From 2f05f542c31b9abe4cc05adf120ee6cb6bae8a1e Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 6 May 2023 11:18:13 +0900 Subject: [PATCH] 5.15-stable patches added patches: arm64-always-load-shadow-stack-pointer-directly-from-the-task-struct.patch arm64-stash-shadow-stack-pointer-in-the-task-struct-on-interrupt.patch blk-crypto-make-blk_crypto_evict_key-more-robust.patch blk-crypto-make-blk_crypto_evict_key-return-void.patch blk-mq-release-crypto-keyslot-before-reporting-i-o-complete.patch ext4-use-ext4_journal_start-stop-for-fast-commit-transactions.patch hwmon-adt7475-use-device_property-apis-when-configuring-polarity.patch hwmon-k10temp-check-range-scale-when-cur_temp-register-is-read-write.patch ima-allow-fix-uml-builds.patch ipmi-fix-ssif-not-responding-under-certain-cond.patch ipmi-ssif-add-send_retries-increment.patch kheaders-use-array-declaration-instead-of-char.patch mips-fw-allow-firmware-to-pass-a-empty-env.patch pci-pciehp-fix-ab-ba-deadlock-between-reset_lock-and-device_lock.patch pci-qcom-fix-the-incorrect-register-usage-in-v2.7.0-config.patch posix-cpu-timers-implement-the-missing-timer_wait_running-callback.patch staging-iio-resolver-ads1210-fix-config-mode.patch tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-nohz-subsystem.patch tty-prevent-writing-chars-during-tcsetattr-tcsadrain-flush.patch usb-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch usb-dwc3-fix-runtime-pm-imbalance-on-unbind.patch wifi-mt76-add-missing-locking-to-protect-against-concurrent-rx-status-calls.patch wifi-mt76-mt7921e-set-memory-space-enable-in-pci_command-if-unset.patch xhci-fix-debugfs-register-accesses-while-suspended.patch --- ...ointer-directly-from-the-task-struct.patch | 82 ++++++ ...nter-in-the-task-struct-on-interrupt.patch | 72 +++++ ...ake-blk_crypto_evict_key-more-robust.patch | 161 +++++++++++ ...ake-blk_crypto_evict_key-return-void.patch | 132 +++++++++ ...eyslot-before-reporting-i-o-complete.patch | 186 ++++++++++++ ...rt-stop-for-fast-commit-transactions.patch | 195 +++++++++++++ ...perty-apis-when-configuring-polarity.patch | 44 +++ ...when-cur_temp-register-is-read-write.patch | 76 +++++ queue-5.15/ima-allow-fix-uml-builds.patch | 51 ++++ ...if-not-responding-under-certain-cond.patch | 73 +++++ ...ipmi-ssif-add-send_retries-increment.patch | 34 +++ ...se-array-declaration-instead-of-char.patch | 75 +++++ ...w-allow-firmware-to-pass-a-empty-env.patch | 35 +++ ...k-between-reset_lock-and-device_lock.patch | 178 ++++++++++++ ...rect-register-usage-in-v2.7.0-config.patch | 44 +++ ...-missing-timer_wait_running-callback.patch | 268 ++++++++++++++++++ queue-5.15/series | 24 ++ ...iio-resolver-ads1210-fix-config-mode.patch | 37 +++ ...able-by-checking-with-nohz-subsystem.patch | 97 +++++++ ...ars-during-tcsetattr-tcsadrain-flush.patch | 126 ++++++++ ...runtime-pm-imbalance-on-probe-errors.patch | 57 ++++ ...3-fix-runtime-pm-imbalance-on-unbind.patch | 34 +++ ...t-against-concurrent-rx-status-calls.patch | 104 +++++++ ...space-enable-in-pci_command-if-unset.patch | 47 +++ ...fs-register-accesses-while-suspended.patch | 33 +++ 25 files changed, 2265 insertions(+) create mode 100644 queue-5.15/arm64-always-load-shadow-stack-pointer-directly-from-the-task-struct.patch create mode 100644 queue-5.15/arm64-stash-shadow-stack-pointer-in-the-task-struct-on-interrupt.patch create mode 100644 queue-5.15/blk-crypto-make-blk_crypto_evict_key-more-robust.patch create mode 100644 queue-5.15/blk-crypto-make-blk_crypto_evict_key-return-void.patch create mode 100644 queue-5.15/blk-mq-release-crypto-keyslot-before-reporting-i-o-complete.patch create mode 100644 queue-5.15/ext4-use-ext4_journal_start-stop-for-fast-commit-transactions.patch create mode 100644 queue-5.15/hwmon-adt7475-use-device_property-apis-when-configuring-polarity.patch create mode 100644 queue-5.15/hwmon-k10temp-check-range-scale-when-cur_temp-register-is-read-write.patch create mode 100644 queue-5.15/ima-allow-fix-uml-builds.patch create mode 100644 queue-5.15/ipmi-fix-ssif-not-responding-under-certain-cond.patch create mode 100644 queue-5.15/ipmi-ssif-add-send_retries-increment.patch create mode 100644 queue-5.15/kheaders-use-array-declaration-instead-of-char.patch create mode 100644 queue-5.15/mips-fw-allow-firmware-to-pass-a-empty-env.patch create mode 100644 queue-5.15/pci-pciehp-fix-ab-ba-deadlock-between-reset_lock-and-device_lock.patch create mode 100644 queue-5.15/pci-qcom-fix-the-incorrect-register-usage-in-v2.7.0-config.patch create mode 100644 queue-5.15/posix-cpu-timers-implement-the-missing-timer_wait_running-callback.patch create mode 100644 queue-5.15/staging-iio-resolver-ads1210-fix-config-mode.patch create mode 100644 queue-5.15/tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-nohz-subsystem.patch create mode 100644 queue-5.15/tty-prevent-writing-chars-during-tcsetattr-tcsadrain-flush.patch create mode 100644 queue-5.15/usb-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch create mode 100644 queue-5.15/usb-dwc3-fix-runtime-pm-imbalance-on-unbind.patch create mode 100644 queue-5.15/wifi-mt76-add-missing-locking-to-protect-against-concurrent-rx-status-calls.patch create mode 100644 queue-5.15/wifi-mt76-mt7921e-set-memory-space-enable-in-pci_command-if-unset.patch create mode 100644 queue-5.15/xhci-fix-debugfs-register-accesses-while-suspended.patch diff --git a/queue-5.15/arm64-always-load-shadow-stack-pointer-directly-from-the-task-struct.patch b/queue-5.15/arm64-always-load-shadow-stack-pointer-directly-from-the-task-struct.patch new file mode 100644 index 00000000000..94fd649af50 --- /dev/null +++ b/queue-5.15/arm64-always-load-shadow-stack-pointer-directly-from-the-task-struct.patch @@ -0,0 +1,82 @@ +From 2198d07c509f1db4a1185d1f65aaada794c6ea59 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Mon, 9 Jan 2023 18:47:59 +0100 +Subject: arm64: Always load shadow stack pointer directly from the task struct + +From: Ard Biesheuvel + +commit 2198d07c509f1db4a1185d1f65aaada794c6ea59 upstream. + +All occurrences of the scs_load macro load the value of the shadow call +stack pointer from the task which is current at that point. So instead +of taking a task struct register argument in the scs_load macro to +specify the task struct to load from, let's always reference the current +task directly. This should make it much harder to exploit any +instruction sequences reloading the shadow call stack pointer register +from memory. + +Signed-off-by: Ard Biesheuvel +Acked-by: Mark Rutland +Reviewed-by: Kees Cook +Link: https://lore.kernel.org/r/20230109174800.3286265-2-ardb@kernel.org +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/scs.h | 7 ++++--- + arch/arm64/kernel/entry.S | 4 ++-- + arch/arm64/kernel/head.S | 2 +- + 3 files changed, 7 insertions(+), 6 deletions(-) + +--- a/arch/arm64/include/asm/scs.h ++++ b/arch/arm64/include/asm/scs.h +@@ -9,15 +9,16 @@ + #ifdef CONFIG_SHADOW_CALL_STACK + scs_sp .req x18 + +- .macro scs_load tsk +- ldr scs_sp, [\tsk, #TSK_TI_SCS_SP] ++ .macro scs_load_current ++ get_current_task scs_sp ++ ldr scs_sp, [scs_sp, #TSK_TI_SCS_SP] + .endm + + .macro scs_save tsk + str scs_sp, [\tsk, #TSK_TI_SCS_SP] + .endm + #else +- .macro scs_load tsk ++ .macro scs_load_current + .endm + + .macro scs_save tsk +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -272,7 +272,7 @@ alternative_if ARM64_HAS_ADDRESS_AUTH + alternative_else_nop_endif + 1: + +- scs_load tsk ++ scs_load_current + .else + add x21, sp, #PT_REGS_SIZE + get_current_task tsk +@@ -855,7 +855,7 @@ SYM_FUNC_START(cpu_switch_to) + msr sp_el0, x1 + ptrauth_keys_install_kernel x1, x8, x9, x10 + scs_save x0 +- scs_load x1 ++ scs_load_current + ret + SYM_FUNC_END(cpu_switch_to) + NOKPROBE(cpu_switch_to) +--- a/arch/arm64/kernel/head.S ++++ b/arch/arm64/kernel/head.S +@@ -409,7 +409,7 @@ SYM_FUNC_END(__create_page_tables) + stp xzr, xzr, [sp, #S_STACKFRAME] + add x29, sp, #S_STACKFRAME + +- scs_load \tsk ++ scs_load_current + + adr_l \tmp1, __per_cpu_offset + ldr w\tmp2, [\tsk, #TSK_CPU] diff --git a/queue-5.15/arm64-stash-shadow-stack-pointer-in-the-task-struct-on-interrupt.patch b/queue-5.15/arm64-stash-shadow-stack-pointer-in-the-task-struct-on-interrupt.patch new file mode 100644 index 00000000000..6846d31bd19 --- /dev/null +++ b/queue-5.15/arm64-stash-shadow-stack-pointer-in-the-task-struct-on-interrupt.patch @@ -0,0 +1,72 @@ +From 59b37fe52f49955791a460752c37145f1afdcad1 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Mon, 9 Jan 2023 18:48:00 +0100 +Subject: arm64: Stash shadow stack pointer in the task struct on interrupt + +From: Ard Biesheuvel + +commit 59b37fe52f49955791a460752c37145f1afdcad1 upstream. + +Instead of reloading the shadow call stack pointer from the ordinary +stack, which may be vulnerable to the kind of gadget based attacks +shadow call stacks were designed to prevent, let's store a task's shadow +call stack pointer in the task struct when switching to the shadow IRQ +stack. + +Given that currently, the task_struct::scs_sp field is only used to +preserve the shadow call stack pointer while a task is scheduled out or +running in user space, reusing this field to preserve and restore it +while running off the IRQ stack must be safe, as those occurrences are +guaranteed to never overlap. (The stack switching logic only switches +stacks when running from the task stack, and so the value being saved +here always corresponds to the task mode shadow stack) + +While at it, fold a mov/add/mov sequence into a single add. + +Signed-off-by: Ard Biesheuvel +Reviewed-by: Kees Cook +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/20230109174800.3286265-3-ardb@kernel.org +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/entry.S | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -883,19 +883,19 @@ NOKPROBE(ret_from_fork) + */ + SYM_FUNC_START(call_on_irq_stack) + #ifdef CONFIG_SHADOW_CALL_STACK +- stp scs_sp, xzr, [sp, #-16]! ++ get_current_task x16 ++ scs_save x16 + ldr_this_cpu scs_sp, irq_shadow_call_stack_ptr, x17 + #endif ++ + /* Create a frame record to save our LR and SP (implicit in FP) */ + stp x29, x30, [sp, #-16]! + mov x29, sp + + ldr_this_cpu x16, irq_stack_ptr, x17 +- mov x15, #IRQ_STACK_SIZE +- add x16, x16, x15 + + /* Move to the new stack and call the function there */ +- mov sp, x16 ++ add sp, x16, #IRQ_STACK_SIZE + blr x1 + + /* +@@ -904,9 +904,7 @@ SYM_FUNC_START(call_on_irq_stack) + */ + mov sp, x29 + ldp x29, x30, [sp], #16 +-#ifdef CONFIG_SHADOW_CALL_STACK +- ldp scs_sp, xzr, [sp], #16 +-#endif ++ scs_load_current + ret + SYM_FUNC_END(call_on_irq_stack) + NOKPROBE(call_on_irq_stack) diff --git a/queue-5.15/blk-crypto-make-blk_crypto_evict_key-more-robust.patch b/queue-5.15/blk-crypto-make-blk_crypto_evict_key-more-robust.patch