio/si470x/radio-si470x-usb.c +@@ -733,8 +733,10 @@ static int si470x_usb_driver_probe(struct usb_interface *intf, + + /* start radio */ + retval = si470x_start_usb(radio); +- if (retval < 0) ++ if (retval < 0 && !radio->int_in_running) + goto err_buf; ++ else if (retval < 0) /* in case of radio->int_in_running == 1 */ ++ goto err_all; + + /* set initial frequency */ + si470x_set_freq(radio, 87.5 * FREQ_MUL); /* available in all regions */ +-- +2.35.1 + diff --git a/queue-5.4/media-solo6x10-fix-possible-memory-leak-in-solo_sysf.patch b/queue-5.4/media-solo6x10-fix-possible-memory-leak-in-solo_sysf.patch new file mode 100644 index 00000000000..320abbb78b4 --- /dev/null +++ b/queue-5.4/media-solo6x10-fix-possible-memory-leak-in-solo_sysf.patch 
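Review bot: in drivers/media/radio/si470x/radio-si470x-usb.c, the new error handling in si470x_usb_driver_probe() tests `retval < 0` twice, once combined with !radio->int_in_running and once in the else-if, which hides the actual decision; a single `if (retval < 0)` that then picks err_all or err_buf from radio->int_in_running reads more directly and makes the trailing comment unnecessary. The err_all label is outside the hunk, so the commit message should name the call there that kills the URB.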
@@ -0,0 +1,38 @@ +From eb4d7022ec6a940901254108302fb6ba6f2e3f8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 16:24:23 +0800 +Subject: media: solo6x10: fix possible memory leak in solo_sysfs_init() + +From: Yang Yingliang + +[ Upstream commit 7f5866dd96d95b74e439f6ee17b8abd8195179fb ] + +If device_register() returns error in solo_sysfs_init(), the +name allocated by dev_set_name() need be freed. As comment of +device_register() says, it should use put_device() to give up +the reference in the error path. So fix this by calling +put_device(), then the name can be freed in kobject_cleanup(). + +Fixes: dcae5dacbce5 ("[media] solo6x10: sync to latest code from Bluecherry's git repo") +Signed-off-by: Yang Yingliang +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/pci/solo6x10/solo6x10-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/pci/solo6x10/solo6x10-core.c b/drivers/media/pci/solo6x10/solo6x10-core.c +index 6e1ba4846ea4..c52ee141b8cc 100644 +--- a/drivers/media/pci/solo6x10/solo6x10-core.c ++++ b/drivers/media/pci/solo6x10/solo6x10-core.c +@@ -420,6 +420,7 @@ static int solo_sysfs_init(struct solo_dev *solo_dev) + solo_dev->nr_chans); + + if (device_register(dev)) { ++ put_device(dev); + dev->parent = NULL; + return -ENOMEM; + } +-- +2.35.1 + diff --git a/queue-5.4/media-videobuf-dma-contig-use-dma_mmap_coherent.patch b/queue-5.4/media-videobuf-dma-contig-use-dma_mmap_coherent.patch new file mode 100644 index 00000000000..be164898681 --- /dev/null +++ b/queue-5.4/media-videobuf-dma-contig-use-dma_mmap_coherent.patch 
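Review bot: in drivers/media/pci/solo6x10/solo6x10-core.c, the added put_device(dev) in solo_sysfs_init() is followed by the existing `dev->parent = NULL;`, so the device is written to after its reference has been dropped; clear the parent before the put, or drop the assignment if nothing reads it afterwards. The branch also returns -ENOMEM whatever device_register() reported; keeping its return value in a local and returning that would preserve the real error.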
@@ -0,0 +1,87 @@ +From eadfe0a64bf71d3ab487dba28acd59a2101753be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 11:39:07 +0100 +Subject: media: videobuf-dma-contig: use dma_mmap_coherent + +From: Christoph Hellwig + +[ Upstream commit b3dc3f8e49577840dc8ac8a365c5b3da4edb10b8 ] + +dma_alloc_coherent does not return a physical address, but a DMA address, +which might be remapped or have an offset. Passing the DMA address to +vm_iomap_memory is thus broken. + +Use the proper dma_mmap_coherent helper instead, and stop passing +__GFP_COMP to dma_alloc_coherent, as the memory management inside the +DMA allocator is hidden from the callers and does not require it. + +With this the gfp_t argument to __videobuf_dc_alloc can be removed and +hard coded to GFP_KERNEL. + +Fixes: a8f3c203e19b ("[media] videobuf-dma-contig: add cache support") +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/media/v4l2-core/videobuf-dma-contig.c | 22 +++++++------------ + 1 file changed, 8 insertions(+), 14 deletions(-) + +diff --git a/drivers/media/v4l2-core/videobuf-dma-contig.c b/drivers/media/v4l2-core/videobuf-dma-contig.c +index aeb2f497c683..6a6cd046cefb 100644 +--- a/drivers/media/v4l2-core/videobuf-dma-contig.c ++++ b/drivers/media/v4l2-core/videobuf-dma-contig.c +@@ -36,12 +36,11 @@ struct videobuf_dma_contig_memory { + + static int __videobuf_dc_alloc(struct device *dev, + struct videobuf_dma_contig_memory *mem, +- unsigned long size, gfp_t flags) ++ unsigned long size) + { + mem->size = size; +- mem->vaddr = dma_alloc_coherent(dev, mem->size, +- &mem->dma_handle, flags); +- ++ mem->vaddr = dma_alloc_coherent(dev, mem->size, &mem->dma_handle, ++ GFP_KERNEL); + if (!mem->vaddr) { + dev_err(dev, "memory alloc size %ld failed\n", mem->size); + return -ENOMEM; +@@ -258,8 +257,7 @@ static int __videobuf_iolock(struct videobuf_queue *q, + return videobuf_dma_contig_user_get(mem, vb); + + /* allocate memory for the read() method */ +- if 
(__videobuf_dc_alloc(q->dev, mem, PAGE_ALIGN(vb->size), +- GFP_KERNEL)) ++ if (__videobuf_dc_alloc(q->dev, mem, PAGE_ALIGN(vb->size))) + return -ENOMEM; + break; + case V4L2_MEMORY_OVERLAY: +@@ -295,22 +293,18 @@ static int __videobuf_mmap_mapper(struct videobuf_queue *q, + BUG_ON(!mem); + MAGIC_CHECK(mem->magic, MAGIC_DC_MEM); + +- if (__videobuf_dc_alloc(q->dev, mem, PAGE_ALIGN(buf->bsize), +- GFP_KERNEL | __GFP_COMP)) ++ if (__videobuf_dc_alloc(q->dev, mem, PAGE_ALIGN(buf->bsize))) + goto error; + +- /* Try to remap memory */ +- vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); +- + /* the "vm_pgoff" is just used in v4l2 to find the + * corresponding buffer data structure which is allocated + * earlier and it does not mean the offset from the physical + * buffer start address as usual. So set it to 0 to pass +- * the sanity check in vm_iomap_memory(). ++ * the sanity check in dma_mmap_coherent(). + */ + vma->vm_pgoff = 0; +- +- retval = vm_iomap_memory(vma, mem->dma_handle, mem->size); ++ retval = dma_mmap_coherent(q->dev, vma, mem->vaddr, mem->dma_handle, ++ mem->size); + if (retval) { + dev_err(q->dev, "mmap: remap failed with error %d. ", + retval); +-- +2.35.1 + diff --git a/queue-5.4/media-vivid-fix-compose-size-exceed-boundary.patch b/queue-5.4/media-vivid-fix-compose-size-exceed-boundary.patch new file mode 100644 index 00000000000..2934efa4d2d --- /dev/null +++ b/queue-5.4/media-vivid-fix-compose-size-exceed-boundary.patch 
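Review bot: in drivers/media/v4l2-core/videobuf-dma-contig.c, the __videobuf_mmap_mapper() hunk also deletes `vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);` along with its "Try to remap memory" comment, and the commit message covers dma_mmap_coherent(), __GFP_COMP and the gfp_t argument but not this removal. Add a sentence there saying why the explicit page protection is no longer set by the caller.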
@@ -0,0 +1,57 @@ +From 1a51bc358b72583db256743d32b64b13533baeb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 20:38:55 +0800 +Subject: media: vivid: fix compose size exceed boundary + +From: Liu Shixin + +[ Upstream commit 94a7ad9283464b75b12516c5512541d467cefcf8 ] + +syzkaller found a bug: + + BUG: unable to handle page fault for address: ffffc9000a3b1000 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 100000067 P4D 100000067 PUD 10015f067 PMD 1121ca067 PTE 0 + Oops: 0002 [#1] PREEMPT SMP + CPU: 0 PID: 23489 Comm: vivid-000-vid-c Not tainted 6.1.0-rc1+ #512 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 + RIP: 0010:memcpy_erms+0x6/0x10 +[...] + Call Trace: + + ? tpg_fill_plane_buffer+0x856/0x15b0 + vivid_fillbuff+0x8ac/0x1110 + vivid_thread_vid_cap_tick+0x361/0xc90 + vivid_thread_vid_cap+0x21a/0x3a0 + kthread+0x143/0x180 + ret_from_fork+0x1f/0x30 + + +This is because we forget to check boundary after adjust compose->height +int V4L2_SEL_TGT_CROP case. Add v4l2_rect_map_inside() to fix this problem +for this case. 
+ +Fixes: ef834f7836ec ("[media] vivid: add the video capture and output parts") +Signed-off-by: Liu Shixin +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/vivid/vivid-vid-cap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/vivid/vivid-vid-cap.c b/drivers/media/platform/vivid/vivid-vid-cap.c +index 208807d3733f..842ebfe9b117 100644 +--- a/drivers/media/platform/vivid/vivid-vid-cap.c ++++ b/drivers/media/platform/vivid/vivid-vid-cap.c +@@ -935,6 +935,7 @@ int vivid_vid_cap_s_selection(struct file *file, void *fh, struct v4l2_selection + if (dev->has_compose_cap) { + v4l2_rect_set_min_size(compose, &min_rect); + v4l2_rect_set_max_size(compose, &max_rect); ++ v4l2_rect_map_inside(compose, &fmt); + } + dev->fmt_cap_rect = fmt; + tpg_s_buf_height(&dev->tpg, fmt.height); +-- +2.35.1 + diff --git a/queue-5.4/mips-bcm63xx-add-check-for-null-for-clk-in-clk_enabl.patch b/queue-5.4/mips-bcm63xx-add-check-for-null-for-clk-in-clk_enabl.patch new file mode 100644 index 00000000000..9ae03be9feb --- /dev/null +++ b/queue-5.4/mips-bcm63xx-add-check-for-null-for-clk-in-clk_enabl.patch 
@@ -0,0 +1,44 @@ +From ef1b210448488fd23ca0618cfb3679c97b058e28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Dec 2022 13:05:50 +0300 +Subject: MIPS: BCM63xx: Add check for NULL for clk in clk_enable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Anastasia Belova + +[ Upstream commit ee9ef11bd2a59c2fefaa0959e5efcdf040d7c654 ] + +Check clk for NULL before calling clk_enable_unlocked where clk +is dereferenced. There is such check in other implementations +of clk_enable. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: e7300d04bd08 ("MIPS: BCM63xx: Add support for the Broadcom BCM63xx family of SOCs.") +Signed-off-by: Anastasia Belova +Reviewed-by: Philippe Mathieu-Daudé +Acked-by: Florian Fainelli +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/bcm63xx/clk.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/mips/bcm63xx/clk.c b/arch/mips/bcm63xx/clk.c +index dcfa0ea912fe..f183c45503ce 100644 +--- a/arch/mips/bcm63xx/clk.c ++++ b/arch/mips/bcm63xx/clk.c +@@ -361,6 +361,8 @@ static struct clk clk_periph = { + */ + int clk_enable(struct clk *clk) + { ++ if (!clk) ++ return 0; + mutex_lock(&clocks_mutex); + clk_enable_unlocked(clk); + mutex_unlock(&clocks_mutex); +-- +2.35.1 + diff --git a/queue-5.4/mips-octeon-warn-only-once-if-deprecated-link-status.patch b/queue-5.4/mips-octeon-warn-only-once-if-deprecated-link-status.patch new file mode 100644 index 00000000000..c7c069d30ba --- /dev/null +++ b/queue-5.4/mips-octeon-warn-only-once-if-deprecated-link-status.patch 
@@ -0,0 +1,53 @@ +From 4fbef0b11a08d32abee917b9384c105a08b23e48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 12:25:57 +0100 +Subject: MIPS: OCTEON: warn only once if deprecated link status is being used +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ladislav Michl + +[ Upstream commit 4c587a982603d7e7e751b4925809a1512099a690 ] + +Avoid flooding kernel log with warnings. + +Fixes: 2c0756d306c2 ("MIPS: OCTEON: warn if deprecated link status is being used") +Signed-off-by: Ladislav Michl +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/cavium-octeon/executive/cvmx-helper-board.c | 2 +- + arch/mips/cavium-octeon/executive/cvmx-helper.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/cavium-octeon/executive/cvmx-helper-board.c b/arch/mips/cavium-octeon/executive/cvmx-helper-board.c +index 2e2d45bc850d..601afad60bfe 100644 +--- a/arch/mips/cavium-octeon/executive/cvmx-helper-board.c ++++ b/arch/mips/cavium-octeon/executive/cvmx-helper-board.c +@@ -211,7 +211,7 @@ cvmx_helper_link_info_t __cvmx_helper_board_link_get(int ipd_port) + { + cvmx_helper_link_info_t result; + +- WARN(!octeon_is_simulation(), ++ WARN_ONCE(!octeon_is_simulation(), + "Using deprecated link status - please update your DT"); + + /* Unless we fix it later, all links are defaulted to down */ +diff --git a/arch/mips/cavium-octeon/executive/cvmx-helper.c b/arch/mips/cavium-octeon/executive/cvmx-helper.c +index de391541d6f7..89a397c73aa6 100644 +--- a/arch/mips/cavium-octeon/executive/cvmx-helper.c ++++ b/arch/mips/cavium-octeon/executive/cvmx-helper.c +@@ -1100,7 +1100,7 @@ cvmx_helper_link_info_t cvmx_helper_link_get(int ipd_port) + if (index == 0) + result = __cvmx_helper_rgmii_link_get(ipd_port); + else { +- WARN(1, "Using deprecated link status - please update your DT"); ++ WARN_ONCE(1, "Using deprecated link status - 
please update your DT"); + result.s.full_duplex = 1; + result.s.link_up = 1; + result.s.speed = 1000; +-- +2.35.1 + diff --git a/queue-5.4/mips-vpe-cmp-fix-possible-memory-leak-while-module-e.patch b/queue-5.4/mips-vpe-cmp-fix-possible-memory-leak-while-module-e.patch new file mode 100644 index 00000000000..18a581e0fd6 --- /dev/null +++ b/queue-5.4/mips-vpe-cmp-fix-possible-memory-leak-while-module-e.patch 
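Review bot: With WARN_ONCE() the deprecated-link-status message in __cvmx_helper_board_link_get() and cvmx_helper_link_get() is emitted a single time per call site, and the format string does not say which port triggered it, so any further ports still relying on the deprecated path go unreported. Suggest adding ipd_port to the message (both functions have it as their argument) and ending both format strings with "\n", which neither has today.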
@@ -0,0 +1,55 @@ +From 140fd13063afea9ed656a8d0d960f84c5c9ec23d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 11:39:45 +0800 +Subject: MIPS: vpe-cmp: fix possible memory leak while module exiting + +From: Yang Yingliang + +[ Upstream commit c5ed1fe0801f0c66b0fbce2785239a5664629057 ] + +dev_set_name() allocates memory for name, it need be freed +when module exiting, call put_device() to give up reference, +so that it can be freed in kobject_cleanup() when the refcount +hit to 0. The vpe_device is static, so remove kfree() from +vpe_device_release(). + +Fixes: 17a1d523aa58 ("MIPS: APRP: Add VPE loader support for CMP platforms.") +Signed-off-by: Yang Yingliang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/vpe-cmp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/kernel/vpe-cmp.c b/arch/mips/kernel/vpe-cmp.c +index 9268ebc0f61e..903c07bdc92d 100644 +--- a/arch/mips/kernel/vpe-cmp.c ++++ b/arch/mips/kernel/vpe-cmp.c +@@ -75,7 +75,6 @@ ATTRIBUTE_GROUPS(vpe); + + static void vpe_device_release(struct device *cd) + { +- kfree(cd); + } + + static struct class vpe_class = { +@@ -157,6 +156,7 @@ int __init vpe_module_init(void) + device_del(&vpe_device); + + out_class: ++ put_device(&vpe_device); + class_unregister(&vpe_class); + + out_chrdev: +@@ -169,7 +169,7 @@ void __exit vpe_module_exit(void) + { + struct vpe *v, *n; + +- device_del(&vpe_device); ++ device_unregister(&vpe_device); + class_unregister(&vpe_class); + unregister_chrdev(major, VPE_MODULE_NAME); + +-- +2.35.1 + diff --git a/queue-5.4/mips-vpe-mt-fix-possible-memory-leak-while-module-ex.patch b/queue-5.4/mips-vpe-mt-fix-possible-memory-leak-while-module-ex.patch new file mode 100644 index 00000000000..cecc5a8ddb4 --- /dev/null +++ b/queue-5.4/mips-vpe-mt-fix-possible-memory-leak-while-module-ex.patch 
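Review bot: In vpe_module_init() of vpe-cmp.c, put_device(&vpe_device) is added directly under the out_class label, which the device_del() path falls through to but which can also be a goto target for earlier failures. Please confirm that every jump to out_class happens after device_initialize() has run on vpe_device; otherwise put_device() drops a reference on a kobject that was never initialised. vpe_device_release() is also left with an empty body after the kfree(cd) removal, so a one-line comment there saying the device is static and has nothing to free would keep it from reading as a forgotten release. Both points apply equally to the identical vpe-mt.c change that follows.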
@@ -0,0 +1,56 @@ +From a0b2bcfffbd994cb69e730cb97a2478e7bfc6ffc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 11:39:44 +0800 +Subject: MIPS: vpe-mt: fix possible memory leak while module exiting + +From: Yang Yingliang + +[ Upstream commit 5822e8cc84ee37338ab0bdc3124f6eec04dc232d ] + +Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's +bus_id string array"), the name of device is allocated dynamically, +it need be freed when module exiting, call put_device() to give up +reference, so that it can be freed in kobject_cleanup() when the +refcount hit to 0. The vpe_device is static, so remove kfree() from +vpe_device_release(). + +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Yang Yingliang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/vpe-mt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/kernel/vpe-mt.c b/arch/mips/kernel/vpe-mt.c +index 2e003b11a098..9fd7cd48ea1d 100644 +--- a/arch/mips/kernel/vpe-mt.c ++++ b/arch/mips/kernel/vpe-mt.c +@@ -313,7 +313,6 @@ ATTRIBUTE_GROUPS(vpe); + + static void vpe_device_release(struct device *cd) + { +- kfree(cd); + } + + static struct class vpe_class = { +@@ -497,6 +496,7 @@ int __init vpe_module_init(void) + device_del(&vpe_device); + + out_class: ++ put_device(&vpe_device); + class_unregister(&vpe_class); + + out_chrdev: +@@ -509,7 +509,7 @@ void __exit vpe_module_exit(void) + { + struct vpe *v, *n; + +- device_del(&vpe_device); ++ device_unregister(&vpe_device); + class_unregister(&vpe_class); + unregister_chrdev(major, VPE_MODULE_NAME); + +-- +2.35.1 + diff --git a/queue-5.4/misc-ocxl-fix-possible-name-leak-in-ocxl_file_regist.patch b/queue-5.4/misc-ocxl-fix-possible-name-leak-in-ocxl_file_regist.patch new file mode 100644 index 00000000000..fe0948512e2 --- /dev/null +++ b/queue-5.4/misc-ocxl-fix-possible-name-leak-in-ocxl_file_regist.patch 
@@ -0,0 +1,48 @@ +From b0f32025d6585c809f5c0855ffa76a82e02136f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 22:59:29 +0800 +Subject: misc: ocxl: fix possible name leak in ocxl_file_register_afu() + +From: Yang Yingliang + +[ Upstream commit a4cb1004aeed2ab893a058fad00a5b41a12c4691 ] + +If device_register() returns error in ocxl_file_register_afu(), +the name allocated by dev_set_name() need be freed. As comment +of device_register() says, it should use put_device() to give +up the reference in the error path. So fix this by calling +put_device(), then the name can be freed in kobject_cleanup(), +and info is freed in info_release(). + +Fixes: 75ca758adbaf ("ocxl: Create a clear delineation between ocxl backend & frontend") +Signed-off-by: Yang Yingliang +Acked-by: Andrew Donnellan +Acked-by: Frederic Barrat +Link: https://lore.kernel.org/r/20221111145929.2429271-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/ocxl/file.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/misc/ocxl/file.c b/drivers/misc/ocxl/file.c +index e094809b54ff..524ded87964d 100644 +--- a/drivers/misc/ocxl/file.c ++++ b/drivers/misc/ocxl/file.c +@@ -543,8 +543,11 @@ int ocxl_file_register_afu(struct ocxl_afu *afu) + goto err_put; + + rc = device_register(&info->dev); +- if (rc) +- goto err_put; ++ if (rc) { ++ free_minor(info); ++ put_device(&info->dev); ++ return rc; ++ } + + rc = ocxl_sysfs_register_afu(info); + if (rc) +-- +2.35.1 + diff --git a/queue-5.4/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch b/queue-5.4/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch new file mode 100644 index 00000000000..dc5cef69c5b --- /dev/null +++ b/queue-5.4/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch 
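Review bot: The device_register() failure path in ocxl_file_register_afu() now returns directly after free_minor(info) and put_device(&info->dev), while the check immediately above it still uses goto err_put, and nothing in the code says why the two differ. The reason is only in the changelog (put_device() ends up freeing info through info_release()), so a short comment on the new block would keep a later cleanup from folding it back into err_put. It is also worth checking that the error path of the following ocxl_sysfs_register_afu() call follows the same rule, since the device is registered by that point.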
@@ -0,0 +1,140 @@ +From 8a5e29698fd0c04f4a3c490ee8086ba0f295e652 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 11:50:33 +0800 +Subject: misc: sgi-gru: fix use-after-free error in gru_set_context_option, + gru_fault and gru_handle_user_call_os + +From: Zheng Wang + +[ Upstream commit 643a16a0eb1d6ac23744bb6e90a00fc21148a9dc ] + +In some bad situation, the gts may be freed gru_check_chiplet_assignment. +The call chain can be gru_unload_context->gru_free_gru_context->gts_drop +and kfree finally. However, the caller didn't know if the gts is freed +or not and use it afterwards. This will trigger a Use after Free bug. + +Fix it by introducing a return value to see if it's in error path or not. +Free the gts in caller if gru_check_chiplet_assignment check failed. + +Fixes: 55484c45dbec ("gru: allow users to specify gru chiplet 2") +Signed-off-by: Zheng Wang +Acked-by: Dimitri Sivanich +Link: https://lore.kernel.org/r/20221110035033.19498-1-zyytlz.wz@163.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/sgi-gru/grufault.c | 13 +++++++++++-- + drivers/misc/sgi-gru/grumain.c | 22 ++++++++++++++++++---- + drivers/misc/sgi-gru/grutables.h | 2 +- + 3 files changed, 30 insertions(+), 7 deletions(-) + +diff --git a/drivers/misc/sgi-gru/grufault.c b/drivers/misc/sgi-gru/grufault.c +index 4b713a80b572..7f26a78bb403 100644 +--- a/drivers/misc/sgi-gru/grufault.c ++++ b/drivers/misc/sgi-gru/grufault.c +@@ -648,6 +648,7 @@ int gru_handle_user_call_os(unsigned long cb) + if ((cb & (GRU_HANDLE_STRIDE - 1)) || ucbnum >= GRU_NUM_CB) + return -EINVAL; + ++again: + gts = gru_find_lock_gts(cb); + if (!gts) + return -EINVAL; +@@ -656,7 +657,11 @@ int gru_handle_user_call_os(unsigned long cb) + if (ucbnum >= gts->ts_cbr_au_count * GRU_CBR_AU_SIZE) + goto exit; + +- gru_check_context_placement(gts); ++ if (gru_check_context_placement(gts)) { ++ gru_unlock_gts(gts); ++ gru_unload_context(gts, 1); ++ goto again; ++ } + + /* + * CCH may 
contain stale data if ts_force_cch_reload is set. +@@ -874,7 +879,11 @@ int gru_set_context_option(unsigned long arg) + } else { + gts->ts_user_blade_id = req.val1; + gts->ts_user_chiplet_id = req.val0; +- gru_check_context_placement(gts); ++ if (gru_check_context_placement(gts)) { ++ gru_unlock_gts(gts); ++ gru_unload_context(gts, 1); ++ return ret; ++ } + } + break; + case sco_gseg_owner: +diff --git a/drivers/misc/sgi-gru/grumain.c b/drivers/misc/sgi-gru/grumain.c +index 40ac59dd018c..e2325e3d077e 100644 +--- a/drivers/misc/sgi-gru/grumain.c ++++ b/drivers/misc/sgi-gru/grumain.c +@@ -716,9 +716,10 @@ static int gru_check_chiplet_assignment(struct gru_state *gru, + * chiplet. Misassignment can occur if the process migrates to a different + * blade or if the user changes the selected blade/chiplet. + */ +-void gru_check_context_placement(struct gru_thread_state *gts) ++int gru_check_context_placement(struct gru_thread_state *gts) + { + struct gru_state *gru; ++ int ret = 0; + + /* + * If the current task is the context owner, verify that the +@@ -726,15 +727,23 @@ void gru_check_context_placement(struct gru_thread_state *gts) + * references. Pthread apps use non-owner references to the CBRs. + */ + gru = gts->ts_gru; ++ /* ++ * If gru or gts->ts_tgid_owner isn't initialized properly, return ++ * success to indicate that the caller does not need to unload the ++ * gru context.The caller is responsible for their inspection and ++ * reinitialization if needed. 
++ */ + if (!gru || gts->ts_tgid_owner != current->tgid) +- return; ++ return ret; + + if (!gru_check_chiplet_assignment(gru, gts)) { + STAT(check_context_unload); +- gru_unload_context(gts, 1); ++ ret = -EINVAL; + } else if (gru_retarget_intr(gts)) { + STAT(check_context_retarget_intr); + } ++ ++ return ret; + } + + +@@ -934,7 +943,12 @@ vm_fault_t gru_fault(struct vm_fault *vmf) + mutex_lock(>s->ts_ctxlock); + preempt_disable(); + +- gru_check_context_placement(gts); ++ if (gru_check_context_placement(gts)) { ++ preempt_enable(); ++ mutex_unlock(>s->ts_ctxlock); ++ gru_unload_context(gts, 1); ++ return VM_FAULT_NOPAGE; ++ } + + if (!gts->ts_gru) { + STAT(load_user_context); +diff --git a/drivers/misc/sgi-gru/grutables.h b/drivers/misc/sgi-gru/grutables.h +index a7e44b2eb413..6cebec4dd316 100644 +--- a/drivers/misc/sgi-gru/grutables.h ++++ b/drivers/misc/sgi-gru/grutables.h +@@ -637,7 +637,7 @@ extern int gru_user_flush_tlb(unsigned long arg); + extern int gru_user_unload_context(unsigned long arg); + extern int gru_get_exception_detail(unsigned long arg); + extern int gru_set_context_option(unsigned long address); +-extern void gru_check_context_placement(struct gru_thread_state *gts); ++extern int gru_check_context_placement(struct gru_thread_state *gts); + extern int gru_cpu_fault_map_id(void); + extern struct vm_area_struct *gru_find_vma(unsigned long vaddr); + extern void gru_flush_all_tlb(struct gru_state *gru); +-- +2.35.1 + diff --git a/queue-5.4/misc-tifm-fix-possible-memory-leak-in-tifm_7xx1_swit.patch b/queue-5.4/misc-tifm-fix-possible-memory-leak-in-tifm_7xx1_swit.patch new file mode 100644 index 00000000000..7322e006a4d --- /dev/null +++ b/queue-5.4/misc-tifm-fix-possible-memory-leak-in-tifm_7xx1_swit.patch 
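Review bot: The new failure branch in gru_handle_user_call_os() (grufault.c) ends in "goto again" with no limit on retries and no comment on what guarantees that the second pass through gru_check_context_placement() succeeds. Please either bound the loop or document why it terminates. The same branch calls gru_unload_context(gts, 1) after gru_unlock_gts(gts); since the changelog names gru_unload_context -> gru_free_gru_context -> gts_drop as the chain that can free gts, a comment stating what keeps gts valid between the unlock and the unload would make the fix reviewable on its own.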
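Review bot: In gru_set_context_option() (grufault.c) the new branch does "return ret;" right after unloading the context, without assigning ret in that branch. If ret still holds its initial value at that point, the caller is told the option was applied even though the context was just unloaded; please set an explicit return code or add a comment saying success is intended. In the comment added to gru_check_context_placement() in grumain.c, "gru context.The caller" is missing a space after the full stop.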
@@ -0,0 +1,42 @@ +From abe17a8e76188b5e52466b1b0c6dcdc31ce7347c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 14:47:25 +0800 +Subject: misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() + +From: ruanjinjie + +[ Upstream commit fd2c930cf6a5b9176382c15f9acb1996e76e25ad ] + +If device_register() returns error in tifm_7xx1_switch_media(), +name of kobject which is allocated in dev_set_name() called in device_add() +is leaked. + +Never directly free @dev after calling device_register(), even +if it returned an error! Always use put_device() to give up the +reference initialized. + +Fixes: 2428a8fe2261 ("tifm: move common device management tasks from tifm_7xx1 to tifm_core") +Signed-off-by: ruanjinjie +Link: https://lore.kernel.org/r/20221117064725.3478402-1-ruanjinjie@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/tifm_7xx1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/misc/tifm_7xx1.c b/drivers/misc/tifm_7xx1.c +index e6b40aa8fb42..8f0ffb46bf15 100644 +--- a/drivers/misc/tifm_7xx1.c ++++ b/drivers/misc/tifm_7xx1.c +@@ -190,7 +190,7 @@ static void tifm_7xx1_switch_media(struct work_struct *work) + spin_unlock_irqrestore(&fm->lock, flags); + } + if (sock) +- tifm_free_device(&sock->dev); ++ put_device(&sock->dev); + } + spin_lock_irqsave(&fm->lock, flags); + } +-- +2.35.1 + diff --git a/queue-5.4/misdn-hfcmulti-don-t-call-dev_kfree_skb-kfree_skb-un.patch b/queue-5.4/misdn-hfcmulti-don-t-call-dev_kfree_skb-kfree_skb-un.patch new file mode 100644 index 00000000000..fce15a11826 --- /dev/null +++ b/queue-5.4/misdn-hfcmulti-don-t-call-dev_kfree_skb-kfree_skb-un.patch 
@@ -0,0 +1,112 @@ +From 89309bb19d5535f95e386c92e677666dc6cf7fc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Dec 2022 16:41:39 +0800 +Subject: mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 1232946cf522b8de9e398828bde325d7c41f29dd ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +skb_queue_purge() is called under spin_lock_irqsave() in handle_dmsg() +and hfcm_l1callback(), kfree_skb() is called in them, to fix this, use +skb_queue_splice_init() to move the dch->squeue to a free queue, also +enqueue the tx_skb and rx_skb, at last calling __skb_queue_purge() to +free the SKBs afer unlock. + +Fixes: af69fb3a8ffa ("Add mISDN HFC multiport driver") +Signed-off-by: Yang Yingliang +Reviewed-by: Alexander Duyck +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/hardware/mISDN/hfcmulti.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/isdn/hardware/mISDN/hfcmulti.c b/drivers/isdn/hardware/mISDN/hfcmulti.c +index 86669ec8b977..2c7406465233 100644 +--- a/drivers/isdn/hardware/mISDN/hfcmulti.c ++++ b/drivers/isdn/hardware/mISDN/hfcmulti.c +@@ -3219,6 +3219,7 @@ static int + hfcm_l1callback(struct dchannel *dch, u_int cmd) + { + struct hfc_multi *hc = dch->hw; ++ struct sk_buff_head free_queue; + u_long flags; + + switch (cmd) { +@@ -3247,6 +3248,7 @@ hfcm_l1callback(struct dchannel *dch, u_int cmd) + l1_event(dch->l1, HW_POWERUP_IND); + break; + case HW_DEACT_REQ: ++ __skb_queue_head_init(&free_queue); + /* start deactivation */ + spin_lock_irqsave(&hc->lock, flags); + if (hc->ctype == HFC_TYPE_E1) { +@@ -3266,20 +3268,21 @@ hfcm_l1callback(struct dchannel *dch, u_int cmd) + plxsd_checksync(hc, 0); + } + } +- skb_queue_purge(&dch->squeue); ++ skb_queue_splice_init(&dch->squeue, &free_queue); + if (dch->tx_skb) { +- 
dev_kfree_skb(dch->tx_skb); ++ __skb_queue_tail(&free_queue, dch->tx_skb); + dch->tx_skb = NULL; + } + dch->tx_idx = 0; + if (dch->rx_skb) { +- dev_kfree_skb(dch->rx_skb); ++ __skb_queue_tail(&free_queue, dch->rx_skb); + dch->rx_skb = NULL; + } + test_and_clear_bit(FLG_TX_BUSY, &dch->Flags); + if (test_and_clear_bit(FLG_BUSY_TIMER, &dch->Flags)) + del_timer(&dch->timer); + spin_unlock_irqrestore(&hc->lock, flags); ++ __skb_queue_purge(&free_queue); + break; + case HW_POWERUP_REQ: + spin_lock_irqsave(&hc->lock, flags); +@@ -3386,6 +3389,9 @@ handle_dmsg(struct mISDNchannel *ch, struct sk_buff *skb) + case PH_DEACTIVATE_REQ: + test_and_clear_bit(FLG_L2_ACTIVATED, &dch->Flags); + if (dch->dev.D.protocol != ISDN_P_TE_S0) { ++ struct sk_buff_head free_queue; ++ ++ __skb_queue_head_init(&free_queue); + spin_lock_irqsave(&hc->lock, flags); + if (debug & DEBUG_HFCMULTI_MSG) + printk(KERN_DEBUG +@@ -3407,14 +3413,14 @@ handle_dmsg(struct mISDNchannel *ch, struct sk_buff *skb) + /* deactivate */ + dch->state = 1; + } +- skb_queue_purge(&dch->squeue); ++ skb_queue_splice_init(&dch->squeue, &free_queue); + if (dch->tx_skb) { +- dev_kfree_skb(dch->tx_skb); ++ __skb_queue_tail(&free_queue, dch->tx_skb); + dch->tx_skb = NULL; + } + dch->tx_idx = 0; + if (dch->rx_skb) { +- dev_kfree_skb(dch->rx_skb); ++ __skb_queue_tail(&free_queue, dch->rx_skb); + dch->rx_skb = NULL; + } + test_and_clear_bit(FLG_TX_BUSY, &dch->Flags); +@@ -3426,6 +3432,7 @@ handle_dmsg(struct mISDNchannel *ch, struct sk_buff *skb) + #endif + ret = 0; + spin_unlock_irqrestore(&hc->lock, flags); ++ __skb_queue_purge(&free_queue); + } else + ret = l1_event(dch->l1, hh->prim); + break; +-- +2.35.1 + diff --git a/queue-5.4/misdn-hfcpci-don-t-call-dev_kfree_skb-kfree_skb-unde.patch b/queue-5.4/misdn-hfcpci-don-t-call-dev_kfree_skb-kfree_skb-unde.patch new file mode 100644 index 00000000000..477beed3313 --- /dev/null +++ b/queue-5.4/misdn-hfcpci-don-t-call-dev_kfree_skb-kfree_skb-unde.patch 
@@ -0,0 +1,71 @@ +From ae4a39b4d50c425bb44da810cc5f22ac7cd2c0cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Dec 2022 16:41:38 +0800 +Subject: mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit f0f596bd75a9d573ca9b587abb39cee0b916bb82 ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +skb_queue_purge() is called under spin_lock_irqsave() in hfcpci_l2l1D(), +kfree_skb() is called in it, to fix this, use skb_queue_splice_init() +to move the dch->squeue to a free queue, also enqueue the tx_skb and +rx_skb, at last calling __skb_queue_purge() to free the SKBs afer unlock. + +Fixes: 1700fe1a10dc ("Add mISDN HFC PCI driver") +Signed-off-by: Yang Yingliang +Reviewed-by: Alexander Duyck +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/hardware/mISDN/hfcpci.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c +index a2b2ce1dfec8..41ff2e3dc843 100644 +--- a/drivers/isdn/hardware/mISDN/hfcpci.c ++++ b/drivers/isdn/hardware/mISDN/hfcpci.c +@@ -1617,16 +1617,19 @@ hfcpci_l2l1D(struct mISDNchannel *ch, struct sk_buff *skb) + test_and_clear_bit(FLG_L2_ACTIVATED, &dch->Flags); + spin_lock_irqsave(&hc->lock, flags); + if (hc->hw.protocol == ISDN_P_NT_S0) { ++ struct sk_buff_head free_queue; ++ ++ __skb_queue_head_init(&free_queue); + /* prepare deactivation */ + Write_hfc(hc, HFCPCI_STATES, 0x40); +- skb_queue_purge(&dch->squeue); ++ skb_queue_splice_init(&dch->squeue, &free_queue); + if (dch->tx_skb) { +- dev_kfree_skb(dch->tx_skb); ++ __skb_queue_tail(&free_queue, dch->tx_skb); + dch->tx_skb = NULL; + } + dch->tx_idx = 0; + if (dch->rx_skb) { +- dev_kfree_skb(dch->rx_skb); ++ __skb_queue_tail(&free_queue, dch->rx_skb); + dch->rx_skb = NULL; + } + 
test_and_clear_bit(FLG_TX_BUSY, &dch->Flags); +@@ -1639,10 +1642,12 @@ hfcpci_l2l1D(struct mISDNchannel *ch, struct sk_buff *skb) + hc->hw.mst_m &= ~HFCPCI_MASTER; + Write_hfc(hc, HFCPCI_MST_MODE, hc->hw.mst_m); + ret = 0; ++ spin_unlock_irqrestore(&hc->lock, flags); ++ __skb_queue_purge(&free_queue); + } else { + ret = l1_event(dch->l1, hh->prim); ++ spin_unlock_irqrestore(&hc->lock, flags); + } +- spin_unlock_irqrestore(&hc->lock, flags); + break; + } + if (!ret) +-- +2.35.1 + diff --git a/queue-5.4/misdn-hfcsusb-don-t-call-dev_kfree_skb-kfree_skb-und.patch b/queue-5.4/misdn-hfcsusb-don-t-call-dev_kfree_skb-kfree_skb-und.patch new file mode 100644 index 00000000000..2d1c9992a00 --- /dev/null +++ b/queue-5.4/misdn-hfcsusb-don-t-call-dev_kfree_skb-kfree_skb-und.patch 
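Review bot: The spin_unlock_irqrestore() in hfcpci_l2l1D() is now duplicated in both branches of the ISDN_P_NT_S0 test, which is easy to get wrong when another branch or an early exit is added later. Declaring free_queue at function scope and calling __skb_queue_head_init() before taking the lock, as the hfcm_l1callback() change in hfcmulti.c does, would let the single unlock after the if/else stay and be followed by an unconditional __skb_queue_purge(&free_queue), which is a no-op on an empty queue.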
@@ -0,0 +1,79 @@ +From 3e8a24c23e4d0ec5f079f9f0838bbf453121ba04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Dec 2022 16:41:37 +0800 +Subject: mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit ddc9648db162eee556edd5222d2808fe33730203 ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +skb_queue_purge() is called under spin_lock_irqsave() in hfcusb_l2l1D(), +kfree_skb() is called in it, to fix this, use skb_queue_splice_init() +to move the dch->squeue to a free queue, also enqueue the tx_skb and +rx_skb, at last calling __skb_queue_purge() to free the SKBs afer unlock. + +In tx_iso_complete(), dev_kfree_skb() is called to consume the transmitted +SKB, so replace it with dev_consume_skb_irq(). 
+ +Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver") +Signed-off-by: Yang Yingliang +Reviewed-by: Alexander Duyck +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/hardware/mISDN/hfcsusb.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c +index 1f89378b5623..111a597ef23c 100644 +--- a/drivers/isdn/hardware/mISDN/hfcsusb.c ++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c +@@ -327,20 +327,24 @@ hfcusb_l2l1D(struct mISDNchannel *ch, struct sk_buff *skb) + test_and_clear_bit(FLG_L2_ACTIVATED, &dch->Flags); + + if (hw->protocol == ISDN_P_NT_S0) { ++ struct sk_buff_head free_queue; ++ ++ __skb_queue_head_init(&free_queue); + hfcsusb_ph_command(hw, HFC_L1_DEACTIVATE_NT); + spin_lock_irqsave(&hw->lock, flags); +- skb_queue_purge(&dch->squeue); ++ skb_queue_splice_init(&dch->squeue, &free_queue); + if (dch->tx_skb) { +- dev_kfree_skb(dch->tx_skb); ++ __skb_queue_tail(&free_queue, dch->tx_skb); + dch->tx_skb = NULL; + } + dch->tx_idx = 0; + if (dch->rx_skb) { +- dev_kfree_skb(dch->rx_skb); ++ __skb_queue_tail(&free_queue, dch->rx_skb); + dch->rx_skb = NULL; + } + test_and_clear_bit(FLG_TX_BUSY, &dch->Flags); + spin_unlock_irqrestore(&hw->lock, flags); ++ __skb_queue_purge(&free_queue); + #ifdef FIXME + if (test_and_clear_bit(FLG_L1_BUSY, &dch->Flags)) + dchannel_sched_event(&hc->dch, D_CLEARBUSY); +@@ -1331,7 +1335,7 @@ tx_iso_complete(struct urb *urb) + printk("\n"); + } + +- dev_kfree_skb(tx_skb); ++ dev_consume_skb_irq(tx_skb); + tx_skb = NULL; + if (fifo->dch && get_next_dframe(fifo->dch)) + tx_skb = fifo->dch->tx_skb; +-- +2.35.1 + diff --git a/queue-5.4/mmc-alcor-fix-return-value-check-of-mmc_add_host.patch b/queue-5.4/mmc-alcor-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..326684dd71b --- /dev/null +++ b/queue-5.4/mmc-alcor-fix-return-value-check-of-mmc_add_host.patch 
@@ -0,0 +1,44 @@ +From 0d9beae0c9b6e36aaab7302ade03955c62e829d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 14:30:15 +0800 +Subject: mmc: alcor: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit e93d1468f429475a753d6baa79b853b7ee5ef8c0 ] + +mmc_add_host() may return error, if we ignore its return value, the memory +that allocated in mmc_alloc_host() will be leaked and it will lead a kernel +crash because of deleting not added device in the remove path. + +So fix this by checking the return value and calling mmc_free_host() in the +error path. + +Fixes: c5413ad815a6 ("mmc: add new Alcor Micro Cardreader SD/MMC driver") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221101063023.1664968-2-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/alcor.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/alcor.c b/drivers/mmc/host/alcor.c +index 026ca9194ce5..a8ec2e6fefa8 100644 +--- a/drivers/mmc/host/alcor.c ++++ b/drivers/mmc/host/alcor.c +@@ -1114,7 +1114,10 @@ static int alcor_pci_sdmmc_drv_probe(struct platform_device *pdev) + alcor_hw_init(host); + + dev_set_drvdata(&pdev->dev, host); +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) ++ goto free_host; ++ + return 0; + + free_host: +-- +2.35.1 + diff --git a/queue-5.4/mmc-atmel-mci-fix-return-value-check-of-mmc_add_host.patch b/queue-5.4/mmc-atmel-mci-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..df0d133b9f1 --- /dev/null +++ b/queue-5.4/mmc-atmel-mci-fix-return-value-check-of-mmc_add_host.patch 
@@ -0,0 +1,60 @@ +From 9fe13fa52f079f7eed48640340940e681811597b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 20:28:19 +0800 +Subject: mmc: atmel-mci: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit 9e6e8c43726673ca2abcaac87640b9215fd72f4c ] + +mmc_add_host() may return error, if we ignore its return value, +it will lead two issues: +1. The memory that allocated in mmc_alloc_host() is leaked. +2. In the remove() path, mmc_remove_host() will be called to + delete device, but it's not added yet, it will lead a kernel + crash because of null-ptr-deref in device_del(). + +So fix this by checking the return value and calling mmc_free_host() +in the error path. + +Fixes: 7d2be0749a59 ("atmel-mci: Driver for Atmel on-chip MMC controllers") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221108122819.429975-1-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/atmel-mci.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/mmc/host/atmel-mci.c b/drivers/mmc/host/atmel-mci.c +index c26fbe5f2222..9c084f64f7db 100644 +--- a/drivers/mmc/host/atmel-mci.c ++++ b/drivers/mmc/host/atmel-mci.c +@@ -2217,6 +2217,7 @@ static int atmci_init_slot(struct atmel_mci *host, + { + struct mmc_host *mmc; + struct atmel_mci_slot *slot; ++ int ret; + + mmc = mmc_alloc_host(sizeof(struct atmel_mci_slot), &host->pdev->dev); + if (!mmc) +@@ -2300,11 +2301,13 @@ static int atmci_init_slot(struct atmel_mci *host, + + host->slot[id] = slot; + mmc_regulator_get_supply(mmc); +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) { ++ mmc_free_host(mmc); ++ return ret; ++ } + + if (gpio_is_valid(slot->detect_pin)) { +- int ret; +- + timer_setup(&slot->detect_timer, atmci_detect_change, 0); + + ret = request_irq(gpio_to_irq(slot->detect_pin), +-- +2.35.1 + 
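Review bot: The new mmc_add_host() failure path in atmci_init_slot() calls mmc_free_host(mmc) and returns, but the context line just above it shows "host->slot[id] = slot;" has already run. mmc_alloc_host() is called with sizeof(struct atmel_mci_slot), so slot appears to live inside the allocation being freed, which would leave host->slot[id] pointing at freed memory for any later code that walks the slot array. Suggest setting host->slot[id] to NULL before the return, or moving the assignment to after mmc_add_host() has succeeded.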
diff --git a/queue-5.4/mmc-f-sdh30-add-quirks-for-broken-timeout-clock-capa.patch b/queue-5.4/mmc-f-sdh30-add-quirks-for-broken-timeout-clock-capa.patch new file mode 100644 index 00000000000..1e9c13555ce --- /dev/null +++ b/queue-5.4/mmc-f-sdh30-add-quirks-for-broken-timeout-clock-capa.patch @@ -0,0 +1,38 @@ +From 7d4a416f8c4625b64b62f9c2e7b1bebec21a981c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 17:10:33 +0900 +Subject: mmc: f-sdh30: Add quirks for broken timeout clock capability + +From: Kunihiko Hayashi + +[ Upstream commit aae9d3a440736691b3c1cb09ae2c32c4f1ee2e67 ] + +There is a case where the timeout clock is not supplied to the capability. +Add a quirk for that. + +Signed-off-by: Kunihiko Hayashi +Acked-by: Jassi Brar +Link: https://lore.kernel.org/r/20221111081033.3813-7-hayashi.kunihiko@socionext.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci_f_sdh30.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mmc/host/sdhci_f_sdh30.c b/drivers/mmc/host/sdhci_f_sdh30.c +index f8b939e63e02..9548d022d52b 100644 +--- a/drivers/mmc/host/sdhci_f_sdh30.c ++++ b/drivers/mmc/host/sdhci_f_sdh30.c +@@ -194,6 +194,9 @@ static int sdhci_f_sdh30_probe(struct platform_device *pdev) + if (reg & SDHCI_CAN_DO_8BIT) + priv->vendor_hs200 = F_SDH30_EMMC_HS200; + ++ if (!(reg & SDHCI_TIMEOUT_CLK_MASK)) ++ host->quirks |= SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK; ++ + ret = sdhci_add_host(host); + if (ret) + goto err_add_host; +-- +2.35.1 + diff --git a/queue-5.4/mmc-meson-gx-fix-return-value-check-of-mmc_add_host.patch b/queue-5.4/mmc-meson-gx-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..5c91dda0328 --- /dev/null +++ b/queue-5.4/mmc-meson-gx-fix-return-value-check-of-mmc_add_host.patch 
@@ -0,0 +1,47 @@ +From c18b6f5ef713340e8bb8ac70c63c0aa120d5d821 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 20:34:17 +0800 +Subject: mmc: meson-gx: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit 90935f16f2650ab7416fa2ffbe5c28cb39cf3f1e ] + +mmc_add_host() may return error, if we ignore its return value, +it will lead two issues: +1. The memory that allocated in mmc_alloc_host() is leaked. +2. In the remove() path, mmc_remove_host() will be called to + delete device, but it's not added yet, it will lead a kernel + crash because of null-ptr-deref in device_del(). + +Fix this by checking the return value and goto error path which +will call mmc_free_host(). + +Fixes: 51c5d8447bd7 ("MMC: meson: initial support for GX platforms") +Signed-off-by: Yang Yingliang +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20221108123417.479045-1-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/meson-gx-mmc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/meson-gx-mmc.c b/drivers/mmc/host/meson-gx-mmc.c +index 9044faf0050a..95a8ba4cf3da 100644 +--- a/drivers/mmc/host/meson-gx-mmc.c ++++ b/drivers/mmc/host/meson-gx-mmc.c +@@ -1289,7 +1289,9 @@ static int meson_mmc_probe(struct platform_device *pdev) + } + + mmc->ops = &meson_mmc_ops; +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) ++ goto err_free_irq; + + return 0; + +-- +2.35.1 + diff --git a/queue-5.4/mmc-mmci-fix-return-value-check-of-mmc_add_host.patch b/queue-5.4/mmc-mmci-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..1d28f8c7566 --- /dev/null +++ b/queue-5.4/mmc-mmci-fix-return-value-check-of-mmc_add_host.patch 
@@ -0,0 +1,46 @@ +From 073a6b56ce083dc2bbc305e45363f6f3ac534ea3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 21:35:39 +0800 +Subject: mmc: mmci: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit b38a20f29a49ae04d23750d104b25400b792b98c ] + +mmc_add_host() may return error, if we ignore its return value, +it will lead two issues: +1. The memory that allocated in mmc_alloc_host() is leaked. +2. In the remove() path, mmc_remove_host() will be called to + delete device, but it's not added yet, it will lead a kernel + crash because of null-ptr-deref in device_del(). + +So fix this by checking the return value and goto error path which +will call mmc_free_host(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221109133539.3275664-1-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/mmci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/mmci.c b/drivers/mmc/host/mmci.c +index 7e4bc9124efd..1e5e2442b748 100644 +--- a/drivers/mmc/host/mmci.c ++++ b/drivers/mmc/host/mmci.c +@@ -2079,7 +2079,9 @@ static int mmci_probe(struct amba_device *dev, + pm_runtime_set_autosuspend_delay(&dev->dev, 50); + pm_runtime_use_autosuspend(&dev->dev); + +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) ++ goto clk_disable; + + pm_runtime_put(&dev->dev); + return 0; +-- +2.35.1 + diff --git a/queue-5.4/mmc-moxart-fix-return-value-check-of-mmc_add_host.patch b/queue-5.4/mmc-moxart-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..6d8d2961396 --- /dev/null +++ b/queue-5.4/mmc-moxart-fix-return-value-check-of-mmc_add_host.patch 
@@ -0,0 +1,43 @@ +From 8ae1784b8e52d2704ea1ca08e33c22d284b2f704 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 14:30:16 +0800 +Subject: mmc: moxart: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit 0ca18d09c744fb030ae9bc5836c3e357e0237dea ] + +mmc_add_host() may return error, if we ignore its return value, the memory +that allocated in mmc_alloc_host() will be leaked and it will lead a kernel +crash because of deleting not added device in the remove path. + +So fix this by checking the return value and goto error path which will call +mmc_free_host(). + +Fixes: 1b66e94e6b99 ("mmc: moxart: Add MOXA ART SD/MMC driver") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221101063023.1664968-3-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/moxart-mmc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c +index 1552d1f09c5c..52307dce08ba 100644 +--- a/drivers/mmc/host/moxart-mmc.c ++++ b/drivers/mmc/host/moxart-mmc.c +@@ -660,7 +660,9 @@ static int moxart_probe(struct platform_device *pdev) + goto out; + + dev_set_drvdata(dev, mmc); +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) ++ goto out; + + dev_dbg(dev, "IRQ=%d, FIFO is %d bytes\n", irq, host->fifo_width); + +-- +2.35.1 + diff --git a/queue-5.4/mmc-mxcmmc-fix-return-value-check-of-mmc_add_host.patch b/queue-5.4/mmc-mxcmmc-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..b86f7125fdb --- /dev/null +++ b/queue-5.4/mmc-mxcmmc-fix-return-value-check-of-mmc_add_host.patch 
@@ -0,0 +1,43 @@ +From 367284567796ae91c0e4470d95d13ae4e896e114 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 14:30:17 +0800 +Subject: mmc: mxcmmc: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit cde600af7b413c9fe03e85c58c4279df90e91d13 ] + +mmc_add_host() may return error, if we ignore its return value, the memory +that allocated in mmc_alloc_host() will be leaked and it will lead a kernel +crash because of deleting not added device in the remove path. + +So fix this by checking the return value and goto error path which will call +mmc_free_host(). + +Fixes: d96be879ff46 ("mmc: Add a MX2/MX3 specific SDHC driver") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221101063023.1664968-4-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/mxcmmc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/mxcmmc.c b/drivers/mmc/host/mxcmmc.c +index 011b59a3602e..9165af4760e3 100644 +--- a/drivers/mmc/host/mxcmmc.c ++++ b/drivers/mmc/host/mxcmmc.c +@@ -1158,7 +1158,9 @@ static int mxcmci_probe(struct platform_device *pdev) + + timer_setup(&host->watchdog, mxcmci_watchdog, 0); + +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) ++ goto out_free_dma; + + return 0; + +-- +2.35.1 + diff --git a/queue-5.4/mmc-omap_hsmmc-fix-return-value-check-of-mmc_add_hos.patch b/queue-5.4/mmc-omap_hsmmc-fix-return-value-check-of-mmc_add_hos.patch new file mode 100644 index 00000000000..658c8b47704 --- /dev/null +++ b/queue-5.4/mmc-omap_hsmmc-fix-return-value-check-of-mmc_add_hos.patch 
@@ -0,0 +1,46 @@ +From abdd8f24b4fabafd731bdbb7eeb4d9a5c8da9221 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 20:13:16 +0800 +Subject: mmc: omap_hsmmc: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit a525cad241c339ca00bf7ebf03c5180f2a9b767c ] + +mmc_add_host() may return error, if we ignore its return value, +it will lead two issues: +1. The memory that allocated in mmc_alloc_host() is leaked. +2. In the remove() path, mmc_remove_host() will be called to + delete device, but it's not added yet, it will lead a kernel + crash because of null-ptr-deref in device_del(). + +Fix this by checking the return value and goto error path wihch +will call mmc_free_host(). + +Fixes: a45c6cb81647 ("[ARM] 5369/1: omap mmc: Add new omap hsmmc controller for 2430 and 34xx, v3") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221108121316.340354-1-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/omap_hsmmc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c +index d0df054b0b47..ee9edf817a32 100644 +--- a/drivers/mmc/host/omap_hsmmc.c ++++ b/drivers/mmc/host/omap_hsmmc.c +@@ -1998,7 +1998,9 @@ static int omap_hsmmc_probe(struct platform_device *pdev) + if (!ret) + mmc->caps |= MMC_CAP_SDIO_IRQ; + +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) ++ goto err_irq; + + if (mmc_pdata(host)->name != NULL) { + ret = device_create_file(&mmc->class_dev, &dev_attr_slot_name); +-- +2.35.1 + diff --git a/queue-5.4/mmc-pxamci-fix-return-value-check-of-mmc_add_host.patch b/queue-5.4/mmc-pxamci-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..08a4a2870bb --- /dev/null +++ b/queue-5.4/mmc-pxamci-fix-return-value-check-of-mmc_add_host.patch 
@@ -0,0 +1,46 @@ +From 93184a3d8f9a0c396d44ada99f299cdcf044e6b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 14:30:18 +0800 +Subject: mmc: pxamci: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit 80e1ef3afb8bfbe768380b70ffe1b6cab87d1a3b ] + +mmc_add_host() may return error, if we ignore its return value, the memory +that allocated in mmc_alloc_host() will be leaked and it will lead a kernel +crash because of deleting not added device in the remove path. + +So fix this by checking the return value and goto error path which will call +mmc_free_host(), besides, ->exit() need be called to uninit the pdata. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221101063023.1664968-5-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/pxamci.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/pxamci.c b/drivers/mmc/host/pxamci.c +index 99f3958a037c..7f96df4d2a87 100644 +--- a/drivers/mmc/host/pxamci.c ++++ b/drivers/mmc/host/pxamci.c +@@ -761,7 +761,12 @@ static int pxamci_probe(struct platform_device *pdev) + dev_warn(dev, "gpio_ro and get_ro() both defined\n"); + } + +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) { ++ if (host->pdata && host->pdata->exit) ++ host->pdata->exit(dev, mmc); ++ goto out; ++ } + + return 0; + +-- +2.35.1 + diff --git a/queue-5.4/mmc-rtsx_usb_sdmmc-fix-return-value-check-of-mmc_add.patch b/queue-5.4/mmc-rtsx_usb_sdmmc-fix-return-value-check-of-mmc_add.patch new file mode 100644 index 00000000000..be59a931cfa --- /dev/null +++ b/queue-5.4/mmc-rtsx_usb_sdmmc-fix-return-value-check-of-mmc_add.patch 
@@ -0,0 +1,58 @@ +From 76cbebc24a1d471fbb646656252c14a8aaa7fdf2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 14:30:20 +0800 +Subject: mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit fc38a5a10e9e5a75eb9189854abeb8405b214cc9 ] + +mmc_add_host() may return error, if we ignore its return value, the memory +that allocated in mmc_alloc_host() will be leaked and it will lead a kernel +crash because of deleting not added device in the remove path. + +So fix this by checking the return value and calling mmc_free_host() in the +error path, besides, led_classdev_unregister() and pm_runtime_disable() also +need be called. + +Fixes: c7f6558d84af ("mmc: Add realtek USB sdmmc host driver") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221101063023.1664968-7-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/rtsx_usb_sdmmc.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/rtsx_usb_sdmmc.c b/drivers/mmc/host/rtsx_usb_sdmmc.c +index 81d0dfe553a8..3261560bede4 100644 +--- a/drivers/mmc/host/rtsx_usb_sdmmc.c ++++ b/drivers/mmc/host/rtsx_usb_sdmmc.c +@@ -1338,6 +1338,7 @@ static int rtsx_usb_sdmmc_drv_probe(struct platform_device *pdev) + #ifdef RTSX_USB_USE_LEDS_CLASS + int err; + #endif ++ int ret; + + ucr = usb_get_intfdata(to_usb_interface(pdev->dev.parent)); + if (!ucr) +@@ -1374,7 +1375,15 @@ static int rtsx_usb_sdmmc_drv_probe(struct platform_device *pdev) + INIT_WORK(&host->led_work, rtsx_usb_update_led); + + #endif +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) { ++#ifdef RTSX_USB_USE_LEDS_CLASS ++ led_classdev_unregister(&host->led); ++#endif ++ mmc_free_host(mmc); ++ pm_runtime_disable(&pdev->dev); ++ return ret; ++ } + + return 0; + } +-- +2.35.1 + 
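Review bot: the failure branch added after mmc_add_host() in rtsx_usb_sdmmc_drv_probe() open-codes the whole teardown, including a second `#ifdef RTSX_USB_USE_LEDS_CLASS` block, and the first hunk adds `int ret;` next to the existing `int err;` that is declared under the same #ifdef. One status variable declared unconditionally would be enough, and a single error label at the end of the function would keep the #ifdef out of the branch. Also worth a line in the commit message: pm_runtime_disable(&pdev->dev) runs after mmc_free_host(mmc) here, so state whether that order mirrors the setup order or is arbitrary.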
diff --git a/queue-5.4/mmc-toshsd-fix-return-value-check-of-mmc_add_host.patch b/queue-5.4/mmc-toshsd-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..1de723bae27 --- /dev/null +++ b/queue-5.4/mmc-toshsd-fix-return-value-check-of-mmc_add_host.patch @@ -0,0 +1,52 @@ +From 7f215d19e2beca5141a6712989c07ec2bc42542c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 14:30:21 +0800 +Subject: mmc: toshsd: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit f670744a316ea983113a65313dcd387b5a992444 ] + +mmc_add_host() may return error, if we ignore its return value, the memory +that allocated in mmc_alloc_host() will be leaked and it will lead a kernel +crash because of deleting not added device in the remove path. + +So fix this by checking the return value and goto error path which will call +mmc_free_host(), besides, free_irq() also needs be called. + +Fixes: a5eb8bbd66cc ("mmc: add Toshiba PCI SD controller driver") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221101063023.1664968-8-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/toshsd.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/toshsd.c b/drivers/mmc/host/toshsd.c +index 8d037c2071ab..497791ffada6 100644 +--- a/drivers/mmc/host/toshsd.c ++++ b/drivers/mmc/host/toshsd.c +@@ -651,7 +651,9 @@ static int toshsd_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + if (ret) + goto unmap; + +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) ++ goto free_irq; + + base = pci_resource_start(pdev, 0); + dev_dbg(&pdev->dev, "MMIO %pa, IRQ %d\n", &base, pdev->irq); +@@ -660,6 +662,8 @@ static int toshsd_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + return 0; + ++free_irq: ++ free_irq(pdev->irq, host); + unmap: + pci_iounmap(pdev, host->ioaddr); + release: +-- +2.35.1 + 
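Review bot: the label added in the second toshsd_probe() hunk is named `free_irq:` and its only statement is a call to free_irq(pdev->irq, host), so the same identifier is used as both a label and a function within two lines. It compiles, since labels have their own namespace, but it reads badly and is awkward to grep; a name such as `err_free_irq` would match what the meson-gx patch in this series uses. The neighbouring labels `unmap` and `release` are fine as they are.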
diff --git a/queue-5.4/mmc-via-sdmmc-fix-return-value-check-of-mmc_add_host.patch b/queue-5.4/mmc-via-sdmmc-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..08cb1e8e45a --- /dev/null +++ b/queue-5.4/mmc-via-sdmmc-fix-return-value-check-of-mmc_add_host.patch @@ -0,0 +1,46 @@ +From 5940a6d57159ad2f8889bd86b534d881deb89a26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 21:09:49 +0800 +Subject: mmc: via-sdmmc: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit e4e46fb61e3bb4628170810d3f2b996b709b90d9 ] + +mmc_add_host() may return error, if we ignore its return value, +it will lead two issues: +1. The memory that allocated in mmc_alloc_host() is leaked. +2. In the remove() path, mmc_remove_host() will be called to + delete device, but it's not added yet, it will lead a kernel + crash because of null-ptr-deref in device_del(). + +Fix this by checking the return value and goto error path which +will call mmc_free_host(). + +Fixes: f0bf7f61b840 ("mmc: Add new via-sdmmc host controller driver") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221108130949.1067699-1-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/via-sdmmc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c +index 721e5dd1eb7d..2c4d390a8acd 100644 +--- a/drivers/mmc/host/via-sdmmc.c ++++ b/drivers/mmc/host/via-sdmmc.c +@@ -1154,7 +1154,9 @@ static int via_sd_probe(struct pci_dev *pcidev, + pcidev->subsystem_device == 0x3891) + sdhost->quirks = VIA_CRDR_QUIRK_300MS_PWRDELAY; + +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) ++ goto unmap; + + return 0; + +-- +2.35.1 + 
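Review bot: the new `goto unmap;` in via_sd_probe() assumes that everything acquired before mmc_add_host() is released from the `unmap` label onward, but the hunk shows neither that label nor the setup between the mapping and this point. The toshsd patch in this series needed a new label for free_irq() ahead of its `unmap` for exactly this reason, so please confirm that no IRQ, timer or work item is set up earlier in this probe path and left untouched by `unmap`, and say so in the commit message, which currently mentions only mmc_free_host().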
diff --git a/queue-5.4/mmc-vub300-fix-return-value-check-of-mmc_add_host.patch b/queue-5.4/mmc-vub300-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..caedc9af2d4 --- /dev/null +++ b/queue-5.4/mmc-vub300-fix-return-value-check-of-mmc_add_host.patch 
@@ -0,0 +1,67 @@ +From ac858d03a9ce529ec9308f3f8d3d2170e50a16cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 14:30:22 +0800 +Subject: mmc: vub300: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit 0613ad2401f88bdeae5594c30afe318e93b14676 ] + +mmc_add_host() may return error, if we ignore its return value, the memory +that allocated in mmc_alloc_host() will be leaked and it will lead a kernel +crash because of deleting not added device in the remove path. + +So fix this by checking the return value and goto error path which will call +mmc_free_host(), besides, the timer added before mmc_add_host() needs be del. + +And this patch fixes another missing call mmc_free_host() if usb_control_msg() +fails. + +Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221101063023.1664968-9-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/vub300.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/mmc/host/vub300.c b/drivers/mmc/host/vub300.c +index 5e1d7025dbf7..a02cc091a978 100644 +--- a/drivers/mmc/host/vub300.c ++++ b/drivers/mmc/host/vub300.c +@@ -2306,14 +2306,14 @@ static int vub300_probe(struct usb_interface *interface, + 0x0000, 0x0000, &vub300->system_port_status, + sizeof(vub300->system_port_status), 1000); + if (retval < 0) { +- goto error4; ++ goto error5; + } else if (sizeof(vub300->system_port_status) == retval) { + vub300->card_present = + (0x0001 & vub300->system_port_status.port_flags) ? 1 : 0; + vub300->read_only = + (0x0010 & vub300->system_port_status.port_flags) ? 
1 : 0; + } else { +- goto error4; ++ goto error5; + } + usb_set_intfdata(interface, vub300); + INIT_DELAYED_WORK(&vub300->pollwork, vub300_pollwork_thread); +@@ -2336,8 +2336,13 @@ static int vub300_probe(struct usb_interface *interface, + "USB vub300 remote SDIO host controller[%d]" + "connected with no SD/SDIO card inserted\n", + interface_to_InterfaceNumber(interface)); +- mmc_add_host(mmc); ++ retval = mmc_add_host(mmc); ++ if (retval) ++ goto error6; ++ + return 0; ++error6: ++ del_timer_sync(&vub300->inactivity_timer); + error5: + mmc_free_host(mmc); + /* +-- +2.35.1 + diff --git a/queue-5.4/mmc-wbsd-fix-return-value-check-of-mmc_add_host.patch b/queue-5.4/mmc-wbsd-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..4920a732a9a --- /dev/null +++ b/queue-5.4/mmc-wbsd-fix-return-value-check-of-mmc_add_host.patch 
@@ -0,0 +1,55 @@ +From acecc5877bafd92bb1f8b3972fd3719e4e68ada6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 21:32:37 +0800 +Subject: mmc: wbsd: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit dc5b9b50fc9d1334407e316e6e29a5097ef833bd ] + +mmc_add_host() may return error, if we ignore its return value, +it will lead two issues: +1. The memory that allocated in mmc_alloc_host() is leaked. +2. In the remove() path, mmc_remove_host() will be called to + delete device, but it's not added yet, it will lead a kernel + crash because of null-ptr-deref in device_del(). + +So fix this by checking the return value and goto error path which +will call mmc_free_host(), besides, other resources also need be +released. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221109133237.3273558-1-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/wbsd.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/wbsd.c b/drivers/mmc/host/wbsd.c +index 740179f42cf2..639f87ba1606 100644 +--- a/drivers/mmc/host/wbsd.c ++++ b/drivers/mmc/host/wbsd.c +@@ -1701,7 +1701,17 @@ static int wbsd_init(struct device *dev, int base, int irq, int dma, + */ + wbsd_init_device(host); + +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) { ++ if (!pnp) ++ wbsd_chip_poweroff(host); ++ ++ wbsd_release_resources(host); ++ wbsd_free_mmc(dev); ++ ++ mmc_free_host(mmc); ++ return ret; ++ } + + pr_info("%s: W83L51xD", mmc_hostname(mmc)); + if (host->chip_id != 0) +-- +2.35.1 + diff --git a/queue-5.4/mmc-wmt-sdmmc-fix-return-value-check-of-mmc_add_host.patch b/queue-5.4/mmc-wmt-sdmmc-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..1e7243a6c57 --- /dev/null +++ b/queue-5.4/mmc-wmt-sdmmc-fix-return-value-check-of-mmc_add_host.patch 
@@ -0,0 +1,49 @@ +From e6578e82c4eb3c21f7a106205eade81051651908 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 14:30:23 +0800 +Subject: mmc: wmt-sdmmc: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit 29276d56f6ed138db0f38cd31aedc0b725c8c76c ] + +mmc_add_host() may return error, if we ignore its return value, the memory +that allocated in mmc_alloc_host() will be leaked and it will lead a kernel +crash because of deleting not added device in the remove path. + +So fix this by checking the return value and goto error path which will call +mmc_free_host(), besides, clk_disable_unprepare() also needs be called. + +Fixes: 3a96dff0f828 ("mmc: SD/MMC Host Controller for Wondermedia WM8505/WM8650") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221101063023.1664968-10-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/wmt-sdmmc.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/wmt-sdmmc.c b/drivers/mmc/host/wmt-sdmmc.c +index d774068dba30..b1e4199f8292 100644 +--- a/drivers/mmc/host/wmt-sdmmc.c ++++ b/drivers/mmc/host/wmt-sdmmc.c +@@ -859,11 +859,15 @@ static int wmt_mci_probe(struct platform_device *pdev) + /* configure the controller to a known 'ready' state */ + wmt_reset_hardware(mmc); + +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) ++ goto fail7; + + dev_info(&pdev->dev, "WMT SDHC Controller initialized\n"); + + return 0; ++fail7: ++ clk_disable_unprepare(priv->clk_sdmmc); + fail6: + clk_put(priv->clk_sdmmc); + fail5_and_a_half: +-- +2.35.1 + diff --git a/queue-5.4/mrp-introduce-active-flags-to-prevent-uaf-when-appli.patch b/queue-5.4/mrp-introduce-active-flags-to-prevent-uaf-when-appli.patch new file mode 100644 index 00000000000..5156d2a81b2 --- /dev/null +++ b/queue-5.4/mrp-introduce-active-flags-to-prevent-uaf-when-appli.patch 
@@ -0,0 +1,126 @@ +From a1fe41efadbd3c225eb6cde7c970f9ff778e9e6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 19:45:11 +0800 +Subject: mrp: introduce active flags to prevent UAF when applicant uninit + +From: Schspa Shi + +[ Upstream commit ab0377803dafc58f1e22296708c1c28e309414d6 ] + +The caller of del_timer_sync must prevent restarting of the timer, If +we have no this synchronization, there is a small probability that the +cancellation will not be successful. + +And syzbot report the fellowing crash: +================================================================== +BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline] +BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605 +Write at addr f9ff000024df6058 by task syz-fuzzer/2256 +Pointer tag: [f9], memory tag: [fe] + +CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008- +ge01d50cbd6ee #0 +Hardware name: linux,dummy-virt (DT) +Call trace: + dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156 + dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline] + show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163 + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:284 [inline] + print_report+0x1a8/0x4a0 mm/kasan/report.c:395 + kasan_report+0x94/0xb4 mm/kasan/report.c:495 + __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320 + do_bad_area arch/arm64/mm/fault.c:473 [inline] + do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749 + do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825 + el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367 + el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427 + el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576 + hlist_add_head include/linux/list.h:929 [inline] + enqueue_timer+0x18/0xa4 kernel/time/timer.c:605 + mod_timer+0x14/0x20 kernel/time/timer.c:1161 + 
mrp_periodic_timer_arm net/802/mrp.c:614 [inline] + mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627 + call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474 + expire_timers+0x98/0xc4 kernel/time/timer.c:1519 + +To fix it, we can introduce a new active flags to make sure the timer will +not restart. + +Reported-by: syzbot+6fd64001c20aa99e34a4@syzkaller.appspotmail.com + +Signed-off-by: Schspa Shi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/mrp.h | 1 + + net/802/mrp.c | 18 +++++++++++++----- + 2 files changed, 14 insertions(+), 5 deletions(-) + +diff --git a/include/net/mrp.h b/include/net/mrp.h +index ef58b4a07190..c6c53370e390 100644 +--- a/include/net/mrp.h ++++ b/include/net/mrp.h +@@ -120,6 +120,7 @@ struct mrp_applicant { + struct sk_buff *pdu; + struct rb_root mad; + struct rcu_head rcu; ++ bool active; + }; + + struct mrp_port { +diff --git a/net/802/mrp.c b/net/802/mrp.c +index 5b804dbe2d08..486becf6c78d 100644 +--- a/net/802/mrp.c ++++ b/net/802/mrp.c +@@ -606,7 +606,10 @@ static void mrp_join_timer(struct timer_list *t) + spin_unlock(&app->lock); + + mrp_queue_xmit(app); +- mrp_join_timer_arm(app); ++ spin_lock(&app->lock); ++ if (likely(app->active)) ++ mrp_join_timer_arm(app); ++ spin_unlock(&app->lock); + } + + static void mrp_periodic_timer_arm(struct mrp_applicant *app) +@@ -620,11 +623,12 @@ static void mrp_periodic_timer(struct timer_list *t) + struct mrp_applicant *app = from_timer(app, t, periodic_timer); + + spin_lock(&app->lock); +- mrp_mad_event(app, MRP_EVENT_PERIODIC); +- mrp_pdu_queue(app); ++ if (likely(app->active)) { ++ mrp_mad_event(app, MRP_EVENT_PERIODIC); ++ mrp_pdu_queue(app); ++ mrp_periodic_timer_arm(app); ++ } + spin_unlock(&app->lock); +- +- mrp_periodic_timer_arm(app); + } + + static int mrp_pdu_parse_end_mark(struct sk_buff *skb, int *offset) +@@ -872,6 +876,7 @@ int mrp_init_applicant(struct net_device *dev, struct mrp_application *appl) + app->dev = dev; + app->app = appl; + app->mad = 
RB_ROOT; ++ app->active = true; + spin_lock_init(&app->lock); + skb_queue_head_init(&app->queue); + rcu_assign_pointer(dev->mrp_port->applicants[appl->type], app); +@@ -900,6 +905,9 @@ void mrp_uninit_applicant(struct net_device *dev, struct mrp_application *appl) + + RCU_INIT_POINTER(port->applicants[appl->type], NULL); + ++ spin_lock_bh(&app->lock); ++ app->active = false; ++ spin_unlock_bh(&app->lock); + /* Delete timer and generate a final TX event to flush out + * all pending messages before the applicant is gone. + */ +-- +2.35.1 + diff --git a/queue-5.4/mtd-fix-device-name-leak-when-register-device-failed.patch b/queue-5.4/mtd-fix-device-name-leak-when-register-device-failed.patch new file mode 100644 index 00000000000..a079f9651d8 --- /dev/null +++ b/queue-5.4/mtd-fix-device-name-leak-when-register-device-failed.patch 
@@ -0,0 +1,62 @@ +From a25e55f8d002b3eaced2b9a2c2d0138964a7481c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Oct 2022 20:13:52 +0800 +Subject: mtd: Fix device name leak when register device failed in + add_mtd_device() + +From: Zhang Xiaoxu + +[ Upstream commit 895d68a39481a75c680aa421546931fb11942fa6 ] + +There is a kmemleak when register device failed: + unreferenced object 0xffff888101aab550 (size 8): + comm "insmod", pid 3922, jiffies 4295277753 (age 925.408s) + hex dump (first 8 bytes): + 6d 74 64 30 00 88 ff ff mtd0.... + backtrace: + [<00000000bde26724>] __kmalloc_node_track_caller+0x4e/0x150 + [<000000003c32b416>] kvasprintf+0xb0/0x130 + [<000000001f7a8f15>] kobject_set_name_vargs+0x2f/0xb0 + [<000000006e781163>] dev_set_name+0xab/0xe0 + [<00000000e30d0c78>] add_mtd_device+0x4bb/0x700 + [<00000000f3d34de7>] mtd_device_parse_register+0x2ac/0x3f0 + [<00000000c0d88488>] 0xffffffffa0238457 + [<00000000b40d0922>] 0xffffffffa02a008f + [<0000000023d17b9d>] do_one_initcall+0x87/0x2a0 + [<00000000770f6ca6>] do_init_module+0xdf/0x320 + [<000000007b6768fe>] load_module+0x2f98/0x3330 + [<00000000346bed5a>] __do_sys_finit_module+0x113/0x1b0 + [<00000000674c2290>] do_syscall_64+0x35/0x80 + [<000000004c6a8d97>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +If register device failed, should call put_device() to give up the +reference. 
+ +Fixes: 1f24b5a8ecbb ("[MTD] driver model updates") +Signed-off-by: Zhang Xiaoxu +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20221022121352.2534682-1-zhangxiaoxu5@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/mtdcore.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c +index ac5d3b6db9b8..83012d74dcd5 100644 +--- a/drivers/mtd/mtdcore.c ++++ b/drivers/mtd/mtdcore.c +@@ -673,8 +673,10 @@ int add_mtd_device(struct mtd_info *mtd) + dev_set_drvdata(&mtd->dev, mtd); + of_node_get(mtd_get_of_node(mtd)); + error = device_register(&mtd->dev); +- if (error) ++ if (error) { ++ put_device(&mtd->dev); + goto fail_added; ++ } + + /* Add the nvmem provider */ + error = mtd_nvmem_add(mtd); +-- +2.35.1 + diff --git a/queue-5.4/mtd-lpddr2_nvm-fix-possible-null-ptr-deref.patch b/queue-5.4/mtd-lpddr2_nvm-fix-possible-null-ptr-deref.patch new file mode 100644 index 00000000000..c4df25d6aff --- /dev/null +++ b/queue-5.4/mtd-lpddr2_nvm-fix-possible-null-ptr-deref.patch 
@@ -0,0 +1,41 @@ +From 28474b9331c5cb2f86d553eb9c8b382f0c7e285b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 17:02:40 +0800 +Subject: mtd: lpddr2_nvm: Fix possible null-ptr-deref +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hui Tang + +[ Upstream commit 6bdd45d795adf9e73b38ced5e7f750cd199499ff ] + +It will cause null-ptr-deref when resource_size(add_range) invoked, +if platform_get_resource() returns NULL. + +Fixes: 96ba9dd65788 ("mtd: lpddr: add driver for LPDDR2-NVM PCM memories") +Signed-off-by: Hui Tang +Acked-by: Uwe Kleine-König +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20221114090240.244172-1-tanghui20@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/lpddr/lpddr2_nvm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/mtd/lpddr/lpddr2_nvm.c b/drivers/mtd/lpddr/lpddr2_nvm.c +index 72f5c7b30079..add4386f99f0 100644 +--- a/drivers/mtd/lpddr/lpddr2_nvm.c ++++ b/drivers/mtd/lpddr/lpddr2_nvm.c +@@ -433,6 +433,8 @@ static int lpddr2_nvm_probe(struct platform_device *pdev) + + /* lpddr2_nvm address range */ + add_range = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (!add_range) ++ return -ENODEV; + + /* Populate map_info data structure */ + *map = (struct map_info) { +-- +2.35.1 + diff --git a/queue-5.4/mtd-maps-pxa2xx-flash-fix-memory-leak-in-probe.patch b/queue-5.4/mtd-maps-pxa2xx-flash-fix-memory-leak-in-probe.patch new file mode 100644 index 00000000000..6702112e026 --- /dev/null +++ b/queue-5.4/mtd-maps-pxa2xx-flash-fix-memory-leak-in-probe.patch 
@@ -0,0 +1,44 @@ +From 61cc2b045033ea2cd26501ca42c10a1a17aec31c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Nov 2022 07:33:07 +0000 +Subject: mtd: maps: pxa2xx-flash: fix memory leak in probe + +From: Zheng Yongjun + +[ Upstream commit 2399401feee27c639addc5b7e6ba519d3ca341bf ] + +Free 'info' upon remapping error to avoid a memory leak. + +Fixes: e644f7d62894 ("[MTD] MAPS: Merge Lubbock and Mainstone drivers into common PXA2xx driver") +Signed-off-by: Zheng Yongjun +[: Reword the commit log] +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20221119073307.22929-1-zhengyongjun3@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/maps/pxa2xx-flash.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/mtd/maps/pxa2xx-flash.c b/drivers/mtd/maps/pxa2xx-flash.c +index 7d96758a8f04..6e5e55755970 100644 +--- a/drivers/mtd/maps/pxa2xx-flash.c ++++ b/drivers/mtd/maps/pxa2xx-flash.c +@@ -66,6 +66,7 @@ static int pxa2xx_flash_probe(struct platform_device *pdev) + if (!info->map.virt) { + printk(KERN_WARNING "Failed to ioremap %s\n", + info->map.name); ++ kfree(info); + return -ENOMEM; + } + info->map.cached = ioremap_cache(info->map.phys, info->map.size); +@@ -87,6 +88,7 @@ static int pxa2xx_flash_probe(struct platform_device *pdev) + iounmap((void *)info->map.virt); + if (info->map.cached) + iounmap(info->map.cached); ++ kfree(info); + return -EIO; + } + info->mtd->dev.parent = &pdev->dev; +-- +2.35.1 + diff --git a/queue-5.4/myri10ge-fix-an-error-handling-path-in-myri10ge_prob.patch b/queue-5.4/myri10ge-fix-an-error-handling-path-in-myri10ge_prob.patch new file mode 100644 index 00000000000..17205e2a46f --- /dev/null +++ b/queue-5.4/myri10ge-fix-an-error-handling-path-in-myri10ge_prob.patch 
@@ -0,0 +1,37 @@ +From 5350ca50cd93bad19e72f7e7bd441e3348637049 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Dec 2022 19:08:40 +0100 +Subject: myri10ge: Fix an error handling path in myri10ge_probe() + +From: Christophe JAILLET + +[ Upstream commit d83b950d44d2982c0e62e3d81b0f35ab09431008 ] + +Some memory allocated in myri10ge_probe_slices() is not released in the +error handling path of myri10ge_probe(). + +Add the corresponding kfree(), as already done in the remove function. + +Fixes: 0dcffac1a329 ("myri10ge: add multislices support") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +index c4c716094982..5aee774768bc 100644 +--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c ++++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +@@ -3956,6 +3956,7 @@ static int myri10ge_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + myri10ge_free_slices(mgp); + + abort_with_firmware: ++ kfree(mgp->msix_vectors); + myri10ge_dummy_rdma(mgp, 0); + + abort_with_ioremap: +-- +2.35.1 + diff --git a/queue-5.4/net-add-atomic_long_t-to-net_device_stats-fields.patch b/queue-5.4/net-add-atomic_long_t-to-net_device_stats-fields.patch new file mode 100644 index 00000000000..89847989bda --- /dev/null +++ b/queue-5.4/net-add-atomic_long_t-to-net_device_stats-fields.patch 
@@ -0,0 +1,165 @@ +From e5d27f9c02cf3a035a81b6b405cf57f0661aa850 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 08:53:55 +0000 +Subject: net: add atomic_long_t to net_device_stats fields + +From: Eric Dumazet + +[ Upstream commit 6c1c5097781f563b70a81683ea6fdac21637573b ] + +Long standing KCSAN issues are caused by data-race around +some dev->stats changes. + +Most performance critical paths already use per-cpu +variables, or per-queue ones. + +It is reasonable (and more correct) to use atomic operations +for the slow paths. + +This patch adds an union for each field of net_device_stats, +so that we can convert paths that are not yet protected +by a spinlock or a mutex. + +netdev_stats_to_stats64() no longer has an #if BITS_PER_LONG==64 + +Note that the memcpy() we were using on 64bit arches +had no provision to avoid load-tearing, +while atomic_long_read() is providing the needed protection +at no cost. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 58 +++++++++++++++++++++++---------------- + include/net/dst.h | 5 ++-- + net/core/dev.c | 14 ++-------- + 3 files changed, 40 insertions(+), 37 deletions(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index c70b79dba1dc..73bc0f53303f 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -160,31 +160,38 @@ static inline bool dev_xmit_complete(int rc) + * (unsigned long) so they can be read and written atomically. 
+ */ + ++#define NET_DEV_STAT(FIELD) \ ++ union { \ ++ unsigned long FIELD; \ ++ atomic_long_t __##FIELD; \ ++ } ++ + struct net_device_stats { +- unsigned long rx_packets; +- unsigned long tx_packets; +- unsigned long rx_bytes; +- unsigned long tx_bytes; +- unsigned long rx_errors; +- unsigned long tx_errors; +- unsigned long rx_dropped; +- unsigned long tx_dropped; +- unsigned long multicast; +- unsigned long collisions; +- unsigned long rx_length_errors; +- unsigned long rx_over_errors; +- unsigned long rx_crc_errors; +- unsigned long rx_frame_errors; +- unsigned long rx_fifo_errors; +- unsigned long rx_missed_errors; +- unsigned long tx_aborted_errors; +- unsigned long tx_carrier_errors; +- unsigned long tx_fifo_errors; +- unsigned long tx_heartbeat_errors; +- unsigned long tx_window_errors; +- unsigned long rx_compressed; +- unsigned long tx_compressed; ++ NET_DEV_STAT(rx_packets); ++ NET_DEV_STAT(tx_packets); ++ NET_DEV_STAT(rx_bytes); ++ NET_DEV_STAT(tx_bytes); ++ NET_DEV_STAT(rx_errors); ++ NET_DEV_STAT(tx_errors); ++ NET_DEV_STAT(rx_dropped); ++ NET_DEV_STAT(tx_dropped); ++ NET_DEV_STAT(multicast); ++ NET_DEV_STAT(collisions); ++ NET_DEV_STAT(rx_length_errors); ++ NET_DEV_STAT(rx_over_errors); ++ NET_DEV_STAT(rx_crc_errors); ++ NET_DEV_STAT(rx_frame_errors); ++ NET_DEV_STAT(rx_fifo_errors); ++ NET_DEV_STAT(rx_missed_errors); ++ NET_DEV_STAT(tx_aborted_errors); ++ NET_DEV_STAT(tx_carrier_errors); ++ NET_DEV_STAT(tx_fifo_errors); ++ NET_DEV_STAT(tx_heartbeat_errors); ++ NET_DEV_STAT(tx_window_errors); ++ NET_DEV_STAT(rx_compressed); ++ NET_DEV_STAT(tx_compressed); + }; ++#undef NET_DEV_STAT + + + #include +@@ -4936,4 +4943,9 @@ do { \ + + extern struct net_device *blackhole_netdev; + ++/* Note: Avoid these macros in fast path, prefer per-cpu or per-queue counters. 
*/ ++#define DEV_STATS_INC(DEV, FIELD) atomic_long_inc(&(DEV)->stats.__##FIELD) ++#define DEV_STATS_ADD(DEV, FIELD, VAL) \ ++ atomic_long_add((VAL), &(DEV)->stats.__##FIELD) ++ + #endif /* _LINUX_NETDEVICE_H */ +diff --git a/include/net/dst.h b/include/net/dst.h +index 433f7c1ce8a9..34185e527726 100644 +--- a/include/net/dst.h ++++ b/include/net/dst.h +@@ -357,9 +357,8 @@ static inline void __skb_tunnel_rx(struct sk_buff *skb, struct net_device *dev, + static inline void skb_tunnel_rx(struct sk_buff *skb, struct net_device *dev, + struct net *net) + { +- /* TODO : stats should be SMP safe */ +- dev->stats.rx_packets++; +- dev->stats.rx_bytes += skb->len; ++ DEV_STATS_INC(dev, rx_packets); ++ DEV_STATS_ADD(dev, rx_bytes, skb->len); + __skb_tunnel_rx(skb, dev, net); + } + +diff --git a/net/core/dev.c b/net/core/dev.c +index 84bc6d0e8560..296bed9431f3 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -9461,24 +9461,16 @@ void netdev_run_todo(void) + void netdev_stats_to_stats64(struct rtnl_link_stats64 *stats64, + const struct net_device_stats *netdev_stats) + { +-#if BITS_PER_LONG == 64 +- BUILD_BUG_ON(sizeof(*stats64) < sizeof(*netdev_stats)); +- memcpy(stats64, netdev_stats, sizeof(*netdev_stats)); +- /* zero out counters that only exist in rtnl_link_stats64 */ +- memset((char *)stats64 + sizeof(*netdev_stats), 0, +- sizeof(*stats64) - sizeof(*netdev_stats)); +-#else +- size_t i, n = sizeof(*netdev_stats) / sizeof(unsigned long); +- const unsigned long *src = (const unsigned long *)netdev_stats; ++ size_t i, n = sizeof(*netdev_stats) / sizeof(atomic_long_t); ++ const atomic_long_t *src = (atomic_long_t *)netdev_stats; + u64 *dst = (u64 *)stats64; + + BUILD_BUG_ON(n > sizeof(*stats64) / sizeof(u64)); + for (i = 0; i < n; i++) +- dst[i] = src[i]; ++ dst[i] = atomic_long_read(&src[i]); + /* zero out counters that only exist in rtnl_link_stats64 */ + memset((char *)stats64 + n * sizeof(u64), 0, + sizeof(*stats64) - n * sizeof(u64)); +-#endif + } + 
EXPORT_SYMBOL(netdev_stats_to_stats64); + +-- +2.35.1 + diff --git a/queue-5.4/net-amd-lance-don-t-call-dev_kfree_skb-under-spin_lo.patch b/queue-5.4/net-amd-lance-don-t-call-dev_kfree_skb-under-spin_lo.patch new file mode 100644 index 00000000000..4ee5059e5c8 --- /dev/null +++ b/queue-5.4/net-amd-lance-don-t-call-dev_kfree_skb-under-spin_lo.patch 
@@ -0,0 +1,58 @@ +From db3d859effea48987622d1fdc2bc37d65e2fadff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 22:21:47 +0800 +Subject: net: amd: lance: don't call dev_kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 6151d105dfce8c23edf30eed35e97f3d9b96a35c ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +In these two cases, dev_kfree_skb() is called consume the xmited SKB, +so replace it with dev_consume_skb_irq(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/atarilance.c | 2 +- + drivers/net/ethernet/amd/lance.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/amd/atarilance.c b/drivers/net/ethernet/amd/atarilance.c +index d3d44e07afbc..414b990827e8 100644 +--- a/drivers/net/ethernet/amd/atarilance.c ++++ b/drivers/net/ethernet/amd/atarilance.c +@@ -825,7 +825,7 @@ lance_start_xmit(struct sk_buff *skb, struct net_device *dev) + lp->memcpy_f( PKTBUF_ADDR(head), (void *)skb->data, skb->len ); + head->flag = TMD1_OWN_CHIP | TMD1_ENP | TMD1_STP; + dev->stats.tx_bytes += skb->len; +- dev_kfree_skb( skb ); ++ dev_consume_skb_irq(skb); + lp->cur_tx++; + while( lp->cur_tx >= TX_RING_SIZE && lp->dirty_tx >= TX_RING_SIZE ) { + lp->cur_tx -= TX_RING_SIZE; +diff --git a/drivers/net/ethernet/amd/lance.c b/drivers/net/ethernet/amd/lance.c +index f90b454b1642..7ba3da856105 100644 +--- a/drivers/net/ethernet/amd/lance.c ++++ b/drivers/net/ethernet/amd/lance.c +@@ -997,7 +997,7 @@ static netdev_tx_t lance_start_xmit(struct sk_buff *skb, + 
skb_copy_from_linear_data(skb, &lp->tx_bounce_buffs[entry], skb->len); + lp->tx_ring[entry].base = + ((u32)isa_virt_to_bus((lp->tx_bounce_buffs + entry)) & 0xffffff) | 0x83000000; +- dev_kfree_skb(skb); ++ dev_consume_skb_irq(skb); + } else { + lp->tx_skbuff[entry] = skb; + lp->tx_ring[entry].base = ((u32)isa_virt_to_bus(skb->data) & 0xffffff) | 0x83000000; +-- +2.35.1 + diff --git a/queue-5.4/net-amd-xgbe-check-only-the-minimum-speed-for-active.patch b/queue-5.4/net-amd-xgbe-check-only-the-minimum-speed-for-active.patch new file mode 100644 index 00000000000..0eda2f0892a --- /dev/null +++ b/queue-5.4/net-amd-xgbe-check-only-the-minimum-speed-for-active.patch 
@@ -0,0 +1,75 @@ +From 0344fe4ac6f82087b789d4cfa4bfd7ead5928ec7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 10:22:25 -0600 +Subject: net: amd-xgbe: Check only the minimum speed for active/passive cables + +From: Tom Lendacky + +[ Upstream commit f8ab263d4d48e6dab752029bf562f20a2ee630ed ] + +There are cables that exist that can support speeds in excess of 10GbE. +The driver, however, restricts the EEPROM advertised nominal bitrate to +a specific range, which can prevent usage of cables that can support, +for example, up to 25GbE. + +Rather than checking that an active or passive cable supports a specific +range, only check for a minimum supported speed. + +Fixes: abf0a1c2b26a ("amd-xgbe: Add support for SFP+ modules") +Signed-off-by: Tom Lendacky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index 2cd5fd95af03..0a15c617c702 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -236,10 +236,7 @@ enum xgbe_sfp_speed { + + #define XGBE_SFP_BASE_BR 12 + #define XGBE_SFP_BASE_BR_1GBE_MIN 0x0a +-#define XGBE_SFP_BASE_BR_1GBE_MAX 0x0d + #define XGBE_SFP_BASE_BR_10GBE_MIN 0x64 +-#define XGBE_SFP_BASE_BR_10GBE_MAX 0x68 +-#define XGBE_MOLEX_SFP_BASE_BR_10GBE_MAX 0x78 + + #define XGBE_SFP_BASE_CU_CABLE_LEN 18 + +@@ -826,29 +823,22 @@ static void xgbe_phy_sfp_phy_settings(struct xgbe_prv_data *pdata) + static bool xgbe_phy_sfp_bit_rate(struct xgbe_sfp_eeprom *sfp_eeprom, + enum xgbe_sfp_speed sfp_speed) + { +- u8 *sfp_base, min, max; ++ u8 *sfp_base, min; + + sfp_base = sfp_eeprom->base; + + switch (sfp_speed) { + case XGBE_SFP_SPEED_1000: + min = XGBE_SFP_BASE_BR_1GBE_MIN; +- max = XGBE_SFP_BASE_BR_1GBE_MAX; + break; + case XGBE_SFP_SPEED_10000: + min = 
XGBE_SFP_BASE_BR_10GBE_MIN; +- if (memcmp(&sfp_eeprom->base[XGBE_SFP_BASE_VENDOR_NAME], +- XGBE_MOLEX_VENDOR, XGBE_SFP_BASE_VENDOR_NAME_LEN) == 0) +- max = XGBE_MOLEX_SFP_BASE_BR_10GBE_MAX; +- else +- max = XGBE_SFP_BASE_BR_10GBE_MAX; + break; + default: + return false; + } + +- return ((sfp_base[XGBE_SFP_BASE_BR] >= min) && +- (sfp_base[XGBE_SFP_BASE_BR] <= max)); ++ return sfp_base[XGBE_SFP_BASE_BR] >= min; + } + + static void xgbe_phy_free_phy_device(struct xgbe_prv_data *pdata) +-- +2.35.1 + diff --git a/queue-5.4/net-amd-xgbe-fix-logic-around-active-and-passive-cab.patch b/queue-5.4/net-amd-xgbe-fix-logic-around-active-and-passive-cab.patch new file mode 100644 index 00000000000..dd51f426f0a --- /dev/null +++ b/queue-5.4/net-amd-xgbe-fix-logic-around-active-and-passive-cab.patch 
@@ -0,0 +1,63 @@ +From 299effa3b5284a5c507295e20059e38fd731fd61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 10:22:24 -0600 +Subject: net: amd-xgbe: Fix logic around active and passive cables + +From: Tom Lendacky + +[ Upstream commit 4998006c73afe44e2f639d55bd331c6c26eb039f ] + +SFP+ active and passive cables are copper cables with fixed SFP+ end +connectors. Due to a misinterpretation of this, SFP+ active cables could +end up not being recognized, causing the driver to fail to establish a +connection. + +Introduce a new enum in SFP+ cable types, XGBE_SFP_CABLE_FIBER, that is +the default cable type, and handle active and passive cables when they are +specifically detected. + +Fixes: abf0a1c2b26a ("amd-xgbe: Add support for SFP+ modules") +Signed-off-by: Tom Lendacky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index b76138cd0935..2cd5fd95af03 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -188,6 +188,7 @@ enum xgbe_sfp_cable { + XGBE_SFP_CABLE_UNKNOWN = 0, + XGBE_SFP_CABLE_ACTIVE, + XGBE_SFP_CABLE_PASSIVE, ++ XGBE_SFP_CABLE_FIBER, + }; + + enum xgbe_sfp_base { +@@ -1148,16 +1149,18 @@ static void xgbe_phy_sfp_parse_eeprom(struct xgbe_prv_data *pdata) + phy_data->sfp_tx_fault = xgbe_phy_check_sfp_tx_fault(phy_data); + phy_data->sfp_rx_los = xgbe_phy_check_sfp_rx_los(phy_data); + +- /* Assume ACTIVE cable unless told it is PASSIVE */ ++ /* Assume FIBER cable unless told otherwise */ + if (sfp_base[XGBE_SFP_BASE_CABLE] & XGBE_SFP_BASE_CABLE_PASSIVE) { + phy_data->sfp_cable = XGBE_SFP_CABLE_PASSIVE; + phy_data->sfp_cable_len = sfp_base[XGBE_SFP_BASE_CU_CABLE_LEN]; +- } else { ++ } else if (sfp_base[XGBE_SFP_BASE_CABLE] & XGBE_SFP_BASE_CABLE_ACTIVE) 
{ + phy_data->sfp_cable = XGBE_SFP_CABLE_ACTIVE; ++ } else { ++ phy_data->sfp_cable = XGBE_SFP_CABLE_FIBER; + } + + /* Determine the type of SFP */ +- if (phy_data->sfp_cable == XGBE_SFP_CABLE_PASSIVE && ++ if (phy_data->sfp_cable != XGBE_SFP_CABLE_FIBER && + xgbe_phy_sfp_bit_rate(sfp_eeprom, XGBE_SFP_SPEED_10000)) + phy_data->sfp_base = XGBE_SFP_BASE_10000_CR; + else if (sfp_base[XGBE_SFP_BASE_10GBE_CC] & XGBE_SFP_BASE_10GBE_CC_SR) +-- +2.35.1 + diff --git a/queue-5.4/net-apple-bmac-don-t-call-dev_kfree_skb-under-spin_l.patch b/queue-5.4/net-apple-bmac-don-t-call-dev_kfree_skb-under-spin_l.patch new file mode 100644 index 00000000000..6db751e93a8 --- /dev/null +++ b/queue-5.4/net-apple-bmac-don-t-call-dev_kfree_skb-under-spin_l.patch 
@@ -0,0 +1,45 @@ +From 882999509a88faf7e2160762e167a5287e85e04f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 21:37:35 +0800 +Subject: net: apple: bmac: don't call dev_kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 5fe02e046e6422c4adfdbc50206ec7186077da24 ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +In this case, dev_kfree_skb() is called in bmac_tx_timeout() to drop +the SKB, when tx timeout, so replace it with dev_kfree_skb_irq(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/apple/bmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/apple/bmac.c b/drivers/net/ethernet/apple/bmac.c +index 3e3711b60d01..11d9884eb14d 100644 +--- a/drivers/net/ethernet/apple/bmac.c ++++ b/drivers/net/ethernet/apple/bmac.c +@@ -1511,7 +1511,7 @@ static void bmac_tx_timeout(struct timer_list *t) + i = bp->tx_empty; + ++dev->stats.tx_errors; + if (i != bp->tx_fill) { +- dev_kfree_skb(bp->tx_bufs[i]); ++ dev_kfree_skb_irq(bp->tx_bufs[i]); + bp->tx_bufs[i] = NULL; + if (++i >= N_TX_RING) i = 0; + bp->tx_empty = i; +-- +2.35.1 + diff --git a/queue-5.4/net-apple-mace-don-t-call-dev_kfree_skb-under-spin_l.patch b/queue-5.4/net-apple-mace-don-t-call-dev_kfree_skb-under-spin_l.patch new file mode 100644 index 00000000000..e4c257953dd --- /dev/null +++ b/queue-5.4/net-apple-mace-don-t-call-dev_kfree_skb-under-spin_l.patch 
@@ -0,0 +1,45 @@ +From 87de330efe9d89620340c46f002ab864d0738758 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 21:37:34 +0800 +Subject: net: apple: mace: don't call dev_kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 3dfe3486c1cd4f82b466b7d307f23777137b8acc ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +In this case, dev_kfree_skb() is called in mace_tx_timeout() to drop +the SKB, when tx timeout, so replace it with dev_kfree_skb_irq(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/apple/mace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/apple/mace.c b/drivers/net/ethernet/apple/mace.c +index b8ba2abf5b3a..65ed373d04f5 100644 +--- a/drivers/net/ethernet/apple/mace.c ++++ b/drivers/net/ethernet/apple/mace.c +@@ -841,7 +841,7 @@ static void mace_tx_timeout(struct timer_list *t) + if (mp->tx_bad_runt) { + mp->tx_bad_runt = 0; + } else if (i != mp->tx_fill) { +- dev_kfree_skb(mp->tx_bufs[i]); ++ dev_kfree_skb_irq(mp->tx_bufs[i]); + if (++i >= N_TX_RING) + i = 0; + mp->tx_empty = i; +-- +2.35.1 + diff --git a/queue-5.4/net-defxx-fix-missing-err-handling-in-dfx_init.patch b/queue-5.4/net-defxx-fix-missing-err-handling-in-dfx_init.patch new file mode 100644 index 00000000000..78bbccc4d18 --- /dev/null +++ b/queue-5.4/net-defxx-fix-missing-err-handling-in-dfx_init.patch 
@@ -0,0 +1,61 @@ +From bc1cf3ab5a5f4d371ea5d5fcd35acc644311ddca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 07:20:45 +0000 +Subject: net: defxx: Fix missing err handling in dfx_init() + +From: Yongqiang Liu + +[ Upstream commit ae18dcdff0f8d7e84cd3fd9f496518b5e72d185d ] + +When eisa_driver_register() or tc_register_driver() failed, +the modprobe defxx would fail with some err log as follows: + + Error: Driver 'defxx' is already registered, aborting... + +Fix this issue by adding err hanling in dfx_init(). + +Fixes: e89a2cfb7d7b5 ("[TC] defxx: TURBOchannel support") +Signed-off-by: Yongqiang Liu +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/fddi/defxx.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/fddi/defxx.c b/drivers/net/fddi/defxx.c +index c866f58dab70..28bf530cb005 100644 +--- a/drivers/net/fddi/defxx.c ++++ b/drivers/net/fddi/defxx.c +@@ -3844,10 +3844,24 @@ static int dfx_init(void) + int status; + + status = pci_register_driver(&dfx_pci_driver); +- if (!status) +- status = eisa_driver_register(&dfx_eisa_driver); +- if (!status) +- status = tc_register_driver(&dfx_tc_driver); ++ if (status) ++ goto err_pci_register; ++ ++ status = eisa_driver_register(&dfx_eisa_driver); ++ if (status) ++ goto err_eisa_register; ++ ++ status = tc_register_driver(&dfx_tc_driver); ++ if (status) ++ goto err_tc_register; ++ ++ return 0; ++ ++err_tc_register: ++ eisa_driver_unregister(&dfx_eisa_driver); ++err_eisa_register: ++ pci_unregister_driver(&dfx_pci_driver); ++err_pci_register: + return status; + } + +-- +2.35.1 + diff --git a/queue-5.4/net-emaclite-don-t-call-dev_kfree_skb-under-spin_loc.patch b/queue-5.4/net-emaclite-don-t-call-dev_kfree_skb-under-spin_loc.patch new file mode 100644 index 00000000000..841728e1a02 --- /dev/null +++ b/queue-5.4/net-emaclite-don-t-call-dev_kfree_skb-under-spin_loc.patch 
@@ -0,0 +1,44 @@ +From 1071abbf9ca60ae84ea4c6352bc23f5d103cf005 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 22:21:44 +0800 +Subject: net: emaclite: don't call dev_kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit d1678bf45f21fa5ae4a456f821858679556ea5f8 ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +In this case, dev_kfree_skb() is called in xemaclite_tx_timeout() to +drop the SKB, when tx timeout, so replace it with dev_kfree_skb_irq(). + +Fixes: bb81b2ddfa19 ("net: add Xilinx emac lite device driver") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_emaclite.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_emaclite.c b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +index 6e5ea68b6a7e..951482d899f9 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c ++++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +@@ -541,7 +541,7 @@ static void xemaclite_tx_timeout(struct net_device *dev) + xemaclite_enable_interrupts(lp); + + if (lp->deferred_skb) { +- dev_kfree_skb(lp->deferred_skb); ++ dev_kfree_skb_irq(lp->deferred_skb); + lp->deferred_skb = NULL; + dev->stats.tx_errors++; + } +-- +2.35.1 + diff --git a/queue-5.4/net-ethernet-dnet-don-t-call-dev_kfree_skb-under-spi.patch b/queue-5.4/net-ethernet-dnet-don-t-call-dev_kfree_skb-under-spi.patch new file mode 100644 index 00000000000..38cd3ae1bae --- /dev/null +++ b/queue-5.4/net-ethernet-dnet-don-t-call-dev_kfree_skb-under-spi.patch 
@@ -0,0 +1,45 @@ +From 29d0c2628859b4ec0526f8254f75a7e35c8f9b13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 22:21:45 +0800 +Subject: net: ethernet: dnet: don't call dev_kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit f07fadcbee2a5e84caa67c7c445424200bffb60b ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +In this case, the lock is used to protected 'bp', so we can move +dev_kfree_skb() after the spin_unlock_irqrestore(). + +Fixes: 4796417417a6 ("dnet: Dave DNET ethernet controller driver (updated)") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dnet.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/dnet.c b/drivers/net/ethernet/dnet.c +index e24979010969..da9f9ec3e123 100644 +--- a/drivers/net/ethernet/dnet.c ++++ b/drivers/net/ethernet/dnet.c +@@ -553,11 +553,11 @@ static netdev_tx_t dnet_start_xmit(struct sk_buff *skb, struct net_device *dev) + + skb_tx_timestamp(skb); + ++ spin_unlock_irqrestore(&bp->lock, flags); ++ + /* free the buffer */ + dev_kfree_skb(skb); + +- spin_unlock_irqrestore(&bp->lock, flags); +- + return NETDEV_TX_OK; + } + +-- +2.35.1 + diff --git a/queue-5.4/net-ethernet-ti-fix-return-type-of-netcp_ndo_start_x.patch b/queue-5.4/net-ethernet-ti-fix-return-type-of-netcp_ndo_start_x.patch new file mode 100644 index 00000000000..ee09849286d --- /dev/null +++ b/queue-5.4/net-ethernet-ti-fix-return-type-of-netcp_ndo_start_x.patch 
@@ -0,0 +1,53 @@ +From dc39343e82e4ab1d7fd6fda86ffb27e8f789c32d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 09:09:33 -0700 +Subject: net: ethernet: ti: Fix return type of netcp_ndo_start_xmit() + +From: Nathan Chancellor + +[ Upstream commit 63fe6ff674a96cfcfc0fa8df1051a27aa31c70b4 ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +proposed warning in clang aims to catch these at compile time, which +reveals: + + drivers/net/ethernet/ti/netcp_core.c:1944:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .ndo_start_xmit = netcp_ndo_start_xmit, + ^~~~~~~~~~~~~~~~~~~~ + 1 error generated. + +->ndo_start_xmit() in 'struct net_device_ops' expects a return type of +'netdev_tx_t', not 'int'. Adjust the return type of +netcp_ndo_start_xmit() to match the prototype's to resolve the warning +and CFI failure. 
+ +Link: https://github.com/ClangBuiltLinux/linux/issues/1750 +Signed-off-by: Nathan Chancellor +Reviewed-by: Kees Cook +Link: https://lore.kernel.org/r/20221102160933.1601260-1-nathan@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/netcp_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ti/netcp_core.c b/drivers/net/ethernet/ti/netcp_core.c +index 4154c48d1ddf..5dbb4ed1b132 100644 +--- a/drivers/net/ethernet/ti/netcp_core.c ++++ b/drivers/net/ethernet/ti/netcp_core.c +@@ -1262,7 +1262,7 @@ static int netcp_tx_submit_skb(struct netcp_intf *netcp, + } + + /* Submit the packet */ +-static int netcp_ndo_start_xmit(struct sk_buff *skb, struct net_device *ndev) ++static netdev_tx_t netcp_ndo_start_xmit(struct sk_buff *skb, struct net_device *ndev) + { + struct netcp_intf *netcp = netdev_priv(ndev); + struct netcp_stats *tx_stats = &netcp->stats; +-- +2.35.1 + diff --git a/queue-5.4/net-farsync-fix-kmemleak-when-rmmods-farsync.patch b/queue-5.4/net-farsync-fix-kmemleak-when-rmmods-farsync.patch new file mode 100644 index 00000000000..87c8235fa36 --- /dev/null +++ b/queue-5.4/net-farsync-fix-kmemleak-when-rmmods-farsync.patch 
@@ -0,0 +1,75 @@ +From 4fb022cabcad4a147963d3f2dbab662539fc5902 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 20:05:40 +0800 +Subject: net: farsync: Fix kmemleak when rmmods farsync + +From: Li Zetao + +[ Upstream commit 2f623aaf9f31de968dea6169849706a2f9be444c ] + +There are two memory leaks reported by kmemleak: + + unreferenced object 0xffff888114b20200 (size 128): + comm "modprobe", pid 4846, jiffies 4295146524 (age 401.345s) + hex dump (first 32 bytes): + e0 62 57 09 81 88 ff ff e0 62 57 09 81 88 ff ff .bW......bW..... + 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmalloc_trace+0x22/0x60 + [] __hw_addr_add_ex+0x198/0x6c0 + [] dev_addr_init+0x13d/0x230 + [] alloc_netdev_mqs+0x10d/0xe50 + [] alloc_hdlcdev+0x2e/0x80 + [] fst_add_one+0x601/0x10e0 [farsync] + ... + + unreferenced object 0xffff88810b85b000 (size 1024): + comm "modprobe", pid 4846, jiffies 4295146523 (age 401.346s) + hex dump (first 32 bytes): + 00 00 b0 02 00 c9 ff ff 00 70 0a 00 00 c9 ff ff .........p...... + 00 00 00 f2 00 00 00 f3 0a 00 00 00 02 00 00 00 ................ + backtrace: + [] kmalloc_trace+0x22/0x60 + [] fst_add_one+0x154/0x10e0 [farsync] + [] local_pci_probe+0xd3/0x170 + ... + +The root cause is traced to the netdev and fst_card_info are not freed +when removes one fst in fst_remove_one(), which may trigger oom if +repeated insmod and rmmod module. + +Fix it by adding free_netdev() and kfree() in fst_remove_one(), just as +the operations on the error handling path in fst_add_one(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Li Zetao +Reviewed-by: Jiri Pirko +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wan/farsync.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c +index 1901ec7948d8..a2527351f8a7 100644 +--- a/drivers/net/wan/farsync.c ++++ b/drivers/net/wan/farsync.c +@@ -2613,6 +2613,7 @@ fst_remove_one(struct pci_dev *pdev) + for (i = 0; i < card->nports; i++) { + struct net_device *dev = port_to_dev(&card->ports[i]); + unregister_hdlc_device(dev); ++ free_netdev(dev); + } + + fst_disable_intr(card); +@@ -2633,6 +2634,7 @@ fst_remove_one(struct pci_dev *pdev) + card->tx_dma_handle_card); + } + fst_card_array[card->card_no] = NULL; ++ kfree(card); + } + + static struct pci_driver fst_driver = { +-- +2.35.1 + diff --git a/queue-5.4/net-lan9303-fix-read-error-execution-path.patch b/queue-5.4/net-lan9303-fix-read-error-execution-path.patch new file mode 100644 index 00000000000..6874f12384c --- /dev/null +++ b/queue-5.4/net-lan9303-fix-read-error-execution-path.patch 
@@ -0,0 +1,44 @@ +From 31cab8aaaa19a4a19ca3bf02645c544b6197013d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Dec 2022 09:35:02 -0600 +Subject: net: lan9303: Fix read error execution path + +From: Jerry Ray + +[ Upstream commit 8964916d206071b058c6351f88b1966bd58cbde0 ] + +This patch fixes an issue where a read failure of a port statistic counter +will return unknown results. While it is highly unlikely the read will +ever fail, it is much cleaner to return a zero for the stat count. + +Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303") +Signed-off-by: Jerry Ray +Reviewed-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20221209153502.7429-1-jerry.ray@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/lan9303-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/lan9303-core.c b/drivers/net/dsa/lan9303-core.c +index e981b0184077..625db92792da 100644 +--- a/drivers/net/dsa/lan9303-core.c ++++ b/drivers/net/dsa/lan9303-core.c +@@ -1001,9 +1001,11 @@ static void lan9303_get_ethtool_stats(struct dsa_switch *ds, int port, + ret = lan9303_read_switch_port( + chip, port, lan9303_mib[u].offset, ®); + +- if (ret) ++ if (ret) { + dev_warn(chip->dev, "Reading status port %d reg %u failed\n", + port, lan9303_mib[u].offset); ++ reg = 0; ++ } + data[u] = reg; + } + } +-- +2.35.1 + diff --git a/queue-5.4/net-proc-provide-proc_fs-n-fallback-for-proc_create_.patch b/queue-5.4/net-proc-provide-proc_fs-n-fallback-for-proc_create_.patch new file mode 100644 index 00000000000..65f26516b76 --- /dev/null +++ b/queue-5.4/net-proc-provide-proc_fs-n-fallback-for-proc_create_.patch 
@@ -0,0 +1,43 @@ +From cf06f47584e5793150a754184cb33be9444dd8aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Oct 2022 07:34:21 +0100 +Subject: net, proc: Provide PROC_FS=n fallback for + proc_create_net_single_write() + +From: David Howells + +[ Upstream commit c3d96f690a790074b508fe183a41e36a00cd7ddd ] + +Provide a CONFIG_PROC_FS=n fallback for proc_create_net_single_write(). + +Also provide a fallback for proc_create_net_data_write(). + +Fixes: 564def71765c ("proc: Add a way to make network proc files writable") +Reported-by: kernel test robot +Signed-off-by: David Howells +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +cc: netdev@vger.kernel.org +Signed-off-by: Sasha Levin +--- + include/linux/proc_fs.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h +index 865d02c224ad..b8d41d0e7b46 100644 +--- a/include/linux/proc_fs.h ++++ b/include/linux/proc_fs.h +@@ -127,8 +127,10 @@ static inline void proc_remove(struct proc_dir_entry *de) {} + static inline int remove_proc_subtree(const char *name, struct proc_dir_entry *parent) { return 0; } + + #define proc_create_net_data(name, mode, parent, ops, state_size, data) ({NULL;}) ++#define proc_create_net_data_write(name, mode, parent, ops, write, state_size, data) ({NULL;}) + #define proc_create_net(name, mode, parent, state_size, ops) ({NULL;}) + #define proc_create_net_single(name, mode, parent, show, data) ({NULL;}) ++#define proc_create_net_single_write(name, mode, parent, show, write, data) ({NULL;}) + + static inline struct pid *tgid_pidfd_to_pid(const struct file *file) + { +-- +2.35.1 + diff --git a/queue-5.4/net-stmmac-selftests-fix-potential-memleak-in-stmmac.patch b/queue-5.4/net-stmmac-selftests-fix-potential-memleak-in-stmmac.patch new file mode 100644 index 00000000000..3b8aff551d3 --- /dev/null +++ b/queue-5.4/net-stmmac-selftests-fix-potential-memleak-in-stmmac.patch 
@@ -0,0 +1,50 @@ +From 81aa792db58e165d4bcd3b32000b8e8a88a62996 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 16:31:59 +0800 +Subject: net: stmmac: selftests: fix potential memleak in + stmmac_test_arpoffload() + +From: Zhang Changzhong + +[ Upstream commit f150b63f3fa5fdd81e0dd6151e8850268e29438c ] + +The skb allocated by stmmac_test_get_arp_skb() hasn't been released in +some error handling case, which will lead to a memory leak. Fix this up +by adding kfree_skb() to release skb. + +Compile tested only. + +Fixes: 5e3fb0a6e2b3 ("net: stmmac: selftests: Implement the ARP Offload test") +Signed-off-by: Zhang Changzhong +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c +index ba03a2d77434..e65577f1da54 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c +@@ -1614,12 +1614,16 @@ static int stmmac_test_arpoffload(struct stmmac_priv *priv) + } + + ret = stmmac_set_arp_offload(priv, priv->hw, true, ip_addr); +- if (ret) ++ if (ret) { ++ kfree_skb(skb); + goto cleanup; ++ } + + ret = dev_set_promiscuity(priv->dev, 1); +- if (ret) ++ if (ret) { ++ kfree_skb(skb); + goto cleanup; ++ } + + skb_set_queue_mapping(skb, 0); + ret = dev_queue_xmit(skb); +-- +2.35.1 + diff --git a/queue-5.4/net-stream-purge-sk_error_queue-in-sk_stream_kill_qu.patch b/queue-5.4/net-stream-purge-sk_error_queue-in-sk_stream_kill_qu.patch new file mode 100644 index 00000000000..3e37eb74091 --- /dev/null +++ b/queue-5.4/net-stream-purge-sk_error_queue-in-sk_stream_kill_qu.patch 
@@ -0,0 +1,69 @@ +From 72d4d6d69a551f843865e7c53daaeea486798150 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Dec 2022 16:29:17 +0000 +Subject: net: stream: purge sk_error_queue in sk_stream_kill_queues() + +From: Eric Dumazet + +[ Upstream commit e0c8bccd40fc1c19e1d246c39bcf79e357e1ada3 ] + +Changheon Lee reported TCP socket leaks, with a nice repro. + +It seems we leak TCP sockets with the following sequence: + +1) SOF_TIMESTAMPING_TX_ACK is enabled on the socket. + + Each ACK will cook an skb put in error queue, from __skb_tstamp_tx(). + __skb_tstamp_tx() is using skb_clone(), unless + SOF_TIMESTAMPING_OPT_TSONLY was also requested. + +2) If the application is also using MSG_ZEROCOPY, then we put in the + error queue cloned skbs that had a struct ubuf_info attached to them. + + Whenever an struct ubuf_info is allocated, sock_zerocopy_alloc() + does a sock_hold(). + + As long as the cloned skbs are still in sk_error_queue, + socket refcount is kept elevated. + +3) Application closes the socket, while error queue is not empty. + +Since tcp_close() no longer purges the socket error queue, +we might end up with a TCP socket with at least one skb in +error queue keeping the socket alive forever. + +This bug can be (ab)used to consume all kernel memory +and freeze the host. + +We need to purge the error queue, with proper synchronization +against concurrent writers. + +Fixes: 24bcbe1cc69f ("net: stream: don't purge sk_error_queue in sk_stream_kill_queues()") +Reported-by: Changheon Lee +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/stream.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/core/stream.c b/net/core/stream.c +index a61130504827..d7c5413d16d5 100644 +--- a/net/core/stream.c ++++ b/net/core/stream.c +@@ -196,6 +196,12 @@ void sk_stream_kill_queues(struct sock *sk) + /* First the read buffer. */ + __skb_queue_purge(&sk->sk_receive_queue); + ++ /* Next, the error queue. 
++ * We need to use queue lock, because other threads might ++ * add packets to the queue without socket lock being held. ++ */ ++ skb_queue_purge(&sk->sk_error_queue); ++ + /* Next, the write queue. */ + WARN_ON(!skb_queue_empty(&sk->sk_write_queue)); + +-- +2.35.1 + diff --git a/queue-5.4/net-tunnel-wait-until-all-sk_user_data-reader-finish.patch b/queue-5.4/net-tunnel-wait-until-all-sk_user_data-reader-finish.patch new file mode 100644 index 00000000000..4a7c2849481 --- /dev/null +++ b/queue-5.4/net-tunnel-wait-until-all-sk_user_data-reader-finish.patch 
@@ -0,0 +1,75 @@ +From e7ab8893e7cb8c63a089a3302ea0bfbe7574c156 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 20:04:52 +0800 +Subject: net/tunnel: wait until all sk_user_data reader finish before + releasing the sock + +From: Hangbin Liu + +[ Upstream commit 3cf7203ca620682165706f70a1b12b5194607dce ] + +There is a race condition in vxlan that when deleting a vxlan device +during receiving packets, there is a possibility that the sock is +released after getting vxlan_sock vs from sk_user_data. Then in +later vxlan_ecn_decapsulate(), vxlan_get_sk_family() we will got +NULL pointer dereference. e.g. + + #0 [ffffa25ec6978a38] machine_kexec at ffffffff8c669757 + #1 [ffffa25ec6978a90] __crash_kexec at ffffffff8c7c0a4d + #2 [ffffa25ec6978b58] crash_kexec at ffffffff8c7c1c48 + #3 [ffffa25ec6978b60] oops_end at ffffffff8c627f2b + #4 [ffffa25ec6978b80] page_fault_oops at ffffffff8c678fcb + #5 [ffffa25ec6978bd8] exc_page_fault at ffffffff8d109542 + #6 [ffffa25ec6978c00] asm_exc_page_fault at ffffffff8d200b62 + [exception RIP: vxlan_ecn_decapsulate+0x3b] + RIP: ffffffffc1014e7b RSP: ffffa25ec6978cb0 RFLAGS: 00010246 + RAX: 0000000000000008 RBX: ffff8aa000888000 RCX: 0000000000000000 + RDX: 000000000000000e RSI: ffff8a9fc7ab803e RDI: ffff8a9fd1168700 + RBP: ffff8a9fc7ab803e R8: 0000000000700000 R9: 00000000000010ae + R10: ffff8a9fcb748980 R11: 0000000000000000 R12: ffff8a9fd1168700 + R13: ffff8aa000888000 R14: 00000000002a0000 R15: 00000000000010ae + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + #7 [ffffa25ec6978ce8] vxlan_rcv at ffffffffc10189cd [vxlan] + #8 [ffffa25ec6978d90] udp_queue_rcv_one_skb at ffffffff8cfb6507 + #9 [ffffa25ec6978dc0] udp_unicast_rcv_skb at ffffffff8cfb6e45 + #10 [ffffa25ec6978dc8] __udp4_lib_rcv at ffffffff8cfb8807 + #11 [ffffa25ec6978e20] ip_protocol_deliver_rcu at ffffffff8cf76951 + #12 [ffffa25ec6978e48] ip_local_deliver at ffffffff8cf76bde + #13 [ffffa25ec6978ea0] __netif_receive_skb_one_core at ffffffff8cecde9b + #14 
[ffffa25ec6978ec8] process_backlog at ffffffff8cece139 + #15 [ffffa25ec6978f00] __napi_poll at ffffffff8ceced1a + #16 [ffffa25ec6978f28] net_rx_action at ffffffff8cecf1f3 + #17 [ffffa25ec6978fa0] __softirqentry_text_start at ffffffff8d4000ca + #18 [ffffa25ec6978ff0] do_softirq at ffffffff8c6fbdc3 + +Reproducer: https://github.com/Mellanox/ovs-tests/blob/master/test-ovs-vxlan-remove-tunnel-during-traffic.sh + +Fix this by waiting for all sk_user_data reader to finish before +releasing the sock. + +Reported-by: Jianlin Shi +Suggested-by: Jakub Sitnicki +Fixes: 6a93cc905274 ("udp-tunnel: Add a few more UDP tunnel APIs") +Signed-off-by: Hangbin Liu +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/udp_tunnel.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/udp_tunnel.c b/net/ipv4/udp_tunnel.c +index 150e6f0fdbf5..bbe4eca42d36 100644 +--- a/net/ipv4/udp_tunnel.c ++++ b/net/ipv4/udp_tunnel.c +@@ -196,6 +196,7 @@ EXPORT_SYMBOL_GPL(udp_tunnel_xmit_skb); + void udp_tunnel_sock_release(struct socket *sock) + { + rcu_assign_sk_user_data(sock->sk, NULL); ++ synchronize_rcu(); + kernel_sock_shutdown(sock, SHUT_RDWR); + sock_release(sock); + } +-- +2.35.1 + diff --git a/queue-5.4/net-vmw_vsock-vmci-check-memcpy_from_msg.patch b/queue-5.4/net-vmw_vsock-vmci-check-memcpy_from_msg.patch new file mode 100644 index 00000000000..cbe8028f578 --- /dev/null +++ b/queue-5.4/net-vmw_vsock-vmci-check-memcpy_from_msg.patch 
@@ -0,0 +1,47 @@ +From 2642a9aa174f2af51d4bb7efbc43dfb0e21cce24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Dec 2022 09:58:34 +0300 +Subject: net: vmw_vsock: vmci: Check memcpy_from_msg() + +From: Artem Chernyshev + +[ Upstream commit 44aa5a6dba8283bfda28b1517af4de711c5652a4 ] + +vmci_transport_dgram_enqueue() does not check the return value +of memcpy_from_msg(). If memcpy_from_msg() fails, it is possible that +uninitialized memory contents are sent unintentionally instead of user's +message in the datagram to the destination. Return with an error if +memcpy_from_msg() fails. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr") +Signed-off-by: Artem Chernyshev +Reviewed-by: Stefano Garzarella +Reviewed-by: Vishnu Dasa +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/vmci_transport.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c +index aaabcd84268a..85488e19dffc 100644 +--- a/net/vmw_vsock/vmci_transport.c ++++ b/net/vmw_vsock/vmci_transport.c +@@ -1725,7 +1725,11 @@ static int vmci_transport_dgram_enqueue( + if (!dg) + return -ENOMEM; + +- memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len); ++ err = memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len); ++ if (err) { ++ kfree(dg); ++ return err; ++ } + + dg->dst = vmci_make_handle(remote_addr->svm_cid, + remote_addr->svm_port); +-- +2.35.1 + diff --git a/queue-5.4/net_sched-reject-tcf_em_simple-case-for-complex-emat.patch b/queue-5.4/net_sched-reject-tcf_em_simple-case-for-complex-emat.patch new file mode 100644 index 00000000000..e0310cd7a8b --- /dev/null +++ b/queue-5.4/net_sched-reject-tcf_em_simple-case-for-complex-emat.patch 
@@ -0,0 +1,52 @@ +From c2cd887553e1326733bed86e60431df9bc0bc737 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Dec 2022 14:17:07 -0800 +Subject: net_sched: reject TCF_EM_SIMPLE case for complex ematch module + +From: Cong Wang + +[ Upstream commit 9cd3fd2054c3b3055163accbf2f31a4426f10317 ] + +When TCF_EM_SIMPLE was introduced, it is supposed to be convenient +for ematch implementation: + +https://lore.kernel.org/all/20050105110048.GO26856@postel.suug.ch/ + +"You don't have to, providing a 32bit data chunk without TCF_EM_SIMPLE +set will simply result in allocating & copy. It's an optimization, +nothing more." + +So if an ematch module provides ops->datalen that means it wants a +complex data structure (saved in its em->data) instead of a simple u32 +value. We should simply reject such a combination, otherwise this u32 +could be misinterpreted as a pointer. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-and-tested-by: syzbot+4caeae4c7103813598ae@syzkaller.appspotmail.com +Reported-by: Jun Nie +Cc: Jamal Hadi Salim +Cc: Paolo Abeni +Signed-off-by: Cong Wang +Acked-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/ematch.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/sched/ematch.c b/net/sched/ematch.c +index dd3b8c11a2e0..43bfb33629e9 100644 +--- a/net/sched/ematch.c ++++ b/net/sched/ematch.c +@@ -255,6 +255,8 @@ static int tcf_em_validate(struct tcf_proto *tp, + * the value carried. + */ + if (em_hdr->flags & TCF_EM_SIMPLE) { ++ if (em->ops->datalen > 0) ++ goto errout; + if (data_len < sizeof(u32)) + goto errout; + em->data = *(u32 *) data; +-- +2.35.1 + diff --git a/queue-5.4/netfilter-conntrack-set-icmpv6-redirects-as-related.patch b/queue-5.4/netfilter-conntrack-set-icmpv6-redirects-as-related.patch new file mode 100644 index 00000000000..07d2aabafa3 --- /dev/null +++ b/queue-5.4/netfilter-conntrack-set-icmpv6-redirects-as-related.patch 
@@ -0,0 +1,173 @@ +From 24aca4cd438d3ca07840a5945b380033413e34c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 16:00:09 +0100 +Subject: netfilter: conntrack: set icmpv6 redirects as RELATED + +From: Florian Westphal + +[ Upstream commit 7d7cfb48d81353e826493d24c7cec7360950968f ] + +icmp conntrack will set icmp redirects as RELATED, but icmpv6 will not +do this. + +For icmpv6, only icmp errors (code <= 128) are examined for RELATED state. +ICMPV6 Redirects are part of neighbour discovery mechanism, those are +handled by marking a selected subset (e.g. neighbour solicitations) as +UNTRACKED, but not REDIRECT -- they will thus be flagged as INVALID. + +Add minimal support for REDIRECTs. No parsing of neighbour options is +added for simplicity, so this will only check that we have the embeeded +original header (ND_OPT_REDIRECT_HDR), and then attempt to do a flow +lookup for this tuple. + +Also extend the existing test case to cover redirects. + +Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") +Reported-by: Eric Garver +Link: https://github.com/firewalld/firewalld/issues/1046 +Signed-off-by: Florian Westphal +Acked-by: Eric Garver +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_proto_icmpv6.c | 53 +++++++++++++++++++ + .../netfilter/conntrack_icmp_related.sh | 36 ++++++++++++- + 2 files changed, 87 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_proto_icmpv6.c b/net/netfilter/nf_conntrack_proto_icmpv6.c +index 6f9144e1f1c1..ee45dbf1b035 100644 +--- a/net/netfilter/nf_conntrack_proto_icmpv6.c ++++ b/net/netfilter/nf_conntrack_proto_icmpv6.c +@@ -128,6 +128,56 @@ static void icmpv6_error_log(const struct sk_buff *skb, + IPPROTO_ICMPV6, "%s", msg); + } + ++static noinline_for_stack int ++nf_conntrack_icmpv6_redirect(struct nf_conn *tmpl, struct sk_buff *skb, ++ unsigned int dataoff, ++ const struct nf_hook_state *state) ++{ ++ u8 hl = ipv6_hdr(skb)->hop_limit; ++ 
union nf_inet_addr outer_daddr; ++ union { ++ struct nd_opt_hdr nd_opt; ++ struct rd_msg rd_msg; ++ } tmp; ++ const struct nd_opt_hdr *nd_opt; ++ const struct rd_msg *rd_msg; ++ ++ rd_msg = skb_header_pointer(skb, dataoff, sizeof(*rd_msg), &tmp.rd_msg); ++ if (!rd_msg) { ++ icmpv6_error_log(skb, state, "short redirect"); ++ return -NF_ACCEPT; ++ } ++ ++ if (rd_msg->icmph.icmp6_code != 0) ++ return NF_ACCEPT; ++ ++ if (hl != 255 || !(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) { ++ icmpv6_error_log(skb, state, "invalid saddr or hoplimit for redirect"); ++ return -NF_ACCEPT; ++ } ++ ++ dataoff += sizeof(*rd_msg); ++ ++ /* warning: rd_msg no longer usable after this call */ ++ nd_opt = skb_header_pointer(skb, dataoff, sizeof(*nd_opt), &tmp.nd_opt); ++ if (!nd_opt || nd_opt->nd_opt_len == 0) { ++ icmpv6_error_log(skb, state, "redirect without options"); ++ return -NF_ACCEPT; ++ } ++ ++ /* We could call ndisc_parse_options(), but it would need ++ * skb_linearize() and a bit more work. ++ */ ++ if (nd_opt->nd_opt_type != ND_OPT_REDIRECT_HDR) ++ return NF_ACCEPT; ++ ++ memcpy(&outer_daddr.ip6, &ipv6_hdr(skb)->daddr, ++ sizeof(outer_daddr.ip6)); ++ dataoff += 8; ++ return nf_conntrack_inet_error(tmpl, skb, dataoff, state, ++ IPPROTO_ICMPV6, &outer_daddr); ++} ++ + int nf_conntrack_icmpv6_error(struct nf_conn *tmpl, + struct sk_buff *skb, + unsigned int dataoff, +@@ -158,6 +208,9 @@ int nf_conntrack_icmpv6_error(struct nf_conn *tmpl, + return NF_ACCEPT; + } + ++ if (icmp6h->icmp6_type == NDISC_REDIRECT) ++ return nf_conntrack_icmpv6_redirect(tmpl, skb, dataoff, state); ++ + /* is not error message ? 
*/ + if (icmp6h->icmp6_type >= 128) + return NF_ACCEPT; +diff --git a/tools/testing/selftests/netfilter/conntrack_icmp_related.sh b/tools/testing/selftests/netfilter/conntrack_icmp_related.sh +index b48e1833bc89..76645aaf2b58 100755 +--- a/tools/testing/selftests/netfilter/conntrack_icmp_related.sh ++++ b/tools/testing/selftests/netfilter/conntrack_icmp_related.sh +@@ -35,6 +35,8 @@ cleanup() { + for i in 1 2;do ip netns del nsrouter$i;done + } + ++trap cleanup EXIT ++ + ipv4() { + echo -n 192.168.$1.2 + } +@@ -146,11 +148,17 @@ ip netns exec nsclient1 nft -f - < /dev/null ++ ++expect="packets 1 bytes 112" ++check_counter nsclient1 "redir4" "$expect" ++if [ $? -ne 0 ];then ++ ret=1 ++fi ++ ++ip netns exec "nsclient1" ping -c 1 dead:1::42 > /dev/null ++expect="packets 1 bytes 192" ++check_counter nsclient1 "redir6" "$expect" ++if [ $? -ne 0 ];then ++ ret=1 ++fi ++ ++if [ $ret -eq 0 ];then ++ echo "PASS: icmp redirects had RELATED state" ++else ++ echo "ERROR: icmp redirect RELATED state test has failed" ++fi ++ + exit $ret +-- +2.35.1 + diff --git a/queue-5.4/nfc-pn533-clear-nfc_target-before-being-used.patch b/queue-5.4/nfc-pn533-clear-nfc_target-before-being-used.patch new file mode 100644 index 00000000000..a96f8ce2bf8 --- /dev/null +++ b/queue-5.4/nfc-pn533-clear-nfc_target-before-being-used.patch 
@@ -0,0 +1,73 @@ +From e1b688272a7bc203586a2367a4ce0715b40128fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Dec 2022 10:51:39 +0900 +Subject: nfc: pn533: Clear nfc_target before being used + +From: Minsuk Kang + +[ Upstream commit 9f28157778ede0d4f183f7ab3b46995bb400abbe ] + +Fix a slab-out-of-bounds read that occurs in nla_put() called from +nfc_genl_send_target() when target->sensb_res_len, which is duplicated +from an nfc_target in pn533, is too large as the nfc_target is not +properly initialized and retains garbage values. Clear nfc_targets with +memset() before they are used. + +Found by a modified version of syzkaller. + +BUG: KASAN: slab-out-of-bounds in nla_put +Call Trace: + memcpy + nla_put + nfc_genl_dump_targets + genl_lock_dumpit + netlink_dump + __netlink_dump_start + genl_family_rcv_msg_dumpit + genl_rcv_msg + netlink_rcv_skb + genl_rcv + netlink_unicast + netlink_sendmsg + sock_sendmsg + ____sys_sendmsg + ___sys_sendmsg + __sys_sendmsg + do_syscall_64 + +Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection") +Fixes: 361f3cb7f9cf ("NFC: DEP link hook implementation for pn533") +Signed-off-by: Minsuk Kang +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20221214015139.119673-1-linuxlovemin@yonsei.ac.kr +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/pn533/pn533.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c +index 807b7b37d9dc..1e90ff17f87d 100644 +--- a/drivers/nfc/pn533/pn533.c ++++ b/drivers/nfc/pn533/pn533.c +@@ -1293,6 +1293,8 @@ static int pn533_poll_dep_complete(struct pn533 *dev, void *arg, + if (IS_ERR(resp)) + return PTR_ERR(resp); + ++ memset(&nfc_target, 0, sizeof(struct nfc_target)); ++ + rsp = (struct pn533_cmd_jump_dep_response *)resp->data; + + rc = rsp->status & PN533_CMD_RET_MASK; +@@ -1774,6 +1776,8 @@ static int pn533_in_dep_link_up_complete(struct pn533 *dev, void *arg, 
+ + dev_dbg(dev->dev, "Creating new target\n"); + ++ memset(&nfc_target, 0, sizeof(struct nfc_target)); ++ + nfc_target.supported_protocols = NFC_PROTO_NFC_DEP_MASK; + nfc_target.nfcid1_len = 10; + memcpy(nfc_target.nfcid1, rsp->nfcid3t, nfc_target.nfcid1_len); +-- +2.35.1 + diff --git a/queue-5.4/nfsd-add-tracepoints-to-nfsd-s-duplicate-reply-cache.patch b/queue-5.4/nfsd-add-tracepoints-to-nfsd-s-duplicate-reply-cache.patch new file mode 100644 index 00000000000..3d5fee10566 --- /dev/null +++ b/queue-5.4/nfsd-add-tracepoints-to-nfsd-s-duplicate-reply-cache.patch 
@@ -0,0 +1,244 @@ +From 9504649b8af86fbc59126e182fcc87b7ca26e905 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 May 2020 11:34:40 -0400 +Subject: NFSD: Add tracepoints to NFSD's duplicate reply cache + +From: Chuck Lever + +[ Upstream commit 0b175b18648ebedfe255b11a7792f1d76848a8f7 ] + +Try to capture DRC failures. + +Two additional clean-ups: +- Introduce Doxygen-style comments for the main entry points +- Remove a dprintk that fires for an allocation failure. This was + the only dprintk in the REPCACHE class. + +Reported-by: kbuild test robot +[ cel: force typecast for display of checksum values ] +Signed-off-by: Chuck Lever +Stable-dep-of: 3bc8edc98bd4 ("nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure") +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfscache.c | 57 +++++++++++++++++++++++++++----------------- + fs/nfsd/trace.h | 59 ++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 94 insertions(+), 22 deletions(-) + +diff --git a/fs/nfsd/nfscache.c b/fs/nfsd/nfscache.c +index 670e97dd67f0..80c90fc231a5 100644 +--- a/fs/nfsd/nfscache.c ++++ b/fs/nfsd/nfscache.c +@@ -20,8 +20,7 @@ + + #include "nfsd.h" + #include "cache.h" +- +-#define NFSDDBG_FACILITY NFSDDBG_REPCACHE ++#include "trace.h" + + /* + * We use this value to determine the number of hash buckets from the max +@@ -324,8 +323,10 @@ nfsd_cache_key_cmp(const struct svc_cacherep *key, + const struct svc_cacherep *rp, struct nfsd_net *nn) + { + if (key->c_key.k_xid == rp->c_key.k_xid && +- key->c_key.k_csum != rp->c_key.k_csum) ++ key->c_key.k_csum != rp->c_key.k_csum) { + ++nn->payload_misses; ++ trace_nfsd_drc_mismatch(nn, key, rp); ++ } + + return memcmp(&key->c_key, &rp->c_key, sizeof(key->c_key)); + } +@@ -378,15 +379,22 @@ nfsd_cache_insert(struct nfsd_drc_bucket *b, struct svc_cacherep *key, + return ret; + } + +-/* ++/** ++ * nfsd_cache_lookup - Find an entry in the duplicate reply cache ++ * @rqstp: Incoming Call to find ++ * + * Try to find an entry 
matching the current call in the cache. When none + * is found, we try to grab the oldest expired entry off the LRU list. If + * a suitable one isn't there, then drop the cache_lock and allocate a + * new one, then search again in case one got inserted while this thread + * didn't hold the lock. ++ * ++ * Return values: ++ * %RC_DOIT: Process the request normally ++ * %RC_REPLY: Reply from cache ++ * %RC_DROPIT: Do not process the request further + */ +-int +-nfsd_cache_lookup(struct svc_rqst *rqstp) ++int nfsd_cache_lookup(struct svc_rqst *rqstp) + { + struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); + struct svc_cacherep *rp, *found; +@@ -400,7 +408,7 @@ nfsd_cache_lookup(struct svc_rqst *rqstp) + rqstp->rq_cacherep = NULL; + if (type == RC_NOCACHE) { + nfsdstats.rcnocache++; +- return rtn; ++ goto out; + } + + csum = nfsd_cache_csum(rqstp); +@@ -410,10 +418,8 @@ nfsd_cache_lookup(struct svc_rqst *rqstp) + * preallocate an entry. + */ + rp = nfsd_reply_cache_alloc(rqstp, csum, nn); +- if (!rp) { +- dprintk("nfsd: unable to allocate DRC entry!\n"); +- return rtn; +- } ++ if (!rp) ++ goto out; + + spin_lock(&b->cache_lock); + found = nfsd_cache_insert(b, rp, nn); +@@ -432,8 +438,10 @@ nfsd_cache_lookup(struct svc_rqst *rqstp) + + /* go ahead and prune the cache */ + prune_bucket(b, nn); +- out: ++ ++out_unlock: + spin_unlock(&b->cache_lock); ++out: + return rtn; + + found_entry: +@@ -443,13 +451,13 @@ nfsd_cache_lookup(struct svc_rqst *rqstp) + + /* Request being processed */ + if (rp->c_state == RC_INPROG) +- goto out; ++ goto out_trace; + + /* From the hall of fame of impractical attacks: + * Is this a user who tries to snoop on the cache? 
*/ + rtn = RC_DOIT; + if (!test_bit(RQ_SECURE, &rqstp->rq_flags) && rp->c_secure) +- goto out; ++ goto out_trace; + + /* Compose RPC reply header */ + switch (rp->c_type) { +@@ -461,20 +469,26 @@ nfsd_cache_lookup(struct svc_rqst *rqstp) + break; + case RC_REPLBUFF: + if (!nfsd_cache_append(rqstp, &rp->c_replvec)) +- goto out; /* should not happen */ ++ goto out_unlock; /* should not happen */ + rtn = RC_REPLY; + break; + default: + WARN_ONCE(1, "nfsd: bad repcache type %d\n", rp->c_type); + } + +- goto out; ++out_trace: ++ trace_nfsd_drc_found(nn, rqstp, rtn); ++ goto out_unlock; + } + +-/* +- * Update a cache entry. This is called from nfsd_dispatch when +- * the procedure has been executed and the complete reply is in +- * rqstp->rq_res. ++/** ++ * nfsd_cache_update - Update an entry in the duplicate reply cache. ++ * @rqstp: svc_rqst with a finished Reply ++ * @cachetype: which cache to update ++ * @statp: Reply's status code ++ * ++ * This is called from nfsd_dispatch when the procedure has been ++ * executed and the complete reply is in rqstp->rq_res. + * + * We're copying around data here rather than swapping buffers because + * the toplevel loop requires max-sized buffers, which would be a waste +@@ -487,8 +501,7 @@ nfsd_cache_lookup(struct svc_rqst *rqstp) + * nfsd failed to encode a reply that otherwise would have been cached. + * In this case, nfsd_cache_update is called with statp == NULL. 
+ */ +-void +-nfsd_cache_update(struct svc_rqst *rqstp, int cachetype, __be32 *statp) ++void nfsd_cache_update(struct svc_rqst *rqstp, int cachetype, __be32 *statp) + { + struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); + struct svc_cacherep *rp = rqstp->rq_cacherep; +diff --git a/fs/nfsd/trace.h b/fs/nfsd/trace.h +index dc6aae4ef41d..9d37d09d7ca8 100644 +--- a/fs/nfsd/trace.h ++++ b/fs/nfsd/trace.h +@@ -310,6 +310,65 @@ TRACE_EVENT(nfsd_file_fsnotify_handle_event, + __entry->nlink, __entry->mode, __entry->mask) + ); + ++#include "cache.h" ++ ++TRACE_DEFINE_ENUM(RC_DROPIT); ++TRACE_DEFINE_ENUM(RC_REPLY); ++TRACE_DEFINE_ENUM(RC_DOIT); ++ ++#define show_drc_retval(x) \ ++ __print_symbolic(x, \ ++ { RC_DROPIT, "DROPIT" }, \ ++ { RC_REPLY, "REPLY" }, \ ++ { RC_DOIT, "DOIT" }) ++ ++TRACE_EVENT(nfsd_drc_found, ++ TP_PROTO( ++ const struct nfsd_net *nn, ++ const struct svc_rqst *rqstp, ++ int result ++ ), ++ TP_ARGS(nn, rqstp, result), ++ TP_STRUCT__entry( ++ __field(unsigned long long, boot_time) ++ __field(unsigned long, result) ++ __field(u32, xid) ++ ), ++ TP_fast_assign( ++ __entry->boot_time = nn->boot_time; ++ __entry->result = result; ++ __entry->xid = be32_to_cpu(rqstp->rq_xid); ++ ), ++ TP_printk("boot_time=%16llx xid=0x%08x result=%s", ++ __entry->boot_time, __entry->xid, ++ show_drc_retval(__entry->result)) ++ ++); ++ ++TRACE_EVENT(nfsd_drc_mismatch, ++ TP_PROTO( ++ const struct nfsd_net *nn, ++ const struct svc_cacherep *key, ++ const struct svc_cacherep *rp ++ ), ++ TP_ARGS(nn, key, rp), ++ TP_STRUCT__entry( ++ __field(unsigned long long, boot_time) ++ __field(u32, xid) ++ __field(u32, cached) ++ __field(u32, ingress) ++ ), ++ TP_fast_assign( ++ __entry->boot_time = nn->boot_time; ++ __entry->xid = be32_to_cpu(key->c_key.k_xid); ++ __entry->cached = (__force u32)key->c_key.k_csum; ++ __entry->ingress = (__force u32)rp->c_key.k_csum; ++ ), ++ TP_printk("boot_time=%16llx xid=0x%08x cached-csum=0x%08x ingress-csum=0x%08x", ++ __entry->boot_time, 
__entry->xid, __entry->cached, ++ __entry->ingress) ++); ++ + #endif /* _NFSD_TRACE_H */ + + #undef TRACE_INCLUDE_PATH +-- +2.35.1 + diff --git a/queue-5.4/nfsd-define-the-file-access-mode-enum-for-tracing.patch b/queue-5.4/nfsd-define-the-file-access-mode-enum-for-tracing.patch new file mode 100644 index 00000000000..45e286adc2a --- /dev/null +++ b/queue-5.4/nfsd-define-the-file-access-mode-enum-for-tracing.patch @@ -0,0 +1,37 @@ +From 43821cf1a9bd597e5e1d390f46d0c77a3aa83d7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jan 2020 12:00:22 -0500 +Subject: nfsd: Define the file access mode enum for tracing + +From: Trond Myklebust + +[ Upstream commit c19285596de699e4602f9c89785e6b8c29422286 ] + +Signed-off-by: Trond Myklebust +Signed-off-by: J. Bruce Fields +Stable-dep-of: 3bc8edc98bd4 ("nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure") +Signed-off-by: Sasha Levin +--- + fs/nfsd/trace.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/nfsd/trace.h b/fs/nfsd/trace.h +index 127db5351d01..dc6aae4ef41d 100644 +--- a/fs/nfsd/trace.h ++++ b/fs/nfsd/trace.h +@@ -166,6 +166,12 @@ DEFINE_STATEID_EVENT(layout_recall_done); + DEFINE_STATEID_EVENT(layout_recall_fail); + DEFINE_STATEID_EVENT(layout_recall_release); + ++TRACE_DEFINE_ENUM(NFSD_FILE_HASHED); ++TRACE_DEFINE_ENUM(NFSD_FILE_PENDING); ++TRACE_DEFINE_ENUM(NFSD_FILE_BREAK_READ); ++TRACE_DEFINE_ENUM(NFSD_FILE_BREAK_WRITE); ++TRACE_DEFINE_ENUM(NFSD_FILE_REFERENCED); ++ + #define show_nf_flags(val) \ + __print_flags(val, "|", \ + { 1 << NFSD_FILE_HASHED, "HASHED" }, \ +-- +2.35.1 + diff --git a/queue-5.4/nfsd-don-t-call-nfsd_file_put-from-client-states-seq.patch b/queue-5.4/nfsd-don-t-call-nfsd_file_put-from-client-states-seq.patch new file mode 100644 index 00000000000..166a342f267 --- /dev/null +++ b/queue-5.4/nfsd-don-t-call-nfsd_file_put-from-client-states-seq.patch 
@@ -0,0 +1,147 @@ +From b3664ab00b81423a849fd4a4a8715d3de5be6fc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Oct 2022 08:13:53 -0400 +Subject: nfsd: don't call nfsd_file_put from client states seqfile display + +From: Jeff Layton + +[ Upstream commit e0aa651068bfd520afcd357af8ecd2de005fc83d ] + +We had a report of this: + + BUG: sleeping function called from invalid context at fs/nfsd/filecache.c:440 + +...with a stack trace showing nfsd_file_put being called from +nfs4_show_open. This code has always tried to call fput while holding a +spinlock, but we recently changed this to use the filecache, and that +started triggering the might_sleep() in nfsd_file_put. + +states_start takes and holds the cl_lock while iterating over the +client's states, and we can't sleep with that held. + +Have the various nfs4_show_* functions instead hold the fi_lock instead +of taking a nfsd_file reference. + +Fixes: 78599c42ae3c ("nfsd4: add file to display list of client's opens") +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2138357 +Reported-by: Zhi Li +Signed-off-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4state.c | 51 +++++++++++++++++++++++++++++---------------- + 1 file changed, 33 insertions(+), 18 deletions(-) + +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index 228c2b0753dc..de2c3809d15a 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -508,15 +508,26 @@ find_any_file(struct nfs4_file *f) + return ret; + } + +-static struct nfsd_file *find_deleg_file(struct nfs4_file *f) ++static struct nfsd_file *find_any_file_locked(struct nfs4_file *f) + { +- struct nfsd_file *ret = NULL; ++ lockdep_assert_held(&f->fi_lock); ++ ++ if (f->fi_fds[O_RDWR]) ++ return f->fi_fds[O_RDWR]; ++ if (f->fi_fds[O_WRONLY]) ++ return f->fi_fds[O_WRONLY]; ++ if (f->fi_fds[O_RDONLY]) ++ return f->fi_fds[O_RDONLY]; ++ return NULL; ++} ++ ++static struct nfsd_file *find_deleg_file_locked(struct nfs4_file *f) ++{ 
++ lockdep_assert_held(&f->fi_lock); + +- spin_lock(&f->fi_lock); + if (f->fi_deleg_file) +- ret = nfsd_file_get(f->fi_deleg_file); +- spin_unlock(&f->fi_lock); +- return ret; ++ return f->fi_deleg_file; ++ return NULL; + } + + static atomic_long_t num_delegations; +@@ -2402,9 +2413,11 @@ static int nfs4_show_open(struct seq_file *s, struct nfs4_stid *st) + ols = openlockstateid(st); + oo = ols->st_stateowner; + nf = st->sc_file; +- file = find_any_file(nf); ++ ++ spin_lock(&nf->fi_lock); ++ file = find_any_file_locked(nf); + if (!file) +- return 0; ++ goto out; + + seq_printf(s, "- 0x%16phN: { type: open, ", &st->sc_stateid); + +@@ -2422,8 +2435,8 @@ static int nfs4_show_open(struct seq_file *s, struct nfs4_stid *st) + seq_printf(s, ", "); + nfs4_show_owner(s, oo); + seq_printf(s, " }\n"); +- nfsd_file_put(file); +- ++out: ++ spin_unlock(&nf->fi_lock); + return 0; + } + +@@ -2437,9 +2450,10 @@ static int nfs4_show_lock(struct seq_file *s, struct nfs4_stid *st) + ols = openlockstateid(st); + oo = ols->st_stateowner; + nf = st->sc_file; +- file = find_any_file(nf); ++ spin_lock(&nf->fi_lock); ++ file = find_any_file_locked(nf); + if (!file) +- return 0; ++ goto out; + + seq_printf(s, "- 0x%16phN: { type: lock, ", &st->sc_stateid); + +@@ -2455,8 +2469,8 @@ static int nfs4_show_lock(struct seq_file *s, struct nfs4_stid *st) + seq_printf(s, ", "); + nfs4_show_owner(s, oo); + seq_printf(s, " }\n"); +- nfsd_file_put(file); +- ++out: ++ spin_unlock(&nf->fi_lock); + return 0; + } + +@@ -2468,9 +2482,10 @@ static int nfs4_show_deleg(struct seq_file *s, struct nfs4_stid *st) + + ds = delegstateid(st); + nf = st->sc_file; +- file = find_deleg_file(nf); ++ spin_lock(&nf->fi_lock); ++ file = find_deleg_file_locked(nf); + if (!file) +- return 0; ++ goto out; + + seq_printf(s, "- 0x%16phN: { type: deleg, ", &st->sc_stateid); + +@@ -2482,8 +2497,8 @@ static int nfs4_show_deleg(struct seq_file *s, struct nfs4_stid *st) + + nfs4_show_superblock(s, file); + seq_printf(s, " }\n"); +- 
nfsd_file_put(file); +- ++out: ++ spin_unlock(&nf->fi_lock); + return 0; + } + +-- +2.35.1 + diff --git a/queue-5.4/nfsd-under-nfsv4.1-fix-double-svc_xprt_put-on-rpc_cr.patch b/queue-5.4/nfsd-under-nfsv4.1-fix-double-svc_xprt_put-on-rpc_cr.patch new file mode 100644 index 00000000000..2605f5d68e2 --- /dev/null +++ b/queue-5.4/nfsd-under-nfsv4.1-fix-double-svc_xprt_put-on-rpc_cr.patch 
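Review bot: find_any_file_locked() and find_deleg_file_locked() in fs/nfsd/nfs4state.c return an nfsd_file pointer with no reference taken, so the pointer is valid only while fi_lock is held, and nothing beyond the lockdep assertion says so. A one-line comment on each helper stating that the result must not be used after spin_unlock(&nf->fi_lock) would keep a later caller from turning this into a use-after-free. Also, nfs4_show_open(), nfs4_show_lock() and nfs4_show_deleg() now call seq_printf(), nfs4_show_owner() and nfs4_show_superblock() between spin_lock and spin_unlock; since sleeping under a spinlock is the bug being fixed, it is worth confirming and recording that none of these can sleep.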
@@ -0,0 +1,87 @@ +From d69f345f95d42231fe0767ed2912e48d72211f4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Dec 2022 13:11:06 +0200 +Subject: nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure + +From: Dan Aloni + +[ Upstream commit 3bc8edc98bd43540dbe648e4ef91f443d6d20a24 ] + +On error situation `clp->cl_cb_conn.cb_xprt` should not be given +a reference to the xprt otherwise both client cleanup and the +error handling path of the caller call to put it. Better to +delay handing over the reference to a later branch. + +[ 72.530665] refcount_t: underflow; use-after-free. +[ 72.531933] WARNING: CPU: 0 PID: 173 at lib/refcount.c:28 refcount_warn_saturate+0xcf/0x120 +[ 72.533075] Modules linked in: nfsd(OE) nfsv4(OE) nfsv3(OE) nfs(OE) lockd(OE) compat_nfs_ssc(OE) nfs_acl(OE) rpcsec_gss_krb5(OE) auth_rpcgss(OE) rpcrdma(OE) dns_resolver fscache netfs grace rdma_cm iw_cm ib_cm sunrpc(OE) mlx5_ib mlx5_core mlxfw pci_hyperv_intf ib_uverbs ib_core xt_MASQUERADE nf_conntrack_netlink nft_counter xt_addrtype nft_compat br_netfilter bridge stp llc nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set overlay nf_tables nfnetlink crct10dif_pclmul crc32_pclmul ghash_clmulni_intel xfs serio_raw virtio_net virtio_blk net_failover failover fuse [last unloaded: sunrpc] +[ 72.540389] CPU: 0 PID: 173 Comm: kworker/u16:5 Tainted: G OE 5.15.82-dan #1 +[ 72.541511] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+1084+97b81f61 04/01/2014 +[ 72.542717] Workqueue: nfsd4_callbacks nfsd4_run_cb_work [nfsd] +[ 72.543575] RIP: 0010:refcount_warn_saturate+0xcf/0x120 +[ 72.544299] Code: 55 00 0f 0b 5d e9 01 50 98 00 80 3d 75 9e 39 08 00 0f 85 74 ff ff ff 48 c7 c7 e8 d1 60 8e c6 05 61 9e 39 08 01 e8 f6 51 55 00 <0f> 0b 5d e9 d9 4f 98 00 80 3d 4b 9e 39 08 00 0f 85 4c ff ff ff 48 +[ 72.546666] RSP: 0018:ffffb3f841157cf0 EFLAGS: 00010286 +[ 72.547393] RAX: 0000000000000026 RBX: 
ffff89ac6231d478 RCX: 0000000000000000 +[ 72.548324] RDX: ffff89adb7c2c2c0 RSI: ffff89adb7c205c0 RDI: ffff89adb7c205c0 +[ 72.549271] RBP: ffffb3f841157cf0 R08: 0000000000000000 R09: c0000000ffefffff +[ 72.550209] R10: 0000000000000001 R11: ffffb3f841157ad0 R12: ffff89ac6231d180 +[ 72.551142] R13: ffff89ac6231d478 R14: ffff89ac40c06180 R15: ffff89ac6231d4b0 +[ 72.552089] FS: 0000000000000000(0000) GS:ffff89adb7c00000(0000) knlGS:0000000000000000 +[ 72.553175] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 72.553934] CR2: 0000563a310506a8 CR3: 0000000109a66000 CR4: 0000000000350ef0 +[ 72.554874] Call Trace: +[ 72.555278] +[ 72.555614] svc_xprt_put+0xaf/0xe0 [sunrpc] +[ 72.556276] nfsd4_process_cb_update.isra.11+0xb7/0x410 [nfsd] +[ 72.557087] ? update_load_avg+0x82/0x610 +[ 72.557652] ? cpuacct_charge+0x60/0x70 +[ 72.558212] ? dequeue_entity+0xdb/0x3e0 +[ 72.558765] ? queued_spin_unlock+0x9/0x20 +[ 72.559358] nfsd4_run_cb_work+0xfc/0x270 [nfsd] +[ 72.560031] process_one_work+0x1df/0x390 +[ 72.560600] worker_thread+0x37/0x3b0 +[ 72.561644] ? process_one_work+0x390/0x390 +[ 72.562247] kthread+0x12f/0x150 +[ 72.562710] ? set_kthread_struct+0x50/0x50 +[ 72.563309] ret_from_fork+0x22/0x30 +[ 72.563818] +[ 72.564189] ---[ end trace 031117b1c72ec616 ]--- +[ 72.566019] list_add corruption. next->prev should be prev (ffff89ac4977e538), but was ffff89ac4763e018. (next=ffff89ac4763e018). +[ 72.567647] ------------[ cut here ]------------ + +Fixes: a4abc6b12eb1 ("nfsd: Fix svc_xprt refcnt leak when setup callback client failed") +Cc: Xiyu Yang +Cc: J. 
Bruce Fields +Signed-off-by: Dan Aloni +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4callback.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c +index 3c50d18fe8a9..ffc2b838b123 100644 +--- a/fs/nfsd/nfs4callback.c ++++ b/fs/nfsd/nfs4callback.c +@@ -880,7 +880,6 @@ static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *c + } else { + if (!conn->cb_xprt) + return -EINVAL; +- clp->cl_cb_conn.cb_xprt = conn->cb_xprt; + clp->cl_cb_session = ses; + args.bc_xprt = conn->cb_xprt; + args.prognumber = clp->cl_cb_session->se_cb_prog; +@@ -900,6 +899,9 @@ static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *c + rpc_shutdown_client(client); + return -ENOMEM; + } ++ ++ if (clp->cl_minorversion != 0) ++ clp->cl_cb_conn.cb_xprt = conn->cb_xprt; + clp->cl_cb_client = client; + clp->cl_cb_cred = cred; + return 0; +-- +2.35.1 + diff --git a/queue-5.4/nfsv4-fix-a-deadlock-between-nfs4_open_recover_helpe.patch b/queue-5.4/nfsv4-fix-a-deadlock-between-nfs4_open_recover_helpe.patch new file mode 100644 index 00000000000..8bb29c8a924 --- /dev/null +++ b/queue-5.4/nfsv4-fix-a-deadlock-between-nfs4_open_recover_helpe.patch 
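Review bot: In the second hunk of setup_callback_client(), the hand-off of conn->cb_xprt is guarded by clp->cl_minorversion != 0, while the assignment it replaces sat in an else branch whose condition lies outside the hunk context, so the two conditions cannot be checked for equivalence from the diff alone. Please confirm they match, and add a short comment at the new assignment saying that clp takes over the xprt reference only once no further error return is possible. Note that clp->cl_cb_session = ses is still assigned before the error paths; if that is intentional, a word on why it is harmless would help.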
@@ -0,0 +1,73 @@ +From 5e06cf5168c9781c26644a982aa6012d59c1c349 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 13:20:01 -0400 +Subject: NFSv4: Fix a deadlock between nfs4_open_recover_helper() and + delegreturn + +From: Trond Myklebust + +[ Upstream commit 51069e4aef6257b0454057359faed0ab0c9af083 ] + +If we're asked to recover open state while a delegation return is +outstanding, then the state manager thread cannot use a cached open, so +if the server returns a delegation, we can end up deadlocked behind the +pending delegreturn. +To avoid this problem, let's just ask the server not to give us a +delegation unless we're explicitly reclaiming one. + +Fixes: be36e185bd26 ("NFSv4: nfs4_open_recover_helper() must set share access") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 3da48dd67b83..a76550d927e7 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -2085,18 +2085,18 @@ static struct nfs4_opendata *nfs4_open_recoverdata_alloc(struct nfs_open_context + } + + static int nfs4_open_recover_helper(struct nfs4_opendata *opendata, +- fmode_t fmode) ++ fmode_t fmode) + { + struct nfs4_state *newstate; ++ struct nfs_server *server = NFS_SB(opendata->dentry->d_sb); ++ int openflags = opendata->o_arg.open_flags; + int ret; + + if (!nfs4_mode_match_open_stateid(opendata->state, fmode)) + return 0; +- opendata->o_arg.open_flags = 0; + opendata->o_arg.fmode = fmode; +- opendata->o_arg.share_access = nfs4_map_atomic_open_share( +- NFS_SB(opendata->dentry->d_sb), +- fmode, 0); ++ opendata->o_arg.share_access = ++ nfs4_map_atomic_open_share(server, fmode, openflags); + memset(&opendata->o_res, 0, sizeof(opendata->o_res)); + memset(&opendata->c_res, 0, sizeof(opendata->c_res)); + nfs4_init_opendata_res(opendata); +@@ -2671,10 +2671,15 @@ static int _nfs4_open_expired(struct 
nfs_open_context *ctx, struct nfs4_state *s + struct nfs4_opendata *opendata; + int ret; + +- opendata = nfs4_open_recoverdata_alloc(ctx, state, +- NFS4_OPEN_CLAIM_FH); ++ opendata = nfs4_open_recoverdata_alloc(ctx, state, NFS4_OPEN_CLAIM_FH); + if (IS_ERR(opendata)) + return PTR_ERR(opendata); ++ /* ++ * We're not recovering a delegation, so ask for no delegation. ++ * Otherwise the recovery thread could deadlock with an outstanding ++ * delegation return. ++ */ ++ opendata->o_arg.open_flags = O_DIRECT; + ret = nfs4_open_recover(opendata, state); + if (ret == -ESTALE) + d_drop(ctx->dentry); +-- +2.35.1 + diff --git a/queue-5.4/nfsv4.2-clear-fattr4_word2_security_label-when-done-.patch b/queue-5.4/nfsv4.2-clear-fattr4_word2_security_label-when-done-.patch new file mode 100644 index 00000000000..957fea2ca04 --- /dev/null +++ b/queue-5.4/nfsv4.2-clear-fattr4_word2_security_label-when-done-.patch 
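Review bot: In _nfs4_open_expired(), open_flags = O_DIRECT is used as the signal for "no delegation wanted", and the new comment explains the deadlock but not why O_DIRECT carries that meaning. The flag only takes effect through the nfs4_map_atomic_open_share(server, fmode, openflags) call in the first hunk, so the comment should name that function as the place where the flag is interpreted. The first hunk also removes the unconditional open_flags = 0 from nfs4_open_recover_helper(), which means every other caller now passes through whatever nfs4_open_recoverdata_alloc() left in o_arg.open_flags; please confirm that value is what each caller expects.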
@@ -0,0 +1,42 @@ +From 272a807fa760e7cbea168540af00c77f6b620255 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 16:44:47 -0400 +Subject: NFSv4.2: Clear FATTR4_WORD2_SECURITY_LABEL when done decoding + +From: Trond Myklebust + +[ Upstream commit eef7314caf2d73a94b68ba293cd105154d3a664e ] + +We need to clear the FATTR4_WORD2_SECURITY_LABEL bitmap flag +irrespective of whether or not the label is too long. + +Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4xdr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c +index 2b7741fe42ea..ac9ffe184451 100644 +--- a/fs/nfs/nfs4xdr.c ++++ b/fs/nfs/nfs4xdr.c +@@ -4169,6 +4169,7 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap, + p = xdr_inline_decode(xdr, len); + if (unlikely(!p)) + return -EIO; ++ bitmap[2] &= ~FATTR4_WORD2_SECURITY_LABEL; + if (len < NFS4_MAXLABELLEN) { + if (label) { + if (label->len) { +@@ -4181,7 +4182,6 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap, + label->lfs = lfs; + status = NFS_ATTR_FATTR_V4_SECURITY_LABEL; + } +- bitmap[2] &= ~FATTR4_WORD2_SECURITY_LABEL; + } else + printk(KERN_WARNING "%s: label too long (%u)!\n", + __func__, len); +-- +2.35.1 + diff --git a/queue-5.4/nfsv4.2-fix-a-memory-stomp-in-decode_attr_security_l.patch b/queue-5.4/nfsv4.2-fix-a-memory-stomp-in-decode_attr_security_l.patch new file mode 100644 index 00000000000..45f30898603 --- /dev/null +++ b/queue-5.4/nfsv4.2-fix-a-memory-stomp-in-decode_attr_security_l.patch 
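Review bot: With the bitmap clear moved ahead of the length check in decode_attr_security_label(), the else branch only logs, and it does so through an unratelimited printk(KERN_WARNING ...) with a length taken from the server's reply. Consider pr_warn_ratelimited() there so that a server which keeps returning oversized labels cannot flood the client log. The commit message would also benefit from one sentence on what goes wrong when the FATTR4_WORD2_SECURITY_LABEL bit is left set.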
@@ -0,0 +1,43 @@ +From 4666cc26ad18b7e4ee17cf728389fa2e7eb51cfd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 18:21:14 -0400 +Subject: NFSv4.2: Fix a memory stomp in decode_attr_security_label + +From: Trond Myklebust + +[ Upstream commit 43c1031f7110967c240cb6e922adcfc4b8899183 ] + +We must not change the value of label->len if it is zero, since that +indicates we stored a label. + +Fixes: b4487b935452 ("nfs: Fix getxattr kernel panic and memory overflow") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4xdr.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c +index ac9ffe184451..a3592becae4a 100644 +--- a/fs/nfs/nfs4xdr.c ++++ b/fs/nfs/nfs4xdr.c +@@ -4171,12 +4171,10 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap, + return -EIO; + bitmap[2] &= ~FATTR4_WORD2_SECURITY_LABEL; + if (len < NFS4_MAXLABELLEN) { +- if (label) { +- if (label->len) { +- if (label->len < len) +- return -ERANGE; +- memcpy(label->label, p, len); +- } ++ if (label && label->len) { ++ if (label->len < len) ++ return -ERANGE; ++ memcpy(label->label, p, len); + label->len = len; + label->pi = pi; + label->lfs = lfs; +-- +2.35.1 + diff --git a/queue-5.4/nfsv4.2-fix-initialisation-of-struct-nfs4_label.patch b/queue-5.4/nfsv4.2-fix-initialisation-of-struct-nfs4_label.patch new file mode 100644 index 00000000000..3a64bafcd85 --- /dev/null +++ b/queue-5.4/nfsv4.2-fix-initialisation-of-struct-nfs4_label.patch 
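Review bot: The rewritten condition "if (label && label->len)" in decode_attr_security_label() depends on label->len meaning the caller's buffer capacity on entry and the decoded length on exit, and that dual meaning is not documented anywhere in the hunk. A comment above the check stating that a zero label->len means no buffer was supplied, so nothing is copied and len, pi and lfs are left untouched, would make the contract explicit and guard against the length being overwritten again in a later cleanup.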
@@ -0,0 +1,83 @@ +From 8c9121f71ecee134a427c51fa7fe54352a2fa089 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Oct 2022 13:12:11 -0400 +Subject: NFSv4.2: Fix initialisation of struct nfs4_label + +From: Trond Myklebust + +[ Upstream commit c528f70f504434eaff993a5ddd52203a2010d51f ] + +The call to nfs4_label_init_security() should return a fully initialised +label. + +Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 77c2c88621be..3da48dd67b83 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -121,6 +121,11 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, + if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL) == 0) + return NULL; + ++ label->lfs = 0; ++ label->pi = 0; ++ label->len = 0; ++ label->label = NULL; ++ + err = security_dentry_init_security(dentry, sattr->ia_mode, + &dentry->d_name, (void **)&label->label, &label->len); + if (err == 0) +@@ -3742,7 +3747,7 @@ nfs4_atomic_open(struct inode *dir, struct nfs_open_context *ctx, + int open_flags, struct iattr *attr, int *opened) + { + struct nfs4_state *state; +- struct nfs4_label l = {0, 0, 0, NULL}, *label = NULL; ++ struct nfs4_label l, *label; + + label = nfs4_label_init_security(dir, ctx->dentry, attr, &l); + +@@ -4497,7 +4502,7 @@ nfs4_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr, + int flags) + { + struct nfs_server *server = NFS_SERVER(dir); +- struct nfs4_label l, *ilabel = NULL; ++ struct nfs4_label l, *ilabel; + struct nfs_open_context *ctx; + struct nfs4_state *state; + int status = 0; +@@ -4850,7 +4855,7 @@ static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry, + struct nfs4_exception exception = { + .interruptible = true, + }; +- struct nfs4_label l, *label = NULL; ++ struct 
nfs4_label l, *label; + int err; + + label = nfs4_label_init_security(dir, dentry, sattr, &l); +@@ -4891,7 +4896,7 @@ static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry, + struct nfs4_exception exception = { + .interruptible = true, + }; +- struct nfs4_label l, *label = NULL; ++ struct nfs4_label l, *label; + int err; + + label = nfs4_label_init_security(dir, dentry, sattr, &l); +@@ -5012,7 +5017,7 @@ static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry, + struct nfs4_exception exception = { + .interruptible = true, + }; +- struct nfs4_label l, *label = NULL; ++ struct nfs4_label l, *label; + int err; + + label = nfs4_label_init_security(dir, dentry, sattr, &l); +-- +2.35.1 + diff --git a/queue-5.4/nfsv4.x-fail-client-initialisation-if-state-manager-.patch b/queue-5.4/nfsv4.x-fail-client-initialisation-if-state-manager-.patch new file mode 100644 index 00000000000..c5369d7ee3c --- /dev/null +++ b/queue-5.4/nfsv4.x-fail-client-initialisation-if-state-manager-.patch 
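Review bot: The callers (nfs4_atomic_open, nfs4_proc_create, nfs4_proc_symlink, nfs4_proc_mkdir, nfs4_proc_mknod) drop their initialisers and now depend entirely on nfs4_label_init_security(), but the added field assignments sit after the early "return NULL" for servers without NFS_CAP_SECURITY_LABEL, so on that path the on-stack struct l stays uninitialised. That is safe only if every caller uses the returned pointer and never &l directly; please confirm. In nfs4_proc_create() the hunk removes "= NULL" from ilabel and the assignment is not in the visible context, so verify that ilabel is set on every path before it is read.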
@@ -0,0 +1,37 @@ +From c0b25610cee5d21a559937ac2f151e6bf544a6b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Dec 2022 12:42:59 -0500 +Subject: NFSv4.x: Fail client initialisation if state manager thread can't run + +From: Trond Myklebust + +[ Upstream commit b4e4f66901658fae0614dea5bf91062a5387eda7 ] + +If the state manager thread fails to start, then we should just mark the +client initialisation as failed so that other processes or threads don't +get stuck in nfs_wait_client_init_complete(). + +Reported-by: ChenXiaoSong +Fixes: 4697bd5e9419 ("NFSv4: Fix a race in the net namespace mount notification") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4state.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c +index c60b3a1f6d2b..2ee30ffeb6b9 100644 +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1224,6 +1224,8 @@ void nfs4_schedule_state_manager(struct nfs_client *clp) + if (IS_ERR(task)) { + printk(KERN_ERR "%s: kthread_run: %ld\n", + __func__, PTR_ERR(task)); ++ if (!nfs_client_init_is_complete(clp)) ++ nfs_mark_client_ready(clp, PTR_ERR(task)); + nfs4_clear_state_manager_bit(clp); + nfs_put_client(clp); + module_put(THIS_MODULE); +-- +2.35.1 + diff --git a/queue-5.4/nilfs2-fix-shift-out-of-bounds-overflow-in-nilfs_sb2.patch b/queue-5.4/nilfs2-fix-shift-out-of-bounds-overflow-in-nilfs_sb2.patch new file mode 100644 index 00000000000..3a11be71a86 --- /dev/null +++ b/queue-5.4/nilfs2-fix-shift-out-of-bounds-overflow-in-nilfs_sb2.patch 
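Review bot: In nfs4_schedule_state_manager(), the new nfs_client_init_is_complete() test followed by nfs_mark_client_ready() is a check-then-act sequence with no lock visible in the hunk. If another thread can complete or fail initialisation between the two calls, the error status written here could overwrite a state set elsewhere; please confirm that cannot happen on this path, or add a comment explaining why the race is benign.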
@@ -0,0 +1,114 @@ +From 33b3bcb0e382600fefa33c9a42a05309392f7fe8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 13:43:05 +0900 +Subject: nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() + +From: Ryusuke Konishi + +[ Upstream commit 610a2a3d7d8be3537458a378ec69396a76c385b6 ] + +Patch series "nilfs2: fix UBSAN shift-out-of-bounds warnings on mount +time". + +The first patch fixes a bug reported by syzbot, and the second one fixes +the remaining bug of the same kind. Although they are triggered by the +same super block data anomaly, I divided it into the above two because the +details of the issues and how to fix it are different. + +Both are required to eliminate the shift-out-of-bounds issues at mount +time. + +This patch (of 2): + +If the block size exponent information written in an on-disk superblock is +corrupted, nilfs_sb2_bad_offset helper function can trigger +shift-out-of-bounds warning followed by a kernel panic (if panic_on_warn +is set): + + shift exponent 38983 is too large for 64-bit type 'unsigned long long' + Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 + ubsan_epilogue lib/ubsan.c:151 [inline] + __ubsan_handle_shift_out_of_bounds+0x33d/0x3b0 lib/ubsan.c:322 + nilfs_sb2_bad_offset fs/nilfs2/the_nilfs.c:449 [inline] + nilfs_load_super_block+0xdf5/0xe00 fs/nilfs2/the_nilfs.c:523 + init_nilfs+0xb7/0x7d0 fs/nilfs2/the_nilfs.c:577 + nilfs_fill_super+0xb1/0x5d0 fs/nilfs2/super.c:1047 + nilfs_mount+0x613/0x9b0 fs/nilfs2/super.c:1317 + ... + +In addition, since nilfs_sb2_bad_offset() performs multiplication without +considering the upper bound, the computation may overflow if the disk +layout parameters are not normal. + +This fixes these issues by inserting preliminary sanity checks for those +parameters and by converting the comparison from one involving +multiplication and left bit-shifting to one using division and right +bit-shifting. 
+ +Link: https://lkml.kernel.org/r/20221027044306.42774-1-konishi.ryusuke@gmail.com +Link: https://lkml.kernel.org/r/20221027044306.42774-2-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+e91619dd4c11c4960706@syzkaller.appspotmail.com +Tested-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/the_nilfs.c | 31 +++++++++++++++++++++++++++---- + 1 file changed, 27 insertions(+), 4 deletions(-) + +diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c +index fb61c33c6004..74ef3d313686 100644 +--- a/fs/nilfs2/the_nilfs.c ++++ b/fs/nilfs2/the_nilfs.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include "nilfs.h" + #include "segment.h" +@@ -448,11 +449,33 @@ static int nilfs_valid_sb(struct nilfs_super_block *sbp) + return crc == le32_to_cpu(sbp->s_sum); + } + +-static int nilfs_sb2_bad_offset(struct nilfs_super_block *sbp, u64 offset) ++/** ++ * nilfs_sb2_bad_offset - check the location of the second superblock ++ * @sbp: superblock raw data buffer ++ * @offset: byte offset of second superblock calculated from device size ++ * ++ * nilfs_sb2_bad_offset() checks if the position on the second ++ * superblock is valid or not based on the filesystem parameters ++ * stored in @sbp. If @offset points to a location within the segment ++ * area, or if the parameters themselves are not normal, it is ++ * determined to be invalid. ++ * ++ * Return Value: true if invalid, false if valid. 
++ */ ++static bool nilfs_sb2_bad_offset(struct nilfs_super_block *sbp, u64 offset) + { +- return offset < ((le64_to_cpu(sbp->s_nsegments) * +- le32_to_cpu(sbp->s_blocks_per_segment)) << +- (le32_to_cpu(sbp->s_log_block_size) + 10)); ++ unsigned int shift_bits = le32_to_cpu(sbp->s_log_block_size); ++ u32 blocks_per_segment = le32_to_cpu(sbp->s_blocks_per_segment); ++ u64 nsegments = le64_to_cpu(sbp->s_nsegments); ++ u64 index; ++ ++ if (blocks_per_segment < NILFS_SEG_MIN_BLOCKS || ++ shift_bits > ilog2(NILFS_MAX_BLOCK_SIZE) - BLOCK_SIZE_BITS) ++ return true; ++ ++ index = offset >> (shift_bits + BLOCK_SIZE_BITS); ++ do_div(index, blocks_per_segment); ++ return index < nsegments; + } + + static void nilfs_release_super_block(struct the_nilfs *nilfs) +-- +2.35.1 + diff --git a/queue-5.4/ntb_netdev-use-dev_kfree_skb_any-in-interrupt-contex.patch b/queue-5.4/ntb_netdev-use-dev_kfree_skb_any-in-interrupt-contex.patch new file mode 100644 index 00000000000..36b7968267d --- /dev/null +++ b/queue-5.4/ntb_netdev-use-dev_kfree_skb_any-in-interrupt-contex.patch 
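Review bot: In the rewritten nilfs_sb2_bad_offset(), the blocks_per_segment < NILFS_SEG_MIN_BLOCKS test is also what keeps do_div(index, blocks_per_segment) from dividing by zero (assuming NILFS_SEG_MIN_BLOCKS is nonzero), and the shift_bits bound is what keeps the right shift defined, but neither dependency is stated next to the checks. A short comment tying each guard to the operation it protects would stop a later cleanup from reordering or dropping them. The return type also changes from int to bool, so callers that compare the result against a specific integer should be checked, and the kernel-doc block uses "Return Value:" where the kernel-doc section name is "Return:".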
@@ -0,0 +1,73 @@ +From 987cdfdb69fcaba7620b4aa32ace2cad7663d332 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 16:06:59 -0800 +Subject: ntb_netdev: Use dev_kfree_skb_any() in interrupt context + +From: Eric Pilmore + +[ Upstream commit 5f7d78b2b12a9d561f48fa00bab29b40f4616dad ] + +TX/RX callback handlers (ntb_netdev_tx_handler(), +ntb_netdev_rx_handler()) can be called in interrupt +context via the DMA framework when the respective +DMA operations have completed. As such, any calls +by these routines to free skb's, should use the +interrupt context safe dev_kfree_skb_any() function. + +Previously, these callback handlers would call the +interrupt unsafe version of dev_kfree_skb(). This has +not presented an issue on Intel IOAT DMA engines as +that driver utilizes tasklets rather than a hard +interrupt handler, like the AMD PTDMA DMA driver. +On AMD systems, a kernel WARNING message is +encountered, which is being issued from +skb_release_head_state() due to in_hardirq() +being true. + +Besides the user visible WARNING from the kernel, +the other symptom of this bug was that TCP/IP performance +across the ntb_netdev interface was very poor, i.e. +approximately an order of magnitude below what was +expected. With the repair to use dev_kfree_skb_any(), +kernel WARNINGs from skb_release_head_state() ceased +and TCP/IP performance, as measured by iperf, was on +par with expected results, approximately 20 Gb/s on +AMD Milan based server. Note that this performance +is comparable with Intel based servers. 
+ +Fixes: 765ccc7bc3d91 ("ntb_netdev: correct skb leak") +Fixes: 548c237c0a997 ("net: Add support for NTB virtual ethernet device") +Signed-off-by: Eric Pilmore +Reviewed-by: Dave Jiang +Link: https://lore.kernel.org/r/20221209000659.8318-1-epilmore@gigaio.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ntb_netdev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c +index 1b7d588ff3c5..b701ee83e64a 100644 +--- a/drivers/net/ntb_netdev.c ++++ b/drivers/net/ntb_netdev.c +@@ -137,7 +137,7 @@ static void ntb_netdev_rx_handler(struct ntb_transport_qp *qp, void *qp_data, + enqueue_again: + rc = ntb_transport_rx_enqueue(qp, skb, skb->data, ndev->mtu + ETH_HLEN); + if (rc) { +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + ndev->stats.rx_errors++; + ndev->stats.rx_fifo_errors++; + } +@@ -192,7 +192,7 @@ static void ntb_netdev_tx_handler(struct ntb_transport_qp *qp, void *qp_data, + ndev->stats.tx_aborted_errors++; + } + +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + + if (ntb_transport_tx_free_entry(dev->qp) >= tx_start) { + /* Make sure anybody stopping the queue after this sees the new +-- +2.35.1 + diff --git a/queue-5.4/ocfs2-fix-memory-leak-in-ocfs2_mount_volume.patch b/queue-5.4/ocfs2-fix-memory-leak-in-ocfs2_mount_volume.patch new file mode 100644 index 00000000000..38537b16666 --- /dev/null +++ b/queue-5.4/ocfs2-fix-memory-leak-in-ocfs2_mount_volume.patch 
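Review bot: Only two dev_kfree_skb() calls are converted, the enqueue-failure path in ntb_netdev_rx_handler() and the completion path in ntb_netdev_tx_handler(); any other free in these handlers that lies outside the hunk context would still trigger the same in_hardirq() warning. Please confirm that no dev_kfree_skb() remains on a path reachable from either callback, and say so in the commit message so the scope of the audit is on record.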
@@ -0,0 +1,121 @@ +From 0f71861b1bc50b2e0910e7a3634bb367ff2a6ad8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 15:46:27 +0800 +Subject: ocfs2: fix memory leak in ocfs2_mount_volume() + +From: Li Zetao + +[ Upstream commit ce2fcf1516d674a174d9b34d1e1024d64de9fba3 ] + +There is a memory leak reported by kmemleak: + + unreferenced object 0xffff88810cc65e60 (size 32): + comm "mount.ocfs2", pid 23753, jiffies 4302528942 (age 34735.105s) + hex dump (first 32 bytes): + 10 00 00 00 00 00 00 00 00 01 01 01 01 01 01 01 ................ + 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00 ................ + backtrace: + [] __kmalloc+0x4d/0x150 + [] ocfs2_compute_replay_slots+0x121/0x330 [ocfs2] + [] ocfs2_check_volume+0x485/0x900 [ocfs2] + [] ocfs2_mount_volume.isra.0+0x1e9/0x650 [ocfs2] + [] ocfs2_fill_super+0xe0b/0x1740 [ocfs2] + [] mount_bdev+0x312/0x400 + [] legacy_get_tree+0xed/0x1d0 + [] vfs_get_tree+0x7d/0x230 + [] path_mount+0xd62/0x1760 + [] do_mount+0xca/0xe0 + [] __x64_sys_mount+0x12c/0x1a0 + [] do_syscall_64+0x35/0x80 + [] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +This call stack is related to two problems. Firstly, the ocfs2 super uses +"replay_map" to trace online/offline slots, in order to recover offline +slots during recovery and mount. But when ocfs2_truncate_log_init() +returns an error in ocfs2_mount_volume(), the memory of "replay_map" will +not be freed in error handling path. Secondly, the memory of "replay_map" +will not be freed if d_make_root() returns an error in ocfs2_fill_super(). +But the memory of "replay_map" will be freed normally when completing +recovery and mount in ocfs2_complete_mount_recovery(). + +Fix the first problem by adding error handling path to free "replay_map" +when ocfs2_truncate_log_init() fails. And fix the second problem by +calling ocfs2_free_replay_slots(osb) in the error handling path +"out_dismount". 
In addition, since ocfs2_free_replay_slots() is static, +it is necessary to remove its static attribute and declare it in header +file. + +Link: https://lkml.kernel.org/r/20221109074627.2303950-1-lizetao1@huawei.com +Fixes: 9140db04ef18 ("ocfs2: recover orphans in offline slots during recovery and mount") +Signed-off-by: Li Zetao +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/journal.c | 2 +- + fs/ocfs2/journal.h | 1 + + fs/ocfs2/super.c | 5 ++++- + 3 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/fs/ocfs2/journal.c b/fs/ocfs2/journal.c +index 900e4ef686bf..da95ed79c12e 100644 +--- a/fs/ocfs2/journal.c ++++ b/fs/ocfs2/journal.c +@@ -159,7 +159,7 @@ static void ocfs2_queue_replay_slots(struct ocfs2_super *osb, + replay_map->rm_state = REPLAY_DONE; + } + +-static void ocfs2_free_replay_slots(struct ocfs2_super *osb) ++void ocfs2_free_replay_slots(struct ocfs2_super *osb) + { + struct ocfs2_replay_map *replay_map = osb->replay_map; + +diff --git a/fs/ocfs2/journal.h b/fs/ocfs2/journal.h +index bfe611ed1b1d..eb7a21bac71e 100644 +--- a/fs/ocfs2/journal.h ++++ b/fs/ocfs2/journal.h +@@ -152,6 +152,7 @@ int ocfs2_recovery_init(struct ocfs2_super *osb); + void ocfs2_recovery_exit(struct ocfs2_super *osb); + + int ocfs2_compute_replay_slots(struct ocfs2_super *osb); ++void ocfs2_free_replay_slots(struct ocfs2_super *osb); + /* + * Journal Control: + * Initialize, Load, Shutdown, Wipe a journal. 
+diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c +index 38e51868c2d3..bf4291e0c6bf 100644 +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -1164,6 +1164,7 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent) + out_dismount: + atomic_set(&osb->vol_state, VOLUME_DISABLED); + wake_up(&osb->osb_mount_event); ++ ocfs2_free_replay_slots(osb); + ocfs2_dismount_volume(sb, 1); + goto out; + +@@ -1829,12 +1830,14 @@ static int ocfs2_mount_volume(struct super_block *sb) + status = ocfs2_truncate_log_init(osb); + if (status < 0) { + mlog_errno(status); +- goto out_system_inodes; ++ goto out_check_volume; + } + + ocfs2_super_unlock(osb, 1); + return 0; + ++out_check_volume: ++ ocfs2_free_replay_slots(osb); + out_system_inodes: + if (osb->local_alloc_state == OCFS2_LA_ENABLED) + ocfs2_shutdown_local_alloc(osb); +-- +2.35.1 + diff --git a/queue-5.4/ocfs2-fix-memory-leak-in-ocfs2_stack_glue_init.patch b/queue-5.4/ocfs2-fix-memory-leak-in-ocfs2_stack_glue_init.patch new file mode 100644 index 00000000000..4be2788800a --- /dev/null +++ b/queue-5.4/ocfs2-fix-memory-leak-in-ocfs2_stack_glue_init.patch 
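Review bot: ocfs2_free_replay_slots(osb) is now called from the out_dismount label in ocfs2_fill_super() as well as from the new out_check_volume label in ocfs2_mount_volume(), so it must tolerate osb->replay_map being NULL or already released; only the first line of the function is in the hunk context, so that cannot be verified from the diff. Please confirm it checks for NULL and clears osb->replay_map after freeing, otherwise a failure that reaches out_dismount after the map has already been freed would free it twice.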
@@ -0,0 +1,73 @@ +From 9cf33a7b32efa610afce9e2ea53d4219626cb507 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 19:15:33 +0800 +Subject: ocfs2: fix memory leak in ocfs2_stack_glue_init() + +From: Shang XiaoJing + +[ Upstream commit 13b6269dd022aaa69ca8d1df374ab327504121cf ] + +ocfs2_table_header should be free in ocfs2_stack_glue_init() if +ocfs2_sysfs_init() failed, otherwise kmemleak will report memleak. + +BUG: memory leak +unreferenced object 0xffff88810eeb5800 (size 128): + comm "modprobe", pid 4507, jiffies 4296182506 (age 55.888s) + hex dump (first 32 bytes): + c0 40 14 a0 ff ff ff ff 00 00 00 00 01 00 00 00 .@.............. + 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<000000001e59e1cd>] __register_sysctl_table+0xca/0xef0 + [<00000000c04f70f7>] 0xffffffffa0050037 + [<000000001bd12912>] do_one_initcall+0xdb/0x480 + [<0000000064f766c9>] do_init_module+0x1cf/0x680 + [<000000002ba52db0>] load_module+0x6441/0x6f20 + [<000000009772580d>] __do_sys_finit_module+0x12f/0x1c0 + [<00000000380c1f22>] do_syscall_64+0x3f/0x90 + [<000000004cf473bc>] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Link: https://lkml.kernel.org/r/41651ca1-432a-db34-eb97-d35744559de1@linux.alibaba.com +Fixes: 3878f110f71a ("ocfs2: Move the hb_ctl_path sysctl into the stack glue.") +Signed-off-by: Shang XiaoJing +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/stackglue.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/ocfs2/stackglue.c b/fs/ocfs2/stackglue.c +index 188038760136..9f0326672af6 100644 +--- a/fs/ocfs2/stackglue.c ++++ b/fs/ocfs2/stackglue.c +@@ -707,6 +707,8 @@ static struct ctl_table_header *ocfs2_table_header; + + static int __init ocfs2_stack_glue_init(void) + { ++ int ret; ++ + strcpy(cluster_stack_name, OCFS2_STACK_PLUGIN_O2CB); + + 
ocfs2_table_header = register_sysctl_table(ocfs2_root_table); +@@ -716,7 +718,11 @@ static int __init ocfs2_stack_glue_init(void) + return -ENOMEM; /* or something. */ + } + +- return ocfs2_sysfs_init(); ++ ret = ocfs2_sysfs_init(); ++ if (ret) ++ unregister_sysctl_table(ocfs2_table_header); ++ ++ return ret; + } + + static void __exit ocfs2_stack_glue_exit(void) +-- +2.35.1 + diff --git a/queue-5.4/ocfs2-ocfs2_mount_volume-does-cleanup-job-before-ret.patch b/queue-5.4/ocfs2-ocfs2_mount_volume-does-cleanup-job-before-ret.patch new file mode 100644 index 00000000000..996cea95f91 --- /dev/null +++ b/queue-5.4/ocfs2-ocfs2_mount_volume-does-cleanup-job-before-ret.patch 
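Review bot: In ocfs2_stack_glue_init() the new failure branch calls unregister_sysctl_table(ocfs2_table_header) but leaves the file-scope ocfs2_table_header pointing at the released header. Setting it to NULL right after the unregister call costs one line and keeps any later user of the static from touching a stale pointer.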
@@ -0,0 +1,115 @@ +From d1baf4dd545133b07d36fe63cdb644e7e3b46414 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Apr 2022 14:37:58 -0700 +Subject: ocfs2: ocfs2_mount_volume does cleanup job before return error + +From: Heming Zhao via Ocfs2-devel + +[ Upstream commit 0737e01de9c411e4db87dcedf4a9789d41b1c5c1 ] + +After this patch, when error, ocfs2_fill_super doesn't take care to +release resources which are allocated in ocfs2_mount_volume. + +Link: https://lkml.kernel.org/r/20220424130952.2436-5-heming.zhao@suse.com +Signed-off-by: Heming Zhao +Reviewed-by: Joseph Qi +Cc: Changwei Ge +Cc: Gang He +Cc: Joel Becker +Cc: Jun Piao +Cc: Junxiao Bi +Cc: Mark Fasheh +Signed-off-by: Andrew Morton +Stable-dep-of: ce2fcf1516d6 ("ocfs2: fix memory leak in ocfs2_mount_volume()") +Signed-off-by: Sasha Levin +--- + fs/ocfs2/super.c | 35 +++++++++++++++++++++++------------ + 1 file changed, 23 insertions(+), 12 deletions(-) + +diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c +index c1cf67b24c19..ead43f95bb43 100644 +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -1787,11 +1787,10 @@ static int ocfs2_get_sector(struct super_block *sb, + static int ocfs2_mount_volume(struct super_block *sb) + { + int status = 0; +- int unlock_super = 0; + struct ocfs2_super *osb = OCFS2_SB(sb); + + if (ocfs2_is_hard_readonly(osb)) +- goto leave; ++ goto out; + + mutex_init(&osb->obs_trim_fs_mutex); + +@@ -1801,44 +1800,56 @@ static int ocfs2_mount_volume(struct super_block *sb) + if (status == -EBADR && ocfs2_userspace_stack(osb)) + mlog(ML_ERROR, "couldn't mount because cluster name on" + " disk does not match the running cluster name.\n"); +- goto leave; ++ goto out; + } + + status = ocfs2_super_lock(osb, 1); + if (status < 0) { + mlog_errno(status); +- goto leave; ++ goto out_dlm; + } +- unlock_super = 1; + + /* This will load up the node map and add ourselves to it. 
*/ + status = ocfs2_find_slot(osb); + if (status < 0) { + mlog_errno(status); +- goto leave; ++ goto out_super_lock; + } + + /* load all node-local system inodes */ + status = ocfs2_init_local_system_inodes(osb); + if (status < 0) { + mlog_errno(status); +- goto leave; ++ goto out_super_lock; + } + + status = ocfs2_check_volume(osb); + if (status < 0) { + mlog_errno(status); +- goto leave; ++ goto out_system_inodes; + } + + status = ocfs2_truncate_log_init(osb); +- if (status < 0) ++ if (status < 0) { + mlog_errno(status); ++ goto out_system_inodes; ++ } + +-leave: +- if (unlock_super) +- ocfs2_super_unlock(osb, 1); ++ ocfs2_super_unlock(osb, 1); ++ return 0; + ++out_system_inodes: ++ if (osb->local_alloc_state == OCFS2_LA_ENABLED) ++ ocfs2_shutdown_local_alloc(osb); ++ ocfs2_release_system_inodes(osb); ++ /* before journal shutdown, we should release slot_info */ ++ ocfs2_free_slot_info(osb); ++ ocfs2_journal_shutdown(osb); ++out_super_lock: ++ ocfs2_super_unlock(osb, 1); ++out_dlm: ++ ocfs2_dlm_shutdown(osb, 0); ++out: + return status; + } + +-- +2.35.1 + diff --git a/queue-5.4/ocfs2-rewrite-error-handling-of-ocfs2_fill_super.patch b/queue-5.4/ocfs2-rewrite-error-handling-of-ocfs2_fill_super.patch new file mode 100644 index 00000000000..583fe7f5162 --- /dev/null +++ b/queue-5.4/ocfs2-rewrite-error-handling-of-ocfs2_fill_super.patch 
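Review bot: In ocfs2_mount_volume() a failure of ocfs2_init_local_system_inodes() jumps to out_super_lock, which skips ocfs2_free_slot_info() and ocfs2_release_system_inodes() even though ocfs2_find_slot() has already succeeded at that point. Either route that failure to a label that releases the slot info, or state in the commit message who still cleans it up; the message only says that ocfs2_fill_super no longer does.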
@@ -0,0 +1,200 @@ +From 7802c2180ba9fee0389fd097212d8334f02eb5f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Apr 2022 14:37:58 -0700 +Subject: ocfs2: rewrite error handling of ocfs2_fill_super + +From: Heming Zhao via Ocfs2-devel + +[ Upstream commit f1e75d128b46e3b066e7b2e7cfca10491109d44d ] + +Current ocfs2_fill_super() uses one goto label "read_super_error" to +handle all error cases. And with previous serial patches, the error +handling should fork more branches to handle different error cases. This +patch rewrite the error handling of ocfs2_fill_super. + +Link: https://lkml.kernel.org/r/20220424130952.2436-6-heming.zhao@suse.com +Signed-off-by: Heming Zhao +Reviewed-by: Joseph Qi +Cc: Changwei Ge +Cc: Gang He +Cc: Joel Becker +Cc: Jun Piao +Cc: Junxiao Bi +Cc: Mark Fasheh +Signed-off-by: Andrew Morton +Stable-dep-of: ce2fcf1516d6 ("ocfs2: fix memory leak in ocfs2_mount_volume()") +Signed-off-by: Sasha Levin +--- + fs/ocfs2/super.c | 67 +++++++++++++++++++++++------------------------- + 1 file changed, 32 insertions(+), 35 deletions(-) + +diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c +index ead43f95bb43..38e51868c2d3 100644 +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -984,28 +984,27 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent) + + if (!ocfs2_parse_options(sb, data, &parsed_options, 0)) { + status = -EINVAL; +- goto read_super_error; ++ goto out; + } + + /* probe for superblock */ + status = ocfs2_sb_probe(sb, &bh, §or_size, &stats); + if (status < 0) { + mlog(ML_ERROR, "superblock probe failed!\n"); +- goto read_super_error; ++ goto out; + } + + status = ocfs2_initialize_super(sb, bh, sector_size, &stats); +- osb = OCFS2_SB(sb); +- if (status < 0) { +- mlog_errno(status); +- goto read_super_error; +- } + brelse(bh); + bh = NULL; ++ if (status < 0) ++ goto out; ++ ++ osb = OCFS2_SB(sb); + + if (!ocfs2_check_set_options(sb, &parsed_options)) { + status = -EINVAL; +- goto read_super_error; ++ goto 
out_super; + } + osb->s_mount_opt = parsed_options.mount_opt; + osb->s_atime_quantum = parsed_options.atime_quantum; +@@ -1022,7 +1021,7 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent) + + status = ocfs2_verify_userspace_stack(osb, &parsed_options); + if (status) +- goto read_super_error; ++ goto out_super; + + sb->s_magic = OCFS2_SUPER_MAGIC; + +@@ -1036,7 +1035,7 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent) + status = -EACCES; + mlog(ML_ERROR, "Readonly device detected but readonly " + "mount was not specified.\n"); +- goto read_super_error; ++ goto out_super; + } + + /* You should not be able to start a local heartbeat +@@ -1045,7 +1044,7 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent) + status = -EROFS; + mlog(ML_ERROR, "Local heartbeat specified on readonly " + "device.\n"); +- goto read_super_error; ++ goto out_super; + } + + status = ocfs2_check_journals_nolocks(osb); +@@ -1054,9 +1053,7 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent) + mlog(ML_ERROR, "Recovery required on readonly " + "file system, but write access is " + "unavailable.\n"); +- else +- mlog_errno(status); +- goto read_super_error; ++ goto out_super; + } + + ocfs2_set_ro_flag(osb, 1); +@@ -1072,10 +1069,8 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent) + } + + status = ocfs2_verify_heartbeat(osb); +- if (status < 0) { +- mlog_errno(status); +- goto read_super_error; +- } ++ if (status < 0) ++ goto out_super; + + osb->osb_debug_root = debugfs_create_dir(osb->uuid_str, + ocfs2_debugfs_root); +@@ -1089,15 +1084,14 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent) + + status = ocfs2_mount_volume(sb); + if (status < 0) +- goto read_super_error; ++ goto out_debugfs; + + if (osb->root_inode) + inode = igrab(osb->root_inode); + + if (!inode) { + status = -EIO; +- mlog_errno(status); +- goto read_super_error; ++ goto 
out_dismount; + } + + osb->osb_dev_kset = kset_create_and_add(sb->s_id, NULL, +@@ -1105,7 +1099,7 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent) + if (!osb->osb_dev_kset) { + status = -ENOMEM; + mlog(ML_ERROR, "Unable to create device kset %s.\n", sb->s_id); +- goto read_super_error; ++ goto out_dismount; + } + + /* Create filecheck sysfs related directories/files at +@@ -1114,14 +1108,13 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent) + status = -ENOMEM; + mlog(ML_ERROR, "Unable to create filecheck sysfs directory at " + "/sys/fs/ocfs2/%s/filecheck.\n", sb->s_id); +- goto read_super_error; ++ goto out_dismount; + } + + root = d_make_root(inode); + if (!root) { + status = -ENOMEM; +- mlog_errno(status); +- goto read_super_error; ++ goto out_dismount; + } + + sb->s_root = root; +@@ -1168,17 +1161,21 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent) + + return status; + +-read_super_error: +- brelse(bh); +- +- if (status) +- mlog_errno(status); ++out_dismount: ++ atomic_set(&osb->vol_state, VOLUME_DISABLED); ++ wake_up(&osb->osb_mount_event); ++ ocfs2_dismount_volume(sb, 1); ++ goto out; + +- if (osb) { +- atomic_set(&osb->vol_state, VOLUME_DISABLED); +- wake_up(&osb->osb_mount_event); +- ocfs2_dismount_volume(sb, 1); +- } ++out_debugfs: ++ debugfs_remove_recursive(osb->osb_debug_root); ++out_super: ++ ocfs2_release_system_inodes(osb); ++ kfree(osb->recovery_map); ++ ocfs2_delete_osb(osb); ++ kfree(osb); ++out: ++ mlog_errno(status); + + return status; + } +-- +2.35.1 + diff --git a/queue-5.4/of-overlay-fix-null-pointer-dereferencing-in-find_du.patch b/queue-5.4/of-overlay-fix-null-pointer-dereferencing-in-find_du.patch new file mode 100644 index 00000000000..a5e9fa70054 --- /dev/null +++ b/queue-5.4/of-overlay-fix-null-pointer-dereferencing-in-find_du.patch 
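Review bot: In ocfs2_fill_super() the out_dismount block ends with `goto out`, bypassing out_debugfs and out_super, so it relies on ocfs2_dismount_volume() to remove osb->osb_debug_root and free osb. A one-line comment above the label saying so would stop a later cleanup from letting it fall through into out_super and free osb twice.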
@@ -0,0 +1,47 @@ +From 6523d9785db67be5ad10c20939bdd325f8eb8823 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Dec 2022 10:33:37 +0800 +Subject: of: overlay: fix null pointer dereferencing in + find_dup_cset_node_entry() and find_dup_cset_prop() + +From: ruanjinjie + +[ Upstream commit ee9d7a0e754568180a2f8ebc4aad226278a9116f ] + +When kmalloc() fail to allocate memory in kasprintf(), fn_1 or fn_2 will +be NULL, and strcmp() will cause null pointer dereference. + +Fixes: 2fe0e8769df9 ("of: overlay: check prevents multiple fragments touching same property") +Signed-off-by: ruanjinjie +Link: https://lore.kernel.org/r/20221211023337.592266-1-ruanjinjie@huawei.com +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/overlay.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c +index 8420ef42d89e..dc298775f762 100644 +--- a/drivers/of/overlay.c ++++ b/drivers/of/overlay.c +@@ -547,7 +547,7 @@ static int find_dup_cset_node_entry(struct overlay_changeset *ovcs, + + fn_1 = kasprintf(GFP_KERNEL, "%pOF", ce_1->np); + fn_2 = kasprintf(GFP_KERNEL, "%pOF", ce_2->np); +- node_path_match = !strcmp(fn_1, fn_2); ++ node_path_match = !fn_1 || !fn_2 || !strcmp(fn_1, fn_2); + kfree(fn_1); + kfree(fn_2); + if (node_path_match) { +@@ -582,7 +582,7 @@ static int find_dup_cset_prop(struct overlay_changeset *ovcs, + + fn_1 = kasprintf(GFP_KERNEL, "%pOF", ce_1->np); + fn_2 = kasprintf(GFP_KERNEL, "%pOF", ce_2->np); +- node_path_match = !strcmp(fn_1, fn_2); ++ node_path_match = !fn_1 || !fn_2 || !strcmp(fn_1, fn_2); + kfree(fn_1); + kfree(fn_2); + if (node_path_match && +-- +2.35.1 + diff --git a/queue-5.4/openvswitch-fix-flow-lookup-to-use-unmasked-key.patch b/queue-5.4/openvswitch-fix-flow-lookup-to-use-unmasked-key.patch new file mode 100644 index 00000000000..4df5097efab --- /dev/null +++ b/queue-5.4/openvswitch-fix-flow-lookup-to-use-unmasked-key.patch 
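Review bot: In both find_dup_cset_node_entry() and find_dup_cset_prop(), `!fn_1 || !fn_2 || !strcmp(fn_1, fn_2)` makes a failed kasprintf() count as a path match, so an allocation failure is reported through the duplicate branch that follows `if (node_path_match)` rather than as -ENOMEM. If failing closed is the intent, add a comment saying so; otherwise test the two pointers separately and return -ENOMEM after the kfree() calls.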
@@ -0,0 +1,121 @@ +From e7f4082083e2d1600f73c66a3075723b10a93157 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Dec 2022 15:46:33 +0100 +Subject: openvswitch: Fix flow lookup to use unmasked key + +From: Eelco Chaudron + +[ Upstream commit 68bb10101e6b0a6bb44e9c908ef795fc4af99eae ] + +The commit mentioned below causes the ovs_flow_tbl_lookup() function +to be called with the masked key. However, it's supposed to be called +with the unmasked key. This due to the fact that the datapath supports +installing wider flows, and OVS relies on this behavior. For example +if ipv4(src=1.1.1.1/192.0.0.0, dst=1.1.1.2/192.0.0.0) exists, a wider +flow (smaller mask) of ipv4(src=192.1.1.1/128.0.0.0,dst=192.1.1.2/ +128.0.0.0) is allowed to be added. + +However, if we try to add a wildcard rule, the installation fails: + +$ ovs-appctl dpctl/add-flow system@myDP "in_port(1),eth_type(0x0800), \ + ipv4(src=1.1.1.1/192.0.0.0,dst=1.1.1.2/192.0.0.0,frag=no)" 2 +$ ovs-appctl dpctl/add-flow system@myDP "in_port(1),eth_type(0x0800), \ + ipv4(src=192.1.1.1/0.0.0.0,dst=49.1.1.2/0.0.0.0,frag=no)" 2 +ovs-vswitchd: updating flow table (File exists) + +The reason is that the key used to determine if the flow is already +present in the system uses the original key ANDed with the mask. +This results in the IP address not being part of the (miniflow) key, +i.e., being substituted with an all-zero value. When doing the actual +lookup, this results in the key wrongfully matching the first flow, +and therefore the flow does not get installed. + +This change reverses the commit below, but rather than having the key +on the stack, it's allocated. + +Fixes: 190aa3e77880 ("openvswitch: Fix Frame-size larger than 1024 bytes warning.") + +Signed-off-by: Eelco Chaudron +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/openvswitch/datapath.c | 25 ++++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c +index 5dc517d64965..a8a8396dd983 100644 +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -910,6 +910,7 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + struct sw_flow_mask mask; + struct sk_buff *reply; + struct datapath *dp; ++ struct sw_flow_key *key; + struct sw_flow_actions *acts; + struct sw_flow_match match; + u32 ufid_flags = ovs_nla_get_ufid_flags(a[OVS_FLOW_ATTR_UFID_FLAGS]); +@@ -937,24 +938,26 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + } + + /* Extract key. */ +- ovs_match_init(&match, &new_flow->key, false, &mask); ++ key = kzalloc(sizeof(*key), GFP_KERNEL); ++ if (!key) { ++ error = -ENOMEM; ++ goto err_kfree_key; ++ } ++ ++ ovs_match_init(&match, key, false, &mask); + error = ovs_nla_get_match(net, &match, a[OVS_FLOW_ATTR_KEY], + a[OVS_FLOW_ATTR_MASK], log); + if (error) + goto err_kfree_flow; + ++ ovs_flow_mask_key(&new_flow->key, key, true, &mask); ++ + /* Extract flow identifier. */ + error = ovs_nla_get_identifier(&new_flow->id, a[OVS_FLOW_ATTR_UFID], +- &new_flow->key, log); ++ key, log); + if (error) + goto err_kfree_flow; + +- /* unmasked key is needed to match when ufid is not used. */ +- if (ovs_identifier_is_key(&new_flow->id)) +- match.key = new_flow->id.unmasked_key; +- +- ovs_flow_mask_key(&new_flow->key, &new_flow->key, true, &mask); +- + /* Validate actions. 
*/ + error = ovs_nla_copy_actions(net, a[OVS_FLOW_ATTR_ACTIONS], + &new_flow->key, &acts, log); +@@ -981,7 +984,7 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + if (ovs_identifier_is_ufid(&new_flow->id)) + flow = ovs_flow_tbl_lookup_ufid(&dp->table, &new_flow->id); + if (!flow) +- flow = ovs_flow_tbl_lookup(&dp->table, &new_flow->key); ++ flow = ovs_flow_tbl_lookup(&dp->table, key); + if (likely(!flow)) { + rcu_assign_pointer(new_flow->sf_acts, acts); + +@@ -1051,6 +1054,8 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + + if (reply) + ovs_notify(&dp_flow_genl_family, reply, info); ++ ++ kfree(key); + return 0; + + err_unlock_ovs: +@@ -1060,6 +1065,8 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + ovs_nla_free_flow_actions(acts); + err_kfree_flow: + ovs_flow_free(new_flow, false); ++err_kfree_key: ++ kfree(key); + error: + return error; + } +-- +2.35.1 + diff --git a/queue-5.4/orangefs-fix-kmemleak-in-orangefs_-kernel-client-_de.patch b/queue-5.4/orangefs-fix-kmemleak-in-orangefs_-kernel-client-_de.patch new file mode 100644 index 00000000000..50604927b54 --- /dev/null +++ b/queue-5.4/orangefs-fix-kmemleak-in-orangefs_-kernel-client-_de.patch 
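Review bot: In ovs_flow_cmd_new() the kzalloc() failure branch does `goto err_kfree_key`, but that label sits below err_kfree_flow, so ovs_flow_free(new_flow, false) is skipped and new_flow leaks on this path. new_flow is already allocated here (the removed line passed &new_flow->key to ovs_match_init()), so the branch should jump to err_kfree_flow instead; kfree(key) on a NULL key is harmless.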
@@ -0,0 +1,107 @@ +From 810ac78e00a002f7ceb7ccf657b6e17ff9d004c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 12:40:07 +0800 +Subject: orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init() + +From: Zhang Xiaoxu + +[ Upstream commit 31720a2b109b3080eb77e97b8f6f50a27b4ae599 ] + +When insert and remove the orangefs module, there are memory leaked +as below: + +unreferenced object 0xffff88816b0cc000 (size 2048): + comm "insmod", pid 783, jiffies 4294813439 (age 65.512s) + hex dump (first 32 bytes): + 6e 6f 6e 65 0a 00 00 00 00 00 00 00 00 00 00 00 none............ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<0000000031ab7788>] kmalloc_trace+0x27/0xa0 + [<000000005b405fee>] orangefs_debugfs_init.cold+0xaf/0x17f + [<00000000e5a0085b>] 0xffffffffa02780f9 + [<000000004232d9f7>] do_one_initcall+0x87/0x2a0 + [<0000000054f22384>] do_init_module+0xdf/0x320 + [<000000003263bdea>] load_module+0x2f98/0x3330 + [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0 + [<00000000250ae02b>] do_syscall_64+0x35/0x80 + [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Use the golbal variable as the buffer rather than dynamic allocate to +slove the problem. 
+ +Signed-off-by: Zhang Xiaoxu +Signed-off-by: Mike Marshall +Signed-off-by: Sasha Levin +--- + fs/orangefs/orangefs-debugfs.c | 26 +++----------------------- + 1 file changed, 3 insertions(+), 23 deletions(-) + +diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c +index a848b6ef9599..1b508f543384 100644 +--- a/fs/orangefs/orangefs-debugfs.c ++++ b/fs/orangefs/orangefs-debugfs.c +@@ -194,15 +194,10 @@ void orangefs_debugfs_init(int debug_mask) + */ + static void orangefs_kernel_debug_init(void) + { +- int rc = -ENOMEM; +- char *k_buffer = NULL; ++ static char k_buffer[ORANGEFS_MAX_DEBUG_STRING_LEN] = { }; + + gossip_debug(GOSSIP_DEBUGFS_DEBUG, "%s: start\n", __func__); + +- k_buffer = kzalloc(ORANGEFS_MAX_DEBUG_STRING_LEN, GFP_KERNEL); +- if (!k_buffer) +- goto out; +- + if (strlen(kernel_debug_string) + 1 < ORANGEFS_MAX_DEBUG_STRING_LEN) { + strcpy(k_buffer, kernel_debug_string); + strcat(k_buffer, "\n"); +@@ -213,9 +208,6 @@ static void orangefs_kernel_debug_init(void) + + debugfs_create_file(ORANGEFS_KMOD_DEBUG_FILE, 0444, debug_dir, k_buffer, + &kernel_debug_fops); +- +-out: +- gossip_debug(GOSSIP_DEBUGFS_DEBUG, "%s: rc:%d:\n", __func__, rc); + } + + +@@ -299,18 +291,13 @@ static int help_show(struct seq_file *m, void *v) + /* + * initialize the client-debug file. 
+ */ +-static int orangefs_client_debug_init(void) ++static void orangefs_client_debug_init(void) + { + +- int rc = -ENOMEM; +- char *c_buffer = NULL; ++ static char c_buffer[ORANGEFS_MAX_DEBUG_STRING_LEN] = { }; + + gossip_debug(GOSSIP_DEBUGFS_DEBUG, "%s: start\n", __func__); + +- c_buffer = kzalloc(ORANGEFS_MAX_DEBUG_STRING_LEN, GFP_KERNEL); +- if (!c_buffer) +- goto out; +- + if (strlen(client_debug_string) + 1 < ORANGEFS_MAX_DEBUG_STRING_LEN) { + strcpy(c_buffer, client_debug_string); + strcat(c_buffer, "\n"); +@@ -324,13 +311,6 @@ static int orangefs_client_debug_init(void) + debug_dir, + c_buffer, + &kernel_debug_fops); +- +- rc = 0; +- +-out: +- +- gossip_debug(GOSSIP_DEBUGFS_DEBUG, "%s: rc:%d:\n", __func__, rc); +- return rc; + } + + /* open ORANGEFS_KMOD_DEBUG_FILE or ORANGEFS_CLIENT_DEBUG_FILE.*/ +-- +2.35.1 + diff --git a/queue-5.4/orangefs-fix-kmemleak-in-orangefs_prepare_debugfs_he.patch b/queue-5.4/orangefs-fix-kmemleak-in-orangefs_prepare_debugfs_he.patch new file mode 100644 index 00000000000..a17c3a88eae --- /dev/null +++ b/queue-5.4/orangefs-fix-kmemleak-in-orangefs_prepare_debugfs_he.patch 
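Review bot: In orangefs_kernel_debug_init() and orangefs_client_debug_init() the buffers are now function-local statics handed to debugfs_create_file() as file data, and nothing in the code says that the `static` is what removes the leak. Add a short comment on each declaration so a later cleanup does not turn them back into stack or heap buffers. The `= { }` initializer is redundant on a static array, and the change of orangefs_client_debug_init() to void needs its caller checked, since no call site appears in this diff.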
@@ -0,0 +1,62 @@ +From 7e9f4a211d18e866b083564542daaf8c42a633d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 12:40:05 +0800 +Subject: orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() + +From: Zhang Xiaoxu + +[ Upstream commit d23417a5bf3a3afc55de5442eb46e1e60458b0a1 ] + +When insert and remove the orangefs module, then debug_help_string will +be leaked: + + unreferenced object 0xffff8881652ba000 (size 4096): + comm "insmod", pid 1701, jiffies 4294893639 (age 13218.530s) + hex dump (first 32 bytes): + 43 6c 69 65 6e 74 20 44 65 62 75 67 20 4b 65 79 Client Debug Key + 77 6f 72 64 73 20 61 72 65 20 75 6e 6b 6e 6f 77 words are unknow + backtrace: + [<0000000004e6f8e3>] kmalloc_trace+0x27/0xa0 + [<0000000006f75d85>] orangefs_prepare_debugfs_help_string+0x5e/0x480 [orangefs] + [<0000000091270a2a>] _sub_I_65535_1+0x57/0xf70 [crc_itu_t] + [<000000004b1ee1a3>] do_one_initcall+0x87/0x2a0 + [<000000001d0614ae>] do_init_module+0xdf/0x320 + [<00000000efef068c>] load_module+0x2f98/0x3330 + [<000000006533b44d>] __do_sys_finit_module+0x113/0x1b0 + [<00000000a0da6f99>] do_syscall_64+0x35/0x80 + [<000000007790b19b>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +When remove the module, should always free debug_help_string. Should +always free the allocated buffer when change the free_debug_help_string. 
+ +Signed-off-by: Zhang Xiaoxu +Signed-off-by: Mike Marshall +Signed-off-by: Sasha Levin +--- + fs/orangefs/orangefs-debugfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c +index 29eaa4544372..a848b6ef9599 100644 +--- a/fs/orangefs/orangefs-debugfs.c ++++ b/fs/orangefs/orangefs-debugfs.c +@@ -222,6 +222,8 @@ static void orangefs_kernel_debug_init(void) + void orangefs_debugfs_cleanup(void) + { + debugfs_remove_recursive(debug_dir); ++ kfree(debug_help_string); ++ debug_help_string = NULL; + } + + /* open ORANGEFS_KMOD_DEBUG_HELP_FILE */ +@@ -671,6 +673,7 @@ int orangefs_prepare_debugfs_help_string(int at_boot) + memset(debug_help_string, 0, DEBUG_HELP_STRING_SIZE); + strlcat(debug_help_string, new, string_size); + mutex_unlock(&orangefs_help_file_lock); ++ kfree(new); + } + + rc = 0; +-- +2.35.1 + diff --git a/queue-5.4/orangefs-fix-sysfs-not-cleanup-when-dev-init-failed.patch b/queue-5.4/orangefs-fix-sysfs-not-cleanup-when-dev-init-failed.patch new file mode 100644 index 00000000000..1a5c2c2fbf0 --- /dev/null +++ b/queue-5.4/orangefs-fix-sysfs-not-cleanup-when-dev-init-failed.patch 
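Review bot: In orangefs_debugfs_cleanup() debug_help_string is freed and set to NULL without taking orangefs_help_file_lock, while orangefs_prepare_debugfs_help_string() writes the same buffer under that mutex. If cleanup can only run once every user of the help file is gone, say so in a comment; otherwise take the lock around the kfree() and the NULL assignment.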
@@ -0,0 +1,74 @@ +From bf79a0385d6f41d9c8fb1605361079c73a5abc09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 12:40:04 +0800 +Subject: orangefs: Fix sysfs not cleanup when dev init failed + +From: Zhang Xiaoxu + +[ Upstream commit ea60a4ad0cf88b411cde6888b8c890935686ecd7 ] + +When the dev init failed, should cleanup the sysfs, otherwise, the +module will never be loaded since can not create duplicate sysfs +directory: + + sysfs: cannot create duplicate filename '/fs/orangefs' + + CPU: 1 PID: 6549 Comm: insmod Tainted: G W 6.0.0+ #44 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 + Call Trace: + + dump_stack_lvl+0x34/0x44 + sysfs_warn_dup.cold+0x17/0x24 + sysfs_create_dir_ns+0x16d/0x180 + kobject_add_internal+0x156/0x3a0 + kobject_init_and_add+0xcf/0x120 + orangefs_sysfs_init+0x7e/0x3a0 [orangefs] + orangefs_init+0xfe/0x1000 [orangefs] + do_one_initcall+0x87/0x2a0 + do_init_module+0xdf/0x320 + load_module+0x2f98/0x3330 + __do_sys_finit_module+0x113/0x1b0 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + + kobject_add_internal failed for orangefs with -EEXIST, don't try to register things with the same name in the same directory. 
+ +Fixes: 2f83ace37181 ("orangefs: put register_chrdev immediately before register_filesystem") +Signed-off-by: Zhang Xiaoxu +Signed-off-by: Mike Marshall +Signed-off-by: Sasha Levin +--- + fs/orangefs/orangefs-mod.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/orangefs/orangefs-mod.c b/fs/orangefs/orangefs-mod.c +index c010c1fddafc..6aa7a23b04df 100644 +--- a/fs/orangefs/orangefs-mod.c ++++ b/fs/orangefs/orangefs-mod.c +@@ -141,7 +141,7 @@ static int __init orangefs_init(void) + gossip_err("%s: could not initialize device subsystem %d!\n", + __func__, + ret); +- goto cleanup_device; ++ goto cleanup_sysfs; + } + + ret = register_filesystem(&orangefs_fs_type); +@@ -153,11 +153,11 @@ static int __init orangefs_init(void) + goto out; + } + +- orangefs_sysfs_exit(); +- +-cleanup_device: + orangefs_dev_cleanup(); + ++cleanup_sysfs: ++ orangefs_sysfs_exit(); ++ + sysfs_init_failed: + orangefs_debugfs_cleanup(); + +-- +2.35.1 + diff --git a/queue-5.4/pata_ipx4xx_cf-fix-unsigned-comparison-with-less-tha.patch b/queue-5.4/pata_ipx4xx_cf-fix-unsigned-comparison-with-less-tha.patch new file mode 100644 index 00000000000..db76862938e --- /dev/null +++ b/queue-5.4/pata_ipx4xx_cf-fix-unsigned-comparison-with-less-tha.patch 
@@ -0,0 +1,46 @@ +From faaf7cb663513286a316fb72cee30ffda68f0314 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Apr 2021 21:54:26 +0800 +Subject: pata_ipx4xx_cf: Fix unsigned comparison with less than zero + +From: Junlin Yang + +[ Upstream commit c38ae56ee034623c59e39c0130ca0dec086c1a39 ] + +The return from the call to platform_get_irq() is int, it can be +a negative error code, however this is being assigned to an unsigned +int variable 'irq', so making 'irq' an int, and change the position to +keep the code format. + +./drivers/ata/pata_ixp4xx_cf.c:168:5-8: +WARNING: Unsigned expression compared with zero: irq > 0 + +Signed-off-by: Junlin Yang +Link: https://lore.kernel.org/r/20210409135426.1773-1-angkery@163.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_ixp4xx_cf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/pata_ixp4xx_cf.c b/drivers/ata/pata_ixp4xx_cf.c +index abc0e87ca1a8..43215a4c1e54 100644 +--- a/drivers/ata/pata_ixp4xx_cf.c ++++ b/drivers/ata/pata_ixp4xx_cf.c +@@ -135,12 +135,12 @@ static void ixp4xx_setup_port(struct ata_port *ap, + + static int ixp4xx_pata_probe(struct platform_device *pdev) + { +- unsigned int irq; + struct resource *cs0, *cs1; + struct ata_host *host; + struct ata_port *ap; + struct ixp4xx_pata_data *data = dev_get_platdata(&pdev->dev); + int ret; ++ int irq; + + cs0 = platform_get_resource(pdev, IORESOURCE_MEM, 0); + cs1 = platform_get_resource(pdev, IORESOURCE_MEM, 1); +-- +2.35.1 + diff --git a/queue-5.4/pci-check-for-alloc-failure-in-pci_request_irq.patch b/queue-5.4/pci-check-for-alloc-failure-in-pci_request_irq.patch new file mode 100644 index 00000000000..069aeba71fc --- /dev/null +++ b/queue-5.4/pci-check-for-alloc-failure-in-pci_request_irq.patch 
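Review bot: The subject line spells the driver pata_ipx4xx_cf while the file touched is drivers/ata/pata_ixp4xx_cf.c, which makes the commit harder to find by driver name. On the code, the hunk in ixp4xx_pata_probe() only changes the declaration to `int irq`; the `irq > 0` test quoted in the warning lies outside the visible context, so it is worth confirming that a negative return from platform_get_irq() is handled there as an error.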
@@ -0,0 +1,39 @@ +From 373cbd6518c55a208d35535adcb20928db9c7a78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 10:00:29 +0800 +Subject: PCI: Check for alloc failure in pci_request_irq() + +From: Zeng Heng + +[ Upstream commit 2d9cd957d40c3ac491b358e7cff0515bb07a3a9c ] + +When kvasprintf() fails to allocate memory, it returns a NULL pointer. +Return error from pci_request_irq() so we don't dereference it. + +[bhelgaas: commit log] +Fixes: 704e8953d3e9 ("PCI/irq: Add pci_request_irq() and pci_free_irq() helpers") +Link: https://lore.kernel.org/r/20221121020029.3759444-1-zengheng4@huawei.com +Signed-off-by: Zeng Heng +Signed-off-by: Bjorn Helgaas +Reviewed-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/pci/irq.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pci/irq.c b/drivers/pci/irq.c +index a1de501a2729..3f6a5d520259 100644 +--- a/drivers/pci/irq.c ++++ b/drivers/pci/irq.c +@@ -94,6 +94,8 @@ int pci_request_irq(struct pci_dev *dev, unsigned int nr, irq_handler_t handler, + va_start(ap, fmt); + devname = kvasprintf(GFP_KERNEL, fmt, ap); + va_end(ap); ++ if (!devname) ++ return -ENOMEM; + + ret = request_threaded_irq(pci_irq_vector(dev, nr), handler, thread_fn, + irqflags, devname, dev_id); +-- +2.35.1 + diff --git a/queue-5.4/perf-arm_dsu-fix-hotplug-callback-leak-in-dsu_pmu_in.patch b/queue-5.4/perf-arm_dsu-fix-hotplug-callback-leak-in-dsu_pmu_in.patch new file mode 100644 index 00000000000..9a509c2f636 --- /dev/null +++ b/queue-5.4/perf-arm_dsu-fix-hotplug-callback-leak-in-dsu_pmu_in.patch 
@@ -0,0 +1,46 @@ +From dd061ef0c6d9eb7a107b03bd550fc20ad2fab3db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 07:02:06 +0000 +Subject: perf: arm_dsu: Fix hotplug callback leak in dsu_pmu_init() + +From: Yuan Can + +[ Upstream commit facafab7611f7b872c6b9eeaff53461ef11f482e ] + +dsu_pmu_init() won't remove the callback added by cpuhp_setup_state_multi() +when platform_driver_register() failed. Remove the callback by +cpuhp_remove_multi_state() in fail path. + +Similar to the handling of arm_ccn_init() in commit 26242b330093 ("bus: +arm-ccn: Prevent hotplug callback leak") + +Fixes: 7520fa99246d ("perf: ARM DynamIQ Shared Unit PMU support") +Signed-off-by: Yuan Can +Acked-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20221115070207.32634-2-yuancan@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/arm_dsu_pmu.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/perf/arm_dsu_pmu.c b/drivers/perf/arm_dsu_pmu.c +index 4594e2ed13d5..96e76915da56 100644 +--- a/drivers/perf/arm_dsu_pmu.c ++++ b/drivers/perf/arm_dsu_pmu.c +@@ -816,7 +816,11 @@ static int __init dsu_pmu_init(void) + if (ret < 0) + return ret; + dsu_pmu_cpuhp_state = ret; +- return platform_driver_register(&dsu_pmu_driver); ++ ret = platform_driver_register(&dsu_pmu_driver); ++ if (ret) ++ cpuhp_remove_multi_state(dsu_pmu_cpuhp_state); ++ ++ return ret; + } + + static void __exit dsu_pmu_exit(void) +-- +2.35.1 + diff --git a/queue-5.4/perf-fix-possible-memleak-in-pmu_dev_alloc.patch b/queue-5.4/perf-fix-possible-memleak-in-pmu_dev_alloc.patch new file mode 100644 index 00000000000..b7fba0a406b --- /dev/null +++ b/queue-5.4/perf-fix-possible-memleak-in-pmu_dev_alloc.patch 
@@ -0,0 +1,71 @@ +From 68cfdb2b24b1cfaca9c09ae078f09866f3a0182c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 18:36:53 +0800 +Subject: perf: Fix possible memleak in pmu_dev_alloc() + +From: Chen Zhongjin + +[ Upstream commit e8d7a90c08ce963c592fb49845f2ccc606a2ac21 ] + +In pmu_dev_alloc(), when dev_set_name() failed, it will goto free_dev +and call put_device(pmu->dev) to release it. +However pmu->dev->release is assigned after this, which makes warning +and memleak. +Call dev_set_name() after pmu->dev->release = pmu_dev_release to fix it. + + Device '(null)' does not have a release() function... + WARNING: CPU: 2 PID: 441 at drivers/base/core.c:2332 device_release+0x1b9/0x240 + ... + Call Trace: + + kobject_put+0x17f/0x460 + put_device+0x20/0x30 + pmu_dev_alloc+0x152/0x400 + perf_pmu_register+0x96b/0xee0 + ... + kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak) + unreferenced object 0xffff888014759000 (size 2048): + comm "modprobe", pid 441, jiffies 4294931444 (age 38.332s) + backtrace: + [<0000000005aed3b4>] kmalloc_trace+0x27/0x110 + [<000000006b38f9b8>] pmu_dev_alloc+0x50/0x400 + [<00000000735f17be>] perf_pmu_register+0x96b/0xee0 + [<00000000e38477f1>] 0xffffffffc0ad8603 + [<000000004e162216>] do_one_initcall+0xd0/0x4e0 + ... 
+ +Fixes: abe43400579d ("perf: Sysfs enumeration") +Signed-off-by: Chen Zhongjin +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20221111103653.91058-1-chenzhongjin@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 0a54780e0942..a1c89b675b0b 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -10035,13 +10035,15 @@ static int pmu_dev_alloc(struct pmu *pmu) + + pmu->dev->groups = pmu->attr_groups; + device_initialize(pmu->dev); +- ret = dev_set_name(pmu->dev, "%s", pmu->name); +- if (ret) +- goto free_dev; + + dev_set_drvdata(pmu->dev, pmu); + pmu->dev->bus = &pmu_bus; + pmu->dev->release = pmu_dev_release; ++ ++ ret = dev_set_name(pmu->dev, "%s", pmu->name); ++ if (ret) ++ goto free_dev; ++ + ret = device_add(pmu->dev); + if (ret) + goto free_dev; +-- +2.35.1 + diff --git a/queue-5.4/perf-smmuv3-fix-hotplug-callback-leak-in-arm_smmu_pm.patch b/queue-5.4/perf-smmuv3-fix-hotplug-callback-leak-in-arm_smmu_pm.patch new file mode 100644 index 00000000000..5bfbe9a74ed --- /dev/null +++ b/queue-5.4/perf-smmuv3-fix-hotplug-callback-leak-in-arm_smmu_pm.patch 
@@ -0,0 +1,55 @@ +From 4dadeda0a7a60eab85f65cb238a0c8d7adbf1276 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 19:55:40 +0800 +Subject: perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init() + +From: Shang XiaoJing + +[ Upstream commit 6f2d566b46436a50a80d6445e82879686b89588c ] + +arm_smmu_pmu_init() won't remove the callback added by +cpuhp_setup_state_multi() when platform_driver_register() failed. Remove +the callback by cpuhp_remove_multi_state() in fail path. + +Similar to the handling of arm_ccn_init() in commit 26242b330093 ("bus: +arm-ccn: Prevent hotplug callback leak") + +Fixes: 7d839b4b9e00 ("perf/smmuv3: Add arm64 smmuv3 pmu driver") +Signed-off-by: Shang XiaoJing +Reviewed-by: Punit Agrawal +Link: https://lore.kernel.org/r/20221115115540.6245-3-shangxiaojing@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/arm_smmuv3_pmu.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/perf/arm_smmuv3_pmu.c b/drivers/perf/arm_smmuv3_pmu.c +index 6a3fa1f69e68..0b6af7719641 100644 +--- a/drivers/perf/arm_smmuv3_pmu.c ++++ b/drivers/perf/arm_smmuv3_pmu.c +@@ -872,6 +872,8 @@ static struct platform_driver smmu_pmu_driver = { + + static int __init arm_smmu_pmu_init(void) + { ++ int ret; ++ + cpuhp_state_num = cpuhp_setup_state_multi(CPUHP_AP_ONLINE_DYN, + "perf/arm/pmcg:online", + NULL, +@@ -879,7 +881,11 @@ static int __init arm_smmu_pmu_init(void) + if (cpuhp_state_num < 0) + return cpuhp_state_num; + +- return platform_driver_register(&smmu_pmu_driver); ++ ret = platform_driver_register(&smmu_pmu_driver); ++ if (ret) ++ cpuhp_remove_multi_state(cpuhp_state_num); ++ ++ return ret; + } + module_init(arm_smmu_pmu_init); + +-- +2.35.1 + diff --git a/queue-5.4/perf-symbol-correction-while-adjusting-symbol.patch b/queue-5.4/perf-symbol-correction-while-adjusting-symbol.patch new file mode 100644 index 00000000000..237b628f745 --- /dev/null 
+++ b/queue-5.4/perf-symbol-correction-while-adjusting-symbol.patch 
@@ -0,0 +1,76 @@ +From aa15c7e3c855e2c8b3d7051e7adde9854bc0a80e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 15:48:16 +0530 +Subject: perf symbol: correction while adjusting symbol + +From: Ajay Kaher + +[ Upstream commit 6f520ce17920b3cdfbd2479b3ccf27f9706219d0 ] + +perf doesn't provide proper symbol information for specially crafted +.debug files. + +Sometimes .debug file may not have similar program header as runtime +ELF file. For example if we generate .debug file using objcopy +--only-keep-debug resulting file will not contain .text, .data and +other runtime sections. That means corresponding program headers will +have zero FileSiz and modified Offset. + +Example: program header of text section of libxxx.so: + +Type Offset VirtAddr PhysAddr + FileSiz MemSiz Flags Align +LOAD 0x00000000003d3000 0x00000000003d3000 0x00000000003d3000 + 0x000000000055ae80 0x000000000055ae80 R E 0x1000 + +Same program header after executing: +objcopy --only-keep-debug libxxx.so libxxx.so.debug + +LOAD 0x0000000000001000 0x00000000003d3000 0x00000000003d3000 + 0x0000000000000000 0x000000000055ae80 R E 0x1000 + +Offset and FileSiz have been changed. + +Following formula will not provide correct value, if program header +taken from .debug file (syms_ss): + + sym.st_value -= phdr.p_vaddr - phdr.p_offset; + +Correct program header information is located inside runtime ELF +file (runtime_ss). + +Fixes: 2d86612aacb7805f ("perf symbol: Correct address for bss symbols") +Signed-off-by: Ajay Kaher +Cc: Alexander Shishkin +Cc: Alexey Makhalov +Cc: Jiri Olsa +Cc: Leo Yan +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Srivatsa S. 
Bhat +Cc: Steven Rostedt (VMware) +Cc: Vasavi Sirnapalli +Link: http://lore.kernel.org/lkml/1669198696-50547-1-git-send-email-akaher@vmware.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/symbol-elf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c +index f15258fbe9db..4fef8d6bc225 100644 +--- a/tools/perf/util/symbol-elf.c ++++ b/tools/perf/util/symbol-elf.c +@@ -1157,7 +1157,7 @@ int dso__load_sym(struct dso *dso, struct map *map, struct symsrc *syms_ss, + (!used_opd && syms_ss->adjust_symbols)) { + GElf_Phdr phdr; + +- if (elf_read_program_header(syms_ss->elf, ++ if (elf_read_program_header(runtime_ss->elf, + (u64)sym.st_value, &phdr)) { + pr_debug4("%s: failed to find program header for " + "symbol: %s st_value: %#" PRIx64 "\n", +-- +2.35.1 + diff --git a/queue-5.4/perf-trace-add-a-strtoul-method-to-struct-syscall_ar.patch b/queue-5.4/perf-trace-add-a-strtoul-method-to-struct-syscall_ar.patch new file mode 100644 index 00000000000..ff93b47615a --- /dev/null +++ b/queue-5.4/perf-trace-add-a-strtoul-method-to-struct-syscall_ar.patch 
@@ -0,0 +1,64 @@ +From 2024793dba037c184d0e53f48426b08e0f86efa6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2019 16:06:43 -0300 +Subject: perf trace: Add a strtoul() method to 'struct syscall_arg_fmt' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 3f41b77843b338e836f52cc2d486be689d6cb9c1 ] + +This will go from a string to a number, so that filter expressions can +be constructed with strings and then, before applying the tracepoint +filters (or eBPF, in the future) we can map those strings to numbers. + +The first one will be for 'msr' tracepoint arguments, but real quickly +we will be able to reuse all strarrays for that. + +Cc: Adrian Hunter +Cc: Brendan Gregg +Cc: Jiri Olsa +Cc: Luis Cláudio Gonçalves +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-wgqq48agcgr95b8dmn6fygtr@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: 03e9a5d8eb55 ("perf trace: Handle failure when trace point folder is missed") +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index 02cf39970ed0..4cb3252623f5 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -86,8 +86,12 @@ + # define F_LINUX_SPECIFIC_BASE 1024 + #endif + ++/* ++ * strtoul: Go from a string to a value, i.e. 
for msr: MSR_FS_BASE to 0xc0000100 ++ */ + struct syscall_arg_fmt { + size_t (*scnprintf)(char *bf, size_t size, struct syscall_arg *arg); ++ bool (*strtoul)(char *bf, size_t size, struct syscall_arg *arg, u64 *val); + unsigned long (*mask_val)(struct syscall_arg *arg, unsigned long val); + void *parm; + const char *name; +@@ -1515,8 +1519,10 @@ syscall_arg_fmt__init_array(struct syscall_arg_fmt *arg, struct tep_format_field + } else { + struct syscall_arg_fmt *fmt = syscall_arg_fmt__find_by_name(field->name); + +- if (fmt) ++ if (fmt) { + arg->scnprintf = fmt->scnprintf; ++ arg->strtoul = fmt->strtoul; ++ } + } + } + +-- +2.35.1 + diff --git a/queue-5.4/perf-trace-add-the-syscall_arg_fmt-pointer-to-syscal.patch b/queue-5.4/perf-trace-add-the-syscall_arg_fmt-pointer-to-syscal.patch new file mode 100644 index 00000000000..04fd8a22127 --- /dev/null +++ b/queue-5.4/perf-trace-add-the-syscall_arg_fmt-pointer-to-syscal.patch 
@@ -0,0 +1,123 @@ +From e6a3c55a4b2d8c87c9871d4346d66a01df804035 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2019 14:52:30 -0300 +Subject: perf trace: Add the syscall_arg_fmt pointer to syscall_arg +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 888ca854e275fcfbb13206d32bb01c0576fc5546 ] + +So that the scnprintf beautifiers can access it, as will be the case +with the char array one in the following csets, that needs to know +the number of elements in an array. + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Luis Cláudio Gonçalves +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-01qmjqv6cb1nj1qy4khdexce@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: 03e9a5d8eb55 ("perf trace: Handle failure when trace point folder is missed") +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 45 ++++++++++++++++---------------- + tools/perf/trace/beauty/beauty.h | 3 +++ + 2 files changed, 26 insertions(+), 22 deletions(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index 175150e90cdc..e01952883cbc 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -86,6 +86,28 @@ + # define F_LINUX_SPECIFIC_BASE 1024 + #endif + ++struct syscall_arg_fmt { ++ size_t (*scnprintf)(char *bf, size_t size, struct syscall_arg *arg); ++ unsigned long (*mask_val)(struct syscall_arg *arg, unsigned long val); ++ void *parm; ++ const char *name; ++ bool show_zero; ++}; ++ ++struct syscall_fmt { ++ const char *name; ++ const char *alias; ++ struct { ++ const char *sys_enter, ++ *sys_exit; ++ } bpf_prog_name; ++ struct syscall_arg_fmt arg[6]; ++ u8 nr_args; ++ bool errpid; ++ bool timeout; ++ bool hexret; ++}; ++ + struct trace { + struct perf_tool tool; + struct syscalltbl *sctbl; +@@ -694,28 +716,6 @@ static size_t syscall_arg__scnprintf_getrandom_flags(char *bf, size_t size, + #include 
"trace/beauty/socket_type.c" + #include "trace/beauty/waitid_options.c" + +-struct syscall_arg_fmt { +- size_t (*scnprintf)(char *bf, size_t size, struct syscall_arg *arg); +- unsigned long (*mask_val)(struct syscall_arg *arg, unsigned long val); +- void *parm; +- const char *name; +- bool show_zero; +-}; +- +-struct syscall_fmt { +- const char *name; +- const char *alias; +- struct { +- const char *sys_enter, +- *sys_exit; +- } bpf_prog_name; +- struct syscall_arg_fmt arg[6]; +- u8 nr_args; +- bool errpid; +- bool timeout; +- bool hexret; +-}; +- + static struct syscall_fmt syscall_fmts[] = { + { .name = "access", + .arg = { [1] = { .scnprintf = SCA_ACCMODE, /* mode */ }, }, }, +@@ -1746,6 +1746,7 @@ static size_t syscall__scnprintf_args(struct syscall *sc, char *bf, size_t size, + if (arg.mask & bit) + continue; + ++ arg.fmt = &sc->arg_fmt[arg.idx]; + val = syscall_arg__val(&arg, arg.idx); + /* + * Some syscall args need some mask, most don't and +diff --git a/tools/perf/trace/beauty/beauty.h b/tools/perf/trace/beauty/beauty.h +index 7e06605f7c76..4cc4f6b3d4a1 100644 +--- a/tools/perf/trace/beauty/beauty.h ++++ b/tools/perf/trace/beauty/beauty.h +@@ -78,6 +78,8 @@ struct augmented_arg { + u64 value[]; + }; + ++struct syscall_arg_fmt; ++ + /** + * @val: value of syscall argument being formatted + * @args: All the args, use syscall_args__val(arg, nth) to access one +@@ -94,6 +96,7 @@ struct augmented_arg { + struct syscall_arg { + unsigned long val; + unsigned char *args; ++ struct syscall_arg_fmt *fmt; + struct { + struct augmented_arg *args; + int size; +-- +2.35.1 + diff --git a/queue-5.4/perf-trace-allow-associating-scnprintf-routines-with.patch b/queue-5.4/perf-trace-allow-associating-scnprintf-routines-with.patch new file mode 100644 index 00000000000..aaf44f88bab --- /dev/null +++ b/queue-5.4/perf-trace-allow-associating-scnprintf-routines-with.patch 
@@ -0,0 +1,74 @@ +From 4633c53bb25998d8a4824c9249b4a63fc817076a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2019 15:50:15 -0300 +Subject: perf trace: Allow associating scnprintf routines with well known arg + names + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 5d88099bc00dccddf5da18e25e1223f01644f7a2 ] + +For instance 'msr' appears in several tracepoints, so we can associate +it with a single scnprintf() routine auto-generated from kernel headers, +as will be done in followup patches. + +Start with an empty array of associations. + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-89ptht6s5fez82lykuwq1eyb@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: 03e9a5d8eb55 ("perf trace: Handle failure when trace point folder is missed") +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index e01952883cbc..02cf39970ed0 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -1455,6 +1455,27 @@ static int syscall__alloc_arg_fmts(struct syscall *sc, int nr_args) + return 0; + } + ++static struct syscall_arg_fmt syscall_arg_fmts__by_name[] = { ++}; ++ ++static int syscall_arg_fmt__cmp(const void *name, const void *fmtp) ++{ ++ const struct syscall_arg_fmt *fmt = fmtp; ++ return strcmp(name, fmt->name); ++} ++ ++static struct syscall_arg_fmt * ++__syscall_arg_fmt__find_by_name(struct syscall_arg_fmt *fmts, const int nmemb, const char *name) ++{ ++ return bsearch(name, fmts, nmemb, sizeof(struct syscall_arg_fmt), syscall_arg_fmt__cmp); ++} ++ ++static struct syscall_arg_fmt *syscall_arg_fmt__find_by_name(const char *name) ++{ ++ const int nmemb = ARRAY_SIZE(syscall_arg_fmts__by_name); ++ return __syscall_arg_fmt__find_by_name(syscall_arg_fmts__by_name, nmemb, name); ++} ++ + static struct tep_format_field * + 
syscall_arg_fmt__init_array(struct syscall_arg_fmt *arg, struct tep_format_field *field) + { +@@ -1491,6 +1512,11 @@ syscall_arg_fmt__init_array(struct syscall_arg_fmt *arg, struct tep_format_field + * 7 unsigned long + */ + arg->scnprintf = SCA_FD; ++ } else { ++ struct syscall_arg_fmt *fmt = syscall_arg_fmt__find_by_name(field->name); ++ ++ if (fmt) ++ arg->scnprintf = fmt->scnprintf; + } + } + +-- +2.35.1 + diff --git a/queue-5.4/perf-trace-factor-out-the-initialization-of-syscal_a.patch b/queue-5.4/perf-trace-factor-out-the-initialization-of-syscal_a.patch new file mode 100644 index 00000000000..12b50bbed4d --- /dev/null +++ b/queue-5.4/perf-trace-factor-out-the-initialization-of-syscal_a.patch 
@@ -0,0 +1,97 @@ +From 5f5b34beec14ecafa38fa6bcee856d4a2db29121 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Oct 2019 15:57:42 -0300 +Subject: perf trace: Factor out the initialization of + syscal_arg_fmt->scnprintf +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 8d1d4ff5e239d9ef385444bc0d855127d7b32754 ] + +We set the default scnprint routines for the syscall args based on its +type or on heuristics based on its names, now we'll use this for +tracepoints as well, so move it out of syscall__set_arg_fmts() and into +a routine that receive just an array of syscall_arg_fmt entries + the +tracepoint format fields list. + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Luis Cláudio Gonçalves +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-xs3x0zzyes06c7scdsjn01ty@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: 03e9a5d8eb55 ("perf trace: Handle failure when trace point folder is missed") +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index 5dc8b123d3f5..175150e90cdc 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -1455,15 +1455,16 @@ static int syscall__alloc_arg_fmts(struct syscall *sc, int nr_args) + return 0; + } + +-static int syscall__set_arg_fmts(struct syscall *sc) ++static struct tep_format_field * ++syscall_arg_fmt__init_array(struct syscall_arg_fmt *arg, struct tep_format_field *field) + { +- struct tep_format_field *field, *last_field = NULL; +- int idx = 0, len; ++ struct tep_format_field *last_field = NULL; ++ int len; + +- for (field = sc->args; field; field = field->next, ++idx) { ++ for (; field; field = field->next, ++arg) { + last_field = field; + +- if (sc->fmt && sc->fmt->arg[idx].scnprintf) ++ if (arg->scnprintf) + 
continue; + + len = strlen(field->name); +@@ -1471,13 +1472,13 @@ static int syscall__set_arg_fmts(struct syscall *sc) + if (strcmp(field->type, "const char *") == 0 && + ((len >= 4 && strcmp(field->name + len - 4, "name") == 0) || + strstr(field->name, "path") != NULL)) +- sc->arg_fmt[idx].scnprintf = SCA_FILENAME; ++ arg->scnprintf = SCA_FILENAME; + else if ((field->flags & TEP_FIELD_IS_POINTER) || strstr(field->name, "addr")) +- sc->arg_fmt[idx].scnprintf = SCA_PTR; ++ arg->scnprintf = SCA_PTR; + else if (strcmp(field->type, "pid_t") == 0) +- sc->arg_fmt[idx].scnprintf = SCA_PID; ++ arg->scnprintf = SCA_PID; + else if (strcmp(field->type, "umode_t") == 0) +- sc->arg_fmt[idx].scnprintf = SCA_MODE_T; ++ arg->scnprintf = SCA_MODE_T; + else if ((strcmp(field->type, "int") == 0 || + strcmp(field->type, "unsigned int") == 0 || + strcmp(field->type, "long") == 0) && +@@ -1489,10 +1490,17 @@ static int syscall__set_arg_fmts(struct syscall *sc) + * 23 unsigned int + * 7 unsigned long + */ +- sc->arg_fmt[idx].scnprintf = SCA_FD; ++ arg->scnprintf = SCA_FD; + } + } + ++ return last_field; ++} ++ ++static int syscall__set_arg_fmts(struct syscall *sc) ++{ ++ struct tep_format_field *last_field = syscall_arg_fmt__init_array(sc->arg_fmt, sc->args); ++ + if (last_field) + sc->args_size = last_field->offset + last_field->size; + +-- +2.35.1 + diff --git a/queue-5.4/perf-trace-handle-failure-when-trace-point-folder-is.patch b/queue-5.4/perf-trace-handle-failure-when-trace-point-folder-is.patch new file mode 100644 index 00000000000..4a5f1397c6c --- /dev/null +++ b/queue-5.4/perf-trace-handle-failure-when-trace-point-folder-is.patch 
@@ -0,0 +1,93 @@ +From 9fd96327381d364d81d251b688f70e05f222dbf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 07:52:35 +0000 +Subject: perf trace: Handle failure when trace point folder is missed + +From: Leo Yan + +[ Upstream commit 03e9a5d8eb552a1bf692a9c8a5ecd50f4e428006 ] + +On Arm64 a case is perf tools fails to find the corresponding trace +point folder for system calls listed in the table 'syscalltbl_arm64', +e.g. the generated system call table contains "lookup_dcookie" but we +cannot find out the matched trace point folder for it. + +We need to figure out if there have any issue for the generated system +call table, on the other hand, we need to handle the case when trace +point folder is missed under sysfs, this patch sets the flag +syscall::nonexistent as true and returns the error from +trace__read_syscall_info(). + +Another problem is for trace__syscall_info(), it returns two different +values if a system call doesn't exist: at the first time calling +trace__syscall_info() it returns NULL when the system call doesn't exist, +later if call trace__syscall_info() again for the same missed system +call, it returns pointer of syscall. trace__syscall_info() checks the +condition 'syscalls.table[id].name == NULL', but the name will be +assigned in the first invoking even the system call is not found. + +So checking system call's name in trace__syscall_info() is not the right +thing to do, this patch simply checks flag syscall::nonexistent to make +decision if a system call exists or not, finally trace__syscall_info() +returns the consistent result (NULL) if a system call doesn't existed. 
+ +Fixes: b8b1033fcaa091d8 ("perf trace: Mark syscall ids that are not allocated to avoid unnecessary error messages") +Signed-off-by: Leo Yan +Acked-by: Ian Rogers +Cc: Alexander Shishkin +Cc: bpf@vger.kernel.org +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20221121075237.127706-4-leo.yan@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index e41b6ffafbd3..6052eb057821 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -1573,13 +1573,19 @@ static int trace__read_syscall_info(struct trace *trace, int id) + sc->tp_format = trace_event__tp_format("syscalls", tp_name); + } + ++ /* ++ * Fails to read trace point format via sysfs node, so the trace point ++ * doesn't exist. Set the 'nonexistent' flag as true. ++ */ ++ if (IS_ERR(sc->tp_format)) { ++ sc->nonexistent = true; ++ return PTR_ERR(sc->tp_format); ++ } ++ + if (syscall__alloc_arg_fmts(sc, IS_ERR(sc->tp_format) ? + RAW_SYSCALL_ARGS_NUM : sc->tp_format->format.nr_fields)) + return -ENOMEM; + +- if (IS_ERR(sc->tp_format)) +- return PTR_ERR(sc->tp_format); +- + sc->args = sc->tp_format->format.fields; + /* + * We need to check and discard the first variable '__syscall_nr' +@@ -1871,11 +1877,8 @@ static struct syscall *trace__syscall_info(struct trace *trace, + (err = trace__read_syscall_info(trace, id)) != 0) + goto out_cant_read; + +- if (trace->syscalls.table[id].name == NULL) { +- if (trace->syscalls.table[id].nonexistent) +- return NULL; ++ if (trace->syscalls.table && trace->syscalls.table[id].nonexistent) + goto out_cant_read; +- } + + return &trace->syscalls.table[id]; + +-- +2.35.1 + 
diff --git a/queue-5.4/perf-trace-return-error-if-a-system-call-doesn-t-exi.patch b/queue-5.4/perf-trace-return-error-if-a-system-call-doesn-t-exi.patch new file mode 100644 index 00000000000..0b716326099 --- /dev/null +++ b/queue-5.4/perf-trace-return-error-if-a-system-call-doesn-t-exi.patch 
@@ -0,0 +1,55 @@ +From b2e2173d8fcbb6fc1d40b2766965ec1c780bd3d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 07:52:34 +0000 +Subject: perf trace: Return error if a system call doesn't exist + +From: Leo Yan + +[ Upstream commit d4223e1776c30b2ce8d0e6eaadcbf696e60fca3c ] + +When a system call is not detected, the reason is either because the +system call ID is out of scope or failure to find the corresponding path +in the sysfs, trace__read_syscall_info() returns zero. Finally, without +returning an error value it introduces confusion for the caller. + +This patch lets the function trace__read_syscall_info() to return +-EEXIST when a system call doesn't exist. + +Fixes: b8b1033fcaa091d8 ("perf trace: Mark syscall ids that are not allocated to avoid unnecessary error messages") +Signed-off-by: Leo Yan +Acked-by: Ian Rogers +Cc: Alexander Shishkin +Cc: bpf@vger.kernel.org +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20221121075237.127706-3-leo.yan@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index a5201de1a191..d333f6c86c98 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -1511,11 +1511,11 @@ static int trace__read_syscall_info(struct trace *trace, int id) + + sc = trace->syscalls.table + id; + if (sc->nonexistent) +- return 0; ++ return -EEXIST; + + if (name == NULL) { + sc->nonexistent = true; +- return 0; ++ return -EEXIST; + } + + sc->name = name; +-- +2.35.1 + diff --git a/queue-5.4/perf-trace-separate-struct-syscall_fmt-definition-fr.patch b/queue-5.4/perf-trace-separate-struct-syscall_fmt-definition-fr.patch new file mode 100644 index 00000000000..fd7ad584d62 --- /dev/null 
+++ b/queue-5.4/perf-trace-separate-struct-syscall_fmt-definition-fr.patch 
@@ -0,0 +1,70 @@ +From 75bcae265fcddc779189268e258686a5c8a8a1ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2019 15:16:33 -0300 +Subject: perf trace: Separate 'struct syscall_fmt' definition from + syscall_fmts variable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 9b2036cd329924082acfa5dec58deec12fa1f5e8 ] + +As this has all the things needed to format tracepoints events, not just +syscalls, that, after all, are just tracepoints with a set in stone ABI, +i.e. order and number of parameters. + +For tracepoints we'll create a + + static struct syscall_fmt tracepoint_fmts[] + +array and will fill the ->arg[] entries with the beautifier for each +positional argument and record the name, then, when we need it, we'll +just check that the position has the same name, maybe even type, so that +we can do some check that the tracepoint hasn't changed, if it has, we +can even reorder things. + +Keep calling it syscall_fmt but use it as well for tracepoints, do it +this way to minimize changes and reuse what is in place for syscalls, +we'll see. 
+ +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Luis Cláudio Gonçalves +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-2x1jgiev13zt4njaanlnne0d@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: 03e9a5d8eb55 ("perf trace: Handle failure when trace point folder is missed") +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index d333f6c86c98..5dc8b123d3f5 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -702,7 +702,7 @@ struct syscall_arg_fmt { + bool show_zero; + }; + +-static struct syscall_fmt { ++struct syscall_fmt { + const char *name; + const char *alias; + struct { +@@ -714,7 +714,9 @@ static struct syscall_fmt { + bool errpid; + bool timeout; + bool hexret; +-} syscall_fmts[] = { ++}; ++ ++static struct syscall_fmt syscall_fmts[] = { + { .name = "access", + .arg = { [1] = { .scnprintf = SCA_ACCMODE, /* mode */ }, }, }, + { .name = "arch_prctl", +-- +2.35.1 + diff --git a/queue-5.4/perf-trace-use-macro-raw_syscall_args_num-to-replace.patch b/queue-5.4/perf-trace-use-macro-raw_syscall_args_num-to-replace.patch new file mode 100644 index 00000000000..d83c7214779 --- /dev/null +++ b/queue-5.4/perf-trace-use-macro-raw_syscall_args_num-to-replace.patch 
@@ -0,0 +1,82 @@ +From 5c3137af704d9ef957c7b5b4af0d149196c2643c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 07:52:33 +0000 +Subject: perf trace: Use macro RAW_SYSCALL_ARGS_NUM to replace number + +From: Leo Yan + +[ Upstream commit eadcab4c7a66e1df03d32da0db55d89fd9343fcc ] + +This patch defines a macro RAW_SYSCALL_ARGS_NUM to replace the open +coded number '6'. + +Signed-off-by: Leo Yan +Acked-by: Ian Rogers +Cc: Alexander Shishkin +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: bpf@vger.kernel.org +Link: https://lore.kernel.org/r/20221121075237.127706-2-leo.yan@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: 03e9a5d8eb55 ("perf trace: Handle failure when trace point folder is missed") +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index 4cb3252623f5..e41b6ffafbd3 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -86,6 +86,8 @@ + # define F_LINUX_SPECIFIC_BASE 1024 + #endif + ++#define RAW_SYSCALL_ARGS_NUM 6 ++ + /* + * strtoul: Go from a string to a value, i.e. 
for msr: MSR_FS_BASE to 0xc0000100 + */ +@@ -105,7 +107,7 @@ struct syscall_fmt { + const char *sys_enter, + *sys_exit; + } bpf_prog_name; +- struct syscall_arg_fmt arg[6]; ++ struct syscall_arg_fmt arg[RAW_SYSCALL_ARGS_NUM]; + u8 nr_args; + bool errpid; + bool timeout; +@@ -1018,7 +1020,7 @@ struct syscall { + */ + struct bpf_map_syscall_entry { + bool enabled; +- u16 string_args_len[6]; ++ u16 string_args_len[RAW_SYSCALL_ARGS_NUM]; + }; + + /* +@@ -1443,7 +1445,7 @@ static int syscall__alloc_arg_fmts(struct syscall *sc, int nr_args) + { + int idx; + +- if (nr_args == 6 && sc->fmt && sc->fmt->nr_args != 0) ++ if (nr_args == RAW_SYSCALL_ARGS_NUM && sc->fmt && sc->fmt->nr_args != 0) + nr_args = sc->fmt->nr_args; + + sc->arg_fmt = calloc(nr_args, sizeof(*sc->arg_fmt)); +@@ -1571,7 +1573,8 @@ static int trace__read_syscall_info(struct trace *trace, int id) + sc->tp_format = trace_event__tp_format("syscalls", tp_name); + } + +- if (syscall__alloc_arg_fmts(sc, IS_ERR(sc->tp_format) ? 6 : sc->tp_format->format.nr_fields)) ++ if (syscall__alloc_arg_fmts(sc, IS_ERR(sc->tp_format) ? ++ RAW_SYSCALL_ARGS_NUM : sc->tp_format->format.nr_fields)) + return -ENOMEM; + + if (IS_ERR(sc->tp_format)) +-- +2.35.1 + diff --git a/queue-5.4/perf-x86-intel-uncore-fix-reference-count-leak-in-hs.patch b/queue-5.4/perf-x86-intel-uncore-fix-reference-count-leak-in-hs.patch new file mode 100644 index 00000000000..36edb0c6316 --- /dev/null +++ b/queue-5.4/perf-x86-intel-uncore-fix-reference-count-leak-in-hs.patch 
@@ -0,0 +1,40 @@ +From 1937fe677f820cb640e4ee4ab3012ccce93996e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 14:31:35 +0800 +Subject: perf/x86/intel/uncore: Fix reference count leak in + hswep_has_limit_sbox() + +From: Xiongfeng Wang + +[ Upstream commit 1ff9dd6e7071a561f803135c1d684b13c7a7d01d ] + +pci_get_device() will increase the reference count for the returned +'dev'. We need to call pci_dev_put() to decrease the reference count. +Since 'dev' is only used in pci_read_config_dword(), let's add +pci_dev_put() right after it. + +Fixes: 9d480158ee86 ("perf/x86/intel/uncore: Remove uncore extra PCI dev HSWEP_PCI_PCU_3") +Signed-off-by: Xiongfeng Wang +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Kan Liang +Link: https://lore.kernel.org/r/20221118063137.121512-3-wangxiongfeng2@huawei.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_snbep.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c +index 0f61f46e6086..fe2edc760e60 100644 +--- a/arch/x86/events/intel/uncore_snbep.c ++++ b/arch/x86/events/intel/uncore_snbep.c +@@ -2762,6 +2762,7 @@ static bool hswep_has_limit_sbox(unsigned int device) + return false; + + pci_read_config_dword(dev, HSWEP_PCU_CAPID4_OFFET, &capid4); ++ pci_dev_put(dev); + if (!hswep_get_chop(capid4)) + return true; + +-- +2.35.1 + diff --git a/queue-5.4/pinctrl-pinconf-generic-add-missing-of_node_put.patch b/queue-5.4/pinctrl-pinconf-generic-add-missing-of_node_put.patch new file mode 100644 index 00000000000..c51e72dadb6 --- /dev/null +++ b/queue-5.4/pinctrl-pinconf-generic-add-missing-of_node_put.patch 
@@ -0,0 +1,40 @@ +From e469887168ff3ef55954bda757dc59b8065a8d4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 07:01:56 +0000 +Subject: pinctrl: pinconf-generic: add missing of_node_put() + +From: ZhangPeng + +[ Upstream commit 5ead93289815a075d43c415e35c8beafafb801c9 ] + +of_node_put() needs to be called when jumping out of the loop, since +for_each_available_child_of_node() will increase the refcount of node. + +Fixes: c7289500e29d ("pinctrl: pinconf-generic: scan also referenced phandle node") +Signed-off-by: ZhangPeng +Link: https://lore.kernel.org/r/20221125070156.3535855-1-zhangpeng362@huawei.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinconf-generic.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/pinconf-generic.c b/drivers/pinctrl/pinconf-generic.c +index 355bc4c748e2..02c015577cf9 100644 +--- a/drivers/pinctrl/pinconf-generic.c ++++ b/drivers/pinctrl/pinconf-generic.c +@@ -391,8 +391,10 @@ int pinconf_generic_dt_node_to_map(struct pinctrl_dev *pctldev, + for_each_available_child_of_node(np_config, np) { + ret = pinconf_generic_dt_subnode_to_map(pctldev, np, map, + &reserved_maps, num_maps, type); +- if (ret < 0) ++ if (ret < 0) { ++ of_node_put(np); + goto exit; ++ } + } + return 0; + +-- +2.35.1 + diff --git a/queue-5.4/platform-x86-mxm-wmi-fix-memleak-in-mxm_wmi_call_mx-.patch b/queue-5.4/platform-x86-mxm-wmi-fix-memleak-in-mxm_wmi_call_mx-.patch new file mode 100644 index 00000000000..a159ed1d492 --- /dev/null +++ b/queue-5.4/platform-x86-mxm-wmi-fix-memleak-in-mxm_wmi_call_mx-.patch 
@@ -0,0 +1,62 @@ +From 7dbf52b0eb363b559190358d64b32a996035fb96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Nov 2022 09:11:01 +0800 +Subject: platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]() + +From: Yu Liao + +[ Upstream commit 727cc0147f5066e359aca65cc6cc5e6d64cc15d8 ] + +The ACPI buffer memory (out.pointer) returned by wmi_evaluate_method() +is not freed after the call, so it leads to memory leak. + +The method results in ACPI buffer is not used, so just pass NULL to +wmi_evaluate_method() which fixes the memory leak. + +Fixes: 99b38b4acc0d ("platform/x86: add MXM WMI driver.") +Signed-off-by: Yu Liao +Link: https://lore.kernel.org/r/20221129011101.2042315-1-liaoyu15@huawei.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/mxm-wmi.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/platform/x86/mxm-wmi.c b/drivers/platform/x86/mxm-wmi.c +index 9a19fbd2f734..9a457956025a 100644 +--- a/drivers/platform/x86/mxm-wmi.c ++++ b/drivers/platform/x86/mxm-wmi.c +@@ -35,13 +35,11 @@ int mxm_wmi_call_mxds(int adapter) + .xarg = 1, + }; + struct acpi_buffer input = { (acpi_size)sizeof(args), &args }; +- struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; + acpi_status status; + + printk("calling mux switch %d\n", adapter); + +- status = wmi_evaluate_method(MXM_WMMX_GUID, 0x0, adapter, &input, +- &output); ++ status = wmi_evaluate_method(MXM_WMMX_GUID, 0x0, adapter, &input, NULL); + + if (ACPI_FAILURE(status)) + return status; +@@ -60,13 +58,11 @@ int mxm_wmi_call_mxmx(int adapter) + .xarg = 1, + }; + struct acpi_buffer input = { (acpi_size)sizeof(args), &args }; +- struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; + acpi_status status; + + printk("calling mux switch %d\n", adapter); + +- status = wmi_evaluate_method(MXM_WMMX_GUID, 0x0, adapter, &input, +- &output); ++ status = wmi_evaluate_method(MXM_WMMX_GUID, 0x0, adapter, 
&input, NULL); + + if (ACPI_FAILURE(status)) + return status; +-- +2.35.1 + diff --git a/queue-5.4/pm-hibernate-fix-mistake-in-kerneldoc-comment.patch b/queue-5.4/pm-hibernate-fix-mistake-in-kerneldoc-comment.patch new file mode 100644 index 00000000000..948497103a5 --- /dev/null +++ b/queue-5.4/pm-hibernate-fix-mistake-in-kerneldoc-comment.patch @@ -0,0 +1,45 @@ +From 0bbbc9cc49c60727953cb9a4e42eb6aed5240c3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 10:28:39 +0800 +Subject: PM: hibernate: Fix mistake in kerneldoc comment + +From: xiongxin + +[ Upstream commit 6e5d7300cbe7c3541bc31f16db3e9266e6027b4b ] + +The actual maximum image size formula in hibernate_preallocate_memory() +is as follows: + +max_size = (count - (size + PAGES_FOR_IO)) / 2 + - 2 * DIV_ROUND_UP(reserved_size, PAGE_SIZE); + +but the one in the kerneldoc comment of the function is different and +incorrect. + +Fixes: ddeb64870810 ("PM / Hibernate: Add sysfs knob to control size of memory for drivers") +Signed-off-by: xiongxin +[ rjw: Subject and changelog rewrite ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/snapshot.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c +index 46455aa7951e..5092b8bfa1db 100644 +--- a/kernel/power/snapshot.c ++++ b/kernel/power/snapshot.c +@@ -1680,8 +1680,8 @@ static unsigned long minimum_image_size(unsigned long saveable) + * /sys/power/reserved_size, respectively). To make this happen, we compute the + * total number of available page frames and allocate at least + * +- * ([page frames total] + PAGES_FOR_IO + [metadata pages]) / 2 +- * + 2 * DIV_ROUND_UP(reserved_size, PAGE_SIZE) ++ * ([page frames total] - PAGES_FOR_IO - [metadata pages]) / 2 ++ * - 2 * DIV_ROUND_UP(reserved_size, PAGE_SIZE) + * + * of them, which corresponds to the maximum size of a hibernation image. + * +-- +2.35.1 + 
diff --git a/queue-5.4/pm-runtime-do-not-call-__rpm_callback-from-rpm_idle.patch b/queue-5.4/pm-runtime-do-not-call-__rpm_callback-from-rpm_idle.patch new file mode 100644 index 00000000000..b91f229dd96 --- /dev/null +++ b/queue-5.4/pm-runtime-do-not-call-__rpm_callback-from-rpm_idle.patch 
@@ -0,0 +1,54 @@ +From 110aaedb4ee40899a36a273475b4e53795d06486 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 15:30:28 +0100 +Subject: PM: runtime: Do not call __rpm_callback() from rpm_idle() + +From: Rafael J. Wysocki + +[ Upstream commit bc80c2e438dcbfcf748452ec0f7ad5b79ff3ad88 ] + +Calling __rpm_callback() from rpm_idle() after adding device links +support to the former is a clear mistake. + +Not only it causes rpm_idle() to carry out unnecessary actions, but it +is also against the assumption regarding the stability of PM-runtime +status across __rpm_callback() invocations, because rpm_suspend() and +rpm_resume() may run in parallel with __rpm_callback() when it is called +by rpm_idle() and the device's PM-runtime status can be updated by any +of them. + +Fixes: 21d5c57b3726 ("PM / runtime: Use device links") +Link: https://lore.kernel.org/linux-pm/36aed941-a73e-d937-2721-4f0decd61ce0@quicinc.com +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Adrian Hunter +Signed-off-by: Sasha Levin +--- + drivers/base/power/runtime.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index 24a3013728c3..9ee58bf49d13 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -465,7 +465,17 @@ static int rpm_idle(struct device *dev, int rpmflags) + + dev->power.idle_notification = true; + +- retval = __rpm_callback(callback, dev); ++ if (dev->power.irq_safe) ++ spin_unlock(&dev->power.lock); ++ else ++ spin_unlock_irq(&dev->power.lock); ++ ++ retval = callback(dev); ++ ++ if (dev->power.irq_safe) ++ spin_lock(&dev->power.lock); ++ else ++ spin_lock_irq(&dev->power.lock); + + dev->power.idle_notification = false; + wake_up_all(&dev->power.wait_queue); +-- +2.35.1 + 
diff --git a/queue-5.4/pm-runtime-improve-path-in-rpm_idle-when-no-callback.patch b/queue-5.4/pm-runtime-improve-path-in-rpm_idle-when-no-callback.patch new file mode 100644 index 00000000000..4926411ed4c --- /dev/null +++ b/queue-5.4/pm-runtime-improve-path-in-rpm_idle-when-no-callback.patch 
@@ -0,0 +1,59 @@ +From bdf8c9e1261928cdc82fb80eec29415dec852717 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 11:02:48 +0200 +Subject: PM: runtime: Improve path in rpm_idle() when no callback + +From: Ulf Hansson + +[ Upstream commit 5a2bd1b1c64e1ac5627db3767ac465f18606315c ] + +When pm_runtime_no_callbacks() has been called for a struct device to set +the dev->power.no_callbacks flag for it, it enables rpm_idle() to take a +slightly quicker path by assuming that a ->runtime_idle() callback would +have returned 0 to indicate success. + +A device that does not have the dev->power.no_callbacks flag set for it, +may still be missing a corresponding ->runtime_idle() callback, in which +case the slower path in rpm_idle() is taken. Let's improve the behaviour +for this case, by aligning code to the quicker path. + +Signed-off-by: Ulf Hansson +Acked-by: Alan Stern +Signed-off-by: Rafael J. Wysocki +Stable-dep-of: bc80c2e438dc ("PM: runtime: Do not call __rpm_callback() from rpm_idle()") +Signed-off-by: Sasha Levin +--- + drivers/base/power/runtime.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index 8fbd376471de..24a3013728c3 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -446,7 +446,10 @@ static int rpm_idle(struct device *dev, int rpmflags) + /* Pending requests need to be canceled. */ + dev->power.request = RPM_REQ_NONE; + +- if (dev->power.no_callbacks) ++ callback = RPM_GET_CALLBACK(dev, runtime_idle); ++ ++ /* If no callback assume success. */ ++ if (!callback || dev->power.no_callbacks) + goto out; + + /* Carry out an asynchronous or a synchronous idle notification. 
*/ +@@ -462,10 +465,7 @@ static int rpm_idle(struct device *dev, int rpmflags) + + dev->power.idle_notification = true; + +- callback = RPM_GET_CALLBACK(dev, runtime_idle); +- +- if (callback) +- retval = __rpm_callback(callback, dev); ++ retval = __rpm_callback(callback, dev); + + dev->power.idle_notification = false; + wake_up_all(&dev->power.wait_queue); +-- +2.35.1 + diff --git a/queue-5.4/pnp-fix-name-memory-leak-in-pnp_alloc_dev.patch b/queue-5.4/pnp-fix-name-memory-leak-in-pnp_alloc_dev.patch new file mode 100644 index 00000000000..81a00f1388b --- /dev/null +++ b/queue-5.4/pnp-fix-name-memory-leak-in-pnp_alloc_dev.patch 
@@ -0,0 +1,46 @@ +From eeed4d71c0eb57b88059c40ef015deb055cdbe59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 09:23:58 +0800 +Subject: PNP: fix name memory leak in pnp_alloc_dev() + +From: Yang Yingliang + +[ Upstream commit 110d7b0325c55ff3620073ba4201845f59e22ebf ] + +After commit 1fa5ae857bb1 ("driver core: get rid of struct device's +bus_id string array"), the name of device is allocated dynamically, +move dev_set_name() after pnp_add_id() to avoid memory leak. + +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Yang Yingliang +Reviewed-by: Hanjun Guo +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/pnp/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pnp/core.c b/drivers/pnp/core.c +index 3bf18d718975..131b925b820d 100644 +--- a/drivers/pnp/core.c ++++ b/drivers/pnp/core.c +@@ -160,14 +160,14 @@ struct pnp_dev *pnp_alloc_dev(struct pnp_protocol *protocol, int id, + dev->dev.coherent_dma_mask = dev->dma_mask; + dev->dev.release = &pnp_release_device; + +- dev_set_name(&dev->dev, "%02x:%02x", dev->protocol->number, dev->number); +- + dev_id = pnp_add_id(dev, pnpid); + if (!dev_id) { + kfree(dev); + return NULL; + } + ++ dev_set_name(&dev->dev, "%02x:%02x", dev->protocol->number, dev->number); ++ + return dev; + } + +-- +2.35.1 + diff --git a/queue-5.4/power-supply-fix-null-pointer-dereferencing-in-power.patch b/queue-5.4/power-supply-fix-null-pointer-dereferencing-in-power.patch new file mode 100644 index 00000000000..8ecd6e075b8 --- /dev/null +++ b/queue-5.4/power-supply-fix-null-pointer-dereferencing-in-power.patch 
@@ -0,0 +1,44 @@ +From c7d9e26abc77c3e6ee1dc66e5e83242ff7fdb2f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 15:51:53 +0800 +Subject: power: supply: fix null pointer dereferencing in + power_supply_get_battery_info + +From: ruanjinjie + +[ Upstream commit 104bb8a663451404a26331263ce5b96c34504049 ] + +when kmalloc() fail to allocate memory in kasprintf(), propname +will be NULL, strcmp() called by of_get_property() will cause +null pointer dereference. + +So return ENOMEM if kasprintf() return NULL pointer. + +Fixes: 3afb50d7125b ("power: supply: core: Add some helpers to use the battery OCV capacity table") +Signed-off-by: ruanjinjie +Reviewed-by: Baolin Wang +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/power_supply_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/power/supply/power_supply_core.c b/drivers/power/supply/power_supply_core.c +index 3afc0b833eb8..fd24254d9014 100644 +--- a/drivers/power/supply/power_supply_core.c ++++ b/drivers/power/supply/power_supply_core.c +@@ -648,6 +648,11 @@ int power_supply_get_battery_info(struct power_supply *psy, + int i, tab_len, size; + + propname = kasprintf(GFP_KERNEL, "ocv-capacity-table-%d", index); ++ if (!propname) { ++ power_supply_put_battery_info(psy, info); ++ err = -ENOMEM; ++ goto out_put_node; ++ } + list = of_get_property(battery_np, propname, &size); + if (!list || !size) { + dev_err(&psy->dev, "failed to get %s\n", propname); +-- +2.35.1 + diff --git a/queue-5.4/power-supply-fix-residue-sysfs-file-in-error-handle-.patch b/queue-5.4/power-supply-fix-residue-sysfs-file-in-error-handle-.patch new file mode 100644 index 00000000000..168220299a3 --- /dev/null +++ b/queue-5.4/power-supply-fix-residue-sysfs-file-in-error-handle-.patch 
@@ -0,0 +1,50 @@ +From bd1ddd89ede7010056402887f6a8b8c79543db72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 16:32:19 +0800 +Subject: power: supply: fix residue sysfs file in error handle route of + __power_supply_register() + +From: Zeng Heng + +[ Upstream commit 5b79480ce1978864ac3f06f2134dfa3b6691fe74 ] + +If device_add() succeeds, we should call device_del() when want to +get rid of it, so move it into proper jump symbol. + +Otherwise, when __power_supply_register() returns fail and goto +wakeup_init_failed to exit, there is still residue device file in sysfs. +When attempt to probe device again, sysfs would complain as below: + +sysfs: cannot create duplicate filename '/devices/platform/i2c/i2c-0/0-001c/power_supply/adp5061' +Call Trace: + dump_stack_lvl+0x68/0x85 + sysfs_warn_dup.cold+0x1c/0x29 + sysfs_create_dir_ns+0x1b1/0x1d0 + kobject_add_internal+0x143/0x390 + kobject_add+0x108/0x170 + +Fixes: 80c6463e2fa3 ("power_supply: Fix Oops from NULL pointer dereference from wakeup_source_activate") +Signed-off-by: Zeng Heng +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/power_supply_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/supply/power_supply_core.c b/drivers/power/supply/power_supply_core.c +index a2f56a68c50d..3afc0b833eb8 100644 +--- a/drivers/power/supply/power_supply_core.c ++++ b/drivers/power/supply/power_supply_core.c +@@ -1104,8 +1104,8 @@ __power_supply_register(struct device *parent, + register_cooler_failed: + psy_unregister_thermal(psy); + register_thermal_failed: +- device_del(dev); + wakeup_init_failed: ++ device_del(dev); + device_add_failed: + check_supplies_failed: + dev_set_name_failed: +-- +2.35.1 + diff --git a/queue-5.4/powerpc-52xx-fix-a-resource-leak-in-an-error-handlin.patch b/queue-5.4/powerpc-52xx-fix-a-resource-leak-in-an-error-handlin.patch new file mode 100644 index 00000000000..ce654f7949a --- /dev/null 
+++ b/queue-5.4/powerpc-52xx-fix-a-resource-leak-in-an-error-handlin.patch @@ -0,0 +1,38 @@ +From e77627440433cfcd5131e2cf49ada0d396ac42a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Jan 2022 08:16:04 +0100 +Subject: powerpc/52xx: Fix a resource leak in an error handling path + +From: Christophe JAILLET + +[ Upstream commit 5836947613ef33d311b4eff6a32d019580a214f5 ] + +The error handling path of mpc52xx_lpbfifo_probe() has a request_irq() +that is not balanced by a corresponding free_irq(). + +Add the missing call, as already done in the remove function. + +Fixes: 3c9059d79f5e ("powerpc/5200: add LocalPlus bus FIFO device driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/dec1496d46ccd5311d0f6e9f9ca4238be11bf6a6.1643440531.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c b/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c +index 05e19470d523..22e264bd3ed2 100644 +--- a/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c ++++ b/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c +@@ -530,6 +530,7 @@ static int mpc52xx_lpbfifo_probe(struct platform_device *op) + err_bcom_rx_irq: + bcom_gen_bd_rx_release(lpbfifo.bcom_rx_task); + err_bcom_rx: ++ free_irq(lpbfifo.irq, &lpbfifo); + err_irq: + iounmap(lpbfifo.regs); + lpbfifo.regs = NULL; +-- +2.35.1 + diff --git a/queue-5.4/powerpc-83xx-mpc832x_rdb-call-platform_device_put-in.patch b/queue-5.4/powerpc-83xx-mpc832x_rdb-call-platform_device_put-in.patch new file mode 100644 index 00000000000..13187c1cdd8 --- /dev/null +++ b/queue-5.4/powerpc-83xx-mpc832x_rdb-call-platform_device_put-in.patch 
@@ -0,0 +1,39 @@ +From 450ccc2d6ff3d26ecf10888d91f7ad8114913441 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Oct 2022 19:16:26 +0800 +Subject: powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in + of_fsl_spi_probe() + +From: Yang Yingliang + +[ Upstream commit 4d0eea415216fe3791da2f65eb41399e70c7bedf ] + +If platform_device_add() is not called or failed, it can not call +platform_device_del() to clean up memory, it should call +platform_device_put() in error case. + +Fixes: 26f6cb999366 ("[POWERPC] fsl_soc: add support for fsl_spi") +Signed-off-by: Yang Yingliang +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20221029111626.429971-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/83xx/mpc832x_rdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/83xx/mpc832x_rdb.c b/arch/powerpc/platforms/83xx/mpc832x_rdb.c +index 4588ce632484..b6354054f883 100644 +--- a/arch/powerpc/platforms/83xx/mpc832x_rdb.c ++++ b/arch/powerpc/platforms/83xx/mpc832x_rdb.c +@@ -107,7 +107,7 @@ static int __init of_fsl_spi_probe(char *type, char *compatible, u32 sysclk, + + goto next; + unreg: +- platform_device_del(pdev); ++ platform_device_put(pdev); + err: + pr_err("%pOF: registration failed\n", np); + next: +-- +2.35.1 + diff --git a/queue-5.4/powerpc-dts-t208x-mark-mac1-and-mac2-as-10g.patch b/queue-5.4/powerpc-dts-t208x-mark-mac1-and-mac2-as-10g.patch new file mode 100644 index 00000000000..221c1967b43 --- /dev/null +++ b/queue-5.4/powerpc-dts-t208x-mark-mac1-and-mac2-as-10g.patch 
@@ -0,0 +1,142 @@ +From 5060b24b8797480f15616087e4f6fe903ec72599 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Oct 2022 16:22:39 -0400 +Subject: powerpc: dts: t208x: Mark MAC1 and MAC2 as 10G + +From: Sean Anderson + +[ Upstream commit 36926a7d70c2d462fca1ed85bfee000d17fd8662 ] + +On the T208X SoCs, MAC1 and MAC2 support XGMII. Add some new MAC dtsi +fragments, and mark the QMAN ports as 10G. + +Fixes: da414bb923d9 ("powerpc/mpc85xx: Add FSL QorIQ DPAA FMan support to the SoC device tree(s)") +Signed-off-by: Sean Anderson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../boot/dts/fsl/qoriq-fman3-0-10g-2.dtsi | 44 +++++++++++++++++++ + .../boot/dts/fsl/qoriq-fman3-0-10g-3.dtsi | 44 +++++++++++++++++++ + arch/powerpc/boot/dts/fsl/t2081si-post.dtsi | 4 +- + 3 files changed, 90 insertions(+), 2 deletions(-) + create mode 100644 arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-2.dtsi + create mode 100644 arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-3.dtsi + +diff --git a/arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-2.dtsi b/arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-2.dtsi +new file mode 100644 +index 000000000000..437dab3fc017 +--- /dev/null ++++ b/arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-2.dtsi +@@ -0,0 +1,44 @@ ++// SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-or-later ++/* ++ * QorIQ FMan v3 10g port #2 device tree stub [ controller @ offset 0x400000 ] ++ * ++ * Copyright 2022 Sean Anderson ++ * Copyright 2012 - 2015 Freescale Semiconductor Inc. 
++ */ ++ ++fman@400000 { ++ fman0_rx_0x08: port@88000 { ++ cell-index = <0x8>; ++ compatible = "fsl,fman-v3-port-rx"; ++ reg = <0x88000 0x1000>; ++ fsl,fman-10g-port; ++ }; ++ ++ fman0_tx_0x28: port@a8000 { ++ cell-index = <0x28>; ++ compatible = "fsl,fman-v3-port-tx"; ++ reg = <0xa8000 0x1000>; ++ fsl,fman-10g-port; ++ }; ++ ++ ethernet@e0000 { ++ cell-index = <0>; ++ compatible = "fsl,fman-memac"; ++ reg = <0xe0000 0x1000>; ++ fsl,fman-ports = <&fman0_rx_0x08 &fman0_tx_0x28>; ++ ptp-timer = <&ptp_timer0>; ++ pcsphy-handle = <&pcsphy0>; ++ }; ++ ++ mdio@e1000 { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ compatible = "fsl,fman-memac-mdio", "fsl,fman-xmdio"; ++ reg = <0xe1000 0x1000>; ++ fsl,erratum-a011043; /* must ignore read errors */ ++ ++ pcsphy0: ethernet-phy@0 { ++ reg = <0x0>; ++ }; ++ }; ++}; +diff --git a/arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-3.dtsi b/arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-3.dtsi +new file mode 100644 +index 000000000000..ad116b17850a +--- /dev/null ++++ b/arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-3.dtsi +@@ -0,0 +1,44 @@ ++// SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-or-later ++/* ++ * QorIQ FMan v3 10g port #3 device tree stub [ controller @ offset 0x400000 ] ++ * ++ * Copyright 2022 Sean Anderson ++ * Copyright 2012 - 2015 Freescale Semiconductor Inc. 
++ */ ++ ++fman@400000 { ++ fman0_rx_0x09: port@89000 { ++ cell-index = <0x9>; ++ compatible = "fsl,fman-v3-port-rx"; ++ reg = <0x89000 0x1000>; ++ fsl,fman-10g-port; ++ }; ++ ++ fman0_tx_0x29: port@a9000 { ++ cell-index = <0x29>; ++ compatible = "fsl,fman-v3-port-tx"; ++ reg = <0xa9000 0x1000>; ++ fsl,fman-10g-port; ++ }; ++ ++ ethernet@e2000 { ++ cell-index = <1>; ++ compatible = "fsl,fman-memac"; ++ reg = <0xe2000 0x1000>; ++ fsl,fman-ports = <&fman0_rx_0x09 &fman0_tx_0x29>; ++ ptp-timer = <&ptp_timer0>; ++ pcsphy-handle = <&pcsphy1>; ++ }; ++ ++ mdio@e3000 { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ compatible = "fsl,fman-memac-mdio", "fsl,fman-xmdio"; ++ reg = <0xe3000 0x1000>; ++ fsl,erratum-a011043; /* must ignore read errors */ ++ ++ pcsphy1: ethernet-phy@0 { ++ reg = <0x0>; ++ }; ++ }; ++}; +diff --git a/arch/powerpc/boot/dts/fsl/t2081si-post.dtsi b/arch/powerpc/boot/dts/fsl/t2081si-post.dtsi +index ecbb447920bc..74e17e134387 100644 +--- a/arch/powerpc/boot/dts/fsl/t2081si-post.dtsi ++++ b/arch/powerpc/boot/dts/fsl/t2081si-post.dtsi +@@ -609,8 +609,8 @@ usb1: usb@211000 { + /include/ "qoriq-bman1.dtsi" + + /include/ "qoriq-fman3-0.dtsi" +-/include/ "qoriq-fman3-0-1g-0.dtsi" +-/include/ "qoriq-fman3-0-1g-1.dtsi" ++/include/ "qoriq-fman3-0-10g-2.dtsi" ++/include/ "qoriq-fman3-0-10g-3.dtsi" + /include/ "qoriq-fman3-0-1g-2.dtsi" + /include/ "qoriq-fman3-0-1g-3.dtsi" + /include/ "qoriq-fman3-0-1g-4.dtsi" +-- +2.35.1 + diff --git a/queue-5.4/powerpc-eeh-drop-redundant-spinlock-initialization.patch b/queue-5.4/powerpc-eeh-drop-redundant-spinlock-initialization.patch new file mode 100644 index 00000000000..ce1e3cad8cd --- /dev/null +++ b/queue-5.4/powerpc-eeh-drop-redundant-spinlock-initialization.patch 
@@ -0,0 +1,38 @@ +From 86876db2705a1ebfcf17c0dcbc7ed2f6cd314552 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 May 2022 09:27:56 +0800 +Subject: powerpc/eeh: Drop redundant spinlock initialization + +From: Haowen Bai + +[ Upstream commit 3def164a5cedad9117859dd4610cae2cc59cb6d2 ] + +slot_errbuf_lock has declared and initialized by DEFINE_SPINLOCK, +so we don't need to spin_lock_init again, drop it. + +Signed-off-by: Haowen Bai +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1652232476-9696-1-git-send-email-baihaowen@meizu.com +Stable-dep-of: 9aafbfa5f57a ("powerpc/pseries/eeh: use correct API for error log size") +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/eeh_pseries.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/eeh_pseries.c b/arch/powerpc/platforms/pseries/eeh_pseries.c +index 4232ba62b1c3..7e36c617282f 100644 +--- a/arch/powerpc/platforms/pseries/eeh_pseries.c ++++ b/arch/powerpc/platforms/pseries/eeh_pseries.c +@@ -867,8 +867,7 @@ static int __init eeh_pseries_init(void) + return -EINVAL; + } + +- /* Initialize error log lock and size */ +- spin_lock_init(&slot_errbuf_lock); ++ /* Initialize error log size */ + eeh_error_buf_size = rtas_token("rtas-error-log-max"); + if (eeh_error_buf_size == RTAS_UNKNOWN_SERVICE) { + pr_info("%s: unknown EEH error log size\n", +-- +2.35.1 + diff --git a/queue-5.4/powerpc-eeh-fix-pseries_eeh_configure_bridge.patch b/queue-5.4/powerpc-eeh-fix-pseries_eeh_configure_bridge.patch new file mode 100644 index 00000000000..4a126f02d35 --- /dev/null +++ b/queue-5.4/powerpc-eeh-fix-pseries_eeh_configure_bridge.patch 
@@ -0,0 +1,55 @@ +From c90dfe7b8aa57a67b77af290483d57eaa533aabc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Apr 2020 13:45:05 +1000 +Subject: powerpc/eeh: Fix pseries_eeh_configure_bridge() + +From: Sam Bobroff + +[ Upstream commit 6fa13640aea7bb0760846981aa2da4245307bd26 ] + +If a device is hot unplgged during EEH recovery, it's possible for the +RTAS call to ibm,configure-pe in pseries_eeh_configure() to return +parameter error (-3), however negative return values are not checked +for and this leads to an infinite loop. + +Fix this by correctly bailing out on negative values. + +Signed-off-by: Sam Bobroff +Signed-off-by: Michael Ellerman +Reviewed-by: Nathan Lynch +Link: https://lore.kernel.org/r/1b0a6010a647dc915816e44845b64d72066676a7.1588045502.git.sbobroff@linux.ibm.com +Stable-dep-of: 9aafbfa5f57a ("powerpc/pseries/eeh: use correct API for error log size") +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/eeh_pseries.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/pseries/eeh_pseries.c b/arch/powerpc/platforms/pseries/eeh_pseries.c +index 893ba3f562c4..04c1ed79bc6e 100644 +--- a/arch/powerpc/platforms/pseries/eeh_pseries.c ++++ b/arch/powerpc/platforms/pseries/eeh_pseries.c +@@ -607,6 +607,8 @@ static int pseries_eeh_configure_bridge(struct eeh_pe *pe) + + if (!ret) + return ret; ++ if (ret < 0) ++ break; + + /* + * If RTAS returns a delay value that's above 100ms, cut it +@@ -627,7 +629,11 @@ static int pseries_eeh_configure_bridge(struct eeh_pe *pe) + + pr_warn("%s: Unable to configure bridge PHB#%x-PE#%x (%d)\n", + __func__, pe->phb->global_number, pe->addr, ret); +- return ret; ++ /* PAPR defines -3 as "Parameter Error" for this function: */ ++ if (ret == -3) ++ return -EINVAL; ++ else ++ return -EIO; + } + + /** +-- +2.35.1 + 
diff --git a/queue-5.4/powerpc-hv-gpci-fix-hv_gpci-event-list.patch b/queue-5.4/powerpc-hv-gpci-fix-hv_gpci-event-list.patch new file mode 100644 index 00000000000..17edb3fb111 --- /dev/null +++ b/queue-5.4/powerpc-hv-gpci-fix-hv_gpci-event-list.patch 
@@ -0,0 +1,174 @@ +From 8d39737274a03a5570e24ea695a3d3a42e03f0e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Nov 2022 23:15:13 +0530 +Subject: powerpc/hv-gpci: Fix hv_gpci event list + +From: Kajol Jain + +[ Upstream commit 03f7c1d2a49acd30e38789cd809d3300721e9b0e ] + +Based on getPerfCountInfo v1.018 documentation, some of the +hv_gpci events were deprecated for platform firmware that +supports counter_info_version 0x8 or above. + +Fix the hv_gpci event list by adding a new attribute group +called "hv_gpci_event_attrs_v6" and a "ENABLE_EVENTS_COUNTERINFO_V6" +macro to enable these events for platform firmware +that supports counter_info_version 0x6 or below. And assigning +the hv_gpci event list based on output counter info version +of underlying plaform. + +Fixes: 97bf2640184f ("powerpc/perf/hv-gpci: add the remaining gpci requests") +Signed-off-by: Kajol Jain +Reviewed-by: Madhavan Srinivasan +Reviewed-by: Athira Rajeev +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20221130174513.87501-1-kjain@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/hv-gpci-requests.h | 4 ++++ + arch/powerpc/perf/hv-gpci.c | 33 +++++++++++++++++++++++++++- + arch/powerpc/perf/hv-gpci.h | 1 + + arch/powerpc/perf/req-gen/perf.h | 20 +++++++++++++++++ + 4 files changed, 57 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/perf/hv-gpci-requests.h b/arch/powerpc/perf/hv-gpci-requests.h +index 8965b4463d43..5e86371a20c7 100644 +--- a/arch/powerpc/perf/hv-gpci-requests.h ++++ b/arch/powerpc/perf/hv-gpci-requests.h +@@ -79,6 +79,7 @@ REQUEST(__field(0, 8, partition_id) + ) + #include I(REQUEST_END) + ++#ifdef ENABLE_EVENTS_COUNTERINFO_V6 + /* + * Not available for counter_info_version >= 0x8, use + * run_instruction_cycles_by_partition(0x100) instead. 
+@@ -92,6 +93,7 @@ REQUEST(__field(0, 8, partition_id) + __count(0x10, 8, cycles) + ) + #include I(REQUEST_END) ++#endif + + #define REQUEST_NAME system_performance_capabilities + #define REQUEST_NUM 0x40 +@@ -103,6 +105,7 @@ REQUEST(__field(0, 1, perf_collect_privileged) + ) + #include I(REQUEST_END) + ++#ifdef ENABLE_EVENTS_COUNTERINFO_V6 + #define REQUEST_NAME processor_bus_utilization_abc_links + #define REQUEST_NUM 0x50 + #define REQUEST_IDX_KIND "hw_chip_id=?" +@@ -194,6 +197,7 @@ REQUEST(__field(0, 4, phys_processor_idx) + __count(0x28, 8, instructions_completed) + ) + #include I(REQUEST_END) ++#endif + + /* Processor_core_power_mode (0x95) skipped, no counters */ + /* Affinity_domain_information_by_virtual_processor (0xA0) skipped, +diff --git a/arch/powerpc/perf/hv-gpci.c b/arch/powerpc/perf/hv-gpci.c +index 732cfc53e260..ac3f3df57fe3 100644 +--- a/arch/powerpc/perf/hv-gpci.c ++++ b/arch/powerpc/perf/hv-gpci.c +@@ -70,7 +70,7 @@ static struct attribute_group format_group = { + + static struct attribute_group event_group = { + .name = "events", +- .attrs = hv_gpci_event_attrs, ++ /* .attrs is set in init */ + }; + + #define HV_CAPS_ATTR(_name, _format) \ +@@ -280,6 +280,7 @@ static int hv_gpci_init(void) + int r; + unsigned long hret; + struct hv_perf_caps caps; ++ struct hv_gpci_request_buffer *arg; + + hv_gpci_assert_offsets_correct(); + +@@ -298,6 +299,36 @@ static int hv_gpci_init(void) + /* sampling not supported */ + h_gpci_pmu.capabilities |= PERF_PMU_CAP_NO_INTERRUPT; + ++ arg = (void *)get_cpu_var(hv_gpci_reqb); ++ memset(arg, 0, HGPCI_REQ_BUFFER_SIZE); ++ ++ /* ++ * hcall H_GET_PERF_COUNTER_INFO populates the output ++ * counter_info_version value based on the system hypervisor. ++ * Pass the counter request 0x10 corresponds to request type ++ * 'Dispatch_timebase_by_processor', to get the supported ++ * counter_info_version. 
++ */ ++ arg->params.counter_request = cpu_to_be32(0x10); ++ ++ r = plpar_hcall_norets(H_GET_PERF_COUNTER_INFO, ++ virt_to_phys(arg), HGPCI_REQ_BUFFER_SIZE); ++ if (r) { ++ pr_devel("hcall failed, can't get supported counter_info_version: 0x%x\n", r); ++ arg->params.counter_info_version_out = 0x8; ++ } ++ ++ /* ++ * Use counter_info_version_out value to assign ++ * required hv-gpci event list. ++ */ ++ if (arg->params.counter_info_version_out >= 0x8) ++ event_group.attrs = hv_gpci_event_attrs; ++ else ++ event_group.attrs = hv_gpci_event_attrs_v6; ++ ++ put_cpu_var(hv_gpci_reqb); ++ + r = perf_pmu_register(&h_gpci_pmu, h_gpci_pmu.name, -1); + if (r) + return r; +diff --git a/arch/powerpc/perf/hv-gpci.h b/arch/powerpc/perf/hv-gpci.h +index a3053eda5dcc..060e464d35c6 100644 +--- a/arch/powerpc/perf/hv-gpci.h ++++ b/arch/powerpc/perf/hv-gpci.h +@@ -53,6 +53,7 @@ enum { + #define REQUEST_FILE "../hv-gpci-requests.h" + #define NAME_LOWER hv_gpci + #define NAME_UPPER HV_GPCI ++#define ENABLE_EVENTS_COUNTERINFO_V6 + #include "req-gen/perf.h" + #undef REQUEST_FILE + #undef NAME_LOWER +diff --git a/arch/powerpc/perf/req-gen/perf.h b/arch/powerpc/perf/req-gen/perf.h +index fa9bc804e67a..6b2a59fefffa 100644 +--- a/arch/powerpc/perf/req-gen/perf.h ++++ b/arch/powerpc/perf/req-gen/perf.h +@@ -139,6 +139,26 @@ PMU_EVENT_ATTR_STRING( \ + #define REQUEST_(r_name, r_value, r_idx_1, r_fields) \ + r_fields + ++/* Generate event list for platforms with counter_info_version 0x6 or below */ ++static __maybe_unused struct attribute *hv_gpci_event_attrs_v6[] = { ++#include REQUEST_FILE ++ NULL ++}; ++ ++/* ++ * Based on getPerfCountInfo v1.018 documentation, some of the hv-gpci ++ * events were deprecated for platform firmware that supports ++ * counter_info_version 0x8 or above. ++ * Those deprecated events are still part of platform firmware that ++ * support counter_info_version 0x6 and below. As per the getPerfCountInfo ++ * v1.018 documentation there is no counter_info_version 0x7. 
++ * Undefining macro ENABLE_EVENTS_COUNTERINFO_V6, to disable the addition of ++ * deprecated events in "hv_gpci_event_attrs" attribute group, for platforms ++ * that supports counter_info_version 0x8 or above. ++ */ ++#undef ENABLE_EVENTS_COUNTERINFO_V6 ++ ++/* Generate event list for platforms with counter_info_version 0x8 or above*/ + static __maybe_unused struct attribute *hv_gpci_event_attrs[] = { + #include REQUEST_FILE + NULL +-- +2.35.1 + diff --git a/queue-5.4/powerpc-perf-callchain-validate-kernel-stack-pointer.patch b/queue-5.4/powerpc-perf-callchain-validate-kernel-stack-pointer.patch new file mode 100644 index 00000000000..7f0a3613f79 --- /dev/null +++ b/queue-5.4/powerpc-perf-callchain-validate-kernel-stack-pointer.patch 
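Review bot: in the hv_gpci_init() hunk of arch/powerpc/perf/hv-gpci.c, the hcall failure branch forces counter_info_version_out to 0x8 and reports the failure only through pr_devel(), so a failed H_GET_PERF_COUNTER_INFO silently selects hv_gpci_event_attrs, the list built without the deprecated events. Either say in the comment why the newer list is the right fallback when the version could not be read, or make the message visible in normal builds (pr_warn or pr_info). The bare 0x10 and 0x8 would also read better as named constants, since the same 0x8 threshold is used twice a few lines apart.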
@@ -0,0 +1,46 @@ +From 6f76193e3a59625be9c12c311b35737e9ac00f45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Nov 2022 22:49:28 +1000 +Subject: powerpc/perf: callchain validate kernel stack pointer bounds + +From: Nicholas Piggin + +[ Upstream commit 32c5209214bd8d4f8c4e9d9b630ef4c671f58e79 ] + +The interrupt frame detection and loads from the hypothetical pt_regs +are not bounds-checked. The next-frame validation only bounds-checks +STACK_FRAME_OVERHEAD, which does not include the pt_regs. Add another +test for this. + +The user could set r1 to be equal to the address matching the first +interrupt frame - STACK_INT_FRAME_SIZE, which is in the previous page +due to the kernel redzone, and induce the kernel to load the marker from +there. Possibly this could cause a crash at least. If the user could +induce the previous page to contain a valid marker, then it might be +able to direct perf to read specific memory addresses in a way that +could be transmitted back to the user in the perf data. + +Fixes: 20002ded4d93 ("perf_counter: powerpc: Add callchain support") +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20221127124942.1665522-4-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/callchain.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/perf/callchain.c b/arch/powerpc/perf/callchain.c +index c84bbd4298a0..4c9aaedd2b1b 100644 +--- a/arch/powerpc/perf/callchain.c ++++ b/arch/powerpc/perf/callchain.c +@@ -64,6 +64,7 @@ perf_callchain_kernel(struct perf_callchain_entry_ctx *entry, struct pt_regs *re + next_sp = fp[0]; + + if (next_sp == sp + STACK_INT_FRAME_SIZE && ++ validate_sp(sp, current, STACK_INT_FRAME_SIZE) && + fp[STACK_FRAME_MARKER] == STACK_FRAME_REGS_MARKER) { + /* + * This looks like an interrupt frame for an +-- +2.35.1 + 
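Review bot: the new validate_sp(sp, current, STACK_INT_FRAME_SIZE) test in perf_callchain_kernel() has no comment, and its purpose is not obvious next to the existing frame validation. The commit message explains that the earlier check only covers STACK_FRAME_OVERHEAD and not the pt_regs area; a one-line comment to that effect above the condition would stop a later cleanup from treating the second check as redundant. The placement itself is right: because of short-circuit evaluation it runs before the fp[STACK_FRAME_MARKER] load that it is meant to guard.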
diff --git a/queue-5.4/powerpc-pseries-eeh-use-correct-api-for-error-log-si.patch b/queue-5.4/powerpc-pseries-eeh-use-correct-api-for-error-log-si.patch new file mode 100644 index 00000000000..49946e81d85 --- /dev/null +++ b/queue-5.4/powerpc-pseries-eeh-use-correct-api-for-error-log-si.patch 
@@ -0,0 +1,49 @@ +From f31586566c1f971dc3fd14a3713f5681566430b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 09:07:43 -0600 +Subject: powerpc/pseries/eeh: use correct API for error log size + +From: Nathan Lynch + +[ Upstream commit 9aafbfa5f57a4b75bafd3bed0191e8429c5fa618 ] + +rtas-error-log-max is not the name of an RTAS function, so rtas_token() +is not the appropriate API for retrieving its value. We already have +rtas_get_error_log_max() which returns a sensible value if the property +is absent for any reason, so use that instead. + +Fixes: 8d633291b4fc ("powerpc/eeh: pseries platform EEH error log retrieval") +Signed-off-by: Nathan Lynch +[mpe: Drop no-longer possible error handling as noticed by ajd] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20221118150751.469393-6-nathanl@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/eeh_pseries.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/eeh_pseries.c b/arch/powerpc/platforms/pseries/eeh_pseries.c +index 7e36c617282f..33c1dd7ee432 100644 +--- a/arch/powerpc/platforms/pseries/eeh_pseries.c ++++ b/arch/powerpc/platforms/pseries/eeh_pseries.c +@@ -868,16 +868,7 @@ static int __init eeh_pseries_init(void) + } + + /* Initialize error log size */ +- eeh_error_buf_size = rtas_token("rtas-error-log-max"); +- if (eeh_error_buf_size == RTAS_UNKNOWN_SERVICE) { +- pr_info("%s: unknown EEH error log size\n", +- __func__); +- eeh_error_buf_size = 1024; +- } else if (eeh_error_buf_size > RTAS_ERROR_LOG_MAX) { +- pr_info("%s: EEH error log size %d exceeds the maximal %d\n", +- __func__, eeh_error_buf_size, RTAS_ERROR_LOG_MAX); +- eeh_error_buf_size = RTAS_ERROR_LOG_MAX; +- } ++ eeh_error_buf_size = rtas_get_error_log_max(); + + /* Set EEH probe mode */ + eeh_add_flag(EEH_PROBE_MODE_DEVTREE | EEH_ENABLE_IO_FOR_LOG); +-- +2.35.1 + 
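Review bot: the removed block in eeh_pseries_init() did two things, a default for the missing property and a clamp of eeh_error_buf_size to RTAS_ERROR_LOG_MAX, and the replacement line relies on rtas_get_error_log_max() for both. The commit message only states that the helper returns a sensible value when the property is absent; it says nothing about the upper bound, and the buffer this size is used with is declared as slot_errbuf[RTAS_ERROR_LOG_MAX]. Please state in the commit message, or in a short comment at the assignment, that the helper never returns more than RTAS_ERROR_LOG_MAX, so the dropped clamp is visibly accounted for.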
diff --git a/queue-5.4/powerpc-pseries-pcie-phb-reset.patch b/queue-5.4/powerpc-pseries-pcie-phb-reset.patch new file mode 100644 index 00000000000..e531c4678bc --- /dev/null +++ b/queue-5.4/powerpc-pseries-pcie-phb-reset.patch 
@@ -0,0 +1,326 @@ +From aa9036f1f3c1396968eeb5776efe0740e69dd61a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jul 2020 09:39:33 -0500 +Subject: powerpc/pseries: PCIE PHB reset + +From: Wen Xiong + +[ Upstream commit 5a090f7c363fdc09b99222eae679506a58e7cc68 ] + +Several device drivers hit EEH(Extended Error handling) when +triggering kdump on Pseries PowerVM. This patch implemented a reset of +the PHBs in pci general code when triggering kdump. PHB reset stop all +PCI transactions from normal kernel. We have tested the patch in +several enviroments: + - direct slot adapters + - adapters under the switch + - a VF adapter in PowerVM + - a VF adapter/adapter in KVM guest. + +Signed-off-by: Wen Xiong +[mpe: Fix broken whitespace, subject & SOB formatting] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1594651173-32166-1-git-send-email-wenxiong@linux.vnet.ibm.com +Stable-dep-of: 9aafbfa5f57a ("powerpc/pseries/eeh: use correct API for error log size") +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/eeh_pseries.c | 232 ++++++++++++++----- + 1 file changed, 169 insertions(+), 63 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/eeh_pseries.c b/arch/powerpc/platforms/pseries/eeh_pseries.c +index 04c1ed79bc6e..bb34ce56312a 100644 +--- a/arch/powerpc/platforms/pseries/eeh_pseries.c ++++ b/arch/powerpc/platforms/pseries/eeh_pseries.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -81,6 +82,152 @@ void pseries_pcibios_bus_add_device(struct pci_dev *pdev) + eeh_sysfs_add_device(pdev); + } + ++ ++/** ++ * pseries_eeh_get_config_addr - Retrieve config address ++ * ++ * Retrieve the assocated config address. Actually, there're 2 RTAS ++ * function calls dedicated for the purpose. We need implement ++ * it through the new function and then the old one. Besides, ++ * you should make sure the config address is figured out from ++ * FDT node before calling the function. 
++ * ++ * It's notable that zero'ed return value means invalid PE config ++ * address. ++ */ ++static int pseries_eeh_get_config_addr(struct pci_controller *phb, int config_addr) ++{ ++ int ret = 0; ++ int rets[3]; ++ ++ if (ibm_get_config_addr_info2 != RTAS_UNKNOWN_SERVICE) { ++ /* ++ * First of all, we need to make sure there has one PE ++ * associated with the device. Otherwise, PE address is ++ * meaningless. ++ */ ++ ret = rtas_call(ibm_get_config_addr_info2, 4, 2, rets, ++ config_addr, BUID_HI(phb->buid), ++ BUID_LO(phb->buid), 1); ++ if (ret || (rets[0] == 0)) ++ return 0; ++ ++ /* Retrieve the associated PE config address */ ++ ret = rtas_call(ibm_get_config_addr_info2, 4, 2, rets, ++ config_addr, BUID_HI(phb->buid), ++ BUID_LO(phb->buid), 0); ++ if (ret) { ++ pr_warn("%s: Failed to get address for PHB#%x-PE#%x\n", ++ __func__, phb->global_number, config_addr); ++ return 0; ++ } ++ ++ return rets[0]; ++ } ++ ++ if (ibm_get_config_addr_info != RTAS_UNKNOWN_SERVICE) { ++ ret = rtas_call(ibm_get_config_addr_info, 4, 2, rets, ++ config_addr, BUID_HI(phb->buid), ++ BUID_LO(phb->buid), 0); ++ if (ret) { ++ pr_warn("%s: Failed to get address for PHB#%x-PE#%x\n", ++ __func__, phb->global_number, config_addr); ++ return 0; ++ } ++ ++ return rets[0]; ++ } ++ ++ return ret; ++} ++ ++/** ++ * pseries_eeh_phb_reset - Reset the specified PHB ++ * @phb: PCI controller ++ * @config_adddr: the associated config address ++ * @option: reset option ++ * ++ * Reset the specified PHB/PE ++ */ ++static int pseries_eeh_phb_reset(struct pci_controller *phb, int config_addr, int option) ++{ ++ int ret; ++ ++ /* Reset PE through RTAS call */ ++ ret = rtas_call(ibm_set_slot_reset, 4, 1, NULL, ++ config_addr, BUID_HI(phb->buid), ++ BUID_LO(phb->buid), option); ++ ++ /* If fundamental-reset not supported, try hot-reset */ ++ if (option == EEH_RESET_FUNDAMENTAL && ++ ret == -8) { ++ option = EEH_RESET_HOT; ++ ret = rtas_call(ibm_set_slot_reset, 4, 1, NULL, ++ config_addr, 
BUID_HI(phb->buid), ++ BUID_LO(phb->buid), option); ++ } ++ ++ /* We need reset hold or settlement delay */ ++ if (option == EEH_RESET_FUNDAMENTAL || ++ option == EEH_RESET_HOT) ++ msleep(EEH_PE_RST_HOLD_TIME); ++ else ++ msleep(EEH_PE_RST_SETTLE_TIME); ++ ++ return ret; ++} ++ ++/** ++ * pseries_eeh_phb_configure_bridge - Configure PCI bridges in the indicated PE ++ * @phb: PCI controller ++ * @config_adddr: the associated config address ++ * ++ * The function will be called to reconfigure the bridges included ++ * in the specified PE so that the mulfunctional PE would be recovered ++ * again. ++ */ ++static int pseries_eeh_phb_configure_bridge(struct pci_controller *phb, int config_addr) ++{ ++ int ret; ++ /* Waiting 0.2s maximum before skipping configuration */ ++ int max_wait = 200; ++ ++ while (max_wait > 0) { ++ ret = rtas_call(ibm_configure_pe, 3, 1, NULL, ++ config_addr, BUID_HI(phb->buid), ++ BUID_LO(phb->buid)); ++ ++ if (!ret) ++ return ret; ++ if (ret < 0) ++ break; ++ ++ /* ++ * If RTAS returns a delay value that's above 100ms, cut it ++ * down to 100ms in case firmware made a mistake. For more ++ * on how these delay values work see rtas_busy_delay_time ++ */ ++ if (ret > RTAS_EXTENDED_DELAY_MIN+2 && ++ ret <= RTAS_EXTENDED_DELAY_MAX) ++ ret = RTAS_EXTENDED_DELAY_MIN+2; ++ ++ max_wait -= rtas_busy_delay_time(ret); ++ ++ if (max_wait < 0) ++ break; ++ ++ rtas_busy_delay(ret); ++ } ++ ++ pr_warn("%s: Unable to configure bridge PHB#%x-PE#%x (%d)\n", ++ __func__, phb->global_number, config_addr, ret); ++ /* PAPR defines -3 as "Parameter Error" for this function: */ ++ if (ret == -3) ++ return -EINVAL; ++ else ++ return -EIO; ++} ++ + /* + * Buffer for reporting slot-error-detail rtas calls. 
Its here + * in BSS, and not dynamically alloced, so that it ends up in +@@ -97,6 +244,10 @@ static int eeh_error_buf_size; + */ + static int pseries_eeh_init(void) + { ++ struct pci_controller *phb; ++ struct pci_dn *pdn; ++ int addr, config_addr; ++ + /* figure out EEH RTAS function call tokens */ + ibm_set_eeh_option = rtas_token("ibm,set-eeh-option"); + ibm_set_slot_reset = rtas_token("ibm,set-slot-reset"); +@@ -149,6 +300,22 @@ static int pseries_eeh_init(void) + /* Set EEH machine dependent code */ + ppc_md.pcibios_bus_add_device = pseries_pcibios_bus_add_device; + ++ if (is_kdump_kernel() || reset_devices) { ++ pr_info("Issue PHB reset ...\n"); ++ list_for_each_entry(phb, &hose_list, list_node) { ++ pdn = list_first_entry(&PCI_DN(phb->dn)->child_list, struct pci_dn, list); ++ addr = (pdn->busno << 16) | (pdn->devfn << 8); ++ config_addr = pseries_eeh_get_config_addr(phb, addr); ++ /* invalid PE config addr */ ++ if (config_addr == 0) ++ continue; ++ ++ pseries_eeh_phb_reset(phb, config_addr, EEH_RESET_FUNDAMENTAL); ++ pseries_eeh_phb_reset(phb, config_addr, EEH_RESET_DEACTIVATE); ++ pseries_eeh_phb_configure_bridge(phb, config_addr); ++ } ++ } ++ + return 0; + } + +@@ -512,35 +679,13 @@ static int pseries_eeh_get_state(struct eeh_pe *pe, int *delay) + static int pseries_eeh_reset(struct eeh_pe *pe, int option) + { + int config_addr; +- int ret; + + /* Figure out PE address */ + config_addr = pe->config_addr; + if (pe->addr) + config_addr = pe->addr; + +- /* Reset PE through RTAS call */ +- ret = rtas_call(ibm_set_slot_reset, 4, 1, NULL, +- config_addr, BUID_HI(pe->phb->buid), +- BUID_LO(pe->phb->buid), option); +- +- /* If fundamental-reset not supported, try hot-reset */ +- if (option == EEH_RESET_FUNDAMENTAL && +- ret == -8) { +- option = EEH_RESET_HOT; +- ret = rtas_call(ibm_set_slot_reset, 4, 1, NULL, +- config_addr, BUID_HI(pe->phb->buid), +- BUID_LO(pe->phb->buid), option); +- } +- +- /* We need reset hold or settlement delay */ +- if (option == 
EEH_RESET_FUNDAMENTAL || +- option == EEH_RESET_HOT) +- msleep(EEH_PE_RST_HOLD_TIME); +- else +- msleep(EEH_PE_RST_SETTLE_TIME); +- +- return ret; ++ return pseries_eeh_phb_reset(pe->phb, config_addr, option); + } + + /** +@@ -584,56 +729,17 @@ static int pseries_eeh_get_log(struct eeh_pe *pe, int severity, char *drv_log, u + * pseries_eeh_configure_bridge - Configure PCI bridges in the indicated PE + * @pe: EEH PE + * +- * The function will be called to reconfigure the bridges included +- * in the specified PE so that the mulfunctional PE would be recovered +- * again. + */ + static int pseries_eeh_configure_bridge(struct eeh_pe *pe) + { + int config_addr; +- int ret; +- /* Waiting 0.2s maximum before skipping configuration */ +- int max_wait = 200; + + /* Figure out the PE address */ + config_addr = pe->config_addr; + if (pe->addr) + config_addr = pe->addr; + +- while (max_wait > 0) { +- ret = rtas_call(ibm_configure_pe, 3, 1, NULL, +- config_addr, BUID_HI(pe->phb->buid), +- BUID_LO(pe->phb->buid)); +- +- if (!ret) +- return ret; +- if (ret < 0) +- break; +- +- /* +- * If RTAS returns a delay value that's above 100ms, cut it +- * down to 100ms in case firmware made a mistake. For more +- * on how these delay values work see rtas_busy_delay_time +- */ +- if (ret > RTAS_EXTENDED_DELAY_MIN+2 && +- ret <= RTAS_EXTENDED_DELAY_MAX) +- ret = RTAS_EXTENDED_DELAY_MIN+2; +- +- max_wait -= rtas_busy_delay_time(ret); +- +- if (max_wait < 0) +- break; +- +- rtas_busy_delay(ret); +- } +- +- pr_warn("%s: Unable to configure bridge PHB#%x-PE#%x (%d)\n", +- __func__, pe->phb->global_number, pe->addr, ret); +- /* PAPR defines -3 as "Parameter Error" for this function: */ +- if (ret == -3) +- return -EINVAL; +- else +- return -EIO; ++ return pseries_eeh_phb_configure_bridge(pe->phb, config_addr); + } + + /** +-- +2.35.1 + 
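Review bot: in the kdump loop added to pseries_eeh_init(), list_first_entry() is applied to PCI_DN(phb->dn)->child_list without checking that the list is non-empty, so for a PHB with no child pci_dn the result is a pointer derived from the list head itself and busno/devfn are read from it. Use list_first_entry_or_null() and continue when it returns NULL. The return values of both pseries_eeh_phb_reset() calls and of pseries_eeh_phb_configure_bridge() are also discarded in that loop; logging a failure there would make a PHB that did not reset visible in the kdump kernel's log. Minor: the kerneldoc for the two new helpers documents @config_adddr while the parameter is config_addr.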
diff --git a/queue-5.4/powerpc-pseries-stop-using-eeh_ops-init.patch b/queue-5.4/powerpc-pseries-stop-using-eeh_ops-init.patch new file mode 100644 index 00000000000..b8001955c1e --- /dev/null +++ b/queue-5.4/powerpc-pseries-stop-using-eeh_ops-init.patch 
@@ -0,0 +1,205 @@ +From 9d075ba78a32fa2907c5e9875ac1f3c30f72b4e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 19:30:44 +1000 +Subject: powerpc/pseries: Stop using eeh_ops->init() + +From: Oliver O'Halloran + +[ Upstream commit 1f8fa0cd6a848ff072bffe0ee776554387128f60 ] + +Fold pseries_eeh_init() into eeh_pseries_init() rather than having +eeh_init() call it via eeh_ops->init(). It's simpler and it'll let us +delete eeh_ops.init. + +Signed-off-by: Oliver O'Halloran +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200918093050.37344-3-oohall@gmail.com +Stable-dep-of: 9aafbfa5f57a ("powerpc/pseries/eeh: use correct API for error log size") +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/eeh_pseries.c | 155 +++++++++---------- + 1 file changed, 71 insertions(+), 84 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/eeh_pseries.c b/arch/powerpc/platforms/pseries/eeh_pseries.c +index bb34ce56312a..4232ba62b1c3 100644 +--- a/arch/powerpc/platforms/pseries/eeh_pseries.c ++++ b/arch/powerpc/platforms/pseries/eeh_pseries.c +@@ -237,88 +237,6 @@ static unsigned char slot_errbuf[RTAS_ERROR_LOG_MAX]; + static DEFINE_SPINLOCK(slot_errbuf_lock); + static int eeh_error_buf_size; + +-/** +- * pseries_eeh_init - EEH platform dependent initialization +- * +- * EEH platform dependent initialization on pseries. 
+- */ +-static int pseries_eeh_init(void) +-{ +- struct pci_controller *phb; +- struct pci_dn *pdn; +- int addr, config_addr; +- +- /* figure out EEH RTAS function call tokens */ +- ibm_set_eeh_option = rtas_token("ibm,set-eeh-option"); +- ibm_set_slot_reset = rtas_token("ibm,set-slot-reset"); +- ibm_read_slot_reset_state2 = rtas_token("ibm,read-slot-reset-state2"); +- ibm_read_slot_reset_state = rtas_token("ibm,read-slot-reset-state"); +- ibm_slot_error_detail = rtas_token("ibm,slot-error-detail"); +- ibm_get_config_addr_info2 = rtas_token("ibm,get-config-addr-info2"); +- ibm_get_config_addr_info = rtas_token("ibm,get-config-addr-info"); +- ibm_configure_pe = rtas_token("ibm,configure-pe"); +- +- /* +- * ibm,configure-pe and ibm,configure-bridge have the same semantics, +- * however ibm,configure-pe can be faster. If we can't find +- * ibm,configure-pe then fall back to using ibm,configure-bridge. +- */ +- if (ibm_configure_pe == RTAS_UNKNOWN_SERVICE) +- ibm_configure_pe = rtas_token("ibm,configure-bridge"); +- +- /* +- * Necessary sanity check. We needn't check "get-config-addr-info" +- * and its variant since the old firmware probably support address +- * of domain/bus/slot/function for EEH RTAS operations. 
+- */ +- if (ibm_set_eeh_option == RTAS_UNKNOWN_SERVICE || +- ibm_set_slot_reset == RTAS_UNKNOWN_SERVICE || +- (ibm_read_slot_reset_state2 == RTAS_UNKNOWN_SERVICE && +- ibm_read_slot_reset_state == RTAS_UNKNOWN_SERVICE) || +- ibm_slot_error_detail == RTAS_UNKNOWN_SERVICE || +- ibm_configure_pe == RTAS_UNKNOWN_SERVICE) { +- pr_info("EEH functionality not supported\n"); +- return -EINVAL; +- } +- +- /* Initialize error log lock and size */ +- spin_lock_init(&slot_errbuf_lock); +- eeh_error_buf_size = rtas_token("rtas-error-log-max"); +- if (eeh_error_buf_size == RTAS_UNKNOWN_SERVICE) { +- pr_info("%s: unknown EEH error log size\n", +- __func__); +- eeh_error_buf_size = 1024; +- } else if (eeh_error_buf_size > RTAS_ERROR_LOG_MAX) { +- pr_info("%s: EEH error log size %d exceeds the maximal %d\n", +- __func__, eeh_error_buf_size, RTAS_ERROR_LOG_MAX); +- eeh_error_buf_size = RTAS_ERROR_LOG_MAX; +- } +- +- /* Set EEH probe mode */ +- eeh_add_flag(EEH_PROBE_MODE_DEVTREE | EEH_ENABLE_IO_FOR_LOG); +- +- /* Set EEH machine dependent code */ +- ppc_md.pcibios_bus_add_device = pseries_pcibios_bus_add_device; +- +- if (is_kdump_kernel() || reset_devices) { +- pr_info("Issue PHB reset ...\n"); +- list_for_each_entry(phb, &hose_list, list_node) { +- pdn = list_first_entry(&PCI_DN(phb->dn)->child_list, struct pci_dn, list); +- addr = (pdn->busno << 16) | (pdn->devfn << 8); +- config_addr = pseries_eeh_get_config_addr(phb, addr); +- /* invalid PE config addr */ +- if (config_addr == 0) +- continue; +- +- pseries_eeh_phb_reset(phb, config_addr, EEH_RESET_FUNDAMENTAL); +- pseries_eeh_phb_reset(phb, config_addr, EEH_RESET_DEACTIVATE); +- pseries_eeh_phb_configure_bridge(phb, config_addr); +- } +- } +- +- return 0; +-} +- + static int pseries_eeh_cap_start(struct pci_dn *pdn) + { + u32 status; +@@ -887,7 +805,6 @@ static int pseries_notify_resume(struct pci_dn *pdn) + + static struct eeh_ops pseries_eeh_ops = { + .name = "pseries", +- .init = pseries_eeh_init, + .probe = 
pseries_eeh_probe, + .set_option = pseries_eeh_set_option, + .get_pe_addr = pseries_eeh_get_pe_addr, +@@ -913,7 +830,77 @@ static struct eeh_ops pseries_eeh_ops = { + */ + static int __init eeh_pseries_init(void) + { +- int ret; ++ struct pci_controller *phb; ++ struct pci_dn *pdn; ++ int ret, addr, config_addr; ++ ++ /* figure out EEH RTAS function call tokens */ ++ ibm_set_eeh_option = rtas_token("ibm,set-eeh-option"); ++ ibm_set_slot_reset = rtas_token("ibm,set-slot-reset"); ++ ibm_read_slot_reset_state2 = rtas_token("ibm,read-slot-reset-state2"); ++ ibm_read_slot_reset_state = rtas_token("ibm,read-slot-reset-state"); ++ ibm_slot_error_detail = rtas_token("ibm,slot-error-detail"); ++ ibm_get_config_addr_info2 = rtas_token("ibm,get-config-addr-info2"); ++ ibm_get_config_addr_info = rtas_token("ibm,get-config-addr-info"); ++ ibm_configure_pe = rtas_token("ibm,configure-pe"); ++ ++ /* ++ * ibm,configure-pe and ibm,configure-bridge have the same semantics, ++ * however ibm,configure-pe can be faster. If we can't find ++ * ibm,configure-pe then fall back to using ibm,configure-bridge. ++ */ ++ if (ibm_configure_pe == RTAS_UNKNOWN_SERVICE) ++ ibm_configure_pe = rtas_token("ibm,configure-bridge"); ++ ++ /* ++ * Necessary sanity check. We needn't check "get-config-addr-info" ++ * and its variant since the old firmware probably support address ++ * of domain/bus/slot/function for EEH RTAS operations. 
++ */ ++ if (ibm_set_eeh_option == RTAS_UNKNOWN_SERVICE || ++ ibm_set_slot_reset == RTAS_UNKNOWN_SERVICE || ++ (ibm_read_slot_reset_state2 == RTAS_UNKNOWN_SERVICE && ++ ibm_read_slot_reset_state == RTAS_UNKNOWN_SERVICE) || ++ ibm_slot_error_detail == RTAS_UNKNOWN_SERVICE || ++ ibm_configure_pe == RTAS_UNKNOWN_SERVICE) { ++ pr_info("EEH functionality not supported\n"); ++ return -EINVAL; ++ } ++ ++ /* Initialize error log lock and size */ ++ spin_lock_init(&slot_errbuf_lock); ++ eeh_error_buf_size = rtas_token("rtas-error-log-max"); ++ if (eeh_error_buf_size == RTAS_UNKNOWN_SERVICE) { ++ pr_info("%s: unknown EEH error log size\n", ++ __func__); ++ eeh_error_buf_size = 1024; ++ } else if (eeh_error_buf_size > RTAS_ERROR_LOG_MAX) { ++ pr_info("%s: EEH error log size %d exceeds the maximal %d\n", ++ __func__, eeh_error_buf_size, RTAS_ERROR_LOG_MAX); ++ eeh_error_buf_size = RTAS_ERROR_LOG_MAX; ++ } ++ ++ /* Set EEH probe mode */ ++ eeh_add_flag(EEH_PROBE_MODE_DEVTREE | EEH_ENABLE_IO_FOR_LOG); ++ ++ /* Set EEH machine dependent code */ ++ ppc_md.pcibios_bus_add_device = pseries_pcibios_bus_add_device; ++ ++ if (is_kdump_kernel() || reset_devices) { ++ pr_info("Issue PHB reset ...\n"); ++ list_for_each_entry(phb, &hose_list, list_node) { ++ pdn = list_first_entry(&PCI_DN(phb->dn)->child_list, struct pci_dn, list); ++ addr = (pdn->busno << 16) | (pdn->devfn << 8); ++ config_addr = pseries_eeh_get_config_addr(phb, addr); ++ /* invalid PE config addr */ ++ if (config_addr == 0) ++ continue; ++ ++ pseries_eeh_phb_reset(phb, config_addr, EEH_RESET_FUNDAMENTAL); ++ pseries_eeh_phb_reset(phb, config_addr, EEH_RESET_DEACTIVATE); ++ pseries_eeh_phb_configure_bridge(phb, config_addr); ++ } ++ } + + ret = eeh_ops_register(&pseries_eeh_ops); + if (!ret) +-- +2.35.1 + diff --git a/queue-5.4/powerpc-xive-add-missing-iounmap-in-error-path-in-xi.patch b/queue-5.4/powerpc-xive-add-missing-iounmap-in-error-path-in-xi.patch new file mode 100644 index 00000000000..fedc88716f8 --- /dev/null 
+++ b/queue-5.4/powerpc-xive-add-missing-iounmap-in-error-path-in-xi.patch @@ -0,0 +1,41 @@ +From b8f35f68dd94b4fdc0b4b16d7f03e34ee2c21488 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Oct 2022 11:23:33 +0800 +Subject: powerpc/xive: add missing iounmap() in error path in + xive_spapr_populate_irq_data() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yang Yingliang + +[ Upstream commit 8b49670f3bb3f10cd4d5a6dca17f5a31b173ecdc ] + +If remapping 'data->trig_page' fails, the 'data->eoi_mmio' need be unmapped +before returning from xive_spapr_populate_irq_data(). + +Fixes: eac1e731b59e ("powerpc/xive: guest exploitation of the XIVE interrupt controller") +Signed-off-by: Yang Yingliang +Reviewed-by: Cédric Le Goater +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20221017032333.1852406-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/xive/spapr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/sysdev/xive/spapr.c b/arch/powerpc/sysdev/xive/spapr.c +index b21d71badaec..e6788bc06584 100644 +--- a/arch/powerpc/sysdev/xive/spapr.c ++++ b/arch/powerpc/sysdev/xive/spapr.c +@@ -422,6 +422,7 @@ static int xive_spapr_populate_irq_data(u32 hw_irq, struct xive_irq_data *data) + + data->trig_mmio = ioremap(data->trig_page, 1u << data->esb_shift); + if (!data->trig_mmio) { ++ iounmap(data->eoi_mmio); + pr_err("Failed to map trigger page for irq 0x%x\n", hw_irq); + return -ENOMEM; + } +-- +2.35.1 + diff --git a/queue-5.4/ppp-associate-skb-with-a-device-at-tx.patch b/queue-5.4/ppp-associate-skb-with-a-device-at-tx.patch new file mode 100644 index 00000000000..acd0ba70af7 --- /dev/null +++ b/queue-5.4/ppp-associate-skb-with-a-device-at-tx.patch 
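Review bot: in the xive_spapr_populate_irq_data() hunk, data->eoi_mmio is unmapped on the trig_mmio failure path but keeps its old value, so the caller gets back a struct xive_irq_data holding a stale mapping pointer together with -ENOMEM. If any cleanup path that runs after a failed populate also unmaps eoi_mmio when it is non-NULL, this becomes a double iounmap(). Setting data->eoi_mmio = NULL right after the new iounmap() call closes that off at no cost.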
@@ -0,0 +1,62 @@ +From 86464bbdaccbbea36509750d438b77d514ed4c68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 10:29:13 -0800 +Subject: ppp: associate skb with a device at tx + +From: Stanislav Fomichev + +[ Upstream commit 9f225444467b98579cf28d94f4ad053460dfdb84 ] + +Syzkaller triggered flow dissector warning with the following: + +r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0xc0802, 0x0) +ioctl$PPPIOCNEWUNIT(r0, 0xc004743e, &(0x7f00000000c0)) +ioctl$PPPIOCSACTIVE(r0, 0x40107446, &(0x7f0000000240)={0x2, &(0x7f0000000180)=[{0x20, 0x0, 0x0, 0xfffff034}, {0x6}]}) +pwritev(r0, &(0x7f0000000040)=[{&(0x7f0000000140)='\x00!', 0x2}], 0x1, 0x0, 0x0) + +[ 9.485814] WARNING: CPU: 3 PID: 329 at net/core/flow_dissector.c:1016 __skb_flow_dissect+0x1ee0/0x1fa0 +[ 9.485929] skb_get_poff+0x53/0xa0 +[ 9.485937] bpf_skb_get_pay_offset+0xe/0x20 +[ 9.485944] ? ppp_send_frame+0xc2/0x5b0 +[ 9.485949] ? _raw_spin_unlock_irqrestore+0x40/0x60 +[ 9.485958] ? __ppp_xmit_process+0x7a/0xe0 +[ 9.485968] ? ppp_xmit_process+0x5b/0xb0 +[ 9.485974] ? ppp_write+0x12a/0x190 +[ 9.485981] ? do_iter_write+0x18e/0x2d0 +[ 9.485987] ? __import_iovec+0x30/0x130 +[ 9.485997] ? do_pwritev+0x1b6/0x240 +[ 9.486016] ? trace_hardirqs_on+0x47/0x50 +[ 9.486023] ? __x64_sys_pwritev+0x24/0x30 +[ 9.486026] ? do_syscall_64+0x3d/0x80 +[ 9.486031] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Flow dissector tries to find skb net namespace either via device +or via socket. Neigher is set in ppp_send_frame, so let's manually +use ppp->dev. + +Cc: Paul Mackerras +Cc: linux-ppp@vger.kernel.org +Reported-by: syzbot+41cab52ab62ee99ed24a@syzkaller.appspotmail.com +Signed-off-by: Stanislav Fomichev +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_generic.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index a085213dc2ea..078c0f474f96 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -1522,6 +1522,8 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb) + int len; + unsigned char *cp; + ++ skb->dev = ppp->dev; ++ + if (proto < 0x8000) { + #ifdef CONFIG_PPP_FILTER + /* check if we should pass this packet */ +-- +2.35.1 + diff --git a/queue-5.4/proc-fixup-uptime-selftest.patch b/queue-5.4/proc-fixup-uptime-selftest.patch new file mode 100644 index 00000000000..e3413b75aed --- /dev/null +++ b/queue-5.4/proc-fixup-uptime-selftest.patch 
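Review bot: the new skb->dev = ppp->dev; assignment at the top of ppp_send_frame() has no comment, and nothing in the function shows why a transmit path needs to set it. The reason given in the commit message (the flow dissector looks up the net namespace through skb->dev or the socket, and neither is set when the BPF filter under CONFIG_PPP_FILTER runs) belongs in a short comment above the line, otherwise it looks like a stray assignment that can be removed.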
@@ -0,0 +1,48 @@ +From b853487123289dcd44efb561f6301b21a5f0ae81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Oct 2022 21:08:09 +0300 +Subject: proc: fixup uptime selftest + +From: Alexey Dobriyan + +[ Upstream commit 5cc81d5c81af0dee54da9a67a3ebe4be076a13db ] + +syscall(3) returns -1 and sets errno on error, unlike "syscall" +instruction. + +Systems which have <= 32/64 CPUs are unaffected. Test won't bounce +to all CPUs before completing if there are more of them. + +Link: https://lkml.kernel.org/r/Y1bUiT7VRXlXPQa1@p183 +Fixes: 1f5bd0547654 ("proc: selftests: test /proc/uptime") +Signed-off-by: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/proc/proc-uptime-002.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/proc/proc-uptime-002.c b/tools/testing/selftests/proc/proc-uptime-002.c +index e7ceabed7f51..7d0aa22bdc12 100644 +--- a/tools/testing/selftests/proc/proc-uptime-002.c ++++ b/tools/testing/selftests/proc/proc-uptime-002.c +@@ -17,6 +17,7 @@ + // while shifting across CPUs. + #undef NDEBUG + #include ++#include + #include + #include + #include +@@ -54,7 +55,7 @@ int main(void) + len += sizeof(unsigned long); + free(m); + m = malloc(len); +- } while (sys_sched_getaffinity(0, len, m) == -EINVAL); ++ } while (sys_sched_getaffinity(0, len, m) == -1 && errno == EINVAL); + + fd = open("/proc/uptime", O_RDONLY); + assert(fd >= 0); +-- +2.35.1 + diff --git a/queue-5.4/pstore-avoid-kcore-oops-by-vmap-ing-with-vm_ioremap.patch b/queue-5.4/pstore-avoid-kcore-oops-by-vmap-ing-with-vm_ioremap.patch new file mode 100644 index 00000000000..417dcb475bc --- /dev/null +++ b/queue-5.4/pstore-avoid-kcore-oops-by-vmap-ing-with-vm_ioremap.patch 
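Review bot: with the corrected condition in proc-uptime-002.c, the do/while loop in main() now ends both on success and on any failure whose errno is not EINVAL, and the code then goes straight to open("/proc/uptime") and uses the mask in m. Keep the return value in a variable and assert that it is not -1 after the loop, so an unexpected error fails the test instead of running it on an unfilled mask. The malloc(len) result inside the loop is not checked either.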
@@ -0,0 +1,103 @@ +From 49febbb23103955ad9fd0b489536ebd7ea4b3f78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 15:31:36 -0800 +Subject: pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP + +From: Stephen Boyd + +[ Upstream commit e6b842741b4f39007215fd7e545cb55aa3d358a2 ] + +An oops can be induced by running 'cat /proc/kcore > /dev/null' on +devices using pstore with the ram backend because kmap_atomic() assumes +lowmem pages are accessible with __va(). + + Unable to handle kernel paging request at virtual address ffffff807ff2b000 + Mem abort info: + ESR = 0x96000006 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x06: level 2 translation fault + Data abort info: + ISV = 0, ISS = 0x00000006 + CM = 0, WnR = 0 + swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000081d87000 + [ffffff807ff2b000] pgd=180000017fe18003, p4d=180000017fe18003, pud=180000017fe18003, pmd=0000000000000000 + Internal error: Oops: 96000006 [#1] PREEMPT SMP + Modules linked in: dm_integrity + CPU: 7 PID: 21179 Comm: perf Not tainted 5.15.67-10882-ge4eb2eb988cd #1 baa443fb8e8477896a370b31a821eb2009f9bfba + Hardware name: Google Lazor (rev3 - 8) (DT) + pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : __memcpy+0x110/0x260 + lr : vread+0x194/0x294 + sp : ffffffc013ee39d0 + x29: ffffffc013ee39f0 x28: 0000000000001000 x27: ffffff807ff2b000 + x26: 0000000000001000 x25: ffffffc0085a2000 x24: ffffff802d4b3000 + x23: ffffff80f8a60000 x22: ffffff802d4b3000 x21: ffffffc0085a2000 + x20: ffffff8080b7bc68 x19: 0000000000001000 x18: 0000000000000000 + x17: 0000000000000000 x16: 0000000000000000 x15: ffffffd3073f2e60 + x14: ffffffffad588000 x13: 0000000000000000 x12: 0000000000000001 + x11: 00000000000001a2 x10: 00680000fff2bf0b x9 : 03fffffff807ff2b + x8 : 0000000000000001 x7 : 0000000000000000 x6 : 0000000000000000 + x5 : ffffff802d4b4000 x4 : ffffff807ff2c000 x3 : ffffffc013ee3a78 + x2 : 0000000000001000 x1 : 
ffffff807ff2b000 x0 : ffffff802d4b3000 + Call trace: + __memcpy+0x110/0x260 + read_kcore+0x584/0x778 + proc_reg_read+0xb4/0xe4 + +During early boot, memblock reserves the pages for the ramoops reserved +memory node in DT that would otherwise be part of the direct lowmem +mapping. Pstore's ram backend reuses those reserved pages to change the +memory type (writeback or non-cached) by passing the pages to vmap() +(see pfn_to_page() usage in persistent_ram_vmap() for more details) with +specific flags. When read_kcore() starts iterating over the vmalloc +region, it runs over the virtual address that vmap() returned for +ramoops. In aligned_vread() the virtual address is passed to +vmalloc_to_page() which returns the page struct for the reserved lowmem +area. That lowmem page is passed to kmap_atomic(), which effectively +calls page_to_virt() that assumes a lowmem page struct must be directly +accessible with __va() and friends. These pages are mapped via vmap() +though, and the lowmem mapping was never made, so accessing them via the +lowmem virtual address oopses like above. + +Let's side-step this problem by passing VM_IOREMAP to vmap(). This will +tell vread() to not include the ramoops region in the kcore. Instead the +area will look like a bunch of zeros. The alternative is to teach kmap() +about vmalloc areas that intersect with lowmem. Presumably such a change +isn't a one-liner, and there isn't much interest in inspecting the +ramoops region in kcore files anyway, so the most expedient route is +taken for now. 
+ +Cc: Brian Geffon +Cc: Mike Rapoport +Cc: Andrew Morton +Fixes: 404a6043385d ("staging: android: persistent_ram: handle reserving and mapping memory") +Signed-off-by: Stephen Boyd +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20221205233136.3420802-1-swboyd@chromium.org +Signed-off-by: Sasha Levin +--- + fs/pstore/ram_core.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c +index 1f4d8c06f9be..286340f312dc 100644 +--- a/fs/pstore/ram_core.c ++++ b/fs/pstore/ram_core.c +@@ -427,7 +427,11 @@ static void *persistent_ram_vmap(phys_addr_t start, size_t size, + phys_addr_t addr = page_start + i * PAGE_SIZE; + pages[i] = pfn_to_page(addr >> PAGE_SHIFT); + } +- vaddr = vmap(pages, page_count, VM_MAP, prot); ++ /* ++ * VM_IOREMAP used here to bypass this region during vread() ++ * and kmap_atomic() (i.e. kcore) to avoid __va() failures. ++ */ ++ vaddr = vmap(pages, page_count, VM_MAP | VM_IOREMAP, prot); + kfree(pages); + + /* +-- +2.35.1 + diff --git a/queue-5.4/pstore-ram-fix-error-return-code-in-ramoops_probe.patch b/queue-5.4/pstore-ram-fix-error-return-code-in-ramoops_probe.patch new file mode 100644 index 00000000000..7d46fb0348e --- /dev/null +++ b/queue-5.4/pstore-ram-fix-error-return-code-in-ramoops_probe.patch 
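Review bot: In the persistent_ram_vmap() hunk of the pstore VM_IOREMAP patch, the added comment says why the flag is set but not that these pages are ordinary reserved RAM rather than I/O memory, nor that the region now reads back as zeros through /proc/kcore, which the commit message does state. Suggest carrying both facts into the comment so a later cleanup does not drop VM_IOREMAP as a mistaken flag, and so anyone inspecting kcore knows the zeros are intentional.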
@@ -0,0 +1,45 @@ +From 0939f495c1a2861e925423fdefcbebd545f769f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 16:22:54 +0800 +Subject: pstore/ram: Fix error return code in ramoops_probe() + +From: Wang Yufen + +[ Upstream commit e1fce564900f8734edf15b87f028c57e14f6e28d ] + +In the if (dev_of_node(dev) && !pdata) path, the "err" may be assigned a +value of 0, so the error return code -EINVAL may be incorrectly set +to 0. To fix set valid return code before calling to goto. + +Fixes: 35da60941e44 ("pstore/ram: add Device Tree bindings") +Signed-off-by: Wang Yufen +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/1669969374-46582-1-git-send-email-wangyufen@huawei.com +Signed-off-by: Sasha Levin +--- + fs/pstore/ram.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c +index 013486b5125e..65cbc8a60ca3 100644 +--- a/fs/pstore/ram.c ++++ b/fs/pstore/ram.c +@@ -759,6 +759,7 @@ static int ramoops_probe(struct platform_device *pdev) + /* Make sure we didn't get bogus platform data pointer. */ + if (!pdata) { + pr_err("NULL platform data\n"); ++ err = -EINVAL; + goto fail_out; + } + +@@ -766,6 +767,7 @@ static int ramoops_probe(struct platform_device *pdev) + !pdata->ftrace_size && !pdata->pmsg_size)) { + pr_err("The memory size and the record/console size must be " + "non-zero\n"); ++ err = -EINVAL; + goto fail_out; + } + +-- +2.35.1 + diff --git a/queue-5.4/pwm-sifive-call-pwm_sifive_update_clock-while-mutex-.patch b/queue-5.4/pwm-sifive-call-pwm_sifive_update_clock-while-mutex-.patch new file mode 100644 index 00000000000..dd41a16d1d9 --- /dev/null +++ b/queue-5.4/pwm-sifive-call-pwm_sifive_update_clock-while-mutex-.patch 
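Review bot: In the two ramoops_probe() hunks, each added `err = -EINVAL;` sits directly before a `goto fail_out`, which fixes these exits but leaves the pattern that caused the bug: `err` carries whatever the previous call stored. The other `goto fail_out` sites in the function are outside the visible context, so check that each of them sets `err` explicitly as well; a probe that returns 0 on such a path reports success to the driver core even though setup was abandoned.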
@@ -0,0 +1,50 @@ +From 53c04d4a466308001e998a1bc60a9c56f349a78b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 19:35:05 +0100 +Subject: pwm: sifive: Call pwm_sifive_update_clock() while mutex is held +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 45558b3abb87eeb2cedb8a59cb2699c120b5102a ] + +As was documented in commit 0f02f491b786 ("pwm: sifive: Reduce time the +controller lock is held") a caller of pwm_sifive_update_clock() must +hold the mutex. So fix pwm_sifive_clock_notifier() to grab the lock. + +While this necessity was only documented later, the race exists since +the driver was introduced. + +Fixes: 9e37a53eb051 ("pwm: sifive: Add a driver for SiFive SoC PWM") +Reported-by: Emil Renner Berthing +Reviewed-by: Emil Renner Berthing +Link: https://lore.kernel.org/r/20221018061656.1428111-1-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-sifive.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/pwm/pwm-sifive.c b/drivers/pwm/pwm-sifive.c +index cc63f9baa481..538297ef8255 100644 +--- a/drivers/pwm/pwm-sifive.c ++++ b/drivers/pwm/pwm-sifive.c +@@ -221,8 +221,11 @@ static int pwm_sifive_clock_notifier(struct notifier_block *nb, + struct pwm_sifive_ddata *ddata = + container_of(nb, struct pwm_sifive_ddata, notifier); + +- if (event == POST_RATE_CHANGE) ++ if (event == POST_RATE_CHANGE) { ++ mutex_lock(&ddata->lock); + pwm_sifive_update_clock(ddata, ndata->new_rate); ++ mutex_unlock(&ddata->lock); ++ } + + return NOTIFY_OK; + } +-- +2.35.1 + diff --git a/queue-5.4/r6040-fix-kmemleak-in-probe-and-remove.patch b/queue-5.4/r6040-fix-kmemleak-in-probe-and-remove.patch new file mode 100644 index 00000000000..5b50d5b70b4 --- /dev/null +++ b/queue-5.4/r6040-fix-kmemleak-in-probe-and-remove.patch 
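Review bot: In the pwm_sifive_clock_notifier() hunk, the locking rule is still enforced only by convention: nothing in pwm_sifive_update_clock() complains if a future caller forgets the mutex, and the commit message notes the requirement was documented only after the driver was written. Suggest adding `lockdep_assert_held(&ddata->lock);` at the top of pwm_sifive_update_clock() so lockdep-enabled builds catch the next unlocked caller.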
@@ -0,0 +1,96 @@ +From 01317ee7bb015141bff6e9f9edffc0bb33e1bec0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Dec 2022 20:56:14 +0800 +Subject: r6040: Fix kmemleak in probe and remove + +From: Li Zetao + +[ Upstream commit 7e43039a49c2da45edc1d9d7c9ede4003ab45a5f ] + +There is a memory leaks reported by kmemleak: + + unreferenced object 0xffff888116111000 (size 2048): + comm "modprobe", pid 817, jiffies 4294759745 (age 76.502s) + hex dump (first 32 bytes): + 00 c4 0a 04 81 88 ff ff 08 10 11 16 81 88 ff ff ................ + 08 10 11 16 81 88 ff ff 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmalloc_trace+0x22/0x60 + [] phy_device_create+0x4e/0x90 + [] get_phy_device+0xd2/0x220 + [] mdiobus_scan+0xa4/0x2e0 + [] __mdiobus_register+0x482/0x8b0 + [] r6040_init_one+0x714/0xd2c [r6040] + ... + +The problem occurs in probe process as follows: + r6040_init_one: + mdiobus_register + mdiobus_scan <- alloc and register phy_device, + the reference count of phy_device is 3 + r6040_mii_probe + phy_connect <- connect to the first phy_device, + so the reference count of the first + phy_device is 4, others are 3 + register_netdev <- fault inject succeeded, goto error handling path + + // error handling path + err_out_mdio_unregister: + mdiobus_unregister(lp->mii_bus); + err_out_mdio: + mdiobus_free(lp->mii_bus); <- the reference count of the first + phy_device is 1, it is not released + and other phy_devices are released + // similarly, the remove process also has the same problem + +The root cause is traced to the phy_device is not disconnected when +removes one r6040 device in r6040_remove_one() or on error handling path +after r6040_mii probed successfully. In r6040_mii_probe(), a net ethernet +device is connected to the first PHY device of mii_bus, in order to +notify the connected driver when the link status changes, which is the +default behavior of the PHY infrastructure to handle everything. 
+Therefore the phy_device should be disconnected when removes one r6040 +device or on error handling path. + +Fix it by adding phy_disconnect() when removes one r6040 device or on +error handling path after r6040_mii probed successfully. + +Fixes: 3831861b4ad8 ("r6040: implement phylib") +Signed-off-by: Li Zetao +Reviewed-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20221213125614.927754-1-lizetao1@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/rdc/r6040.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/rdc/r6040.c b/drivers/net/ethernet/rdc/r6040.c +index f158fdf3aab2..b66689e0e6f2 100644 +--- a/drivers/net/ethernet/rdc/r6040.c ++++ b/drivers/net/ethernet/rdc/r6040.c +@@ -1162,10 +1162,12 @@ static int r6040_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + err = register_netdev(dev); + if (err) { + dev_err(&pdev->dev, "Failed to register net device\n"); +- goto err_out_mdio_unregister; ++ goto err_out_phy_disconnect; + } + return 0; + ++err_out_phy_disconnect: ++ phy_disconnect(dev->phydev); + err_out_mdio_unregister: + mdiobus_unregister(lp->mii_bus); + err_out_mdio: +@@ -1189,6 +1191,7 @@ static void r6040_remove_one(struct pci_dev *pdev) + struct r6040_private *lp = netdev_priv(dev); + + unregister_netdev(dev); ++ phy_disconnect(dev->phydev); + mdiobus_unregister(lp->mii_bus); + mdiobus_free(lp->mii_bus); + netif_napi_del(&lp->napi); +-- +2.35.1 + diff --git a/queue-5.4/rapidio-devices-fix-missing-put_device-in-mport_cdev.patch b/queue-5.4/rapidio-devices-fix-missing-put_device-in-mport_cdev.patch new file mode 100644 index 00000000000..f1db3b08791 --- /dev/null +++ b/queue-5.4/rapidio-devices-fix-missing-put_device-in-mport_cdev.patch 
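Review bot: In the r6040_remove_one() hunk, `phy_disconnect(dev->phydev);` is called unconditionally, so it depends on dev->phydev always being set by the time remove runs. The commit message implies this (probe succeeds only after r6040_mii_probe() connected a PHY), but the hunk does not show it; a one-line comment stating that invariant would help. In the visible context of the r6040_init_one() hunk, the new err_out_phy_disconnect label is reached only from the register_netdev() failure, which is consistent with that.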
@@ -0,0 +1,44 @@ +From 3f57cac01b5f400c515064803aae651e422fb77a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 08:57:21 +0000 +Subject: rapidio: devices: fix missing put_device in mport_cdev_open + +From: Cai Xinchen + +[ Upstream commit d5b6e6eba3af11cb2a2791fa36a2524990fcde1a ] + +When kfifo_alloc fails, the refcount of chdev->dev is left incremental. +We should use put_device(&chdev->dev) to decrease the ref count of +chdev->dev to avoid refcount leak. + +Link: https://lkml.kernel.org/r/20221203085721.13146-1-caixinchen1@huawei.com +Fixes: e8de370188d0 ("rapidio: add mport char device driver") +Signed-off-by: Cai Xinchen +Cc: Alexandre Bounine +Cc: Dan Carpenter +Cc: Jakob Koschel +Cc: John Hubbard +Cc: Matt Porter +Cc: Wang Weiyang +Cc: Yang Yingliang +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + drivers/rapidio/devices/rio_mport_cdev.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c +index 8a420dfd5ee1..2371151bc8fc 100644 +--- a/drivers/rapidio/devices/rio_mport_cdev.c ++++ b/drivers/rapidio/devices/rio_mport_cdev.c +@@ -1915,6 +1915,7 @@ static int mport_cdev_open(struct inode *inode, struct file *filp) + sizeof(struct rio_event) * MPORT_EVENT_DEPTH, + GFP_KERNEL); + if (ret < 0) { ++ put_device(&chdev->dev); + dev_err(&chdev->dev, DRV_NAME ": kfifo_alloc failed\n"); + ret = -ENOMEM; + goto err_fifo; +-- +2.35.1 + diff --git a/queue-5.4/rapidio-fix-possible-name-leaks-when-rio_add_device-.patch b/queue-5.4/rapidio-fix-possible-name-leaks-when-rio_add_device-.patch new file mode 100644 index 00000000000..d29c7470ed0 --- /dev/null +++ b/queue-5.4/rapidio-fix-possible-name-leaks-when-rio_add_device-.patch 
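Review bot: In the mport_cdev_open() hunk of the missing put_device patch, the added `put_device(&chdev->dev);` comes before `dev_err(&chdev->dev, ...)`, so the device is dereferenced after this path has dropped its reference. Move the put_device() call below the dev_err() line, just before `goto err_fifo`, so the log call never touches a device this path no longer holds. The index line (8a420dfd5ee1) is also the post-image of the "fix possible UAF when kfifo_alloc() fails" patch in this queue, so this change has to be applied after that one.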
@@ -0,0 +1,76 @@ +From 1f57d0ad3f4ebccf5f8659713c87355abacdf8fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 23:26:35 +0800 +Subject: rapidio: fix possible name leaks when rio_add_device() fails + +From: Yang Yingliang + +[ Upstream commit f9574cd48679926e2a569e1957a5a1bcc8a719ac ] + +Patch series "rapidio: fix three possible memory leaks". + +This patchset fixes three name leaks in error handling. + - patch #1 fixes two name leaks while rio_add_device() fails. + - patch #2 fixes a name leak while rio_register_mport() fails. + +This patch (of 2): + +If rio_add_device() returns error, the name allocated by dev_set_name() +need be freed. It should use put_device() to give up the reference in the +error path, so that the name can be freed in kobject_cleanup(), and the +'rdev' can be freed in rio_release_dev(). + +Link: https://lkml.kernel.org/r/20221114152636.2939035-1-yangyingliang@huawei.com +Link: https://lkml.kernel.org/r/20221114152636.2939035-2-yangyingliang@huawei.com +Fixes: e8de370188d0 ("rapidio: add mport char device driver") +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Yang Yingliang +Cc: Alexandre Bounine +Cc: Matt Porter +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + drivers/rapidio/devices/rio_mport_cdev.c | 7 +++++-- + drivers/rapidio/rio-scan.c | 8 ++++++-- + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c +index 2b08fdeb87c1..51440668ee79 100644 +--- a/drivers/rapidio/devices/rio_mport_cdev.c ++++ b/drivers/rapidio/devices/rio_mport_cdev.c +@@ -1807,8 +1807,11 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv, + rio_init_dbell_res(&rdev->riores[RIO_DOORBELL_RESOURCE], + 0, 0xffff); + err = rio_add_device(rdev); +- if (err) +- goto cleanup; ++ if (err) { ++ put_device(&rdev->dev); ++ return err; ++ } ++ + rio_dev_get(rdev); + + return 0; 
+diff --git a/drivers/rapidio/rio-scan.c b/drivers/rapidio/rio-scan.c +index 0e90c5d4bb2b..b1cd6e028f2b 100644 +--- a/drivers/rapidio/rio-scan.c ++++ b/drivers/rapidio/rio-scan.c +@@ -456,8 +456,12 @@ static struct rio_dev *rio_setup_device(struct rio_net *net, + 0, 0xffff); + + ret = rio_add_device(rdev); +- if (ret) +- goto cleanup; ++ if (ret) { ++ if (rswitch) ++ kfree(rswitch->route_table); ++ put_device(&rdev->dev); ++ return NULL; ++ } + + rio_dev_get(rdev); + +-- +2.35.1 + diff --git a/queue-5.4/rapidio-fix-possible-uaf-when-kfifo_alloc-fails.patch b/queue-5.4/rapidio-fix-possible-uaf-when-kfifo_alloc-fails.patch new file mode 100644 index 00000000000..45e3295f2c4 --- /dev/null +++ b/queue-5.4/rapidio-fix-possible-uaf-when-kfifo_alloc-fails.patch 
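Review bot: In both hunks of the rio_add_device() name-leak patch, the error branch now returns directly instead of going through `cleanup:`, so everything that label used to release must be covered by put_device() and rio_release_dev(). The rio_setup_device() hunk shows this is not automatic, since it has to free rswitch->route_table by hand; please confirm that the `cleanup:` label in rio_mport_add_riodev(), which is outside the visible context, releases nothing beyond rdev. A short comment at each site saying that rdev is released through put_device() from this point on would explain why kfree() must not be used there.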
@@ -0,0 +1,58 @@ +From 05be36f4b5d654ce315781375159ab80b7ec6329 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 17:51:47 +0800 +Subject: rapidio: fix possible UAF when kfifo_alloc() fails + +From: Wang Weiyang + +[ Upstream commit 02d7d89f816951e0862147d751b1150d67aaebdd ] + +If kfifo_alloc() fails in mport_cdev_open(), goto err_fifo and just free +priv. But priv is still in the chdev->file_list, then list traversal +may cause UAF. This fixes the following smatch warning: + +drivers/rapidio/devices/rio_mport_cdev.c:1930 mport_cdev_open() warn: '&priv->list' not removed from list + +Link: https://lkml.kernel.org/r/20221123095147.52408-1-wangweiyang2@huawei.com +Fixes: e8de370188d0 ("rapidio: add mport char device driver") +Signed-off-by: Wang Weiyang +Cc: Alexandre Bounine +Cc: Dan Carpenter +Cc: Jakob Koschel +Cc: John Hubbard +Cc: Matt Porter +Cc: Yang Yingliang +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + drivers/rapidio/devices/rio_mport_cdev.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c +index 51440668ee79..8a420dfd5ee1 100644 +--- a/drivers/rapidio/devices/rio_mport_cdev.c ++++ b/drivers/rapidio/devices/rio_mport_cdev.c +@@ -1907,10 +1907,6 @@ static int mport_cdev_open(struct inode *inode, struct file *filp) + + priv->md = chdev; + +- mutex_lock(&chdev->file_mutex); +- list_add_tail(&priv->list, &chdev->file_list); +- mutex_unlock(&chdev->file_mutex); +- + INIT_LIST_HEAD(&priv->db_filters); + INIT_LIST_HEAD(&priv->pw_filters); + spin_lock_init(&priv->fifo_lock); +@@ -1929,6 +1925,9 @@ static int mport_cdev_open(struct inode *inode, struct file *filp) + spin_lock_init(&priv->req_lock); + mutex_init(&priv->dma_lock); + #endif ++ mutex_lock(&chdev->file_mutex); ++ list_add_tail(&priv->list, &chdev->file_list); ++ mutex_unlock(&chdev->file_mutex); + + filp->private_data = priv; + goto out; +-- +2.35.1 + 
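Review bot: In the second mport_cdev_open() hunk of the kfifo_alloc() UAF patch, the fix holds only as long as list_add_tail() stays after the last step that can fail, and nothing in the code says so. Suggest a one-line comment above the added mutex_lock() stating that priv is published on chdev->file_list only once initialisation can no longer fail, plus a blank line after `#endif` to match the surrounding style.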
diff --git a/queue-5.4/rapidio-rio-fix-possible-name-leak-in-rio_register_m.patch b/queue-5.4/rapidio-rio-fix-possible-name-leak-in-rio_register_m.patch new file mode 100644 index 00000000000..c82ea65d583 --- /dev/null +++ b/queue-5.4/rapidio-rio-fix-possible-name-leak-in-rio_register_m.patch @@ -0,0 +1,51 @@ +From 720a40a06e4f245ba79b56d794f12c721399318b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 23:26:36 +0800 +Subject: rapidio: rio: fix possible name leak in rio_register_mport() + +From: Yang Yingliang + +[ Upstream commit e92a216d16bde65d21a3227e0fb2aa0794576525 ] + +If device_register() returns error, the name allocated by dev_set_name() +need be freed. It should use put_device() to give up the reference in the +error path, so that the name can be freed in kobject_cleanup(), and +list_del() is called to delete the port from rio_mports. + +Link: https://lkml.kernel.org/r/20221114152636.2939035-3-yangyingliang@huawei.com +Fixes: 2aaf308b95b2 ("rapidio: rework device hierarchy and introduce mport class of devices") +Signed-off-by: Yang Yingliang +Cc: Alexandre Bounine +Cc: Matt Porter +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + drivers/rapidio/rio.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/rapidio/rio.c b/drivers/rapidio/rio.c +index 606986c5ba2c..fcab174e5888 100644 +--- a/drivers/rapidio/rio.c ++++ b/drivers/rapidio/rio.c +@@ -2267,11 +2267,16 @@ int rio_register_mport(struct rio_mport *port) + atomic_set(&port->state, RIO_DEVICE_RUNNING); + + res = device_register(&port->dev); +- if (res) ++ if (res) { + dev_err(&port->dev, "RIO: mport%d registration failed ERR=%d\n", + port->id, res); +- else ++ mutex_lock(&rio_mport_list_lock); ++ list_del(&port->node); ++ mutex_unlock(&rio_mport_list_lock); ++ put_device(&port->dev); ++ } else { + dev_dbg(&port->dev, "RIO: registered mport%d\n", port->id); ++ } + + return res; + } +-- +2.35.1 + 
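Review bot: In the rio_register_mport() hunk, the added `put_device(&port->dev);` may run the device's release callback, while `res` is still returned to the caller as a plain error. The callers are outside the hunk: check that none of them frees or reuses the rio_mport after a failed registration, otherwise this leak fix turns into a double free or use-after-free. Stating in the function's documentation that the port must not be touched after a failure would make the new contract explicit.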
diff --git a/queue-5.4/rcu-fix-__this_cpu_read-lockdep-warning-in-rcu_force.patch b/queue-5.4/rcu-fix-__this_cpu_read-lockdep-warning-in-rcu_force.patch new file mode 100644 index 00000000000..95cff7f6eb7 --- /dev/null +++ b/queue-5.4/rcu-fix-__this_cpu_read-lockdep-warning-in-rcu_force.patch 
@@ -0,0 +1,60 @@ +From 56c5c65f0ae184b085de7de57184415234670ec2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Oct 2022 12:41:48 +0800 +Subject: rcu: Fix __this_cpu_read() lockdep warning in + rcu_force_quiescent_state() + +From: Zqiang + +[ Upstream commit ceb1c8c9b8aa9199da46a0f29d2d5f08d9b44c15 ] + +Running rcutorture with non-zero fqs_duration module parameter in a +kernel built with CONFIG_PREEMPTION=y results in the following splat: + +BUG: using __this_cpu_read() in preemptible [00000000] +code: rcu_torture_fqs/398 +caller is __this_cpu_preempt_check+0x13/0x20 +CPU: 3 PID: 398 Comm: rcu_torture_fqs Not tainted 6.0.0-rc1-yoctodev-standard+ +Call Trace: + +dump_stack_lvl+0x5b/0x86 +dump_stack+0x10/0x16 +check_preemption_disabled+0xe5/0xf0 +__this_cpu_preempt_check+0x13/0x20 +rcu_force_quiescent_state.part.0+0x1c/0x170 +rcu_force_quiescent_state+0x1e/0x30 +rcu_torture_fqs+0xca/0x160 +? rcu_torture_boost+0x430/0x430 +kthread+0x192/0x1d0 +? kthread_complete_and_exit+0x30/0x30 +ret_from_fork+0x22/0x30 + + +The problem is that rcu_force_quiescent_state() uses __this_cpu_read() +in preemptible code instead of the proper raw_cpu_read(). This commit +therefore changes __this_cpu_read() to raw_cpu_read(). + +Signed-off-by: Zqiang +Reviewed-by: Joel Fernandes (Google) +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c +index 5797cf2909b0..615283404d9d 100644 +--- a/kernel/rcu/tree.c ++++ b/kernel/rcu/tree.c +@@ -2317,7 +2317,7 @@ void rcu_force_quiescent_state(void) + struct rcu_node *rnp_old = NULL; + + /* Funnel through hierarchy to reduce memory contention. */ +- rnp = __this_cpu_read(rcu_data.mynode); ++ rnp = raw_cpu_read(rcu_data.mynode); + for (; rnp != NULL; rnp = rnp->parent) { + ret = (READ_ONCE(rcu_state.gp_flags) & RCU_GP_FLAG_FQS) || + !raw_spin_trylock(&rnp->fqslock); +-- +2.35.1 + 
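Review bot: In the rcu_force_quiescent_state() hunk, switching to raw_cpu_read() removes the preemption check, but the task can still migrate right after the read, so `rnp` may belong to a CPU the caller is no longer running on. The commit message does not say why that is acceptable. If, as the loop over rnp->parent suggests, the leaf node is only a starting point for the funnel, say so in a comment next to the read so the raw_ accessor is not later mistaken for a missed preempt_disable().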
diff --git a/queue-5.4/rdma-core-fix-order-of-nldev_exit-call.patch b/queue-5.4/rdma-core-fix-order-of-nldev_exit-call.patch new file mode 100644 index 00000000000..e123d59ed55 --- /dev/null +++ b/queue-5.4/rdma-core-fix-order-of-nldev_exit-call.patch @@ -0,0 +1,38 @@ +From bffd293f7d37659e2643349316ed82c97b41e2c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Oct 2022 10:37:13 +0300 +Subject: RDMA/core: Fix order of nldev_exit call + +From: Leon Romanovsky + +[ Upstream commit 4508d32ccced24c972bc4592104513e1ff8439b5 ] + +Create symmetrical exit flow by calling to nldev_exit() after +call to rdma_nl_unregister(RDMA_NL_LS). + +Fixes: 6c80b41abe22 ("RDMA/netlink: Add nldev initialization flows") +Signed-off-by: Leon Romanovsky +Link: https://lore.kernel.org/r/64e676774a53a406f4cde265d5a4cfd6b8e97df9.1666683334.git.leonro@nvidia.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c +index 372ca5347d3c..a12ee8ef27a8 100644 +--- a/drivers/infiniband/core/device.c ++++ b/drivers/infiniband/core/device.c +@@ -2796,8 +2796,8 @@ static int __init ib_core_init(void) + static void __exit ib_core_cleanup(void) + { + roce_gid_mgmt_cleanup(); +- nldev_exit(); + rdma_nl_unregister(RDMA_NL_LS); ++ nldev_exit(); + unregister_pernet_device(&rdma_dev_net_ops); + unregister_blocking_lsm_notifier(&ibdev_lsm_nb); + ib_sa_cleanup(); +-- +2.35.1 + diff --git a/queue-5.4/rdma-hfi-decrease-pci-device-reference-count-in-erro.patch b/queue-5.4/rdma-hfi-decrease-pci-device-reference-count-in-erro.patch new file mode 100644 index 00000000000..1499cf4763f --- /dev/null +++ b/queue-5.4/rdma-hfi-decrease-pci-device-reference-count-in-erro.patch 
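Review bot: In the ib_core_cleanup() hunk, the reorder is justified only as a "symmetrical exit flow", and ib_core_init() is not in the context, so the symmetry cannot be checked from the patch. Please quote the order of the corresponding init-side calls in the commit message and say whether the old order had an observable effect, since this is queued for stable.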
@@ -0,0 +1,42 @@ +From cb7659a365fa41c8ed28c046e4b5a43be00d521a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 21:15:46 +0800 +Subject: RDMA/hfi: Decrease PCI device reference count in error path + +From: Xiongfeng Wang + +[ Upstream commit 9b51d072da1d27e1193e84708201c48e385ad912 ] + +pci_get_device() will increase the reference count for the returned +pci_dev, and also decrease the reference count for the input parameter +*from* if it is not NULL. + +If we break out the loop in node_affinity_init() with 'dev' not NULL, we +need to call pci_dev_put() to decrease the reference count. Add missing +pci_dev_put() in error path. + +Fixes: c513de490f80 ("IB/hfi1: Invalid NUMA node information can cause a divide by zero") +Signed-off-by: Xiongfeng Wang +Link: https://lore.kernel.org/r/20221117131546.113280-1-wangxiongfeng2@huawei.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/affinity.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/hw/hfi1/affinity.c b/drivers/infiniband/hw/hfi1/affinity.c +index 1aeea5d65c01..832b878fa67e 100644 +--- a/drivers/infiniband/hw/hfi1/affinity.c ++++ b/drivers/infiniband/hw/hfi1/affinity.c +@@ -218,6 +218,8 @@ int node_affinity_init(void) + for (node = 0; node < node_affinity.num_possible_nodes; node++) + hfi1_per_node_cntr[node] = 1; + ++ pci_dev_put(dev); ++ + return 0; + } + +-- +2.35.1 + diff --git a/queue-5.4/rdma-hfi1-fix-error-return-code-in-parse_platform_co.patch b/queue-5.4/rdma-hfi1-fix-error-return-code-in-parse_platform_co.patch new file mode 100644 index 00000000000..3fb4f4950c2 --- /dev/null +++ b/queue-5.4/rdma-hfi1-fix-error-return-code-in-parse_platform_co.patch 
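Review bot: In the node_affinity_init() hunk, pci_dev_put(dev) is added just before `return 0`, which is the normal exit, while the subject and message describe an error path. The placement is right if every way out of the loop falls through to this point (pci_dev_put() accepts NULL), but the message should say so, and any early return inside the loop, which is outside the visible context, would still leak the reference.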
@@ -0,0 +1,78 @@ +From e42c1bb0315a4999f1e3b992c728d115461bc8be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 12:00:37 +0800 +Subject: RDMA/hfi1: Fix error return code in parse_platform_config() + +From: Wang Yufen + +[ Upstream commit 725349f8ba1e78a146c6ff8f3ee5e2712e517106 ] + +In the previous iteration of the while loop, the "ret" may have been +assigned a value of 0, so the error return code -EINVAL may have been +incorrectly set to 0. To fix set valid return code before calling to +goto. + +Fixes: 97167e813415 ("staging/rdma/hfi1: Tune for unknown channel if configuration file is absent") +Signed-off-by: Wang Yufen +Link: https://lore.kernel.org/r/1669953638-11747-1-git-send-email-wangyufen@huawei.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/firmware.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/infiniband/hw/hfi1/firmware.c b/drivers/infiniband/hw/hfi1/firmware.c +index c09080712485..747ec08dec0d 100644 +--- a/drivers/infiniband/hw/hfi1/firmware.c ++++ b/drivers/infiniband/hw/hfi1/firmware.c +@@ -1786,6 +1786,7 @@ int parse_platform_config(struct hfi1_devdata *dd) + + if (!dd->platform_config.data) { + dd_dev_err(dd, "%s: Missing config file\n", __func__); ++ ret = -EINVAL; + goto bail; + } + ptr = (u32 *)dd->platform_config.data; +@@ -1794,6 +1795,7 @@ int parse_platform_config(struct hfi1_devdata *dd) + ptr++; + if (magic_num != PLATFORM_CONFIG_MAGIC_NUM) { + dd_dev_err(dd, "%s: Bad config file\n", __func__); ++ ret = -EINVAL; + goto bail; + } + +@@ -1817,6 +1819,7 @@ int parse_platform_config(struct hfi1_devdata *dd) + if (file_length > dd->platform_config.size) { + dd_dev_info(dd, "%s:File claims to be larger than read size\n", + __func__); ++ ret = -EINVAL; + goto bail; + } else if (file_length < dd->platform_config.size) { + dd_dev_info(dd, +@@ -1837,6 +1840,7 @@ int parse_platform_config(struct hfi1_devdata *dd) + dd_dev_err(dd, "%s: Failed validation at 
offset %ld\n", + __func__, (ptr - (u32 *) + dd->platform_config.data)); ++ ret = -EINVAL; + goto bail; + } + +@@ -1883,6 +1887,7 @@ int parse_platform_config(struct hfi1_devdata *dd) + __func__, table_type, + (ptr - (u32 *) + dd->platform_config.data)); ++ ret = -EINVAL; + goto bail; /* We don't trust this file now */ + } + pcfgcache->config_tables[table_type].table = ptr; +@@ -1907,6 +1912,7 @@ int parse_platform_config(struct hfi1_devdata *dd) + __func__, table_type, + (ptr - + (u32 *)dd->platform_config.data)); ++ ret = -EINVAL; + goto bail; /* We don't trust this file now */ + } + pcfgcache->config_tables[table_type].table_metadata = +-- +2.35.1 + diff --git a/queue-5.4/rdma-nldev-add-checks-for-nla_nest_start-in-fill_sta.patch b/queue-5.4/rdma-nldev-add-checks-for-nla_nest_start-in-fill_sta.patch new file mode 100644 index 00000000000..72bf37b1b1e --- /dev/null +++ b/queue-5.4/rdma-nldev-add-checks-for-nla_nest_start-in-fill_sta.patch 
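Review bot: In the third parse_platform_config() hunk, the "File claims to be larger than read size" branch now fails with -EINVAL but still logs through dd_dev_info(), unlike the other failing branches shown, which use dd_dev_err(). Suggest switching that call to dd_dev_err() so the failure is logged at error severity like the rest. With six identical `ret = -EINVAL;` insertions, setting the value once at a shared error label would also be less fragile than repeating it before each `goto bail`.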
@@ -0,0 +1,38 @@ +From e913106d95ed3d2a34cc47fa18ae7da7db81c83b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Nov 2022 04:34:10 +0000 +Subject: RDMA/nldev: Add checks for nla_nest_start() in + fill_stat_counter_qps() + +From: Yuan Can + +[ Upstream commit ea5ef136e215fdef35f14010bc51fcd6686e6922 ] + +As the nla_nest_start() may fail with NULL returned, the return value needs +to be checked. + +Fixes: c4ffee7c9bdb ("RDMA/netlink: Implement counter dumpit calback") +Signed-off-by: Yuan Can +Link: https://lore.kernel.org/r/20221126043410.85632-1-yuancan@huawei.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/nldev.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c +index 93cc60e92d82..88c68d77e6b1 100644 +--- a/drivers/infiniband/core/nldev.c ++++ b/drivers/infiniband/core/nldev.c +@@ -694,6 +694,8 @@ static int fill_stat_counter_qps(struct sk_buff *msg, + int ret = 0; + + table_attr = nla_nest_start(msg, RDMA_NLDEV_ATTR_RES_QP); ++ if (!table_attr) ++ return -EMSGSIZE; + + rt = &counter->device->res[RDMA_RESTRACK_QP]; + xa_lock(&rt->xa); +-- +2.35.1 + diff --git a/queue-5.4/rdma-nldev-return-eagain-if-the-cm_id-isn-t-from-exp.patch b/queue-5.4/rdma-nldev-return-eagain-if-the-cm_id-isn-t-from-exp.patch new file mode 100644 index 00000000000..9c19f3551fe --- /dev/null +++ b/queue-5.4/rdma-nldev-return-eagain-if-the-cm_id-isn-t-from-exp.patch 
@@ -0,0 +1,51 @@ +From 990e4fe5a14ae246d7d50d41b002df2a7cd1bc4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 10:51:36 +0200 +Subject: RDMA/nldev: Return "-EAGAIN" if the cm_id isn't from expected port + +From: Mark Zhang + +[ Upstream commit ecacb3751f254572af0009b9501e2cdc83a30b6a ] + +When filling a cm_id entry, return "-EAGAIN" instead of 0 if the cm_id +doesn'the have the same port as requested, otherwise an incomplete entry +may be returned, which causes "rdam res show cm_id" to return an error. + +For example on a machine with two rdma devices with "rping -C 1 -v -s" +running background, the "rdma" command fails: + $ rdma -V + rdma utility, iproute2-5.19.0 + $ rdma res show cm_id + link mlx5_0/- cm-idn 0 state LISTEN ps TCP pid 28056 comm rping src-addr 0.0.0.0:7174 + error: Protocol not available + +While with this fix it succeeds: + $ rdma res show cm_id + link mlx5_0/- cm-idn 0 state LISTEN ps TCP pid 26395 comm rping src-addr 0.0.0.0:7174 + link mlx5_1/- cm-idn 0 state LISTEN ps TCP pid 26395 comm rping src-addr 0.0.0.0:7174 + +Fixes: 00313983cda6 ("RDMA/nldev: provide detailed CM_ID information") +Signed-off-by: Mark Zhang +Link: https://lore.kernel.org/r/a08e898cdac5e28428eb749a99d9d981571b8ea7.1667810736.git.leonro@nvidia.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/nldev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c +index 81b70f1f1290..93cc60e92d82 100644 +--- a/drivers/infiniband/core/nldev.c ++++ b/drivers/infiniband/core/nldev.c +@@ -493,7 +493,7 @@ static int fill_res_cm_id_entry(struct sk_buff *msg, bool has_cap_net_admin, + struct rdma_cm_id *cm_id = &id_priv->id; + + if (port && port != cm_id->port_num) +- return 0; ++ return -EAGAIN; + + if (cm_id->port_num && + nla_put_u32(msg, RDMA_NLDEV_ATTR_PORT_INDEX, cm_id->port_num)) +-- +2.35.1 + 
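Review bot: In the fill_res_cm_id_entry() hunk, `return -EAGAIN;` for a port mismatch is easy to misread as a retryable failure; going by the commit message, its meaning here is "skip this entry". The caller that interprets the value is not in the hunk, so add a comment at the return naming that convention, otherwise a later cleanup may change it back to 0 or to a hard error.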
diff --git a/queue-5.4/rdma-rxe-fix-null-ptr-deref-in-rxe_qp_do_cleanup-whe.patch b/queue-5.4/rdma-rxe-fix-null-ptr-deref-in-rxe_qp_do_cleanup-whe.patch new file mode 100644 index 00000000000..83c55493cb6 --- /dev/null +++ b/queue-5.4/rdma-rxe-fix-null-ptr-deref-in-rxe_qp_do_cleanup-whe.patch 
@@ -0,0 +1,78 @@ +From 30ce1233e8967025c5de2e979dbbe502238afec0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 23:14:37 +0800 +Subject: RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket + create failed + +From: Zhang Xiaoxu + +[ Upstream commit f67376d801499f4fa0838c18c1efcad8840e550d ] + +There is a null-ptr-deref when mount.cifs over rdma: + + BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe] + Read of size 8 at addr 0000000000000018 by task mount.cifs/3046 + + CPU: 2 PID: 3046 Comm: mount.cifs Not tainted 6.1.0-rc5+ #62 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc3 + Call Trace: + + dump_stack_lvl+0x34/0x44 + kasan_report+0xad/0x130 + rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe] + execute_in_process_context+0x25/0x90 + __rxe_cleanup+0x101/0x1d0 [rdma_rxe] + rxe_create_qp+0x16a/0x180 [rdma_rxe] + create_qp.part.0+0x27d/0x340 + ib_create_qp_kernel+0x73/0x160 + rdma_create_qp+0x100/0x230 + _smbd_get_connection+0x752/0x20f0 + smbd_get_connection+0x21/0x40 + cifs_get_tcp_session+0x8ef/0xda0 + mount_get_conns+0x60/0x750 + cifs_mount+0x103/0xd00 + cifs_smb3_do_mount+0x1dd/0xcb0 + smb3_get_tree+0x1d5/0x300 + vfs_get_tree+0x41/0xf0 + path_mount+0x9b3/0xdd0 + __x64_sys_mount+0x190/0x1d0 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +The root cause of the issue is the socket create failed in +rxe_qp_init_req(). + +So move the reset rxe_qp_do_cleanup() after the NULL ptr check. 
+ +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20221122151437.1057671-1-zhangxiaoxu5@huawei.com +Signed-off-by: Zhang Xiaoxu +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_qp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c +index 89f6d54a4312..5dd9bcef5921 100644 +--- a/drivers/infiniband/sw/rxe/rxe_qp.c ++++ b/drivers/infiniband/sw/rxe/rxe_qp.c +@@ -842,12 +842,12 @@ static void rxe_qp_do_cleanup(struct work_struct *work) + qp->resp.mr = NULL; + } + +- if (qp_type(qp) == IB_QPT_RC) +- sk_dst_reset(qp->sk->sk); +- + free_rd_atomic_resources(qp); + + if (qp->sk) { ++ if (qp_type(qp) == IB_QPT_RC) ++ sk_dst_reset(qp->sk->sk); ++ + kernel_sock_shutdown(qp->sk, SHUT_RDWR); + sock_release(qp->sk); + } +-- +2.35.1 + diff --git a/queue-5.4/rdma-siw-fix-immediate-work-request-flush-to-complet.patch b/queue-5.4/rdma-siw-fix-immediate-work-request-flush-to-complet.patch new file mode 100644 index 00000000000..34037e2c479 --- /dev/null +++ b/queue-5.4/rdma-siw-fix-immediate-work-request-flush-to-complet.patch 
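Review bot: In the rxe_qp_do_cleanup() hunk, moving sk_dst_reset() under `if (qp->sk)` also moves it after free_rd_atomic_resources(qp), an ordering change the commit message does not mention. Please state in the message that the reset does not depend on the atomic resources, and name the failure in rxe_qp_init_req() that leaves qp->sk NULL, since the hunk relies on qp->sk being NULL in that case.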
@@ -0,0 +1,137 @@ +From 640ffdb4dd3675b5842bc6652072de5f23e1ffeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 15:50:57 +0100 +Subject: RDMA/siw: Fix immediate work request flush to completion queue + +From: Bernard Metzler + +[ Upstream commit bdf1da5df9da680589a7f74448dd0a94dd3e1446 ] + +Correctly set send queue element opcode during immediate work request +flushing in post sendqueue operation, if the QP is in ERROR state. +An undefined ocode value results in out-of-bounds access to an array +for mapping the opcode between siw internal and RDMA core representation +in work completion generation. It resulted in a KASAN BUG report +of type 'global-out-of-bounds' during NFSoRDMA testing. + +This patch further fixes a potential case of a malicious user which may +write undefined values for completion queue elements status or opcode, +if the CQ is memory mapped to user land. It avoids the same out-of-bounds +access to arrays for status and opcode mapping as described above. 
+ +Fixes: 303ae1cdfdf7 ("rdma/siw: application interface") +Fixes: b0fff7317bb4 ("rdma/siw: completion queue methods") +Reported-by: Olga Kornievskaia +Reviewed-by: Tom Talpey +Signed-off-by: Bernard Metzler +Link: https://lore.kernel.org/r/20221107145057.895747-1-bmt@zurich.ibm.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/siw/siw_cq.c | 24 ++++++++++++++-- + drivers/infiniband/sw/siw/siw_verbs.c | 40 ++++++++++++++++++++++++--- + 2 files changed, 58 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/sw/siw/siw_cq.c b/drivers/infiniband/sw/siw/siw_cq.c +index d8db3bee9da7..26d4eb44a9d0 100644 +--- a/drivers/infiniband/sw/siw/siw_cq.c ++++ b/drivers/infiniband/sw/siw/siw_cq.c +@@ -56,8 +56,6 @@ int siw_reap_cqe(struct siw_cq *cq, struct ib_wc *wc) + if (READ_ONCE(cqe->flags) & SIW_WQE_VALID) { + memset(wc, 0, sizeof(*wc)); + wc->wr_id = cqe->id; +- wc->status = map_cqe_status[cqe->status].ib; +- wc->opcode = map_wc_opcode[cqe->opcode]; + wc->byte_len = cqe->bytes; + + /* +@@ -71,10 +69,32 @@ int siw_reap_cqe(struct siw_cq *cq, struct ib_wc *wc) + wc->wc_flags = IB_WC_WITH_INVALIDATE; + } + wc->qp = cqe->base_qp; ++ wc->opcode = map_wc_opcode[cqe->opcode]; ++ wc->status = map_cqe_status[cqe->status].ib; + siw_dbg_cq(cq, + "idx %u, type %d, flags %2x, id 0x%pK\n", + cq->cq_get % cq->num_cqe, cqe->opcode, + cqe->flags, (void *)(uintptr_t)cqe->id); ++ } else { ++ /* ++ * A malicious user may set invalid opcode or ++ * status in the user mmapped CQE array. ++ * Sanity check and correct values in that case ++ * to avoid out-of-bounds access to global arrays ++ * for opcode and status mapping. 
++ */ ++ u8 opcode = cqe->opcode; ++ u16 status = cqe->status; ++ ++ if (opcode >= SIW_NUM_OPCODES) { ++ opcode = 0; ++ status = IB_WC_GENERAL_ERR; ++ } else if (status >= SIW_NUM_WC_STATUS) { ++ status = IB_WC_GENERAL_ERR; ++ } ++ wc->opcode = map_wc_opcode[opcode]; ++ wc->status = map_cqe_status[status].ib; ++ + } + WRITE_ONCE(cqe->flags, 0); + cq->cq_get++; +diff --git a/drivers/infiniband/sw/siw/siw_verbs.c b/drivers/infiniband/sw/siw/siw_verbs.c +index b9ca54e372b4..c8c2014b79d2 100644 +--- a/drivers/infiniband/sw/siw/siw_verbs.c ++++ b/drivers/infiniband/sw/siw/siw_verbs.c +@@ -694,13 +694,45 @@ static int siw_copy_inline_sgl(const struct ib_send_wr *core_wr, + static int siw_sq_flush_wr(struct siw_qp *qp, const struct ib_send_wr *wr, + const struct ib_send_wr **bad_wr) + { +- struct siw_sqe sqe = {}; + int rv = 0; + + while (wr) { +- sqe.id = wr->wr_id; +- sqe.opcode = wr->opcode; +- rv = siw_sqe_complete(qp, &sqe, 0, SIW_WC_WR_FLUSH_ERR); ++ struct siw_sqe sqe = {}; ++ ++ switch (wr->opcode) { ++ case IB_WR_RDMA_WRITE: ++ sqe.opcode = SIW_OP_WRITE; ++ break; ++ case IB_WR_RDMA_READ: ++ sqe.opcode = SIW_OP_READ; ++ break; ++ case IB_WR_RDMA_READ_WITH_INV: ++ sqe.opcode = SIW_OP_READ_LOCAL_INV; ++ break; ++ case IB_WR_SEND: ++ sqe.opcode = SIW_OP_SEND; ++ break; ++ case IB_WR_SEND_WITH_IMM: ++ sqe.opcode = SIW_OP_SEND_WITH_IMM; ++ break; ++ case IB_WR_SEND_WITH_INV: ++ sqe.opcode = SIW_OP_SEND_REMOTE_INV; ++ break; ++ case IB_WR_LOCAL_INV: ++ sqe.opcode = SIW_OP_INVAL_STAG; ++ break; ++ case IB_WR_REG_MR: ++ sqe.opcode = SIW_OP_REG_MR; ++ break; ++ default: ++ rv = -EINVAL; ++ break; ++ } ++ if (!rv) { ++ sqe.id = wr->wr_id; ++ rv = siw_sqe_complete(qp, &sqe, 0, ++ SIW_WC_WR_FLUSH_ERR); ++ } + if (rv) { + if (bad_wr) + *bad_wr = wr; +-- +2.35.1 + diff --git a/queue-5.4/rdma-siw-fix-pointer-cast-warning.patch b/queue-5.4/rdma-siw-fix-pointer-cast-warning.patch new file mode 100644 index 00000000000..db39adeeb6b --- /dev/null 
+++ b/queue-5.4/rdma-siw-fix-pointer-cast-warning.patch @@ -0,0 +1,47 @@ +From 4a60c505c21936a844746f21a23254988da197bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Dec 2022 18:03:43 +0100 +Subject: RDMA/siw: Fix pointer cast warning + +From: Arnd Bergmann + +[ Upstream commit 5244ca88671a1981ceec09c5c8809f003e6a62aa ] + +The previous build fix left a remaining issue in configurations with +64-bit dma_addr_t on 32-bit architectures: + +drivers/infiniband/sw/siw/siw_qp_tx.c: In function 'siw_get_pblpage': +drivers/infiniband/sw/siw/siw_qp_tx.c:32:37: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] + 32 | return virt_to_page((void *)paddr); + | ^ + +Use the same double cast here that the driver uses elsewhere to convert +between dma_addr_t and void*. + +Fixes: 0d1b756acf60 ("RDMA/siw: Pass a pointer to virt_to_page()") +Link: https://lore.kernel.org/r/20221215170347.2612403-1-arnd@kernel.org +Signed-off-by: Arnd Bergmann +Acked-by: Bernard Metzler +Reviewed-by: Linus Walleij +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/siw/siw_qp_tx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/siw/siw_qp_tx.c b/drivers/infiniband/sw/siw/siw_qp_tx.c +index 5e6d96bd2eb1..2b5120a13e37 100644 +--- a/drivers/infiniband/sw/siw/siw_qp_tx.c ++++ b/drivers/infiniband/sw/siw/siw_qp_tx.c +@@ -29,7 +29,7 @@ static struct page *siw_get_pblpage(struct siw_mem *mem, u64 addr, int *idx) + dma_addr_t paddr = siw_pbl_get_buffer(pbl, offset, NULL, idx); + + if (paddr) +- return virt_to_page((void *)paddr); ++ return virt_to_page((void *)(uintptr_t)paddr); + + return NULL; + } +-- +2.35.1 + diff --git a/queue-5.4/rdma-siw-set-defined-status-for-work-completion-with.patch b/queue-5.4/rdma-siw-set-defined-status-for-work-completion-with.patch new file mode 100644 index 00000000000..5386d32b203 --- /dev/null 
+++ b/queue-5.4/rdma-siw-set-defined-status-for-work-completion-with.patch 
@@ -0,0 +1,52 @@ +From 135a5c6609ff7ae25218bf1f276ca63e0f08c5fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 18:07:47 +0100 +Subject: RDMA/siw: Set defined status for work completion with undefined + status + +From: Bernard Metzler + +[ Upstream commit 60da2d11fcbc043304910e4d2ca82f9bab953e63 ] + +A malicious user may write undefined values into memory mapped completion +queue elements status or opcode. Undefined status or opcode values will +result in out-of-bounds access to an array mapping siw internal +representation of opcode and status to RDMA core representation when +reaping CQ elements. While siw detects those undefined values, it did not +correctly set completion status to a defined value, thus defeating the +whole purpose of the check. + +This bug leads to the following Smatch static checker warning: + + drivers/infiniband/sw/siw/siw_cq.c:96 siw_reap_cqe() + error: buffer overflow 'map_cqe_status' 10 <= 21 + +Fixes: bdf1da5df9da ("RDMA/siw: Fix immediate work request flush to completion queue") +Link: https://lore.kernel.org/r/20221115170747.1263298-1-bmt@zurich.ibm.com +Reported-by: Dan Carpenter +Signed-off-by: Bernard Metzler +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/siw/siw_cq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/sw/siw/siw_cq.c b/drivers/infiniband/sw/siw/siw_cq.c +index 26d4eb44a9d0..214714afacb7 100644 +--- a/drivers/infiniband/sw/siw/siw_cq.c ++++ b/drivers/infiniband/sw/siw/siw_cq.c +@@ -88,9 +88,9 @@ int siw_reap_cqe(struct siw_cq *cq, struct ib_wc *wc) + + if (opcode >= SIW_NUM_OPCODES) { + opcode = 0; +- status = IB_WC_GENERAL_ERR; ++ status = SIW_WC_GENERAL_ERR; + } else if (status >= SIW_NUM_WC_STATUS) { +- status = IB_WC_GENERAL_ERR; ++ status = SIW_WC_GENERAL_ERR; + } + wc->opcode = map_wc_opcode[opcode]; + wc->status = map_cqe_status[status].ib; +-- +2.35.1 + 
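Review bot: in rxe_qp_do_cleanup() (drivers/infiniband/sw/rxe/rxe_qp.c) the moved `sk_dst_reset(qp->sk->sk);` is now covered by the existing `if (qp->sk)` test, but nothing in the function records why qp->sk can be NULL at this point. A one-line comment above the test saying that cleanup also runs when socket creation in rxe_qp_init_req() failed (the root cause given in the commit message) would keep a later refactor from hoisting the call out again. The same failure path also reaches the unconditional free_rd_atomic_resources(qp) visible just above, so the message should confirm that call is safe on a partially initialised QP.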
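Review bot: in the new else branch of siw_reap_cqe() (drivers/infiniband/sw/siw/siw_cq.c, hunk at -71,10 +69,32 of the "Fix immediate work request flush to completion queue" patch) the fallback `status = IB_WC_GENERAL_ERR;` stores an RDMA core value into a variable that is then used as the index in `map_cqe_status[status].ib`, an array bounded by SIW_NUM_WC_STATUS. The replacement has to be a siw-internal value (SIW_WC_GENERAL_ERR), otherwise the sanity check swaps one out-of-range index for another. This queue carries that correction as the separate "Set defined status for work completion with undefined status" patch, so the two must be applied together. Separately, cqe->opcode and cqe->status are copied from the user-mapped CQE with plain loads while cqe->flags is read with READ_ONCE(); reading both with READ_ONCE() would guarantee that the value checked is the value used as the index.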
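Review bot: in siw_get_pblpage() (drivers/infiniband/sw/siw/siw_qp_tx.c) the cast `(void *)(uintptr_t)paddr` removes the warning by narrowing a 64-bit dma_addr_t to a 32-bit pointer on the configurations named in the commit message, and neither the code nor the message says why discarding the upper bits is safe. Since virt_to_page() expects a kernel virtual address, a short comment stating what kind of address the PBL entry actually holds would make the narrowing reviewable instead of just silent.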
diff --git a/queue-5.4/regulator-core-fix-module-refcount-leak-in-set_suppl.patch b/queue-5.4/regulator-core-fix-module-refcount-leak-in-set_suppl.patch new file mode 100644 index 00000000000..c8b1ec64517 --- /dev/null +++ b/queue-5.4/regulator-core-fix-module-refcount-leak-in-set_suppl.patch @@ -0,0 +1,36 @@ +From d031d1672b0fb2f95bd7fa4971b17a400c8b8a03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 20:27:05 +0800 +Subject: regulator: core: fix module refcount leak in set_supply() + +From: Yang Yingliang + +[ Upstream commit da46ee19cbd8344d6860816b4827a7ce95764867 ] + +If create_regulator() fails in set_supply(), the module refcount +needs be put to keep refcount balanced. + +Fixes: e2c09ae7a74d ("regulator: core: Increase refcount for regulator supply's module") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221201122706.4055992-2-yangyingliang@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 9b4783bf63f7..3f2a18536fce 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -1431,6 +1431,7 @@ static int set_supply(struct regulator_dev *rdev, + + rdev->supply = create_regulator(supply_rdev, &rdev->dev, "SUPPLY"); + if (rdev->supply == NULL) { ++ module_put(supply_rdev->owner); + err = -ENOMEM; + return err; + } +-- +2.35.1 + diff --git a/queue-5.4/regulator-core-fix-resource-leak-in-regulator_regist.patch b/queue-5.4/regulator-core-fix-resource-leak-in-regulator_regist.patch new file mode 100644 index 00000000000..97c3a7607b3 --- /dev/null +++ b/queue-5.4/regulator-core-fix-resource-leak-in-regulator_regist.patch 
@@ -0,0 +1,71 @@ +From 1ae10c272a713bf91dd86b52f773aee210bf6dc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 10:51:11 +0800 +Subject: regulator: core: fix resource leak in regulator_register() + +From: Yang Yingliang + +[ Upstream commit ba62319a42c50e6254e98b3f316464fac8e77968 ] + +I got some resource leak reports while doing fault injection test: + + OF: ERROR: memory leak, expected refcount 1 instead of 100, + of_node_get()/of_node_put() unbalanced - destroy cset entry: + attach overlay node /i2c/pmic@64/regulators/buck1 + +unreferenced object 0xffff88810deea000 (size 512): + comm "490-i2c-rt5190a", pid 253, jiffies 4294859840 (age 5061.046s) + hex dump (first 32 bytes): + 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... + ff ff ff ff ff ff ff ff a0 1e 00 a1 ff ff ff ff ................ + backtrace: + [<00000000d78541e2>] kmalloc_trace+0x21/0x110 + [<00000000b343d153>] device_private_init+0x32/0xd0 + [<00000000be1f0c70>] device_add+0xb2d/0x1030 + [<00000000e3e6344d>] regulator_register+0xaf2/0x12a0 + [<00000000e2f5e754>] devm_regulator_register+0x57/0xb0 + [<000000008b898197>] rt5190a_probe+0x52a/0x861 [rt5190a_regulator] + +unreferenced object 0xffff88810b617b80 (size 32): + comm "490-i2c-rt5190a", pid 253, jiffies 4294859904 (age 5060.983s) + hex dump (first 32 bytes): + 72 65 67 75 6c 61 74 6f 72 2e 32 38 36 38 2d 53 regulator.2868-S + 55 50 50 4c 59 00 ff ff 29 00 00 00 2b 00 00 00 UPPLY...)...+... 
+ backtrace: + [<000000009da9280d>] __kmalloc_node_track_caller+0x44/0x1b0 + [<0000000025c6a4e5>] kstrdup+0x3a/0x70 + [<00000000790efb69>] create_regulator+0xc0/0x4e0 + [<0000000005ed203a>] regulator_resolve_supply+0x2d4/0x440 + [<0000000045796214>] regulator_register+0x10b3/0x12a0 + [<00000000e2f5e754>] devm_regulator_register+0x57/0xb0 + [<000000008b898197>] rt5190a_probe+0x52a/0x861 [rt5190a_regulator] + +After calling regulator_resolve_supply(), the 'rdev->supply' is set +by set_supply(), after this set, in the error path, the resources +need be released, so call regulator_put() to avoid the leaks. + +Fixes: aea6cb99703e ("regulator: resolve supply after creating regulator") +Fixes: 8a866d527ac0 ("regulator: core: Resolve supply name earlier to prevent double-init") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221202025111.496402-1-yangyingliang@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 3f2a18536fce..5dd17a341577 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -5268,6 +5268,7 @@ regulator_register(const struct regulator_desc *regulator_desc, + regulator_remove_coupling(rdev); + mutex_unlock(®ulator_list_mutex); + wash: ++ regulator_put(rdev->supply); + kfree(rdev->coupling_desc.coupled_rdevs); + mutex_lock(®ulator_list_mutex); + regulator_ena_gpio_free(rdev); +-- +2.35.1 + diff --git a/queue-5.4/regulator-core-fix-unbalanced-of-node-refcount-in-re.patch b/queue-5.4/regulator-core-fix-unbalanced-of-node-refcount-in-re.patch new file mode 100644 index 00000000000..c62ae685fde --- /dev/null +++ b/queue-5.4/regulator-core-fix-unbalanced-of-node-refcount-in-re.patch 
@@ -0,0 +1,43 @@ +From 6e645456910893531fe635f5c3749a73aa97c15a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 17:15:08 +0800 +Subject: regulator: core: fix unbalanced of node refcount in + regulator_dev_lookup() + +From: Yang Yingliang + +[ Upstream commit f2b41b748c19962b82709d9f23c6b2b0ce9d2f91 ] + +I got the the following report: + + OF: ERROR: memory leak, expected refcount 1 instead of 2, + of_node_get()/of_node_put() unbalanced - destroy cset entry: + attach overlay node /i2c/pmic@62/regulators/exten + +In of_get_regulator(), the node is returned from of_parse_phandle() +with refcount incremented, after using it, of_node_put() need be called. + +Fixes: 69511a452e6d ("regulator: map consumer regulator based on device tree") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221115091508.900752-1-yangyingliang@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 7d15312d6792..ee71dcb009bf 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -1734,6 +1734,7 @@ static struct regulator_dev *regulator_dev_lookup(struct device *dev, + node = of_get_regulator(dev, supply); + if (node) { + r = of_find_regulator_by_node(node); ++ of_node_put(node); + if (r) + return r; + +-- +2.35.1 + diff --git a/queue-5.4/regulator-core-fix-use_count-leakage-when-handling-b.patch b/queue-5.4/regulator-core-fix-use_count-leakage-when-handling-b.patch new file mode 100644 index 00000000000..c13a67d7743 --- /dev/null +++ b/queue-5.4/regulator-core-fix-use_count-leakage-when-handling-b.patch 
@@ -0,0 +1,62 @@ +From e59c5cf1b56d040d448d1409894048d5ef0d187c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 11:38:06 +0800 +Subject: regulator: core: fix use_count leakage when handling boot-on +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rui Zhang + +[ Upstream commit 0591b14ce0398125439c759f889647369aa616a0 ] + +I found a use_count leakage towards supply regulator of rdev with +boot-on option. + +┌───────────────────┐ ┌───────────────────┐ +│ regulator_dev A │ │ regulator_dev B │ +│ (boot-on) │ │ (boot-on) │ +│ use_count=0 │◀──supply──│ use_count=1 │ +│ │ │ │ +└───────────────────┘ └───────────────────┘ + +In case of rdev(A) configured with `regulator-boot-on', the use_count +of supplying regulator(B) will increment inside +regulator_enable(rdev->supply). + +Thus, B will acts like always-on, and further balanced +regulator_enable/disable cannot actually disable it anymore. + +However, B was also configured with `regulator-boot-on', we wish it +could be disabled afterwards. + +Signed-off-by: Rui Zhang +Link: https://lore.kernel.org/r/20221201033806.2567812-1-zr.zhang@vivo.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 5dd17a341577..f2214e7c75b3 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -1387,7 +1387,13 @@ static int set_machine_constraints(struct regulator_dev *rdev) + if (rdev->supply_name && !rdev->supply) + return -EPROBE_DEFER; + +- if (rdev->supply) { ++ /* If supplying regulator has already been enabled, ++ * it's not intended to have use_count increment ++ * when rdev is only boot-on. 
++ */ ++ if (rdev->supply && ++ (rdev->constraints->always_on || ++ !regulator_is_enabled(rdev->supply))) { + ret = regulator_enable(rdev->supply); + if (ret < 0) { + _regulator_put(rdev->supply); +-- +2.35.1 + diff --git a/queue-5.4/regulator-core-use-kfree_const-to-free-space-conditi.patch b/queue-5.4/regulator-core-use-kfree_const-to-free-space-conditi.patch new file mode 100644 index 00000000000..71d9c4b87d9 --- /dev/null +++ b/queue-5.4/regulator-core-use-kfree_const-to-free-space-conditi.patch @@ -0,0 +1,38 @@ +From 24d045ce5a8eea1fe99f62d45c7659bd5d136079 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 11:46:16 +0800 +Subject: regulator: core: use kfree_const() to free space conditionally + +From: Wang ShaoBo + +[ Upstream commit dc8d006d15b623c1d80b90b45d6dcb6e890dad09 ] + +Use kfree_const() to free supply_name conditionally in create_regulator() +as supply_name may be allocated from kmalloc() or directly from .rodata +section. + +Fixes: 87fe29b61f95 ("regulator: push allocations in create_regulator() outside of lock") +Signed-off-by: Wang ShaoBo +Link: https://lore.kernel.org/r/20221123034616.3609537-1-bobo.shaobowang@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index ee71dcb009bf..9b4783bf63f7 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -1604,7 +1604,7 @@ static struct regulator *create_regulator(struct regulator_dev *rdev, + + regulator = kzalloc(sizeof(*regulator), GFP_KERNEL); + if (regulator == NULL) { +- kfree(supply_name); ++ kfree_const(supply_name); + return NULL; + } + +-- +2.35.1 + diff --git a/queue-5.4/relay-fix-type-mismatch-when-allocating-memory-in-re.patch b/queue-5.4/relay-fix-type-mismatch-when-allocating-memory-in-re.patch new file mode 100644 index 00000000000..362ae8dbe45 --- /dev/null 
+++ b/queue-5.4/relay-fix-type-mismatch-when-allocating-memory-in-re.patch @@ -0,0 +1,49 @@ +From 67be3624d18e59ae9668d17e25d1d2579af0d84d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Nov 2022 09:23:38 +0000 +Subject: relay: fix type mismatch when allocating memory in relay_create_buf() + +From: Gavrilov Ilia + +[ Upstream commit 4d8586e04602fe42f0a782d2005956f8b6302678 ] + +The 'padding' field of the 'rchan_buf' structure is an array of 'size_t' +elements, but the memory is allocated for an array of 'size_t *' elements. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Link: https://lkml.kernel.org/r/20221129092002.3538384-1-Ilia.Gavrilov@infotecs.ru +Fixes: b86ff981a825 ("[PATCH] relay: migrate from relayfs to a generic relay API") +Signed-off-by: Ilia.Gavrilov +Cc: Colin Ian King +Cc: Jens Axboe +Cc: wuchi +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/relay.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/relay.c b/kernel/relay.c +index d3940becf2fc..9b1cfcd8dc6b 100644 +--- a/kernel/relay.c ++++ b/kernel/relay.c +@@ -163,13 +163,13 @@ static struct rchan_buf *relay_create_buf(struct rchan *chan) + { + struct rchan_buf *buf; + +- if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *)) ++ if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t)) + return NULL; + + buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL); + if (!buf) + return NULL; +- buf->padding = kmalloc_array(chan->n_subbufs, sizeof(size_t *), ++ buf->padding = kmalloc_array(chan->n_subbufs, sizeof(size_t), + GFP_KERNEL); + if (!buf->padding) + goto free_buf; +-- +2.35.1 + diff --git a/queue-5.4/remoteproc-qcom_q6v5_pas-fix-missing-of_node_put-in-.patch b/queue-5.4/remoteproc-qcom_q6v5_pas-fix-missing-of_node_put-in-.patch new file mode 100644 index 00000000000..3ba3610fa15 --- /dev/null +++ b/queue-5.4/remoteproc-qcom_q6v5_pas-fix-missing-of_node_put-in-.patch 
@@ -0,0 +1,37 @@ +From 7c3e259c8c8cc9c4fa54e13630a54ad0d73b3977 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 07:06:39 +0000 +Subject: remoteproc: qcom_q6v5_pas: Fix missing of_node_put() in + adsp_alloc_memory_region() + +From: Yuan Can + +[ Upstream commit 38e7d9c19276832ebb0277f415b9214bf7baeb37 ] + +The pointer node is returned by of_parse_phandle() with refcount +incremented. We should use of_node_put() on it when done. + +Fixes: b9e718e950c3 ("remoteproc: Introduce Qualcomm ADSP PIL") +Signed-off-by: Yuan Can +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20221203070639.15128-1-yuancan@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/qcom_q6v5_pas.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c +index db4b3c4bacd7..d48f4b5c8df7 100644 +--- a/drivers/remoteproc/qcom_q6v5_pas.c ++++ b/drivers/remoteproc/qcom_q6v5_pas.c +@@ -230,6 +230,7 @@ static int adsp_alloc_memory_region(struct qcom_adsp *adsp) + } + + ret = of_address_to_resource(node, 0, &r); ++ of_node_put(node); + if (ret) + return ret; + +-- +2.35.1 + diff --git a/queue-5.4/remoteproc-sysmon-fix-memory-leak-in-qcom_add_sysmon.patch b/queue-5.4/remoteproc-sysmon-fix-memory-leak-in-qcom_add_sysmon.patch new file mode 100644 index 00000000000..cbe5ee1744b --- /dev/null +++ b/queue-5.4/remoteproc-sysmon-fix-memory-leak-in-qcom_add_sysmon.patch 
@@ -0,0 +1,48 @@ +From a96f4783d04da3e75496bbd16493c42e04182597 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Nov 2022 18:56:50 +0800 +Subject: remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev() + +From: Gaosheng Cui + +[ Upstream commit e01ce676aaef3b13d02343d7e70f9637d93a3367 ] + +The kfree() should be called when of_irq_get_byname() fails or +devm_request_threaded_irq() fails in qcom_add_sysmon_subdev(), +otherwise there will be a memory leak, so add kfree() to fix it. + +Fixes: 027045a6e2b7 ("remoteproc: qcom: Add shutdown-ack irq") +Signed-off-by: Gaosheng Cui +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20221129105650.1539187-1-cuigaosheng1@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/qcom_sysmon.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/remoteproc/qcom_sysmon.c b/drivers/remoteproc/qcom_sysmon.c +index c231314eab66..b7d0c35c5058 100644 +--- a/drivers/remoteproc/qcom_sysmon.c ++++ b/drivers/remoteproc/qcom_sysmon.c +@@ -518,7 +518,9 @@ struct qcom_sysmon *qcom_add_sysmon_subdev(struct rproc *rproc, + if (sysmon->shutdown_irq != -ENODATA) { + dev_err(sysmon->dev, + "failed to retrieve shutdown-ack IRQ\n"); +- return ERR_PTR(sysmon->shutdown_irq); ++ ret = sysmon->shutdown_irq; ++ kfree(sysmon); ++ return ERR_PTR(ret); + } + } else { + ret = devm_request_threaded_irq(sysmon->dev, +@@ -529,6 +531,7 @@ struct qcom_sysmon *qcom_add_sysmon_subdev(struct rproc *rproc, + if (ret) { + dev_err(sysmon->dev, + "failed to acquire shutdown-ack IRQ\n"); ++ kfree(sysmon); + return ERR_PTR(ret); + } + } +-- +2.35.1 + diff --git a/queue-5.4/rtc-cmos-call-cmos_wake_setup-from-cmos_do_probe.patch b/queue-5.4/rtc-cmos-call-cmos_wake_setup-from-cmos_do_probe.patch new file mode 100644 index 00000000000..9c197699178 --- /dev/null +++ b/queue-5.4/rtc-cmos-call-cmos_wake_setup-from-cmos_do_probe.patch 
@@ -0,0 +1,147 @@ +From 6eea237199270a5da9375be969c1296dd7efd68b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 13:07:08 +0100 +Subject: rtc: cmos: Call cmos_wake_setup() from cmos_do_probe() + +From: Rafael J. Wysocki + +[ Upstream commit 508ccdfb86b21da37ad091003a4d4567709d5dfb ] + +Notice that cmos_wake_setup() is the only user of acpi_rtc_info and it +can operate on the cmos_rtc variable directly, so it need not set the +platform_data pointer before cmos_do_probe() is called. Instead, it +can be called by cmos_do_probe() in the case when the platform_data +pointer is not set to implement the default behavior (which is to use +the FADT information as long as ACPI support is enabled). + +Modify the code accordingly. + +While at it, drop a comment that doesn't really match the code it is +supposed to be describing. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Zhang Rui +Tested-by: Zhang Rui +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/4803444.31r3eYUQgx@kreacher +Signed-off-by: Alexandre Belloni +Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal") +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-cmos.c | 47 ++++++++++++++++++++---------------------- + 1 file changed, 22 insertions(+), 25 deletions(-) + +diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c +index 3e9168cfbe5c..fa0098390315 100644 +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -698,6 +698,8 @@ static irqreturn_t cmos_interrupt(int irq, void *p) + return IRQ_NONE; + } + ++static void cmos_wake_setup(struct device *dev); ++ + #ifdef CONFIG_PNP + #define INITSECTION + +@@ -781,19 +783,27 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq) + if (info->address_space) + address_space = info->address_space; + +- if (info->rtc_day_alarm && info->rtc_day_alarm < 128) +- cmos_rtc.day_alrm = info->rtc_day_alarm; +- if (info->rtc_mon_alarm && info->rtc_mon_alarm < 128) +- cmos_rtc.mon_alrm = 
info->rtc_mon_alarm; +- if (info->rtc_century && info->rtc_century < 128) +- cmos_rtc.century = info->rtc_century; ++ cmos_rtc.day_alrm = info->rtc_day_alarm; ++ cmos_rtc.mon_alrm = info->rtc_mon_alarm; ++ cmos_rtc.century = info->rtc_century; + + if (info->wake_on && info->wake_off) { + cmos_rtc.wake_on = info->wake_on; + cmos_rtc.wake_off = info->wake_off; + } ++ } else { ++ cmos_wake_setup(dev); + } + ++ if (cmos_rtc.day_alrm >= 128) ++ cmos_rtc.day_alrm = 0; ++ ++ if (cmos_rtc.mon_alrm >= 128) ++ cmos_rtc.mon_alrm = 0; ++ ++ if (cmos_rtc.century >= 128) ++ cmos_rtc.century = 0; ++ + cmos_rtc.dev = dev; + dev_set_drvdata(dev, &cmos_rtc); + +@@ -1218,13 +1228,6 @@ static void use_acpi_alarm_quirks(void) + static inline void use_acpi_alarm_quirks(void) { } + #endif + +-/* Every ACPI platform has a mc146818 compatible "cmos rtc". Here we find +- * its device node and pass extra config data. This helps its driver use +- * capabilities that the now-obsolete mc146818 didn't have, and informs it +- * that this board's RTC is wakeup-capable (per ACPI spec). +- */ +-static struct cmos_rtc_board_info acpi_rtc_info; +- + static void cmos_wake_setup(struct device *dev) + { + if (acpi_disabled) +@@ -1232,26 +1235,23 @@ static void cmos_wake_setup(struct device *dev) + + use_acpi_alarm_quirks(); + +- acpi_rtc_info.wake_on = rtc_wake_on; +- acpi_rtc_info.wake_off = rtc_wake_off; ++ cmos_rtc.wake_on = rtc_wake_on; ++ cmos_rtc.wake_off = rtc_wake_off; + +- /* workaround bug in some ACPI tables */ ++ /* ACPI tables bug workaround. 
*/ + if (acpi_gbl_FADT.month_alarm && !acpi_gbl_FADT.day_alarm) { + dev_dbg(dev, "bogus FADT month_alarm (%d)\n", + acpi_gbl_FADT.month_alarm); + acpi_gbl_FADT.month_alarm = 0; + } + +- acpi_rtc_info.rtc_day_alarm = acpi_gbl_FADT.day_alarm; +- acpi_rtc_info.rtc_mon_alarm = acpi_gbl_FADT.month_alarm; +- acpi_rtc_info.rtc_century = acpi_gbl_FADT.century; ++ cmos_rtc.day_alrm = acpi_gbl_FADT.day_alarm; ++ cmos_rtc.mon_alrm = acpi_gbl_FADT.month_alarm; ++ cmos_rtc.century = acpi_gbl_FADT.century; + +- /* NOTE: S4_RTC_WAKE is NOT currently useful to Linux */ + if (acpi_gbl_FADT.flags & ACPI_FADT_S4_RTC_WAKE) + dev_info(dev, "RTC can wake from S4\n"); + +- dev->platform_data = &acpi_rtc_info; +- + /* RTC always wakes from S1/S2/S3, and often S4/STD */ + device_init_wakeup(dev, 1); + } +@@ -1302,8 +1302,6 @@ static int cmos_pnp_probe(struct pnp_dev *pnp, const struct pnp_device_id *id) + { + int irq, ret; + +- cmos_wake_setup(&pnp->dev); +- + if (pnp_port_start(pnp, 0) == 0x70 && !pnp_irq_valid(pnp, 0)) { + irq = 0; + #ifdef CONFIG_X86 +@@ -1411,7 +1409,6 @@ static int __init cmos_platform_probe(struct platform_device *pdev) + int irq, ret; + + cmos_of_init(pdev); +- cmos_wake_setup(&pdev->dev); + + if (RTC_IOMAPPED) + resource = platform_get_resource(pdev, IORESOURCE_IO, 0); +-- +2.35.1 + diff --git a/queue-5.4/rtc-cmos-call-rtc_wake_setup-from-cmos_do_probe.patch b/queue-5.4/rtc-cmos-call-rtc_wake_setup-from-cmos_do_probe.patch new file mode 100644 index 00000000000..1f53a165a74 --- /dev/null +++ b/queue-5.4/rtc-cmos-call-rtc_wake_setup-from-cmos_do_probe.patch 
@@ -0,0 +1,103 @@ +From 139b75c7bb068023f0cef78e233d4c42858dcca5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 13:09:07 +0100 +Subject: rtc: cmos: Call rtc_wake_setup() from cmos_do_probe() + +From: Rafael J. Wysocki + +[ Upstream commit 375bbba09692fe4c5218eddee8e312dd733fa846 ] + +To reduce code duplication, move the invocation of rtc_wake_setup() +into cmos_do_probe() and simplify the callers of the latter. + +No intentional functional impact. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Zhang Rui +Tested-by: Zhang Rui +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/2143522.irdbgypaU6@kreacher +Signed-off-by: Alexandre Belloni +Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal") +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-cmos.c | 28 ++++++++++++---------------- + 1 file changed, 12 insertions(+), 16 deletions(-) + +diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c +index fa0098390315..27150d86f5ed 100644 +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -698,6 +698,7 @@ static irqreturn_t cmos_interrupt(int irq, void *p) + return IRQ_NONE; + } + ++static inline void rtc_wake_setup(struct device *dev); + static void cmos_wake_setup(struct device *dev); + + #ifdef CONFIG_PNP +@@ -885,6 +886,13 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq) + if (rtc_nvmem_register(cmos_rtc.rtc, &nvmem_cfg)) + dev_err(dev, "nvmem registration failed\n"); + ++ /* ++ * Everything has gone well so far, so by default register a handler for ++ * the ACPI RTC fixed event. ++ */ ++ if (!info) ++ rtc_wake_setup(dev); ++ + dev_info(dev, "%s%s, %d bytes nvram%s\n", + !is_valid_irq(rtc_irq) ? "no alarms" : + cmos_rtc.mon_alrm ? 
"alarms up to one year" : +@@ -1300,7 +1308,7 @@ static void rtc_wake_setup(struct device *dev) + + static int cmos_pnp_probe(struct pnp_dev *pnp, const struct pnp_device_id *id) + { +- int irq, ret; ++ int irq; + + if (pnp_port_start(pnp, 0) == 0x70 && !pnp_irq_valid(pnp, 0)) { + irq = 0; +@@ -1316,13 +1324,7 @@ static int cmos_pnp_probe(struct pnp_dev *pnp, const struct pnp_device_id *id) + irq = pnp_irq(pnp, 0); + } + +- ret = cmos_do_probe(&pnp->dev, pnp_get_resource(pnp, IORESOURCE_IO, 0), irq); +- if (ret) +- return ret; +- +- rtc_wake_setup(&pnp->dev); +- +- return 0; ++ return cmos_do_probe(&pnp->dev, pnp_get_resource(pnp, IORESOURCE_IO, 0), irq); + } + + static void cmos_pnp_remove(struct pnp_dev *pnp) +@@ -1406,7 +1408,7 @@ static inline void cmos_of_init(struct platform_device *pdev) {} + static int __init cmos_platform_probe(struct platform_device *pdev) + { + struct resource *resource; +- int irq, ret; ++ int irq; + + cmos_of_init(pdev); + +@@ -1418,13 +1420,7 @@ static int __init cmos_platform_probe(struct platform_device *pdev) + if (irq < 0) + irq = -1; + +- ret = cmos_do_probe(&pdev->dev, resource, irq); +- if (ret) +- return ret; +- +- rtc_wake_setup(&pdev->dev); +- +- return 0; ++ return cmos_do_probe(&pdev->dev, resource, irq); + } + + static int cmos_platform_remove(struct platform_device *pdev) +-- +2.35.1 + diff --git a/queue-5.4/rtc-cmos-disable-acpi-rtc-event-on-removal.patch b/queue-5.4/rtc-cmos-disable-acpi-rtc-event-on-removal.patch new file mode 100644 index 00000000000..3a25df8abd5 --- /dev/null +++ b/queue-5.4/rtc-cmos-disable-acpi-rtc-event-on-removal.patch 
@@ -0,0 +1,68 @@ +From 206c1090d35d5c5f0e864b6d690149560273c0ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 13:15:36 +0100 +Subject: rtc: cmos: Disable ACPI RTC event on removal + +From: Rafael J. Wysocki + +[ Upstream commit 83ebb7b3036d151ee39a4a752018665648fc3bd4 ] + +Make cmos_do_remove() drop the ACPI RTC fixed event handler so as to +prevent it from operating on stale data in case the event triggers +after driver removal. + +Fixes: 311ee9c151ad ("rtc: cmos: allow using ACPI for RTC alarm instead of HPET") +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Zhang Rui +Tested-by: Zhang Rui +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/2224609.iZASKD2KPV@kreacher +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-cmos.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c +index 203f41afe8c1..636d6ef45481 100644 +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -752,6 +752,14 @@ static void acpi_rtc_event_setup(struct device *dev) + acpi_disable_event(ACPI_EVENT_RTC, 0); + } + ++static void acpi_rtc_event_cleanup(void) ++{ ++ if (acpi_disabled) ++ return; ++ ++ acpi_remove_fixed_event_handler(ACPI_EVENT_RTC, rtc_handler); ++} ++ + static void rtc_wake_on(struct device *dev) + { + acpi_clear_event(ACPI_EVENT_RTC); +@@ -838,6 +846,10 @@ static inline void acpi_rtc_event_setup(struct device *dev) + { + } + ++static inline void acpi_rtc_event_cleanup(void) ++{ ++} ++ + static inline void acpi_cmos_wake_setup(struct device *dev) + { + } +@@ -1085,6 +1097,9 @@ static void cmos_do_remove(struct device *dev) + hpet_unregister_irq_handler(cmos_interrupt); + } + ++ if (!dev_get_platdata(dev)) ++ acpi_rtc_event_cleanup(); ++ + cmos->rtc = NULL; + + ports = cmos->iomem; +-- +2.35.1 + 
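Review bot: in the new acpi_rtc_event_cleanup(), the acpi_status returned by acpi_remove_fixed_event_handler(ACPI_EVENT_RTC, rtc_handler) is discarded, so a failed removal is silent and the handler stays registered after cmos_do_remove() has finished, which is the stale-data case the commit message sets out to close. Suggest testing the result with ACPI_FAILURE() and at least logging it; passing dev into the helper would allow a dev_warn() here. Separately, the `if (!dev_get_platdata(dev))` guard added to cmos_do_remove() carries no comment; one line stating which probe-time condition it pairs with would keep the install and remove sides from drifting apart.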
diff --git a/queue-5.4/rtc-cmos-eliminate-forward-declarations-of-some-func.patch b/queue-5.4/rtc-cmos-eliminate-forward-declarations-of-some-func.patch new file mode 100644 index 00000000000..56afe041f54 --- /dev/null +++ b/queue-5.4/rtc-cmos-eliminate-forward-declarations-of-some-func.patch 
@@ -0,0 +1,362 @@ +From 5791c7bcd6b741cb574e145f02b48952d3e5310d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 13:09:32 +0100 +Subject: rtc: cmos: Eliminate forward declarations of some functions + +From: Rafael J. Wysocki + +[ Upstream commit dca4d3b71c8a09a16951add656711fbd6f5bfbb0 ] + +Reorder the ACPI-related code before cmos_do_probe() so as to eliminate +excessive forward declarations of some functions. + +While at it, for consistency, add the inline modifier to the +definitions of empty stub static funtions and remove it from the +corresponding definitions of functions with non-empty bodies. + +No intentional functional impact. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Zhang Rui +Tested-by: Zhang Rui +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/13157911.uLZWGnKmhe@kreacher +Signed-off-by: Alexandre Belloni +Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal") +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-cmos.c | 304 ++++++++++++++++++++--------------------- + 1 file changed, 149 insertions(+), 155 deletions(-) + +diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c +index 27150d86f5ed..bc8f65014025 100644 +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -698,8 +698,155 @@ static irqreturn_t cmos_interrupt(int irq, void *p) + return IRQ_NONE; + } + +-static inline void rtc_wake_setup(struct device *dev); +-static void cmos_wake_setup(struct device *dev); ++#ifdef CONFIG_ACPI ++ ++#include ++ ++static u32 rtc_handler(void *context) ++{ ++ struct device *dev = context; ++ struct cmos_rtc *cmos = dev_get_drvdata(dev); ++ unsigned char rtc_control = 0; ++ unsigned char rtc_intr; ++ unsigned long flags; ++ ++ ++ /* ++ * Always update rtc irq when ACPI is used as RTC Alarm. ++ * Or else, ACPI SCI is enabled during suspend/resume only, ++ * update rtc irq in that case. 
++ */ ++ if (cmos_use_acpi_alarm()) ++ cmos_interrupt(0, (void *)cmos->rtc); ++ else { ++ /* Fix me: can we use cmos_interrupt() here as well? */ ++ spin_lock_irqsave(&rtc_lock, flags); ++ if (cmos_rtc.suspend_ctrl) ++ rtc_control = CMOS_READ(RTC_CONTROL); ++ if (rtc_control & RTC_AIE) { ++ cmos_rtc.suspend_ctrl &= ~RTC_AIE; ++ CMOS_WRITE(rtc_control, RTC_CONTROL); ++ rtc_intr = CMOS_READ(RTC_INTR_FLAGS); ++ rtc_update_irq(cmos->rtc, 1, rtc_intr); ++ } ++ spin_unlock_irqrestore(&rtc_lock, flags); ++ } ++ ++ pm_wakeup_hard_event(dev); ++ acpi_clear_event(ACPI_EVENT_RTC); ++ acpi_disable_event(ACPI_EVENT_RTC, 0); ++ return ACPI_INTERRUPT_HANDLED; ++} ++ ++static void rtc_wake_setup(struct device *dev) ++{ ++ if (acpi_disabled) ++ return; ++ ++ acpi_install_fixed_event_handler(ACPI_EVENT_RTC, rtc_handler, dev); ++ /* ++ * After the RTC handler is installed, the Fixed_RTC event should ++ * be disabled. Only when the RTC alarm is set will it be enabled. ++ */ ++ acpi_clear_event(ACPI_EVENT_RTC); ++ acpi_disable_event(ACPI_EVENT_RTC, 0); ++} ++ ++static void rtc_wake_on(struct device *dev) ++{ ++ acpi_clear_event(ACPI_EVENT_RTC); ++ acpi_enable_event(ACPI_EVENT_RTC, 0); ++} ++ ++static void rtc_wake_off(struct device *dev) ++{ ++ acpi_disable_event(ACPI_EVENT_RTC, 0); ++} ++ ++#ifdef CONFIG_X86 ++/* Enable use_acpi_alarm mode for Intel platforms no earlier than 2015 */ ++static void use_acpi_alarm_quirks(void) ++{ ++ if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) ++ return; ++ ++ if (!is_hpet_enabled()) ++ return; ++ ++ if (dmi_get_bios_year() < 2015) ++ return; ++ ++ use_acpi_alarm = true; ++} ++#else ++static inline void use_acpi_alarm_quirks(void) { } ++#endif ++ ++static void cmos_wake_setup(struct device *dev) ++{ ++ if (acpi_disabled) ++ return; ++ ++ use_acpi_alarm_quirks(); ++ ++ cmos_rtc.wake_on = rtc_wake_on; ++ cmos_rtc.wake_off = rtc_wake_off; ++ ++ /* ACPI tables bug workaround. 
*/ ++ if (acpi_gbl_FADT.month_alarm && !acpi_gbl_FADT.day_alarm) { ++ dev_dbg(dev, "bogus FADT month_alarm (%d)\n", ++ acpi_gbl_FADT.month_alarm); ++ acpi_gbl_FADT.month_alarm = 0; ++ } ++ ++ cmos_rtc.day_alrm = acpi_gbl_FADT.day_alarm; ++ cmos_rtc.mon_alrm = acpi_gbl_FADT.month_alarm; ++ cmos_rtc.century = acpi_gbl_FADT.century; ++ ++ if (acpi_gbl_FADT.flags & ACPI_FADT_S4_RTC_WAKE) ++ dev_info(dev, "RTC can wake from S4\n"); ++ ++ /* RTC always wakes from S1/S2/S3, and often S4/STD */ ++ device_init_wakeup(dev, 1); ++} ++ ++static void cmos_check_acpi_rtc_status(struct device *dev, ++ unsigned char *rtc_control) ++{ ++ struct cmos_rtc *cmos = dev_get_drvdata(dev); ++ acpi_event_status rtc_status; ++ acpi_status status; ++ ++ if (acpi_gbl_FADT.flags & ACPI_FADT_FIXED_RTC) ++ return; ++ ++ status = acpi_get_event_status(ACPI_EVENT_RTC, &rtc_status); ++ if (ACPI_FAILURE(status)) { ++ dev_err(dev, "Could not get RTC status\n"); ++ } else if (rtc_status & ACPI_EVENT_FLAG_SET) { ++ unsigned char mask; ++ *rtc_control &= ~RTC_AIE; ++ CMOS_WRITE(*rtc_control, RTC_CONTROL); ++ mask = CMOS_READ(RTC_INTR_FLAGS); ++ rtc_update_irq(cmos->rtc, 1, mask); ++ } ++} ++ ++#else /* !CONFIG_ACPI */ ++ ++static inline void rtc_wake_setup(struct device *dev) ++{ ++} ++ ++static inline void cmos_wake_setup(struct device *dev) ++{ ++} ++ ++static inline void cmos_check_acpi_rtc_status(struct device *dev, ++ unsigned char *rtc_control) ++{ ++} ++#endif /* CONFIG_ACPI */ + + #ifdef CONFIG_PNP + #define INITSECTION +@@ -1083,9 +1230,6 @@ static void cmos_check_wkalrm(struct device *dev) + } + } + +-static void cmos_check_acpi_rtc_status(struct device *dev, +- unsigned char *rtc_control); +- + static int __maybe_unused cmos_resume(struct device *dev) + { + struct cmos_rtc *cmos = dev_get_drvdata(dev); +@@ -1152,156 +1296,6 @@ static SIMPLE_DEV_PM_OPS(cmos_pm_ops, cmos_suspend, cmos_resume); + * predate even PNPBIOS should set up platform_bus devices. 
+ */ + +-#ifdef CONFIG_ACPI +- +-#include +- +-static u32 rtc_handler(void *context) +-{ +- struct device *dev = context; +- struct cmos_rtc *cmos = dev_get_drvdata(dev); +- unsigned char rtc_control = 0; +- unsigned char rtc_intr; +- unsigned long flags; +- +- +- /* +- * Always update rtc irq when ACPI is used as RTC Alarm. +- * Or else, ACPI SCI is enabled during suspend/resume only, +- * update rtc irq in that case. +- */ +- if (cmos_use_acpi_alarm()) +- cmos_interrupt(0, (void *)cmos->rtc); +- else { +- /* Fix me: can we use cmos_interrupt() here as well? */ +- spin_lock_irqsave(&rtc_lock, flags); +- if (cmos_rtc.suspend_ctrl) +- rtc_control = CMOS_READ(RTC_CONTROL); +- if (rtc_control & RTC_AIE) { +- cmos_rtc.suspend_ctrl &= ~RTC_AIE; +- CMOS_WRITE(rtc_control, RTC_CONTROL); +- rtc_intr = CMOS_READ(RTC_INTR_FLAGS); +- rtc_update_irq(cmos->rtc, 1, rtc_intr); +- } +- spin_unlock_irqrestore(&rtc_lock, flags); +- } +- +- pm_wakeup_hard_event(dev); +- acpi_clear_event(ACPI_EVENT_RTC); +- acpi_disable_event(ACPI_EVENT_RTC, 0); +- return ACPI_INTERRUPT_HANDLED; +-} +- +-static inline void rtc_wake_setup(struct device *dev) +-{ +- if (acpi_disabled) +- return; +- +- acpi_install_fixed_event_handler(ACPI_EVENT_RTC, rtc_handler, dev); +- /* +- * After the RTC handler is installed, the Fixed_RTC event should +- * be disabled. Only when the RTC alarm is set will it be enabled. 
+- */ +- acpi_clear_event(ACPI_EVENT_RTC); +- acpi_disable_event(ACPI_EVENT_RTC, 0); +-} +- +-static void rtc_wake_on(struct device *dev) +-{ +- acpi_clear_event(ACPI_EVENT_RTC); +- acpi_enable_event(ACPI_EVENT_RTC, 0); +-} +- +-static void rtc_wake_off(struct device *dev) +-{ +- acpi_disable_event(ACPI_EVENT_RTC, 0); +-} +- +-#ifdef CONFIG_X86 +-/* Enable use_acpi_alarm mode for Intel platforms no earlier than 2015 */ +-static void use_acpi_alarm_quirks(void) +-{ +- if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) +- return; +- +- if (!is_hpet_enabled()) +- return; +- +- if (dmi_get_bios_year() < 2015) +- return; +- +- use_acpi_alarm = true; +-} +-#else +-static inline void use_acpi_alarm_quirks(void) { } +-#endif +- +-static void cmos_wake_setup(struct device *dev) +-{ +- if (acpi_disabled) +- return; +- +- use_acpi_alarm_quirks(); +- +- cmos_rtc.wake_on = rtc_wake_on; +- cmos_rtc.wake_off = rtc_wake_off; +- +- /* ACPI tables bug workaround. */ +- if (acpi_gbl_FADT.month_alarm && !acpi_gbl_FADT.day_alarm) { +- dev_dbg(dev, "bogus FADT month_alarm (%d)\n", +- acpi_gbl_FADT.month_alarm); +- acpi_gbl_FADT.month_alarm = 0; +- } +- +- cmos_rtc.day_alrm = acpi_gbl_FADT.day_alarm; +- cmos_rtc.mon_alrm = acpi_gbl_FADT.month_alarm; +- cmos_rtc.century = acpi_gbl_FADT.century; +- +- if (acpi_gbl_FADT.flags & ACPI_FADT_S4_RTC_WAKE) +- dev_info(dev, "RTC can wake from S4\n"); +- +- /* RTC always wakes from S1/S2/S3, and often S4/STD */ +- device_init_wakeup(dev, 1); +-} +- +-static void cmos_check_acpi_rtc_status(struct device *dev, +- unsigned char *rtc_control) +-{ +- struct cmos_rtc *cmos = dev_get_drvdata(dev); +- acpi_event_status rtc_status; +- acpi_status status; +- +- if (acpi_gbl_FADT.flags & ACPI_FADT_FIXED_RTC) +- return; +- +- status = acpi_get_event_status(ACPI_EVENT_RTC, &rtc_status); +- if (ACPI_FAILURE(status)) { +- dev_err(dev, "Could not get RTC status\n"); +- } else if (rtc_status & ACPI_EVENT_FLAG_SET) { +- unsigned char mask; +- *rtc_control &= 
~RTC_AIE; +- CMOS_WRITE(*rtc_control, RTC_CONTROL); +- mask = CMOS_READ(RTC_INTR_FLAGS); +- rtc_update_irq(cmos->rtc, 1, mask); +- } +-} +- +-#else +- +-static void cmos_wake_setup(struct device *dev) +-{ +-} +- +-static void cmos_check_acpi_rtc_status(struct device *dev, +- unsigned char *rtc_control) +-{ +-} +- +-static void rtc_wake_setup(struct device *dev) +-{ +-} +-#endif +- + #ifdef CONFIG_PNP + + #include +-- +2.35.1 + diff --git a/queue-5.4/rtc-cmos-fix-build-on-non-acpi-platforms.patch b/queue-5.4/rtc-cmos-fix-build-on-non-acpi-platforms.patch new file mode 100644 index 00000000000..345eb58a612 --- /dev/null +++ b/queue-5.4/rtc-cmos-fix-build-on-non-acpi-platforms.patch @@ -0,0 +1,38 @@ +From 23376b7e939681259de40cc0972aeb24db288fbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 22:35:11 +0200 +Subject: rtc: cmos: fix build on non-ACPI platforms + +From: Alexandre Belloni + +[ Upstream commit db4e955ae333567dea02822624106c0b96a2f84f ] + +Now that rtc_wake_setup is called outside of cmos_wake_setup, it also need +to be defined on non-ACPI platforms. + +Reported-by: kernel test robot +Link: https://lore.kernel.org/r/20221018203512.2532407-1-alexandre.belloni@bootlin.com +Signed-off-by: Alexandre Belloni +Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal") +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-cmos.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c +index e5f752ce28f9..3e9168cfbe5c 100644 +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -1289,6 +1289,9 @@ static void cmos_check_acpi_rtc_status(struct device *dev, + { + } + ++static void rtc_wake_setup(struct device *dev) ++{ ++} + #endif + + #ifdef CONFIG_PNP +-- +2.35.1 + diff --git a/queue-5.4/rtc-cmos-fix-event-handler-registration-ordering-iss.patch b/queue-5.4/rtc-cmos-fix-event-handler-registration-ordering-iss.patch new file mode 100644 index 00000000000..023d1fc0e22 
--- /dev/null +++ b/queue-5.4/rtc-cmos-fix-event-handler-registration-ordering-iss.patch 
@@ -0,0 +1,124 @@ +From 1d849e6cf7ad36abc5669345ba6982289bff2321 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Oct 2022 20:07:01 +0200 +Subject: rtc: cmos: Fix event handler registration ordering issue + +From: Rafael J. Wysocki + +[ Upstream commit 4919d3eb2ec0ee364f7e3cf2d99646c1b224fae8 ] + +Because acpi_install_fixed_event_handler() enables the event +automatically on success, it is incorrect to call it before the +handler routine passed to it is ready to handle events. + +Unfortunately, the rtc-cmos driver does exactly the incorrect thing +by calling cmos_wake_setup(), which passes rtc_handler() to +acpi_install_fixed_event_handler(), before cmos_do_probe(), because +rtc_handler() uses dev_get_drvdata() to get to the cmos object +pointer and the driver data pointer is only populated in +cmos_do_probe(). + +This leads to a NULL pointer dereference in rtc_handler() on boot +if the RTC fixed event happens to be active at the init time. + +To address this issue, change the initialization ordering of the +driver so that cmos_wake_setup() is always called after a successful +cmos_do_probe() call. + +While at it, change cmos_pnp_probe() to call cmos_do_probe() after +the initial if () statement used for computing the IRQ argument to +be passed to cmos_do_probe() which is cleaner than calling it in +each branch of that if () (local variable "irq" can be of type int, +because it is passed to that function as an argument of type int). + +Note that commit 6492fed7d8c9 ("rtc: rtc-cmos: Do not check +ACPI_FADT_LOW_POWER_S0") caused this issue to affect a larger number +of systems, because previously it only affected systems with +ACPI_FADT_LOW_POWER_S0 set, but it is present regardless of that +commit. 
+ +Fixes: 6492fed7d8c9 ("rtc: rtc-cmos: Do not check ACPI_FADT_LOW_POWER_S0") +Fixes: a474aaedac99 ("rtc-cmos: move wake setup from ACPI glue into RTC driver") +Link: https://lore.kernel.org/linux-acpi/20221010141630.zfzi7mk7zvnmclzy@techsingularity.net/ +Reported-by: Mel Gorman +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Bjorn Helgaas +Tested-by: Mel Gorman +Link: https://lore.kernel.org/r/5629262.DvuYhMxLoT@kreacher +Signed-off-by: Alexandre Belloni +Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal") +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-cmos.c | 29 +++++++++++++++++++---------- + 1 file changed, 19 insertions(+), 10 deletions(-) + +diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c +index 398b4fb8d934..5ba7de382ab2 100644 +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -1295,10 +1295,10 @@ static void cmos_check_acpi_rtc_status(struct device *dev, + + static int cmos_pnp_probe(struct pnp_dev *pnp, const struct pnp_device_id *id) + { +- cmos_wake_setup(&pnp->dev); ++ int irq, ret; + + if (pnp_port_start(pnp, 0) == 0x70 && !pnp_irq_valid(pnp, 0)) { +- unsigned int irq = 0; ++ irq = 0; + #ifdef CONFIG_X86 + /* Some machines contain a PNP entry for the RTC, but + * don't define the IRQ. 
It should always be safe to +@@ -1307,13 +1307,17 @@ static int cmos_pnp_probe(struct pnp_dev *pnp, const struct pnp_device_id *id) + if (nr_legacy_irqs()) + irq = 8; + #endif +- return cmos_do_probe(&pnp->dev, +- pnp_get_resource(pnp, IORESOURCE_IO, 0), irq); + } else { +- return cmos_do_probe(&pnp->dev, +- pnp_get_resource(pnp, IORESOURCE_IO, 0), +- pnp_irq(pnp, 0)); ++ irq = pnp_irq(pnp, 0); + } ++ ++ ret = cmos_do_probe(&pnp->dev, pnp_get_resource(pnp, IORESOURCE_IO, 0), irq); ++ if (ret) ++ return ret; ++ ++ cmos_wake_setup(&pnp->dev); ++ ++ return 0; + } + + static void cmos_pnp_remove(struct pnp_dev *pnp) +@@ -1397,10 +1401,9 @@ static inline void cmos_of_init(struct platform_device *pdev) {} + static int __init cmos_platform_probe(struct platform_device *pdev) + { + struct resource *resource; +- int irq; ++ int irq, ret; + + cmos_of_init(pdev); +- cmos_wake_setup(&pdev->dev); + + if (RTC_IOMAPPED) + resource = platform_get_resource(pdev, IORESOURCE_IO, 0); +@@ -1410,7 +1413,13 @@ static int __init cmos_platform_probe(struct platform_device *pdev) + if (irq < 0) + irq = -1; + +- return cmos_do_probe(&pdev->dev, resource, irq); ++ ret = cmos_do_probe(&pdev->dev, resource, irq); ++ if (ret) ++ return ret; ++ ++ cmos_wake_setup(&pdev->dev); ++ ++ return 0; + } + + static int cmos_platform_remove(struct platform_device *pdev) +-- +2.35.1 + diff --git a/queue-5.4/rtc-cmos-fix-wake-alarm-breakage.patch b/queue-5.4/rtc-cmos-fix-wake-alarm-breakage.patch new file mode 100644 index 00000000000..5cb4944f55f --- /dev/null +++ b/queue-5.4/rtc-cmos-fix-wake-alarm-breakage.patch 
@@ -0,0 +1,92 @@ +From 9d26123b8f35fea9f3dc945a5df9966b34c1030c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 18:09:31 +0200 +Subject: rtc: cmos: Fix wake alarm breakage + +From: Rafael J. Wysocki + +[ Upstream commit 0782b66ed2fbb035dda76111df0954515e417b24 ] + +Commit 4919d3eb2ec0 ("rtc: cmos: Fix event handler registration +ordering issue") overlooked the fact that cmos_do_probe() depended +on the preparations carried out by cmos_wake_setup() and the wake +alarm stopped working after the ordering of them had been changed. + +Address this by partially reverting commit 4919d3eb2ec0 so that +cmos_wake_setup() is called before cmos_do_probe() again and moving +the rtc_wake_setup() invocation from cmos_wake_setup() directly to the +callers of cmos_do_probe() where it will happen after a successful +completion of the latter. + +Fixes: 4919d3eb2ec0 ("rtc: cmos: Fix event handler registration ordering issue") +Reported-by: Zhang Rui +Reported-by: Todd Brandt +Signed-off-by: Rafael J. 
Wysocki +Link: https://lore.kernel.org/r/5887691.lOV4Wx5bFT@kreacher +Signed-off-by: Alexandre Belloni +Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal") +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-cmos.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c +index 5ba7de382ab2..e5f752ce28f9 100644 +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -1176,6 +1176,9 @@ static u32 rtc_handler(void *context) + + static inline void rtc_wake_setup(struct device *dev) + { ++ if (acpi_disabled) ++ return; ++ + acpi_install_fixed_event_handler(ACPI_EVENT_RTC, rtc_handler, dev); + /* + * After the RTC handler is installed, the Fixed_RTC event should +@@ -1229,7 +1232,6 @@ static void cmos_wake_setup(struct device *dev) + + use_acpi_alarm_quirks(); + +- rtc_wake_setup(dev); + acpi_rtc_info.wake_on = rtc_wake_on; + acpi_rtc_info.wake_off = rtc_wake_off; + +@@ -1297,6 +1299,8 @@ static int cmos_pnp_probe(struct pnp_dev *pnp, const struct pnp_device_id *id) + { + int irq, ret; + ++ cmos_wake_setup(&pnp->dev); ++ + if (pnp_port_start(pnp, 0) == 0x70 && !pnp_irq_valid(pnp, 0)) { + irq = 0; + #ifdef CONFIG_X86 +@@ -1315,7 +1319,7 @@ static int cmos_pnp_probe(struct pnp_dev *pnp, const struct pnp_device_id *id) + if (ret) + return ret; + +- cmos_wake_setup(&pnp->dev); ++ rtc_wake_setup(&pnp->dev); + + return 0; + } +@@ -1404,6 +1408,7 @@ static int __init cmos_platform_probe(struct platform_device *pdev) + int irq, ret; + + cmos_of_init(pdev); ++ cmos_wake_setup(&pdev->dev); + + if (RTC_IOMAPPED) + resource = platform_get_resource(pdev, IORESOURCE_IO, 0); +@@ -1417,7 +1422,7 @@ static int __init cmos_platform_probe(struct platform_device *pdev) + if (ret) + return ret; + +- cmos_wake_setup(&pdev->dev); ++ rtc_wake_setup(&pdev->dev); + + return 0; + } +-- +2.35.1 + 
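Review bot: the ordering this patch depends on is not written down anywhere in the code: in both cmos_pnp_probe() and cmos_platform_probe(), cmos_wake_setup() has to run before cmos_do_probe() and rtc_wake_setup() only after cmos_do_probe() has returned 0. The commit message says the previous fix broke exactly this, so a short comment at the two call sites (or above rtc_wake_setup()) stating why each call sits where it does would guard against a repeat. It is also worth confirming that the `if (ret) return ret;` path is fine with cmos_wake_setup() having already run, since nothing in these hunks undoes it when cmos_do_probe() fails.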
diff --git a/queue-5.4/rtc-cmos-refactor-code-by-using-the-new-dmi_get_bios.patch b/queue-5.4/rtc-cmos-refactor-code-by-using-the-new-dmi_get_bios.patch new file mode 100644 index 00000000000..58444d57542 --- /dev/null +++ b/queue-5.4/rtc-cmos-refactor-code-by-using-the-new-dmi_get_bios.patch 
@@ -0,0 +1,55 @@ +From 580ea6ef977ad83e0e2e37db9dc68b9ed4d6f534 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2020 15:14:37 +0200 +Subject: rtc: cmos: Refactor code by using the new dmi_get_bios_year() helper + +From: Andy Shevchenko + +[ Upstream commit 604c521259c8051b7607c000eda7938f7a705d92 ] + +Refactor code by using the new dmi_get_bios_year() helper instead of +open coding its functionality. This also makes logic slightly clearer. + +No changes intended. + +Cc: Hans de Goede +Signed-off-by: Andy Shevchenko +Tested-by: Guilherme G. Piccoli +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20200123131437.28157-3-andriy.shevchenko@linux.intel.com +Signed-off-by: Alexandre Belloni +Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal") +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-cmos.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c +index c0dc03ffa817..60271ea2a28d 100644 +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -1200,8 +1200,6 @@ static void rtc_wake_off(struct device *dev) + /* Enable use_acpi_alarm mode for Intel platforms no earlier than 2015 */ + static void use_acpi_alarm_quirks(void) + { +- int year; +- + if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) + return; + +@@ -1211,8 +1209,10 @@ static void use_acpi_alarm_quirks(void) + if (!is_hpet_enabled()) + return; + +- if (dmi_get_date(DMI_BIOS_DATE, &year, NULL, NULL) && year >= 2015) +- use_acpi_alarm = true; ++ if (dmi_get_bios_year() < 2015) ++ return; ++ ++ use_acpi_alarm = true; + } + #else + static inline void use_acpi_alarm_quirks(void) { } +-- +2.35.1 + diff --git a/queue-5.4/rtc-cmos-rename-acpi-related-functions.patch b/queue-5.4/rtc-cmos-rename-acpi-related-functions.patch new file mode 100644 index 00000000000..56569aea115 --- /dev/null +++ b/queue-5.4/rtc-cmos-rename-acpi-related-functions.patch 
@@ -0,0 +1,87 @@ +From 1eda1ed7aed77f58f5b1a3eb18ba1037a1800e8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 13:12:00 +0100 +Subject: rtc: cmos: Rename ACPI-related functions + +From: Rafael J. Wysocki + +[ Upstream commit d13e9ad9f5146f066a5c5a1cc993d09e4fb21ead ] + +The names of rtc_wake_setup() and cmos_wake_setup() don't indicate +that these functions are ACPI-related, which is the case, and the +former doesn't really reflect the role of the function. + +Rename them to acpi_rtc_event_setup() and acpi_cmos_wake_setup(), +respectively, to address this shortcoming. + +No intentional functional impact. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Zhang Rui +Tested-by: Zhang Rui +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/3225614.44csPzL39Z@kreacher +Signed-off-by: Alexandre Belloni +Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal") +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-cmos.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c +index bc8f65014025..203f41afe8c1 100644 +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -738,7 +738,7 @@ static u32 rtc_handler(void *context) + return ACPI_INTERRUPT_HANDLED; + } + +-static void rtc_wake_setup(struct device *dev) ++static void acpi_rtc_event_setup(struct device *dev) + { + if (acpi_disabled) + return; +@@ -782,7 +782,7 @@ static void use_acpi_alarm_quirks(void) + static inline void use_acpi_alarm_quirks(void) { } + #endif + +-static void cmos_wake_setup(struct device *dev) ++static void acpi_cmos_wake_setup(struct device *dev) + { + if (acpi_disabled) + return; +@@ -834,11 +834,11 @@ static void cmos_check_acpi_rtc_status(struct device *dev, + + #else /* !CONFIG_ACPI */ + +-static inline void rtc_wake_setup(struct device *dev) ++static inline void acpi_rtc_event_setup(struct device *dev) + { + } + +-static inline void cmos_wake_setup(struct 
device *dev) ++static inline void acpi_cmos_wake_setup(struct device *dev) + { + } + +@@ -940,7 +940,7 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq) + cmos_rtc.wake_off = info->wake_off; + } + } else { +- cmos_wake_setup(dev); ++ acpi_cmos_wake_setup(dev); + } + + if (cmos_rtc.day_alrm >= 128) +@@ -1038,7 +1038,7 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq) + * the ACPI RTC fixed event. + */ + if (!info) +- rtc_wake_setup(dev); ++ acpi_rtc_event_setup(dev); + + dev_info(dev, "%s%s, %d bytes nvram%s\n", + !is_valid_irq(rtc_irq) ? "no alarms" : +-- +2.35.1 + diff --git a/queue-5.4/rtc-mxc_v2-add-missing-clk_disable_unprepare.patch b/queue-5.4/rtc-mxc_v2-add-missing-clk_disable_unprepare.patch new file mode 100644 index 00000000000..1050cb62cbe --- /dev/null +++ b/queue-5.4/rtc-mxc_v2-add-missing-clk_disable_unprepare.patch 
@@ -0,0 +1,40 @@ +From 16d9f6433aa06f3e315b79e82e537236db6b1034 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 16:50:46 +0800 +Subject: rtc: mxc_v2: Add missing clk_disable_unprepare() + +From: GUO Zihua + +[ Upstream commit 55d5a86618d3b1a768bce01882b74cbbd2651975 ] + +The call to clk_disable_unprepare() is left out in the error handling of +devm_rtc_allocate_device. Add it back. + +Fixes: 5490a1e018a4 ("rtc: mxc_v2: fix possible race condition") +Signed-off-by: GUO Zihua +Link: https://lore.kernel.org/r/20221122085046.21689-1-guozihua@huawei.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-mxc_v2.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-mxc_v2.c b/drivers/rtc/rtc-mxc_v2.c +index d349cef09cb7..48595b00ebb3 100644 +--- a/drivers/rtc/rtc-mxc_v2.c ++++ b/drivers/rtc/rtc-mxc_v2.c +@@ -337,8 +337,10 @@ static int mxc_rtc_probe(struct platform_device *pdev) + } + + pdata->rtc = devm_rtc_allocate_device(&pdev->dev); +- if (IS_ERR(pdata->rtc)) ++ if (IS_ERR(pdata->rtc)) { ++ clk_disable_unprepare(pdata->clk); + return PTR_ERR(pdata->rtc); ++ } + + pdata->rtc->ops = &mxc_rtc_ops; + pdata->rtc->range_max = U32_MAX; +-- +2.35.1 + diff --git a/queue-5.4/rtc-pcf85063-fix-reading-alarm.patch b/queue-5.4/rtc-pcf85063-fix-reading-alarm.patch new file mode 100644 index 00000000000..d17bbcfc9b7 --- /dev/null +++ b/queue-5.4/rtc-pcf85063-fix-reading-alarm.patch 
@@ -0,0 +1,46 @@ +From bbb04b9a2a79fe6d6aaefa5b01b9e6cd1942fa87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 09:41:41 +0200 +Subject: rtc: pcf85063: Fix reading alarm + +From: Alexander Stein + +[ Upstream commit a6ceee26fd5ed9b5bd37322b1ca88e4548cee4a3 ] + +If the alarms are disabled the topmost bit (AEN_*) is set in the alarm +registers. This is also interpreted in BCD number leading to this warning: +rtc rtc0: invalid alarm value: 2022-09-21T80:80:80 + +Fix this by masking alarm enabling and reserved bits. + +Fixes: 05cb3a56ee8c ("rtc: pcf85063: add alarm support") +Signed-off-by: Alexander Stein +Link: https://lore.kernel.org/r/20220921074141.3903104-1-alexander.stein@ew.tq-group.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-pcf85063.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c +index 1afa6d9fa9fb..3e7ea5244562 100644 +--- a/drivers/rtc/rtc-pcf85063.c ++++ b/drivers/rtc/rtc-pcf85063.c +@@ -159,10 +159,10 @@ static int pcf85063_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm) + if (ret) + return ret; + +- alrm->time.tm_sec = bcd2bin(buf[0]); +- alrm->time.tm_min = bcd2bin(buf[1]); +- alrm->time.tm_hour = bcd2bin(buf[2]); +- alrm->time.tm_mday = bcd2bin(buf[3]); ++ alrm->time.tm_sec = bcd2bin(buf[0] & 0x7f); ++ alrm->time.tm_min = bcd2bin(buf[1] & 0x7f); ++ alrm->time.tm_hour = bcd2bin(buf[2] & 0x3f); ++ alrm->time.tm_mday = bcd2bin(buf[3] & 0x3f); + + ret = regmap_read(pcf85063->regmap, PCF85063_REG_CTRL2, &val); + if (ret) +-- +2.35.1 + diff --git a/queue-5.4/rtc-pic32-move-devm_rtc_allocate_device-earlier-in-p.patch b/queue-5.4/rtc-pic32-move-devm_rtc_allocate_device-earlier-in-p.patch new file mode 100644 index 00000000000..ecfad1c107a --- /dev/null +++ b/queue-5.4/rtc-pic32-move-devm_rtc_allocate_device-earlier-in-p.patch 
@@ -0,0 +1,52 @@ +From a2bd4fcb1272c3a2f9c11514d09277b3b8630e75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 09:59:53 +0800 +Subject: rtc: pic32: Move devm_rtc_allocate_device earlier in + pic32_rtc_probe() + +From: Gaosheng Cui + +[ Upstream commit 90cd5c88830140c9fade92a8027e0fb2c6e4cc49 ] + +The pic32_rtc_enable(pdata, 0) and clk_disable_unprepare(pdata->clk) +should be called in the error handling of devm_rtc_allocate_device(), +so we should move devm_rtc_allocate_device earlier in pic32_rtc_probe() +to fix it. + +Fixes: 6515e23b9fde ("rtc: pic32: convert to devm_rtc_allocate_device") +Signed-off-by: Gaosheng Cui +Link: https://lore.kernel.org/r/20221123015953.1998521-1-cuigaosheng1@huawei.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-pic32.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/rtc/rtc-pic32.c b/drivers/rtc/rtc-pic32.c +index 17653ed52ebb..40f293621b01 100644 +--- a/drivers/rtc/rtc-pic32.c ++++ b/drivers/rtc/rtc-pic32.c +@@ -326,16 +326,16 @@ static int pic32_rtc_probe(struct platform_device *pdev) + + spin_lock_init(&pdata->alarm_lock); + ++ pdata->rtc = devm_rtc_allocate_device(&pdev->dev); ++ if (IS_ERR(pdata->rtc)) ++ return PTR_ERR(pdata->rtc); ++ + clk_prepare_enable(pdata->clk); + + pic32_rtc_enable(pdata, 1); + + device_init_wakeup(&pdev->dev, 1); + +- pdata->rtc = devm_rtc_allocate_device(&pdev->dev); +- if (IS_ERR(pdata->rtc)) +- return PTR_ERR(pdata->rtc); +- + pdata->rtc->ops = &pic32_rtcops; + pdata->rtc->range_min = RTC_TIMESTAMP_BEGIN_2000; + pdata->rtc->range_max = RTC_TIMESTAMP_END_2099; +-- +2.35.1 + diff --git a/queue-5.4/rtc-rtc-cmos-do-not-check-acpi_fadt_low_power_s0.patch b/queue-5.4/rtc-rtc-cmos-do-not-check-acpi_fadt_low_power_s0.patch new file mode 100644 index 00000000000..a2df349485d --- /dev/null +++ b/queue-5.4/rtc-rtc-cmos-do-not-check-acpi_fadt_low_power_s0.patch 
@@ -0,0 +1,58 @@ +From 3870d76e5891bf7a187273dfb80fb21c6ccb955d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Aug 2022 20:23:59 +0200 +Subject: rtc: rtc-cmos: Do not check ACPI_FADT_LOW_POWER_S0 + +From: Rafael J. Wysocki + +[ Upstream commit 6492fed7d8c95f53b0b804ef541324d924d95d41 ] + +The ACPI_FADT_LOW_POWER_S0 flag merely means that it is better to +use low-power S0 idle on the given platform than S3 (provided that +the latter is supported) and it doesn't preclude using either of +them (which of them will be used depends on the choices made by user +space). + +For this reason, there is no benefit from checking that flag in +use_acpi_alarm_quirks(). + +First off, it cannot be a bug to do S3 with use_acpi_alarm set, +because S3 can be used on systems with ACPI_FADT_LOW_POWER_S0 and it +must work if really supported, so the ACPI_FADT_LOW_POWER_S0 check is +not needed to protect the S3-capable systems from failing. + +Second, suspend-to-idle can be carried out on a system with +ACPI_FADT_LOW_POWER_S0 unset and it is expected to work, so if setting +use_acpi_alarm is needed to handle that case correctly, it should be +set regardless of the ACPI_FADT_LOW_POWER_S0 value. + +Accordingly, drop the ACPI_FADT_LOW_POWER_S0 check from +use_acpi_alarm_quirks(). + +Signed-off-by: Rafael J. 
Wysocki +Reviewed-by: Mario Limonciello +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/12054246.O9o76ZdvQC@kreacher +Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal") +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-cmos.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c +index 60271ea2a28d..398b4fb8d934 100644 +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -1203,9 +1203,6 @@ static void use_acpi_alarm_quirks(void) + if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) + return; + +- if (!(acpi_gbl_FADT.flags & ACPI_FADT_LOW_POWER_S0)) +- return; +- + if (!is_hpet_enabled()) + return; + +-- +2.35.1 + diff --git a/queue-5.4/rtc-snvs-allow-a-time-difference-on-clock-register-r.patch b/queue-5.4/rtc-snvs-allow-a-time-difference-on-clock-register-r.patch new file mode 100644 index 00000000000..b32061cb596 --- /dev/null +++ b/queue-5.4/rtc-snvs-allow-a-time-difference-on-clock-register-r.patch 
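Review bot: dropping the `ACPI_FADT_LOW_POWER_S0` test in use_acpi_alarm_quirks() is a behaviour change rather than a fix on its own, and it is queued here only through the Stable-dep-of tag for 83ebb7b3036d. With the test gone, the checks left in the visible context are the Intel vendor test and `is_hpet_enabled()`, so the rest of the quirk logic now also runs on systems that do not set the flag. Confirm that the dependent fix needs this change semantically and not just for patch context; if it is context only, a context-adjusted backport of 83ebb7b3036d would change less on 5.4.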
@@ -0,0 +1,92 @@ +From d7bd4901060550c64588312e4540b259c06a43af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Nov 2022 12:59:15 +0100 +Subject: rtc: snvs: Allow a time difference on clock register read + +From: Stefan Eichenberger + +[ Upstream commit 0462681e207ccc44778a77b3297af728b1cf5b9f ] + +On an iMX6ULL the following message appears when a wakealarm is set: + +echo 0 > /sys/class/rtc/rtc1/wakealarm +rtc rtc1: Timeout trying to get valid LPSRT Counter read + +This does not always happen but is reproducible quite often (7 out of 10 +times). The problem appears because the iMX6ULL is not able to read the +registers within one 32kHz clock cycle which is the base clock of the +RTC. Therefore, this patch allows a difference of up to 320 cycles +(10ms). 10ms was chosen to be big enough even on systems with less cpu +power (e.g. iMX6ULL). According to the reference manual a difference is +fine: +- If the two consecutive reads are similar, the value is correct. +The values have to be similar, not equal. + +Fixes: cd7f3a249dbe ("rtc: snvs: Add timeouts to avoid kernel lockups") +Reviewed-by: Francesco Dolcini +Signed-off-by: Stefan Eichenberger +Signed-off-by: Francesco Dolcini +Link: https://lore.kernel.org/r/20221106115915.7930-1-francesco@dolcini.it +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-snvs.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/rtc/rtc-snvs.c b/drivers/rtc/rtc-snvs.c +index 757f4daa7181..0f1e544ac8db 100644 +--- a/drivers/rtc/rtc-snvs.c ++++ b/drivers/rtc/rtc-snvs.c +@@ -33,6 +33,14 @@ + #define SNVS_LPPGDR_INIT 0x41736166 + #define CNTR_TO_SECS_SH 15 + ++/* The maximum RTC clock cycles that are allowed to pass between two ++ * consecutive clock counter register reads. If the values are corrupted a ++ * bigger difference is expected. The RTC frequency is 32kHz. With 320 cycles ++ * we end at 10ms which should be enough for most cases. 
If it once takes ++ * longer than expected we do a retry. ++ */ ++#define MAX_RTC_READ_DIFF_CYCLES 320 ++ + struct snvs_rtc_data { + struct rtc_device *rtc; + struct regmap *regmap; +@@ -57,6 +65,7 @@ static u64 rtc_read_lpsrt(struct snvs_rtc_data *data) + static u32 rtc_read_lp_counter(struct snvs_rtc_data *data) + { + u64 read1, read2; ++ s64 diff; + unsigned int timeout = 100; + + /* As expected, the registers might update between the read of the LSB +@@ -67,7 +76,8 @@ static u32 rtc_read_lp_counter(struct snvs_rtc_data *data) + do { + read2 = read1; + read1 = rtc_read_lpsrt(data); +- } while (read1 != read2 && --timeout); ++ diff = read1 - read2; ++ } while (((diff < 0) || (diff > MAX_RTC_READ_DIFF_CYCLES)) && --timeout); + if (!timeout) + dev_err(&data->rtc->dev, "Timeout trying to get valid LPSRT Counter read\n"); + +@@ -79,13 +89,15 @@ static u32 rtc_read_lp_counter(struct snvs_rtc_data *data) + static int rtc_read_lp_counter_lsb(struct snvs_rtc_data *data, u32 *lsb) + { + u32 count1, count2; ++ s32 diff; + unsigned int timeout = 100; + + regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &count1); + do { + count2 = count1; + regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &count1); +- } while (count1 != count2 && --timeout); ++ diff = count1 - count2; ++ } while (((diff < 0) || (diff > MAX_RTC_READ_DIFF_CYCLES)) && --timeout); + if (!timeout) { + dev_err(&data->rtc->dev, "Timeout trying to get valid LPSRT Counter read\n"); + return -ETIMEDOUT; +-- +2.35.1 + diff --git a/queue-5.4/rtc-st-lpc-add-missing-clk_disable_unprepare-in-st_r.patch b/queue-5.4/rtc-st-lpc-add-missing-clk_disable_unprepare-in-st_r.patch new file mode 100644 index 00000000000..b9c1a5497f7 --- /dev/null +++ b/queue-5.4/rtc-st-lpc-add-missing-clk_disable_unprepare-in-st_r.patch 
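Review bot: the retry condition `((diff < 0) || (diff > MAX_RTC_READ_DIFF_CYCLES)) && --timeout` is written out twice in drivers/rtc/rtc-snvs.c, once in rtc_read_lp_counter() with an `s64 diff` and once in rtc_read_lp_counter_lsb() with an `s32 diff`. A small helper that takes the signed difference and returns whether the two reads are close enough would keep the two loops from drifting apart. The two functions also still differ on timeout in the lines shown: rtc_read_lp_counter() only logs through dev_err(), while the _lsb variant returns -ETIMEDOUT. The new block comment above `MAX_RTC_READ_DIFF_CYCLES` starts its text on the opening `/*` line, which is worth checking against the comment style used elsewhere in this file.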
@@ -0,0 +1,36 @@ +From c7df008fe0447b2607a70fc999a4330e38f6dd3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 09:48:05 +0800 +Subject: rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe() + +From: Gaosheng Cui + +[ Upstream commit 5fb733d7bd6949e90028efdce8bd528c6ab7cf1e ] + +The clk_disable_unprepare() should be called in the error handling +of clk_get_rate(), fix it. + +Fixes: b5b2bdfc2893 ("rtc: st: Add new driver for ST's LPC RTC") +Signed-off-by: Gaosheng Cui +Link: https://lore.kernel.org/r/20221123014805.1993052-1-cuigaosheng1@huawei.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-st-lpc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/rtc/rtc-st-lpc.c b/drivers/rtc/rtc-st-lpc.c +index 49474a31c66d..27261b020f8d 100644 +--- a/drivers/rtc/rtc-st-lpc.c ++++ b/drivers/rtc/rtc-st-lpc.c +@@ -241,6 +241,7 @@ static int st_rtc_probe(struct platform_device *pdev) + + rtc->clkrate = clk_get_rate(rtc->clk); + if (!rtc->clkrate) { ++ clk_disable_unprepare(rtc->clk); + dev_err(&pdev->dev, "Unable to fetch clock rate\n"); + return -EINVAL; + } +-- +2.35.1 + diff --git a/queue-5.4/rxrpc-fix-ack.buffersize-to-be-0-when-generating-an-.patch b/queue-5.4/rxrpc-fix-ack.buffersize-to-be-0-when-generating-an-.patch new file mode 100644 index 00000000000..87dbd908503 --- /dev/null +++ b/queue-5.4/rxrpc-fix-ack.buffersize-to-be-0-when-generating-an-.patch 
@@ -0,0 +1,37 @@ +From 0bd63f0abdedec73d86dbbb5a0aaaa9462fbe5b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 19:17:29 +0100 +Subject: rxrpc: Fix ack.bufferSize to be 0 when generating an ack + +From: David Howells + +[ Upstream commit 8889a711f9b4dcf4dd1330fa493081beebd118c9 ] + +ack.bufferSize should be set to 0 when generating an ack. + +Fixes: 8d94aa381dab ("rxrpc: Calls shouldn't hold socket refs") +Reported-by: Jeffrey Altman +Signed-off-by: David Howells +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Sasha Levin +--- + net/rxrpc/output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c +index 6202d2e32914..09fcc54245c7 100644 +--- a/net/rxrpc/output.c ++++ b/net/rxrpc/output.c +@@ -93,7 +93,7 @@ static size_t rxrpc_fill_out_ack(struct rxrpc_connection *conn, + *_hard_ack = hard_ack; + *_top = top; + +- pkt->ack.bufferSpace = htons(8); ++ pkt->ack.bufferSpace = htons(0); + pkt->ack.maxSkew = htons(0); + pkt->ack.firstPacket = htonl(hard_ack + 1); + pkt->ack.previousPacket = htonl(call->ackr_highest_seq); +-- +2.35.1 + diff --git a/queue-5.4/rxrpc-fix-missing-unlock-in-rxrpc_do_sendmsg.patch b/queue-5.4/rxrpc-fix-missing-unlock-in-rxrpc_do_sendmsg.patch new file mode 100644 index 00000000000..a3571e08d9e --- /dev/null +++ b/queue-5.4/rxrpc-fix-missing-unlock-in-rxrpc_do_sendmsg.patch 
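Review bot: the subject and body of the rxrpc ack patch say `ack.bufferSize`, but the field changed in rxrpc_fill_out_ack() is `pkt->ack.bufferSpace`; the commit text should use the field name that is in the code so the change can be found by searching for it. The message also gives no reason why 0 is the correct value where `htons(8)` was sent before, and one sentence on that would help anyone assessing the backport.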
@@ -0,0 +1,47 @@ +From ace4688b34f37b2b745d8fc3e11014f15318e492 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Dec 2022 16:19:47 +0000 +Subject: rxrpc: Fix missing unlock in rxrpc_do_sendmsg() + +From: David Howells + +[ Upstream commit 4feb2c44629e6f9b459b41a5a60491069d346a95 ] + +One of the error paths in rxrpc_do_sendmsg() doesn't unlock the call mutex +before returning. Fix it to do this. + +Note that this still doesn't get rid of the checker warning: + + ../net/rxrpc/sendmsg.c:617:5: warning: context imbalance in 'rxrpc_do_sendmsg' - wrong count at exit + +I think the interplay between the socket lock and the call's user_mutex may +be too complicated for checker to analyse, especially as +rxrpc_new_client_call_for_sendmsg(), which it calls, returns with the +call's user_mutex if successful but unconditionally drops the socket lock. + +Fixes: e754eba685aa ("rxrpc: Provide a cmsg to specify the amount of Tx data for a call") +Signed-off-by: David Howells +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rxrpc/sendmsg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c +index 22f020099214..1cb90d32d553 100644 +--- a/net/rxrpc/sendmsg.c ++++ b/net/rxrpc/sendmsg.c +@@ -718,7 +718,7 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len) + if (call->tx_total_len != -1 || + call->tx_pending || + call->tx_top != 0) +- goto error_put; ++ goto out_put_unlock; + call->tx_total_len = p.call.tx_total_len; + } + } +-- +2.35.1 + diff --git a/queue-5.4/s390-ctcm-fix-return-type-of-ctc-mp-m_tx.patch b/queue-5.4/s390-ctcm-fix-return-type-of-ctc-mp-m_tx.patch new file mode 100644 index 00000000000..a574094e1fa --- /dev/null +++ b/queue-5.4/s390-ctcm-fix-return-type-of-ctc-mp-m_tx.patch 
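Review bot: the new `goto out_put_unlock` in rxrpc_do_sendmsg() relies on `ret` already holding the error code for this branch, and the hunk shows neither where `ret` is set nor what the target label does. Confirm that `ret` is assigned before the `if (call->tx_total_len != -1 || ...)` test, and that out_put_unlock both releases the call's user_mutex and drops the call reference that `error_put` dropped. The commit message states that the checker warning about context imbalance remains after this change, so the warning cannot serve as the regression check for it.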
@@ -0,0 +1,76 @@ +From a1278776395b73c884169f8a7a52234e5eb3c142 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 10:01:28 -0700 +Subject: s390/ctcm: Fix return type of ctc{mp,}m_tx() + +From: Nathan Chancellor + +[ Upstream commit aa5bf80c3c067b82b4362cd6e8e2194623bcaca6 ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +proposed warning in clang aims to catch these at compile time, which +reveals: + + drivers/s390/net/ctcm_main.c:1064:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .ndo_start_xmit = ctcm_tx, + ^~~~~~~ + drivers/s390/net/ctcm_main.c:1072:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .ndo_start_xmit = ctcmpc_tx, + ^~~~~~~~~ + +->ndo_start_xmit() in 'struct net_device_ops' expects a return type of +'netdev_tx_t', not 'int'. Adjust the return type of ctc{mp,}m_tx() to +match the prototype's to resolve the warning and potential CFI failure, +should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. + +Additionally, while in the area, remove a comment block that is no +longer relevant. 
+ +Link: https://github.com/ClangBuiltLinux/linux/issues/1750 +Reviewed-by: Alexandra Winter +Reviewed-by: Kees Cook +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ctcm_main.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c +index 437a6d822105..87d05b13fbd5 100644 +--- a/drivers/s390/net/ctcm_main.c ++++ b/drivers/s390/net/ctcm_main.c +@@ -865,16 +865,9 @@ static int ctcmpc_transmit_skb(struct channel *ch, struct sk_buff *skb) + /** + * Start transmission of a packet. + * Called from generic network device layer. +- * +- * skb Pointer to buffer containing the packet. +- * dev Pointer to interface struct. +- * +- * returns 0 if packet consumed, !0 if packet rejected. +- * Note: If we return !0, then the packet is free'd by +- * the generic network layer. + */ + /* first merge version - leaving both functions separated */ +-static int ctcm_tx(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t ctcm_tx(struct sk_buff *skb, struct net_device *dev) + { + struct ctcm_priv *priv = dev->ml_priv; + +@@ -917,7 +910,7 @@ static int ctcm_tx(struct sk_buff *skb, struct net_device *dev) + } + + /* unmerged MPC variant of ctcm_tx */ +-static int ctcmpc_tx(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t ctcmpc_tx(struct sk_buff *skb, struct net_device *dev) + { + int len = 0; + struct ctcm_priv *priv = dev->ml_priv; +-- +2.35.1 + diff --git a/queue-5.4/s390-lcs-fix-return-type-of-lcs_start_xmit.patch b/queue-5.4/s390-lcs-fix-return-type-of-lcs_start_xmit.patch new file mode 100644 index 00000000000..174bb3e2395 --- /dev/null +++ b/queue-5.4/s390-lcs-fix-return-type-of-lcs_start_xmit.patch 
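Review bot: in drivers/s390/net/ctcm_main.c only the signatures of ctcm_tx() and ctcmpc_tx() change to `netdev_tx_t`, while the deleted comment documented a "0 if packet consumed, !0 if packet rejected" contract and none of the return statements are in the hunk. Confirm that every return in both bodies is a NETDEV_TX_* value, since a leftover errno-style return would now be returned through the enum type unnoticed. The comment that remains above ctcm_tx() still opens with `/**` although no parameter or return documentation is left in it, so it could become a plain `/*` comment.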
@@ -0,0 +1,68 @@ +From 11154f6a2fa2635d7610684482cca685b137e606 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 10:01:30 -0700 +Subject: s390/lcs: Fix return type of lcs_start_xmit() + +From: Nathan Chancellor + +[ Upstream commit bb16db8393658e0978c3f0d30ae069e878264fa3 ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +proposed warning in clang aims to catch these at compile time, which +reveals: + + drivers/s390/net/lcs.c:2090:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .ndo_start_xmit = lcs_start_xmit, + ^~~~~~~~~~~~~~ + drivers/s390/net/lcs.c:2097:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .ndo_start_xmit = lcs_start_xmit, + ^~~~~~~~~~~~~~ + +->ndo_start_xmit() in 'struct net_device_ops' expects a return type of +'netdev_tx_t', not 'int'. Adjust the return type of lcs_start_xmit() to +match the prototype's to resolve the warning and potential CFI failure, +should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. + +Link: https://github.com/ClangBuiltLinux/linux/issues/1750 +Reviewed-by: Alexandra Winter +Reviewed-by: Kees Cook +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/lcs.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/s390/net/lcs.c b/drivers/s390/net/lcs.c +index 4eec7bfb5de9..73708166b255 100644 +--- a/drivers/s390/net/lcs.c ++++ b/drivers/s390/net/lcs.c +@@ -1518,9 +1518,8 @@ lcs_txbuffer_cb(struct lcs_channel *channel, struct lcs_buffer *buffer) + /** + * Packet transmit function called by network stack + */ +-static int +-__lcs_start_xmit(struct lcs_card *card, struct sk_buff *skb, +- struct net_device *dev) ++static netdev_tx_t __lcs_start_xmit(struct lcs_card *card, struct sk_buff *skb, ++ struct net_device *dev) + { + struct lcs_header *header; + int rc = NETDEV_TX_OK; +@@ -1581,8 +1580,7 @@ __lcs_start_xmit(struct lcs_card *card, struct sk_buff *skb, + return rc; + } + +-static int +-lcs_start_xmit(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t lcs_start_xmit(struct sk_buff *skb, struct net_device *dev) + { + struct lcs_card *card; + int rc; +-- +2.35.1 + diff --git a/queue-5.4/s390-netiucv-fix-return-type-of-netiucv_tx.patch b/queue-5.4/s390-netiucv-fix-return-type-of-netiucv_tx.patch new file mode 100644 index 00000000000..2aec06b2127 --- /dev/null +++ b/queue-5.4/s390-netiucv-fix-return-type-of-netiucv_tx.patch 
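Review bot: in drivers/s390/net/lcs.c the functions now return `netdev_tx_t`, but the locals are still declared `int`: __lcs_start_xmit() keeps `int rc = NETDEV_TX_OK;` and ends in `return rc;`, and lcs_start_xmit() keeps `int rc;`. The return therefore converts an int to the enum implicitly. Declaring `rc` as `netdev_tx_t` in both functions would complete the type change, provided `rc` never carries a negative errno in the parts of the bodies that the hunk does not show.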
@@ -0,0 +1,63 @@ +From f66379c9ad88d83ba986cc9a70a4534f3f505a88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 10:01:29 -0700 +Subject: s390/netiucv: Fix return type of netiucv_tx() + +From: Nathan Chancellor + +[ Upstream commit 88d86d18d7cf7e9137c95f9d212bb9fff8a1b4be ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +proposed warning in clang aims to catch these at compile time, which +reveals: + + drivers/s390/net/netiucv.c:1854:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .ndo_start_xmit = netiucv_tx, + ^~~~~~~~~~ + +->ndo_start_xmit() in 'struct net_device_ops' expects a return type of +'netdev_tx_t', not 'int'. Adjust the return type of netiucv_tx() to +match the prototype's to resolve the warning and potential CFI failure, +should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. + +Additionally, while in the area, remove a comment block that is no +longer relevant. + +Link: https://github.com/ClangBuiltLinux/linux/issues/1750 +Reviewed-by: Alexandra Winter +Reviewed-by: Kees Cook +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/netiucv.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/s390/net/netiucv.c b/drivers/s390/net/netiucv.c +index 5ce2424ca729..e2984b54447b 100644 +--- a/drivers/s390/net/netiucv.c ++++ b/drivers/s390/net/netiucv.c +@@ -1344,15 +1344,8 @@ static int netiucv_pm_restore_thaw(struct device *dev) + /** + * Start transmission of a packet. + * Called from generic network device layer. +- * +- * @param skb Pointer to buffer containing the packet. +- * @param dev Pointer to interface struct. +- * +- * @return 0 if packet consumed, !0 if packet rejected. +- * Note: If we return !0, then the packet is free'd by +- * the generic network layer. + */ +-static int netiucv_tx(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t netiucv_tx(struct sk_buff *skb, struct net_device *dev) + { + struct netiucv_priv *privptr = netdev_priv(dev); + int rc; +-- +2.35.1 + diff --git a/queue-5.4/samples-vfio-mdev-fix-missing-pci_disable_device-in-.patch b/queue-5.4/samples-vfio-mdev-fix-missing-pci_disable_device-in-.patch new file mode 100644 index 00000000000..dfac1d3ddd0 --- /dev/null +++ b/queue-5.4/samples-vfio-mdev-fix-missing-pci_disable_device-in-.patch 
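Review bot: the netiucv_tx() signature change is motivated in the commit text by a proposed clang warning and by a possible CFI failure "should s390 select ARCH_SUPPORTS_CFI_CLANG in the future", so the message describes no run-time fault that this hunk fixes on the branch it is queued for. Confirm the change is wanted in the 5.4 queue, for example for consistency with the ctcm and lcs patches beside it. As in those patches, the local `int rc;` in the context line keeps the old type.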
@@ -0,0 +1,59 @@ +From e60eb585fd692b12c9d57811b6dd313dbe7728e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 09:33:41 +0800 +Subject: samples: vfio-mdev: Fix missing pci_disable_device() in + mdpy_fb_probe() + +From: Shang XiaoJing + +[ Upstream commit d1f0f50fbbbbca1e3e8157e51934613bf88f6d44 ] + +Add missing pci_disable_device() in fail path of mdpy_fb_probe(). +Besides, fix missing release functions in mdpy_fb_remove(). + +Fixes: cacade1946a4 ("sample: vfio mdev display - guest driver") +Signed-off-by: Shang XiaoJing +Link: https://lore.kernel.org/r/20221208013341.3999-1-shangxiaojing@huawei.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + samples/vfio-mdev/mdpy-fb.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/samples/vfio-mdev/mdpy-fb.c b/samples/vfio-mdev/mdpy-fb.c +index a760e130bd0d..8ad1aa13ddd9 100644 +--- a/samples/vfio-mdev/mdpy-fb.c ++++ b/samples/vfio-mdev/mdpy-fb.c +@@ -109,7 +109,7 @@ static int mdpy_fb_probe(struct pci_dev *pdev, + + ret = pci_request_regions(pdev, "mdpy-fb"); + if (ret < 0) +- return ret; ++ goto err_disable_dev; + + pci_read_config_dword(pdev, MDPY_FORMAT_OFFSET, &format); + pci_read_config_dword(pdev, MDPY_WIDTH_OFFSET, &width); +@@ -191,6 +191,9 @@ static int mdpy_fb_probe(struct pci_dev *pdev, + err_release_regions: + pci_release_regions(pdev); + ++err_disable_dev: ++ pci_disable_device(pdev); ++ + return ret; + } + +@@ -199,7 +202,10 @@ static void mdpy_fb_remove(struct pci_dev *pdev) + struct fb_info *info = pci_get_drvdata(pdev); + + unregister_framebuffer(info); ++ iounmap(info->screen_base); + framebuffer_release(info); ++ pci_release_regions(pdev); ++ pci_disable_device(pdev); + } + + static struct pci_device_id mdpy_fb_pci_table[] = { +-- +2.35.1 + 
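Review bot: the mdpy_fb_remove() hunk in samples/vfio-mdev/mdpy-fb.c adds three teardown calls, `iounmap(info->screen_base)`, `pci_release_regions(pdev)` and `pci_disable_device(pdev)`, that the subject line does not cover, since it names only the mdpy_fb_probe() failure path. Either mention the remove path in the subject or split it into its own patch so the two fixes can be tracked separately. The ordering itself is sound: `iounmap()` reads `info->screen_base` before `framebuffer_release(info)` frees `info`, and in probe the new `err_disable_dev` label sits below `err_release_regions` so later failures fall through both.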
diff --git a/queue-5.4/scsi-fcoe-fix-possible-name-leak-when-device_registe.patch b/queue-5.4/scsi-fcoe-fix-possible-name-leak-when-device_registe.patch new file mode 100644 index 00000000000..f7d044a76fa --- /dev/null +++ b/queue-5.4/scsi-fcoe-fix-possible-name-leak-when-device_registe.patch 
@@ -0,0 +1,78 @@ +From 7481b683bab3a4be2e9f2ffa34f6566b16997485 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Nov 2022 17:43:10 +0800 +Subject: scsi: fcoe: Fix possible name leak when device_register() fails + +From: Yang Yingliang + +[ Upstream commit 47b6a122c7b69a876c7ee2fc064a26b09627de9d ] + +If device_register() returns an error, the name allocated by dev_set_name() +needs to be freed. As the comment of device_register() says, one should use +put_device() to give up the reference in the error path. Fix this by +calling put_device(), then the name can be freed in kobject_cleanup(). + +The 'fcf' is freed in fcoe_fcf_device_release(), so the kfree() in the +error path can be removed. + +The 'ctlr' is freed in fcoe_ctlr_device_release(), so don't use the error +label, just return NULL after calling put_device(). + +Fixes: 9a74e884ee71 ("[SCSI] libfcoe: Add fcoe_sysfs") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221112094310.3633291-1-yangyingliang@huawei.com +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/fcoe/fcoe_sysfs.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/scsi/fcoe/fcoe_sysfs.c b/drivers/scsi/fcoe/fcoe_sysfs.c +index 2cb7a8c93a15..b3086cf40617 100644 +--- a/drivers/scsi/fcoe/fcoe_sysfs.c ++++ b/drivers/scsi/fcoe/fcoe_sysfs.c +@@ -830,14 +830,15 @@ struct fcoe_ctlr_device *fcoe_ctlr_device_add(struct device *parent, + + dev_set_name(&ctlr->dev, "ctlr_%d", ctlr->id); + error = device_register(&ctlr->dev); +- if (error) +- goto out_del_q2; ++ if (error) { ++ destroy_workqueue(ctlr->devloss_work_q); ++ destroy_workqueue(ctlr->work_q); ++ put_device(&ctlr->dev); ++ return NULL; ++ } + + return ctlr; + +-out_del_q2: +- destroy_workqueue(ctlr->devloss_work_q); +- ctlr->devloss_work_q = NULL; + out_del_q: + destroy_workqueue(ctlr->work_q); + ctlr->work_q = NULL; +@@ -1036,16 +1037,16 @@ struct fcoe_fcf_device *fcoe_fcf_device_add(struct fcoe_ctlr_device *ctlr, + fcf->selected = new_fcf->selected; + + error = device_register(&fcf->dev); +- if (error) +- goto out_del; ++ if (error) { ++ put_device(&fcf->dev); ++ goto out; ++ } + + fcf->state = FCOE_FCF_STATE_CONNECTED; + list_add_tail(&fcf->peers, &ctlr->fcfs); + + return fcf; + +-out_del: +- kfree(fcf); + out: + return NULL; + } +-- +2.35.1 + diff --git a/queue-5.4/scsi-fcoe-fix-transport-not-deattached-when-fcoe_if_.patch b/queue-5.4/scsi-fcoe-fix-transport-not-deattached-when-fcoe_if_.patch new file mode 100644 index 00000000000..022be38e8a7 --- /dev/null +++ b/queue-5.4/scsi-fcoe-fix-transport-not-deattached-when-fcoe_if_.patch 
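Review bot: in fcoe_ctlr_device_add() the new error branch destroys `ctlr->devloss_work_q` and `ctlr->work_q` and then calls `put_device(&ctlr->dev)` without clearing the two pointers, whereas the label it removes and the `out_del_q` label that stays both set the pointer to NULL after destroy_workqueue(). The commit message says the final put frees `ctlr` in fcoe_ctlr_device_release(); confirm that callback does not touch either workqueue, or keep the NULL assignments before the put. In fcoe_fcf_device_add() the pair `put_device(&fcf->dev); goto out;` jumps to a label that only returns NULL, so a direct `return NULL;` would match the ctlr branch.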
@@ -0,0 +1,46 @@ +From 9c9df6b6a0b3f8255a1df68606c58da9f2f40417 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 17:24:42 +0800 +Subject: scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails + +From: Chen Zhongjin + +[ Upstream commit 4155658cee394b22b24c6d64e49247bf26d95b92 ] + +fcoe_init() calls fcoe_transport_attach(&fcoe_sw_transport), but when +fcoe_if_init() fails, &fcoe_sw_transport is not detached and leaves freed +&fcoe_sw_transport on fcoe_transports list. This causes panic when +reinserting module. + + BUG: unable to handle page fault for address: fffffbfff82e2213 + RIP: 0010:fcoe_transport_attach+0xe1/0x230 [libfcoe] + Call Trace: + + do_one_initcall+0xd0/0x4e0 + load_module+0x5eee/0x7210 + ... + +Fixes: 78a582463c1e ("[SCSI] fcoe: convert fcoe.ko to become an fcoe transport provider driver") +Signed-off-by: Chen Zhongjin +Link: https://lore.kernel.org/r/20221115092442.133088-1-chenzhongjin@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/fcoe/fcoe.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/fcoe/fcoe.c b/drivers/scsi/fcoe/fcoe.c +index 25dae9f0b205..00ddb3fd940f 100644 +--- a/drivers/scsi/fcoe/fcoe.c ++++ b/drivers/scsi/fcoe/fcoe.c +@@ -2506,6 +2506,7 @@ static int __init fcoe_init(void) + + out_free: + mutex_unlock(&fcoe_config_mutex); ++ fcoe_transport_detach(&fcoe_sw_transport); + out_destroy: + destroy_workqueue(fcoe_wq); + return rc; +-- +2.35.1 + diff --git a/queue-5.4/scsi-hpsa-fix-error-handling-in-hpsa_add_sas_host.patch b/queue-5.4/scsi-hpsa-fix-error-handling-in-hpsa_add_sas_host.patch new file mode 100644 index 00000000000..6fdeb067cfb --- /dev/null +++ b/queue-5.4/scsi-hpsa-fix-error-handling-in-hpsa_add_sas_host.patch 
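Review bot: `fcoe_transport_detach(&fcoe_sw_transport)` is added under the `out_free` label only, so any failure in fcoe_init() that jumps straight to `out_destroy` skips it. That is correct only if every `goto out_destroy` happens before fcoe_transport_attach() is called, and the hunk does not show the attach call or the gotos. Confirm the ordering, and consider a short comment at `out_free` saying that the transport is attached from this point on.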
@@ -0,0 +1,54 @@ +From d559bb65d01745f4b47a53515f53e8339c49a55a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 23:11:29 +0800 +Subject: scsi: hpsa: Fix error handling in hpsa_add_sas_host() + +From: Yang Yingliang + +[ Upstream commit 4ef174a3ad9b5d73c1b6573e244ebba2b0d86eac ] + +hpsa_sas_port_add_phy() does: + ... + sas_phy_add() -> may return error here + sas_port_add_phy() + ... + +Whereas hpsa_free_sas_phy() does: + ... + sas_port_delete_phy() + sas_phy_delete() + ... + +If hpsa_sas_port_add_phy() returns an error, hpsa_free_sas_phy() can not be +called to free the memory because the port and the phy have not been added +yet. + +Replace hpsa_free_sas_phy() with sas_phy_free() and kfree() to avoid kernel +crash in this case. + +Fixes: d04e62b9d63a ("hpsa: add in sas transport class") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221110151129.394389-1-yangyingliang@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hpsa.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c +index 88dc42fdaa80..9d5d0c911130 100644 +--- a/drivers/scsi/hpsa.c ++++ b/drivers/scsi/hpsa.c +@@ -9763,7 +9763,8 @@ static int hpsa_add_sas_host(struct ctlr_info *h) + return 0; + + free_sas_phy: +- hpsa_free_sas_phy(hpsa_sas_phy); ++ sas_phy_free(hpsa_sas_phy->phy); ++ kfree(hpsa_sas_phy); + free_sas_port: + hpsa_free_sas_port(hpsa_sas_port); + free_sas_node: +-- +2.35.1 + diff --git a/queue-5.4/scsi-hpsa-fix-possible-memory-leak-in-hpsa_add_sas_d.patch b/queue-5.4/scsi-hpsa-fix-possible-memory-leak-in-hpsa_add_sas_d.patch new file mode 100644 index 00000000000..c19fd4cdde6 --- /dev/null +++ b/queue-5.4/scsi-hpsa-fix-possible-memory-leak-in-hpsa_add_sas_d.patch 
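Review bot: the rewritten `free_sas_phy` label in hpsa_add_sas_host() is only correct if it is reached solely when hpsa_sas_port_add_phy() fails, and the hunk does not show the gotos that target it. After this change the label runs `sas_phy_free(hpsa_sas_phy->phy);` and `kfree(hpsa_sas_phy);`, so any later jump to it after a successful add would skip the `sas_port_delete_phy()` and `sas_phy_delete()` steps that, per the commit message, hpsa_free_sas_phy() performed. Confirm there is no such jump, or add a separate label for the already-added case.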
@@ -0,0 +1,43 @@ +From 43055ecc1b1de3c47cb21d2e81499a98ff0b05cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 12:30:12 +0800 +Subject: scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device() + +From: Yang Yingliang + +[ Upstream commit fda34a5d304d0b98cc967e8763b52221b66dc202 ] + +If hpsa_sas_port_add_rphy() returns an error, the 'rphy' allocated in +sas_end_device_alloc() needs to be freed. Address this by calling +sas_rphy_free() in the error path. + +Fixes: d04e62b9d63a ("hpsa: add in sas transport class") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221111043012.1074466-1-yangyingliang@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hpsa.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c +index 9d5d0c911130..ba125ed7e06a 100644 +--- a/drivers/scsi/hpsa.c ++++ b/drivers/scsi/hpsa.c +@@ -9800,10 +9800,12 @@ static int hpsa_add_sas_device(struct hpsa_sas_node *hpsa_sas_node, + + rc = hpsa_sas_port_add_rphy(hpsa_sas_port, rphy); + if (rc) +- goto free_sas_port; ++ goto free_sas_rphy; + + return 0; + ++free_sas_rphy: ++ sas_rphy_free(rphy); + free_sas_port: + hpsa_free_sas_port(hpsa_sas_port); + device->sas_port = NULL; +-- +2.35.1 + diff --git a/queue-5.4/scsi-hpsa-fix-possible-memory-leak-in-hpsa_init_one.patch b/queue-5.4/scsi-hpsa-fix-possible-memory-leak-in-hpsa_init_one.patch new file mode 100644 index 00000000000..10fe34f9527 --- /dev/null +++ b/queue-5.4/scsi-hpsa-fix-possible-memory-leak-in-hpsa_init_one.patch 
@@ -0,0 +1,42 @@ +From af49713d1ca02bbfaf5cea98ee43debb726b5688 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 01:57:51 +0000 +Subject: scsi: hpsa: Fix possible memory leak in hpsa_init_one() + +From: Yuan Can + +[ Upstream commit 9c9ff300e0de07475796495d86f449340d454a0c ] + +The hpda_alloc_ctlr_info() allocates h and its field reply_map. However, in +hpsa_init_one(), if alloc_percpu() failed, the hpsa_init_one() jumps to +clean1 directly, which frees h and leaks the h->reply_map. + +Fix by calling hpda_free_ctlr_info() to release h->replay_map and h instead +free h directly. + +Fixes: 8b834bff1b73 ("scsi: hpsa: fix selection of reply queue") +Signed-off-by: Yuan Can +Link: https://lore.kernel.org/r/20221122015751.87284-1-yuancan@huawei.com +Reviewed-by: Ming Lei +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hpsa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c +index bac705990a96..88dc42fdaa80 100644 +--- a/drivers/scsi/hpsa.c ++++ b/drivers/scsi/hpsa.c +@@ -8903,7 +8903,7 @@ static int hpsa_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + destroy_workqueue(h->monitor_ctlr_wq); + h->monitor_ctlr_wq = NULL; + } +- kfree(h); ++ hpda_free_ctlr_info(h); + return rc; + } + +-- +2.35.1 + diff --git a/queue-5.4/scsi-ipr-fix-warning-in-ipr_init.patch b/queue-5.4/scsi-ipr-fix-warning-in-ipr_init.patch new file mode 100644 index 00000000000..f358d51450b --- /dev/null +++ b/queue-5.4/scsi-ipr-fix-warning-in-ipr_init.patch 
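Review bot: in the hpsa_init_one() cleanup path, `hpda_free_ctlr_info(h)` now runs after the visible lines that destroy `h->monitor_ctlr_wq` and set it to NULL, so confirm the helper frees only `h->reply_map` and `h` and does not release anything that the labels above it have already released. The commit message names the leaked field `reply_map` in its first paragraph and `h->replay_map` in its second; the second spelling should be corrected so that a search for the field finds this fix.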
@@ -0,0 +1,73 @@ +From 0ccf2f2ad395f64dd845d29983b7088b9abd3558 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Nov 2022 14:45:13 +0800 +Subject: scsi: ipr: Fix WARNING in ipr_init() + +From: Shang XiaoJing + +[ Upstream commit e6f108bffc3708ddcff72324f7d40dfcd0204894 ] + +ipr_init() will not call unregister_reboot_notifier() when +pci_register_driver() fails, which causes a WARNING. Call +unregister_reboot_notifier() when pci_register_driver() fails. + +notifier callback ipr_halt [ipr] already registered +WARNING: CPU: 3 PID: 299 at kernel/notifier.c:29 +notifier_chain_register+0x16d/0x230 +Modules linked in: ipr(+) xhci_pci_renesas xhci_hcd ehci_hcd usbcore +led_class gpu_sched drm_buddy video wmi drm_ttm_helper ttm +drm_display_helper drm_kms_helper drm drm_panel_orientation_quirks +agpgart cfbft +CPU: 3 PID: 299 Comm: modprobe Tainted: G W +6.1.0-rc1-00190-g39508d23b672-dirty #332 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 +RIP: 0010:notifier_chain_register+0x16d/0x230 +Call Trace: + + __blocking_notifier_chain_register+0x73/0xb0 + ipr_init+0x30/0x1000 [ipr] + do_one_initcall+0xdb/0x480 + do_init_module+0x1cf/0x680 + load_module+0x6a50/0x70a0 + __do_sys_finit_module+0x12f/0x1c0 + do_syscall_64+0x3f/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fixes: f72919ec2bbb ("[SCSI] ipr: implement shutdown changes and remove obsolete write cache parameter") +Signed-off-by: Shang XiaoJing +Link: https://lore.kernel.org/r/20221113064513.14028-1-shangxiaojing@huawei.com +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ipr.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c +index a163fd9331b3..a42837340edf 100644 +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -10843,11 +10843,19 @@ static struct notifier_block ipr_notifier = { + **/ + static int __init ipr_init(void) + { ++ int rc; ++ + ipr_info("IBM Power RAID SCSI Device Driver version: %s %s\n", + IPR_DRIVER_VERSION, IPR_DRIVER_DATE); + + register_reboot_notifier(&ipr_notifier); +- return pci_register_driver(&ipr_driver); ++ rc = pci_register_driver(&ipr_driver); ++ if (rc) { ++ unregister_reboot_notifier(&ipr_notifier); ++ return rc; ++ } ++ ++ return 0; + } + + /** +-- +2.35.1 + diff --git a/queue-5.4/scsi-mpt3sas-fix-possible-resource-leaks-in-mpt3sas_.patch b/queue-5.4/scsi-mpt3sas-fix-possible-resource-leaks-in-mpt3sas_.patch new file mode 100644 index 00000000000..35a62bf3ada --- /dev/null +++ b/queue-5.4/scsi-mpt3sas-fix-possible-resource-leaks-in-mpt3sas_.patch 
@@ -0,0 +1,67 @@ +From cf62fdcc646790a2438e113613368f8c3a83a7e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 11:24:03 +0800 +Subject: scsi: mpt3sas: Fix possible resource leaks in + mpt3sas_transport_port_add() + +From: Yang Yingliang + +[ Upstream commit 78316e9dfc24906dd474630928ed1d3c562b568e ] + +In mpt3sas_transport_port_add(), if sas_rphy_add() returns error, +sas_rphy_free() needs be called to free the resource allocated in +sas_end_device_alloc(). Otherwise a kernel crash will happen: + +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108 +CPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G W 6.1.0-rc1+ #189 +pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : device_del+0x54/0x3d0 +lr : device_del+0x37c/0x3d0 +Call trace: + device_del+0x54/0x3d0 + attribute_container_class_device_del+0x28/0x38 + transport_remove_classdev+0x6c/0x80 + attribute_container_device_trigger+0x108/0x110 + transport_remove_device+0x28/0x38 + sas_rphy_remove+0x50/0x78 [scsi_transport_sas] + sas_port_delete+0x30/0x148 [scsi_transport_sas] + do_sas_phy_delete+0x78/0x80 [scsi_transport_sas] + device_for_each_child+0x68/0xb0 + sas_remove_children+0x30/0x50 [scsi_transport_sas] + sas_rphy_remove+0x38/0x78 [scsi_transport_sas] + sas_port_delete+0x30/0x148 [scsi_transport_sas] + do_sas_phy_delete+0x78/0x80 [scsi_transport_sas] + device_for_each_child+0x68/0xb0 + sas_remove_children+0x30/0x50 [scsi_transport_sas] + sas_remove_host+0x20/0x38 [scsi_transport_sas] + scsih_remove+0xd8/0x420 [mpt3sas] + +Because transport_add_device() is not called when sas_rphy_add() fails, the +device is not added. When sas_rphy_remove() is subsequently called to +remove the device in the remove() path, a NULL pointer dereference happens. 
+ +Fixes: f92363d12359 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221109032403.1636422-1-yangyingliang@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_transport.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c +index 5324662751bf..b909cf100ea4 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_transport.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c +@@ -712,6 +712,8 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, + if ((sas_rphy_add(rphy))) { + ioc_err(ioc, "failure at %s:%d/%s()!\n", + __FILE__, __LINE__, __func__); ++ sas_rphy_free(rphy); ++ rphy = NULL; + } + + if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) { +-- +2.35.1 + diff --git a/queue-5.4/scsi-scsi_debug-fix-a-warning-in-resp_write_scat.patch b/queue-5.4/scsi-scsi_debug-fix-a-warning-in-resp_write_scat.patch new file mode 100644 index 00000000000..e6defd0b87f --- /dev/null +++ b/queue-5.4/scsi-scsi_debug-fix-a-warning-in-resp_write_scat.patch 
@@ -0,0 +1,66 @@ +From d3d55ce0c9b7bc9dd51de330b6df068188a882b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 02:05:25 -0800 +Subject: scsi: scsi_debug: Fix a warning in resp_write_scat() + +From: Harshit Mogalapalli + +[ Upstream commit 216e179724c1d9f57a8ababf8bd7aaabef67f01b ] + +As 'lbdof_blen' is coming from user, if the size in kzalloc() is >= +MAX_ORDER then we hit a warning. + +Call trace: + +sg_ioctl + sg_ioctl_common + scsi_ioctl + sg_scsi_ioctl + blk_execute_rq + blk_mq_sched_insert_request + blk_mq_run_hw_queue + __blk_mq_delay_run_hw_queue + __blk_mq_run_hw_queue + blk_mq_sched_dispatch_requests + __blk_mq_sched_dispatch_requests + blk_mq_dispatch_rq_list + scsi_queue_rq + scsi_dispatch_cmd + scsi_debug_queuecommand + schedule_resp + resp_write_scat + +If you try to allocate a memory larger than(>=) MAX_ORDER, then kmalloc() +will definitely fail. It creates a stack trace and messes up dmesg. The +user controls the size here so if they specify a too large size it will +fail. + +Add __GFP_NOWARN in order to avoid too large allocation warning. This is +detected by static analysis using smatch. + +Fixes: 481b5e5c7949 ("scsi: scsi_debug: add resp_write_scat function") +Signed-off-by: Harshit Mogalapalli +Link: https://lore.kernel.org/r/20221111100526.1790533-1-harshit.m.mogalapalli@oracle.com +Acked-by: Douglas Gilbert +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c +index 408166bd20f3..2c86ed1dc4b5 100644 +--- a/drivers/scsi/scsi_debug.c ++++ b/drivers/scsi/scsi_debug.c +@@ -3139,7 +3139,7 @@ static int resp_write_scat(struct scsi_cmnd *scp, + mk_sense_buffer(scp, ILLEGAL_REQUEST, INVALID_FIELD_IN_CDB, 0); + return illegal_condition_result; + } +- lrdp = kzalloc(lbdof_blen, GFP_ATOMIC); ++ lrdp = kzalloc(lbdof_blen, GFP_ATOMIC | __GFP_NOWARN); + if (lrdp == NULL) + return SCSI_MLQUEUE_HOST_BUSY; + if (sdebug_verbose) +-- +2.35.1 + diff --git a/queue-5.4/scsi-snic-fix-possible-uaf-in-snic_tgt_create.patch b/queue-5.4/scsi-snic-fix-possible-uaf-in-snic_tgt_create.patch new file mode 100644 index 00000000000..a2aa93b2804 --- /dev/null +++ b/queue-5.4/scsi-snic-fix-possible-uaf-in-snic_tgt_create.patch 
@@ -0,0 +1,47 @@ +From 316fd9d6191b783d9db0f06663faa01793c2318c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 11:51:00 +0800 +Subject: scsi: snic: Fix possible UAF in snic_tgt_create() + +From: Gaosheng Cui + +[ Upstream commit e118df492320176af94deec000ae034cc92be754 ] + +Smatch reports a warning as follows: + +drivers/scsi/snic/snic_disc.c:307 snic_tgt_create() warn: + '&tgt->list' not removed from list + +If device_add() fails in snic_tgt_create(), tgt will be freed, but +tgt->list will not be removed from snic->disc.tgt_list, then list traversal +may cause UAF. + +Remove from snic->disc.tgt_list before free(). + +Fixes: c8806b6c9e82 ("snic: driver for Cisco SCSI HBA") +Signed-off-by: Gaosheng Cui +Link: https://lore.kernel.org/r/20221117035100.2944812-1-cuigaosheng1@huawei.com +Acked-by: Narsimhulu Musini +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/snic/snic_disc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/snic/snic_disc.c b/drivers/scsi/snic/snic_disc.c +index e9ccfb97773f..7cf871323b2c 100644 +--- a/drivers/scsi/snic/snic_disc.c ++++ b/drivers/scsi/snic/snic_disc.c +@@ -318,6 +318,9 @@ snic_tgt_create(struct snic *snic, struct snic_tgt_id *tgtid) + ret); + + put_device(&snic->shost->shost_gendev); ++ spin_lock_irqsave(snic->shost->host_lock, flags); ++ list_del(&tgt->list); ++ spin_unlock_irqrestore(snic->shost->host_lock, flags); + kfree(tgt); + tgt = NULL; + +-- +2.35.1 + diff --git a/queue-5.4/selftests-efivarfs-add-checking-of-the-test-return-v.patch b/queue-5.4/selftests-efivarfs-add-checking-of-the-test-return-v.patch new file mode 100644 index 00000000000..abd88965005 --- /dev/null +++ b/queue-5.4/selftests-efivarfs-add-checking-of-the-test-return-v.patch 
@@ -0,0 +1,39 @@ +From a2454a19869268b622d4738d53265f4542900042 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 19:26:26 +0800 +Subject: selftests/efivarfs: Add checking of the test return value + +From: Zhao Gongyi + +[ Upstream commit c93924267fe6f2b44af1849f714ae9cd8117a9cd ] + +Add checking of the test return value, otherwise it will report success +forever for test_create_read(). + +Fixes: dff6d2ae56d0 ("selftests/efivarfs: clean up test files from test_create*()") +Signed-off-by: Zhao Gongyi +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/efivarfs/efivarfs.sh | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tools/testing/selftests/efivarfs/efivarfs.sh b/tools/testing/selftests/efivarfs/efivarfs.sh +index a90f394f9aa9..d374878cc0ba 100755 +--- a/tools/testing/selftests/efivarfs/efivarfs.sh ++++ b/tools/testing/selftests/efivarfs/efivarfs.sh +@@ -87,6 +87,11 @@ test_create_read() + { + local file=$efivarfs_mount/$FUNCNAME-$test_guid + ./create-read $file ++ if [ $? -ne 0 ]; then ++ echo "create and read $file failed" ++ file_cleanup $file ++ exit 1 ++ fi + file_cleanup $file + } + +-- +2.35.1 + diff --git a/queue-5.4/selftests-ftrace-event_triggers-wait-longer-for-test.patch b/queue-5.4/selftests-ftrace-event_triggers-wait-longer-for-test.patch new file mode 100644 index 00000000000..bc9ab73ce24 --- /dev/null +++ b/queue-5.4/selftests-ftrace-event_triggers-wait-longer-for-test.patch 
@@ -0,0 +1,57 @@ +From fbcf1b8e174994652617055d8fea55cd778eca71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 10:09:31 +0800 +Subject: selftests/ftrace: event_triggers: wait longer for test_event_enable + +From: Yipeng Zou + +[ Upstream commit a1d6cd88c8973cfb08ee85722488b1d6d5d16327 ] + +In some platform, the schedule event may came slowly, delay 100ms can't +cover it. + +I was notice that on my board which running in low cpu_freq,and this +selftests allways gose fail. + +So maybe we can check more times here to wait longer. + +Fixes: 43bb45da82f9 ("selftests: ftrace: Add a selftest to test event enable/disable func trigger") +Signed-off-by: Yipeng Zou +Acked-by: Masami Hiramatsu (Google) +Acked-by: Steven Rostedt (Google) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../ftrace/test.d/ftrace/func_event_triggers.tc | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc +index ca2ffd7957f9..f261eeccfaf6 100644 +--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc ++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc +@@ -42,11 +42,18 @@ cnt_trace() { + + test_event_enabled() { + val=$1 ++ check_times=10 # wait for 10 * SLEEP_TIME at most + +- e=`cat $EVENT_ENABLE` +- if [ "$e" != $val ]; then +- fail "Expected $val but found $e" +- fi ++ while [ $check_times -ne 0 ]; do ++ e=`cat $EVENT_ENABLE` ++ if [ "$e" == $val ]; then ++ return 0 ++ fi ++ sleep $SLEEP_TIME ++ check_times=$((check_times - 1)) ++ done ++ ++ fail "Expected $val but found $e" + } + + run_enable_disable() { +-- +2.35.1 + diff --git a/queue-5.4/selftests-powerpc-fix-resource-leaks.patch b/queue-5.4/selftests-powerpc-fix-resource-leaks.patch new file mode 100644 index 00000000000..30b00c4247e --- /dev/null 
+++ b/queue-5.4/selftests-powerpc-fix-resource-leaks.patch @@ -0,0 +1,51 @@ +From d48de542f7b2292674276991efcd91bf56013bc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 12:44:27 +0400 +Subject: selftests/powerpc: Fix resource leaks + +From: Miaoqian Lin + +[ Upstream commit 8f4ab7da904ab7027ccd43ddb4f0094e932a5877 ] + +In check_all_cpu_dscr_defaults, opendir() opens the directory stream. +Add missing closedir() in the error path to release it. + +In check_cpu_dscr_default, open() creates an open file descriptor. +Add missing close() in the error path to release it. + +Fixes: ebd5858c904b ("selftests/powerpc: Add test for all DSCR sysfs interfaces") +Signed-off-by: Miaoqian Lin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20221205084429.570654-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c b/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c +index 02f6b4efde14..e54d7a4089ea 100644 +--- a/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c ++++ b/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c +@@ -24,6 +24,7 @@ static int check_cpu_dscr_default(char *file, unsigned long val) + rc = read(fd, buf, sizeof(buf)); + if (rc == -1) { + perror("read() failed"); ++ close(fd); + return 1; + } + close(fd); +@@ -65,8 +66,10 @@ static int check_all_cpu_dscr_defaults(unsigned long val) + if (access(file, F_OK)) + continue; + +- if (check_cpu_dscr_default(file, val)) ++ if (check_cpu_dscr_default(file, val)) { ++ closedir(sysfs); + return 1; ++ } + } + closedir(sysfs); + return 0; +-- +2.35.1 + diff --git a/queue-5.4/serial-altera_uart-fix-locking-in-polling-mode.patch b/queue-5.4/serial-altera_uart-fix-locking-in-polling-mode.patch new file mode 100644 index 00000000000..85b1801f252 --- /dev/null 
+++ b/queue-5.4/serial-altera_uart-fix-locking-in-polling-mode.patch @@ -0,0 +1,51 @@ +From 6e9783eb04d089581965e9a831667a98b2fcf211 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 15:04:26 -0500 +Subject: serial: altera_uart: fix locking in polling mode + +From: Gabriel Somlo + +[ Upstream commit 1307c5d33cce8a41dd77c2571e4df65a5b627feb ] + +Since altera_uart_interrupt() may also be called from +a poll timer in "serving_softirq" context, use +spin_[lock_irqsave|unlock_irqrestore] variants, which +are appropriate for both softirq and hardware interrupt +contexts. + +Fixes: 2f8b9c15cd88 ("altera_uart: Add support for polling mode (IRQ-less)") +Signed-off-by: Gabriel Somlo +Link: https://lore.kernel.org/r/20221122200426.888349-1-gsomlo@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/altera_uart.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/altera_uart.c b/drivers/tty/serial/altera_uart.c +index 20c610440133..d91f76b1d353 100644 +--- a/drivers/tty/serial/altera_uart.c ++++ b/drivers/tty/serial/altera_uart.c +@@ -280,16 +280,17 @@ static irqreturn_t altera_uart_interrupt(int irq, void *data) + { + struct uart_port *port = data; + struct altera_uart *pp = container_of(port, struct altera_uart, port); ++ unsigned long flags; + unsigned int isr; + + isr = altera_uart_readl(port, ALTERA_UART_STATUS_REG) & pp->imr; + +- spin_lock(&port->lock); ++ spin_lock_irqsave(&port->lock, flags); + if (isr & ALTERA_UART_STATUS_RRDY_MSK) + altera_uart_rx_chars(port); + if (isr & ALTERA_UART_STATUS_TRDY_MSK) + altera_uart_tx_chars(port); +- spin_unlock(&port->lock); ++ spin_unlock_irqrestore(&port->lock, flags); + + return IRQ_RETVAL(isr); + } +-- +2.35.1 + diff --git a/queue-5.4/serial-amba-pl011-avoid-sbsa-uart-accessing-dmacr-re.patch b/queue-5.4/serial-amba-pl011-avoid-sbsa-uart-accessing-dmacr-re.patch new file mode 100644 index 00000000000..b186c19c406 
--- /dev/null +++ b/queue-5.4/serial-amba-pl011-avoid-sbsa-uart-accessing-dmacr-re.patch 
@@ -0,0 +1,93 @@ +From c76db63a5e88fe27e56d127b42084eb3bd5eeb39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 18:32:37 +0800 +Subject: serial: amba-pl011: avoid SBSA UART accessing DMACR register + +From: Jiamei Xie + +[ Upstream commit 94cdb9f33698478b0e7062586633c42c6158a786 ] + +Chapter "B Generic UART" in "ARM Server Base System Architecture" [1] +documentation describes a generic UART interface. Such generic UART +does not support DMA. In current code, sbsa_uart_pops and +amba_pl011_pops share the same stop_rx operation, which will invoke +pl011_dma_rx_stop, leading to an access of the DMACR register. This +commit adds a using_rx_dma check in pl011_dma_rx_stop to avoid the +access to DMACR register for SBSA UARTs which does not support DMA. + +When the kernel enables DMA engine with "CONFIG_DMA_ENGINE=y", Linux +SBSA PL011 driver will access PL011 DMACR register in some functions. +For most real SBSA Pl011 hardware implementations, the DMACR write +behaviour will be ignored. So these DMACR operations will not cause +obvious problems. But for some virtual SBSA PL011 hardware, like Xen +virtual SBSA PL011 (vpl011) device, the behaviour might be different. +Xen vpl011 emulation will inject a data abort to guest, when guest is +accessing an unimplemented UART register. As Xen VPL011 is SBSA +compatible, it will not implement DMACR register. 
So when Linux SBSA +PL011 driver access DMACR register, it will get an unhandled data abort +fault and the application will get a segmentation fault: +Unhandled fault at 0xffffffc00944d048 +Mem abort info: + ESR = 0x96000000 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x00: ttbr address size fault +Data abort info: + ISV = 0, ISS = 0x00000000 + CM = 0, WnR = 0 +swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000020e2e000 +[ffffffc00944d048] pgd=100000003ffff803, p4d=100000003ffff803, pud=100000003ffff803, pmd=100000003fffa803, pte=006800009c090f13 +Internal error: ttbr address size fault: 96000000 [#1] PREEMPT SMP +... +Call trace: + pl011_stop_rx+0x70/0x80 + tty_port_shutdown+0x7c/0xb4 + tty_port_close+0x60/0xcc + uart_close+0x34/0x8c + tty_release+0x144/0x4c0 + __fput+0x78/0x220 + ____fput+0x1c/0x30 + task_work_run+0x88/0xc0 + do_notify_resume+0x8d0/0x123c + el0_svc+0xa8/0xc0 + el0t_64_sync_handler+0xa4/0x130 + el0t_64_sync+0x1a0/0x1a4 +Code: b9000083 b901f001 794038a0 8b000042 (b9000041) +---[ end trace 83dd93df15c3216f ]--- +note: bootlogd[132] exited with preempt_count 1 +/etc/rcS.d/S07bootlogd: line 47: 132 Segmentation fault start-stop-daemon + +This has been discussed in the Xen community, and we think it should fix +this in Linux. See [2] for more information. 
+ +[1] https://developer.arm.com/documentation/den0094/c/?lang=en +[2] https://lists.xenproject.org/archives/html/xen-devel/2022-11/msg00543.html + +Fixes: 0dd1e247fd39 (drivers: PL011: add support for the ARM SBSA generic UART) +Signed-off-by: Jiamei Xie +Reviewed-by: Andre Przywara +Link: https://lore.kernel.org/r/20221117103237.86856-1-jiamei.xie@arm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/amba-pl011.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c +index 52b7d559b44b..44485689333e 100644 +--- a/drivers/tty/serial/amba-pl011.c ++++ b/drivers/tty/serial/amba-pl011.c +@@ -1053,6 +1053,9 @@ static void pl011_dma_rx_callback(void *data) + */ + static inline void pl011_dma_rx_stop(struct uart_amba_port *uap) + { ++ if (!uap->using_rx_dma) ++ return; ++ + /* FIXME. Just disable the DMA enable */ + uap->dmacr &= ~UART011_RXDMAE; + pl011_write(uap->dmacr, uap, REG_DMACR); +-- +2.35.1 + diff --git a/queue-5.4/serial-pch-fix-pci-device-refcount-leak-in-pch_reque.patch b/queue-5.4/serial-pch-fix-pci-device-refcount-leak-in-pch_reque.patch new file mode 100644 index 00000000000..e082aa02404 --- /dev/null +++ b/queue-5.4/serial-pch-fix-pci-device-refcount-leak-in-pch_reque.patch 
@@ -0,0 +1,58 @@ +From c17ad747615436a6115b7c613c66b25e9dd42d97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 19:45:59 +0800 +Subject: serial: pch: Fix PCI device refcount leak in pch_request_dma() + +From: Xiongfeng Wang + +[ Upstream commit 8be3a7bf773700534a6e8f87f6ed2ed111254be5 ] + +As comment of pci_get_slot() says, it returns a pci_device with its +refcount increased. The caller must decrement the reference count by +calling pci_dev_put(). + +Since 'dma_dev' is only used to filter the channel in filter(), we can +call pci_dev_put() before exiting from pch_request_dma(). Add the +missing pci_dev_put() for the normal and error path. + +Fixes: 3c6a483275f4 ("Serial: EG20T: add PCH_UART driver") +Signed-off-by: Xiongfeng Wang +Link: https://lore.kernel.org/r/20221122114559.27692-1-wangxiongfeng2@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/pch_uart.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c +index 77f18445bb98..a8b6759140dd 100644 +--- a/drivers/tty/serial/pch_uart.c ++++ b/drivers/tty/serial/pch_uart.c +@@ -718,6 +718,7 @@ static void pch_request_dma(struct uart_port *port) + if (!chan) { + dev_err(priv->port.dev, "%s:dma_request_channel FAILS(Tx)\n", + __func__); ++ pci_dev_put(dma_dev); + return; + } + priv->chan_tx = chan; +@@ -734,6 +735,7 @@ static void pch_request_dma(struct uart_port *port) + __func__); + dma_release_channel(priv->chan_tx); + priv->chan_tx = NULL; ++ pci_dev_put(dma_dev); + return; + } + +@@ -741,6 +743,8 @@ static void pch_request_dma(struct uart_port *port) + priv->rx_buf_virt = dma_alloc_coherent(port->dev, port->fifosize, + &priv->rx_buf_dma, GFP_KERNEL); + priv->chan_rx = chan; ++ ++ pci_dev_put(dma_dev); + } + + static void pch_dma_rx_complete(void *arg) +-- +2.35.1 + 
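Review bot: in pch_request_dma(), pci_dev_put(dma_dev) is now repeated on the Tx-failure return, the Rx-failure return and the normal exit, so any return added later will leak the reference again. Since the commit message says dma_dev is only needed for filter(), a single exit label that does the put (or dropping the reference right after the second channel request) would make that harder to get wrong. While touching this function, note that the result of dma_alloc_coherent() assigned to priv->rx_buf_virt is stored without a NULL check in the visible context.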
diff --git a/queue-5.4/serial-pl011-do-not-clear-rx-fifo-rx-interrupt-in-un.patch b/queue-5.4/serial-pl011-do-not-clear-rx-fifo-rx-interrupt-in-un.patch new file mode 100644 index 00000000000..2806e7b1c64 --- /dev/null +++ b/queue-5.4/serial-pl011-do-not-clear-rx-fifo-rx-interrupt-in-un.patch 
@@ -0,0 +1,52 @@ +From 120333385201d4102785a6e44e1544ade77ee674 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 10:01:08 +0800 +Subject: serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: delisun + +[ Upstream commit 032d5a71ed378ffc6a2d41a187d8488a4f9fe415 ] + +Clearing the RX FIFO will cause data loss. +Copy the pl011_enabl_interrupts implementation, and remove the clear +interrupt and FIFO part of the code. + +Fixes: 211565b10099 ("serial: pl011: UPSTAT_AUTORTS requires .throttle/unthrottle") +Signed-off-by: delisun +Reviewed-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20221110020108.7700-1-delisun@pateo.com.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/amba-pl011.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c +index 44485689333e..86084090232d 100644 +--- a/drivers/tty/serial/amba-pl011.c ++++ b/drivers/tty/serial/amba-pl011.c +@@ -1771,8 +1771,17 @@ static void pl011_enable_interrupts(struct uart_amba_port *uap) + static void pl011_unthrottle_rx(struct uart_port *port) + { + struct uart_amba_port *uap = container_of(port, struct uart_amba_port, port); ++ unsigned long flags; + +- pl011_enable_interrupts(uap); ++ spin_lock_irqsave(&uap->port.lock, flags); ++ ++ uap->im = UART011_RTIM; ++ if (!pl011_dma_rx_running(uap)) ++ uap->im |= UART011_RXIM; ++ ++ pl011_write(uap->im, uap, REG_IMSC); ++ ++ spin_unlock_irqrestore(&uap->port.lock, flags); + } + + static int pl011_startup(struct uart_port *port) +-- +2.35.1 + diff --git a/queue-5.4/serial-sunsab-fix-error-handling-in-sunsab_init.patch b/queue-5.4/serial-sunsab-fix-error-handling-in-sunsab_init.patch new file mode 100644 index 00000000000..49394b385f9 --- /dev/null 
+++ b/queue-5.4/serial-sunsab-fix-error-handling-in-sunsab_init.patch @@ -0,0 +1,46 @@ +From 5114ab8c497d7d2d5265f52d9461b21aa934863a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 06:12:12 +0000 +Subject: serial: sunsab: Fix error handling in sunsab_init() + +From: Yuan Can + +[ Upstream commit 1a6ec673fb627c26e2267ca0a03849f91dbd9b40 ] + +The sunsab_init() returns the platform_driver_register() directly without +checking its return value, if platform_driver_register() failed, the +allocated sunsab_ports is leaked. +Fix by free sunsab_ports and set it to NULL when platform_driver_register() +failed. + +Fixes: c4d37215a824 ("[SERIAL] sunsab: Convert to of_driver framework.") +Signed-off-by: Yuan Can +Link: https://lore.kernel.org/r/20221123061212.52593-1-yuancan@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sunsab.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/sunsab.c b/drivers/tty/serial/sunsab.c +index 72131b5e132e..beca02c30498 100644 +--- a/drivers/tty/serial/sunsab.c ++++ b/drivers/tty/serial/sunsab.c +@@ -1140,7 +1140,13 @@ static int __init sunsab_init(void) + } + } + +- return platform_driver_register(&sab_driver); ++ err = platform_driver_register(&sab_driver); ++ if (err) { ++ kfree(sunsab_ports); ++ sunsab_ports = NULL; ++ } ++ ++ return err; + } + + static void __exit sunsab_exit(void) +-- +2.35.1 + diff --git a/queue-5.4/serial-tegra-read-dma-status-before-terminating.patch b/queue-5.4/serial-tegra-read-dma-status-before-terminating.patch new file mode 100644 index 00000000000..c01768072d6 --- /dev/null +++ b/queue-5.4/serial-tegra-read-dma-status-before-terminating.patch 
@@ -0,0 +1,60 @@ +From 46db702855f95a60585ed50f11708bc13ea068c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 20:28:06 +0530 +Subject: serial: tegra: Read DMA status before terminating +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kartik + +[ Upstream commit 109a951a9f1fd8a34ebd1896cbbd5d5cede880a7 ] + +Read the DMA status before terminating the DMA, as doing so deletes +the DMA desc. + +Also, to get the correct transfer status information, pause the DMA +using dmaengine_pause() before reading the DMA status. + +Fixes: e9ea096dd225 ("serial: tegra: add serial driver") +Reviewed-by: Jon Hunter +Reviewed-by: Ilpo Järvinen +Acked-by: Thierry Reding +Signed-off-by: Akhil R +Signed-off-by: Kartik +Link: https://lore.kernel.org/r/1666105086-17326-1-git-send-email-kkartik@nvidia.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/serial-tegra.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/serial-tegra.c b/drivers/tty/serial/serial-tegra.c +index 431edb89e90f..aa67ca08fb26 100644 +--- a/drivers/tty/serial/serial-tegra.c ++++ b/drivers/tty/serial/serial-tegra.c +@@ -613,8 +613,9 @@ static void tegra_uart_stop_tx(struct uart_port *u) + if (tup->tx_in_progress != TEGRA_UART_TX_DMA) + return; + +- dmaengine_terminate_all(tup->tx_dma_chan); ++ dmaengine_pause(tup->tx_dma_chan); + dmaengine_tx_status(tup->tx_dma_chan, tup->tx_cookie, &state); ++ dmaengine_terminate_all(tup->tx_dma_chan); + count = tup->tx_bytes_requested - state.residue; + async_tx_ack(tup->tx_dma_desc); + uart_xmit_advance(&tup->uport, count); +@@ -753,8 +754,9 @@ static void tegra_uart_terminate_rx_dma(struct tegra_uart_port *tup) + if (!tup->rx_dma_active) + return; + +- dmaengine_terminate_all(tup->rx_dma_chan); ++ dmaengine_pause(tup->rx_dma_chan); + dmaengine_tx_status(tup->rx_dma_chan, tup->rx_cookie, &state); ++ 
dmaengine_terminate_all(tup->rx_dma_chan); + + tegra_uart_rx_buffer_push(tup, state.residue); + tup->rx_dma_active = false; +-- +2.35.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 649b5440057..671d0ff3399 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -16,3 +16,417 @@ hid-ite-enable-quirk_touchpad_on_off_report-on-acer-.patch-30680 hid-uclogic-add-hid_quirk_hidinput_force-quirk.patch bluetooth-l2cap-fix-u8-overflow.patch net-loopback-use-net_name_predictable-for-name_assig.patch +usb-musb-remove-extra-check-in-musb_gadget_vbus_draw.patch +arm-dts-qcom-apq8064-fix-coresight-compatible.patch +arm64-dts-qcom-sdm845-cheza-fix-ap-suspend-pin-bias.patch +drivers-soc-ti-knav_qmss_queue-mark-knav_acc_firmwar.patch +soc-qcom-llcc-cleanup-to-get-rid-of-sdm845-specific-.patch +soc-qcom-rename-llcc-slice-to-llcc-qcom.patch +soc-qcom-llcc-make-irq-truly-optional.patch +arm-dts-spear600-fix-clcd-interrupt.patch +soc-ti-knav_qmss_queue-use-pm_runtime_resume_and_get.patch +soc-ti-knav_qmss_queue-fix-pm-disable-depth-imbalanc.patch +soc-ti-smartreflex-fix-pm-disable-depth-imbalance-in.patch +perf-arm_dsu-fix-hotplug-callback-leak-in-dsu_pmu_in.patch +perf-smmuv3-fix-hotplug-callback-leak-in-arm_smmu_pm.patch +arm64-dts-mt2712e-fix-unit_address_vs_reg-warning-fo.patch +arm64-dts-mt2712e-fix-unit-address-for-pinctrl-node.patch +arm64-dts-mt2712-evb-fix-vproc-fixed-regulators-unit.patch +arm64-dts-mt2712-evb-fix-usb-vbus-regulators-unit-na.patch +arm64-dts-mediatek-mt6797-fix-26m-oscillator-unit-na.patch +arm-dts-dove-fix-assigned-addresses-for-every-pcie-r.patch +arm-dts-armada-370-fix-assigned-addresses-for-every-.patch +arm-dts-armada-xp-fix-assigned-addresses-for-every-p.patch +arm-dts-armada-375-fix-assigned-addresses-for-every-.patch +arm-dts-armada-38x-fix-assigned-addresses-for-every-.patch +arm-dts-armada-39x-fix-assigned-addresses-for-every-.patch +arm-dts-turris-omnia-add-ethernet-aliases.patch +arm-dts-turris-omnia-add-switch-port-6-node.patch +arm-dts-armada-38x-fix-compatible-string-for-gpios.patch +arm-dts-armada-39x-fix-compatible-string-for-gpios.patch +arm64-dts-armada-3720-turris-mox-add-missing-interru.patch +pstore-ram-fix-error-return-code-in-ramoops_probe.patch +arm-mmp-fix-timer_read-delay.patch 
+pstore-avoid-kcore-oops-by-vmap-ing-with-vm_ioremap.patch +tpm-tpm_crb-fix-error-message-in-__crb_relinquish_lo.patch +cpuidle-dt-return-the-correct-numbers-of-parsed-idle.patch +alpha-fix-syscall-entry-in-audut_syscall-case.patch +pm-hibernate-fix-mistake-in-kerneldoc-comment.patch +fs-don-t-audit-the-capability-check-in-simple_xattr_.patch +selftests-ftrace-event_triggers-wait-longer-for-test.patch +perf-fix-possible-memleak-in-pmu_dev_alloc.patch +debugobjects-free-per-cpu-pool-after-cpu-unplug.patch +lib-debugobjects-fix-stat-count-and-optimize-debug_o.patch +timerqueue-use-rb_entry_safe-in-timerqueue_getnext.patch +proc-fixup-uptime-selftest.patch +lib-fonts-fix-undefined-behavior-in-bit-shift-for-ge.patch +ocfs2-fix-memory-leak-in-ocfs2_stack_glue_init.patch +mips-vpe-mt-fix-possible-memory-leak-while-module-ex.patch +mips-vpe-cmp-fix-possible-memory-leak-while-module-e.patch +selftests-efivarfs-add-checking-of-the-test-return-v.patch +pnp-fix-name-memory-leak-in-pnp_alloc_dev.patch +perf-x86-intel-uncore-fix-reference-count-leak-in-hs.patch +irqchip-gic-pm-use-pm_runtime_resume_and_get-in-gic_.patch +edac-i10nm-fix-refcount-leak-in-pci_get_dev_wrapper.patch +nfsd-don-t-call-nfsd_file_put-from-client-states-seq.patch +genirq-irqdesc-don-t-try-to-remove-non-existing-sysf.patch +cpufreq-amd_freq_sensitivity-add-missing-pci_dev_put.patch +libfs-add-define_simple_attribute_signed-for-signed-.patch +lib-notifier-error-inject-fix-error-when-writing-err.patch +docs-fault-injection-fix-non-working-usage-of-negati.patch +debugfs-fix-error-when-writing-negative-value-to-ato.patch +ocfs2-ocfs2_mount_volume-does-cleanup-job-before-ret.patch +ocfs2-rewrite-error-handling-of-ocfs2_fill_super.patch +ocfs2-fix-memory-leak-in-ocfs2_mount_volume.patch +rapidio-fix-possible-name-leaks-when-rio_add_device-.patch +rapidio-rio-fix-possible-name-leak-in-rio_register_m.patch +clocksource-drivers-sh_cmt-make-sure-channel-clock-s.patch 
+acpica-fix-use-after-free-in-acpi_ut_copy_ipackage_t.patch +uprobes-x86-allow-to-probe-a-nop-instruction-with-0x.patch +xen-events-only-register-debug-interrupt-for-2-level.patch +x86-xen-fix-memory-leak-in-xen_smp_intr_init-_pv.patch +x86-xen-fix-memory-leak-in-xen_init_lock_cpu.patch +xen-privcmd-fix-a-possible-warning-in-privcmd_ioctl_.patch +pm-runtime-improve-path-in-rpm_idle-when-no-callback.patch +pm-runtime-do-not-call-__rpm_callback-from-rpm_idle.patch +platform-x86-mxm-wmi-fix-memleak-in-mxm_wmi_call_mx-.patch +mips-bcm63xx-add-check-for-null-for-clk-in-clk_enabl.patch +mips-octeon-warn-only-once-if-deprecated-link-status.patch +fs-sysv-fix-sysv_nblocks-returns-wrong-value.patch +rapidio-fix-possible-uaf-when-kfifo_alloc-fails.patch +eventfd-change-int-to-__u64-in-eventfd_signal-ifndef.patch +relay-fix-type-mismatch-when-allocating-memory-in-re.patch +hfs-fix-oob-write-in-hfs_asc2mac.patch +rapidio-devices-fix-missing-put_device-in-mport_cdev.patch +wifi-ath9k-hif_usb-fix-memory-leak-of-urbs-in-ath9k_.patch +wifi-ath9k-hif_usb-fix-use-after-free-in-ath9k_hif_u.patch +wifi-rtl8xxxu-fix-reading-the-vendor-of-combo-chips.patch +pata_ipx4xx_cf-fix-unsigned-comparison-with-less-tha.patch +powerpc-dts-t208x-mark-mac1-and-mac2-as-10g.patch +media-i2c-ad5820-fix-error-path.patch +can-kvaser_usb-do-not-increase-tx-statistics-when-se.patch +can-kvaser_usb-kvaser_usb_leaf-get-capabilities-from.patch +can-kvaser_usb-kvaser_usb_leaf-rename-leaf-usbcan-_c.patch +can-kvaser_usb-kvaser_usb_leaf-handle-cmd_error_even.patch +can-kvaser_usb_leaf-set-warning-state-even-without-b.patch +can-kvaser_usb_leaf-fix-improved-state-not-being-rep.patch +can-kvaser_usb_leaf-fix-wrong-can-state-after-stoppi.patch +can-kvaser_usb_leaf-fix-bogus-restart-events.patch +can-kvaser_usb-add-struct-kvaser_usb_busparams.patch +can-kvaser_usb-compare-requested-bittiming-parameter.patch +clk-renesas-r9a06g032-repair-grave-increment-error.patch +spi-update-reference-to-struct-spi_controller.patch 
+drm-panel-panel-sitronix-st7701-remove-panel-on-dsi-.patch +ima-rename-internal-filter-rule-functions.patch +ima-fix-fall-through-warnings-for-clang.patch +ima-handle-estale-returned-by-ima_filter_rule_match.patch +media-vivid-fix-compose-size-exceed-boundary.patch +bpf-propagate-precision-in-alu-alu64-operations.patch +mtd-fix-device-name-leak-when-register-device-failed.patch +wifi-rsi-fix-handling-of-802.3-eapol-frames-sent-via.patch +media-camss-clean-up-received-buffers-on-failed-star.patch +net-proc-provide-proc_fs-n-fallback-for-proc_create_.patch +rxrpc-fix-ack.buffersize-to-be-0-when-generating-an-.patch +drm-radeon-add-the-missed-acpi_put_table-to-fix-memo.patch +drm-mediatek-modify-dpi-power-on-off-sequence.patch +asoc-pxa-fix-null-pointer-dereference-in-filter.patch +regulator-core-fix-unbalanced-of-node-refcount-in-re.patch +amdgpu-pm-prevent-array-underflow-in-vega20_odn_edit.patch +integrity-fix-memory-leakage-in-keyring-allocation-e.patch +ima-fix-misuse-of-dereference-of-pointer-in-template.patch +wifi-ath10k-fix-return-value-in-ath10k_pci_init.patch +mtd-lpddr2_nvm-fix-possible-null-ptr-deref.patch +input-elants_i2c-properly-handle-the-reset-gpio-when.patch +media-solo6x10-fix-possible-memory-leak-in-solo_sysf.patch +media-platform-exynos4-is-fix-error-handling-in-fimc.patch +media-videobuf-dma-contig-use-dma_mmap_coherent.patch +bpf-move-skb-len-0-checks-into-__bpf_redirect.patch +hid-hid-sensor-custom-set-fixed-size-for-custom-attr.patch +alsa-pcm-fix-undefined-behavior-in-bit-shift-for-snd.patch +alsa-seq-fix-undefined-behavior-in-bit-shift-for-snd.patch +regulator-core-use-kfree_const-to-free-space-conditi.patch +clk-rockchip-fix-memory-leak-in-rockchip_clk_registe.patch +bonding-export-skip-slave-logic-to-function.patch +bonding-rename-slave_arr-to-usable_slaves.patch +bonding-fix-link-recovery-in-mode-2-when-updelay-is-.patch +mtd-maps-pxa2xx-flash-fix-memory-leak-in-probe.patch +media-imon-fix-a-race-condition-in-send_packet.patch 
+clk-imx8mn-correct-the-usb1_ctrl-parent-to-be-usb_bu.patch +clk-imx-replace-osc_hdmi-with-dummy.patch +pinctrl-pinconf-generic-add-missing-of_node_put.patch +media-dvb-core-fix-ignored-return-value-in-dvb_regis.patch +media-dvb-usb-az6027-fix-null-ptr-deref-in-az6027_i2.patch +media-s5p-mfc-add-variant-data-for-mfc-v7-hardware-f.patch +drm-tegra-add-missing-clk_disable_unprepare-in-tegra.patch +asoc-dt-bindings-wcd9335-fix-reset-line-polarity-in-.patch +asoc-mediatek-mtk-btcvsd-add-checks-for-write-and-re.patch +nfsv4.2-clear-fattr4_word2_security_label-when-done-.patch +nfsv4.2-fix-a-memory-stomp-in-decode_attr_security_l.patch +nfsv4.2-fix-initialisation-of-struct-nfs4_label.patch +nfsv4-fix-a-deadlock-between-nfs4_open_recover_helpe.patch +alsa-asihpi-fix-missing-pci_disable_device.patch +wifi-iwlwifi-mvm-fix-double-free-on-tx-path.patch +asoc-mediatek-mt8173-enable-irq-when-pdata-is-ready.patch +drm-radeon-fix-pci-device-refcount-leak-in-radeon_at.patch +drm-amdgpu-fix-pci-device-refcount-leak-in-amdgpu_at.patch +asoc-pcm512x-fix-pm-disable-depth-imbalance-in-pcm51.patch +netfilter-conntrack-set-icmpv6-redirects-as-related.patch +bpf-sockmap-fix-repeated-calls-to-sock_put-when-msg-.patch +bpf-sockmap-fix-data-loss-caused-by-using-apply_byte.patch +bonding-uninitialized-variable-in-bond_miimon_inspec.patch +spi-spidev-mask-spi_cs_high-in-spi_ioc_rd_mode.patch +wifi-mac80211-fix-memory-leak-in-ieee80211_if_add.patch +wifi-cfg80211-fix-not-unregister-reg_pdev-when-load_.patch +regulator-core-fix-module-refcount-leak-in-set_suppl.patch +clk-qcom-clk-krait-fix-wrong-div2-functions.patch +hsr-avoid-double-remove-of-a-node.patch +configfs-fix-possible-memory-leak-in-configfs_create.patch +regulator-core-fix-resource-leak-in-regulator_regist.patch +bpf-sockmap-fix-race-in-sock_map_free.patch +media-saa7164-fix-missing-pci_disable_device.patch +alsa-mts64-fix-possible-null-ptr-defer-in-snd_mts64_.patch +xprtrdma-fix-regbuf-data-not-freed-in-rpcrdma_req_cr.patch 
+sunrpc-fix-missing-release-socket-in-rpc_sockname.patch +nfsv4.x-fail-client-initialisation-if-state-manager-.patch +mmc-alcor-fix-return-value-check-of-mmc_add_host.patch +mmc-moxart-fix-return-value-check-of-mmc_add_host.patch +mmc-mxcmmc-fix-return-value-check-of-mmc_add_host.patch +mmc-pxamci-fix-return-value-check-of-mmc_add_host.patch +mmc-rtsx_usb_sdmmc-fix-return-value-check-of-mmc_add.patch +mmc-toshsd-fix-return-value-check-of-mmc_add_host.patch +mmc-vub300-fix-return-value-check-of-mmc_add_host.patch +mmc-wmt-sdmmc-fix-return-value-check-of-mmc_add_host.patch +mmc-atmel-mci-fix-return-value-check-of-mmc_add_host.patch +mmc-omap_hsmmc-fix-return-value-check-of-mmc_add_hos.patch +mmc-meson-gx-fix-return-value-check-of-mmc_add_host.patch +mmc-via-sdmmc-fix-return-value-check-of-mmc_add_host.patch +mmc-wbsd-fix-return-value-check-of-mmc_add_host.patch +mmc-mmci-fix-return-value-check-of-mmc_add_host.patch +media-c8sectpfe-add-of_node_put-when-breaking-out-of.patch +media-coda-add-check-for-dcoda_iram_alloc.patch +media-coda-add-check-for-kmalloc.patch +clk-samsung-fix-memory-leak-in-_samsung_clk_register.patch +spi-spi-gpio-don-t-set-mosi-as-an-input-if-not-3wire.patch +wifi-rtl8xxxu-add-__packed-to-struct-rtl8723bu_c2h.patch +wifi-brcmfmac-fix-error-return-code-in-brcmf_sdio_do.patch +blktrace-fix-output-non-blktrace-event-when-blk_clas.patch +clk-socfpga-clk-pll-remove-unused-variable-rc.patch +clk-socfpga-use-clk_hw_register-for-a5-c5.patch +clk-socfpga-fix-memory-leak-in-socfpga_gate_init.patch +net-vmw_vsock-vmci-check-memcpy_from_msg.patch +net-defxx-fix-missing-err-handling-in-dfx_init.patch +net-stmmac-selftests-fix-potential-memleak-in-stmmac.patch +drivers-net-qlcnic-fix-potential-memory-leak-in-qlcn.patch +of-overlay-fix-null-pointer-dereferencing-in-find_du.patch +ethernet-s2io-don-t-call-dev_kfree_skb-under-spin_lo.patch +net-farsync-fix-kmemleak-when-rmmods-farsync.patch +net-tunnel-wait-until-all-sk_user_data-reader-finish.patch 
+net-apple-mace-don-t-call-dev_kfree_skb-under-spin_l.patch +net-apple-bmac-don-t-call-dev_kfree_skb-under-spin_l.patch +net-emaclite-don-t-call-dev_kfree_skb-under-spin_loc.patch +net-ethernet-dnet-don-t-call-dev_kfree_skb-under-spi.patch +hamradio-don-t-call-dev_kfree_skb-under-spin_lock_ir.patch +net-amd-lance-don-t-call-dev_kfree_skb-under-spin_lo.patch +net-amd-xgbe-fix-logic-around-active-and-passive-cab.patch +net-amd-xgbe-check-only-the-minimum-speed-for-active.patch +can-tcan4x5x-remove-invalid-write-in-clear_interrupt.patch +net-lan9303-fix-read-error-execution-path.patch +ntb_netdev-use-dev_kfree_skb_any-in-interrupt-contex.patch +bluetooth-btusb-don-t-call-kfree_skb-under-spin_lock.patch +bluetooth-hci_qca-don-t-call-kfree_skb-under-spin_lo.patch +bluetooth-hci_ll-don-t-call-kfree_skb-under-spin_loc.patch +bluetooth-hci_h5-don-t-call-kfree_skb-under-spin_loc.patch +bluetooth-hci_bcsp-don-t-call-kfree_skb-under-spin_l.patch +bluetooth-hci_core-don-t-call-kfree_skb-under-spin_l.patch +bluetooth-rfcomm-don-t-call-kfree_skb-under-spin_loc.patch +stmmac-fix-potential-division-by-0.patch +apparmor-fix-a-memleak-in-multi_transaction_new.patch +apparmor-fix-lockdep-warning-when-removing-a-namespa.patch +apparmor-fix-abi-check-to-include-v8-abi.patch +apparmor-use-pointer-to-struct-aa_label-for-lbs_cred.patch +rdma-core-fix-order-of-nldev_exit-call.patch +f2fs-fix-normal-discard-process.patch +rdma-siw-fix-immediate-work-request-flush-to-complet.patch +rdma-nldev-return-eagain-if-the-cm_id-isn-t-from-exp.patch +rdma-siw-set-defined-status-for-work-completion-with.patch +scsi-scsi_debug-fix-a-warning-in-resp_write_scat.patch +crypto-ccree-swap-sha384-and-sha512-larval-hashes-at.patch +crypto-ccree-remove-debugfs-when-platform_driver_reg.patch +pci-check-for-alloc-failure-in-pci_request_irq.patch +rdma-hfi-decrease-pci-device-reference-count-in-erro.patch +crypto-ccree-make-cc_debugfs_global_fini-available-f.patch 
+rdma-rxe-fix-null-ptr-deref-in-rxe_qp_do_cleanup-whe.patch +scsi-hpsa-fix-possible-memory-leak-in-hpsa_init_one.patch +crypto-tcrypt-fix-multibuffer-skcipher-speed-test-me.patch +scsi-mpt3sas-fix-possible-resource-leaks-in-mpt3sas_.patch +scsi-hpsa-fix-error-handling-in-hpsa_add_sas_host.patch +scsi-hpsa-fix-possible-memory-leak-in-hpsa_add_sas_d.patch +scsi-fcoe-fix-possible-name-leak-when-device_registe.patch +scsi-ipr-fix-warning-in-ipr_init.patch +scsi-fcoe-fix-transport-not-deattached-when-fcoe_if_.patch +scsi-snic-fix-possible-uaf-in-snic_tgt_create.patch +rdma-nldev-add-checks-for-nla_nest_start-in-fill_sta.patch +f2fs-avoid-victim-selection-from-previous-victim-sec.patch +crypto-omap-sham-use-pm_runtime_resume_and_get-in-om.patch +rdma-hfi1-fix-error-return-code-in-parse_platform_co.patch +orangefs-fix-sysfs-not-cleanup-when-dev-init-failed.patch +crypto-img-hash-fix-variable-dereferenced-before-che.patch +hwrng-amd-fix-pci-device-refcount-leak.patch +hwrng-geode-fix-pci-device-refcount-leak.patch +ib-ipoib-fix-queue-count-inconsistency-for-pkey-chil.patch +drivers-dio-fix-possible-memory-leak-in-dio_init.patch +tty-serial-tegra-activate-rx-dma-transfer-by-request.patch +serial-tegra-read-dma-status-before-terminating.patch +class-fix-possible-memory-leak-in-__class_register.patch +vfio-platform-do-not-pass-return-buffer-to-acpi-_rst.patch +uio-uio_dmem_genirq-fix-missing-unlock-in-irq-config.patch +uio-uio_dmem_genirq-fix-deadlock-between-irq-config-.patch +usb-fotg210-udc-fix-ages-old-endianness-issues.patch +staging-vme_user-fix-possible-uaf-in-tsi148_dma_list.patch +usb-typec-check-for-ops-exit-instead-of-ops-enter-in.patch +usb-typec-tcpci-fix-of-node-refcount-leak-in-tcpci_r.patch +serial-amba-pl011-avoid-sbsa-uart-accessing-dmacr-re.patch +serial-pl011-do-not-clear-rx-fifo-rx-interrupt-in-un.patch +serial-pch-fix-pci-device-refcount-leak-in-pch_reque.patch +tty-serial-clean-up-stop-tx-part-in-altera_uart_tx_c.patch 
+tty-serial-altera_uart_-r-t-x_chars-need-only-uart_p.patch +serial-altera_uart-fix-locking-in-polling-mode.patch +serial-sunsab-fix-error-handling-in-sunsab_init.patch +test_firmware-fix-memory-leak-in-test_firmware_init.patch +misc-ocxl-fix-possible-name-leak-in-ocxl_file_regist.patch +misc-tifm-fix-possible-memory-leak-in-tifm_7xx1_swit.patch +misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch +cxl-fix-possible-null-ptr-deref-in-cxl_guest_init_af.patch +cxl-fix-possible-null-ptr-deref-in-cxl_pci_init_afu-.patch +counter-stm32-lptimer-cnt-fix-the-check-on-arr-and-c.patch +usb-roles-fix-of-node-refcount-leak-in-usb_role_swit.patch +usb-gadget-f_hid-optional-setup-set_report-mode.patch +usb-gadget-f_hid-fix-f_hidg-lifetime-vs-cdev.patch +usb-gadget-f_hid-fix-refcount-leak-on-error-path.patch +drivers-mcb-fix-resource-leak-in-mcb_probe.patch +mcb-mcb-parse-fix-error-handing-in-chameleon_parse_g.patch +chardev-fix-error-handling-in-cdev_device_add.patch +i2c-pxa-pci-fix-missing-pci_disable_device-on-error-.patch +staging-rtl8192u-fix-use-after-free-in-ieee80211_rx.patch +staging-rtl8192e-fix-potential-use-after-free-in-rtl.patch +vme-fix-error-not-catched-in-fake_init.patch +drivers-provide-devm_platform_get_and_ioremap_resour.patch +i2c-mux-reg-check-return-value-after-calling-platfor.patch +i2c-ismt-fix-an-out-of-bounds-bug-in-ismt_access.patch +usb-storage-add-check-for-kcalloc.patch +tracing-hist-fix-issue-of-losting-command-info-in-er.patch +samples-vfio-mdev-fix-missing-pci_disable_device-in-.patch +fbdev-ssd1307fb-drop-optional-dependency.patch +fbdev-pm2fb-fix-missing-pci_disable_device.patch +fbdev-via-fix-error-in-via_core_init.patch +fbdev-vermilion-decrease-reference-count-in-error-pa.patch +fbdev-uvesafb-fixes-an-error-handling-path-in-uvesaf.patch +hsi-omap_ssi_core-fix-unbalanced-pm_runtime_disable.patch +hsi-omap_ssi_core-fix-possible-memory-leak-in-ssi_pr.patch +power-supply-fix-residue-sysfs-file-in-error-handle-.patch 
+perf-trace-return-error-if-a-system-call-doesn-t-exi.patch +perf-trace-separate-struct-syscall_fmt-definition-fr.patch +perf-trace-factor-out-the-initialization-of-syscal_a.patch +perf-trace-add-the-syscall_arg_fmt-pointer-to-syscal.patch +perf-trace-allow-associating-scnprintf-routines-with.patch +perf-trace-add-a-strtoul-method-to-struct-syscall_ar.patch +perf-trace-use-macro-raw_syscall_args_num-to-replace.patch +perf-trace-handle-failure-when-trace-point-folder-is.patch +perf-symbol-correction-while-adjusting-symbol.patch +hsi-omap_ssi_core-fix-error-handling-in-ssi_init.patch +power-supply-fix-null-pointer-dereferencing-in-power.patch +rdma-siw-fix-pointer-cast-warning.patch +include-uapi-linux-swab-fix-potentially-missing-__al.patch +rtc-cmos-refactor-code-by-using-the-new-dmi_get_bios.patch +rtc-rtc-cmos-do-not-check-acpi_fadt_low_power_s0.patch +rtc-cmos-fix-event-handler-registration-ordering-iss.patch +rtc-cmos-fix-wake-alarm-breakage.patch +rtc-cmos-fix-build-on-non-acpi-platforms.patch +rtc-cmos-call-cmos_wake_setup-from-cmos_do_probe.patch +rtc-cmos-call-rtc_wake_setup-from-cmos_do_probe.patch +rtc-cmos-eliminate-forward-declarations-of-some-func.patch +rtc-cmos-rename-acpi-related-functions.patch +rtc-cmos-disable-acpi-rtc-event-on-removal.patch +rtc-snvs-allow-a-time-difference-on-clock-register-r.patch +rtc-pcf85063-fix-reading-alarm.patch +iommu-amd-fix-pci-device-refcount-leak-in-ppr_notifi.patch +iommu-fsl_pamu-fix-resource-leak-in-fsl_pamu_probe.patch +macintosh-fix-possible-memory-leak-in-macio_add_one_.patch +macintosh-macio-adb-check-the-return-value-of-iorema.patch +powerpc-52xx-fix-a-resource-leak-in-an-error-handlin.patch +cxl-fix-refcount-leak-in-cxl_calc_capp_routing.patch +powerpc-xive-add-missing-iounmap-in-error-path-in-xi.patch +powerpc-perf-callchain-validate-kernel-stack-pointer.patch +powerpc-83xx-mpc832x_rdb-call-platform_device_put-in.patch +powerpc-hv-gpci-fix-hv_gpci-event-list.patch 
+selftests-powerpc-fix-resource-leaks.patch +pwm-sifive-call-pwm_sifive_update_clock-while-mutex-.patch +remoteproc-sysmon-fix-memory-leak-in-qcom_add_sysmon.patch +remoteproc-qcom_q6v5_pas-fix-missing-of_node_put-in-.patch +powerpc-eeh-fix-pseries_eeh_configure_bridge.patch +powerpc-pseries-pcie-phb-reset.patch +powerpc-pseries-stop-using-eeh_ops-init.patch +powerpc-eeh-drop-redundant-spinlock-initialization.patch +powerpc-pseries-eeh-use-correct-api-for-error-log-si.patch +rtc-st-lpc-add-missing-clk_disable_unprepare-in-st_r.patch +rtc-pic32-move-devm_rtc_allocate_device-earlier-in-p.patch +nfsd-define-the-file-access-mode-enum-for-tracing.patch +nfsd-add-tracepoints-to-nfsd-s-duplicate-reply-cache.patch +nfsd-under-nfsv4.1-fix-double-svc_xprt_put-on-rpc_cr.patch +misdn-hfcsusb-don-t-call-dev_kfree_skb-kfree_skb-und.patch +misdn-hfcpci-don-t-call-dev_kfree_skb-kfree_skb-unde.patch +misdn-hfcmulti-don-t-call-dev_kfree_skb-kfree_skb-un.patch +nfc-pn533-clear-nfc_target-before-being-used.patch +r6040-fix-kmemleak-in-probe-and-remove.patch +rtc-mxc_v2-add-missing-clk_disable_unprepare.patch +openvswitch-fix-flow-lookup-to-use-unmasked-key.patch +skbuff-account-for-tail-adjustment-during-pull-opera.patch +mailbox-zynq-ipi-fix-error-handling-while-device_reg.patch +net_sched-reject-tcf_em_simple-case-for-complex-emat.patch +rxrpc-fix-missing-unlock-in-rxrpc_do_sendmsg.patch +myri10ge-fix-an-error-handling-path-in-myri10ge_prob.patch +net-stream-purge-sk_error_queue-in-sk_stream_kill_qu.patch +rcu-fix-__this_cpu_read-lockdep-warning-in-rcu_force.patch +binfmt_misc-fix-shift-out-of-bounds-in-check_special.patch +fs-jfs-fix-shift-out-of-bounds-in-dballocag.patch +udf-avoid-double-brelse-in-udf_rename.patch +fs-jfs-fix-shift-out-of-bounds-in-dbdiscardag.patch +acpica-fix-error-code-path-in-acpi_ds_call_control_m.patch +nilfs2-fix-shift-out-of-bounds-overflow-in-nilfs_sb2.patch +acct-fix-potential-integer-overflow-in-encode_comp_t.patch 
+hfs-fix-oob-read-in-__hfs_brec_find.patch +drm-etnaviv-add-missing-quirks-for-gc300.patch +brcmfmac-return-error-when-getting-invalid-max_flowr.patch +wifi-ath9k-verify-the-expected-usb_endpoints-are-pre.patch +wifi-ar5523-fix-use-after-free-on-ar5523_cmd-timed-o.patch +asoc-codecs-rt298-add-quirk-for-kbl-r-rvp-platform.patch +ipmi-fix-memleak-when-unload-ipmi-driver.patch +bpf-make-sure-skb-len-0-when-redirecting-to-a-tunnel.patch +net-ethernet-ti-fix-return-type-of-netcp_ndo_start_x.patch +hamradio-baycom_epp-fix-return-type-of-baycom_send_p.patch +wifi-brcmfmac-fix-potential-shift-out-of-bounds-in-b.patch +igb-do-not-free-q_vector-unless-new-one-was-allocate.patch +s390-ctcm-fix-return-type-of-ctc-mp-m_tx.patch +s390-netiucv-fix-return-type-of-netiucv_tx.patch +s390-lcs-fix-return-type-of-lcs_start_xmit.patch +drm-rockchip-use-drm_mode_copy.patch +drm-sti-use-drm_mode_copy.patch +drivers-md-md-bitmap-check-the-return-value-of-md_bi.patch +md-raid1-stop-mdx_raid1-thread-when-raid1-array-run-.patch +net-add-atomic_long_t-to-net_device_stats-fields.patch +mrp-introduce-active-flags-to-prevent-uaf-when-appli.patch +ppp-associate-skb-with-a-device-at-tx.patch +bpf-prevent-decl_tag-from-being-referenced-in-func_p.patch +media-dvb-frontends-fix-leak-of-memory-fw.patch +media-dvbdev-adopts-refcnt-to-avoid-uaf.patch +media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch +blk-mq-fix-possible-memleak-when-register-hctx-faile.patch +regulator-core-fix-use_count-leakage-when-handling-b.patch +mmc-f-sdh30-add-quirks-for-broken-timeout-clock-capa.patch +media-si470x-fix-use-after-free-in-si470x_int_in_cal.patch +clk-st-fix-memory-leak-in-st_of_quadfs_setup.patch +hugetlbfs-fix-null-ptr-deref-in-hugetlbfs_parse_para.patch +drm-fsl-dcu-fix-return-type-of-fsl_dcu_drm_connector.patch +drm-sti-fix-return-type-of-sti_-dvo-hda-hdmi-_connec.patch +orangefs-fix-kmemleak-in-orangefs_prepare_debugfs_he.patch +orangefs-fix-kmemleak-in-orangefs_-kernel-client-_de.patch 
diff --git a/queue-5.4/skbuff-account-for-tail-adjustment-during-pull-opera.patch b/queue-5.4/skbuff-account-for-tail-adjustment-during-pull-opera.patch new file mode 100644 index 00000000000..800b5da1337 --- /dev/null +++ b/queue-5.4/skbuff-account-for-tail-adjustment-during-pull-opera.patch 
@@ -0,0 +1,66 @@ +From f1427bf3704426459da2fe513e2ab7dbaa7324ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Dec 2022 23:11:58 -0700 +Subject: skbuff: Account for tail adjustment during pull operations + +From: Subash Abhinov Kasiviswanathan + +[ Upstream commit 2d7afdcbc9d32423f177ee12b7c93783aea338fb ] + +Extending the tail can have some unexpected side effects if a program uses +a helper like BPF_FUNC_skb_pull_data to read partial content beyond the +head skb headlen when all the skbs in the gso frag_list are linear with no +head_frag - + + kernel BUG at net/core/skbuff.c:4219! + pc : skb_segment+0xcf4/0xd2c + lr : skb_segment+0x63c/0xd2c + Call trace: + skb_segment+0xcf4/0xd2c + __udp_gso_segment+0xa4/0x544 + udp4_ufo_fragment+0x184/0x1c0 + inet_gso_segment+0x16c/0x3a4 + skb_mac_gso_segment+0xd4/0x1b0 + __skb_gso_segment+0xcc/0x12c + udp_rcv_segment+0x54/0x16c + udp_queue_rcv_skb+0x78/0x144 + udp_unicast_rcv_skb+0x8c/0xa4 + __udp4_lib_rcv+0x490/0x68c + udp_rcv+0x20/0x30 + ip_protocol_deliver_rcu+0x1b0/0x33c + ip_local_deliver+0xd8/0x1f0 + ip_rcv+0x98/0x1a4 + deliver_ptype_list_skb+0x98/0x1ec + __netif_receive_skb_core+0x978/0xc60 + +Fix this by marking these skbs as GSO_DODGY so segmentation can handle +the tail updates accordingly. + +Fixes: 3dcbdb134f32 ("net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list") +Signed-off-by: Sean Tranchetti +Signed-off-by: Subash Abhinov Kasiviswanathan +Reviewed-by: Alexander Duyck +Link: https://lore.kernel.org/r/1671084718-24796-1-git-send-email-quic_subashab@quicinc.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/skbuff.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index e9c796e2944e..0547aa2c8b13 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2115,6 +2115,9 @@ void *__pskb_pull_tail(struct sk_buff *skb, int delta) + insp = list; + } else { + /* Eaten partially. 
*/ ++ if (skb_is_gso(skb) && !list->head_frag && ++ skb_headlen(list)) ++ skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY; + + if (skb_shared(list)) { + /* Sucks! We need to fork list. :-( */ +-- +2.35.1 + diff --git a/queue-5.4/soc-qcom-llcc-cleanup-to-get-rid-of-sdm845-specific-.patch b/queue-5.4/soc-qcom-llcc-cleanup-to-get-rid-of-sdm845-specific-.patch new file mode 100644 index 00000000000..479284d1c76 --- /dev/null +++ b/queue-5.4/soc-qcom-llcc-cleanup-to-get-rid-of-sdm845-specific-.patch 
@@ -0,0 +1,361 @@ +From d32095a22ff3e4994e74422f3a96a5b5be74a12f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jul 2019 18:32:36 +0530 +Subject: soc: qcom: llcc cleanup to get rid of sdm845 specific driver file + +From: Vivek Gautam + +[ Upstream commit a14b820316e84310b1bad3701a8d4c9159377633 ] + +A single file should suffice the need to program the llcc for +various platforms. Get rid of sdm845 specific driver file to +make way for a more generic driver. + +Signed-off-by: Vivek Gautam +Signed-off-by: Bjorn Andersson +Stable-dep-of: c882c899ead3 ("soc: qcom: llcc: make irq truly optional") +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/Kconfig | 14 +--- + drivers/soc/qcom/Makefile | 1 - + drivers/soc/qcom/llcc-sdm845.c | 100 ----------------------------- + drivers/soc/qcom/llcc-slice.c | 60 +++++++++++++++-- + include/linux/soc/qcom/llcc-qcom.h | 57 ++++++---------- + 5 files changed, 77 insertions(+), 155 deletions(-) + delete mode 100644 drivers/soc/qcom/llcc-sdm845.c + +diff --git a/drivers/soc/qcom/Kconfig b/drivers/soc/qcom/Kconfig +index 661e47acc354..c6df8b43fa6d 100644 +--- a/drivers/soc/qcom/Kconfig ++++ b/drivers/soc/qcom/Kconfig +@@ -58,17 +58,9 @@ config QCOM_LLCC + depends on ARCH_QCOM || COMPILE_TEST + help + Qualcomm Technologies, Inc. platform specific +- Last Level Cache Controller(LLCC) driver. This provides interfaces +- to clients that use the LLCC. Say yes here to enable LLCC slice +- driver. +- +-config QCOM_SDM845_LLCC +- tristate "Qualcomm Technologies, Inc. SDM845 LLCC driver" +- depends on QCOM_LLCC +- help +- Say yes here to enable the LLCC driver for SDM845. This provides +- data required to configure LLCC so that clients can start using the +- LLCC slices. ++ Last Level Cache Controller(LLCC) driver for platforms such as, ++ SDM845. This provides interfaces to clients that use the LLCC. ++ Say yes here to enable LLCC slice driver. 
+ + config QCOM_MDT_LOADER + tristate +diff --git a/drivers/soc/qcom/Makefile b/drivers/soc/qcom/Makefile +index 162788701a77..28d45b2e87e8 100644 +--- a/drivers/soc/qcom/Makefile ++++ b/drivers/soc/qcom/Makefile +@@ -22,6 +22,5 @@ obj-$(CONFIG_QCOM_SOCINFO) += socinfo.o + obj-$(CONFIG_QCOM_WCNSS_CTRL) += wcnss_ctrl.o + obj-$(CONFIG_QCOM_APR) += apr.o + obj-$(CONFIG_QCOM_LLCC) += llcc-slice.o +-obj-$(CONFIG_QCOM_SDM845_LLCC) += llcc-sdm845.o + obj-$(CONFIG_QCOM_RPMHPD) += rpmhpd.o + obj-$(CONFIG_QCOM_RPMPD) += rpmpd.o +diff --git a/drivers/soc/qcom/llcc-sdm845.c b/drivers/soc/qcom/llcc-sdm845.c +deleted file mode 100644 +index 86600d97c36d..000000000000 +--- a/drivers/soc/qcom/llcc-sdm845.c ++++ /dev/null +@@ -1,100 +0,0 @@ +-// SPDX-License-Identifier: GPL-2.0 +-/* +- * Copyright (c) 2017-2018, The Linux Foundation. All rights reserved. +- * +- */ +- +-#include +-#include +-#include +-#include +-#include +- +-/* +- * SCT(System Cache Table) entry contains of the following members: +- * usecase_id: Unique id for the client's use case +- * slice_id: llcc slice id for each client +- * max_cap: The maximum capacity of the cache slice provided in KB +- * priority: Priority of the client used to select victim line for replacement +- * fixed_size: Boolean indicating if the slice has a fixed capacity +- * bonus_ways: Bonus ways are additional ways to be used for any slice, +- * if client ends up using more than reserved cache ways. Bonus +- * ways are allocated only if they are not reserved for some +- * other client. +- * res_ways: Reserved ways for the cache slice, the reserved ways cannot +- * be used by any other client than the one its assigned to. +- * cache_mode: Each slice operates as a cache, this controls the mode of the +- * slice: normal or TCM(Tightly Coupled Memory) +- * probe_target_ways: Determines what ways to probe for access hit. When +- * configured to 1 only bonus and reserved ways are probed. +- * When configured to 0 all ways in llcc are probed. 
+- * dis_cap_alloc: Disable capacity based allocation for a client +- * retain_on_pc: If this bit is set and client has maintained active vote +- * then the ways assigned to this client are not flushed on power +- * collapse. +- * activate_on_init: Activate the slice immediately after the SCT is programmed +- */ +-#define SCT_ENTRY(uid, sid, mc, p, fs, bway, rway, cmod, ptw, dca, rp, a) \ +- { \ +- .usecase_id = uid, \ +- .slice_id = sid, \ +- .max_cap = mc, \ +- .priority = p, \ +- .fixed_size = fs, \ +- .bonus_ways = bway, \ +- .res_ways = rway, \ +- .cache_mode = cmod, \ +- .probe_target_ways = ptw, \ +- .dis_cap_alloc = dca, \ +- .retain_on_pc = rp, \ +- .activate_on_init = a, \ +- } +- +-static struct llcc_slice_config sdm845_data[] = { +- SCT_ENTRY(LLCC_CPUSS, 1, 2816, 1, 0, 0xffc, 0x2, 0, 0, 1, 1, 1), +- SCT_ENTRY(LLCC_VIDSC0, 2, 512, 2, 1, 0x0, 0x0f0, 0, 0, 1, 1, 0), +- SCT_ENTRY(LLCC_VIDSC1, 3, 512, 2, 1, 0x0, 0x0f0, 0, 0, 1, 1, 0), +- SCT_ENTRY(LLCC_ROTATOR, 4, 563, 2, 1, 0x0, 0x00e, 2, 0, 1, 1, 0), +- SCT_ENTRY(LLCC_VOICE, 5, 2816, 1, 0, 0xffc, 0x2, 0, 0, 1, 1, 0), +- SCT_ENTRY(LLCC_AUDIO, 6, 2816, 1, 0, 0xffc, 0x2, 0, 0, 1, 1, 0), +- SCT_ENTRY(LLCC_MDMHPGRW, 7, 1024, 2, 0, 0xfc, 0xf00, 0, 0, 1, 1, 0), +- SCT_ENTRY(LLCC_MDM, 8, 2816, 1, 0, 0xffc, 0x2, 0, 0, 1, 1, 0), +- SCT_ENTRY(LLCC_CMPT, 10, 2816, 1, 0, 0xffc, 0x2, 0, 0, 1, 1, 0), +- SCT_ENTRY(LLCC_GPUHTW, 11, 512, 1, 1, 0xc, 0x0, 0, 0, 1, 1, 0), +- SCT_ENTRY(LLCC_GPU, 12, 2304, 1, 0, 0xff0, 0x2, 0, 0, 1, 1, 0), +- SCT_ENTRY(LLCC_MMUHWT, 13, 256, 2, 0, 0x0, 0x1, 0, 0, 1, 0, 1), +- SCT_ENTRY(LLCC_CMPTDMA, 15, 2816, 1, 0, 0xffc, 0x2, 0, 0, 1, 1, 0), +- SCT_ENTRY(LLCC_DISP, 16, 2816, 1, 0, 0xffc, 0x2, 0, 0, 1, 1, 0), +- SCT_ENTRY(LLCC_VIDFW, 17, 2816, 1, 0, 0xffc, 0x2, 0, 0, 1, 1, 0), +- SCT_ENTRY(LLCC_MDMHPFX, 20, 1024, 2, 1, 0x0, 0xf00, 0, 0, 1, 1, 0), +- SCT_ENTRY(LLCC_MDMPNG, 21, 1024, 0, 1, 0x1e, 0x0, 0, 0, 1, 1, 0), +- SCT_ENTRY(LLCC_AUDHW, 22, 1024, 1, 1, 0xffc, 0x2, 0, 0, 1, 1, 0), +-}; +- 
+-static int sdm845_qcom_llcc_remove(struct platform_device *pdev) +-{ +- return qcom_llcc_remove(pdev); +-} +- +-static int sdm845_qcom_llcc_probe(struct platform_device *pdev) +-{ +- return qcom_llcc_probe(pdev, sdm845_data, ARRAY_SIZE(sdm845_data)); +-} +- +-static const struct of_device_id sdm845_qcom_llcc_of_match[] = { +- { .compatible = "qcom,sdm845-llcc", }, +- { } +-}; +- +-static struct platform_driver sdm845_qcom_llcc_driver = { +- .driver = { +- .name = "sdm845-llcc", +- .of_match_table = sdm845_qcom_llcc_of_match, +- }, +- .probe = sdm845_qcom_llcc_probe, +- .remove = sdm845_qcom_llcc_remove, +-}; +-module_platform_driver(sdm845_qcom_llcc_driver); +- +-MODULE_DESCRIPTION("QCOM sdm845 LLCC driver"); +-MODULE_LICENSE("GPL v2"); +diff --git a/drivers/soc/qcom/llcc-slice.c b/drivers/soc/qcom/llcc-slice.c +index 4a6111635f82..19039f19af97 100644 +--- a/drivers/soc/qcom/llcc-slice.c ++++ b/drivers/soc/qcom/llcc-slice.c +@@ -1,6 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0 + /* +- * Copyright (c) 2017-2018, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2017-2019, The Linux Foundation. All rights reserved. 
+ * + */ + +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -46,6 +47,27 @@ + + #define BANK_OFFSET_STRIDE 0x80000 + ++static struct llcc_slice_config sdm845_data[] = { ++ { LLCC_CPUSS, 1, 2816, 1, 0, 0xffc, 0x2, 0, 0, 1, 1, 1 }, ++ { LLCC_VIDSC0, 2, 512, 2, 1, 0x0, 0x0f0, 0, 0, 1, 1, 0 }, ++ { LLCC_VIDSC1, 3, 512, 2, 1, 0x0, 0x0f0, 0, 0, 1, 1, 0 }, ++ { LLCC_ROTATOR, 4, 563, 2, 1, 0x0, 0x00e, 2, 0, 1, 1, 0 }, ++ { LLCC_VOICE, 5, 2816, 1, 0, 0xffc, 0x2, 0, 0, 1, 1, 0 }, ++ { LLCC_AUDIO, 6, 2816, 1, 0, 0xffc, 0x2, 0, 0, 1, 1, 0 }, ++ { LLCC_MDMHPGRW, 7, 1024, 2, 0, 0xfc, 0xf00, 0, 0, 1, 1, 0 }, ++ { LLCC_MDM, 8, 2816, 1, 0, 0xffc, 0x2, 0, 0, 1, 1, 0 }, ++ { LLCC_CMPT, 10, 2816, 1, 0, 0xffc, 0x2, 0, 0, 1, 1, 0 }, ++ { LLCC_GPUHTW, 11, 512, 1, 1, 0xc, 0x0, 0, 0, 1, 1, 0 }, ++ { LLCC_GPU, 12, 2304, 1, 0, 0xff0, 0x2, 0, 0, 1, 1, 0 }, ++ { LLCC_MMUHWT, 13, 256, 2, 0, 0x0, 0x1, 0, 0, 1, 0, 1 }, ++ { LLCC_CMPTDMA, 15, 2816, 1, 0, 0xffc, 0x2, 0, 0, 1, 1, 0 }, ++ { LLCC_DISP, 16, 2816, 1, 0, 0xffc, 0x2, 0, 0, 1, 1, 0 }, ++ { LLCC_VIDFW, 17, 2816, 1, 0, 0xffc, 0x2, 0, 0, 1, 1, 0 }, ++ { LLCC_MDMHPFX, 20, 1024, 2, 1, 0x0, 0xf00, 0, 0, 1, 1, 0 }, ++ { LLCC_MDMPNG, 21, 1024, 0, 1, 0x1e, 0x0, 0, 0, 1, 1, 0 }, ++ { LLCC_AUDHW, 22, 1024, 1, 1, 0xffc, 0x2, 0, 0, 1, 1, 0 }, ++}; ++ + static struct llcc_drv_data *drv_data = (void *) -EPROBE_DEFER; + + static struct regmap_config llcc_regmap_config = { +@@ -301,13 +323,12 @@ static int qcom_llcc_cfg_program(struct platform_device *pdev) + return ret; + } + +-int qcom_llcc_remove(struct platform_device *pdev) ++static int qcom_llcc_remove(struct platform_device *pdev) + { + /* Set the global pointer to a error code to avoid referencing it */ + drv_data = ERR_PTR(-ENODEV); + return 0; + } +-EXPORT_SYMBOL_GPL(qcom_llcc_remove); + + static struct regmap *qcom_llcc_init_mmio(struct platform_device *pdev, + const char *name) +@@ -327,8 +348,8 @@ static struct regmap 
*qcom_llcc_init_mmio(struct platform_device *pdev, + return devm_regmap_init_mmio(&pdev->dev, base, &llcc_regmap_config); + } + +-int qcom_llcc_probe(struct platform_device *pdev, +- const struct llcc_slice_config *llcc_cfg, u32 sz) ++static int qcom_llcc_probe(struct platform_device *pdev, ++ const struct llcc_slice_config *llcc_cfg, u32 sz) + { + u32 num_banks; + struct device *dev = &pdev->dev; +@@ -408,6 +429,31 @@ int qcom_llcc_probe(struct platform_device *pdev, + drv_data = ERR_PTR(-ENODEV); + return ret; + } +-EXPORT_SYMBOL_GPL(qcom_llcc_probe); ++ ++static int sdm845_qcom_llcc_remove(struct platform_device *pdev) ++{ ++ return qcom_llcc_remove(pdev); ++} ++ ++static int sdm845_qcom_llcc_probe(struct platform_device *pdev) ++{ ++ return qcom_llcc_probe(pdev, sdm845_data, ARRAY_SIZE(sdm845_data)); ++} ++ ++static const struct of_device_id sdm845_qcom_llcc_of_match[] = { ++ { .compatible = "qcom,sdm845-llcc", }, ++ { } ++}; ++ ++static struct platform_driver sdm845_qcom_llcc_driver = { ++ .driver = { ++ .name = "sdm845-llcc", ++ .of_match_table = sdm845_qcom_llcc_of_match, ++ }, ++ .probe = sdm845_qcom_llcc_probe, ++ .remove = sdm845_qcom_llcc_remove, ++}; ++module_platform_driver(sdm845_qcom_llcc_driver); ++ ++MODULE_DESCRIPTION("QCOM sdm845 LLCC driver"); + MODULE_LICENSE("GPL v2"); +-MODULE_DESCRIPTION("Qualcomm Last Level Cache Controller"); +diff --git a/include/linux/soc/qcom/llcc-qcom.h b/include/linux/soc/qcom/llcc-qcom.h +index eb71a50b8afc..d5cad6f7953c 100644 +--- a/include/linux/soc/qcom/llcc-qcom.h ++++ b/include/linux/soc/qcom/llcc-qcom.h +@@ -39,18 +39,27 @@ struct llcc_slice_desc { + + /** + * llcc_slice_config - Data associated with the llcc slice +- * @usecase_id: usecase id for which the llcc slice is used +- * @slice_id: llcc slice id assigned to each slice +- * @max_cap: maximum capacity of the llcc slice +- * @priority: priority of the llcc slice +- * @fixed_size: whether the llcc slice can grow beyond its size +- * @bonus_ways: bonus 
ways associated with llcc slice +- * @res_ways: reserved ways associated with llcc slice +- * @cache_mode: mode of the llcc slice +- * @probe_target_ways: Probe only reserved and bonus ways on a cache miss +- * @dis_cap_alloc: Disable capacity based allocation +- * @retain_on_pc: Retain through power collapse +- * @activate_on_init: activate the slice on init ++ * @usecase_id: Unique id for the client's use case ++ * @slice_id: llcc slice id for each client ++ * @max_cap: The maximum capacity of the cache slice provided in KB ++ * @priority: Priority of the client used to select victim line for replacement ++ * @fixed_size: Boolean indicating if the slice has a fixed capacity ++ * @bonus_ways: Bonus ways are additional ways to be used for any slice, ++ * if client ends up using more than reserved cache ways. Bonus ++ * ways are allocated only if they are not reserved for some ++ * other client. ++ * @res_ways: Reserved ways for the cache slice, the reserved ways cannot ++ * be used by any other client than the one its assigned to. ++ * @cache_mode: Each slice operates as a cache, this controls the mode of the ++ * slice: normal or TCM(Tightly Coupled Memory) ++ * @probe_target_ways: Determines what ways to probe for access hit. When ++ * configured to 1 only bonus and reserved ways are probed. ++ * When configured to 0 all ways in llcc are probed. ++ * @dis_cap_alloc: Disable capacity based allocation for a client ++ * @retain_on_pc: If this bit is set and client has maintained active vote ++ * then the ways assigned to this client are not flushed on power ++ * collapse. 
++ * @activate_on_init: Activate the slice immediately after it is programmed + */ + struct llcc_slice_config { + u32 usecase_id; +@@ -154,20 +163,6 @@ int llcc_slice_activate(struct llcc_slice_desc *desc); + */ + int llcc_slice_deactivate(struct llcc_slice_desc *desc); + +-/** +- * qcom_llcc_probe - program the sct table +- * @pdev: platform device pointer +- * @table: soc sct table +- * @sz: Size of the config table +- */ +-int qcom_llcc_probe(struct platform_device *pdev, +- const struct llcc_slice_config *table, u32 sz); +- +-/** +- * qcom_llcc_remove - remove the sct table +- * @pdev: Platform device pointer +- */ +-int qcom_llcc_remove(struct platform_device *pdev); + #else + static inline struct llcc_slice_desc *llcc_slice_getd(u32 uid) + { +@@ -197,16 +192,6 @@ static inline int llcc_slice_deactivate(struct llcc_slice_desc *desc) + { + return -EINVAL; + } +-static inline int qcom_llcc_probe(struct platform_device *pdev, +- const struct llcc_slice_config *table, u32 sz) +-{ +- return -ENODEV; +-} +- +-static inline int qcom_llcc_remove(struct platform_device *pdev) +-{ +- return -ENODEV; +-} + #endif + + #endif +-- +2.35.1 + diff --git a/queue-5.4/soc-qcom-llcc-make-irq-truly-optional.patch b/queue-5.4/soc-qcom-llcc-make-irq-truly-optional.patch new file mode 100644 index 00000000000..785487989b0 --- /dev/null +++ b/queue-5.4/soc-qcom-llcc-make-irq-truly-optional.patch 
@@ -0,0 +1,40 @@ +From 90b2ebda483b7719456e32b44f2353dd467e50e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 16:30:41 +0100 +Subject: soc: qcom: llcc: make irq truly optional + +From: Luca Weiss + +[ Upstream commit c882c899ead3545102a4d71b5fbe73b9e4bc2657 ] + +The function platform_get_irq prints an error message into the kernel +log when the irq isn't found. + +Since the interrupt is actually optional and not provided by some SoCs, +use platform_get_irq_optional which does not print an error message. + +Fixes: c081f3060fab ("soc: qcom: Add support to register LLCC EDAC driver") +Signed-off-by: Luca Weiss +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20221104153041.412020-1-luca.weiss@fairphone.com +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/llcc-qcom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/qcom/llcc-qcom.c b/drivers/soc/qcom/llcc-qcom.c +index 19039f19af97..69abc99b812d 100644 +--- a/drivers/soc/qcom/llcc-qcom.c ++++ b/drivers/soc/qcom/llcc-qcom.c +@@ -415,7 +415,7 @@ static int qcom_llcc_probe(struct platform_device *pdev, + if (ret) + goto err; + +- drv_data->ecc_irq = platform_get_irq(pdev, 0); ++ drv_data->ecc_irq = platform_get_irq_optional(pdev, 0); + if (drv_data->ecc_irq >= 0) { + llcc_edac = platform_device_register_data(&pdev->dev, + "qcom_llcc_edac", -1, drv_data, +-- +2.35.1 + diff --git a/queue-5.4/soc-qcom-rename-llcc-slice-to-llcc-qcom.patch b/queue-5.4/soc-qcom-rename-llcc-slice-to-llcc-qcom.patch new file mode 100644 index 00000000000..e3d54f43438 --- /dev/null +++ b/queue-5.4/soc-qcom-rename-llcc-slice-to-llcc-qcom.patch 
@@ -0,0 +1,42 @@ +From 135b3b022829c5a0fc6695beced956d316477c04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jul 2019 18:32:37 +0530 +Subject: soc: qcom: Rename llcc-slice to llcc-qcom + +From: Vivek Gautam + +[ Upstream commit a0e72a5ba48ae9c6449a32130d74506a854b79d2 ] + +The cleaning up was done without changing the driver file name +to ensure a cleaner bisect. Change the file name now to facilitate +making the driver generic in subsequent patch. + +Signed-off-by: Vivek Gautam +Signed-off-by: Bjorn Andersson +Stable-dep-of: c882c899ead3 ("soc: qcom: llcc: make irq truly optional") +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/Makefile | 2 +- + drivers/soc/qcom/{llcc-slice.c => llcc-qcom.c} | 0 + 2 files changed, 1 insertion(+), 1 deletion(-) + rename drivers/soc/qcom/{llcc-slice.c => llcc-qcom.c} (100%) + +diff --git a/drivers/soc/qcom/Makefile b/drivers/soc/qcom/Makefile +index 28d45b2e87e8..2559fe948ce0 100644 +--- a/drivers/soc/qcom/Makefile ++++ b/drivers/soc/qcom/Makefile +@@ -21,6 +21,6 @@ obj-$(CONFIG_QCOM_SMSM) += smsm.o + obj-$(CONFIG_QCOM_SOCINFO) += socinfo.o + obj-$(CONFIG_QCOM_WCNSS_CTRL) += wcnss_ctrl.o + obj-$(CONFIG_QCOM_APR) += apr.o +-obj-$(CONFIG_QCOM_LLCC) += llcc-slice.o ++obj-$(CONFIG_QCOM_LLCC) += llcc-qcom.o + obj-$(CONFIG_QCOM_RPMHPD) += rpmhpd.o + obj-$(CONFIG_QCOM_RPMPD) += rpmpd.o +diff --git a/drivers/soc/qcom/llcc-slice.c b/drivers/soc/qcom/llcc-qcom.c +similarity index 100% +rename from drivers/soc/qcom/llcc-slice.c +rename to drivers/soc/qcom/llcc-qcom.c +-- +2.35.1 + diff --git a/queue-5.4/soc-ti-knav_qmss_queue-fix-pm-disable-depth-imbalanc.patch b/queue-5.4/soc-ti-knav_qmss_queue-fix-pm-disable-depth-imbalanc.patch new file mode 100644 index 00000000000..0a75381501f --- /dev/null +++ b/queue-5.4/soc-ti-knav_qmss_queue-fix-pm-disable-depth-imbalanc.patch 
@@ -0,0 +1,38 @@ +From 1438b8a4a0cf9c7ec7a95c68635ea096e7e1dc87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 16:03:21 +0800 +Subject: soc: ti: knav_qmss_queue: Fix PM disable depth imbalance in + knav_queue_probe + +From: Zhang Qilong + +[ Upstream commit e961c0f19450fd4a26bd043dd2979990bf12caf6 ] + +The pm_runtime_enable will increase power disable depth. Thus +a pairing decrement is needed on the error handling path to +keep it balanced according to context. + +Fixes: 41f93af900a2 ("soc: ti: add Keystone Navigator QMSS driver") +Signed-off-by: Zhang Qilong +Signed-off-by: Nishanth Menon +Link: https://lore.kernel.org/r/20221108080322.52268-2-zhangqilong3@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/soc/ti/knav_qmss_queue.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/soc/ti/knav_qmss_queue.c b/drivers/soc/ti/knav_qmss_queue.c +index 593df764eb57..341f1c7caa89 100644 +--- a/drivers/soc/ti/knav_qmss_queue.c ++++ b/drivers/soc/ti/knav_qmss_queue.c +@@ -1791,6 +1791,7 @@ static int knav_queue_probe(struct platform_device *pdev) + pm_runtime_enable(&pdev->dev); + ret = pm_runtime_resume_and_get(&pdev->dev); + if (ret < 0) { ++ pm_runtime_disable(&pdev->dev); + dev_err(dev, "Failed to enable QMSS\n"); + return ret; + } +-- +2.35.1 + diff --git a/queue-5.4/soc-ti-knav_qmss_queue-use-pm_runtime_resume_and_get.patch b/queue-5.4/soc-ti-knav_qmss_queue-use-pm_runtime_resume_and_get.patch new file mode 100644 index 00000000000..a59c82fa5e0 --- /dev/null +++ b/queue-5.4/soc-ti-knav_qmss_queue-use-pm_runtime_resume_and_get.patch 
@@ -0,0 +1,41 @@ +From a2894b5f08ed103265d7f47f1cc555ed3b9c4ab7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Apr 2022 06:29:55 +0000 +Subject: soc: ti: knav_qmss_queue: Use pm_runtime_resume_and_get instead of + pm_runtime_get_sync + +From: Minghao Chi + +[ Upstream commit 12eeb74925da70eb39d90abead9de9793be3d4c8 ] + +Using pm_runtime_resume_and_get is more appropriate for simplifying +code. + +Reported-by: Zeal Robot +Signed-off-by: Minghao Chi +Signed-off-by: Nishanth Menon +Link: https://lore.kernel.org/r/20220418062955.2557949-1-chi.minghao@zte.com.cn +Stable-dep-of: e961c0f19450 ("soc: ti: knav_qmss_queue: Fix PM disable depth imbalance in knav_queue_probe") +Signed-off-by: Sasha Levin +--- + drivers/soc/ti/knav_qmss_queue.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/soc/ti/knav_qmss_queue.c b/drivers/soc/ti/knav_qmss_queue.c +index d5fc00979628..593df764eb57 100644 +--- a/drivers/soc/ti/knav_qmss_queue.c ++++ b/drivers/soc/ti/knav_qmss_queue.c +@@ -1789,9 +1789,8 @@ static int knav_queue_probe(struct platform_device *pdev) + INIT_LIST_HEAD(&kdev->pdsps); + + pm_runtime_enable(&pdev->dev); +- ret = pm_runtime_get_sync(&pdev->dev); ++ ret = pm_runtime_resume_and_get(&pdev->dev); + if (ret < 0) { +- pm_runtime_put_noidle(&pdev->dev); + dev_err(dev, "Failed to enable QMSS\n"); + return ret; + } +-- +2.35.1 + diff --git a/queue-5.4/soc-ti-smartreflex-fix-pm-disable-depth-imbalance-in.patch b/queue-5.4/soc-ti-smartreflex-fix-pm-disable-depth-imbalance-in.patch new file mode 100644 index 00000000000..0ea5eba7753 --- /dev/null +++ b/queue-5.4/soc-ti-smartreflex-fix-pm-disable-depth-imbalance-in.patch 
@@ -0,0 +1,37 @@ +From 5b0a239da7d832e9168e4e185b4496dc601b0cee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 16:03:22 +0800 +Subject: soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe + +From: Zhang Qilong + +[ Upstream commit 69460e68eb662064ab4188d4e129ff31c1f23ed9 ] + +The pm_runtime_enable will increase power disable depth. Thus +a pairing decrement is needed on the error handling path to +keep it balanced according to context. + +Fixes: 984aa6dbf4ca ("OMAP3: PM: Adding smartreflex driver support.") +Signed-off-by: Zhang Qilong +Signed-off-by: Nishanth Menon +Link: https://lore.kernel.org/r/20221108080322.52268-3-zhangqilong3@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/power/avs/smartreflex.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/power/avs/smartreflex.c b/drivers/power/avs/smartreflex.c +index 4684e7df833a..2365efe2dae1 100644 +--- a/drivers/power/avs/smartreflex.c ++++ b/drivers/power/avs/smartreflex.c +@@ -942,6 +942,7 @@ static int omap_sr_probe(struct platform_device *pdev) + err_debugfs: + debugfs_remove_recursive(sr_info->dbg_dir); + err_list_del: ++ pm_runtime_disable(&pdev->dev); + list_del(&sr_info->node); + + pm_runtime_put_sync(&pdev->dev); +-- +2.35.1 + diff --git a/queue-5.4/spi-spi-gpio-don-t-set-mosi-as-an-input-if-not-3wire.patch b/queue-5.4/spi-spi-gpio-don-t-set-mosi-as-an-input-if-not-3wire.patch new file mode 100644 index 00000000000..0ec72c40c41 --- /dev/null +++ b/queue-5.4/spi-spi-gpio-don-t-set-mosi-as-an-input-if-not-3wire.patch 
@@ -0,0 +1,64 @@ +From 09c330a5a20d0609c3dd2d42de7e0386c1ddf205 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 15:08:53 -0800 +Subject: spi: spi-gpio: Don't set MOSI as an input if not 3WIRE mode + +From: Kris Bahnsen + +[ Upstream commit 3a6f994f848a69deb2bf3cd9d130dd0c09730e55 ] + +The addition of 3WIRE support would affect MOSI direction even +when still in standard (4 wire) mode. This can lead to MOSI being +at an invalid logic level when a device driver sets an SPI +message with a NULL tx_buf. + +spi.h states that if tx_buf is NULL then "zeros will be shifted +out ... " If MOSI is tristated then the data shifted out is subject +to pull resistors, keepers, or in the absence of those, noise. + +This issue came to light when using spi-gpio connected to an +ADS7843 touchscreen controller. MOSI pulled high when clocking +MISO data in caused the SPI device to interpret this as a command +which would put the device in an unexpected and non-functional +state. + +Fixes: 4b859db2c606 ("spi: spi-gpio: add SPI_3WIRE support") +Fixes: 5132b3d28371 ("spi: gpio: Support 3WIRE high-impedance turn-around") +Signed-off-by: Kris Bahnsen +Link: https://lore.kernel.org/r/20221207230853.6174-1-kris@embeddedTS.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-gpio.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-gpio.c b/drivers/spi/spi-gpio.c +index e7dc1fad4a87..282c5ee41a62 100644 +--- a/drivers/spi/spi-gpio.c ++++ b/drivers/spi/spi-gpio.c +@@ -244,9 +244,19 @@ static int spi_gpio_set_direction(struct spi_device *spi, bool output) + if (output) + return gpiod_direction_output(spi_gpio->mosi, 1); + +- ret = gpiod_direction_input(spi_gpio->mosi); +- if (ret) +- return ret; ++ /* ++ * Only change MOSI to an input if using 3WIRE mode. 
++ * Otherwise, MOSI could be left floating if there is ++ * no pull resistor connected to the I/O pin, or could ++ * be left logic high if there is a pull-up. Transmitting ++ * logic high when only clocking MISO data in can put some ++ * SPI devices in to a bad state. ++ */ ++ if (spi->mode & SPI_3WIRE) { ++ ret = gpiod_direction_input(spi_gpio->mosi); ++ if (ret) ++ return ret; ++ } + /* + * Send a turnaround high impedance cycle when switching + * from output to input. Theoretically there should be +-- +2.35.1 + diff --git a/queue-5.4/spi-spidev-mask-spi_cs_high-in-spi_ioc_rd_mode.patch b/queue-5.4/spi-spidev-mask-spi_cs_high-in-spi_ioc_rd_mode.patch new file mode 100644 index 00000000000..1eb3c911059 --- /dev/null +++ b/queue-5.4/spi-spidev-mask-spi_cs_high-in-spi_ioc_rd_mode.patch 
@@ -0,0 +1,83 @@ +From 66ece64840ebc54ddd14b1f2d6081d79d1d49fd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Nov 2022 17:29:27 +0100 +Subject: spi: spidev: mask SPI_CS_HIGH in SPI_IOC_RD_MODE + +From: Alexander Sverdlin + +[ Upstream commit 7dbfa445ff7393d1c4c066c1727c9e0af1251958 ] + +Commit f3186dd87669 ("spi: Optionally use GPIO descriptors for CS GPIOs") +has changed the user-space interface so that bogus SPI_CS_HIGH started +to appear in the mask returned by SPI_IOC_RD_MODE even for active-low CS +pins. Commit 138c9c32f090 +("spi: spidev: Fix CS polarity if GPIO descriptors are used") fixed only +SPI_IOC_WR_MODE part of the problem. Let's fix SPI_IOC_RD_MODE +symmetrically. + +Test case: + + #include + #include + #include + + int main(int argc, char **argv) + { + char modew = SPI_CPHA; + char moder; + int f = open("/dev/spidev0.0", O_RDWR); + + if (f < 0) + return 1; + + ioctl(f, SPI_IOC_WR_MODE, &modew); + ioctl(f, SPI_IOC_RD_MODE, &moder); + + return moder == modew ? 
0 : 2; + } + +Fixes: f3186dd87669 ("spi: Optionally use GPIO descriptors for CS GPIOs") +Signed-off-by: Alexander Sverdlin +Link: https://lore.kernel.org/r/20221130162927.539512-1-alexander.sverdlin@siemens.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spidev.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c +index be503a0e6ef7..2478ae471f4e 100644 +--- a/drivers/spi/spidev.c ++++ b/drivers/spi/spidev.c +@@ -373,12 +373,23 @@ spidev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) + switch (cmd) { + /* read requests */ + case SPI_IOC_RD_MODE: +- retval = put_user(spi->mode & SPI_MODE_MASK, +- (__u8 __user *)arg); +- break; + case SPI_IOC_RD_MODE32: +- retval = put_user(spi->mode & SPI_MODE_MASK, +- (__u32 __user *)arg); ++ tmp = spi->mode; ++ ++ { ++ struct spi_controller *ctlr = spi->controller; ++ ++ if (ctlr->use_gpio_descriptors && ctlr->cs_gpiods && ++ ctlr->cs_gpiods[spi->chip_select]) ++ tmp &= ~SPI_CS_HIGH; ++ } ++ ++ if (cmd == SPI_IOC_RD_MODE) ++ retval = put_user(tmp & SPI_MODE_MASK, ++ (__u8 __user *)arg); ++ else ++ retval = put_user(tmp & SPI_MODE_MASK, ++ (__u32 __user *)arg); + break; + case SPI_IOC_RD_LSB_FIRST: + retval = put_user((spi->mode & SPI_LSB_FIRST) ? 1 : 0, +-- +2.35.1 + diff --git a/queue-5.4/spi-update-reference-to-struct-spi_controller.patch b/queue-5.4/spi-update-reference-to-struct-spi_controller.patch new file mode 100644 index 00000000000..f3301cffa2d --- /dev/null +++ b/queue-5.4/spi-update-reference-to-struct-spi_controller.patch 
@@ -0,0 +1,42 @@ +From ef52a98d70a116bc9b6f60eae54e49b8c6c1f113 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 18:32:51 +0100 +Subject: spi: Update reference to struct spi_controller +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Neuschäfer + +[ Upstream commit bf585ccee22faf469d82727cf375868105b362f7 ] + +struct spi_master has been renamed to struct spi_controller. Update the +reference in spi.rst to make it clickable again. + +Fixes: 8caab75fd2c2 ("spi: Generalize SPI "master" to "controller"") +Signed-off-by: Jonathan Neuschäfer +Link: https://lore.kernel.org/r/20221101173252.1069294-1-j.neuschaefer@gmx.net +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + Documentation/driver-api/spi.rst | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Documentation/driver-api/spi.rst b/Documentation/driver-api/spi.rst +index f64cb666498a..f28887045049 100644 +--- a/Documentation/driver-api/spi.rst ++++ b/Documentation/driver-api/spi.rst +@@ -25,8 +25,8 @@ hardware, which may be as simple as a set of GPIO pins or as complex as + a pair of FIFOs connected to dual DMA engines on the other side of the + SPI shift register (maximizing throughput). Such drivers bridge between + whatever bus they sit on (often the platform bus) and SPI, and expose +-the SPI side of their device as a :c:type:`struct spi_master +-`. SPI devices are children of that master, ++the SPI side of their device as a :c:type:`struct spi_controller ++`. SPI devices are children of that master, + represented as a :c:type:`struct spi_device ` and + manufactured from :c:type:`struct spi_board_info + ` descriptors which are usually provided by +-- +2.35.1 + diff --git a/queue-5.4/staging-rtl8192e-fix-potential-use-after-free-in-rtl.patch b/queue-5.4/staging-rtl8192e-fix-potential-use-after-free-in-rtl.patch new file mode 100644 index 00000000000..4035dcfc271 --- /dev/null 
+++ b/queue-5.4/staging-rtl8192e-fix-potential-use-after-free-in-rtl.patch @@ -0,0 +1,41 @@ +From 4e079bb99981d4337046917a56792556963ca16a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 16:12:53 +0800 +Subject: staging: rtl8192e: Fix potential use-after-free in + rtllib_rx_Monitor() + +From: YueHaibing + +[ Upstream commit d30f4436f364b4ad915ca2c09be07cd0f93ceb44 ] + +The skb is delivered to netif_rx() in rtllib_monitor_rx(), which may free it, +after calling this, dereferencing skb may trigger use-after-free. +Found by Smatch. + +Fixes: 94a799425eee ("From: wlanfae [PATCH 1/8] rtl8192e: Import new version of driver from realtek") +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20221123081253.22296-1-yuehaibing@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192e/rtllib_rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/rtl8192e/rtllib_rx.c b/drivers/staging/rtl8192e/rtllib_rx.c +index 83c30e2d82f5..a78f914082fe 100644 +--- a/drivers/staging/rtl8192e/rtllib_rx.c ++++ b/drivers/staging/rtl8192e/rtllib_rx.c +@@ -1490,9 +1490,9 @@ static int rtllib_rx_Monitor(struct rtllib_device *ieee, struct sk_buff *skb, + hdrlen += 4; + } + +- rtllib_monitor_rx(ieee, skb, rx_stats, hdrlen); + ieee->stats.rx_packets++; + ieee->stats.rx_bytes += skb->len; ++ rtllib_monitor_rx(ieee, skb, rx_stats, hdrlen); + + return 1; + } +-- +2.35.1 + diff --git a/queue-5.4/staging-rtl8192u-fix-use-after-free-in-ieee80211_rx.patch b/queue-5.4/staging-rtl8192u-fix-use-after-free-in-ieee80211_rx.patch new file mode 100644 index 00000000000..f511a5684fb --- /dev/null +++ b/queue-5.4/staging-rtl8192u-fix-use-after-free-in-ieee80211_rx.patch 
@@ -0,0 +1,41 @@ +From b5331ca61606cf6aaf7bdb594e1dd7093bb52554 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 09:43:14 +0300 +Subject: staging: rtl8192u: Fix use after free in ieee80211_rx() + +From: Dan Carpenter + +[ Upstream commit bcc5e2dcf09089b337b76fc1a589f6ff95ca19ac ] + +We cannot dereference the "skb" pointer after calling +ieee80211_monitor_rx(), because it is a use after free. + +Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/Y33BArx3k/aw6yv/@kili +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c +index 00e34c392a38..d51f734aca26 100644 +--- a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c ++++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c +@@ -943,9 +943,11 @@ int ieee80211_rx(struct ieee80211_device *ieee, struct sk_buff *skb, + #endif + + if (ieee->iw_mode == IW_MODE_MONITOR) { ++ unsigned int len = skb->len; ++ + ieee80211_monitor_rx(ieee, skb, rx_stats); + stats->rx_packets++; +- stats->rx_bytes += skb->len; ++ stats->rx_bytes += len; + return 1; + } + +-- +2.35.1 + diff --git a/queue-5.4/staging-vme_user-fix-possible-uaf-in-tsi148_dma_list.patch b/queue-5.4/staging-vme_user-fix-possible-uaf-in-tsi148_dma_list.patch new file mode 100644 index 00000000000..481199596ab --- /dev/null +++ b/queue-5.4/staging-vme_user-fix-possible-uaf-in-tsi148_dma_list.patch 
@@ -0,0 +1,44 @@ +From 53292ef73e3415579e745ac38fa7165917370301 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 11:59:14 +0800 +Subject: staging: vme_user: Fix possible UAF in tsi148_dma_list_add + +From: Gaosheng Cui + +[ Upstream commit 357057ee55d3c99a5de5abe8150f7bca04f8e53b ] + +Smatch report warning as follows: + +drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn: + '&entry->list' not removed from list + +In tsi148_dma_list_add(), the error path "goto err_dma" will not +remove entry->list from list->entries, but entry will be freed, +then list traversal may cause UAF. + +Fix by removeing it from list->entries before free(). + +Fixes: b2383c90a9d6 ("vme: tsi148: fix first DMA item mapping") +Signed-off-by: Gaosheng Cui +Link: https://lore.kernel.org/r/20221117035914.2954454-1-cuigaosheng1@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/vme/bridges/vme_tsi148.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/vme/bridges/vme_tsi148.c b/drivers/vme/bridges/vme_tsi148.c +index 7e079d39bd76..f2da16bf1439 100644 +--- a/drivers/vme/bridges/vme_tsi148.c ++++ b/drivers/vme/bridges/vme_tsi148.c +@@ -1771,6 +1771,7 @@ static int tsi148_dma_list_add(struct vme_dma_list *list, + return 0; + + err_dma: ++ list_del(&entry->list); + err_dest: + err_source: + err_align: +-- +2.35.1 + diff --git a/queue-5.4/stmmac-fix-potential-division-by-0.patch b/queue-5.4/stmmac-fix-potential-division-by-0.patch new file mode 100644 index 00000000000..ff9cfeefee0 --- /dev/null +++ b/queue-5.4/stmmac-fix-potential-division-by-0.patch 
@@ -0,0 +1,89 @@ +From da049a5444716887e062c0fb34582ab22da15b30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Dec 2022 23:37:22 +0100 +Subject: stmmac: fix potential division by 0 + +From: Piergiorgio Beruto + +[ Upstream commit ede5a389852d3640a28e7187fb32b7f204380901 ] + +When the MAC is connected to a 10 Mb/s PHY and the PTP clock is derived +from the MAC reference clock (default), the clk_ptp_rate becomes too +small and the calculated sub second increment becomes 0 when computed by +the stmmac_config_sub_second_increment() function within +stmmac_init_tstamp_counter(). + +Therefore, the subsequent div_u64 in stmmac_init_tstamp_counter() +operation triggers a divide by 0 exception as shown below. + +[ 95.062067] socfpga-dwmac ff700000.ethernet eth0: Register MEM_TYPE_PAGE_POOL RxQ-0 +[ 95.076440] socfpga-dwmac ff700000.ethernet eth0: PHY [stmmac-0:08] driver [NCN26000] (irq=49) +[ 95.095964] dwmac1000: Master AXI performs any burst length +[ 95.101588] socfpga-dwmac ff700000.ethernet eth0: No Safety Features support found +[ 95.109428] Division by zero in kernel. 
+[ 95.113447] CPU: 0 PID: 239 Comm: ifconfig Not tainted 6.1.0-rc7-centurion3-1.0.3.0-01574-gb624218205b7-dirty #77 +[ 95.123686] Hardware name: Altera SOCFPGA +[ 95.127695] unwind_backtrace from show_stack+0x10/0x14 +[ 95.132938] show_stack from dump_stack_lvl+0x40/0x4c +[ 95.137992] dump_stack_lvl from Ldiv0+0x8/0x10 +[ 95.142527] Ldiv0 from __aeabi_uidivmod+0x8/0x18 +[ 95.147232] __aeabi_uidivmod from div_u64_rem+0x1c/0x40 +[ 95.152552] div_u64_rem from stmmac_init_tstamp_counter+0xd0/0x164 +[ 95.158826] stmmac_init_tstamp_counter from stmmac_hw_setup+0x430/0xf00 +[ 95.165533] stmmac_hw_setup from __stmmac_open+0x214/0x2d4 +[ 95.171117] __stmmac_open from stmmac_open+0x30/0x44 +[ 95.176182] stmmac_open from __dev_open+0x11c/0x134 +[ 95.181172] __dev_open from __dev_change_flags+0x168/0x17c +[ 95.186750] __dev_change_flags from dev_change_flags+0x14/0x50 +[ 95.192662] dev_change_flags from devinet_ioctl+0x2b4/0x604 +[ 95.198321] devinet_ioctl from inet_ioctl+0x1ec/0x214 +[ 95.203462] inet_ioctl from sock_ioctl+0x14c/0x3c4 +[ 95.208354] sock_ioctl from vfs_ioctl+0x20/0x38 +[ 95.212984] vfs_ioctl from sys_ioctl+0x250/0x844 +[ 95.217691] sys_ioctl from ret_fast_syscall+0x0/0x4c +[ 95.222743] Exception stack(0xd0ee1fa8 to 0xd0ee1ff0) +[ 95.227790] 1fa0: 00574c4f be9aeca4 00000003 00008914 be9aeca4 be9aec50 +[ 95.235945] 1fc0: 00574c4f be9aeca4 0059f078 00000036 be9aee8c be9aef7a 00000015 00000000 +[ 95.244096] 1fe0: 005a01f0 be9aec38 004d7484 b6e67d74 + +Signed-off-by: Piergiorgio Beruto +Fixes: 91a2559c1dc5 ("net: stmmac: Fix sub-second increment") +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/de4c64ccac9084952c56a06a8171d738604c4770.1670678513.git.piergiorgio.beruto@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 3 ++- + drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git 
a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c +index 8c14c9966394..79546810bb3d 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c +@@ -43,7 +43,8 @@ static void config_sub_second_increment(void __iomem *ioaddr, + if (!(value & PTP_TCR_TSCTRLSSR)) + data = (data * 1000) / 465; + +- data &= PTP_SSIR_SSINC_MASK; ++ if (data > PTP_SSIR_SSINC_MAX) ++ data = PTP_SSIR_SSINC_MAX; + + reg_value = data; + if (gmac4) +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h +index 7abb1d47e7da..60e6b085e2f6 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h +@@ -61,7 +61,7 @@ + #define PTP_TCR_TSENMACADDR BIT(18) + + /* SSIR defines */ +-#define PTP_SSIR_SSINC_MASK 0xff ++#define PTP_SSIR_SSINC_MAX 0xff + #define GMAC4_PTP_SSIR_SSINC_SHIFT 16 + + #endif /* __STMMAC_PTP_H__ */ +-- +2.35.1 + diff --git a/queue-5.4/sunrpc-fix-missing-release-socket-in-rpc_sockname.patch b/queue-5.4/sunrpc-fix-missing-release-socket-in-rpc_sockname.patch new file mode 100644 index 00000000000..ef1b3341b77 --- /dev/null +++ b/queue-5.4/sunrpc-fix-missing-release-socket-in-rpc_sockname.patch 
@@ -0,0 +1,37 @@ +From 891b771e96086bb0de7955bbaadec90a55890663 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 17:23:42 +0800 +Subject: SUNRPC: Fix missing release socket in rpc_sockname() + +From: Wang ShaoBo + +[ Upstream commit 50fa355bc0d75911fe9d5072a5ba52cdb803aff7 ] + +socket dynamically created is not released when getting an unintended +address family type in rpc_sockname(), direct to out_release for calling +sock_release(). + +Fixes: 2e738fdce22f ("SUNRPC: Add API to acquire source address") +Signed-off-by: Wang ShaoBo +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/clnt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index 1893203cc94f..012b0504264d 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -1354,7 +1354,7 @@ static int rpc_sockname(struct net *net, struct sockaddr *sap, size_t salen, + break; + default: + err = -EAFNOSUPPORT; +- goto out; ++ goto out_release; + } + if (err < 0) { + dprintk("RPC: can't bind UDP socket (%d)\n", err); +-- +2.35.1 + diff --git a/queue-5.4/test_firmware-fix-memory-leak-in-test_firmware_init.patch b/queue-5.4/test_firmware-fix-memory-leak-in-test_firmware_init.patch new file mode 100644 index 00000000000..bf3f427567c --- /dev/null +++ b/queue-5.4/test_firmware-fix-memory-leak-in-test_firmware_init.patch 
@@ -0,0 +1,54 @@ +From af2818522c2c8ee59a8eb60f842678b673ff6a2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Nov 2022 11:57:21 +0800 +Subject: test_firmware: fix memory leak in test_firmware_init() + +From: Zhengchao Shao + +[ Upstream commit 7610615e8cdb3f6f5bbd9d8e7a5d8a63e3cabf2e ] + +When misc_register() failed in test_firmware_init(), the memory pointed +by test_fw_config->name is not released. The memory leak information is +as follows: +unreferenced object 0xffff88810a34cb00 (size 32): + comm "insmod", pid 7952, jiffies 4294948236 (age 49.060s) + hex dump (first 32 bytes): + 74 65 73 74 2d 66 69 72 6d 77 61 72 65 2e 62 69 test-firmware.bi + 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 n............... + backtrace: + [] __kmalloc_node_track_caller+0x4b/0xc0 + [] kstrndup+0x46/0xc0 + [] __test_firmware_config_init+0x29/0x380 [test_firmware] + [] 0xffffffffa040f068 + [] do_one_initcall+0x141/0x780 + [] do_init_module+0x1c3/0x630 + [] load_module+0x623e/0x76a0 + [] __do_sys_finit_module+0x181/0x240 + [] do_syscall_64+0x39/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fixes: c92316bf8e94 ("test_firmware: add batched firmware tests") +Signed-off-by: Zhengchao Shao +Acked-by: Luis Chamberlain +Link: https://lore.kernel.org/r/20221119035721.18268-1-shaozhengchao@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + lib/test_firmware.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/test_firmware.c b/lib/test_firmware.c +index 251213c872b5..0169073ec2b9 100644 +--- a/lib/test_firmware.c ++++ b/lib/test_firmware.c +@@ -940,6 +940,7 @@ static int __init test_firmware_init(void) + + rc = misc_register(&test_fw_misc_device); + if (rc) { ++ __test_firmware_config_free(); + kfree(test_fw_config); + pr_err("could not register misc device: %d\n", rc); + return rc; +-- +2.35.1 + 
diff --git a/queue-5.4/timerqueue-use-rb_entry_safe-in-timerqueue_getnext.patch b/queue-5.4/timerqueue-use-rb_entry_safe-in-timerqueue_getnext.patch new file mode 100644 index 00000000000..d3a53e546f7 --- /dev/null +++ b/queue-5.4/timerqueue-use-rb_entry_safe-in-timerqueue_getnext.patch @@ -0,0 +1,44 @@ +From 774bcf49cc0332863e2ba004d5d9b750451243fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 19:54:23 +0000 +Subject: timerqueue: Use rb_entry_safe() in timerqueue_getnext() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Pőcze + +[ Upstream commit 2f117484329b233455ee278f2d9b0a4356835060 ] + +When `timerqueue_getnext()` is called on an empty timer queue, it will +use `rb_entry()` on a NULL pointer, which is invalid. Fix that by using +`rb_entry_safe()` which handles NULL pointers. + +This has not caused any issues so far because the offset of the `rb_node` +member in `timerqueue_node` is 0, so `rb_entry()` is essentially a no-op. + +Fixes: 511885d7061e ("lib/timerqueue: Rely on rbtree semantics for next timer") +Signed-off-by: Barnabás Pőcze +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20221114195421.342929-1-pobrn@protonmail.com +Signed-off-by: Sasha Levin +--- + include/linux/timerqueue.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/timerqueue.h b/include/linux/timerqueue.h +index 93884086f392..adc80e29168e 100644 +--- a/include/linux/timerqueue.h ++++ b/include/linux/timerqueue.h +@@ -35,7 +35,7 @@ struct timerqueue_node *timerqueue_getnext(struct timerqueue_head *head) + { + struct rb_node *leftmost = rb_first_cached(&head->rb_root); + +- return rb_entry(leftmost, struct timerqueue_node, node); ++ return rb_entry_safe(leftmost, struct timerqueue_node, node); + } + + static inline void timerqueue_init(struct timerqueue_node *node) +-- +2.35.1 + 
diff --git a/queue-5.4/tpm-tpm_crb-fix-error-message-in-__crb_relinquish_lo.patch b/queue-5.4/tpm-tpm_crb-fix-error-message-in-__crb_relinquish_lo.patch new file mode 100644 index 00000000000..dbd75ca1232 --- /dev/null +++ b/queue-5.4/tpm-tpm_crb-fix-error-message-in-__crb_relinquish_lo.patch @@ -0,0 +1,38 @@ +From 38489dde21f216b64bd744f5fcf70ea5b64d52f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 11:38:53 -0800 +Subject: tpm/tpm_crb: Fix error message in __crb_relinquish_locality() + +From: Michael Kelley + +[ Upstream commit f5264068071964b56dc02c9dab3d11574aaca6ff ] + +The error message in __crb_relinquish_locality() mentions requestAccess +instead of Relinquish. Fix it. + +Fixes: 888d867df441 ("tpm: cmd_ready command can be issued only after granting locality") +Signed-off-by: Michael Kelley +Acked-by: Tomas Winkler +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/tpm_crb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c +index a9dcf31eadd2..35c5227f3a88 100644 +--- a/drivers/char/tpm/tpm_crb.c ++++ b/drivers/char/tpm/tpm_crb.c +@@ -252,7 +252,7 @@ static int __crb_relinquish_locality(struct device *dev, + iowrite32(CRB_LOC_CTRL_RELINQUISH, &priv->regs_h->loc_ctrl); + if (!crb_wait_for_reg_32(&priv->regs_h->loc_state, mask, value, + TPM2_TIMEOUT_C)) { +- dev_warn(dev, "TPM_LOC_STATE_x.requestAccess timed out\n"); ++ dev_warn(dev, "TPM_LOC_STATE_x.Relinquish timed out\n"); + return -ETIME; + } + +-- +2.35.1 + diff --git a/queue-5.4/tracing-hist-fix-issue-of-losting-command-info-in-er.patch b/queue-5.4/tracing-hist-fix-issue-of-losting-command-info-in-er.patch new file mode 100644 index 00000000000..fbd42c3e0f9 --- /dev/null +++ b/queue-5.4/tracing-hist-fix-issue-of-losting-command-info-in-er.patch 
@@ -0,0 +1,93 @@ +From 8d84109995d41c246af4e36ece551691f9039c61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 21:53:26 +0800 +Subject: tracing/hist: Fix issue of losting command info in error_log + +From: Zheng Yejian + +[ Upstream commit 608c6ed3337850c767ab0dd6c583477922233e29 ] + +When input some constructed invalid 'trigger' command, command info +in 'error_log' are lost [1]. + +The root cause is that there is a path that event_hist_trigger_parse() +is recursely called once and 'last_cmd' which save origin command is +cleared, then later calling of hist_err() will no longer record origin +command info: + + event_hist_trigger_parse() { + last_cmd_set() // <1> 'last_cmd' save origin command here at first + create_actions() { + onmatch_create() { + action_create() { + trace_action_create() { + trace_action_create_field_var() { + create_field_var_hist() { + event_hist_trigger_parse() { // <2> recursely called once + hist_err_clear() // <3> 'last_cmd' is cleared here + } + hist_err() // <4> No longer find origin command!!! + +Since 'glob' is empty string while running into the recurse call, we +can trickly check it and bypass the call of hist_err_clear() to solve it. 
+ +[1] + # cd /sys/kernel/tracing + # echo "my_synth_event int v1; int v2; int v3;" >> synthetic_events + # echo 'hist:keys=pid' >> events/sched/sched_waking/trigger + # echo "hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(\ +pid,pid1)" >> events/sched/sched_switch/trigger + # cat error_log +[ 8.405018] hist:sched:sched_switch: error: Couldn't find synthetic event + Command: +hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(pid,pid1) + ^ +[ 8.816902] hist:sched:sched_switch: error: Couldn't find field + Command: +hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(pid,pid1) + ^ +[ 8.816902] hist:sched:sched_switch: error: Couldn't parse field variable + Command: +hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(pid,pid1) + ^ +[ 8.999880] : error: Couldn't find field + Command: + ^ +[ 8.999880] : error: Couldn't parse field variable + Command: + ^ +[ 8.999880] : error: Couldn't find field + Command: + ^ +[ 8.999880] : error: Couldn't create histogram for field + Command: + ^ + +Link: https://lore.kernel.org/linux-trace-kernel/20221207135326.3483216-1-zhengyejian1@huawei.com + +Cc: +Cc: +Fixes: f404da6e1d46 ("tracing: Add 'last error' error facility for hist triggers") +Signed-off-by: Zheng Yejian +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_hist.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c +index b8f1f0eadd2e..96d159af5194 100644 +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -6433,7 +6433,7 @@ static int event_hist_trigger_func(struct event_command *cmd_ops, + /* Just return zero, not the number of registered triggers */ + ret = 0; + out: +- if (ret == 0) ++ if (ret == 0 && glob[0]) + hist_err_clear(); + + return ret; +-- +2.35.1 + 
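Review bot: the new condition `if (ret == 0 && glob[0])` at the `out:` label of event_hist_trigger_func() uses an empty glob as an implicit marker for the nested call made from create_field_var_hist(), and nothing in the code says so; add a comment there explaining that an empty glob identifies the internal recursive invocation and that hist_err_clear() is skipped so last_cmd survives for the later hist_err() calls. The commit message describes the call chain in terms of event_hist_trigger_parse() while this 5.4 hunk changes event_hist_trigger_func(); a line in the backport noting the name difference would help anyone matching the message against this tree.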
diff --git a/queue-5.4/tty-serial-altera_uart_-r-t-x_chars-need-only-uart_p.patch b/queue-5.4/tty-serial-altera_uart_-r-t-x_chars-need-only-uart_p.patch new file mode 100644 index 00000000000..9cc5f249df9 --- /dev/null +++ b/queue-5.4/tty-serial-altera_uart_-r-t-x_chars-need-only-uart_p.patch 
@@ -0,0 +1,71 @@ +From 47e801358377b8e9e38ecf4794e5c88122c977ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 07:20:43 +0200 +Subject: tty: serial: altera_uart_{r,t}x_chars() need only uart_port +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jiri Slaby + +[ Upstream commit 3af44d9bb0539d5fa27d6159d696fda5f3747bff ] + +Both altera_uart_{r,t}x_chars() need only uart_port, not altera_uart. So +pass the former from altera_uart_interrupt() directly. + +Apart it maybe saves a dereference, this makes the transition of +altera_uart_tx_chars() easier to follow in the next patch. + +Cc: Tobias Klauser +Reviewed-by: Ilpo Järvinen +Acked-by: Tobias Klauser +Signed-off-by: Jiri Slaby +Link: https://lore.kernel.org/r/20220920052049.20507-4-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 1307c5d33cce ("serial: altera_uart: fix locking in polling mode") +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/altera_uart.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/tty/serial/altera_uart.c b/drivers/tty/serial/altera_uart.c +index 508a3c2b7781..20c610440133 100644 +--- a/drivers/tty/serial/altera_uart.c ++++ b/drivers/tty/serial/altera_uart.c +@@ -199,9 +199,8 @@ static void altera_uart_set_termios(struct uart_port *port, + */ + } + +-static void altera_uart_rx_chars(struct altera_uart *pp) ++static void altera_uart_rx_chars(struct uart_port *port) + { +- struct uart_port *port = &pp->port; + unsigned char ch, flag; + unsigned short status; + +@@ -248,9 +247,8 @@ static void altera_uart_rx_chars(struct altera_uart *pp) + spin_lock(&port->lock); + } + +-static void altera_uart_tx_chars(struct altera_uart *pp) ++static void altera_uart_tx_chars(struct uart_port *port) + { +- struct uart_port *port = &pp->port; + struct circ_buf *xmit = &port->state->xmit; + + if (port->x_char) { +@@ -288,9 +286,9 @@ static irqreturn_t altera_uart_interrupt(int 
irq, void *data) + + spin_lock(&port->lock); + if (isr & ALTERA_UART_STATUS_RRDY_MSK) +- altera_uart_rx_chars(pp); ++ altera_uart_rx_chars(port); + if (isr & ALTERA_UART_STATUS_TRDY_MSK) +- altera_uart_tx_chars(pp); ++ altera_uart_tx_chars(port); + spin_unlock(&port->lock); + + return IRQ_RETVAL(isr); +-- +2.35.1 + diff --git a/queue-5.4/tty-serial-clean-up-stop-tx-part-in-altera_uart_tx_c.patch b/queue-5.4/tty-serial-clean-up-stop-tx-part-in-altera_uart_tx_c.patch new file mode 100644 index 00000000000..895ac554253 --- /dev/null +++ b/queue-5.4/tty-serial-clean-up-stop-tx-part-in-altera_uart_tx_c.patch 
@@ -0,0 +1,48 @@ +From 8fee09d50794ae7d2a9eedc9b37b7ea76e56cbba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 07:20:42 +0200 +Subject: tty: serial: clean up stop-tx part in altera_uart_tx_chars() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jiri Slaby + +[ Upstream commit d9c128117da41cf4cb0e80ae565b5d3ac79dffac ] + +The "stop TX" path in altera_uart_tx_chars() is open-coded, so: +* use uart_circ_empty() to check if the buffer is empty, and +* when true, call altera_uart_stop_tx(). + +Cc: Tobias Klauser +Reviewed-by: Ilpo Järvinen +Acked-by: Tobias Klauser +Signed-off-by: Jiri Slaby +Link: https://lore.kernel.org/r/20220920052049.20507-3-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 1307c5d33cce ("serial: altera_uart: fix locking in polling mode") +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/altera_uart.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/tty/serial/altera_uart.c b/drivers/tty/serial/altera_uart.c +index 0e487ce091ac..508a3c2b7781 100644 +--- a/drivers/tty/serial/altera_uart.c ++++ b/drivers/tty/serial/altera_uart.c +@@ -274,10 +274,8 @@ static void altera_uart_tx_chars(struct altera_uart *pp) + if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS) + uart_write_wakeup(port); + +- if (xmit->head == xmit->tail) { +- pp->imr &= ~ALTERA_UART_CONTROL_TRDY_MSK; +- altera_uart_update_ctrl_reg(pp); +- } ++ if (uart_circ_empty(xmit)) ++ altera_uart_stop_tx(port); + } + + static irqreturn_t altera_uart_interrupt(int irq, void *data) +-- +2.35.1 + diff --git a/queue-5.4/tty-serial-tegra-activate-rx-dma-transfer-by-request.patch b/queue-5.4/tty-serial-tegra-activate-rx-dma-transfer-by-request.patch new file mode 100644 index 00000000000..17a088de2fe --- /dev/null +++ b/queue-5.4/tty-serial-tegra-activate-rx-dma-transfer-by-request.patch 
@@ -0,0 +1,217 @@ +From 6b4662c5de74328b0558294102a3394905e0815b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jan 2020 21:09:18 +0300 +Subject: tty: serial: tegra: Activate RX DMA transfer by request + +From: Dmitry Osipenko + +[ Upstream commit d5e3fadb70125c6c41f692cf1c0e626c12e11de1 ] + +This allows DMA engine to go into runtime-suspended mode whenever there is +no data to receive, instead of keeping DMA active all the time while TTY +is opened (i.e. permanently active in practice, like in the case of UART +Bluetooth). + +Signed-off-by: Dmitry Osipenko +Link: https://lore.kernel.org/r/20200112180919.5194-2-digetx@gmail.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 109a951a9f1f ("serial: tegra: Read DMA status before terminating") +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/serial-tegra.c | 78 ++++++++++++++++++------------- + 1 file changed, 46 insertions(+), 32 deletions(-) + +diff --git a/drivers/tty/serial/serial-tegra.c b/drivers/tty/serial/serial-tegra.c +index c5f43cd39664..431edb89e90f 100644 +--- a/drivers/tty/serial/serial-tegra.c ++++ b/drivers/tty/serial/serial-tegra.c +@@ -141,6 +141,7 @@ struct tegra_uart_port { + int configured_rate; + bool use_rx_pio; + bool use_tx_pio; ++ bool rx_dma_active; + }; + + static void tegra_uart_start_next_tx(struct tegra_uart_port *tup); +@@ -733,6 +734,7 @@ static void tegra_uart_rx_dma_complete(void *args) + if (tup->rts_active) + set_rts(tup, false); + ++ tup->rx_dma_active = false; + tegra_uart_rx_buffer_push(tup, 0); + tegra_uart_start_rx_dma(tup); + +@@ -744,18 +746,27 @@ static void tegra_uart_rx_dma_complete(void *args) + spin_unlock_irqrestore(&u->lock, flags); + } + +-static void tegra_uart_handle_rx_dma(struct tegra_uart_port *tup) ++static void tegra_uart_terminate_rx_dma(struct tegra_uart_port *tup) + { + struct dma_tx_state state; + +- /* Deactivate flow control to stop sender */ +- if (tup->rts_active) +- set_rts(tup, false); ++ if (!tup->rx_dma_active) ++ return; + + 
dmaengine_terminate_all(tup->rx_dma_chan); + dmaengine_tx_status(tup->rx_dma_chan, tup->rx_cookie, &state); ++ + tegra_uart_rx_buffer_push(tup, state.residue); +- tegra_uart_start_rx_dma(tup); ++ tup->rx_dma_active = false; ++} ++ ++static void tegra_uart_handle_rx_dma(struct tegra_uart_port *tup) ++{ ++ /* Deactivate flow control to stop sender */ ++ if (tup->rts_active) ++ set_rts(tup, false); ++ ++ tegra_uart_terminate_rx_dma(tup); + + if (tup->rts_active) + set_rts(tup, true); +@@ -765,6 +776,9 @@ static int tegra_uart_start_rx_dma(struct tegra_uart_port *tup) + { + unsigned int count = TEGRA_UART_RX_DMA_BUFFER_SIZE; + ++ if (tup->rx_dma_active) ++ return 0; ++ + tup->rx_dma_desc = dmaengine_prep_slave_single(tup->rx_dma_chan, + tup->rx_dma_buf_phys, count, DMA_DEV_TO_MEM, + DMA_PREP_INTERRUPT); +@@ -773,6 +787,7 @@ static int tegra_uart_start_rx_dma(struct tegra_uart_port *tup) + return -EIO; + } + ++ tup->rx_dma_active = true; + tup->rx_dma_desc->callback = tegra_uart_rx_dma_complete; + tup->rx_dma_desc->callback_param = tup; + dma_sync_single_for_device(tup->uport.dev, tup->rx_dma_buf_phys, +@@ -822,6 +837,7 @@ static irqreturn_t tegra_uart_isr(int irq, void *data) + struct uart_port *u = &tup->uport; + unsigned long iir; + unsigned long ier; ++ bool is_rx_start = false; + bool is_rx_int = false; + unsigned long flags; + +@@ -834,10 +850,12 @@ static irqreturn_t tegra_uart_isr(int irq, void *data) + if (tup->rx_in_progress) { + ier = tup->ier_shadow; + ier |= (UART_IER_RLSI | UART_IER_RTOIE | +- TEGRA_UART_IER_EORD); ++ TEGRA_UART_IER_EORD | UART_IER_RDI); + tup->ier_shadow = ier; + tegra_uart_write(tup, ier, UART_IER); + } ++ } else if (is_rx_start) { ++ tegra_uart_start_rx_dma(tup); + } + spin_unlock_irqrestore(&u->lock, flags); + return IRQ_HANDLED; +@@ -856,17 +874,23 @@ static irqreturn_t tegra_uart_isr(int irq, void *data) + + case 4: /* End of data */ + case 6: /* Rx timeout */ +- case 2: /* Receive */ +- if (!tup->use_rx_pio && !is_rx_int) { +- 
is_rx_int = true; ++ if (!tup->use_rx_pio) { ++ is_rx_int = tup->rx_in_progress; + /* Disable Rx interrupts */ + ier = tup->ier_shadow; +- ier |= UART_IER_RDI; +- tegra_uart_write(tup, ier, UART_IER); + ier &= ~(UART_IER_RDI | UART_IER_RLSI | + UART_IER_RTOIE | TEGRA_UART_IER_EORD); + tup->ier_shadow = ier; + tegra_uart_write(tup, ier, UART_IER); ++ break; ++ } ++ /* Fall through */ ++ case 2: /* Receive */ ++ if (!tup->use_rx_pio) { ++ is_rx_start = tup->rx_in_progress; ++ tup->ier_shadow &= ~UART_IER_RDI; ++ tegra_uart_write(tup, tup->ier_shadow, ++ UART_IER); + } else { + do_handle_rx_pio(tup); + } +@@ -888,7 +912,6 @@ static void tegra_uart_stop_rx(struct uart_port *u) + { + struct tegra_uart_port *tup = to_tegra_uport(u); + struct tty_port *port = &tup->uport.state->port; +- struct dma_tx_state state; + unsigned long ier; + + if (tup->rts_active) +@@ -905,13 +928,11 @@ static void tegra_uart_stop_rx(struct uart_port *u) + tup->ier_shadow = ier; + tegra_uart_write(tup, ier, UART_IER); + tup->rx_in_progress = 0; +- if (tup->rx_dma_chan && !tup->use_rx_pio) { +- dmaengine_terminate_all(tup->rx_dma_chan); +- dmaengine_tx_status(tup->rx_dma_chan, tup->rx_cookie, &state); +- tegra_uart_rx_buffer_push(tup, state.residue); +- } else { ++ ++ if (!tup->use_rx_pio) ++ tegra_uart_terminate_rx_dma(tup); ++ else + tegra_uart_handle_rx_pio(tup, port); +- } + } + + static void tegra_uart_hw_deinit(struct tegra_uart_port *tup) +@@ -1056,12 +1077,6 @@ static int tegra_uart_hw_init(struct tegra_uart_port *tup) + tup->lcr_shadow = TEGRA_UART_DEFAULT_LSR; + tup->fcr_shadow |= UART_FCR_DMA_SELECT; + tegra_uart_write(tup, tup->fcr_shadow, UART_FCR); +- +- ret = tegra_uart_start_rx_dma(tup); +- if (ret < 0) { +- dev_err(tup->uport.dev, "Not able to start Rx DMA\n"); +- return ret; +- } + } else { + tegra_uart_write(tup, tup->fcr_shadow, UART_FCR); + } +@@ -1071,10 +1086,6 @@ static int tegra_uart_hw_init(struct tegra_uart_port *tup) + * Enable IE_RXS for the receive status interrupts 
like line errros. + * Enable IE_RX_TIMEOUT to get the bytes which cannot be DMA'd. + * +- * If using DMA mode, enable EORD instead of receive interrupt which +- * will interrupt after the UART is done with the receive instead of +- * the interrupt when the FIFO "threshold" is reached. +- * + * EORD is different interrupt than RX_TIMEOUT - RX_TIMEOUT occurs when + * the DATA is sitting in the FIFO and couldn't be transferred to the + * DMA as the DMA size alignment (4 bytes) is not met. EORD will be +@@ -1085,11 +1096,14 @@ static int tegra_uart_hw_init(struct tegra_uart_port *tup) + * both the EORD as well as RX_TIMEOUT - SW sees RX_TIMEOUT first + * then the EORD. + */ ++ tup->ier_shadow = UART_IER_RLSI | UART_IER_RTOIE | UART_IER_RDI; ++ ++ /* ++ * If using DMA mode, enable EORD interrupt to notify about RX ++ * completion. ++ */ + if (!tup->use_rx_pio) +- tup->ier_shadow = UART_IER_RLSI | UART_IER_RTOIE | +- TEGRA_UART_IER_EORD; +- else +- tup->ier_shadow = UART_IER_RLSI | UART_IER_RTOIE | UART_IER_RDI; ++ tup->ier_shadow |= TEGRA_UART_IER_EORD; + + tegra_uart_write(tup, tup->ier_shadow, UART_IER); + return 0; +-- +2.35.1 + diff --git a/queue-5.4/udf-avoid-double-brelse-in-udf_rename.patch b/queue-5.4/udf-avoid-double-brelse-in-udf_rename.patch new file mode 100644 index 00000000000..c89f3612a53 --- /dev/null +++ b/queue-5.4/udf-avoid-double-brelse-in-udf_rename.patch 
@@ -0,0 +1,93 @@ +From afb93d812259e53a1cd953be995c7a8a9bbe034b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Oct 2022 18:57:41 +0900 +Subject: udf: Avoid double brelse() in udf_rename() + +From: Shigeru Yoshida + +[ Upstream commit c791730f2554a9ebb8f18df9368dc27d4ebc38c2 ] + +syzbot reported a warning like below [1]: + +VFS: brelse: Trying to free free buffer +WARNING: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0 +... +Call Trace: + + invalidate_bh_lru+0x99/0x150 + smp_call_function_many_cond+0xe2a/0x10c0 + ? generic_remap_file_range_prep+0x50/0x50 + ? __brelse+0xa0/0xa0 + ? __mutex_lock+0x21c/0x12d0 + ? smp_call_on_cpu+0x250/0x250 + ? rcu_read_lock_sched_held+0xb/0x60 + ? lock_release+0x587/0x810 + ? __brelse+0xa0/0xa0 + ? generic_remap_file_range_prep+0x50/0x50 + on_each_cpu_cond_mask+0x3c/0x80 + blkdev_flush_mapping+0x13a/0x2f0 + blkdev_put_whole+0xd3/0xf0 + blkdev_put+0x222/0x760 + deactivate_locked_super+0x96/0x160 + deactivate_super+0xda/0x100 + cleanup_mnt+0x222/0x3d0 + task_work_run+0x149/0x240 + ? task_work_cancel+0x30/0x30 + do_exit+0xb29/0x2a40 + ? reacquire_held_locks+0x4a0/0x4a0 + ? do_raw_spin_lock+0x12a/0x2b0 + ? mm_update_next_owner+0x7c0/0x7c0 + ? rwlock_bug.part.0+0x90/0x90 + ? zap_other_threads+0x234/0x2d0 + do_group_exit+0xd0/0x2a0 + __x64_sys_exit_group+0x3a/0x50 + do_syscall_64+0x34/0xb0 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The cause of the issue is that brelse() is called on both ofibh.sbh +and ofibh.ebh by udf_find_entry() when it returns NULL. However, +brelse() is called by udf_rename(), too. So, b_count on buffer_head +becomes unbalanced. + +This patch fixes the issue by not calling brelse() by udf_rename() +when udf_find_entry() returns NULL. 
+ +Link: https://syzkaller.appspot.com/bug?id=8297f45698159c6bca8a1f87dc983667c1a1c851 [1] +Reported-by: syzbot+7902cd7684bc35306224@syzkaller.appspotmail.com +Signed-off-by: Shigeru Yoshida +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20221023095741.271430-1-syoshida@redhat.com +Signed-off-by: Sasha Levin +--- + fs/udf/namei.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/udf/namei.c b/fs/udf/namei.c +index 1f418d68e2ee..c062b41a1e70 100644 +--- a/fs/udf/namei.c ++++ b/fs/udf/namei.c +@@ -1091,8 +1091,9 @@ static int udf_rename(struct inode *old_dir, struct dentry *old_dentry, + return -EINVAL; + + ofi = udf_find_entry(old_dir, &old_dentry->d_name, &ofibh, &ocfi); +- if (IS_ERR(ofi)) { +- retval = PTR_ERR(ofi); ++ if (!ofi || IS_ERR(ofi)) { ++ if (IS_ERR(ofi)) ++ retval = PTR_ERR(ofi); + goto end_rename; + } + +@@ -1101,8 +1102,7 @@ static int udf_rename(struct inode *old_dir, struct dentry *old_dentry, + + brelse(ofibh.sbh); + tloc = lelb_to_cpu(ocfi.icb.extLocation); +- if (!ofi || udf_get_lb_pblock(old_dir->i_sb, &tloc, 0) +- != old_inode->i_ino) ++ if (udf_get_lb_pblock(old_dir->i_sb, &tloc, 0) != old_inode->i_ino) + goto end_rename; + + nfi = udf_find_entry(new_dir, &new_dentry->d_name, &nfibh, &ncfi); +-- +2.35.1 + diff --git a/queue-5.4/uio-uio_dmem_genirq-fix-deadlock-between-irq-config-.patch b/queue-5.4/uio-uio_dmem_genirq-fix-deadlock-between-irq-config-.patch new file mode 100644 index 00000000000..37413cfa5a4 --- /dev/null +++ b/queue-5.4/uio-uio_dmem_genirq-fix-deadlock-between-irq-config-.patch 
@@ -0,0 +1,64 @@ +From 529cf225f8f1acbb1c90d2d578a0dc8d8a415e63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 19:40:58 -0300 +Subject: uio: uio_dmem_genirq: Fix deadlock between irq config and handling + +From: Rafael Mendonca + +[ Upstream commit 118b918018175d9fcd8db667f905012e986cc2c9 ] + +This fixes a concurrency issue addressed in commit 34cb27528398 ("UIO: Fix +concurrency issue"): + + "In a SMP case there was a race condition issue between + Uio_pdrv_genirq_irqcontrol() running on one CPU and irq handler on + another CPU. Fix it by spin_locking shared resources access inside irq + handler." + +The implementation of "uio_dmem_genirq" was based on "uio_pdrv_genirq" and +it is used in a similar manner to the "uio_pdrv_genirq" driver with respect +to interrupt configuration and handling. At the time "uio_dmem_genirq" was +merged, both had the same implementation of the 'uio_info' handlers +irqcontrol() and handler(), thus, both had the same concurrency issue +mentioned by the above commit. However, the above patch was only applied to +the "uio_pdrv_genirq" driver. + +Split out from commit 34cb27528398 ("UIO: Fix concurrency issue"). + +Fixes: 0a0c3b5a24bd ("Add new uio device for dynamic memory allocation") +Signed-off-by: Rafael Mendonca +Link: https://lore.kernel.org/r/20220930224100.816175-3-rafaelmendsr@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/uio/uio_dmem_genirq.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/uio/uio_dmem_genirq.c b/drivers/uio/uio_dmem_genirq.c +index 588b88fdb0c4..39dbd8c56249 100644 +--- a/drivers/uio/uio_dmem_genirq.c ++++ b/drivers/uio/uio_dmem_genirq.c +@@ -110,8 +110,10 @@ static irqreturn_t uio_dmem_genirq_handler(int irq, struct uio_info *dev_info) + * remember the state so we can allow user space to enable it later. 
+ */ + ++ spin_lock(&priv->lock); + if (!test_and_set_bit(0, &priv->flags)) + disable_irq_nosync(irq); ++ spin_unlock(&priv->lock); + + return IRQ_HANDLED; + } +@@ -125,7 +127,8 @@ static int uio_dmem_genirq_irqcontrol(struct uio_info *dev_info, s32 irq_on) + * in the interrupt controller, but keep track of the + * state to prevent per-irq depth damage. + * +- * Serialize this operation to support multiple tasks. ++ * Serialize this operation to support multiple tasks and concurrency ++ * with irq handler on SMP systems. + */ + + spin_lock_irqsave(&priv->lock, flags); +-- +2.35.1 + diff --git a/queue-5.4/uio-uio_dmem_genirq-fix-missing-unlock-in-irq-config.patch b/queue-5.4/uio-uio_dmem_genirq-fix-missing-unlock-in-irq-config.patch new file mode 100644 index 00000000000..5566f9072e1 --- /dev/null +++ b/queue-5.4/uio-uio_dmem_genirq-fix-missing-unlock-in-irq-config.patch 
@@ -0,0 +1,127 @@ +From ca10e3ed88c44710c191b344bd80a55c3ac02bd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 19:40:57 -0300 +Subject: uio: uio_dmem_genirq: Fix missing unlock in irq configuration + +From: Rafael Mendonca + +[ Upstream commit 9de255c461d1b3f0242b3ad1450c3323a3e00b34 ] + +Commit b74351287d4b ("uio: fix a sleep-in-atomic-context bug in +uio_dmem_genirq_irqcontrol()") started calling disable_irq() without +holding the spinlock because it can sleep. However, that fix introduced +another bug: if interrupt is already disabled and a new disable request +comes in, then the spinlock is not unlocked: + +root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0 +root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0 +root@localhost:~# [ 14.851538] BUG: scheduling while atomic: bash/223/0x00000002 +[ 14.851991] Modules linked in: uio_dmem_genirq uio myfpga(OE) bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper drm snd_pcm ppdev joydev psmouse snd_timer snd e1000fb_sys_fops syscopyarea parport sysfillrect soundcore sysimgblt input_leds pcspkr i2c_piix4 serio_raw floppy evbug qemu_fw_cfg mac_hid pata_acpi ip_tables x_tables autofs4 [last unloaded: parport_pc] +[ 14.854206] CPU: 0 PID: 223 Comm: bash Tainted: G OE 6.0.0-rc7 #21 +[ 14.854786] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +[ 14.855664] Call Trace: +[ 14.855861] +[ 14.856025] dump_stack_lvl+0x4d/0x67 +[ 14.856325] dump_stack+0x14/0x1a +[ 14.856583] __schedule_bug.cold+0x4b/0x5c +[ 14.856915] __schedule+0xe81/0x13d0 +[ 14.857199] ? idr_find+0x13/0x20 +[ 14.857456] ? get_work_pool+0x2d/0x50 +[ 14.857756] ? __flush_work+0x233/0x280 +[ 14.858068] ? __schedule+0xa95/0x13d0 +[ 14.858307] ? idr_find+0x13/0x20 +[ 14.858519] ? get_work_pool+0x2d/0x50 +[ 14.858798] schedule+0x6c/0x100 +[ 14.859009] schedule_hrtimeout_range_clock+0xff/0x110 +[ 14.859335] ? tty_write_room+0x1f/0x30 +[ 14.859598] ? 
n_tty_poll+0x1ec/0x220 +[ 14.859830] ? tty_ldisc_deref+0x1a/0x20 +[ 14.860090] schedule_hrtimeout_range+0x17/0x20 +[ 14.860373] do_select+0x596/0x840 +[ 14.860627] ? __kernel_text_address+0x16/0x50 +[ 14.860954] ? poll_freewait+0xb0/0xb0 +[ 14.861235] ? poll_freewait+0xb0/0xb0 +[ 14.861517] ? rpm_resume+0x49d/0x780 +[ 14.861798] ? common_interrupt+0x59/0xa0 +[ 14.862127] ? asm_common_interrupt+0x2b/0x40 +[ 14.862511] ? __uart_start.isra.0+0x61/0x70 +[ 14.862902] ? __check_object_size+0x61/0x280 +[ 14.863255] core_sys_select+0x1c6/0x400 +[ 14.863575] ? vfs_write+0x1c9/0x3d0 +[ 14.863853] ? vfs_write+0x1c9/0x3d0 +[ 14.864121] ? _copy_from_user+0x45/0x70 +[ 14.864526] do_pselect.constprop.0+0xb3/0xf0 +[ 14.864893] ? do_syscall_64+0x6d/0x90 +[ 14.865228] ? do_syscall_64+0x6d/0x90 +[ 14.865556] __x64_sys_pselect6+0x76/0xa0 +[ 14.865906] do_syscall_64+0x60/0x90 +[ 14.866214] ? syscall_exit_to_user_mode+0x2a/0x50 +[ 14.866640] ? do_syscall_64+0x6d/0x90 +[ 14.866972] ? do_syscall_64+0x6d/0x90 +[ 14.867286] ? do_syscall_64+0x6d/0x90 +[ 14.867626] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[...] stripped +[ 14.872959] + +('myfpga' is a simple 'uio_dmem_genirq' driver I wrote to test this) + +The implementation of "uio_dmem_genirq" was based on "uio_pdrv_genirq" and +it is used in a similar manner to the "uio_pdrv_genirq" driver with respect +to interrupt configuration and handling. At the time "uio_dmem_genirq" was +introduced, both had the same implementation of the 'uio_info' handlers +irqcontrol() and handler(). Then commit 34cb27528398 ("UIO: Fix concurrency +issue"), which was only applied to "uio_pdrv_genirq", ended up making them +a little different. That commit, among other things, changed disable_irq() +to disable_irq_nosync() in the implementation of irqcontrol(). The +motivation there was to avoid a deadlock between irqcontrol() and +handler(), since it added a spinlock in the irq handler, and disable_irq() +waits for the completion of the irq handler. 
+ +By changing disable_irq() to disable_irq_nosync() in irqcontrol(), we also +avoid the sleeping-while-atomic bug that commit b74351287d4b ("uio: fix a +sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") was trying to +fix. Thus, this fixes the missing unlock in irqcontrol() by importing the +implementation of irqcontrol() handler from the "uio_pdrv_genirq" driver. +In the end, it reverts commit b74351287d4b ("uio: fix a +sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") and change +disable_irq() to disable_irq_nosync(). + +It is worth noting that this still does not address the concurrency issue +fixed by commit 34cb27528398 ("UIO: Fix concurrency issue"). It will be +addressed separately in the next commits. + +Split out from commit 34cb27528398 ("UIO: Fix concurrency issue"). + +Fixes: b74351287d4b ("uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") +Signed-off-by: Rafael Mendonca +Link: https://lore.kernel.org/r/20220930224100.816175-2-rafaelmendsr@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/uio/uio_dmem_genirq.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/uio/uio_dmem_genirq.c b/drivers/uio/uio_dmem_genirq.c +index 44858f70f5f5..588b88fdb0c4 100644 +--- a/drivers/uio/uio_dmem_genirq.c ++++ b/drivers/uio/uio_dmem_genirq.c +@@ -132,13 +132,11 @@ static int uio_dmem_genirq_irqcontrol(struct uio_info *dev_info, s32 irq_on) + if (irq_on) { + if (test_and_clear_bit(0, &priv->flags)) + enable_irq(dev_info->irq); +- spin_unlock_irqrestore(&priv->lock, flags); + } else { +- if (!test_and_set_bit(0, &priv->flags)) { +- spin_unlock_irqrestore(&priv->lock, flags); +- disable_irq(dev_info->irq); +- } ++ if (!test_and_set_bit(0, &priv->flags)) ++ disable_irq_nosync(dev_info->irq); + } ++ spin_unlock_irqrestore(&priv->lock, flags); + + return 0; + } +-- +2.35.1 + 
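Review bot: in uio_dmem_genirq_irqcontrol() the switch to disable_irq_nosync() under priv->lock fixes the missing unlock, but disable_irq_nosync() does not wait for a handler that is already running, and at this point in the series uio_dmem_genirq_handler() still updates priv->flags without taking the lock. The commit message says the concurrency issue is left for later commits, so in the stable queue this patch should travel together with the companion "Fix deadlock between irq config and handling" patch, whose index line (588b88fdb0c4..39dbd8c56249) shows it applies on top of this one. A comment at the disable_irq_nosync() call stating that the synchronous variant must not be used while the spinlock is held would guard against a later well-meant revert.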
diff --git a/queue-5.4/uprobes-x86-allow-to-probe-a-nop-instruction-with-0x.patch b/queue-5.4/uprobes-x86-allow-to-probe-a-nop-instruction-with-0x.patch new file mode 100644 index 00000000000..07199afc0ba --- /dev/null +++ b/queue-5.4/uprobes-x86-allow-to-probe-a-nop-instruction-with-0x.patch 
@@ -0,0 +1,53 @@ +From aa110826ab1b5045428a706730183cd31dc31b98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Dec 2022 18:39:33 +0100 +Subject: uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix + +From: Oleg Nesterov + +[ Upstream commit cefa72129e45313655d53a065b8055aaeb01a0c9 ] + +Intel ICC -hotpatch inserts 2-byte "0x66 0x90" NOP at the start of each +function to reserve extra space for hot-patching, and currently it is not +possible to probe these functions because branch_setup_xol_ops() wrongly +rejects NOP with REP prefix as it treats them like word-sized branch +instructions. + +Fixes: 250bbd12c2fe ("uprobes/x86: Refuse to attach uprobe to "word-sized" branch insns") +Reported-by: Seiji Nishikawa +Suggested-by: Denys Vlasenko +Signed-off-by: Oleg Nesterov +Signed-off-by: Thomas Gleixner +Acked-by: Masami Hiramatsu (Google) +Link: https://lore.kernel.org/r/20221204173933.GA31544@redhat.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/uprobes.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c +index fae5b00cbccf..f51fc7fde3a0 100644 +--- a/arch/x86/kernel/uprobes.c ++++ b/arch/x86/kernel/uprobes.c +@@ -722,8 +722,9 @@ static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn) + switch (opc1) { + case 0xeb: /* jmp 8 */ + case 0xe9: /* jmp 32 */ +- case 0x90: /* prefix* + nop; same as jmp with .offs = 0 */ + break; ++ case 0x90: /* prefix* + nop; same as jmp with .offs = 0 */ ++ goto setup; + + case 0xe8: /* call relative */ + branch_clear_offset(auprobe, insn); +@@ -753,6 +754,7 @@ static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn) + return -ENOTSUPP; + } + ++setup: + auprobe->branch.opc1 = opc1; + auprobe->branch.ilen = insn->length; + auprobe->branch.offs = insn->immediate.value; +-- +2.35.1 + 
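Review bot: in branch_setup_xol_ops() the new `goto setup;` under `case 0x90` skips everything between the end of the switch and the `setup:` label, not only the prefix rejection the commit message is about; a comment at the goto saying that a NOP is emulated as a jump with offset 0 and is therefore exempt from the checks applied to real branches would make clear the bypass is intentional. The commit message body also speaks of a "REP prefix" while the subject says "0x66 prefix"; 0x66 is the operand-size override, so the two descriptions do not match and the subject is the one that agrees with the "0x66 0x90" sequence quoted in the message.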
diff --git a/queue-5.4/usb-fotg210-udc-fix-ages-old-endianness-issues.patch b/queue-5.4/usb-fotg210-udc-fix-ages-old-endianness-issues.patch new file mode 100644 index 00000000000..b0bdfc2c8d1 --- /dev/null +++ b/queue-5.4/usb-fotg210-udc-fix-ages-old-endianness-issues.patch 
@@ -0,0 +1,71 @@ +From abded495d73d65106f48c5680a77b617417d51ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 10:03:17 +0100 +Subject: usb: fotg210-udc: Fix ages old endianness issues + +From: Linus Walleij + +[ Upstream commit 46ed6026ca2181c917c8334a82e3eaf40a6234dd ] + +The code in the FOTG210 driver isn't entirely endianness-agnostic +as reported by the kernel robot sparse testing. This came to +the surface while moving the files around. + +The driver is only used on little-endian systems, so this causes +no real-world regression, but it is nice to be strict and have +some compile coverage also on big endian machines, so fix it +up with the right LE accessors. + +Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver") +Reported-by: kernel test robot +Link: https://lore.kernel.org/linux-usb/202211110910.0dJ7nZCn-lkp@intel.com/ +Signed-off-by: Linus Walleij +Link: https://lore.kernel.org/r/20221111090317.94228-1-linus.walleij@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/fotg210-udc.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c +index c313d07ec16f..30389e966e42 100644 +--- a/drivers/usb/gadget/udc/fotg210-udc.c ++++ b/drivers/usb/gadget/udc/fotg210-udc.c +@@ -629,10 +629,10 @@ static void fotg210_request_error(struct fotg210_udc *fotg210) + static void fotg210_set_address(struct fotg210_udc *fotg210, + struct usb_ctrlrequest *ctrl) + { +- if (ctrl->wValue >= 0x0100) { ++ if (le16_to_cpu(ctrl->wValue) >= 0x0100) { + fotg210_request_error(fotg210); + } else { +- fotg210_set_dev_addr(fotg210, ctrl->wValue); ++ fotg210_set_dev_addr(fotg210, le16_to_cpu(ctrl->wValue)); + fotg210_set_cxdone(fotg210); + } + } +@@ -713,17 +713,17 @@ static void fotg210_get_status(struct fotg210_udc *fotg210, + + switch (ctrl->bRequestType & USB_RECIP_MASK) { + case USB_RECIP_DEVICE: 
+- fotg210->ep0_data = 1 << USB_DEVICE_SELF_POWERED; ++ fotg210->ep0_data = cpu_to_le16(1 << USB_DEVICE_SELF_POWERED); + break; + case USB_RECIP_INTERFACE: +- fotg210->ep0_data = 0; ++ fotg210->ep0_data = cpu_to_le16(0); + break; + case USB_RECIP_ENDPOINT: + epnum = ctrl->wIndex & USB_ENDPOINT_NUMBER_MASK; + if (epnum) + fotg210->ep0_data = +- fotg210_is_epnstall(fotg210->ep[epnum]) +- << USB_ENDPOINT_HALT; ++ cpu_to_le16(fotg210_is_epnstall(fotg210->ep[epnum]) ++ << USB_ENDPOINT_HALT); + else + fotg210_request_error(fotg210); + break; +-- +2.35.1 + diff --git a/queue-5.4/usb-gadget-f_hid-fix-f_hidg-lifetime-vs-cdev.patch b/queue-5.4/usb-gadget-f_hid-fix-f_hidg-lifetime-vs-cdev.patch new file mode 100644 index 00000000000..2412a01c2ea --- /dev/null +++ b/queue-5.4/usb-gadget-f_hid-fix-f_hidg-lifetime-vs-cdev.patch 
@@ -0,0 +1,164 @@ +From 33ecf2965f6872135f300339b29401b359f3729c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 12:35:21 +0000 +Subject: usb: gadget: f_hid: fix f_hidg lifetime vs cdev + +From: John Keeping + +[ Upstream commit 89ff3dfac604614287ad5aad9370c3f984ea3f4b ] + +The embedded struct cdev does not have its lifetime correctly tied to +the enclosing struct f_hidg, so there is a use-after-free if /dev/hidgN +is held open while the gadget is deleted. + +This can readily be replicated with libusbgx's example programs (for +conciseness - operating directly via configfs is equivalent): + + gadget-hid + exec 3<> /dev/hidg0 + gadget-vid-pid-remove + exec 3<&- + +Pull the existing device up in to struct f_hidg and make use of the +cdev_device_{add,del}() helpers. This changes the lifetime of the +device object to match struct f_hidg, but note that it is still added +and deleted at the same time. + +Fixes: 71adf1189469 ("USB: gadget: add HID gadget driver") +Tested-by: Lee Jones +Reviewed-by: Andrzej Pietrasiewicz +Reviewed-by: Lee Jones +Signed-off-by: John Keeping +Link: https://lore.kernel.org/r/20221122123523.3068034-2-john@metanate.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_hid.c | 52 ++++++++++++++++------------- + 1 file changed, 28 insertions(+), 24 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c +index 6fb2e1f560ec..464e0b376f7f 100644 +--- a/drivers/usb/gadget/function/f_hid.c ++++ b/drivers/usb/gadget/function/f_hid.c +@@ -71,7 +71,7 @@ struct f_hidg { + wait_queue_head_t write_queue; + struct usb_request *req; + +- int minor; ++ struct device dev; + struct cdev cdev; + struct usb_function func; + +@@ -84,6 +84,14 @@ static inline struct f_hidg *func_to_hidg(struct usb_function *f) + return container_of(f, struct f_hidg, func); + } + ++static void hidg_release(struct device *dev) ++{ ++ struct f_hidg *hidg = 
container_of(dev, struct f_hidg, dev); ++ ++ kfree(hidg->set_report_buf); ++ kfree(hidg); ++} ++ + /*-------------------------------------------------------------------------*/ + /* Static descriptors */ + +@@ -910,9 +918,7 @@ static int hidg_bind(struct usb_configuration *c, struct usb_function *f) + struct usb_ep *ep; + struct f_hidg *hidg = func_to_hidg(f); + struct usb_string *us; +- struct device *device; + int status; +- dev_t dev; + + /* maybe allocate device-global string IDs, and patch descriptors */ + us = usb_gstrings_attach(c->cdev, ct_func_strings, +@@ -1005,21 +1011,11 @@ static int hidg_bind(struct usb_configuration *c, struct usb_function *f) + + /* create char device */ + cdev_init(&hidg->cdev, &f_hidg_fops); +- dev = MKDEV(major, hidg->minor); +- status = cdev_add(&hidg->cdev, dev, 1); ++ status = cdev_device_add(&hidg->cdev, &hidg->dev); + if (status) + goto fail_free_descs; + +- device = device_create(hidg_class, NULL, dev, NULL, +- "%s%d", "hidg", hidg->minor); +- if (IS_ERR(device)) { +- status = PTR_ERR(device); +- goto del; +- } +- + return 0; +-del: +- cdev_del(&hidg->cdev); + fail_free_descs: + usb_free_all_descriptors(f); + fail: +@@ -1250,9 +1246,7 @@ static void hidg_free(struct usb_function *f) + + hidg = func_to_hidg(f); + opts = container_of(f->fi, struct f_hid_opts, func_inst); +- kfree(hidg->report_desc); +- kfree(hidg->set_report_buf); +- kfree(hidg); ++ put_device(&hidg->dev); + mutex_lock(&opts->lock); + --opts->refcnt; + mutex_unlock(&opts->lock); +@@ -1262,8 +1256,7 @@ static void hidg_unbind(struct usb_configuration *c, struct usb_function *f) + { + struct f_hidg *hidg = func_to_hidg(f); + +- device_destroy(hidg_class, MKDEV(major, hidg->minor)); +- cdev_del(&hidg->cdev); ++ cdev_device_del(&hidg->cdev, &hidg->dev); + + usb_free_all_descriptors(f); + } +@@ -1272,6 +1265,7 @@ static struct usb_function *hidg_alloc(struct usb_function_instance *fi) + { + struct f_hidg *hidg; + struct f_hid_opts *opts; ++ int ret; + + /* 
allocate and initialize one new instance */ + hidg = kzalloc(sizeof(*hidg), GFP_KERNEL); +@@ -1283,17 +1277,27 @@ static struct usb_function *hidg_alloc(struct usb_function_instance *fi) + mutex_lock(&opts->lock); + ++opts->refcnt; + +- hidg->minor = opts->minor; ++ device_initialize(&hidg->dev); ++ hidg->dev.release = hidg_release; ++ hidg->dev.class = hidg_class; ++ hidg->dev.devt = MKDEV(major, opts->minor); ++ ret = dev_set_name(&hidg->dev, "hidg%d", opts->minor); ++ if (ret) { ++ --opts->refcnt; ++ mutex_unlock(&opts->lock); ++ return ERR_PTR(ret); ++ } ++ + hidg->bInterfaceSubClass = opts->subclass; + hidg->bInterfaceProtocol = opts->protocol; + hidg->report_length = opts->report_length; + hidg->report_desc_length = opts->report_desc_length; + if (opts->report_desc) { +- hidg->report_desc = kmemdup(opts->report_desc, +- opts->report_desc_length, +- GFP_KERNEL); ++ hidg->report_desc = devm_kmemdup(&hidg->dev, opts->report_desc, ++ opts->report_desc_length, ++ GFP_KERNEL); + if (!hidg->report_desc) { +- kfree(hidg); ++ put_device(&hidg->dev); + mutex_unlock(&opts->lock); + return ERR_PTR(-ENOMEM); + } +-- +2.35.1 + diff --git a/queue-5.4/usb-gadget-f_hid-fix-refcount-leak-on-error-path.patch b/queue-5.4/usb-gadget-f_hid-fix-refcount-leak-on-error-path.patch new file mode 100644 index 00000000000..40e5f1efc21 --- /dev/null +++ b/queue-5.4/usb-gadget-f_hid-fix-refcount-leak-on-error-path.patch 
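Review bot: in hidg_alloc() of the "fix f_hidg lifetime vs cdev" patch, the new dev_set_name() failure branch decrements opts->refcnt and unlocks but returns without put_device(&hidg->dev), so the kzalloc'd hidg is never released once device_initialize() has run; hidg_release() is the only place that frees it. Add put_device(&hidg->dev) to that branch, as the report_desc failure branch below it already does. That second branch has the opposite gap in this patch: it calls put_device() but leaves opts->refcnt incremented.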
@@ -0,0 +1,40 @@ +From 3008ffbc4d9813364ec430a9111e839726d3b15c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 12:35:22 +0000 +Subject: usb: gadget: f_hid: fix refcount leak on error path + +From: John Keeping + +[ Upstream commit 70a3288a7586526315105c699b687d78cd32559a ] + +When failing to allocate report_desc, opts->refcnt has already been +incremented so it needs to be decremented to avoid leaving the options +structure permanently locked. + +Fixes: 21a9476a7ba8 ("usb: gadget: hid: add configfs support") +Tested-by: Lee Jones +Reviewed-by: Andrzej Pietrasiewicz +Reviewed-by: Lee Jones +Signed-off-by: John Keeping +Link: https://lore.kernel.org/r/20221122123523.3068034-3-john@metanate.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_hid.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c +index 464e0b376f7f..c9d61d4dc9f5 100644 +--- a/drivers/usb/gadget/function/f_hid.c ++++ b/drivers/usb/gadget/function/f_hid.c +@@ -1298,6 +1298,7 @@ static struct usb_function *hidg_alloc(struct usb_function_instance *fi) + GFP_KERNEL); + if (!hidg->report_desc) { + put_device(&hidg->dev); ++ --opts->refcnt; + mutex_unlock(&opts->lock); + return ERR_PTR(-ENOMEM); + } +-- +2.35.1 + diff --git a/queue-5.4/usb-gadget-f_hid-optional-setup-set_report-mode.patch b/queue-5.4/usb-gadget-f_hid-optional-setup-set_report-mode.patch new file mode 100644 index 00000000000..f6afff6089e --- /dev/null +++ b/queue-5.4/usb-gadget-f_hid-optional-setup-set_report-mode.patch 
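Review bot: the context line "put_device(&hidg->dev);" and the base blob 464e0b376f7f in the hidg_alloc() hunk of the "fix refcount leak on error path" patch exist only after the "fix f_hidg lifetime vs cdev" patch, so this patch has to stay queued after it even though its Fixes: tag names the older commit 21a9476a7ba8. With this change hidg_alloc() open-codes the "--opts->refcnt; mutex_unlock(&opts->lock);" unwind in more than one failure branch; a shared error label would keep the branches from drifting apart again.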
@@ -0,0 +1,508 @@ +From ebc8e1be917d77a3625fb0b9d4b19ec26c38ec1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Aug 2021 16:40:04 +0300 +Subject: usb: gadget: f_hid: optional SETUP/SET_REPORT mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maxim Devaev + +[ Upstream commit d7428bc26fc767942c38d74b80299bcd4f01e7cb ] + +f_hid provides the OUT Endpoint as only way for receiving reports +from the host. SETUP/SET_REPORT method is not supported, and this causes +a number of compatibility problems with various host drivers, especially +in the case of keyboard emulation using f_hid. + + - Some hosts do not support the OUT Endpoint and ignore it, + so it becomes impossible for the gadget to receive a report + from the host. In the case of a keyboard, the gadget loses + the ability to receive the status of the LEDs. + + - Some BIOSes/UEFIs can't work with HID devices with the OUT Endpoint + at all. This may be due to their bugs or incomplete implementation + of the HID standard. + For example, absolutely all Apple UEFIs can't handle the OUT Endpoint + if it goes after IN Endpoint in the descriptor and require the reverse + order (OUT, IN) which is a violation of the standard. + Other hosts either do not initialize gadgets with a descriptor + containing the OUT Endpoint completely (like some HP and DELL BIOSes + and embedded firmwares like on KVM switches), or initialize them, + but will not poll the IN Endpoint. + +This patch adds configfs option no_out_endpoint=1 to disable +the OUT Endpoint and allows f_hid to receive reports from the host +via SETUP/SET_REPORT. + +Previously, there was such a feature in f_hid, but it was replaced +by the OUT Endpoint [1] in the commit 99c515005857 ("usb: gadget: hidg: +register OUT INT endpoint for SET_REPORT"). So this patch actually +returns the removed functionality while making it optional. 
+For backward compatibility reasons, the OUT Endpoint mode remains +the default behaviour. + + - The OUT Endpoint mode provides the report queue and reduces + USB overhead (eliminating SETUP routine) on transmitting a report + from the host. + + - If the SETUP/SET_REPORT mode is used, there is no report queue, + so the userspace will only read last report. For classic HID devices + like keyboards this is not a problem, since it's intended to transmit + the status of the LEDs and only the last report is important. + This mode provides better compatibility with strange and buggy + host drivers. + +Both modes passed USBCV tests. Checking with the USB protocol analyzer +also confirmed that everything is working as it should and the new mode +ensures operability in all of the described cases. + +Link: https://www.spinics.net/lists/linux-usb/msg65494.html [1] +Reviewed-by: Maciej Żenczykowski +Acked-by: Felipe Balbi +Signed-off-by: Maxim Devaev +Link: https://lore.kernel.org/r/20210821134004.363217-1-mdevaev@gmail.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 89ff3dfac604 ("usb: gadget: f_hid: fix f_hidg lifetime vs cdev") +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_hid.c | 220 +++++++++++++++++++++++----- + drivers/usb/gadget/function/u_hid.h | 1 + + 2 files changed, 188 insertions(+), 33 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c +index e4d71410a4b1..6fb2e1f560ec 100644 +--- a/drivers/usb/gadget/function/f_hid.c ++++ b/drivers/usb/gadget/function/f_hid.c +@@ -45,12 +45,25 @@ struct f_hidg { + unsigned short report_desc_length; + char *report_desc; + unsigned short report_length; ++ /* ++ * use_out_ep - if true, the OUT Endpoint (interrupt out method) ++ * will be used to receive reports from the host ++ * using functions with the "intout" suffix. 
++ * Otherwise, the OUT Endpoint will not be configured ++ * and the SETUP/SET_REPORT method ("ssreport" suffix) ++ * will be used to receive reports. ++ */ ++ bool use_out_ep; + + /* recv report */ +- struct list_head completed_out_req; + spinlock_t read_spinlock; + wait_queue_head_t read_queue; ++ /* recv report - interrupt out only (use_out_ep == 1) */ ++ struct list_head completed_out_req; + unsigned int qlen; ++ /* recv report - setup set_report only (use_out_ep == 0) */ ++ char *set_report_buf; ++ unsigned int set_report_length; + + /* send report */ + spinlock_t write_spinlock; +@@ -79,7 +92,7 @@ static struct usb_interface_descriptor hidg_interface_desc = { + .bDescriptorType = USB_DT_INTERFACE, + /* .bInterfaceNumber = DYNAMIC */ + .bAlternateSetting = 0, +- .bNumEndpoints = 2, ++ /* .bNumEndpoints = DYNAMIC (depends on use_out_ep) */ + .bInterfaceClass = USB_CLASS_HID, + /* .bInterfaceSubClass = DYNAMIC */ + /* .bInterfaceProtocol = DYNAMIC */ +@@ -140,7 +153,7 @@ static struct usb_ss_ep_comp_descriptor hidg_ss_out_comp_desc = { + /* .wBytesPerInterval = DYNAMIC */ + }; + +-static struct usb_descriptor_header *hidg_ss_descriptors[] = { ++static struct usb_descriptor_header *hidg_ss_descriptors_intout[] = { + (struct usb_descriptor_header *)&hidg_interface_desc, + (struct usb_descriptor_header *)&hidg_desc, + (struct usb_descriptor_header *)&hidg_ss_in_ep_desc, +@@ -150,6 +163,14 @@ static struct usb_descriptor_header *hidg_ss_descriptors[] = { + NULL, + }; + ++static struct usb_descriptor_header *hidg_ss_descriptors_ssreport[] = { ++ (struct usb_descriptor_header *)&hidg_interface_desc, ++ (struct usb_descriptor_header *)&hidg_desc, ++ (struct usb_descriptor_header *)&hidg_ss_in_ep_desc, ++ (struct usb_descriptor_header *)&hidg_ss_in_comp_desc, ++ NULL, ++}; ++ + /* High-Speed Support */ + + static struct usb_endpoint_descriptor hidg_hs_in_ep_desc = { +@@ -176,7 +197,7 @@ static struct usb_endpoint_descriptor hidg_hs_out_ep_desc = { + */ + }; + +-static 
struct usb_descriptor_header *hidg_hs_descriptors[] = { ++static struct usb_descriptor_header *hidg_hs_descriptors_intout[] = { + (struct usb_descriptor_header *)&hidg_interface_desc, + (struct usb_descriptor_header *)&hidg_desc, + (struct usb_descriptor_header *)&hidg_hs_in_ep_desc, +@@ -184,6 +205,13 @@ static struct usb_descriptor_header *hidg_hs_descriptors[] = { + NULL, + }; + ++static struct usb_descriptor_header *hidg_hs_descriptors_ssreport[] = { ++ (struct usb_descriptor_header *)&hidg_interface_desc, ++ (struct usb_descriptor_header *)&hidg_desc, ++ (struct usb_descriptor_header *)&hidg_hs_in_ep_desc, ++ NULL, ++}; ++ + /* Full-Speed Support */ + + static struct usb_endpoint_descriptor hidg_fs_in_ep_desc = { +@@ -210,7 +238,7 @@ static struct usb_endpoint_descriptor hidg_fs_out_ep_desc = { + */ + }; + +-static struct usb_descriptor_header *hidg_fs_descriptors[] = { ++static struct usb_descriptor_header *hidg_fs_descriptors_intout[] = { + (struct usb_descriptor_header *)&hidg_interface_desc, + (struct usb_descriptor_header *)&hidg_desc, + (struct usb_descriptor_header *)&hidg_fs_in_ep_desc, +@@ -218,6 +246,13 @@ static struct usb_descriptor_header *hidg_fs_descriptors[] = { + NULL, + }; + ++static struct usb_descriptor_header *hidg_fs_descriptors_ssreport[] = { ++ (struct usb_descriptor_header *)&hidg_interface_desc, ++ (struct usb_descriptor_header *)&hidg_desc, ++ (struct usb_descriptor_header *)&hidg_fs_in_ep_desc, ++ NULL, ++}; ++ + /*-------------------------------------------------------------------------*/ + /* Strings */ + +@@ -241,8 +276,8 @@ static struct usb_gadget_strings *ct_func_strings[] = { + /*-------------------------------------------------------------------------*/ + /* Char Device */ + +-static ssize_t f_hidg_read(struct file *file, char __user *buffer, +- size_t count, loff_t *ptr) ++static ssize_t f_hidg_intout_read(struct file *file, char __user *buffer, ++ size_t count, loff_t *ptr) + { + struct f_hidg *hidg = file->private_data; + 
struct f_hidg_req_list *list; +@@ -258,15 +293,15 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer, + + spin_lock_irqsave(&hidg->read_spinlock, flags); + +-#define READ_COND (!list_empty(&hidg->completed_out_req)) ++#define READ_COND_INTOUT (!list_empty(&hidg->completed_out_req)) + + /* wait for at least one buffer to complete */ +- while (!READ_COND) { ++ while (!READ_COND_INTOUT) { + spin_unlock_irqrestore(&hidg->read_spinlock, flags); + if (file->f_flags & O_NONBLOCK) + return -EAGAIN; + +- if (wait_event_interruptible(hidg->read_queue, READ_COND)) ++ if (wait_event_interruptible(hidg->read_queue, READ_COND_INTOUT)) + return -ERESTARTSYS; + + spin_lock_irqsave(&hidg->read_spinlock, flags); +@@ -316,6 +351,60 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer, + return count; + } + ++#define READ_COND_SSREPORT (hidg->set_report_buf != NULL) ++ ++static ssize_t f_hidg_ssreport_read(struct file *file, char __user *buffer, ++ size_t count, loff_t *ptr) ++{ ++ struct f_hidg *hidg = file->private_data; ++ char *tmp_buf = NULL; ++ unsigned long flags; ++ ++ if (!count) ++ return 0; ++ ++ spin_lock_irqsave(&hidg->read_spinlock, flags); ++ ++ while (!READ_COND_SSREPORT) { ++ spin_unlock_irqrestore(&hidg->read_spinlock, flags); ++ if (file->f_flags & O_NONBLOCK) ++ return -EAGAIN; ++ ++ if (wait_event_interruptible(hidg->read_queue, READ_COND_SSREPORT)) ++ return -ERESTARTSYS; ++ ++ spin_lock_irqsave(&hidg->read_spinlock, flags); ++ } ++ ++ count = min_t(unsigned int, count, hidg->set_report_length); ++ tmp_buf = hidg->set_report_buf; ++ hidg->set_report_buf = NULL; ++ ++ spin_unlock_irqrestore(&hidg->read_spinlock, flags); ++ ++ if (tmp_buf != NULL) { ++ count -= copy_to_user(buffer, tmp_buf, count); ++ kfree(tmp_buf); ++ } else { ++ count = -ENOMEM; ++ } ++ ++ wake_up(&hidg->read_queue); ++ ++ return count; ++} ++ ++static ssize_t f_hidg_read(struct file *file, char __user *buffer, ++ size_t count, loff_t *ptr) ++{ ++ struct f_hidg 
*hidg = file->private_data; ++ ++ if (hidg->use_out_ep) ++ return f_hidg_intout_read(file, buffer, count, ptr); ++ else ++ return f_hidg_ssreport_read(file, buffer, count, ptr); ++} ++ + static void f_hidg_req_complete(struct usb_ep *ep, struct usb_request *req) + { + struct f_hidg *hidg = (struct f_hidg *)ep->driver_data; +@@ -439,14 +528,20 @@ static __poll_t f_hidg_poll(struct file *file, poll_table *wait) + if (WRITE_COND) + ret |= EPOLLOUT | EPOLLWRNORM; + +- if (READ_COND) +- ret |= EPOLLIN | EPOLLRDNORM; ++ if (hidg->use_out_ep) { ++ if (READ_COND_INTOUT) ++ ret |= EPOLLIN | EPOLLRDNORM; ++ } else { ++ if (READ_COND_SSREPORT) ++ ret |= EPOLLIN | EPOLLRDNORM; ++ } + + return ret; + } + + #undef WRITE_COND +-#undef READ_COND ++#undef READ_COND_SSREPORT ++#undef READ_COND_INTOUT + + static int f_hidg_release(struct inode *inode, struct file *fd) + { +@@ -473,7 +568,7 @@ static inline struct usb_request *hidg_alloc_ep_req(struct usb_ep *ep, + return alloc_ep_req(ep, length); + } + +-static void hidg_set_report_complete(struct usb_ep *ep, struct usb_request *req) ++static void hidg_intout_complete(struct usb_ep *ep, struct usb_request *req) + { + struct f_hidg *hidg = (struct f_hidg *) req->context; + struct usb_composite_dev *cdev = hidg->func.config->cdev; +@@ -508,6 +603,37 @@ static void hidg_set_report_complete(struct usb_ep *ep, struct usb_request *req) + } + } + ++static void hidg_ssreport_complete(struct usb_ep *ep, struct usb_request *req) ++{ ++ struct f_hidg *hidg = (struct f_hidg *)req->context; ++ struct usb_composite_dev *cdev = hidg->func.config->cdev; ++ char *new_buf = NULL; ++ unsigned long flags; ++ ++ if (req->status != 0 || req->buf == NULL || req->actual == 0) { ++ ERROR(cdev, ++ "%s FAILED: status=%d, buf=%p, actual=%d\n", ++ __func__, req->status, req->buf, req->actual); ++ return; ++ } ++ ++ spin_lock_irqsave(&hidg->read_spinlock, flags); ++ ++ new_buf = krealloc(hidg->set_report_buf, req->actual, GFP_ATOMIC); ++ if (new_buf == NULL) { ++ 
spin_unlock_irqrestore(&hidg->read_spinlock, flags); ++ return; ++ } ++ hidg->set_report_buf = new_buf; ++ ++ hidg->set_report_length = req->actual; ++ memcpy(hidg->set_report_buf, req->buf, req->actual); ++ ++ spin_unlock_irqrestore(&hidg->read_spinlock, flags); ++ ++ wake_up(&hidg->read_queue); ++} ++ + static int hidg_setup(struct usb_function *f, + const struct usb_ctrlrequest *ctrl) + { +@@ -555,7 +681,11 @@ static int hidg_setup(struct usb_function *f, + case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8 + | HID_REQ_SET_REPORT): + VDBG(cdev, "set_report | wLength=%d\n", ctrl->wLength); +- goto stall; ++ if (hidg->use_out_ep) ++ goto stall; ++ req->complete = hidg_ssreport_complete; ++ req->context = hidg; ++ goto respond; + break; + + case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8 +@@ -643,15 +773,18 @@ static void hidg_disable(struct usb_function *f) + unsigned long flags; + + usb_ep_disable(hidg->in_ep); +- usb_ep_disable(hidg->out_ep); + +- spin_lock_irqsave(&hidg->read_spinlock, flags); +- list_for_each_entry_safe(list, next, &hidg->completed_out_req, list) { +- free_ep_req(hidg->out_ep, list->req); +- list_del(&list->list); +- kfree(list); ++ if (hidg->out_ep) { ++ usb_ep_disable(hidg->out_ep); ++ ++ spin_lock_irqsave(&hidg->read_spinlock, flags); ++ list_for_each_entry_safe(list, next, &hidg->completed_out_req, list) { ++ free_ep_req(hidg->out_ep, list->req); ++ list_del(&list->list); ++ kfree(list); ++ } ++ spin_unlock_irqrestore(&hidg->read_spinlock, flags); + } +- spin_unlock_irqrestore(&hidg->read_spinlock, flags); + + spin_lock_irqsave(&hidg->write_spinlock, flags); + if (!hidg->write_pending) { +@@ -697,8 +830,7 @@ static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt) + } + } + +- +- if (hidg->out_ep != NULL) { ++ if (hidg->use_out_ep && hidg->out_ep != NULL) { + /* restart endpoint */ + usb_ep_disable(hidg->out_ep); + +@@ -723,7 +855,7 @@ static int hidg_set_alt(struct usb_function *f, unsigned 
intf, unsigned alt) + hidg_alloc_ep_req(hidg->out_ep, + hidg->report_length); + if (req) { +- req->complete = hidg_set_report_complete; ++ req->complete = hidg_intout_complete; + req->context = hidg; + status = usb_ep_queue(hidg->out_ep, req, + GFP_ATOMIC); +@@ -749,7 +881,8 @@ static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt) + } + return 0; + disable_out_ep: +- usb_ep_disable(hidg->out_ep); ++ if (hidg->out_ep) ++ usb_ep_disable(hidg->out_ep); + free_req_in: + if (req_in) + free_ep_req(hidg->in_ep, req_in); +@@ -801,14 +934,21 @@ static int hidg_bind(struct usb_configuration *c, struct usb_function *f) + goto fail; + hidg->in_ep = ep; + +- ep = usb_ep_autoconfig(c->cdev->gadget, &hidg_fs_out_ep_desc); +- if (!ep) +- goto fail; +- hidg->out_ep = ep; ++ hidg->out_ep = NULL; ++ if (hidg->use_out_ep) { ++ ep = usb_ep_autoconfig(c->cdev->gadget, &hidg_fs_out_ep_desc); ++ if (!ep) ++ goto fail; ++ hidg->out_ep = ep; ++ } ++ ++ /* used only if use_out_ep == 1 */ ++ hidg->set_report_buf = NULL; + + /* set descriptor dynamic values */ + hidg_interface_desc.bInterfaceSubClass = hidg->bInterfaceSubClass; + hidg_interface_desc.bInterfaceProtocol = hidg->bInterfaceProtocol; ++ hidg_interface_desc.bNumEndpoints = hidg->use_out_ep ? 
2 : 1; + hidg->protocol = HID_REPORT_PROTOCOL; + hidg->idle = 1; + hidg_ss_in_ep_desc.wMaxPacketSize = cpu_to_le16(hidg->report_length); +@@ -839,9 +979,19 @@ static int hidg_bind(struct usb_configuration *c, struct usb_function *f) + hidg_ss_out_ep_desc.bEndpointAddress = + hidg_fs_out_ep_desc.bEndpointAddress; + +- status = usb_assign_descriptors(f, hidg_fs_descriptors, +- hidg_hs_descriptors, hidg_ss_descriptors, +- hidg_ss_descriptors); ++ if (hidg->use_out_ep) ++ status = usb_assign_descriptors(f, ++ hidg_fs_descriptors_intout, ++ hidg_hs_descriptors_intout, ++ hidg_ss_descriptors_intout, ++ hidg_ss_descriptors_intout); ++ else ++ status = usb_assign_descriptors(f, ++ hidg_fs_descriptors_ssreport, ++ hidg_hs_descriptors_ssreport, ++ hidg_ss_descriptors_ssreport, ++ hidg_ss_descriptors_ssreport); ++ + if (status) + goto fail; + +@@ -956,6 +1106,7 @@ CONFIGFS_ATTR(f_hid_opts_, name) + + F_HID_OPT(subclass, 8, 255); + F_HID_OPT(protocol, 8, 255); ++F_HID_OPT(no_out_endpoint, 8, 1); + F_HID_OPT(report_length, 16, 65535); + + static ssize_t f_hid_opts_report_desc_show(struct config_item *item, char *page) +@@ -1015,6 +1166,7 @@ CONFIGFS_ATTR_RO(f_hid_opts_, dev); + static struct configfs_attribute *hid_attrs[] = { + &f_hid_opts_attr_subclass, + &f_hid_opts_attr_protocol, ++ &f_hid_opts_attr_no_out_endpoint, + &f_hid_opts_attr_report_length, + &f_hid_opts_attr_report_desc, + &f_hid_opts_attr_dev, +@@ -1099,6 +1251,7 @@ static void hidg_free(struct usb_function *f) + hidg = func_to_hidg(f); + opts = container_of(f->fi, struct f_hid_opts, func_inst); + kfree(hidg->report_desc); ++ kfree(hidg->set_report_buf); + kfree(hidg); + mutex_lock(&opts->lock); + --opts->refcnt; +@@ -1145,6 +1298,7 @@ static struct usb_function *hidg_alloc(struct usb_function_instance *fi) + return ERR_PTR(-ENOMEM); + } + } ++ hidg->use_out_ep = !opts->no_out_endpoint; + + mutex_unlock(&opts->lock); + +diff --git a/drivers/usb/gadget/function/u_hid.h b/drivers/usb/gadget/function/u_hid.h +index 
1594bfa312eb..90d8b1c0f25f 100644 +--- a/drivers/usb/gadget/function/u_hid.h ++++ b/drivers/usb/gadget/function/u_hid.h +@@ -20,6 +20,7 @@ struct f_hid_opts { + int minor; + unsigned char subclass; + unsigned char protocol; ++ unsigned char no_out_endpoint; + unsigned short report_length; + unsigned short report_desc_length; + unsigned char *report_desc; +-- +2.35.1 + diff --git a/queue-5.4/usb-musb-remove-extra-check-in-musb_gadget_vbus_draw.patch b/queue-5.4/usb-musb-remove-extra-check-in-musb_gadget_vbus_draw.patch new file mode 100644 index 00000000000..bba626b6f6b --- /dev/null +++ b/queue-5.4/usb-musb-remove-extra-check-in-musb_gadget_vbus_draw.patch 
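Review bot: f_hidg_ssreport_read() in the SETUP/SET_REPORT patch reports a failed copy as a short or zero-length read: "count -= copy_to_user(buffer, tmp_buf, count);" never yields -EFAULT, and tmp_buf is freed either way, so userspace cannot tell a bad buffer from an empty report and the report is lost. Return -EFAULT when copy_to_user() leaves bytes uncopied. The "else count = -ENOMEM;" arm stores a negative errno in a size_t and looks unreachable, because tmp_buf is taken under read_spinlock only after READ_COND_SSREPORT holds.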
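Review bot: the comment added in hidg_bind() above "hidg->set_report_buf = NULL;" says "used only if use_out_ep == 1", but the struct f_hidg comment in the same patch documents set_report_buf as "setup set_report only (use_out_ep == 0)". The hidg_bind() comment should read use_out_ep == 0.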
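Review bot: hidg_ssreport_complete() drops the report silently when krealloc() fails, while the status/buf/actual check just above it logs through ERROR(); log the allocation failure too so that a lost SET_REPORT is visible. In hidg_setup(), the "break;" left after the new "goto respond;" in the HID_REQ_SET_REPORT case is unreachable and can go.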
@@ -0,0 +1,47 @@ +From bc9e726e9fc40480c8603c41cc132d6107e6747f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 20:21:15 +0200 +Subject: usb: musb: remove extra check in musb_gadget_vbus_draw + +From: Ivaylo Dimitrov + +[ Upstream commit ecec4b20d29c3d6922dafe7d2555254a454272d2 ] + +The checks for musb->xceiv and musb->xceiv->set_power duplicate those in +usb_phy_set_power(), so there is no need of them. Moreover, not calling +usb_phy_set_power() results in usb_phy_set_charger_current() not being +called, so current USB config max current is not propagated through USB +charger framework and charger drivers may try to draw more current than +allowed or possible. + +Fix that by removing those extra checks and calling usb_phy_set_power() +directly. + +Tested on Motorola Droid4 and Nokia N900 + +Fixes: a9081a008f84 ("usb: phy: Add USB charger support") +Cc: stable +Signed-off-by: Ivaylo Dimitrov +Link: https://lore.kernel.org/r/1669400475-4762-1-git-send-email-ivo.g.dimitrov.75@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/musb/musb_gadget.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c +index 8e83995fc3bd..b8fc818c154a 100644 +--- a/drivers/usb/musb/musb_gadget.c ++++ b/drivers/usb/musb/musb_gadget.c +@@ -1629,8 +1629,6 @@ static int musb_gadget_vbus_draw(struct usb_gadget *gadget, unsigned mA) + { + struct musb *musb = gadget_to_musb(gadget); + +- if (!musb->xceiv->set_power) +- return -EOPNOTSUPP; + return usb_phy_set_power(musb->xceiv, mA); + } + +-- +2.35.1 + diff --git a/queue-5.4/usb-roles-fix-of-node-refcount-leak-in-usb_role_swit.patch b/queue-5.4/usb-roles-fix-of-node-refcount-leak-in-usb_role_swit.patch new file mode 100644 index 00000000000..36f40755884 --- /dev/null +++ b/queue-5.4/usb-roles-fix-of-node-refcount-leak-in-usb_role_swit.patch 
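Review bot: removing the set_power check in musb_gadget_vbus_draw() changes what callers see when the PHY has no set_power callback: the old code returned -EOPNOTSUPP, the new code returns whatever usb_phy_set_power() returns for that case, and the commit message does not say what that is. State the new return value in the message. The message also speaks of checks for musb->xceiv and musb->xceiv->set_power, while this hunk removes only the set_power check; a short backport note would explain the difference.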
@@ -0,0 +1,51 @@ +From c2b0e746439d3071decf85741115129a39bfe279 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 19:12:26 +0800 +Subject: usb: roles: fix of node refcount leak in usb_role_switch_is_parent() + +From: Yang Yingliang + +[ Upstream commit 1ab30c610630da5391a373cddb8a065bf4c4bc01 ] + +I got the following report while doing device(mt6370-tcpc) load +test with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled: + + OF: ERROR: memory leak, expected refcount 1 instead of 2, + of_node_get()/of_node_put() unbalanced - destroy cset entry: + attach overlay node /i2c/pmic@34 + +The 'parent' returned by fwnode_get_parent() with refcount incremented. +it needs be put after using. + +Fixes: 6fadd72943b8 ("usb: roles: get usb-role-switch from parent") +Reviewed-by: Heikki Krogerus +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221122111226.251588-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/roles/class.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/roles/class.c b/drivers/usb/roles/class.c +index 97e3d75b19a3..873d89823f5b 100644 +--- a/drivers/usb/roles/class.c ++++ b/drivers/usb/roles/class.c +@@ -108,10 +108,13 @@ usb_role_switch_is_parent(struct fwnode_handle *fwnode) + struct fwnode_handle *parent = fwnode_get_parent(fwnode); + struct device *dev; + +- if (!parent || !fwnode_property_present(parent, "usb-role-switch")) ++ if (!fwnode_property_present(parent, "usb-role-switch")) { ++ fwnode_handle_put(parent); + return NULL; ++ } + + dev = class_find_device_by_fwnode(role_class, parent); ++ fwnode_handle_put(parent); + return dev ? to_role_switch(dev) : ERR_PTR(-EPROBE_DEFER); + } + +-- +2.35.1 + diff --git a/queue-5.4/usb-storage-add-check-for-kcalloc.patch b/queue-5.4/usb-storage-add-check-for-kcalloc.patch new file mode 100644 index 00000000000..bb98c434f8a --- /dev/null 
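Review bot: usb_role_switch_is_parent() no longer tests "!parent" before use, so a NULL return from fwnode_get_parent() now reaches both fwnode_property_present() and fwnode_handle_put(), and the commit message does not say that both accept NULL. Either keep an explicit "if (!parent) return NULL;" ahead of the property test, or note in the message that both helpers are NULL-safe in this tree.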
+++ b/queue-5.4/usb-storage-add-check-for-kcalloc.patch @@ -0,0 +1,39 @@ +From 92397206a12d4f24b660f41a5e585151f59bfcbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 19:00:58 +0800 +Subject: usb: storage: Add check for kcalloc + +From: Jiasheng Jiang + +[ Upstream commit c35ca10f53c51eeb610d3f8fbc6dd6d511b58a58 ] + +As kcalloc may return NULL pointer, the return value should +be checked and return error if fails as same as the ones in +alauda_read_map. + +Fixes: e80b0fade09e ("[PATCH] USB Storage: add alauda support") +Acked-by: Alan Stern +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20221208110058.12983-1-jiasheng@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/storage/alauda.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c +index ddab2cd3d2e7..de62421d9670 100644 +--- a/drivers/usb/storage/alauda.c ++++ b/drivers/usb/storage/alauda.c +@@ -438,6 +438,8 @@ static int alauda_init_media(struct us_data *us) + + MEDIA_INFO(us).blockshift + MEDIA_INFO(us).pageshift); + MEDIA_INFO(us).pba_to_lba = kcalloc(num_zones, sizeof(u16*), GFP_NOIO); + MEDIA_INFO(us).lba_to_pba = kcalloc(num_zones, sizeof(u16*), GFP_NOIO); ++ if (MEDIA_INFO(us).pba_to_lba == NULL || MEDIA_INFO(us).lba_to_pba == NULL) ++ return USB_STOR_TRANSPORT_ERROR; + + if (alauda_reset_media(us) != USB_STOR_XFER_GOOD) + return USB_STOR_TRANSPORT_ERROR; +-- +2.35.1 + diff --git a/queue-5.4/usb-typec-check-for-ops-exit-instead-of-ops-enter-in.patch b/queue-5.4/usb-typec-check-for-ops-exit-instead-of-ops-enter-in.patch new file mode 100644 index 00000000000..61fd93c5a5a --- /dev/null +++ b/queue-5.4/usb-typec-check-for-ops-exit-instead-of-ops-enter-in.patch 
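Review bot: in alauda_init_media(), when only one of the two kcalloc() calls fails, the new early return leaves the other array allocated and still stored in MEDIA_INFO(us), and the hunk does not show who frees it. Either kfree() both pointers before returning (kfree(NULL) is a no-op) or confirm that the media teardown path frees them and tolerates one of them being NULL.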
@@ -0,0 +1,39 @@ +From c8b80d3af32e58b9f943389e2e5a977d70611dab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 17:59:24 +0100 +Subject: usb: typec: Check for ops->exit instead of ops->enter in altmode_exit + +From: Sven Peter + +[ Upstream commit b6ddd180e3d9f92c1e482b3cdeec7dda086b1341 ] + +typec_altmode_exit checks if ops->enter is not NULL but then calls +ops->exit a few lines below. Fix that and check for the function +pointer it's about to call instead. + +Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes") +Signed-off-by: Sven Peter +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20221114165924.33487-1-sven@svenpeter.dev +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/typec/bus.c b/drivers/usb/typec/bus.c +index c950171556d8..0369ad92a1c8 100644 +--- a/drivers/usb/typec/bus.c ++++ b/drivers/usb/typec/bus.c +@@ -126,7 +126,7 @@ int typec_altmode_exit(struct typec_altmode *adev) + if (!adev || !adev->active) + return 0; + +- if (!pdev->ops || !pdev->ops->enter) ++ if (!pdev->ops || !pdev->ops->exit) + return -EOPNOTSUPP; + + /* Moving to USB Safe State */ +-- +2.35.1 + diff --git a/queue-5.4/usb-typec-tcpci-fix-of-node-refcount-leak-in-tcpci_r.patch b/queue-5.4/usb-typec-tcpci-fix-of-node-refcount-leak-in-tcpci_r.patch new file mode 100644 index 00000000000..f8b61fdcefb --- /dev/null +++ b/queue-5.4/usb-typec-tcpci-fix-of-node-refcount-leak-in-tcpci_r.patch 
@@ -0,0 +1,60 @@ +From 787b0961c9e314bc47e30f5bdd71ebba57335376 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 14:24:16 +0800 +Subject: usb: typec: tcpci: fix of node refcount leak in tcpci_register_port() + +From: Yang Yingliang + +[ Upstream commit 0384e87e3fec735e47f1c133c796f32ef7a72a9b ] + +I got the following report while doing device(mt6370-tcpc) load +test with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled: + + OF: ERROR: memory leak, expected refcount 1 instead of 2, + of_node_get()/of_node_put() unbalanced - destroy cset entry: + attach overlay node /i2c/pmic@34/tcpc/connector + +The 'fwnode' set in tcpci_parse_config() which is called +in tcpci_register_port(), its node refcount is increased +in device_get_named_child_node(). It needs be put while +exiting, so call fwnode_handle_put() in the error path of +tcpci_register_port() and in tcpci_unregister_port() to +avoid leak. + +Fixes: 5e85a04c8c0d ("usb: typec: add fwnode to tcpc") +Signed-off-by: Yang Yingliang +Acked-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20221121062416.1026192-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/tcpm/tcpci.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/typec/tcpm/tcpci.c b/drivers/usb/typec/tcpm/tcpci.c +index 6caed68ce1be..84b23ae48aee 100644 +--- a/drivers/usb/typec/tcpm/tcpci.c ++++ b/drivers/usb/typec/tcpm/tcpci.c +@@ -551,8 +551,10 @@ struct tcpci *tcpci_register_port(struct device *dev, struct tcpci_data *data) + return ERR_PTR(err); + + tcpci->port = tcpm_register_port(tcpci->dev, &tcpci->tcpc); +- if (IS_ERR(tcpci->port)) ++ if (IS_ERR(tcpci->port)) { ++ fwnode_handle_put(tcpci->tcpc.fwnode); + return ERR_CAST(tcpci->port); ++ } + + return tcpci; + } +@@ -561,6 +563,7 @@ EXPORT_SYMBOL_GPL(tcpci_register_port); + void tcpci_unregister_port(struct tcpci *tcpci) + { + tcpm_unregister_port(tcpci->port); ++ 
fwnode_handle_put(tcpci->tcpc.fwnode); + } + EXPORT_SYMBOL_GPL(tcpci_unregister_port); + +-- +2.35.1 + diff --git a/queue-5.4/vfio-platform-do-not-pass-return-buffer-to-acpi-_rst.patch b/queue-5.4/vfio-platform-do-not-pass-return-buffer-to-acpi-_rst.patch new file mode 100644 index 00000000000..582fdd30f87 --- /dev/null +++ b/queue-5.4/vfio-platform-do-not-pass-return-buffer-to-acpi-_rst.patch 
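Review bot: In tcpci_register_port() (drivers/usb/typec/tcpm/tcpci.c), the `return ERR_PTR(err);` directly above the changed lines is left without a fwnode_handle_put(), while the commit message says the reference is taken in tcpci_parse_config(), which runs earlier in the same function. Please confirm that this earlier return cannot be reached with tcpci->tcpc.fwnode already held. If it can, it needs the same put as the new `if (IS_ERR(tcpci->port)) {` branch, and a single error label would keep the two paths from drifting apart.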
@@ -0,0 +1,43 @@ +From 076084a58fd13e0c264d47c93a9410a97fcdcd00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 12:28:25 -0300 +Subject: vfio: platform: Do not pass return buffer to ACPI _RST method + +From: Rafael Mendonca + +[ Upstream commit e67e070632a665c932d534b8b800477bb3111449 ] + +The ACPI _RST method has no return value, there's no need to pass a return +buffer to acpi_evaluate_object(). + +Fixes: d30daa33ec1d ("vfio: platform: call _RST method when using ACPI") +Signed-off-by: Rafael Mendonca +Reviewed-by: Eric Auger +Link: https://lore.kernel.org/r/20221018152825.891032-1-rafaelmendsr@gmail.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/platform/vfio_platform_common.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/vfio/platform/vfio_platform_common.c b/drivers/vfio/platform/vfio_platform_common.c +index 6f727034679f..46a72fe39719 100644 +--- a/drivers/vfio/platform/vfio_platform_common.c ++++ b/drivers/vfio/platform/vfio_platform_common.c +@@ -72,12 +72,11 @@ static int vfio_platform_acpi_call_reset(struct vfio_platform_device *vdev, + const char **extra_dbg) + { + #ifdef CONFIG_ACPI +- struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL }; + struct device *dev = vdev->device; + acpi_handle handle = ACPI_HANDLE(dev); + acpi_status acpi_ret; + +- acpi_ret = acpi_evaluate_object(handle, "_RST", NULL, &buffer); ++ acpi_ret = acpi_evaluate_object(handle, "_RST", NULL, NULL); + if (ACPI_FAILURE(acpi_ret)) { + if (extra_dbg) + *extra_dbg = acpi_format_exception(acpi_ret); +-- +2.35.1 + diff --git a/queue-5.4/vme-fix-error-not-catched-in-fake_init.patch b/queue-5.4/vme-fix-error-not-catched-in-fake_init.patch new file mode 100644 index 00000000000..a9045ecd958 --- /dev/null +++ b/queue-5.4/vme-fix-error-not-catched-in-fake_init.patch 
@@ -0,0 +1,49 @@ +From b89aac5a873713d78159f8bfe2d82c794faef2a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 16:48:05 +0800 +Subject: vme: Fix error not catched in fake_init() + +From: Chen Zhongjin + +[ Upstream commit 7bef797d707f1744f71156b21d41e3b8c946631f ] + +In fake_init(), __root_device_register() is possible to fail but it's +ignored, which can cause unregistering vme_root fail when exit. + + general protection fault, + probably for non-canonical address 0xdffffc000000008c + KASAN: null-ptr-deref in range [0x0000000000000460-0x0000000000000467] + RIP: 0010:root_device_unregister+0x26/0x60 + Call Trace: + + __x64_sys_delete_module+0x34f/0x540 + do_syscall_64+0x38/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Return error when __root_device_register() fails. + +Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver") +Signed-off-by: Chen Zhongjin +Link: https://lore.kernel.org/r/20221205084805.147436-1-chenzhongjin@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/vme/bridges/vme_fake.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/vme/bridges/vme_fake.c b/drivers/vme/bridges/vme_fake.c +index 6a1bc284f297..eae78366eb02 100644 +--- a/drivers/vme/bridges/vme_fake.c ++++ b/drivers/vme/bridges/vme_fake.c +@@ -1073,6 +1073,8 @@ static int __init fake_init(void) + + /* We need a fake parent device */ + vme_root = __root_device_register("vme", THIS_MODULE); ++ if (IS_ERR(vme_root)) ++ return PTR_ERR(vme_root); + + /* If we want to support more than one bridge at some point, we need to + * dynamically allocate this so we get one per device. +-- +2.35.1 + diff --git a/queue-5.4/wifi-ar5523-fix-use-after-free-on-ar5523_cmd-timed-o.patch b/queue-5.4/wifi-ar5523-fix-use-after-free-on-ar5523_cmd-timed-o.patch new file mode 100644 index 00000000000..53b9567a0d1 --- /dev/null +++ b/queue-5.4/wifi-ar5523-fix-use-after-free-on-ar5523_cmd-timed-o.patch 
@@ -0,0 +1,110 @@ +From 87d47edb241a57dfacc882f12721228ed7132e3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Oct 2022 03:32:23 +0900 +Subject: wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out + +From: Shigeru Yoshida + +[ Upstream commit b6702a942a069c2a975478d719e98d83cdae1797 ] + +syzkaller reported use-after-free with the stack trace like below [1]: + +[ 38.960489][ C3] ================================================================== +[ 38.963216][ C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240 +[ 38.964950][ C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0 +[ 38.966363][ C3] +[ 38.967053][ C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18 +[ 38.968464][ C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014 +[ 38.969959][ C3] Call Trace: +[ 38.970841][ C3] +[ 38.971663][ C3] dump_stack_lvl+0xfc/0x174 +[ 38.972620][ C3] print_report.cold+0x2c3/0x752 +[ 38.973626][ C3] ? ar5523_cmd_tx_cb+0x220/0x240 +[ 38.974644][ C3] kasan_report+0xb1/0x1d0 +[ 38.975720][ C3] ? ar5523_cmd_tx_cb+0x220/0x240 +[ 38.976831][ C3] ar5523_cmd_tx_cb+0x220/0x240 +[ 38.978412][ C3] __usb_hcd_giveback_urb+0x353/0x5b0 +[ 38.979755][ C3] usb_hcd_giveback_urb+0x385/0x430 +[ 38.981266][ C3] dummy_timer+0x140c/0x34e0 +[ 38.982925][ C3] ? notifier_call_chain+0xb5/0x1e0 +[ 38.984761][ C3] ? rcu_read_lock_sched_held+0xb/0x60 +[ 38.986242][ C3] ? lock_release+0x51c/0x790 +[ 38.987323][ C3] ? _raw_read_unlock_irqrestore+0x37/0x70 +[ 38.988483][ C3] ? __wake_up_common_lock+0xde/0x130 +[ 38.989621][ C3] ? reacquire_held_locks+0x4a0/0x4a0 +[ 38.990777][ C3] ? lock_acquire+0x472/0x550 +[ 38.991919][ C3] ? rcu_read_lock_sched_held+0xb/0x60 +[ 38.993138][ C3] ? lock_acquire+0x472/0x550 +[ 38.994890][ C3] ? dummy_urb_enqueue+0x860/0x860 +[ 38.996266][ C3] ? do_raw_spin_unlock+0x16f/0x230 +[ 38.997670][ C3] ? 
dummy_urb_enqueue+0x860/0x860 +[ 38.999116][ C3] call_timer_fn+0x1a0/0x6a0 +[ 39.000668][ C3] ? add_timer_on+0x4a0/0x4a0 +[ 39.002137][ C3] ? reacquire_held_locks+0x4a0/0x4a0 +[ 39.003809][ C3] ? __next_timer_interrupt+0x226/0x2a0 +[ 39.005509][ C3] __run_timers.part.0+0x69a/0xac0 +[ 39.007025][ C3] ? dummy_urb_enqueue+0x860/0x860 +[ 39.008716][ C3] ? call_timer_fn+0x6a0/0x6a0 +[ 39.010254][ C3] ? cpuacct_percpu_seq_show+0x10/0x10 +[ 39.011795][ C3] ? kvm_sched_clock_read+0x14/0x40 +[ 39.013277][ C3] ? sched_clock_cpu+0x69/0x2b0 +[ 39.014724][ C3] run_timer_softirq+0xb6/0x1d0 +[ 39.016196][ C3] __do_softirq+0x1d2/0x9be +[ 39.017616][ C3] __irq_exit_rcu+0xeb/0x190 +[ 39.019004][ C3] irq_exit_rcu+0x5/0x20 +[ 39.020361][ C3] sysvec_apic_timer_interrupt+0x8f/0xb0 +[ 39.021965][ C3] +[ 39.023237][ C3] + +In ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below +(there are other functions which finally call ar5523_cmd()): + +ar5523_probe() +-> ar5523_host_available() + -> ar5523_cmd_read() + -> ar5523_cmd() + +If ar5523_cmd() timed out, then ar5523_host_available() failed and +ar5523_probe() freed the device structure. So, ar5523_cmd_tx_cb() +might touch the freed structure. + +This patch fixes this issue by canceling in-flight tx cmd if submitted +urb timed out. 
+ +Link: https://syzkaller.appspot.com/bug?id=9e12b2d54300842b71bdd18b54971385ff0d0d3a [1] +Reported-by: syzbot+95001b1fd6dfcc716c29@syzkaller.appspotmail.com +Signed-off-by: Shigeru Yoshida +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221009183223.420015-1-syoshida@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ar5523/ar5523.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c +index 58e189ec672f..5d3cf354f6cb 100644 +--- a/drivers/net/wireless/ath/ar5523/ar5523.c ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c +@@ -241,6 +241,11 @@ static void ar5523_cmd_tx_cb(struct urb *urb) + } + } + ++static void ar5523_cancel_tx_cmd(struct ar5523 *ar) ++{ ++ usb_kill_urb(ar->tx_cmd.urb_tx); ++} ++ + static int ar5523_cmd(struct ar5523 *ar, u32 code, const void *idata, + int ilen, void *odata, int olen, int flags) + { +@@ -280,6 +285,7 @@ static int ar5523_cmd(struct ar5523 *ar, u32 code, const void *idata, + } + + if (!wait_for_completion_timeout(&cmd->done, 2 * HZ)) { ++ ar5523_cancel_tx_cmd(ar); + cmd->odata = NULL; + ar5523_err(ar, "timeout waiting for command %02x reply\n", + code); +-- +2.35.1 + diff --git a/queue-5.4/wifi-ath10k-fix-return-value-in-ath10k_pci_init.patch b/queue-5.4/wifi-ath10k-fix-return-value-in-ath10k_pci_init.patch new file mode 100644 index 00000000000..8dfa00ae21e --- /dev/null +++ b/queue-5.4/wifi-ath10k-fix-return-value-in-ath10k_pci_init.patch 
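Review bot: In the timeout branch of ar5523_cmd() (drivers/net/wireless/ath/ar5523/ar5523.c), the fix depends on ar5523_cancel_tx_cmd() running before `cmd->odata = NULL;`, and nothing in the code records that ordering. usb_kill_urb() waits for the completion handler to finish, so once it returns ar5523_cmd_tx_cb() can no longer touch the command state; a one-line comment saying so would keep a later cleanup from reordering the two statements. The new ar5523_cancel_tx_cmd() wrapper has a single caller in this patch, so calling usb_kill_urb(ar->tx_cmd.urb_tx) directly at the timeout site would also be acceptable.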
@@ -0,0 +1,63 @@ +From a1a96ec4d51f499778317167f90f1cb49fc6f44c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 14:19:26 +0800 +Subject: wifi: ath10k: Fix return value in ath10k_pci_init() + +From: Xiu Jianfeng + +[ Upstream commit 2af7749047d8d6ad43feff69f555a13a6a6c2831 ] + +This driver is attempting to register to support two different buses. +if either of these is successful then ath10k_pci_init() should return 0 +so that hardware attached to the successful bus can be probed and +supported. only if both of these are unsuccessful should ath10k_pci_init() +return an errno. + +Fixes: 0b523ced9a3c ("ath10k: add basic skeleton to support ahb") +Signed-off-by: Xiu Jianfeng +Reviewed-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221110061926.18163-1-xiujianfeng@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/pci.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c +index 0f055e577749..c28328c96307 100644 +--- a/drivers/net/wireless/ath/ath10k/pci.c ++++ b/drivers/net/wireless/ath/ath10k/pci.c +@@ -3769,18 +3769,22 @@ static struct pci_driver ath10k_pci_driver = { + + static int __init ath10k_pci_init(void) + { +- int ret; ++ int ret1, ret2; + +- ret = pci_register_driver(&ath10k_pci_driver); +- if (ret) ++ ret1 = pci_register_driver(&ath10k_pci_driver); ++ if (ret1) + printk(KERN_ERR "failed to register ath10k pci driver: %d\n", +- ret); ++ ret1); + +- ret = ath10k_ahb_init(); +- if (ret) +- printk(KERN_ERR "ahb init failed: %d\n", ret); ++ ret2 = ath10k_ahb_init(); ++ if (ret2) ++ printk(KERN_ERR "ahb init failed: %d\n", ret2); + +- return ret; ++ if (ret1 && ret2) ++ return ret1; ++ ++ /* registered to at least one bus */ ++ return 0; + } + module_init(ath10k_pci_init); + +-- +2.35.1 + 
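Review bot: In ath10k_pci_init() (drivers/net/wireless/ath/ath10k/pci.c), the function now returns 0 when only one of pci_register_driver() and ath10k_ahb_init() succeeds, but the module exit path is not part of this hunk, so it is not visible whether it tolerates tearing down a bus that never registered. Please confirm that, or track which registration succeeded and unregister only that one. When both fail, `return ret1;` silently drops ret2; that is fine since both are logged, but the comment could say that the PCI error is the one reported. The two printk(KERN_ERR ...) calls touched here could become pr_err() while the lines are being changed anyway.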
diff --git a/queue-5.4/wifi-ath9k-hif_usb-fix-memory-leak-of-urbs-in-ath9k_.patch b/queue-5.4/wifi-ath9k-hif_usb-fix-memory-leak-of-urbs-in-ath9k_.patch new file mode 100644 index 00000000000..5403d35a766 --- /dev/null +++ b/queue-5.4/wifi-ath9k-hif_usb-fix-memory-leak-of-urbs-in-ath9k_.patch 
@@ -0,0 +1,61 @@ +From 2ceb82afcd225ff1fa6d38801e13d578abfd78ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 18:13:59 +0300 +Subject: wifi: ath9k: hif_usb: fix memory leak of urbs in + ath9k_hif_usb_dealloc_tx_urbs() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit c2a94de38c74e86f49124ac14f093d6a5c377a90 ] + +Syzkaller reports a long-known leak of urbs in +ath9k_hif_usb_dealloc_tx_urbs(). + +The cause of the leak is that usb_get_urb() is called but usb_free_urb() +(or usb_put_urb()) is not called inside usb_kill_urb() as urb->dev or +urb->ep fields have not been initialized and usb_kill_urb() returns +immediately. + +The patch removes trying to kill urbs located in hif_dev->tx.tx_buf +because hif_dev->tx.tx_buf is not supposed to contain urbs which are in +pending state (the pending urbs are stored in hif_dev->tx.tx_pending). +The tx.tx_lock is acquired so there should not be any changes in the list. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 
+ +Fixes: 03fb92a432ea ("ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs()") +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220725151359.283704-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index c8c7afe0e343..4290753a2002 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -781,14 +781,10 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev) + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + list_for_each_entry_safe(tx_buf, tx_buf_tmp, + &hif_dev->tx.tx_buf, list) { +- usb_get_urb(tx_buf->urb); +- spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); +- usb_kill_urb(tx_buf->urb); + list_del(&tx_buf->list); + usb_free_urb(tx_buf->urb); + kfree(tx_buf->buf); + kfree(tx_buf); +- spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + } + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + +-- +2.35.1 + diff --git a/queue-5.4/wifi-ath9k-hif_usb-fix-use-after-free-in-ath9k_hif_u.patch b/queue-5.4/wifi-ath9k-hif_usb-fix-use-after-free-in-ath9k_hif_u.patch new file mode 100644 index 00000000000..1205baa1b26 --- /dev/null +++ b/queue-5.4/wifi-ath9k-hif_usb-fix-use-after-free-in-ath9k_hif_u.patch 
@@ -0,0 +1,118 @@ +From a438ab899629b5f90df6ea6cedd80174a46f8958 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Oct 2022 14:49:17 +0300 +Subject: wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit dd95f2239fc846795fc926787c3ae0ca701c9840 ] + +It is possible that skb is freed in ath9k_htc_rx_msg(), then +usb_submit_urb() fails and we try to free skb again. It causes +use-after-free bug. Moreover, if alloc_skb() fails, urb->context becomes +NULL but rx_buf is not freed and there can be a memory leak. + +The patch removes unnecessary nskb and makes skb processing more clear: it +is supposed that ath9k_htc_rx_msg() either frees old skb or passes its +managing to another callback function. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 3deff76095c4 ("ath9k_htc: Increase URB count for REG_IN pipe") +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221008114917.21404-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 28 +++++++++++++----------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index 4290753a2002..d872459c51cc 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -709,14 +709,13 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb) + struct rx_buf *rx_buf = (struct rx_buf *)urb->context; + struct hif_device_usb *hif_dev = rx_buf->hif_dev; + struct sk_buff *skb = rx_buf->skb; +- struct sk_buff *nskb; + int ret; + + if (!skb) + return; + + if (!hif_dev) +- goto free; ++ goto free_skb; + + switch (urb->status) { + case 0: +@@ -725,7 +724,7 @@ 
static void ath9k_hif_usb_reg_in_cb(struct urb *urb) + case -ECONNRESET: + case -ENODEV: + case -ESHUTDOWN: +- goto free; ++ goto free_skb; + default: + skb_reset_tail_pointer(skb); + skb_trim(skb, 0); +@@ -736,25 +735,27 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb) + if (likely(urb->actual_length != 0)) { + skb_put(skb, urb->actual_length); + +- /* Process the command first */ ++ /* ++ * Process the command first. ++ * skb is either freed here or passed to be ++ * managed to another callback function. ++ */ + ath9k_htc_rx_msg(hif_dev->htc_handle, skb, + skb->len, USB_REG_IN_PIPE); + +- +- nskb = alloc_skb(MAX_REG_IN_BUF_SIZE, GFP_ATOMIC); +- if (!nskb) { ++ skb = alloc_skb(MAX_REG_IN_BUF_SIZE, GFP_ATOMIC); ++ if (!skb) { + dev_err(&hif_dev->udev->dev, + "ath9k_htc: REG_IN memory allocation failure\n"); +- urb->context = NULL; +- return; ++ goto free_rx_buf; + } + +- rx_buf->skb = nskb; ++ rx_buf->skb = skb; + + usb_fill_int_urb(urb, hif_dev->udev, + usb_rcvintpipe(hif_dev->udev, + USB_REG_IN_PIPE), +- nskb->data, MAX_REG_IN_BUF_SIZE, ++ skb->data, MAX_REG_IN_BUF_SIZE, + ath9k_hif_usb_reg_in_cb, rx_buf, 1); + } + +@@ -763,12 +764,13 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb) + ret = usb_submit_urb(urb, GFP_ATOMIC); + if (ret) { + usb_unanchor_urb(urb); +- goto free; ++ goto free_skb; + } + + return; +-free: ++free_skb: + kfree_skb(skb); ++free_rx_buf: + kfree(rx_buf); + urb->context = NULL; + } +-- +2.35.1 + diff --git a/queue-5.4/wifi-ath9k-verify-the-expected-usb_endpoints-are-pre.patch b/queue-5.4/wifi-ath9k-verify-the-expected-usb_endpoints-are-pre.patch new file mode 100644 index 00000000000..209429476d0 --- /dev/null +++ b/queue-5.4/wifi-ath9k-verify-the-expected-usb_endpoints-are-pre.patch 
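Review bot: In ath9k_hif_usb_reg_in_cb() (drivers/net/wireless/ath/ath9k/hif_usb.c), the early `if (!skb) return;` at the top is left unchanged and still returns without freeing rx_buf or clearing urb->context. With the new flow, an allocation failure goes to free_rx_buf, so rx_buf->skb should no longer be left NULL by this function; either that check is now dead and can go, or it should `goto free_rx_buf` so the path is consistent with the rest of the patch. The new comment "passed to be managed to another callback function" is hard to read; something like "skb is either freed here or ownership passes to another callback" states the contract the rest of the function relies on.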
@@ -0,0 +1,80 @@ +From 250cee001a84377d24e3db8a755adfa4d966c1ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Oct 2022 00:15:32 +0300 +Subject: wifi: ath9k: verify the expected usb_endpoints are present +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit 16ef02bad239f11f322df8425d302be62f0443ce ] + +The bug arises when a USB device claims to be an ATH9K but doesn't +have the expected endpoints. (In this case there was an interrupt +endpoint where the driver expected a bulk endpoint.) The kernel +needs to be able to handle such devices without getting an internal error. + +usb 1-1: BOGUS urb xfer, pipe 3 != type 1 +WARNING: CPU: 3 PID: 500 at drivers/usb/core/urb.c:493 usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493 +Modules linked in: +CPU: 3 PID: 500 Comm: kworker/3:2 Not tainted 5.10.135-syzkaller #0 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +Workqueue: events request_firmware_work_func +RIP: 0010:usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493 +Call Trace: + ath9k_hif_usb_alloc_rx_urbs drivers/net/wireless/ath/ath9k/hif_usb.c:908 [inline] + ath9k_hif_usb_alloc_urbs+0x75e/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:1019 + ath9k_hif_usb_dev_init drivers/net/wireless/ath/ath9k/hif_usb.c:1109 [inline] + ath9k_hif_usb_firmware_cb+0x142/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1242 + request_firmware_work_func+0x12e/0x240 drivers/base/firmware_loader/main.c:1097 + process_one_work+0x9af/0x1600 kernel/workqueue.c:2279 + worker_thread+0x61d/0x12f0 kernel/workqueue.c:2425 + kthread+0x3b4/0x4a0 kernel/kthread.c:313 + ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:299 + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 
+ +Suggested-by: Alan Stern +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221008211532.74583-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index d872459c51cc..8a18a33b5b59 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -1328,10 +1328,24 @@ static int send_eject_command(struct usb_interface *interface) + static int ath9k_hif_usb_probe(struct usb_interface *interface, + const struct usb_device_id *id) + { ++ struct usb_endpoint_descriptor *bulk_in, *bulk_out, *int_in, *int_out; + struct usb_device *udev = interface_to_usbdev(interface); ++ struct usb_host_interface *alt; + struct hif_device_usb *hif_dev; + int ret = 0; + ++ /* Verify the expected endpoints are present */ ++ alt = interface->cur_altsetting; ++ if (usb_find_common_endpoints(alt, &bulk_in, &bulk_out, &int_in, &int_out) < 0 || ++ usb_endpoint_num(bulk_in) != USB_WLAN_RX_PIPE || ++ usb_endpoint_num(bulk_out) != USB_WLAN_TX_PIPE || ++ usb_endpoint_num(int_in) != USB_REG_IN_PIPE || ++ usb_endpoint_num(int_out) != USB_REG_OUT_PIPE) { ++ dev_err(&udev->dev, ++ "ath9k_htc: Device endpoint numbers are not the expected ones\n"); ++ return -ENODEV; ++ } ++ + if (id->driver_info == STORAGE_DEVICE) + return send_eject_command(interface); + +-- +2.35.1 + diff --git a/queue-5.4/wifi-brcmfmac-fix-error-return-code-in-brcmf_sdio_do.patch b/queue-5.4/wifi-brcmfmac-fix-error-return-code-in-brcmf_sdio_do.patch new file mode 100644 index 00000000000..3ccfa52eb2a --- /dev/null +++ b/queue-5.4/wifi-brcmfmac-fix-error-return-code-in-brcmf_sdio_do.patch 
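Review bot: In ath9k_hif_usb_probe() (drivers/net/wireless/ath/ath9k/hif_usb.c), the new endpoint check is placed before the existing `if (id->driver_info == STORAGE_DEVICE) return send_eject_command(interface);` branch, so a device that enumerates in storage mode is now rejected with -ENODEV unless it exposes the same four WLAN endpoints. Please confirm that storage-mode devices do present USB_WLAN_RX_PIPE, USB_WLAN_TX_PIPE, USB_REG_IN_PIPE and USB_REG_OUT_PIPE, or move the check below the STORAGE_DEVICE branch so that only the WLAN path is validated. The commit message should also say which of the two was intended.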
@@ -0,0 +1,53 @@ +From a51706767e0ae4f3ccae4d6e85e242072b918aa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 13:35:42 +0800 +Subject: wifi: brcmfmac: Fix error return code in + brcmf_sdio_download_firmware() + +From: Wang Yufen + +[ Upstream commit c2f2924bc7f9ea75ef8d95863e710168f8196256 ] + +Fix to return a negative error code instead of 0 when +brcmf_chip_set_active() fails. In addition, change the return +value for brcmf_pcie_exit_download_state() to keep consistent. + +Fixes: d380ebc9b6fb ("brcmfmac: rename chip download functions") +Signed-off-by: Wang Yufen +Reviewed-by: Arend van Spriel +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1669959342-27144-1-git-send-email-wangyufen@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 2 +- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +index b5d2e5b9f67c..c3ea31ca857a 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +@@ -616,7 +616,7 @@ static int brcmf_pcie_exit_download_state(struct brcmf_pciedev_info *devinfo, + } + + if (!brcmf_chip_set_active(devinfo->ci, resetintr)) +- return -EINVAL; ++ return -EIO; + return 0; + } + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +index ddc999670484..5874f56c12da 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -3367,6 +3367,7 @@ static int brcmf_sdio_download_firmware(struct brcmf_sdio *bus, + /* Take arm out of reset */ + if (!brcmf_chip_set_active(bus->ci, rstvec)) { + brcmf_err("error getting out of ARM core reset\n"); ++ bcmerror = -EIO; + 
goto err; + } + +-- +2.35.1 + diff --git a/queue-5.4/wifi-brcmfmac-fix-potential-shift-out-of-bounds-in-b.patch b/queue-5.4/wifi-brcmfmac-fix-potential-shift-out-of-bounds-in-b.patch new file mode 100644 index 00000000000..9fc2afd00ae --- /dev/null +++ b/queue-5.4/wifi-brcmfmac-fix-potential-shift-out-of-bounds-in-b.patch 
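Review bot: The pcie.c hunk in brcmf_pcie_exit_download_state() changes an existing `return -EINVAL;` to `return -EIO;`, which is a behaviour change separate from the bug being fixed (the SDIO path returning 0 on failure). Please confirm that no caller of brcmf_pcie_exit_download_state() tests for -EINVAL specifically, or split the PCIe change into its own patch so a stable backport carries only the fix. The sdio.c hunk itself looks right: `bcmerror = -EIO;` is set inside the failure branch before `goto err;`.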
@@ -0,0 +1,149 @@ +From 4d3feeb6eed05eaf6d24f5d3203b8df44061c99f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Oct 2022 16:13:29 +0900 +Subject: wifi: brcmfmac: Fix potential shift-out-of-bounds in + brcmf_fw_alloc_request() + +From: Minsuk Kang + +[ Upstream commit 81d17f6f3331f03c8eafdacea68ab773426c1e3c ] + +This patch fixes a shift-out-of-bounds in brcmfmac that occurs in +BIT(chiprev) when a 'chiprev' provided by the device is too large. +It should also not be equal to or greater than BITS_PER_TYPE(u32) +as we do bitwise AND with a u32 variable and BIT(chiprev). The patch +adds a check that makes the function return NULL if that is the case. +Note that the NULL case is later handled by the bus-specific caller, +brcmf_usb_probe_cb() or brcmf_usb_reset_resume(), for example. + +Found by a modified version of syzkaller. + +UBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c +shift exponent 151055786 is too large for 64-bit type 'long unsigned int' +CPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +Workqueue: usb_hub_wq hub_event +Call Trace: + dump_stack_lvl+0x57/0x7d + ubsan_epilogue+0x5/0x40 + __ubsan_handle_shift_out_of_bounds.cold+0x53/0xdb + ? lock_chain_count+0x20/0x20 + brcmf_fw_alloc_request.cold+0x19/0x3ea + ? brcmf_fw_get_firmwares+0x250/0x250 + ? brcmf_usb_ioctl_resp_wait+0x1a7/0x1f0 + brcmf_usb_get_fwname+0x114/0x1a0 + ? brcmf_usb_reset_resume+0x120/0x120 + ? number+0x6c4/0x9a0 + brcmf_c_process_clm_blob+0x168/0x590 + ? put_dec+0x90/0x90 + ? enable_ptr_key_workfn+0x20/0x20 + ? brcmf_common_pd_remove+0x50/0x50 + ? rcu_read_lock_sched_held+0xa1/0xd0 + brcmf_c_preinit_dcmds+0x673/0xc40 + ? brcmf_c_set_joinpref_default+0x100/0x100 + ? rcu_read_lock_sched_held+0xa1/0xd0 + ? rcu_read_lock_bh_held+0xb0/0xb0 + ? lock_acquire+0x19d/0x4e0 + ? find_held_lock+0x2d/0x110 + ? 
brcmf_usb_deq+0x1cc/0x260 + ? mark_held_locks+0x9f/0xe0 + ? lockdep_hardirqs_on_prepare+0x273/0x3e0 + ? _raw_spin_unlock_irqrestore+0x47/0x50 + ? trace_hardirqs_on+0x1c/0x120 + ? brcmf_usb_deq+0x1a7/0x260 + ? brcmf_usb_rx_fill_all+0x5a/0xf0 + brcmf_attach+0x246/0xd40 + ? wiphy_new_nm+0x1476/0x1d50 + ? kmemdup+0x30/0x40 + brcmf_usb_probe+0x12de/0x1690 + ? brcmf_usbdev_qinit.constprop.0+0x470/0x470 + usb_probe_interface+0x25f/0x710 + really_probe+0x1be/0xa90 + __driver_probe_device+0x2ab/0x460 + ? usb_match_id.part.0+0x88/0xc0 + driver_probe_device+0x49/0x120 + __device_attach_driver+0x18a/0x250 + ? driver_allows_async_probing+0x120/0x120 + bus_for_each_drv+0x123/0x1a0 + ? bus_rescan_devices+0x20/0x20 + ? lockdep_hardirqs_on_prepare+0x273/0x3e0 + ? trace_hardirqs_on+0x1c/0x120 + __device_attach+0x207/0x330 + ? device_bind_driver+0xb0/0xb0 + ? kobject_uevent_env+0x230/0x12c0 + bus_probe_device+0x1a2/0x260 + device_add+0xa61/0x1ce0 + ? __mutex_unlock_slowpath+0xe7/0x660 + ? __fw_devlink_link_to_suppliers+0x550/0x550 + usb_set_configuration+0x984/0x1770 + ? kernfs_create_link+0x175/0x230 + usb_generic_driver_probe+0x69/0x90 + usb_probe_device+0x9c/0x220 + really_probe+0x1be/0xa90 + __driver_probe_device+0x2ab/0x460 + driver_probe_device+0x49/0x120 + __device_attach_driver+0x18a/0x250 + ? driver_allows_async_probing+0x120/0x120 + bus_for_each_drv+0x123/0x1a0 + ? bus_rescan_devices+0x20/0x20 + ? lockdep_hardirqs_on_prepare+0x273/0x3e0 + ? trace_hardirqs_on+0x1c/0x120 + __device_attach+0x207/0x330 + ? device_bind_driver+0xb0/0xb0 + ? kobject_uevent_env+0x230/0x12c0 + bus_probe_device+0x1a2/0x260 + device_add+0xa61/0x1ce0 + ? __fw_devlink_link_to_suppliers+0x550/0x550 + usb_new_device.cold+0x463/0xf66 + ? hub_disconnect+0x400/0x400 + ? _raw_spin_unlock_irq+0x24/0x30 + hub_event+0x10d5/0x3330 + ? hub_port_debounce+0x280/0x280 + ? __lock_acquire+0x1671/0x5790 + ? wq_calc_node_cpumask+0x170/0x2a0 + ? lock_release+0x640/0x640 + ? rcu_read_lock_sched_held+0xa1/0xd0 + ? 
rcu_read_lock_bh_held+0xb0/0xb0 + ? lockdep_hardirqs_on_prepare+0x273/0x3e0 + process_one_work+0x873/0x13e0 + ? lock_release+0x640/0x640 + ? pwq_dec_nr_in_flight+0x320/0x320 + ? rwlock_bug.part.0+0x90/0x90 + worker_thread+0x8b/0xd10 + ? __kthread_parkme+0xd9/0x1d0 + ? process_one_work+0x13e0/0x13e0 + kthread+0x379/0x450 + ? _raw_spin_unlock_irq+0x24/0x30 + ? set_kthread_struct+0x100/0x100 + ret_from_fork+0x1f/0x30 + +Reported-by: Dokyung Song +Reported-by: Jisoo Jang +Reported-by: Minsuk Kang +Signed-off-by: Minsuk Kang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221024071329.504277-1-linuxlovemin@yonsei.ac.kr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c +index 544ad80629a9..47e33fe53eeb 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c +@@ -703,6 +703,11 @@ brcmf_fw_alloc_request(u32 chip, u32 chiprev, + u32 i, j; + char end = '\0'; + ++ if (chiprev >= BITS_PER_TYPE(u32)) { ++ brcmf_err("Invalid chip revision %u\n", chiprev); ++ return NULL; ++ } ++ + for (i = 0; i < table_size; i++) { + if (mapping_table[i].chipid == chip && + mapping_table[i].revmask & BIT(chiprev)) +-- +2.35.1 + diff --git a/queue-5.4/wifi-cfg80211-fix-not-unregister-reg_pdev-when-load_.patch b/queue-5.4/wifi-cfg80211-fix-not-unregister-reg_pdev-when-load_.patch new file mode 100644 index 00000000000..b39c64c9cce --- /dev/null +++ b/queue-5.4/wifi-cfg80211-fix-not-unregister-reg_pdev-when-load_.patch 
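Review bot: The new early `return NULL;` in brcmf_fw_alloc_request() (drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c) adds a failure mode for every bus, but the commit message names only brcmf_usb_probe_cb() and brcmf_usb_reset_resume() as callers that handle NULL, "for example". Please confirm that the other callers of this function check the return value before dereferencing it. The bound is BITS_PER_TYPE(u32) because `revmask` is a u32, while BIT() itself produces an unsigned long; a short comment tying the check to the width of `mapping_table[i].revmask` would make that clear to the next reader.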
@@ -0,0 +1,57 @@ +From 3532ed7063b164e69f15f7e22be059b51c19b5f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 17:02:37 +0800 +Subject: wifi: cfg80211: Fix not unregister reg_pdev when + load_builtin_regdb_keys() fails + +From: Chen Zhongjin + +[ Upstream commit 833a9fd28c9b7ccb39a334721379e992dc1c0c89 ] + +In regulatory_init_db(), when it's going to return a error, reg_pdev +should be unregistered. When load_builtin_regdb_keys() fails it doesn't +do it and makes cfg80211 can't be reload with report: + +sysfs: cannot create duplicate filename '/devices/platform/regulatory.0' + ... + + dump_stack_lvl+0x79/0x9b + sysfs_warn_dup.cold+0x1c/0x29 + sysfs_create_dir_ns+0x22d/0x290 + kobject_add_internal+0x247/0x800 + kobject_add+0x135/0x1b0 + device_add+0x389/0x1be0 + platform_device_add+0x28f/0x790 + platform_device_register_full+0x376/0x4b0 + regulatory_init+0x9a/0x4b2 [cfg80211] + cfg80211_init+0x84/0x113 [cfg80211] + ... + +Fixes: 90a53e4432b1 ("cfg80211: implement regdb signature checking") +Signed-off-by: Chen Zhongjin +Link: https://lore.kernel.org/r/20221109090237.214127-1-chenzhongjin@huawei.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/reg.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index 4db397db2fb4..1f5ea82b58bf 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -3970,8 +3970,10 @@ static int __init regulatory_init_db(void) + return -EINVAL; + + err = load_builtin_regdb_keys(); +- if (err) ++ if (err) { ++ platform_device_unregister(reg_pdev); + return err; ++ } + + /* We always try to get an update for the static regdomain */ + err = regulatory_hint_core(cfg80211_world_regdom->alpha2); +-- +2.35.1 + diff --git a/queue-5.4/wifi-iwlwifi-mvm-fix-double-free-on-tx-path.patch b/queue-5.4/wifi-iwlwifi-mvm-fix-double-free-on-tx-path.patch new file mode 100644 index 00000000000..ae299b39959 --- /dev/null 
+++ b/queue-5.4/wifi-iwlwifi-mvm-fix-double-free-on-tx-path.patch 
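Review bot: In regulatory_init_db() (net/wireless/reg.c), only the load_builtin_regdb_keys() failure gets the new platform_device_unregister(reg_pdev), while the context right below shows a further `err = regulatory_hint_core(cfg80211_world_regdom->alpha2);` whose error handling is outside the hunk. Please confirm that every later failure return in this function also unregisters reg_pdev, since the commit message states the rule generally ("when it's going to return an error, reg_pdev should be unregistered"). A shared cleanup label would make that rule hold by construction instead of per call site.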
@@ -0,0 +1,215 @@ +From 938de62beb145716230be097f35915d888326343 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 23:02:06 +0200 +Subject: wifi: iwlwifi: mvm: fix double free on tx path. + +From: Ben Greear + +[ Upstream commit 0473cbae2137b963bd0eaa74336131cb1d3bc6c3 ] + +We see kernel crashes and lockups and KASAN errors related to ax210 +firmware crashes. One of the KASAN dumps pointed at the tx path, +and it appears there is indeed a way to double-free an skb. + +If iwl_mvm_tx_skb_sta returns non-zero, then the 'skb' sent into the +method will be freed. But, in case where we build TSO skb buffer, +the skb may also be freed in error case. So, return 0 in that particular +error case and do cleanup manually. + +BUG: KASAN: use-after-free in __list_del_entry_valid+0x12/0x90 +iwlwifi 0000:06:00.0: 0x00000000 | tsf hi +Read of size 8 at addr ffff88813cfa4ba0 by task btserver/9650 + +CPU: 4 PID: 9650 Comm: btserver Tainted: G W 5.19.8+ #5 +iwlwifi 0000:06:00.0: 0x00000000 | time gp1 +Hardware name: Default string Default string/SKYBAY, BIOS 5.12 02/19/2019 +Call Trace: + + dump_stack_lvl+0x55/0x6d + print_report.cold.12+0xf2/0x684 +iwlwifi 0000:06:00.0: 0x1D0915A8 | time gp2 + ? __list_del_entry_valid+0x12/0x90 + kasan_report+0x8b/0x180 +iwlwifi 0000:06:00.0: 0x00000001 | uCode revision type + ? __list_del_entry_valid+0x12/0x90 + __list_del_entry_valid+0x12/0x90 +iwlwifi 0000:06:00.0: 0x00000048 | uCode version major + tcp_update_skb_after_send+0x5d/0x170 + __tcp_transmit_skb+0xb61/0x15c0 +iwlwifi 0000:06:00.0: 0xDAA05125 | uCode version minor + ? __tcp_select_window+0x490/0x490 +iwlwifi 0000:06:00.0: 0x00000420 | hw version + ? trace_kmalloc_node+0x29/0xd0 + ? __kmalloc_node_track_caller+0x12a/0x260 + ? memset+0x1f/0x40 + ? __build_skb_around+0x125/0x150 + ? __alloc_skb+0x1d4/0x220 + ? skb_zerocopy_clone+0x55/0x230 +iwlwifi 0000:06:00.0: 0x00489002 | board version + ? kmalloc_reserve+0x80/0x80 + ? 
rcu_read_lock_bh_held+0x60/0xb0 + tcp_write_xmit+0x3f1/0x24d0 +iwlwifi 0000:06:00.0: 0x034E001C | hcmd + ? __check_object_size+0x180/0x350 +iwlwifi 0000:06:00.0: 0x24020000 | isr0 + tcp_sendmsg_locked+0x8a9/0x1520 +iwlwifi 0000:06:00.0: 0x01400000 | isr1 + ? tcp_sendpage+0x50/0x50 +iwlwifi 0000:06:00.0: 0x48F0000A | isr2 + ? lock_release+0xb9/0x400 + ? tcp_sendmsg+0x14/0x40 +iwlwifi 0000:06:00.0: 0x00C3080C | isr3 + ? lock_downgrade+0x390/0x390 + ? do_raw_spin_lock+0x114/0x1d0 +iwlwifi 0000:06:00.0: 0x00200000 | isr4 + ? rwlock_bug.part.2+0x50/0x50 +iwlwifi 0000:06:00.0: 0x034A001C | last cmd Id + ? rwlock_bug.part.2+0x50/0x50 + ? lockdep_hardirqs_on_prepare+0xe/0x200 +iwlwifi 0000:06:00.0: 0x0000C2F0 | wait_event + ? __local_bh_enable_ip+0x87/0xe0 + ? inet_send_prepare+0x220/0x220 +iwlwifi 0000:06:00.0: 0x000000C4 | l2p_control + tcp_sendmsg+0x22/0x40 + sock_sendmsg+0x5f/0x70 +iwlwifi 0000:06:00.0: 0x00010034 | l2p_duration + __sys_sendto+0x19d/0x250 +iwlwifi 0000:06:00.0: 0x00000007 | l2p_mhvalid + ? __ia32_sys_getpeername+0x40/0x40 +iwlwifi 0000:06:00.0: 0x00000000 | l2p_addr_match + ? rcu_read_lock_held_common+0x12/0x50 + ? rcu_read_lock_sched_held+0x5a/0xd0 + ? rcu_read_lock_bh_held+0xb0/0xb0 + ? rcu_read_lock_sched_held+0x5a/0xd0 + ? rcu_read_lock_sched_held+0x5a/0xd0 + ? lock_release+0xb9/0x400 + ? lock_downgrade+0x390/0x390 + ? ktime_get+0x64/0x130 + ? ktime_get+0x8d/0x130 + ? rcu_read_lock_held_common+0x12/0x50 + ? rcu_read_lock_sched_held+0x5a/0xd0 + ? rcu_read_lock_held_common+0x12/0x50 + ? rcu_read_lock_sched_held+0x5a/0xd0 + ? rcu_read_lock_bh_held+0xb0/0xb0 + ? 
rcu_read_lock_bh_held+0xb0/0xb0 + __x64_sys_sendto+0x6f/0x80 + do_syscall_64+0x34/0xb0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 +RIP: 0033:0x7f1d126e4531 +Code: 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 35 80 0c 00 41 89 ca 8b 00 85 c0 75 1c 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 67 c3 66 0f 1f 44 00 00 55 48 83 ec 20 48 89 +RSP: 002b:00007ffe21a679d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 000000000000ffdc RCX: 00007f1d126e4531 +RDX: 0000000000010000 RSI: 000000000374acf0 RDI: 0000000000000014 +RBP: 00007ffe21a67ac0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000010 +R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000 + + +Allocated by task 9650: + kasan_save_stack+0x1c/0x40 + __kasan_slab_alloc+0x6d/0x90 + kmem_cache_alloc_node+0xf3/0x2b0 + __alloc_skb+0x191/0x220 + tcp_stream_alloc_skb+0x3f/0x330 + tcp_sendmsg_locked+0x67c/0x1520 + tcp_sendmsg+0x22/0x40 + sock_sendmsg+0x5f/0x70 + __sys_sendto+0x19d/0x250 + __x64_sys_sendto+0x6f/0x80 + do_syscall_64+0x34/0xb0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Freed by task 9650: + kasan_save_stack+0x1c/0x40 + kasan_set_track+0x21/0x30 + kasan_set_free_info+0x20/0x30 + __kasan_slab_free+0x102/0x170 + kmem_cache_free+0xc8/0x3e0 + iwl_mvm_mac_itxq_xmit+0x124/0x270 [iwlmvm] + ieee80211_queue_skb+0x874/0xd10 [mac80211] + ieee80211_xmit_fast+0xf80/0x1180 [mac80211] + __ieee80211_subif_start_xmit+0x287/0x680 [mac80211] + ieee80211_subif_start_xmit+0xcd/0x730 [mac80211] + dev_hard_start_xmit+0xf6/0x420 + __dev_queue_xmit+0x165b/0x1b50 + ip_finish_output2+0x66e/0xfb0 + __ip_finish_output+0x487/0x6d0 + ip_output+0x11c/0x350 + __ip_queue_xmit+0x36b/0x9d0 + __tcp_transmit_skb+0xb35/0x15c0 + tcp_write_xmit+0x3f1/0x24d0 + tcp_sendmsg_locked+0x8a9/0x1520 + tcp_sendmsg+0x22/0x40 + sock_sendmsg+0x5f/0x70 + __sys_sendto+0x19d/0x250 + __x64_sys_sendto+0x6f/0x80 + do_syscall_64+0x34/0xb0 + 
entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +The buggy address belongs to the object at ffff88813cfa4b40 + which belongs to the cache skbuff_fclone_cache of size 472 +The buggy address is located 96 bytes inside of + 472-byte region [ffff88813cfa4b40, ffff88813cfa4d18) + +The buggy address belongs to the physical page: +page:ffffea0004f3e900 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88813cfa6c40 pfn:0x13cfa4 +head:ffffea0004f3e900 order:2 compound_mapcount:0 compound_pincount:0 +flags: 0x5fff8000010200(slab|head|node=0|zone=2|lastcpupid=0x3fff) +raw: 005fff8000010200 ffffea0004656b08 ffffea0008e8cf08 ffff8881081a5240 +raw: ffff88813cfa6c40 0000000000170015 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88813cfa4a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88813cfa4b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb +>ffff88813cfa4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88813cfa4c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88813cfa4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Fixes: 08f7d8b69aaf ("iwlwifi: mvm: bring back mvm GSO code") +Link: https://lore.kernel.org/linux-wireless/20220928193057.16132-1-greearb@candelatech.com/ +Tested-by: Amol Jawale +Signed-off-by: Ben Greear +Link: https://lore.kernel.org/r/20221123225313.21b1ee31d666.I3b3ba184433dd2a544d91eeeda29b467021824ae@changeid +Signed-off-by: Gregory Greenman +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +index d46e606b7b02..9a81ce299d0d 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -1209,6 +1209,7 @@ int 
iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb, + struct sk_buff_head mpdus_skbs; + unsigned int payload_len; + int ret; ++ struct sk_buff *orig_skb = skb; + + if (WARN_ON_ONCE(!mvmsta)) + return -1; +@@ -1241,8 +1242,17 @@ int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb, + + ret = iwl_mvm_tx_mpdu(mvm, skb, &info, sta); + if (ret) { ++ /* Free skbs created as part of TSO logic that have not yet been dequeued */ + __skb_queue_purge(&mpdus_skbs); +- return ret; ++ /* skb here is not necessarily same as skb that entered this method, ++ * so free it explicitly. ++ */ ++ if (skb == orig_skb) ++ ieee80211_free_txskb(mvm->hw, skb); ++ else ++ kfree_skb(skb); ++ /* there was error, but we consumed skb one way or another, so return 0 */ ++ return 0; + } + } + +-- +2.35.1 + diff --git a/queue-5.4/wifi-mac80211-fix-memory-leak-in-ieee80211_if_add.patch b/queue-5.4/wifi-mac80211-fix-memory-leak-in-ieee80211_if_add.patch new file mode 100644 index 00000000000..48cf0cc1a20 --- /dev/null +++ b/queue-5.4/wifi-mac80211-fix-memory-leak-in-ieee80211_if_add.patch 
@@ -0,0 +1,36 @@ +From 678d04a238d7c121236b07f18dad4837efd29d2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 14:45:00 +0800 +Subject: wifi: mac80211: fix memory leak in ieee80211_if_add() + +From: Zhengchao Shao + +[ Upstream commit 13e5afd3d773c6fc6ca2b89027befaaaa1ea7293 ] + +When register_netdevice() failed in ieee80211_if_add(), ndev->tstats +isn't released. Fix it. + +Fixes: 5a490510ba5f ("mac80211: use per-CPU TX/RX statistics") +Signed-off-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20221117064500.319983-1-shaozhengchao@huawei.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/iface.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index ddc001ad9055..cb06439e087c 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -1888,6 +1888,7 @@ int ieee80211_if_add(struct ieee80211_local *local, const char *name, + + ret = register_netdevice(ndev); + if (ret) { ++ ieee80211_if_free(ndev); + free_netdev(ndev); + return ret; + } +-- +2.35.1 + diff --git a/queue-5.4/wifi-rsi-fix-handling-of-802.3-eapol-frames-sent-via.patch b/queue-5.4/wifi-rsi-fix-handling-of-802.3-eapol-frames-sent-via.patch new file mode 100644 index 00000000000..59836214ab0 --- /dev/null +++ b/queue-5.4/wifi-rsi-fix-handling-of-802.3-eapol-frames-sent-via.patch 
@@ -0,0 +1,92 @@ +From a500584da47c5b1790b127ae371a3ae3eaaaff7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 17:33:39 +0100 +Subject: wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port + +From: Marek Vasut + +[ Upstream commit b8f6efccbb9dc0ff5dee7e20d69a4747298ee603 ] + +When using wpa_supplicant v2.10, this driver is no longer able to +associate with any AP and fails in the EAPOL 4-way handshake while +sending the 2/4 message to the AP. The problem is not present in +wpa_supplicant v2.9 or older. The problem stems from HostAP commit +144314eaa ("wpa_supplicant: Send EAPOL frames over nl80211 where available") +which changes the way EAPOL frames are sent, from them being send +at L2 frames to them being sent via nl80211 control port. + +An EAPOL frame sent as L2 frame is passed to the WiFi driver with +skb->protocol ETH_P_PAE, while EAPOL frame sent via nl80211 control +port has skb->protocol set to ETH_P_802_3 . The later happens in +ieee80211_tx_control_port(), where the EAPOL frame is encapsulated +into 802.3 frame. + +The rsi_91x driver handles ETH_P_PAE EAPOL frames as high-priority +frames and sends them via highest-priority transmit queue, while +the ETH_P_802_3 frames are sent as regular frames. The EAPOL 4-way +handshake frames must be sent as highest-priority, otherwise the +4-way handshake times out. + +Therefore, to fix this problem, inspect the skb control flags and +if flag IEEE80211_TX_CTRL_PORT_CTRL_PROTO is set, assume this is +an EAPOL frame and transmit the frame via high-priority queue just +like other ETH_P_PAE frames. 
+ +Fixes: 0eb42586cf87 ("rsi: data packet descriptor enhancements") +Signed-off-by: Marek Vasut +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221104163339.227432-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/rsi/rsi_91x_core.c | 4 +++- + drivers/net/wireless/rsi/rsi_91x_hal.c | 6 +++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/rsi/rsi_91x_core.c b/drivers/net/wireless/rsi/rsi_91x_core.c +index c6c29034b2ea..a939b552a8e4 100644 +--- a/drivers/net/wireless/rsi/rsi_91x_core.c ++++ b/drivers/net/wireless/rsi/rsi_91x_core.c +@@ -466,7 +466,9 @@ void rsi_core_xmit(struct rsi_common *common, struct sk_buff *skb) + tid, 0); + } + } +- if (skb->protocol == cpu_to_be16(ETH_P_PAE)) { ++ ++ if (IEEE80211_SKB_CB(skb)->control.flags & ++ IEEE80211_TX_CTRL_PORT_CTRL_PROTO) { + q_num = MGMT_SOFT_Q; + skb->priority = q_num; + } +diff --git a/drivers/net/wireless/rsi/rsi_91x_hal.c b/drivers/net/wireless/rsi/rsi_91x_hal.c +index 7d0b44fd5690..062c5da74104 100644 +--- a/drivers/net/wireless/rsi/rsi_91x_hal.c ++++ b/drivers/net/wireless/rsi/rsi_91x_hal.c +@@ -162,12 +162,16 @@ int rsi_prepare_data_desc(struct rsi_common *common, struct sk_buff *skb) + u8 header_size; + u8 vap_id = 0; + u8 dword_align_bytes; ++ bool tx_eapol; + u16 seq_num; + + info = IEEE80211_SKB_CB(skb); + vif = info->control.vif; + tx_params = (struct skb_info *)info->driver_data; + ++ tx_eapol = IEEE80211_SKB_CB(skb)->control.flags & ++ IEEE80211_TX_CTRL_PORT_CTRL_PROTO; ++ + header_size = FRAME_DESC_SZ + sizeof(struct rsi_xtended_desc); + if (header_size > skb_headroom(skb)) { + rsi_dbg(ERR_ZONE, "%s: Unable to send pkt\n", __func__); +@@ -231,7 +235,7 @@ int rsi_prepare_data_desc(struct rsi_common *common, struct sk_buff *skb) + } + } + +- if (skb->protocol == cpu_to_be16(ETH_P_PAE)) { ++ if (tx_eapol) { + rsi_dbg(INFO_ZONE, "*** Tx EAPOL ***\n"); + + data_desc->frame_info = cpu_to_le16(RATE_INFO_ENABLE); +-- +2.35.1 + 
diff --git a/queue-5.4/wifi-rtl8xxxu-add-__packed-to-struct-rtl8723bu_c2h.patch b/queue-5.4/wifi-rtl8xxxu-add-__packed-to-struct-rtl8723bu_c2h.patch new file mode 100644 index 00000000000..917ab9405f1 --- /dev/null +++ b/queue-5.4/wifi-rtl8xxxu-add-__packed-to-struct-rtl8723bu_c2h.patch @@ -0,0 +1,41 @@ +From 3542439f19302635e6300d199f4e215ac30167aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 16:13:57 +0200 +Subject: wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h + +From: Bitterblue Smith + +[ Upstream commit dd469a754afdb782ba3033cee102147493dc39f4 ] + +This struct is used to access a sequence of bytes received from the +wifi chip. It must not have any padding bytes between the members. + +This doesn't change anything on my system, possibly because currently +none of the members need more than byte alignment. + +Fixes: b2b43b7837ba ("rtl8xxxu: Initial functionality to handle C2H events for 8723bu") +Signed-off-by: Bitterblue Smith +Reviewed-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1a270918-da22-ff5f-29fc-7855f740c5ba@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h +index 6858f7de0915..2a02d4d72dec 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h +@@ -1178,7 +1178,7 @@ struct rtl8723bu_c2h { + u8 dummy3_0; + } __packed ra_report; + }; +-}; ++} __packed; + + struct rtl8xxxu_fileops; + +-- +2.35.1 + diff --git a/queue-5.4/wifi-rtl8xxxu-fix-reading-the-vendor-of-combo-chips.patch b/queue-5.4/wifi-rtl8xxxu-fix-reading-the-vendor-of-combo-chips.patch new file mode 100644 index 00000000000..71aefa0f6cf --- /dev/null +++ b/queue-5.4/wifi-rtl8xxxu-fix-reading-the-vendor-of-combo-chips.patch 
@@ -0,0 +1,83 @@ +From 27229d2aa90dceb2c3788cb4108fea59c62e4572 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Oct 2022 13:56:09 +0300 +Subject: wifi: rtl8xxxu: Fix reading the vendor of combo chips + +From: Bitterblue Smith + +[ Upstream commit 6f103aeb5e985ac08f3a4a049a2c17294f40cff9 ] + +The wifi + bluetooth combo chips (RTL8723AU and RTL8723BU) read the +chip vendor from the wrong register because the val32 variable gets +overwritten. Add one more variable to avoid this. + +This had no real effect on RTL8723BU. It may have had an effect on +RTL8723AU. + +Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)") +Signed-off-by: Bitterblue Smith +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/24af8024-2f07-552b-93d8-38823d8e3cb0@gmail.com +Signed-off-by: Sasha Levin +--- + .../wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index b472dc4c551e..4a81e810a0ce 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -1608,18 +1608,18 @@ static void rtl8xxxu_print_chipinfo(struct rtl8xxxu_priv *priv) + static int rtl8xxxu_identify_chip(struct rtl8xxxu_priv *priv) + { + struct device *dev = &priv->udev->dev; +- u32 val32, bonding; ++ u32 val32, bonding, sys_cfg; + u16 val16; + +- val32 = rtl8xxxu_read32(priv, REG_SYS_CFG); +- priv->chip_cut = (val32 & SYS_CFG_CHIP_VERSION_MASK) >> ++ sys_cfg = rtl8xxxu_read32(priv, REG_SYS_CFG); ++ priv->chip_cut = (sys_cfg & SYS_CFG_CHIP_VERSION_MASK) >> + SYS_CFG_CHIP_VERSION_SHIFT; +- if (val32 & SYS_CFG_TRP_VAUX_EN) { ++ if (sys_cfg & SYS_CFG_TRP_VAUX_EN) { + dev_info(dev, "Unsupported test chip\n"); + return -ENOTSUPP; + } + +- if (val32 & SYS_CFG_BT_FUNC) { ++ if (sys_cfg & SYS_CFG_BT_FUNC) { + if (priv->chip_cut >= 3) { + 
sprintf(priv->chip_name, "8723BU"); + priv->rtl_chip = RTL8723B; +@@ -1641,7 +1641,7 @@ static int rtl8xxxu_identify_chip(struct rtl8xxxu_priv *priv) + if (val32 & MULTI_GPS_FUNC_EN) + priv->has_gps = 1; + priv->is_multi_func = 1; +- } else if (val32 & SYS_CFG_TYPE_ID) { ++ } else if (sys_cfg & SYS_CFG_TYPE_ID) { + bonding = rtl8xxxu_read32(priv, REG_HPON_FSM); + bonding &= HPON_FSM_BONDING_MASK; + if (priv->fops->tx_desc_size == +@@ -1689,7 +1689,7 @@ static int rtl8xxxu_identify_chip(struct rtl8xxxu_priv *priv) + case RTL8188E: + case RTL8192E: + case RTL8723B: +- switch (val32 & SYS_CFG_VENDOR_EXT_MASK) { ++ switch (sys_cfg & SYS_CFG_VENDOR_EXT_MASK) { + case SYS_CFG_VENDOR_ID_TSMC: + sprintf(priv->chip_vendor, "TSMC"); + break; +@@ -1706,7 +1706,7 @@ static int rtl8xxxu_identify_chip(struct rtl8xxxu_priv *priv) + } + break; + default: +- if (val32 & SYS_CFG_VENDOR_ID) { ++ if (sys_cfg & SYS_CFG_VENDOR_ID) { + sprintf(priv->chip_vendor, "UMC"); + priv->vendor_umc = 1; + } else { +-- +2.35.1 + diff --git a/queue-5.4/x86-xen-fix-memory-leak-in-xen_init_lock_cpu.patch b/queue-5.4/x86-xen-fix-memory-leak-in-xen_init_lock_cpu.patch new file mode 100644 index 00000000000..406c3c8df3c --- /dev/null +++ b/queue-5.4/x86-xen-fix-memory-leak-in-xen_init_lock_cpu.patch 
@@ -0,0 +1,64 @@ +From f91f56eff3e6b6ec0fdf0da135e9e7d6dbc812ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 23:58:58 +0800 +Subject: x86/xen: Fix memory leak in xen_init_lock_cpu() + +From: Xiu Jianfeng + +[ Upstream commit ca84ce153d887b1dc8b118029976cc9faf2a9b40 ] + +In xen_init_lock_cpu(), the @name has allocated new string by kasprintf(), +if bind_ipi_to_irqhandler() fails, it should be freed, otherwise may lead +to a memory leak issue, fix it. + +Fixes: 2d9e1e2f58b5 ("xen: implement Xen-specific spinlocks") +Signed-off-by: Xiu Jianfeng +Reviewed-by: Juergen Gross +Link: https://lore.kernel.org/r/20221123155858.11382-3-xiujianfeng@huawei.com +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/xen/spinlock.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/xen/spinlock.c b/arch/x86/xen/spinlock.c +index d817b7c862a6..00d2ec73017e 100644 +--- a/arch/x86/xen/spinlock.c ++++ b/arch/x86/xen/spinlock.c +@@ -75,6 +75,7 @@ void xen_init_lock_cpu(int cpu) + cpu, per_cpu(lock_kicker_irq, cpu)); + + name = kasprintf(GFP_KERNEL, "spinlock%d", cpu); ++ per_cpu(irq_name, cpu) = name; + irq = bind_ipi_to_irqhandler(XEN_SPIN_UNLOCK_VECTOR, + cpu, + dummy_handler, +@@ -85,7 +86,6 @@ void xen_init_lock_cpu(int cpu) + if (irq >= 0) { + disable_irq(irq); /* make sure it's never delivered */ + per_cpu(lock_kicker_irq, cpu) = irq; +- per_cpu(irq_name, cpu) = name; + } + + printk("cpu %d spinlock event irq %d\n", cpu, irq); +@@ -98,6 +98,8 @@ void xen_uninit_lock_cpu(int cpu) + if (!xen_pvspin) + return; + ++ kfree(per_cpu(irq_name, cpu)); ++ per_cpu(irq_name, cpu) = NULL; + /* + * When booting the kernel with 'mitigations=auto,nosmt', the secondary + * CPUs are not activated, and lock_kicker_irq is not initialized. 
+@@ -108,8 +110,6 @@ void xen_uninit_lock_cpu(int cpu) + + unbind_from_irqhandler(irq, NULL); + per_cpu(lock_kicker_irq, cpu) = -1; +- kfree(per_cpu(irq_name, cpu)); +- per_cpu(irq_name, cpu) = NULL; + } + + PV_CALLEE_SAVE_REGS_THUNK(xen_vcpu_stolen); +-- +2.35.1 + diff --git a/queue-5.4/x86-xen-fix-memory-leak-in-xen_smp_intr_init-_pv.patch b/queue-5.4/x86-xen-fix-memory-leak-in-xen_smp_intr_init-_pv.patch new file mode 100644 index 00000000000..e23b6a0fa28 --- /dev/null +++ b/queue-5.4/x86-xen-fix-memory-leak-in-xen_smp_intr_init-_pv.patch 
@@ -0,0 +1,178 @@ +From e1f74d966885535cd414b9c238d7a8cebd68a9e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 23:58:57 +0800 +Subject: x86/xen: Fix memory leak in xen_smp_intr_init{_pv}() + +From: Xiu Jianfeng + +[ Upstream commit 69143f60868b3939ddc89289b29db593b647295e ] + +These local variables @{resched|pmu|callfunc...}_name saves the new +string allocated by kasprintf(), and when bind_{v}ipi_to_irqhandler() +fails, it goes to the @fail tag, and calls xen_smp_intr_free{_pv}() to +free resource, however the new string is not saved, which cause a memory +leak issue. fix it. + +Fixes: 9702785a747a ("i386: move xen") +Signed-off-by: Xiu Jianfeng +Reviewed-by: Juergen Gross +Link: https://lore.kernel.org/r/20221123155858.11382-2-xiujianfeng@huawei.com +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/xen/smp.c | 24 ++++++++++++------------ + arch/x86/xen/smp_pv.c | 12 ++++++------ + 2 files changed, 18 insertions(+), 18 deletions(-) + +diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c +index 63a3605b2225..a1cc855c539c 100644 +--- a/arch/x86/xen/smp.c ++++ b/arch/x86/xen/smp.c +@@ -32,30 +32,30 @@ static irqreturn_t xen_reschedule_interrupt(int irq, void *dev_id) + + void xen_smp_intr_free(unsigned int cpu) + { ++ kfree(per_cpu(xen_resched_irq, cpu).name); ++ per_cpu(xen_resched_irq, cpu).name = NULL; + if (per_cpu(xen_resched_irq, cpu).irq >= 0) { + unbind_from_irqhandler(per_cpu(xen_resched_irq, cpu).irq, NULL); + per_cpu(xen_resched_irq, cpu).irq = -1; +- kfree(per_cpu(xen_resched_irq, cpu).name); +- per_cpu(xen_resched_irq, cpu).name = NULL; + } ++ kfree(per_cpu(xen_callfunc_irq, cpu).name); ++ per_cpu(xen_callfunc_irq, cpu).name = NULL; + if (per_cpu(xen_callfunc_irq, cpu).irq >= 0) { + unbind_from_irqhandler(per_cpu(xen_callfunc_irq, cpu).irq, NULL); + per_cpu(xen_callfunc_irq, cpu).irq = -1; +- kfree(per_cpu(xen_callfunc_irq, cpu).name); +- per_cpu(xen_callfunc_irq, cpu).name = NULL; + } ++ 
kfree(per_cpu(xen_debug_irq, cpu).name); ++ per_cpu(xen_debug_irq, cpu).name = NULL; + if (per_cpu(xen_debug_irq, cpu).irq >= 0) { + unbind_from_irqhandler(per_cpu(xen_debug_irq, cpu).irq, NULL); + per_cpu(xen_debug_irq, cpu).irq = -1; +- kfree(per_cpu(xen_debug_irq, cpu).name); +- per_cpu(xen_debug_irq, cpu).name = NULL; + } ++ kfree(per_cpu(xen_callfuncsingle_irq, cpu).name); ++ per_cpu(xen_callfuncsingle_irq, cpu).name = NULL; + if (per_cpu(xen_callfuncsingle_irq, cpu).irq >= 0) { + unbind_from_irqhandler(per_cpu(xen_callfuncsingle_irq, cpu).irq, + NULL); + per_cpu(xen_callfuncsingle_irq, cpu).irq = -1; +- kfree(per_cpu(xen_callfuncsingle_irq, cpu).name); +- per_cpu(xen_callfuncsingle_irq, cpu).name = NULL; + } + } + +@@ -65,6 +65,7 @@ int xen_smp_intr_init(unsigned int cpu) + char *resched_name, *callfunc_name, *debug_name; + + resched_name = kasprintf(GFP_KERNEL, "resched%d", cpu); ++ per_cpu(xen_resched_irq, cpu).name = resched_name; + rc = bind_ipi_to_irqhandler(XEN_RESCHEDULE_VECTOR, + cpu, + xen_reschedule_interrupt, +@@ -74,9 +75,9 @@ int xen_smp_intr_init(unsigned int cpu) + if (rc < 0) + goto fail; + per_cpu(xen_resched_irq, cpu).irq = rc; +- per_cpu(xen_resched_irq, cpu).name = resched_name; + + callfunc_name = kasprintf(GFP_KERNEL, "callfunc%d", cpu); ++ per_cpu(xen_callfunc_irq, cpu).name = callfunc_name; + rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_VECTOR, + cpu, + xen_call_function_interrupt, +@@ -86,10 +87,10 @@ int xen_smp_intr_init(unsigned int cpu) + if (rc < 0) + goto fail; + per_cpu(xen_callfunc_irq, cpu).irq = rc; +- per_cpu(xen_callfunc_irq, cpu).name = callfunc_name; + + if (!xen_fifo_events) { + debug_name = kasprintf(GFP_KERNEL, "debug%d", cpu); ++ per_cpu(xen_debug_irq, cpu).name = debug_name; + rc = bind_virq_to_irqhandler(VIRQ_DEBUG, cpu, + xen_debug_interrupt, + IRQF_PERCPU | IRQF_NOBALANCING, +@@ -97,10 +98,10 @@ int xen_smp_intr_init(unsigned int cpu) + if (rc < 0) + goto fail; + per_cpu(xen_debug_irq, cpu).irq = rc; +- 
per_cpu(xen_debug_irq, cpu).name = debug_name; + } + + callfunc_name = kasprintf(GFP_KERNEL, "callfuncsingle%d", cpu); ++ per_cpu(xen_callfuncsingle_irq, cpu).name = callfunc_name; + rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_SINGLE_VECTOR, + cpu, + xen_call_function_single_interrupt, +@@ -110,7 +111,6 @@ int xen_smp_intr_init(unsigned int cpu) + if (rc < 0) + goto fail; + per_cpu(xen_callfuncsingle_irq, cpu).irq = rc; +- per_cpu(xen_callfuncsingle_irq, cpu).name = callfunc_name; + + return 0; + +diff --git a/arch/x86/xen/smp_pv.c b/arch/x86/xen/smp_pv.c +index 9d9777ded5f7..928fbe63c96f 100644 +--- a/arch/x86/xen/smp_pv.c ++++ b/arch/x86/xen/smp_pv.c +@@ -98,18 +98,18 @@ asmlinkage __visible void cpu_bringup_and_idle(void) + + void xen_smp_intr_free_pv(unsigned int cpu) + { ++ kfree(per_cpu(xen_irq_work, cpu).name); ++ per_cpu(xen_irq_work, cpu).name = NULL; + if (per_cpu(xen_irq_work, cpu).irq >= 0) { + unbind_from_irqhandler(per_cpu(xen_irq_work, cpu).irq, NULL); + per_cpu(xen_irq_work, cpu).irq = -1; +- kfree(per_cpu(xen_irq_work, cpu).name); +- per_cpu(xen_irq_work, cpu).name = NULL; + } + ++ kfree(per_cpu(xen_pmu_irq, cpu).name); ++ per_cpu(xen_pmu_irq, cpu).name = NULL; + if (per_cpu(xen_pmu_irq, cpu).irq >= 0) { + unbind_from_irqhandler(per_cpu(xen_pmu_irq, cpu).irq, NULL); + per_cpu(xen_pmu_irq, cpu).irq = -1; +- kfree(per_cpu(xen_pmu_irq, cpu).name); +- per_cpu(xen_pmu_irq, cpu).name = NULL; + } + } + +@@ -119,6 +119,7 @@ int xen_smp_intr_init_pv(unsigned int cpu) + char *callfunc_name, *pmu_name; + + callfunc_name = kasprintf(GFP_KERNEL, "irqwork%d", cpu); ++ per_cpu(xen_irq_work, cpu).name = callfunc_name; + rc = bind_ipi_to_irqhandler(XEN_IRQ_WORK_VECTOR, + cpu, + xen_irq_work_interrupt, +@@ -128,10 +129,10 @@ int xen_smp_intr_init_pv(unsigned int cpu) + if (rc < 0) + goto fail; + per_cpu(xen_irq_work, cpu).irq = rc; +- per_cpu(xen_irq_work, cpu).name = callfunc_name; + + if (is_xen_pmu) { + pmu_name = kasprintf(GFP_KERNEL, "pmu%d", cpu); ++ 
per_cpu(xen_pmu_irq, cpu).name = pmu_name; + rc = bind_virq_to_irqhandler(VIRQ_XENPMU, cpu, + xen_pmu_irq_handler, + IRQF_PERCPU|IRQF_NOBALANCING, +@@ -139,7 +140,6 @@ int xen_smp_intr_init_pv(unsigned int cpu) + if (rc < 0) + goto fail; + per_cpu(xen_pmu_irq, cpu).irq = rc; +- per_cpu(xen_pmu_irq, cpu).name = pmu_name; + } + + return 0; +-- +2.35.1 + diff --git a/queue-5.4/xen-events-only-register-debug-interrupt-for-2-level.patch b/queue-5.4/xen-events-only-register-debug-interrupt-for-2-level.patch new file mode 100644 index 00000000000..6c1ca7f7d42 --- /dev/null +++ b/queue-5.4/xen-events-only-register-debug-interrupt-for-2-level.patch 
@@ -0,0 +1,100 @@ +From 53cd536e2e297c62abb699716cae916bbfd16eb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Oct 2020 11:49:05 +0200 +Subject: xen/events: only register debug interrupt for 2-level events + +From: Juergen Gross + +[ Upstream commit d04b1ae5a9b0c868dda8b4b34175ef08f3cb9e93 ] + +xen_debug_interrupt() is specific to 2-level event handling. So don't +register it with fifo event handling being active. + +Signed-off-by: Juergen Gross +Reviewed-by: Jan Beulich +Link: https://lore.kernel.org/r/20201022094907.28560-4-jgross@suse.com +Signed-off-by: Boris Ostrovsky +Stable-dep-of: 69143f60868b ("x86/xen: Fix memory leak in xen_smp_intr_init{_pv}()") +Signed-off-by: Sasha Levin +--- + arch/x86/xen/smp.c | 19 +++++++++++-------- + arch/x86/xen/xen-ops.h | 2 ++ + drivers/xen/events/events_base.c | 10 ++++++---- + 3 files changed, 19 insertions(+), 12 deletions(-) + +diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c +index 7a43b2ae19f1..63a3605b2225 100644 +--- a/arch/x86/xen/smp.c ++++ b/arch/x86/xen/smp.c +@@ -88,14 +88,17 @@ int xen_smp_intr_init(unsigned int cpu) + per_cpu(xen_callfunc_irq, cpu).irq = rc; + per_cpu(xen_callfunc_irq, cpu).name = callfunc_name; + +- debug_name = kasprintf(GFP_KERNEL, "debug%d", cpu); +- rc = bind_virq_to_irqhandler(VIRQ_DEBUG, cpu, xen_debug_interrupt, +- IRQF_PERCPU | IRQF_NOBALANCING, +- debug_name, NULL); +- if (rc < 0) +- goto fail; +- per_cpu(xen_debug_irq, cpu).irq = rc; +- per_cpu(xen_debug_irq, cpu).name = debug_name; ++ if (!xen_fifo_events) { ++ debug_name = kasprintf(GFP_KERNEL, "debug%d", cpu); ++ rc = bind_virq_to_irqhandler(VIRQ_DEBUG, cpu, ++ xen_debug_interrupt, ++ IRQF_PERCPU | IRQF_NOBALANCING, ++ debug_name, NULL); ++ if (rc < 0) ++ goto fail; ++ per_cpu(xen_debug_irq, cpu).irq = rc; ++ per_cpu(xen_debug_irq, cpu).name = debug_name; ++ } + + callfunc_name = kasprintf(GFP_KERNEL, "callfuncsingle%d", cpu); + rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_SINGLE_VECTOR, +diff --git 
a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h +index 45a441c33d6d..120e2bcf20f8 100644 +--- a/arch/x86/xen/xen-ops.h ++++ b/arch/x86/xen/xen-ops.h +@@ -30,6 +30,8 @@ extern struct start_info *xen_start_info; + extern struct shared_info xen_dummy_shared_info; + extern struct shared_info *HYPERVISOR_shared_info; + ++extern bool xen_fifo_events; ++ + void xen_setup_mfn_list_list(void); + void xen_build_mfn_list_list(void); + void xen_setup_machphys_mapping(void); +diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c +index 87cfadd70d0d..544711104989 100644 +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -2101,8 +2101,8 @@ void xen_callback_vector(void) + void xen_callback_vector(void) {} + #endif + +-static bool fifo_events = true; +-module_param(fifo_events, bool, 0); ++bool xen_fifo_events = true; ++module_param_named(fifo_events, xen_fifo_events, bool, 0); + + static int xen_evtchn_cpu_prepare(unsigned int cpu) + { +@@ -2131,10 +2131,12 @@ void __init xen_init_IRQ(void) + int ret = -EINVAL; + unsigned int evtchn; + +- if (fifo_events) ++ if (xen_fifo_events) + ret = xen_evtchn_fifo_init(); +- if (ret < 0) ++ if (ret < 0) { + xen_evtchn_2l_init(); ++ xen_fifo_events = false; ++ } + + xen_cpu_init_eoi(smp_processor_id()); + +-- +2.35.1 + diff --git a/queue-5.4/xen-privcmd-fix-a-possible-warning-in-privcmd_ioctl_.patch b/queue-5.4/xen-privcmd-fix-a-possible-warning-in-privcmd_ioctl_.patch new file mode 100644 index 00000000000..e5c573f4a62 --- /dev/null +++ b/queue-5.4/xen-privcmd-fix-a-possible-warning-in-privcmd_ioctl_.patch 
@@ -0,0 +1,46 @@ +From 1803bac9cffc431e383fd0ad0a268aaff5d95f25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 21:07:45 -0800 +Subject: xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource() + +From: Harshit Mogalapalli + +[ Upstream commit 8b997b2bb2c53b76a6db6c195930e9ab8e4b0c79 ] + +As 'kdata.num' is user-controlled data, if user tries to allocate +memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it +creates a stack trace and messes up dmesg with a warning. + +Call trace: +-> privcmd_ioctl +--> privcmd_ioctl_mmap_resource + +Add __GFP_NOWARN in order to avoid too large allocation warning. +This is detected by static analysis using smatch. + +Fixes: 3ad0876554ca ("xen/privcmd: add IOCTL_PRIVCMD_MMAP_RESOURCE") +Signed-off-by: Harshit Mogalapalli +Reviewed-by: Juergen Gross +Link: https://lore.kernel.org/r/20221126050745.778967-1-harshit.m.mogalapalli@oracle.com +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/privcmd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c +index d4ff944cd16e..c4b0de4a542b 100644 +--- a/drivers/xen/privcmd.c ++++ b/drivers/xen/privcmd.c +@@ -766,7 +766,7 @@ static long privcmd_ioctl_mmap_resource(struct file *file, + goto out; + } + +- pfns = kcalloc(kdata.num, sizeof(*pfns), GFP_KERNEL); ++ pfns = kcalloc(kdata.num, sizeof(*pfns), GFP_KERNEL | __GFP_NOWARN); + if (!pfns) { + rc = -ENOMEM; + goto out; +-- +2.35.1 + diff --git a/queue-5.4/xprtrdma-fix-regbuf-data-not-freed-in-rpcrdma_req_cr.patch b/queue-5.4/xprtrdma-fix-regbuf-data-not-freed-in-rpcrdma_req_cr.patch new file mode 100644 index 00000000000..b6024bec241 --- /dev/null +++ b/queue-5.4/xprtrdma-fix-regbuf-data-not-freed-in-rpcrdma_req_cr.patch 
@@ -0,0 +1,35 @@ +From 7b121b772d0b6e44ec121af3dfe4ec3e07b731b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Nov 2022 15:34:29 +0800 +Subject: xprtrdma: Fix regbuf data not freed in rpcrdma_req_create() + +From: Zhang Xiaoxu + +[ Upstream commit 9181f40fb2952fd59ecb75e7158620c9c669eee3 ] + +If rdma receive buffer allocate failed, should call rpcrdma_regbuf_free() +to free the send buffer, otherwise, the buffer data will be leaked. + +Fixes: bb93a1ae2bf4 ("xprtrdma: Allocate req's regbufs at xprt create time") +Signed-off-by: Zhang Xiaoxu +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/verbs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c +index 0f4d39fdb48f..e13115bbe719 100644 +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -1037,6 +1037,7 @@ struct rpcrdma_req *rpcrdma_req_create(struct rpcrdma_xprt *r_xprt, size_t size, + kfree(req->rl_sendbuf); + out3: + kfree(req->rl_rdmabuf); ++ rpcrdma_regbuf_free(req->rl_sendbuf); + out2: + kfree(req); + out1: +-- +2.35.1 +
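Review bot: in the `if (ret)` branch of iwl_mvm_tx_skb_sta() (second hunk of the iwlwifi tx.c patch), the new `return 0` discards the error from iwl_mvm_tx_mpdu(), so the caller can no longer tell a dropped frame from a transmitted one. The skb is now consumed on every path, which is what prevents the double free, but consider counting or logging the drop before returning so the failure stays observable. A short comment on why segments with `skb != orig_skb` go through kfree_skb() while the original goes through ieee80211_free_txskb() would also help the next reader.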
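Review bot: in rsi_core_xmit() (rsi_91x_core.c hunk of the rsi patch), the `skb->protocol == cpu_to_be16(ETH_P_PAE)` test is replaced outright rather than extended, while the commit message describes queueing control-port frames "just like other ETH_P_PAE frames". If an EAPOL frame sent as a plain L2 frame can reach this function without IEEE80211_TX_CTRL_PORT_CTRL_PROTO set, it loses MGMT_SOFT_Q priority after this change. Either keep both conditions joined with `||`, or state in the commit message that the flag is set on both send paths.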
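Review bot: in rsi_prepare_data_desc() (rsi_91x_hal.c hunk of the rsi patch), `tx_eapol` is computed from `IEEE80211_SKB_CB(skb)->control.flags` a few lines after `info = IEEE80211_SKB_CB(skb);`, so `info->control.flags` would say the same thing with less noise. The same question as in rsi_core_xmit() applies to the `if (tx_eapol)` replacement further down: frames that carry ETH_P_PAE without the control-port flag no longer take the EAPOL branch.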
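Review bot: in rtl8xxxu_identify_chip() (hunk at -1641 of the rtl8xxxu_core.c patch), `if (val32 & MULTI_GPS_FUNC_EN)` stays on `val32` while the neighbouring tests move to `sys_cfg`. That is consistent with the commit message, since `val32` has been overwritten by then, but the function now mixes two variables in adjacent conditions. A one-line comment at that test naming the register `val32` holds at that point, or a dedicated variable for it, would make the distinction explicit and guard against the same mistake being reintroduced.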
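Review bot: in xen_smp_intr_free() and xen_smp_intr_free_pv() (x86/xen smp.c and smp_pv.c hunks), each `kfree(per_cpu(..., cpu).name)` now runs before the matching unbind_from_irqhandler(), so the name string is released while the irq it was bound with is still registered. The bind calls take that string as an argument (visible as `debug_name` in the VIRQ_DEBUG call elsewhere in this queue). Placing the unconditional kfree and NULL assignment directly after each `if (... .irq >= 0)` block fixes the leak equally and frees the name only once the handler is gone.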
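Review bot: in privcmd_ioctl_mmap_resource() (privcmd.c hunk), `kcalloc(kdata.num, sizeof(*pfns), ...)` still takes the user-controlled `kdata.num` with no upper bound visible here; `__GFP_NOWARN` only hides the allocation-failure warning described in the commit message. If there is a sensible maximum for the number of frames, rejecting larger values before the allocation would bound the request rather than mute it. Failing that, a comment next to the flag saying the count is user-supplied would document why the warning is suppressed.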
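Review bot: in rpcrdma_req_create() (verbs.c hunk of the xprtrdma patch), the added `rpcrdma_regbuf_free(req->rl_sendbuf);` sits under `out3:`, but the context line directly above that label is `kfree(req->rl_sendbuf);`. The path that falls through from the earlier label therefore hands an already-freed pointer to rpcrdma_regbuf_free(), and a direct jump to `out3:` reaches the new call as well. The commit message asks for the send buffer to be released with rpcrdma_regbuf_free() when the receive buffer allocation fails, which reads as replacing the existing `kfree(req->rl_sendbuf);` rather than adding a second free after `kfree(req->rl_rdmabuf);`. Please recheck this backport against the label layout in 5.4 before it is queued.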