new file mode 100644 index 00000000000..a04f09df1ac --- /dev/null +++ b/queue-5.15/blk-crypto-make-blk_crypto_evict_key-more-robust.patch @@ -0,0 +1,161 @@ +From stable-owner@vger.kernel.org Thu May 4 13:03:46 2023 +From: Eric Biggers +Date: Wed, 3 May 2023 21:03:29 -0700 +Subject: blk-crypto: make blk_crypto_evict_key() more robust +To: stable@vger.kernel.org +Cc: linux-block@vger.kernel.org, Christoph Hellwig , Jens Axboe +Message-ID: <20230504040329.106127-4-ebiggers@kernel.org> + +From: Eric Biggers + +commit 5c7cb94452901a93e90c2230632e2c12a681bc92 upstream. + +If blk_crypto_evict_key() sees that the key is still in-use (due to a +bug) or that ->keyslot_evict failed, it currently just returns while +leaving the key linked into the keyslot management structures. + +However, blk_crypto_evict_key() is only called in contexts such as inode +eviction where failure is not an option. So actually the caller +proceeds with freeing the blk_crypto_key regardless of the return value +of blk_crypto_evict_key(). + +These two assumptions don't match, and the result is that there can be a +use-after-free in blk_crypto_reprogram_all_keys() after one of these +errors occurs. (Note, these errors *shouldn't* happen; we're just +talking about what happens if they do anyway.) + +Fix this by making blk_crypto_evict_key() unlink the key from the +keyslot management structures even on failure. + +Also improve some comments. + +Fixes: 1b2628397058 ("block: Keyslot Manager for Inline Encryption") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-crypto.c | 29 +++++++++++++++++++++-------- + block/keyslot-manager.c | 43 +++++++++++++++++++++---------------------- + 2 files changed, 42 insertions(+), 30 deletions(-) + +--- a/block/blk-crypto.c ++++ b/block/blk-crypto.c +@@ -385,15 +385,20 @@ int blk_crypto_start_using_key(const str + } + + /** +- * blk_crypto_evict_key() - Evict a key from any inline encryption hardware +- * it may have been programmed into +- * @q: The request queue who's associated inline encryption hardware this key +- * might have been programmed into +- * @key: The key to evict ++ * blk_crypto_evict_key() - Evict a blk_crypto_key from a request_queue ++ * @q: a request_queue on which I/O using the key may have been done ++ * @key: the key to evict + * +- * Upper layers (filesystems) must call this function to ensure that a key is +- * evicted from any hardware that it might have been programmed into. The key +- * must not be in use by any in-flight IO when this function is called. ++ * For a given request_queue, this function removes the given blk_crypto_key ++ * from the keyslot management structures and evicts it from any underlying ++ * hardware keyslot(s) or blk-crypto-fallback keyslot it may have been ++ * programmed into. ++ * ++ * Upper layers must call this before freeing the blk_crypto_key. It must be ++ * called for every request_queue the key may have been used on. The key must ++ * no longer be in use by any I/O when this function is called. ++ * ++ * Context: May sleep. + */ + void blk_crypto_evict_key(struct request_queue *q, + const struct blk_crypto_key *key) +@@ -404,6 +409,14 @@ void blk_crypto_evict_key(struct request + err = blk_ksm_evict_key(q->ksm, key); + else + err = blk_crypto_fallback_evict_key(key); ++ /* ++ * An error can only occur here if the key failed to be evicted from a ++ * keyslot (due to a hardware or driver issue) or is allegedly still in ++ * use by I/O (due to a kernel bug). Even in these cases, the key is ++ * still unlinked from the keyslot management structures, and the caller ++ * is allowed and expected to free it right away. There's nothing ++ * callers can do to handle errors, so just log them and return void. ++ */ + if (err) + pr_warn_ratelimited("error %d evicting key\n", err); + } +--- a/block/keyslot-manager.c ++++ b/block/keyslot-manager.c +@@ -343,25 +343,16 @@ bool blk_ksm_crypto_cfg_supported(struct + return true; + } + +-/** +- * blk_ksm_evict_key() - Evict a key from the lower layer device. +- * @ksm: The keyslot manager to evict from +- * @key: The key to evict +- * +- * Find the keyslot that the specified key was programmed into, and evict that +- * slot from the lower layer device. The slot must not be in use by any +- * in-flight IO when this function is called. +- * +- * Context: Process context. Takes and releases ksm->lock. +- * Return: 0 on success or if there's no keyslot with the specified key, -EBUSY +- * if the keyslot is still in use, or another -errno value on other +- * error. ++/* ++ * This is an internal function that evicts a key from an inline encryption ++ * device that can be either a real device or the blk-crypto-fallback "device". ++ * It is used only by blk_crypto_evict_key(); see that function for details. + */ + int blk_ksm_evict_key(struct blk_keyslot_manager *ksm, + const struct blk_crypto_key *key) + { + struct blk_ksm_keyslot *slot; +- int err = 0; ++ int err; + + if (blk_ksm_is_passthrough(ksm)) { + if (ksm->ksm_ll_ops.keyslot_evict) { +@@ -375,22 +366,30 @@ int blk_ksm_evict_key(struct blk_keyslot + + blk_ksm_hw_enter(ksm); + slot = blk_ksm_find_keyslot(ksm, key); +- if (!slot) +- goto out_unlock; ++ if (!slot) { ++ /* ++ * Not an error, since a key not in use by I/O is not guaranteed ++ * to be in a keyslot. There can be more keys than keyslots. ++ */ ++ err = 0; ++ goto out; ++ } + + if (WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)) { ++ /* BUG: key is still in use by I/O */ + err = -EBUSY; +- goto out_unlock; ++ goto out_remove; + } + err = ksm->ksm_ll_ops.keyslot_evict(ksm, key, + blk_ksm_get_slot_idx(slot)); +- if (err) +- goto out_unlock; +- ++out_remove: ++ /* ++ * Callers free the key even on error, so unlink the key from the hash ++ * table and clear slot->key even on error. ++ */ + hlist_del(&slot->hash_node); + slot->key = NULL; +- err = 0; +-out_unlock: ++out: + blk_ksm_hw_exit(ksm); + return err; + } diff --git a/queue-5.15/blk-crypto-make-blk_crypto_evict_key-return-void.patch b/queue-5.15/blk-crypto-make-blk_crypto_evict_key-return-void.patch new file mode 100644 index 00000000000..cf3eff01bcd --- /dev/null +++ b/queue-5.15/blk-crypto-make-blk_crypto_evict_key-return-void.patch @@ -0,0 +1,132 @@ +From stable-owner@vger.kernel.org Thu May 4 13:03:45 2023 +From: Eric Biggers +Date: Wed, 3 May 2023 21:03:28 -0700 +Subject: blk-crypto: make blk_crypto_evict_key() return void +To: stable@vger.kernel.org +Cc: linux-block@vger.kernel.org, Christoph Hellwig , Jens Axboe +Message-ID: <20230504040329.106127-3-ebiggers@kernel.org> + +From: Eric Biggers + +commit 70493a63ba04f754f7a7dd53a4fcc82700181490 upstream. + +blk_crypto_evict_key() is only called in contexts such as inode eviction +where failure is not an option. So there is nothing the caller can do +with errors except log them. (dm-table.c does "use" the error code, but +only to pass on to upper layers, so it doesn't really count.) + +Just make blk_crypto_evict_key() return void and log errors itself. + +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-crypto.c | 22 ++++++++++------------ + drivers/md/dm-table.c | 19 +++++-------------- + include/linux/blk-crypto.h | 4 ++-- + 3 files changed, 17 insertions(+), 28 deletions(-) + +--- a/block/blk-crypto.c ++++ b/block/blk-crypto.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + + #include "blk-crypto-internal.h" +@@ -393,20 +394,17 @@ int blk_crypto_start_using_key(const str + * Upper layers (filesystems) must call this function to ensure that a key is + * evicted from any hardware that it might have been programmed into. The key + * must not be in use by any in-flight IO when this function is called. +- * +- * Return: 0 on success or if key is not present in the q's ksm, -err on error. + */ +-int blk_crypto_evict_key(struct request_queue *q, +- const struct blk_crypto_key *key) ++void blk_crypto_evict_key(struct request_queue *q, ++ const struct blk_crypto_key *key) + { +- if (blk_ksm_crypto_cfg_supported(q->ksm, &key->crypto_cfg)) +- return blk_ksm_evict_key(q->ksm, key); ++ int err; + +- /* +- * If the request queue's associated inline encryption hardware didn't +- * have support for the key, then the key might have been programmed +- * into the fallback keyslot manager, so try to evict from there. +- */ +- return blk_crypto_fallback_evict_key(key); ++ if (blk_ksm_crypto_cfg_supported(q->ksm, &key->crypto_cfg)) ++ err = blk_ksm_evict_key(q->ksm, key); ++ else ++ err = blk_crypto_fallback_evict_key(key); ++ if (err) ++ pr_warn_ratelimited("error %d evicting key\n", err); + } + EXPORT_SYMBOL_GPL(blk_crypto_evict_key); +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -1191,21 +1191,12 @@ struct dm_keyslot_manager { + struct mapped_device *md; + }; + +-struct dm_keyslot_evict_args { +- const struct blk_crypto_key *key; +- int err; +-}; +- + static int dm_keyslot_evict_callback(struct dm_target *ti, struct dm_dev *dev, + sector_t start, sector_t len, void *data) + { +- struct dm_keyslot_evict_args *args = data; +- int err; ++ const struct blk_crypto_key *key = data; + +- err = blk_crypto_evict_key(bdev_get_queue(dev->bdev), args->key); +- if (!args->err) +- args->err = err; +- /* Always try to evict the key from all devices. */ ++ blk_crypto_evict_key(bdev_get_queue(dev->bdev), key); + return 0; + } + +@@ -1220,7 +1211,6 @@ static int dm_keyslot_evict(struct blk_k + struct dm_keyslot_manager, + ksm); + struct mapped_device *md = dksm->md; +- struct dm_keyslot_evict_args args = { key }; + struct dm_table *t; + int srcu_idx; + int i; +@@ -1233,10 +1223,11 @@ static int dm_keyslot_evict(struct blk_k + ti = dm_table_get_target(t, i); + if (!ti->type->iterate_devices) + continue; +- ti->type->iterate_devices(ti, dm_keyslot_evict_callback, &args); ++ ti->type->iterate_devices(ti, dm_keyslot_evict_callback, ++ (void *)key); + } + dm_put_live_table(md, srcu_idx); +- return args.err; ++ return 0; + } + + static const struct blk_ksm_ll_ops dm_ksm_ll_ops = { +--- a/include/linux/blk-crypto.h ++++ b/include/linux/blk-crypto.h +@@ -97,8 +97,8 @@ int blk_crypto_init_key(struct blk_crypt + int blk_crypto_start_using_key(const struct blk_crypto_key *key, + struct request_queue *q); + +-int blk_crypto_evict_key(struct request_queue *q, +- const struct blk_crypto_key *key); ++void blk_crypto_evict_key(struct request_queue *q, ++ const struct blk_crypto_key *key); + + bool blk_crypto_config_supported(struct request_queue *q, + const struct blk_crypto_config *cfg); diff --git a/queue-5.15/blk-mq-release-crypto-keyslot-before-reporting-i-o-complete.patch b/queue-5.15/blk-mq-release-crypto-keyslot-before-reporting-i-o-complete.patch new file mode 100644 index 00000000000..010a09126f2 --- /dev/null +++ b/queue-5.15/blk-mq-release-crypto-keyslot-before-reporting-i-o-complete.patch @@ -0,0 +1,186 @@ +From stable-owner@vger.kernel.org Thu May 4 13:03:41 2023 +From: Eric Biggers +Date: Wed, 3 May 2023 21:03:27 -0700 +Subject: blk-mq: release crypto keyslot before reporting I/O complete +To: stable@vger.kernel.org +Cc: linux-block@vger.kernel.org, Nathan Huckleberry , Christoph Hellwig , Jens Axboe +Message-ID: <20230504040329.106127-2-ebiggers@kernel.org> + +From: Eric Biggers + +commit 9cd1e566676bbcb8a126acd921e4e194e6339603 upstream. + +Once all I/O using a blk_crypto_key has completed, filesystems can call +blk_crypto_evict_key(). However, the block layer currently doesn't call +blk_crypto_put_keyslot() until the request is being freed, which happens +after upper layers have been told (via bio_endio()) the I/O has +completed. This causes a race condition where blk_crypto_evict_key() +can see 'slot_refs != 0' without there being an actual bug. + +This makes __blk_crypto_evict_key() hit the +'WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)' and return without +doing anything, eventually causing a use-after-free in +blk_crypto_reprogram_all_keys(). (This is a very rare bug and has only +been seen when per-file keys are being used with fscrypt.) + +There are two options to fix this: either release the keyslot before +bio_endio() is called on the request's last bio, or make +__blk_crypto_evict_key() ignore slot_refs. Let's go with the first +solution, since it preserves the ability to report bugs (via +WARN_ON_ONCE) where a key is evicted while still in-use. + +Fixes: a892c8d52c02 ("block: Inline encryption support for blk-mq") +Cc: stable@vger.kernel.org +Reviewed-by: Nathan Huckleberry +Reviewed-by: Christoph Hellwig +Signed-off-by: Eric Biggers +Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-core.c | 7 +++++++ + block/blk-crypto-internal.h | 25 +++++++++++++++++++++---- + block/blk-crypto.c | 24 ++++++++++++------------ + block/blk-merge.c | 2 ++ + block/blk-mq.c | 2 +- + 5 files changed, 43 insertions(+), 17 deletions(-) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -1421,6 +1421,13 @@ bool blk_update_request(struct request * + req->q->integrity.profile->complete_fn(req, nr_bytes); + #endif + ++ /* ++ * Upper layers may call blk_crypto_evict_key() anytime after the last ++ * bio_endio(). Therefore, the keyslot must be released before that. ++ */ ++ if (blk_crypto_rq_has_keyslot(req) && nr_bytes >= blk_rq_bytes(req)) ++ __blk_crypto_rq_put_keyslot(req); ++ + if (unlikely(error && !blk_rq_is_passthrough(req) && + !(req->rq_flags & RQF_QUIET))) + print_req_error(req, error, __func__); +--- a/block/blk-crypto-internal.h ++++ b/block/blk-crypto-internal.h +@@ -60,6 +60,11 @@ static inline bool blk_crypto_rq_is_encr + return rq->crypt_ctx; + } + ++static inline bool blk_crypto_rq_has_keyslot(struct request *rq) ++{ ++ return rq->crypt_keyslot; ++} ++ + #else /* CONFIG_BLK_INLINE_ENCRYPTION */ + + static inline bool bio_crypt_rq_ctx_compatible(struct request *rq, +@@ -93,6 +98,11 @@ static inline bool blk_crypto_rq_is_encr + return false; + } + ++static inline bool blk_crypto_rq_has_keyslot(struct request *rq) ++{ ++ return false; ++} ++ + #endif /* CONFIG_BLK_INLINE_ENCRYPTION */ + + void __bio_crypt_advance(struct bio *bio, unsigned int bytes); +@@ -127,14 +137,21 @@ static inline bool blk_crypto_bio_prep(s + return true; + } + +-blk_status_t __blk_crypto_init_request(struct request *rq); +-static inline blk_status_t blk_crypto_init_request(struct request *rq) ++blk_status_t __blk_crypto_rq_get_keyslot(struct request *rq); ++static inline blk_status_t blk_crypto_rq_get_keyslot(struct request *rq) + { + if (blk_crypto_rq_is_encrypted(rq)) +- return __blk_crypto_init_request(rq); ++ return __blk_crypto_rq_get_keyslot(rq); + return BLK_STS_OK; + } + ++void __blk_crypto_rq_put_keyslot(struct request *rq); ++static inline void blk_crypto_rq_put_keyslot(struct request *rq) ++{ ++ if (blk_crypto_rq_has_keyslot(rq)) ++ __blk_crypto_rq_put_keyslot(rq); ++} ++ + void __blk_crypto_free_request(struct request *rq); + static inline void blk_crypto_free_request(struct request *rq) + { +@@ -173,7 +190,7 @@ static inline blk_status_t blk_crypto_in + { + + if (blk_crypto_rq_is_encrypted(rq)) +- return blk_crypto_init_request(rq); ++ return blk_crypto_rq_get_keyslot(rq); + return BLK_STS_OK; + } + +--- a/block/blk-crypto.c ++++ b/block/blk-crypto.c +@@ -216,26 +216,26 @@ static bool bio_crypt_check_alignment(st + return true; + } + +-blk_status_t __blk_crypto_init_request(struct request *rq) ++blk_status_t __blk_crypto_rq_get_keyslot(struct request *rq) + { + return blk_ksm_get_slot_for_key(rq->q->ksm, rq->crypt_ctx->bc_key, + &rq->crypt_keyslot); + } + +-/** +- * __blk_crypto_free_request - Uninitialize the crypto fields of a request. +- * +- * @rq: The request whose crypto fields to uninitialize. +- * +- * Completely uninitializes the crypto fields of a request. If a keyslot has +- * been programmed into some inline encryption hardware, that keyslot is +- * released. The rq->crypt_ctx is also freed. +- */ +-void __blk_crypto_free_request(struct request *rq) ++void __blk_crypto_rq_put_keyslot(struct request *rq) + { + blk_ksm_put_slot(rq->crypt_keyslot); ++ rq->crypt_keyslot = NULL; ++} ++ ++void __blk_crypto_free_request(struct request *rq) ++{ ++ /* The keyslot, if one was needed, should have been released earlier. */ ++ if (WARN_ON_ONCE(rq->crypt_keyslot)) ++ __blk_crypto_rq_put_keyslot(rq); ++ + mempool_free(rq->crypt_ctx, bio_crypt_ctx_pool); +- blk_crypto_rq_set_defaults(rq); ++ rq->crypt_ctx = NULL; + } + + /** +--- a/block/blk-merge.c ++++ b/block/blk-merge.c +@@ -818,6 +818,8 @@ static struct request *attempt_merge(str + if (!blk_discard_mergable(req)) + elv_merge_requests(q, req, next); + ++ blk_crypto_rq_put_keyslot(next); ++ + /* + * 'next' is going away, so update stats accordingly + */ +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -2228,7 +2228,7 @@ blk_qc_t blk_mq_submit_bio(struct bio *b + + blk_mq_bio_to_request(rq, bio, nr_segs); + +- ret = blk_crypto_init_request(rq); ++ ret = blk_crypto_rq_get_keyslot(rq); + if (ret != BLK_STS_OK) { + bio->bi_status = ret; + bio_endio(bio); diff --git a/queue-5.15/ext4-use-ext4_journal_start-stop-for-fast-commit-transactions.patch b/queue-5.15/ext4-use-ext4_journal_start-stop-for-fast-commit-transactions.patch new file mode 100644 index 00000000000..df63e65edcb --- /dev/null +++ b/queue-5.15/ext4-use-ext4_journal_start-stop-for-fast-commit-transactions.patch @@ -0,0 +1,195 @@ +From 2729cfdcfa1cc49bef5a90d046fa4a187fdfcc69 Mon Sep 17 00:00:00 2001 +From: Harshad Shirwadkar +Date: Thu, 23 Dec 2021 12:21:37 -0800 +Subject: ext4: use ext4_journal_start/stop for fast commit transactions + +From: Harshad Shirwadkar + +commit 2729cfdcfa1cc49bef5a90d046fa4a187fdfcc69 upstream. + +This patch drops all calls to ext4_fc_start_update() and +ext4_fc_stop_update(). To ensure that there are no ongoing journal +updates during fast commit, we also make jbd2_fc_begin_commit() lock +journal for updates. This way we don't have to maintain two different +transaction start stop APIs for fast commit and full commit. This +patch doesn't remove the functions altogether since in future we want +to have inode level locking for fast commits. + +Signed-off-by: Harshad Shirwadkar +Link: https://lore.kernel.org/r/20211223202140.2061101-2-harshads@google.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/acl.c | 2 -- + fs/ext4/extents.c | 3 --- + fs/ext4/file.c | 4 ---- + fs/ext4/inode.c | 7 +------ + fs/ext4/ioctl.c | 10 +--------- + fs/jbd2/journal.c | 2 ++ + 6 files changed, 4 insertions(+), 24 deletions(-) + +--- a/fs/ext4/acl.c ++++ b/fs/ext4/acl.c +@@ -246,7 +246,6 @@ retry: + handle = ext4_journal_start(inode, EXT4_HT_XATTR, credits); + if (IS_ERR(handle)) + return PTR_ERR(handle); +- ext4_fc_start_update(inode); + + if ((type == ACL_TYPE_ACCESS) && acl) { + error = posix_acl_update_mode(mnt_userns, inode, &mode, &acl); +@@ -264,7 +263,6 @@ retry: + } + out_stop: + ext4_journal_stop(handle); +- ext4_fc_stop_update(inode); + if (error == -ENOSPC && ext4_should_retry_alloc(inode->i_sb, &retries)) + goto retry; + return error; +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -4701,8 +4701,6 @@ long ext4_fallocate(struct file *file, i + FALLOC_FL_INSERT_RANGE)) + return -EOPNOTSUPP; + +- ext4_fc_start_update(inode); +- + inode_lock(inode); + ret = ext4_convert_inline_data(inode); + inode_unlock(inode); +@@ -4772,7 +4770,6 @@ out: + inode_unlock(inode); + trace_ext4_fallocate_exit(inode, offset, max_blocks, ret); + exit: +- ext4_fc_stop_update(inode); + return ret; + } + +--- a/fs/ext4/file.c ++++ b/fs/ext4/file.c +@@ -259,7 +259,6 @@ static ssize_t ext4_buffered_write_iter( + if (iocb->ki_flags & IOCB_NOWAIT) + return -EOPNOTSUPP; + +- ext4_fc_start_update(inode); + inode_lock(inode); + ret = ext4_write_checks(iocb, from); + if (ret <= 0) +@@ -271,7 +270,6 @@ static ssize_t ext4_buffered_write_iter( + + out: + inode_unlock(inode); +- ext4_fc_stop_update(inode); + if (likely(ret > 0)) { + iocb->ki_pos += ret; + ret = generic_write_sync(iocb, ret); +@@ -558,9 +556,7 @@ static ssize_t ext4_dio_write_iter(struc + goto out; + } + +- ext4_fc_start_update(inode); + ret = ext4_orphan_add(handle, inode); +- ext4_fc_stop_update(inode); + if (ret) { + ext4_journal_stop(handle); + goto out; +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5366,7 +5366,7 @@ int ext4_setattr(struct user_namespace * + if (error) + return error; + } +- ext4_fc_start_update(inode); ++ + if ((ia_valid & ATTR_UID && !uid_eq(attr->ia_uid, inode->i_uid)) || + (ia_valid & ATTR_GID && !gid_eq(attr->ia_gid, inode->i_gid))) { + handle_t *handle; +@@ -5390,7 +5390,6 @@ int ext4_setattr(struct user_namespace * + + if (error) { + ext4_journal_stop(handle); +- ext4_fc_stop_update(inode); + return error; + } + /* Update corresponding info in inode so that everything is in +@@ -5402,7 +5401,6 @@ int ext4_setattr(struct user_namespace * + error = ext4_mark_inode_dirty(handle, inode); + ext4_journal_stop(handle); + if (unlikely(error)) { +- ext4_fc_stop_update(inode); + return error; + } + } +@@ -5417,12 +5415,10 @@ int ext4_setattr(struct user_namespace * + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); + + if (attr->ia_size > sbi->s_bitmap_maxbytes) { +- ext4_fc_stop_update(inode); + return -EFBIG; + } + } + if (!S_ISREG(inode->i_mode)) { +- ext4_fc_stop_update(inode); + return -EINVAL; + } + +@@ -5548,7 +5544,6 @@ err_out: + ext4_std_error(inode->i_sb, error); + if (!error) + error = rc; +- ext4_fc_stop_update(inode); + return error; + } + +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -744,7 +744,6 @@ int ext4_fileattr_set(struct user_namesp + u32 flags = fa->flags; + int err = -EOPNOTSUPP; + +- ext4_fc_start_update(inode); + if (flags & ~EXT4_FL_USER_VISIBLE) + goto out; + +@@ -765,7 +764,6 @@ int ext4_fileattr_set(struct user_namesp + goto out; + err = ext4_ioctl_setproject(inode, fa->fsx_projid); + out: +- ext4_fc_stop_update(inode); + return err; + } + +@@ -1272,13 +1270,7 @@ resizefs_out: + + long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) + { +- long ret; +- +- ext4_fc_start_update(file_inode(filp)); +- ret = __ext4_ioctl(filp, cmd, arg); +- ext4_fc_stop_update(file_inode(filp)); +- +- return ret; ++ return __ext4_ioctl(filp, cmd, arg); + } + + #ifdef CONFIG_COMPAT +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -757,6 +757,7 @@ int jbd2_fc_begin_commit(journal_t *jour + } + journal->j_flags |= JBD2_FAST_COMMIT_ONGOING; + write_unlock(&journal->j_state_lock); ++ jbd2_journal_lock_updates(journal); + + return 0; + } +@@ -768,6 +769,7 @@ EXPORT_SYMBOL(jbd2_fc_begin_commit); + */ + static int __jbd2_fc_end_commit(journal_t *journal, tid_t tid, bool fallback) + { ++ jbd2_journal_unlock_updates(journal); + if (journal->j_fc_cleanup_callback) + journal->j_fc_cleanup_callback(journal, 0, tid); + write_lock(&journal->j_state_lock); diff --git a/queue-5.15/hwmon-adt7475-use-device_property-apis-when-configuring-polarity.patch b/queue-5.15/hwmon-adt7475-use-device_property-apis-when-configuring-polarity.patch new file mode 100644 index 00000000000..ae92076a0f9 --- /dev/null +++ b/queue-5.15/hwmon-adt7475-use-device_property-apis-when-configuring-polarity.patch @@ -0,0 +1,44 @@ +From 2a8e41ad337508fc5d598c0f9288890214f8e318 Mon Sep 17 00:00:00 2001 +From: Chris Packham +Date: Wed, 19 Apr 2023 11:36:55 +1200 +Subject: hwmon: (adt7475) Use device_property APIs when configuring polarity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chris Packham + +commit 2a8e41ad337508fc5d598c0f9288890214f8e318 upstream. + +On DT unaware platforms of_property_read_u32_array() returns -ENOSYS +which wasn't handled by the code treating adi,pwm-active-state as +optional. Update the code to use device_property_read_u32_array() which +deals gracefully with DT unaware platforms. + +Fixes: 86da28eed4fb ("hwmon: (adt7475) Add support for inverting pwm output") +Reported-by: Mariusz Białończyk +Link: https://lore.kernel.org/linux-hwmon/52e26a67-9131-2dc0-40cb-db5c07370027@alliedtelesis.co.nz/T/#mdd0505801e0a4e72340de009a47c0fca4f771ed3 +Signed-off-by: Chris Packham +Link: https://lore.kernel.org/r/20230418233656.869055-2-chris.packham@alliedtelesis.co.nz +Cc: stable@vger.kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/adt7475.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/hwmon/adt7475.c ++++ b/drivers/hwmon/adt7475.c +@@ -1515,9 +1515,9 @@ static int adt7475_set_pwm_polarity(stru + int ret, i; + u8 val; + +- ret = of_property_read_u32_array(client->dev.of_node, +- "adi,pwm-active-state", states, +- ARRAY_SIZE(states)); ++ ret = device_property_read_u32_array(&client->dev, ++ "adi,pwm-active-state", states, ++ ARRAY_SIZE(states)); + if (ret) + return ret; + diff --git a/queue-5.15/hwmon-k10temp-check-range-scale-when-cur_temp-register-is-read-write.patch b/queue-5.15/hwmon-k10temp-check-range-scale-when-cur_temp-register-is-read-write.patch new file mode 100644 index 00000000000..19d00df09fd --- /dev/null +++ b/queue-5.15/hwmon-k10temp-check-range-scale-when-cur_temp-register-is-read-write.patch @@ -0,0 +1,76 @@ +From 0c072385348e3ac5229145644055d3e2afb5b3db Mon Sep 17 00:00:00 2001 +From: Babu Moger +Date: Thu, 13 Apr 2023 16:39:58 -0500 +Subject: hwmon: (k10temp) Check range scale when CUR_TEMP register is read-write +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Babu Moger + +commit 0c072385348e3ac5229145644055d3e2afb5b3db upstream. + +Spec says, when CUR_TEMP_TJ_SEL == 3 and CUR_TEMP_RANGE_SEL == 0, +it should use RangeUnadjusted is 0, which is (CurTmp*0.125 -49) C. The +CUR_TEMP register is read-write when CUR_TEMP_TJ_SEL == 3 (bit 17-16). + +Add the check to detect it. + +Sensors command's output before the patch. +$sensors + k10temp-pci-00c3 + Adapter: PCI adapter + Tctl: +76.6°C <- Wrong value + Tccd1: +26.5°C + Tccd2: +27.5°C + Tccd3: +27.2°C + Tccd4: +27.5°C + Tccd5: +26.0°C + Tccd6: +26.2°C + Tccd7: +25.0°C + Tccd8: +26.5°C + +Sensors command's output after the patch. +$sensors + k10temp-pci-00c3 + Adapter: PCI adapter + Tctl: +28.8°C <- corrected value + Tccd1: +27.5°C + Tccd2: +28.5°C + Tccd3: +28.5°C + Tccd4: +28.5°C + Tccd5: +27.0°C + Tccd6: +27.5°C + Tccd7: +27.0°C + Tccd8: +27.5°C + +Signed-off-by: Babu Moger +Fixes: 1b59788979ac ("hwmon: (k10temp) Add temperature offset for Ryzen 2700X") +Link: https://lore.kernel.org/r/20230413213958.847634-1-babu.moger@amd.com +Cc: stable@vger.kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/k10temp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/hwmon/k10temp.c ++++ b/drivers/hwmon/k10temp.c +@@ -75,6 +75,7 @@ static DEFINE_MUTEX(nb_smu_ind_mutex); + + #define ZEN_CUR_TEMP_SHIFT 21 + #define ZEN_CUR_TEMP_RANGE_SEL_MASK BIT(19) ++#define ZEN_CUR_TEMP_TJ_SEL_MASK GENMASK(17, 16) + + #define ZEN_SVI_BASE 0x0005A000 + +@@ -175,7 +176,8 @@ static long get_raw_temp(struct k10temp_ + + data->read_tempreg(data->pdev, ®val); + temp = (regval >> ZEN_CUR_TEMP_SHIFT) * 125; +- if (regval & data->temp_adjust_mask) ++ if ((regval & data->temp_adjust_mask) || ++ (regval & ZEN_CUR_TEMP_TJ_SEL_MASK) == ZEN_CUR_TEMP_TJ_SEL_MASK) + temp -= 49000; + return temp; + } diff --git a/queue-5.15/ima-allow-fix-uml-builds.patch b/queue-5.15/ima-allow-fix-uml-builds.patch new file mode 100644 index 00000000000..b2c8eaffec5 --- /dev/null +++ b/queue-5.15/ima-allow-fix-uml-builds.patch @@ -0,0 +1,51 @@ +From 644f17412f5acf01a19af9d04a921937a2bc86c6 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Thu, 23 Feb 2023 19:27:03 -0800 +Subject: IMA: allow/fix UML builds + +From: Randy Dunlap + +commit 644f17412f5acf01a19af9d04a921937a2bc86c6 upstream. + +UML supports HAS_IOMEM since 0bbadafdc49d (um: allow disabling +NO_IOMEM). + +Current IMA build on UML fails on allmodconfig (with TCG_TPM=m): + +ld: security/integrity/ima/ima_queue.o: in function `ima_add_template_entry': +ima_queue.c:(.text+0x2d9): undefined reference to `tpm_pcr_extend' +ld: security/integrity/ima/ima_init.o: in function `ima_init': +ima_init.c:(.init.text+0x43f): undefined reference to `tpm_default_chip' +ld: security/integrity/ima/ima_crypto.o: in function `ima_calc_boot_aggregate_tfm': +ima_crypto.c:(.text+0x1044): undefined reference to `tpm_pcr_read' +ld: ima_crypto.c:(.text+0x10d8): undefined reference to `tpm_pcr_read' + +Modify the IMA Kconfig entry so that it selects TCG_TPM if HAS_IOMEM +is set, regardless of the UML Kconfig setting. +This updates TCG_TPM from =m to =y and fixes the linker errors. + +Fixes: f4a0391dfa91 ("ima: fix Kconfig dependencies") +Cc: Stable # v5.14+ +Signed-off-by: Randy Dunlap +Cc: Fabio Estevam +Cc: Richard Weinberger +Cc: Anton Ivanov +Cc: Johannes Berg +Cc: linux-um@lists.infradead.org +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/integrity/ima/Kconfig ++++ b/security/integrity/ima/Kconfig +@@ -8,7 +8,7 @@ config IMA + select CRYPTO_HMAC + select CRYPTO_SHA1 + select CRYPTO_HASH_INFO +- select TCG_TPM if HAS_IOMEM && !UML ++ select TCG_TPM if HAS_IOMEM + select TCG_TIS if TCG_TPM && X86 + select TCG_CRB if TCG_TPM && ACPI + select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES diff --git a/queue-5.15/ipmi-fix-ssif-not-responding-under-certain-cond.patch b/queue-5.15/ipmi-fix-ssif-not-responding-under-certain-cond.patch new file mode 100644 index 00000000000..bde60cf8468 --- /dev/null +++ b/queue-5.15/ipmi-fix-ssif-not-responding-under-certain-cond.patch @@ -0,0 +1,73 @@ +From 6d2555cde2918409b0331560e66f84a0ad4849c6 Mon Sep 17 00:00:00 2001 +From: Zhang Yuchen +Date: Wed, 12 Apr 2023 15:49:07 +0800 +Subject: ipmi: fix SSIF not responding under certain cond. + +From: Zhang Yuchen + +commit 6d2555cde2918409b0331560e66f84a0ad4849c6 upstream. + +The ipmi communication is not restored after a specific version of BMC is +upgraded on our server. +The ipmi driver does not respond after printing the following log: + + ipmi_ssif: Invalid response getting flags: 1c 1 + +I found that after entering this branch, ssif_info->ssif_state always +holds SSIF_GETTING_FLAGS and never return to IDLE. + +As a result, the driver cannot be loaded, because the driver status is +checked during the unload process and must be IDLE in shutdown_ssif(): + + while (ssif_info->ssif_state != SSIF_IDLE) + schedule_timeout(1); + +The process trigger this problem is: + +1. One msg timeout and next msg start send, and call +ssif_set_need_watch(). + +2. ssif_set_need_watch()->watch_timeout()->start_flag_fetch() change +ssif_state to SSIF_GETTING_FLAGS. + +3. In msg_done_handler() ssif_state == SSIF_GETTING_FLAGS, if an error +message is received, the second branch does not modify the ssif_state. + +4. All retry action need IS_SSIF_IDLE() == True. Include retry action in +watch_timeout(), msg_done_handler(). Sending msg does not work either. +SSIF_IDLE is also checked in start_next_msg(). + +5. The only thing that can be triggered in the SSIF driver is +watch_timeout(), after destory_user(), this timer will stop too. + +So, if enter this branch, the ssif_state will remain SSIF_GETTING_FLAGS +and can't send msg, no timer started, can't unload. + +We did a comparative test before and after adding this patch, and the +result is effective. + +Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF)") + +Cc: stable@vger.kernel.org +Signed-off-by: Zhang Yuchen +Message-Id: <20230412074907.80046-1-zhangyuchen.lcr@bytedance.com> +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_ssif.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -794,9 +794,9 @@ static void msg_done_handler(struct ssif + } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2 + || data[1] != IPMI_GET_MSG_FLAGS_CMD) { + /* +- * Don't abort here, maybe it was a queued +- * response to a previous command. ++ * Recv error response, give up. + */ ++ ssif_info->ssif_state = SSIF_IDLE; + ipmi_ssif_unlock_cond(ssif_info, flags); + dev_warn(&ssif_info->client->dev, + "Invalid response getting flags: %x %x\n", diff --git a/queue-5.15/ipmi-ssif-add-send_retries-increment.patch b/queue-5.15/ipmi-ssif-add-send_retries-increment.patch new file mode 100644 index 00000000000..333f71d8d1d --- /dev/null +++ b/queue-5.15/ipmi-ssif-add-send_retries-increment.patch @@ -0,0 +1,34 @@ +From 6ce7995a43febe693d4894033c6e29314970646a Mon Sep 17 00:00:00 2001 +From: Corey Minyard +Date: Tue, 4 Apr 2023 12:09:14 +0000 +Subject: ipmi:ssif: Add send_retries increment + +From: Corey Minyard + +commit 6ce7995a43febe693d4894033c6e29314970646a upstream. + +A recent change removed an increment of send_retries, re-add it. + +Fixes: 95767ed78a18 ipmi:ssif: resend_msg() cannot fail +Reported-by: Pavel Machek +Cc: stable@vger.kernel.org +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_ssif.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -564,8 +564,10 @@ static void retry_timeout(struct timer_l + + if (waiting) + start_get(ssif_info); +- if (resend) ++ if (resend) { + start_resend(ssif_info); ++ ssif_inc_stat(ssif_info, send_retries); ++ } + } + + static void watch_timeout(struct timer_list *t) diff --git a/queue-5.15/kheaders-use-array-declaration-instead-of-char.patch b/queue-5.15/kheaders-use-array-declaration-instead-of-char.patch new file mode 100644 index 00000000000..0db69d95c2a --- /dev/null +++ b/queue-5.15/kheaders-use-array-declaration-instead-of-char.patch @@ -0,0 +1,75 @@ +From b69edab47f1da8edd8e7bfdf8c70f51a2a5d89fb Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Thu, 2 Mar 2023 14:49:50 -0800 +Subject: kheaders: Use array declaration instead of char + +From: Kees Cook + +commit b69edab47f1da8edd8e7bfdf8c70f51a2a5d89fb upstream. + +Under CONFIG_FORTIFY_SOURCE, memcpy() will check the size of destination +and source buffers. Defining kernel_headers_data as "char" would trip +this check. Since these addresses are treated as byte arrays, define +them as arrays (as done everywhere else). + +This was seen with: + + $ cat /sys/kernel/kheaders.tar.xz >> /dev/null + + detected buffer overflow in memcpy + kernel BUG at lib/string_helpers.c:1027! + ... + RIP: 0010:fortify_panic+0xf/0x20 + [...] + Call Trace: + + ikheaders_read+0x45/0x50 [kheaders] + kernfs_fop_read_iter+0x1a4/0x2f0 + ... + +Reported-by: Jakub Kicinski +Link: https://lore.kernel.org/bpf/20230302112130.6e402a98@kernel.org/ +Acked-by: Joel Fernandes (Google) +Reviewed-by: Alexander Lobakin +Tested-by: Jakub Kicinski +Fixes: 43d8ce9d65a5 ("Provide in-kernel headers to make extending kernel easier") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20230302224946.never.243-kees@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kheaders.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/kernel/kheaders.c ++++ b/kernel/kheaders.c +@@ -26,15 +26,15 @@ asm ( + " .popsection \n" + ); + +-extern char kernel_headers_data; +-extern char kernel_headers_data_end; ++extern char kernel_headers_data[]; ++extern char kernel_headers_data_end[]; + + static ssize_t + ikheaders_read(struct file *file, struct kobject *kobj, + struct bin_attribute *bin_attr, + char *buf, loff_t off, size_t len) + { +- memcpy(buf, &kernel_headers_data + off, len); ++ memcpy(buf, &kernel_headers_data[off], len); + return len; + } + +@@ -48,8 +48,8 @@ static struct bin_attribute kheaders_att + + static int __init ikheaders_init(void) + { +- kheaders_attr.size = (&kernel_headers_data_end - +- &kernel_headers_data); ++ kheaders_attr.size = (kernel_headers_data_end - ++ kernel_headers_data); + return sysfs_create_bin_file(kernel_kobj, &kheaders_attr); + } + diff --git a/queue-5.15/mips-fw-allow-firmware-to-pass-a-empty-env.patch b/queue-5.15/mips-fw-allow-firmware-to-pass-a-empty-env.patch new file mode 100644 index 00000000000..051ff595482 --- /dev/null +++ b/queue-5.15/mips-fw-allow-firmware-to-pass-a-empty-env.patch @@ -0,0 +1,35 @@ +From ee1809ed7bc456a72dc8410b475b73021a3a68d5 Mon Sep 17 00:00:00 2001 +From: Jiaxun Yang +Date: Tue, 11 Apr 2023 12:14:26 +0100 +Subject: MIPS: fw: Allow firmware to pass a empty env + +From: Jiaxun Yang + +commit ee1809ed7bc456a72dc8410b475b73021a3a68d5 upstream. + +fw_getenv will use env entry to determine style of env, +however it is legal for firmware to just pass a empty list. + +Check if first entry exist before running strchr to avoid +null pointer dereference. + +Cc: stable@vger.kernel.org +Link: https://github.com/clbr/n64bootloader/issues/5 +Signed-off-by: Jiaxun Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/fw/lib/cmdline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/fw/lib/cmdline.c ++++ b/arch/mips/fw/lib/cmdline.c +@@ -53,7 +53,7 @@ char *fw_getenv(char *envname) + { + char *result = NULL; + +- if (_fw_envp != NULL) { ++ if (_fw_envp != NULL && fw_envp(0) != NULL) { + /* + * Return a pointer to the given environment variable. + * YAMON uses "name", "value" pairs, while U-Boot uses diff --git a/queue-5.15/pci-pciehp-fix-ab-ba-deadlock-between-reset_lock-and-device_lock.patch b/queue-5.15/pci-pciehp-fix-ab-ba-deadlock-between-reset_lock-and-device_lock.patch new file mode 100644 index 00000000000..38ef98435ef --- /dev/null +++ b/queue-5.15/pci-pciehp-fix-ab-ba-deadlock-between-reset_lock-and-device_lock.patch @@ -0,0 +1,178 @@ +From f5eff5591b8f9c5effd25c92c758a127765f74c1 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Tue, 11 Apr 2023 08:21:02 +0200 +Subject: PCI: pciehp: Fix AB-BA deadlock between reset_lock and device_lock + +From: Lukas Wunner + +commit f5eff5591b8f9c5effd25c92c758a127765f74c1 upstream. + +In 2013, commits + + 2e35afaefe64 ("PCI: pciehp: Add reset_slot() method") + 608c388122c7 ("PCI: Add slot reset option to pci_dev_reset()") + +amended PCIe hotplug to mask Presence Detect Changed events during a +Secondary Bus Reset. The reset thus no longer causes gratuitous slot +bringdown and bringup. + +However the commits neglected to serialize reset with code paths reading +slot registers. For instance, a slot bringup due to an earlier hotplug +event may see the Presence Detect State bit cleared during a concurrent +Secondary Bus Reset. + +In 2018, commit + + 5b3f7b7d062b ("PCI: pciehp: Avoid slot access during reset") + +retrofitted the missing locking. It introduced a reset_lock which +serializes a Secondary Bus Reset with other parts of pciehp. + +Unfortunately the locking turns out to be overzealous: reset_lock is +held for the entire enumeration and de-enumeration of hotplugged devices, +including driver binding and unbinding. + +Driver binding and unbinding acquires device_lock while the reset_lock +of the ancestral hotplug port is held. A concurrent Secondary Bus Reset +acquires the ancestral reset_lock while already holding the device_lock. +The asymmetric locking order in the two code paths can lead to AB-BA +deadlocks. + +Michael Haeuptle reports such deadlocks on simultaneous hot-removal and +vfio release (the latter implies a Secondary Bus Reset): + + pciehp_ist() # down_read(reset_lock) + pciehp_handle_presence_or_link_change() + pciehp_disable_slot() + __pciehp_disable_slot() + remove_board() + pciehp_unconfigure_device() + pci_stop_and_remove_bus_device() + pci_stop_bus_device() + pci_stop_dev() + device_release_driver() + device_release_driver_internal() + __device_driver_lock() # device_lock() + + SYS_munmap() + vfio_device_fops_release() + vfio_device_group_close() + vfio_device_close() + vfio_device_last_close() + vfio_pci_core_close_device() + vfio_pci_core_disable() # device_lock() + __pci_reset_function_locked() + pci_reset_bus_function() + pci_dev_reset_slot_function() + pci_reset_hotplug_slot() + pciehp_reset_slot() # down_write(reset_lock) + +Ian May reports the same deadlock on simultaneous hot-removal and an +AER-induced Secondary Bus Reset: + + aer_recover_work_func() + pcie_do_recovery() + aer_root_reset() + pci_bus_error_reset() + pci_slot_reset() + pci_slot_lock() # device_lock() + pci_reset_hotplug_slot() + pciehp_reset_slot() # down_write(reset_lock) + +Fix by releasing the reset_lock during driver binding and unbinding, +thereby splitting and shrinking the critical section. + +Driver binding and unbinding is protected by the device_lock() and thus +serialized with a Secondary Bus Reset. There's no need to additionally +protect it with the reset_lock. However, pciehp does not bind and +unbind devices directly, but rather invokes PCI core functions which +also perform certain enumeration and de-enumeration steps. + +The reset_lock's purpose is to protect slot registers, not enumeration +and de-enumeration of hotplugged devices. That would arguably be the +job of the PCI core, not the PCIe hotplug driver. After all, an +AER-induced Secondary Bus Reset may as well happen during boot-time +enumeration of the PCI hierarchy and there's no locking to prevent that +either. + +Exempting *de-enumeration* from the reset_lock is relatively harmless: +A concurrent Secondary Bus Reset may foil config space accesses such as +PME interrupt disablement. But if the device is physically gone, those +accesses are pointless anyway. If the device is physically present and +only logically removed through an Attention Button press or the sysfs +"power" attribute, PME interrupts as well as DMA cannot come through +because pciehp_unconfigure_device() disables INTx and Bus Master bits. +That's still protected by the reset_lock in the present commit. + +Exempting *enumeration* from the reset_lock also has limited impact: +The exempted call to pci_bus_add_device() may perform device accesses +through pcibios_bus_add_device() and pci_fixup_device() which are now +no longer protected from a concurrent Secondary Bus Reset. Otherwise +there should be no impact. + +In essence, the present commit seeks to fix the AB-BA deadlocks while +still retaining a best-effort reset protection for enumeration and +de-enumeration of hotplugged devices -- until a general solution is +implemented in the PCI core. + +Link: https://lore.kernel.org/linux-pci/CS1PR8401MB0728FC6FDAB8A35C22BD90EC95F10@CS1PR8401MB0728.NAMPRD84.PROD.OUTLOOK.COM +Link: https://lore.kernel.org/linux-pci/20200615143250.438252-1-ian.may@canonical.com +Link: https://lore.kernel.org/linux-pci/ce878dab-c0c4-5bd0-a725-9805a075682d@amd.com +Link: https://lore.kernel.org/linux-pci/ed831249-384a-6d35-0831-70af191e9bce@huawei.com +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215590 +Fixes: 5b3f7b7d062b ("PCI: pciehp: Avoid slot access during reset") +Link: https://lore.kernel.org/r/fef2b2e9edf245c049a8c5b94743c0f74ff5008a.1681191902.git.lukas@wunner.de +Reported-by: Michael Haeuptle +Reported-by: Ian May +Reported-by: Andrey Grodzovsky +Reported-by: Rahul Kumar +Reported-by: Jialin Zhang +Tested-by: Anatoli Antonovitch +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org # v4.19+ +Cc: Dan Stein +Cc: Ashok Raj +Cc: Alex Michon +Cc: Xiongfeng Wang +Cc: Alex Williamson +Cc: Mika Westerberg +Cc: Sathyanarayanan Kuppuswamy +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/hotplug/pciehp_pci.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/pci/hotplug/pciehp_pci.c ++++ b/drivers/pci/hotplug/pciehp_pci.c +@@ -63,7 +63,14 @@ int pciehp_configure_device(struct contr + + pci_assign_unassigned_bridge_resources(bridge); + pcie_bus_configure_settings(parent); ++ ++ /* ++ * Release reset_lock during driver binding ++ * to avoid AB-BA deadlock with device_lock. ++ */ ++ up_read(&ctrl->reset_lock); + pci_bus_add_devices(parent); ++ down_read_nested(&ctrl->reset_lock, ctrl->depth); + + out: + pci_unlock_rescan_remove(); +@@ -104,7 +111,15 @@ void pciehp_unconfigure_device(struct co + list_for_each_entry_safe_reverse(dev, temp, &parent->devices, + bus_list) { + pci_dev_get(dev); ++ ++ /* ++ * Release reset_lock during driver unbinding ++ * to avoid AB-BA deadlock with device_lock. ++ */ ++ up_read(&ctrl->reset_lock); + pci_stop_and_remove_bus_device(dev); ++ down_read_nested(&ctrl->reset_lock, ctrl->depth); ++ + /* + * Ensure that no new Requests will be generated from + * the device. diff --git a/queue-5.15/pci-qcom-fix-the-incorrect-register-usage-in-v2.7.0-config.patch b/queue-5.15/pci-qcom-fix-the-incorrect-register-usage-in-v2.7.0-config.patch new file mode 100644 index 00000000000..19a1d9232b7 --- /dev/null +++ b/queue-5.15/pci-qcom-fix-the-incorrect-register-usage-in-v2.7.0-config.patch @@ -0,0 +1,44 @@ +From 2542e16c392508800f1d9037feee881a9c444951 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Thu, 16 Mar 2023 13:40:59 +0530 +Subject: PCI: qcom: Fix the incorrect register usage in v2.7.0 config + +From: Manivannan Sadhasivam + +commit 2542e16c392508800f1d9037feee881a9c444951 upstream. + +Qcom PCIe IP version v2.7.0 and its derivatives don't contain the +PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT register. Instead, they have the new +PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT_V2 register. So fix the incorrect +register usage which is modifying a different register. + +Also in this IP version, this register change doesn't depend on MSI +being enabled. So remove that check also. + +Link: https://lore.kernel.org/r/20230316081117.14288-2-manivannan.sadhasivam@linaro.org +Fixes: ed8cc3b1fc84 ("PCI: qcom: Add support for SDM845 PCIe controller") +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Lorenzo Pieralisi +Cc: # 5.6+ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pcie-qcom.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/pci/controller/dwc/pcie-qcom.c ++++ b/drivers/pci/controller/dwc/pcie-qcom.c +@@ -1228,11 +1228,9 @@ static int qcom_pcie_init_2_7_0(struct q + val |= BIT(4); + writel(val, pcie->parf + PCIE20_PARF_MHI_CLOCK_RESET_CTRL); + +- if (IS_ENABLED(CONFIG_PCI_MSI)) { +- val = readl(pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT); +- val |= BIT(31); +- writel(val, pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT); +- } ++ val = readl(pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT_V2); ++ val |= BIT(31); ++ writel(val, pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT_V2); + + return 0; + err_disable_clocks: diff --git a/queue-5.15/posix-cpu-timers-implement-the-missing-timer_wait_running-callback.patch b/queue-5.15/posix-cpu-timers-implement-the-missing-timer_wait_running-callback.patch new file mode 100644 index 00000000000..5b16c1bc6a9 --- /dev/null +++ b/queue-5.15/posix-cpu-timers-implement-the-missing-timer_wait_running-callback.patch @@ -0,0 +1,268 @@ +From f7abf14f0001a5a47539d9f60bbdca649e43536b Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Mon, 17 Apr 2023 15:37:55 +0200 +Subject: posix-cpu-timers: Implement the missing timer_wait_running callback + +From: Thomas Gleixner + +commit f7abf14f0001a5a47539d9f60bbdca649e43536b upstream. + +For some unknown reason the introduction of the timer_wait_running callback +missed to fixup posix CPU timers, which went unnoticed for almost four years. +Marco reported recently that the WARN_ON() in timer_wait_running() +triggers with a posix CPU timer test case. + +Posix CPU timers have two execution models for expiring timers depending on +CONFIG_POSIX_CPU_TIMERS_TASK_WORK: + +1) If not enabled, the expiry happens in hard interrupt context so + spin waiting on the remote CPU is reasonably time bound. + + Implement an empty stub function for that case. + +2) If enabled, the expiry happens in task work before returning to user + space or guest mode. The expired timers are marked as firing and moved + from the timer queue to a local list head with sighand lock held. Once + the timers are moved, sighand lock is dropped and the expiry happens in + fully preemptible context. That means the expiring task can be scheduled + out, migrated, interrupted etc. So spin waiting on it is more than + suboptimal. + + The timer wheel has a timer_wait_running() mechanism for RT, which uses + a per CPU timer-base expiry lock which is held by the expiry code and the + task waiting for the timer function to complete blocks on that lock. + + This does not work in the same way for posix CPU timers as there is no + timer base and expiry for process wide timers can run on any task + belonging to that process, but the concept of waiting on an expiry lock + can be used too in a slightly different way: + + - Add a mutex to struct posix_cputimers_work. This struct is per task + and used to schedule the expiry task work from the timer interrupt. + + - Add a task_struct pointer to struct cpu_timer which is used to store + a the task which runs the expiry. That's filled in when the task + moves the expired timers to the local expiry list. That's not + affecting the size of the k_itimer union as there are bigger union + members already + + - Let the task take the expiry mutex around the expiry function + + - Let the waiter acquire a task reference with rcu_read_lock() held and + block on the expiry mutex + + This avoids spin-waiting on a task which might not even be on a CPU and + works nicely for RT too. + +Fixes: ec8f954a40da ("posix-timers: Use a callback for cancel synchronization on PREEMPT_RT") +Reported-by: Marco Elver +Signed-off-by: Thomas Gleixner +Tested-by: Marco Elver +Tested-by: Sebastian Andrzej Siewior +Reviewed-by: Frederic Weisbecker +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/87zg764ojw.ffs@tglx +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/posix-timers.h | 17 +++++--- + kernel/time/posix-cpu-timers.c | 81 +++++++++++++++++++++++++++++++++-------- + kernel/time/posix-timers.c | 4 ++ + 3 files changed, 82 insertions(+), 20 deletions(-) + +--- a/include/linux/posix-timers.h ++++ b/include/linux/posix-timers.h +@@ -4,6 +4,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -63,16 +64,18 @@ static inline int clockid_to_fd(const cl + * cpu_timer - Posix CPU timer representation for k_itimer + * @node: timerqueue node to queue in the task/sig + * @head: timerqueue head on which this timer is queued +- * @task: Pointer to target task ++ * @pid: Pointer to target task PID + * @elist: List head for the expiry list + * @firing: Timer is currently firing ++ * @handling: Pointer to the task which handles expiry + */ + struct cpu_timer { +- struct timerqueue_node node; +- struct timerqueue_head *head; +- struct pid *pid; +- struct list_head elist; +- int firing; ++ struct timerqueue_node node; ++ struct timerqueue_head *head; ++ struct pid *pid; ++ struct list_head elist; ++ int firing; ++ struct task_struct __rcu *handling; + }; + + static inline bool cpu_timer_enqueue(struct timerqueue_head *head, +@@ -136,10 +139,12 @@ struct posix_cputimers { + /** + * posix_cputimers_work - Container for task work based posix CPU timer expiry + * @work: The task work to be scheduled ++ * @mutex: Mutex held around expiry in context of this task work + * @scheduled: @work has been scheduled already, no further processing + */ + struct posix_cputimers_work { + struct callback_head work; ++ struct mutex mutex; + unsigned int scheduled; + }; + +--- a/kernel/time/posix-cpu-timers.c ++++ b/kernel/time/posix-cpu-timers.c +@@ -840,6 +840,8 @@ static u64 collect_timerqueue(struct tim + return expires; + + ctmr->firing = 1; ++ /* See posix_cpu_timer_wait_running() */ ++ rcu_assign_pointer(ctmr->handling, current); + cpu_timer_dequeue(ctmr); + list_add_tail(&ctmr->elist, firing); + } +@@ -1155,7 +1157,49 @@ static void handle_posix_cpu_timers(stru + #ifdef CONFIG_POSIX_CPU_TIMERS_TASK_WORK + static void posix_cpu_timers_work(struct callback_head *work) + { ++ struct posix_cputimers_work *cw = container_of(work, typeof(*cw), work); ++ ++ mutex_lock(&cw->mutex); + handle_posix_cpu_timers(current); ++ mutex_unlock(&cw->mutex); ++} ++ ++/* ++ * Invoked from the posix-timer core when a cancel operation failed because ++ * the timer is marked firing. The caller holds rcu_read_lock(), which ++ * protects the timer and the task which is expiring it from being freed. ++ */ ++static void posix_cpu_timer_wait_running(struct k_itimer *timr) ++{ ++ struct task_struct *tsk = rcu_dereference(timr->it.cpu.handling); ++ ++ /* Has the handling task completed expiry already? */ ++ if (!tsk) ++ return; ++ ++ /* Ensure that the task cannot go away */ ++ get_task_struct(tsk); ++ /* Now drop the RCU protection so the mutex can be locked */ ++ rcu_read_unlock(); ++ /* Wait on the expiry mutex */ ++ mutex_lock(&tsk->posix_cputimers_work.mutex); ++ /* Release it immediately again. */ ++ mutex_unlock(&tsk->posix_cputimers_work.mutex); ++ /* Drop the task reference. */ ++ put_task_struct(tsk); ++ /* Relock RCU so the callsite is balanced */ ++ rcu_read_lock(); ++} ++ ++static void posix_cpu_timer_wait_running_nsleep(struct k_itimer *timr) ++{ ++ /* Ensure that timr->it.cpu.handling task cannot go away */ ++ rcu_read_lock(); ++ spin_unlock_irq(&timr->it_lock); ++ posix_cpu_timer_wait_running(timr); ++ rcu_read_unlock(); ++ /* @timr is on stack and is valid */ ++ spin_lock_irq(&timr->it_lock); + } + + /* +@@ -1171,6 +1215,7 @@ void clear_posix_cputimers_work(struct t + sizeof(p->posix_cputimers_work.work)); + init_task_work(&p->posix_cputimers_work.work, + posix_cpu_timers_work); ++ mutex_init(&p->posix_cputimers_work.mutex); + p->posix_cputimers_work.scheduled = false; + } + +@@ -1249,6 +1294,18 @@ static inline void __run_posix_cpu_timer + lockdep_posixtimer_exit(); + } + ++static void posix_cpu_timer_wait_running(struct k_itimer *timr) ++{ ++ cpu_relax(); ++} ++ ++static void posix_cpu_timer_wait_running_nsleep(struct k_itimer *timr) ++{ ++ spin_unlock_irq(&timr->it_lock); ++ cpu_relax(); ++ spin_lock_irq(&timr->it_lock); ++} ++ + static inline bool posix_cpu_timers_work_scheduled(struct task_struct *tsk) + { + return false; +@@ -1357,6 +1414,8 @@ static void handle_posix_cpu_timers(stru + */ + if (likely(cpu_firing >= 0)) + cpu_timer_fire(timer); ++ /* See posix_cpu_timer_wait_running() */ ++ rcu_assign_pointer(timer->it.cpu.handling, NULL); + spin_unlock(&timer->it_lock); + } + } +@@ -1491,23 +1550,16 @@ static int do_cpu_nanosleep(const clocki + expires = cpu_timer_getexpires(&timer.it.cpu); + error = posix_cpu_timer_set(&timer, 0, &zero_it, &it); + if (!error) { +- /* +- * Timer is now unarmed, deletion can not fail. +- */ ++ /* Timer is now unarmed, deletion can not fail. */ + posix_cpu_timer_del(&timer); ++ } else { ++ while (error == TIMER_RETRY) { ++ posix_cpu_timer_wait_running_nsleep(&timer); ++ error = posix_cpu_timer_del(&timer); ++ } + } +- spin_unlock_irq(&timer.it_lock); + +- while (error == TIMER_RETRY) { +- /* +- * We need to handle case when timer was or is in the +- * middle of firing. In other cases we already freed +- * resources. +- */ +- spin_lock_irq(&timer.it_lock); +- error = posix_cpu_timer_del(&timer); +- spin_unlock_irq(&timer.it_lock); +- } ++ spin_unlock_irq(&timer.it_lock); + + if ((it.it_value.tv_sec | it.it_value.tv_nsec) == 0) { + /* +@@ -1617,6 +1669,7 @@ const struct k_clock clock_posix_cpu = { + .timer_del = posix_cpu_timer_del, + .timer_get = posix_cpu_timer_get, + .timer_rearm = posix_cpu_timer_rearm, ++ .timer_wait_running = posix_cpu_timer_wait_running, + }; + + const struct k_clock clock_process = { +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -846,6 +846,10 @@ static struct k_itimer *timer_wait_runni + rcu_read_lock(); + unlock_timer(timer, *flags); + ++ /* ++ * kc->timer_wait_running() might drop RCU lock. So @timer ++ * cannot be touched anymore after the function returns! ++ */ + if (!WARN_ON_ONCE(!kc->timer_wait_running)) + kc->timer_wait_running(timer); + diff --git a/queue-5.15/series b/queue-5.15/series index 03c019d263e..2f57a790539 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -7,3 +7,27 @@ selftests-mount-fix-mount_setattr_test-builds-failed.patch asm-generic-io.h-suppress-endianness-warnings-for-re.patch x86-cpu-add-model-number-for-intel-arrow-lake-proces.patch wireguard-timers-cast-enum-limits-members-to-int-in-prints.patch +wifi-mt76-mt7921e-set-memory-space-enable-in-pci_command-if-unset.patch +arm64-always-load-shadow-stack-pointer-directly-from-the-task-struct.patch +arm64-stash-shadow-stack-pointer-in-the-task-struct-on-interrupt.patch +pci-pciehp-fix-ab-ba-deadlock-between-reset_lock-and-device_lock.patch +pci-qcom-fix-the-incorrect-register-usage-in-v2.7.0-config.patch +ima-allow-fix-uml-builds.patch +usb-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch +usb-dwc3-fix-runtime-pm-imbalance-on-unbind.patch +hwmon-k10temp-check-range-scale-when-cur_temp-register-is-read-write.patch +hwmon-adt7475-use-device_property-apis-when-configuring-polarity.patch +posix-cpu-timers-implement-the-missing-timer_wait_running-callback.patch +blk-mq-release-crypto-keyslot-before-reporting-i-o-complete.patch +blk-crypto-make-blk_crypto_evict_key-return-void.patch +blk-crypto-make-blk_crypto_evict_key-more-robust.patch +ext4-use-ext4_journal_start-stop-for-fast-commit-transactions.patch +staging-iio-resolver-ads1210-fix-config-mode.patch +tty-prevent-writing-chars-during-tcsetattr-tcsadrain-flush.patch +xhci-fix-debugfs-register-accesses-while-suspended.patch +tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-nohz-subsystem.patch +mips-fw-allow-firmware-to-pass-a-empty-env.patch +ipmi-ssif-add-send_retries-increment.patch +ipmi-fix-ssif-not-responding-under-certain-cond.patch +kheaders-use-array-declaration-instead-of-char.patch +wifi-mt76-add-missing-locking-to-protect-against-concurrent-rx-status-calls.patch diff --git a/queue-5.15/staging-iio-resolver-ads1210-fix-config-mode.patch b/queue-5.15/staging-iio-resolver-ads1210-fix-config-mode.patch new file mode 100644 index 00000000000..6f853d0c46c --- /dev/null +++ b/queue-5.15/staging-iio-resolver-ads1210-fix-config-mode.patch @@ -0,0 +1,37 @@ +From 16313403d873ff17a587818b61f84c8cb4971cef Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nuno=20S=C3=A1?= +Date: Mon, 27 Mar 2023 16:54:14 +0200 +Subject: staging: iio: resolver: ads1210: fix config mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +commit 16313403d873ff17a587818b61f84c8cb4971cef upstream. + +As stated in the device datasheet [1], bits a0 and a1 have to be set to +1 for the configuration mode. + +[1]: https://www.analog.com/media/en/technical-documentation/data-sheets/ad2s1210.pdf + +Fixes: b19e9ad5e2cb9 ("staging:iio:resolver:ad2s1210 general driver cleanup") +Cc: stable +Signed-off-by: Nuno Sá +Link: https://lore.kernel.org/r/20230327145414.1505537-1-nuno.sa@analog.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/iio/resolver/ad2s1210.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/iio/resolver/ad2s1210.c ++++ b/drivers/staging/iio/resolver/ad2s1210.c +@@ -101,7 +101,7 @@ struct ad2s1210_state { + static const int ad2s1210_mode_vals[4][2] = { + [MOD_POS] = { 0, 0 }, + [MOD_VEL] = { 0, 1 }, +- [MOD_CONFIG] = { 1, 0 }, ++ [MOD_CONFIG] = { 1, 1 }, + }; + + static inline void ad2s1210_set_mode(enum ad2s1210_mode mode, diff --git a/queue-5.15/tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-nohz-subsystem.patch b/queue-5.15/tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-nohz-subsystem.patch new file mode 100644 index 00000000000..17831c012fe --- /dev/null +++ b/queue-5.15/tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-nohz-subsystem.patch @@ -0,0 +1,97 @@ +From 58d7668242647e661a20efe065519abd6454287e Mon Sep 17 00:00:00 2001 +From: "Joel Fernandes (Google)" +Date: Tue, 24 Jan 2023 17:31:26 +0000 +Subject: tick/nohz: Fix cpu_is_hotpluggable() by checking with nohz subsystem + +From: Joel Fernandes (Google) + +commit 58d7668242647e661a20efe065519abd6454287e upstream. + +For CONFIG_NO_HZ_FULL systems, the tick_do_timer_cpu cannot be offlined. +However, cpu_is_hotpluggable() still returns true for those CPUs. This causes +torture tests that do offlining to end up trying to offline this CPU causing +test failures. Such failure happens on all architectures. + +Fix the repeated error messages thrown by this (even if the hotplug errors are +harmless) by asking the opinion of the nohz subsystem on whether the CPU can be +hotplugged. + +[ Apply Frederic Weisbecker feedback on refactoring tick_nohz_cpu_down(). ] + +For drivers/base/ portion: +Acked-by: Greg Kroah-Hartman +Acked-by: Frederic Weisbecker +Cc: Frederic Weisbecker +Cc: "Paul E. McKenney" +Cc: Zhouyi Zhou +Cc: Will Deacon +Cc: Marc Zyngier +Cc: rcu +Cc: stable@vger.kernel.org +Fixes: 2987557f52b9 ("driver-core/cpu: Expose hotpluggability to the rest of the kernel") +Signed-off-by: Paul E. McKenney +Signed-off-by: Joel Fernandes (Google) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/cpu.c | 3 ++- + include/linux/tick.h | 2 ++ + kernel/time/tick-sched.c | 11 ++++++++--- + 3 files changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/base/cpu.c ++++ b/drivers/base/cpu.c +@@ -487,7 +487,8 @@ static const struct attribute_group *cpu + bool cpu_is_hotpluggable(unsigned int cpu) + { + struct device *dev = get_cpu_device(cpu); +- return dev && container_of(dev, struct cpu, dev)->hotpluggable; ++ return dev && container_of(dev, struct cpu, dev)->hotpluggable ++ && tick_nohz_cpu_hotpluggable(cpu); + } + EXPORT_SYMBOL_GPL(cpu_is_hotpluggable); + +--- a/include/linux/tick.h ++++ b/include/linux/tick.h +@@ -216,6 +216,7 @@ extern void tick_nohz_dep_set_signal(str + enum tick_dep_bits bit); + extern void tick_nohz_dep_clear_signal(struct signal_struct *signal, + enum tick_dep_bits bit); ++extern bool tick_nohz_cpu_hotpluggable(unsigned int cpu); + + /* + * The below are tick_nohz_[set,clear]_dep() wrappers that optimize off-cases +@@ -280,6 +281,7 @@ static inline void tick_nohz_full_add_cp + + static inline void tick_nohz_dep_set_cpu(int cpu, enum tick_dep_bits bit) { } + static inline void tick_nohz_dep_clear_cpu(int cpu, enum tick_dep_bits bit) { } ++static inline bool tick_nohz_cpu_hotpluggable(unsigned int cpu) { return true; } + + static inline void tick_dep_set(enum tick_dep_bits bit) { } + static inline void tick_dep_clear(enum tick_dep_bits bit) { } +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -510,7 +510,7 @@ void __init tick_nohz_full_setup(cpumask + tick_nohz_full_running = true; + } + +-static int tick_nohz_cpu_down(unsigned int cpu) ++bool tick_nohz_cpu_hotpluggable(unsigned int cpu) + { + /* + * The tick_do_timer_cpu CPU handles housekeeping duty (unbound +@@ -518,8 +518,13 @@ static int tick_nohz_cpu_down(unsigned i + * CPUs. It must remain online when nohz full is enabled. + */ + if (tick_nohz_full_running && tick_do_timer_cpu == cpu) +- return -EBUSY; +- return 0; ++ return false; ++ return true; ++} ++ ++static int tick_nohz_cpu_down(unsigned int cpu) ++{ ++ return tick_nohz_cpu_hotpluggable(cpu) ? 0 : -EBUSY; + } + + void __init tick_nohz_init(void) diff --git a/queue-5.15/tty-prevent-writing-chars-during-tcsetattr-tcsadrain-flush.patch b/queue-5.15/tty-prevent-writing-chars-during-tcsetattr-tcsadrain-flush.patch new file mode 100644 index 00000000000..a29f0c16be7 --- /dev/null +++ b/queue-5.15/tty-prevent-writing-chars-during-tcsetattr-tcsadrain-flush.patch @@ -0,0 +1,126 @@ +From 094fb49a2d0d6827c86d2e0840873e6db0c491d2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Fri, 17 Mar 2023 13:33:17 +0200 +Subject: tty: Prevent writing chars during tcsetattr TCSADRAIN/FLUSH +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit 094fb49a2d0d6827c86d2e0840873e6db0c491d2 upstream. + +If userspace races tcsetattr() with a write, the drained condition +might not be guaranteed by the kernel. There is a race window after +checking Tx is empty before tty_set_termios() takes termios_rwsem for +write. During that race window, more characters can be queued by a +racing writer. + +Any ongoing transmission might produce garbage during HW's +->set_termios() call. The intent of TCSADRAIN/FLUSH seems to be +preventing such a character corruption. If those flags are set, take +tty's write lock to stop any writer before performing the lower layer +Tx empty check and wait for the pending characters to be sent (if any). + +The initial wait for all-writers-done must be placed outside of tty's +write lock to avoid deadlock which makes it impossible to use +tty_wait_until_sent(). The write lock is retried if a racing write is +detected. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20230317113318.31327-2-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/tty.h | 2 ++ + drivers/tty/tty_io.c | 4 ++-- + drivers/tty/tty_ioctl.c | 45 +++++++++++++++++++++++++++++++++------------ + 3 files changed, 37 insertions(+), 14 deletions(-) + +--- a/drivers/tty/tty.h ++++ b/drivers/tty/tty.h +@@ -62,6 +62,8 @@ int __tty_check_change(struct tty_struct + int tty_check_change(struct tty_struct *tty); + void __stop_tty(struct tty_struct *tty); + void __start_tty(struct tty_struct *tty); ++void tty_write_unlock(struct tty_struct *tty); ++int tty_write_lock(struct tty_struct *tty, int ndelay); + void tty_vhangup_session(struct tty_struct *tty); + void tty_open_proc_set_tty(struct file *filp, struct tty_struct *tty); + int tty_signal_session_leader(struct tty_struct *tty, int exit_session); +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -950,13 +950,13 @@ static ssize_t tty_read(struct kiocb *io + return i; + } + +-static void tty_write_unlock(struct tty_struct *tty) ++void tty_write_unlock(struct tty_struct *tty) + { + mutex_unlock(&tty->atomic_write_lock); + wake_up_interruptible_poll(&tty->write_wait, EPOLLOUT); + } + +-static int tty_write_lock(struct tty_struct *tty, int ndelay) ++int tty_write_lock(struct tty_struct *tty, int ndelay) + { + if (!mutex_trylock(&tty->atomic_write_lock)) { + if (ndelay) +--- a/drivers/tty/tty_ioctl.c ++++ b/drivers/tty/tty_ioctl.c +@@ -421,21 +421,42 @@ static int set_termios(struct tty_struct + tmp_termios.c_ispeed = tty_termios_input_baud_rate(&tmp_termios); + tmp_termios.c_ospeed = tty_termios_baud_rate(&tmp_termios); + +- ld = tty_ldisc_ref(tty); ++ if (opt & (TERMIOS_FLUSH|TERMIOS_WAIT)) { ++retry_write_wait: ++ retval = wait_event_interruptible(tty->write_wait, !tty_chars_in_buffer(tty)); ++ if (retval < 0) ++ return retval; + +- if (ld != NULL) { +- if ((opt & TERMIOS_FLUSH) && ld->ops->flush_buffer) +- ld->ops->flush_buffer(tty); +- tty_ldisc_deref(ld); +- } ++ if (tty_write_lock(tty, 0) < 0) ++ goto retry_write_wait; + +- if (opt & TERMIOS_WAIT) { +- tty_wait_until_sent(tty, 0); +- if (signal_pending(current)) +- return -ERESTARTSYS; +- } ++ /* Racing writer? */ ++ if (tty_chars_in_buffer(tty)) { ++ tty_write_unlock(tty); ++ goto retry_write_wait; ++ } ++ ++ ld = tty_ldisc_ref(tty); ++ if (ld != NULL) { ++ if ((opt & TERMIOS_FLUSH) && ld->ops->flush_buffer) ++ ld->ops->flush_buffer(tty); ++ tty_ldisc_deref(ld); ++ } + +- tty_set_termios(tty, &tmp_termios); ++ if ((opt & TERMIOS_WAIT) && tty->ops->wait_until_sent) { ++ tty->ops->wait_until_sent(tty, 0); ++ if (signal_pending(current)) { ++ tty_write_unlock(tty); ++ return -ERESTARTSYS; ++ } ++ } ++ ++ tty_set_termios(tty, &tmp_termios); ++ ++ tty_write_unlock(tty); ++ } else { ++ tty_set_termios(tty, &tmp_termios); ++ } + + /* FIXME: Arguably if tmp_termios == tty->termios AND the + actual requested termios was not tmp_termios then we may diff --git a/queue-5.15/usb-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch b/queue-5.15/usb-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch new file mode 100644 index 00000000000..72853bed753 --- /dev/null +++ b/queue-5.15/usb-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch @@ -0,0 +1,57 @@ +From 9a8ad10c9f2e0925ff26308ec6756b93fc2f4977 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 4 Apr 2023 09:25:14 +0200 +Subject: USB: dwc3: fix runtime pm imbalance on probe errors + +From: Johan Hovold + +commit 9a8ad10c9f2e0925ff26308ec6756b93fc2f4977 upstream. + +Make sure not to suspend the device when probe fails to avoid disabling +clocks and phys multiple times. + +Fixes: 328082376aea ("usb: dwc3: fix runtime PM in error path") +Cc: stable@vger.kernel.org # 4.8 +Cc: Roger Quadros +Acked-by: Thinh Nguyen +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20230404072524.19014-2-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1642,13 +1642,11 @@ static int dwc3_probe(struct platform_de + spin_lock_init(&dwc->lock); + mutex_init(&dwc->mutex); + ++ pm_runtime_get_noresume(dev); + pm_runtime_set_active(dev); + pm_runtime_use_autosuspend(dev); + pm_runtime_set_autosuspend_delay(dev, DWC3_DEFAULT_AUTOSUSPEND_DELAY); + pm_runtime_enable(dev); +- ret = pm_runtime_get_sync(dev); +- if (ret < 0) +- goto err1; + + pm_runtime_forbid(dev); + +@@ -1707,12 +1705,10 @@ err3: + dwc3_free_event_buffers(dwc); + + err2: +- pm_runtime_allow(&pdev->dev); +- +-err1: +- pm_runtime_put_sync(&pdev->dev); +- pm_runtime_disable(&pdev->dev); +- ++ pm_runtime_allow(dev); ++ pm_runtime_disable(dev); ++ pm_runtime_set_suspended(dev); ++ pm_runtime_put_noidle(dev); + disable_clks: + clk_bulk_disable_unprepare(dwc->num_clks, dwc->clks); + assert_reset: diff --git a/queue-5.15/usb-dwc3-fix-runtime-pm-imbalance-on-unbind.patch b/queue-5.15/usb-dwc3-fix-runtime-pm-imbalance-on-unbind.patch new file mode 100644 index 00000000000..1d10156b710 --- /dev/null +++ b/queue-5.15/usb-dwc3-fix-runtime-pm-imbalance-on-unbind.patch @@ -0,0 +1,34 @@ +From 44d257e9012ee8040e41d224d0e5bfb5ef5427ea Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 4 Apr 2023 09:25:15 +0200 +Subject: USB: dwc3: fix runtime pm imbalance on unbind + +From: Johan Hovold + +commit 44d257e9012ee8040e41d224d0e5bfb5ef5427ea upstream. + +Make sure to balance the runtime PM usage count on driver unbind by +adding back the pm_runtime_allow() call that had been erroneously +removed. + +Fixes: 266d0493900a ("usb: dwc3: core: don't trigger runtime pm when remove driver") +Cc: stable@vger.kernel.org # 5.9 +Cc: Li Jun +Acked-by: Thinh Nguyen +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20230404072524.19014-3-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1732,6 +1732,7 @@ static int dwc3_remove(struct platform_d + dwc3_core_exit(dwc); + dwc3_ulpi_exit(dwc); + ++ pm_runtime_allow(&pdev->dev); + pm_runtime_disable(&pdev->dev); + pm_runtime_put_noidle(&pdev->dev); + pm_runtime_set_suspended(&pdev->dev); diff --git a/queue-5.15/wifi-mt76-add-missing-locking-to-protect-against-concurrent-rx-status-calls.patch b/queue-5.15/wifi-mt76-add-missing-locking-to-protect-against-concurrent-rx-status-calls.patch new file mode 100644 index 00000000000..e4de284f90e --- /dev/null +++ b/queue-5.15/wifi-mt76-add-missing-locking-to-protect-against-concurrent-rx-status-calls.patch @@ -0,0 +1,104 @@ +From 5b8ccdfb943f6a03c676d2ea816dd38c149e920b Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Fri, 14 Apr 2023 14:10:54 +0200 +Subject: wifi: mt76: add missing locking to protect against concurrent rx/status calls + +From: Felix Fietkau + +commit 5b8ccdfb943f6a03c676d2ea816dd38c149e920b upstream. + +According to the documentation, ieee80211_rx_list must not run concurrently +with ieee80211_tx_status (or its variants). + +Cc: stable@vger.kernel.org +Fixes: 88046b2c9f6d ("mt76: add support for reporting tx status with skb") +Reported-by: Brian Coverstone +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/dma.c | 2 ++ + drivers/net/wireless/mediatek/mt76/mt7603/mac.c | 5 ++++- + drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 5 ++++- + drivers/net/wireless/mediatek/mt76/mt76x02_mac.c | 5 ++++- + drivers/net/wireless/mediatek/mt76/tx.c | 4 ++++ + 5 files changed, 18 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/mediatek/mt76/dma.c ++++ b/drivers/net/wireless/mediatek/mt76/dma.c +@@ -434,7 +434,9 @@ free: + free_skb: + status.skb = tx_info.skb; + hw = mt76_tx_status_get_hw(dev, tx_info.skb); ++ spin_lock_bh(&dev->rx_lock); + ieee80211_tx_status_ext(hw, &status); ++ spin_unlock_bh(&dev->rx_lock); + + return ret; + } +--- a/drivers/net/wireless/mediatek/mt76/mt7603/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7603/mac.c +@@ -1284,8 +1284,11 @@ void mt7603_mac_add_txs(struct mt7603_de + if (wcidx >= MT7603_WTBL_STA || !sta) + goto out; + +- if (mt7603_fill_txs(dev, msta, &info, txs_data)) ++ if (mt7603_fill_txs(dev, msta, &info, txs_data)) { ++ spin_lock_bh(&dev->mt76.rx_lock); + ieee80211_tx_status_noskb(mt76_hw(dev), sta, &info); ++ spin_unlock_bh(&dev->mt76.rx_lock); ++ } + + out: + rcu_read_unlock(); +--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c +@@ -1496,8 +1496,11 @@ static void mt7615_mac_add_txs(struct mt + if (wcid->ext_phy && dev->mt76.phy2) + mphy = dev->mt76.phy2; + +- if (mt7615_fill_txs(dev, msta, &info, txs_data)) ++ if (mt7615_fill_txs(dev, msta, &info, txs_data)) { ++ spin_lock_bh(&dev->mt76.rx_lock); + ieee80211_tx_status_noskb(mphy->hw, sta, &info); ++ spin_unlock_bh(&dev->mt76.rx_lock); ++ } + + out: + rcu_read_unlock(); +--- a/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c +@@ -631,8 +631,11 @@ void mt76x02_send_tx_status(struct mt76x + + mt76_tx_status_unlock(mdev, &list); + +- if (!status.skb) ++ if (!status.skb) { ++ spin_lock_bh(&dev->mt76.rx_lock); + ieee80211_tx_status_ext(mt76_hw(dev), &status); ++ spin_unlock_bh(&dev->mt76.rx_lock); ++ } + + if (!len) + goto out; +--- a/drivers/net/wireless/mediatek/mt76/tx.c ++++ b/drivers/net/wireless/mediatek/mt76/tx.c +@@ -68,7 +68,9 @@ mt76_tx_status_unlock(struct mt76_dev *d + status.sta = wcid_to_sta(wcid); + + hw = mt76_tx_status_get_hw(dev, skb); ++ spin_lock_bh(&dev->rx_lock); + ieee80211_tx_status_ext(hw, &status); ++ spin_unlock_bh(&dev->rx_lock); + } + rcu_read_unlock(); + } +@@ -229,7 +231,9 @@ void __mt76_tx_complete_skb(struct mt76_ + if (!skb->prev) { + hw = mt76_tx_status_get_hw(dev, skb); + status.sta = wcid_to_sta(wcid); ++ spin_lock_bh(&dev->rx_lock); + ieee80211_tx_status_ext(hw, &status); ++ spin_unlock_bh(&dev->rx_lock); + goto out; + } + diff --git a/queue-5.15/wifi-mt76-mt7921e-set-memory-space-enable-in-pci_command-if-unset.patch b/queue-5.15/wifi-mt76-mt7921e-set-memory-space-enable-in-pci_command-if-unset.patch new file mode 100644 index 00000000000..e09088d17c1 --- /dev/null +++ b/queue-5.15/wifi-mt76-mt7921e-set-memory-space-enable-in-pci_command-if-unset.patch @@ -0,0 +1,47 @@ +From 09d4d6da1b65d09414e7bce61459593f3c80ead1 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Wed, 29 Mar 2023 14:57:58 -0500 +Subject: wifi: mt76: mt7921e: Set memory space enable in PCI_COMMAND if unset + +From: Mario Limonciello + +commit 09d4d6da1b65d09414e7bce61459593f3c80ead1 upstream. + +When the BIOS has been configured for Fast Boot, systems with mt7921e +have non-functional wifi. Turning on Fast boot caused both bus master +enable and memory space enable bits in PCI_COMMAND not to get configured. + +The mt7921 driver already sets bus master enable, but explicitly check +and set memory access enable as well to fix this problem. + +Tested-by: Anson Tsao +Signed-off-by: Mario Limonciello +Acked-by: Sean Wang +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7921/pci.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c +@@ -218,6 +218,7 @@ static int mt7921_pci_probe(struct pci_d + struct mt7921_dev *dev; + struct mt76_dev *mdev; + int ret; ++ u16 cmd; + + ret = pcim_enable_device(pdev); + if (ret) +@@ -227,6 +228,11 @@ static int mt7921_pci_probe(struct pci_d + if (ret) + return ret; + ++ pci_read_config_word(pdev, PCI_COMMAND, &cmd); ++ if (!(cmd & PCI_COMMAND_MEMORY)) { ++ cmd |= PCI_COMMAND_MEMORY; ++ pci_write_config_word(pdev, PCI_COMMAND, cmd); ++ } + pci_set_master(pdev); + + ret = pci_alloc_irq_vectors(pdev, 1, 1, PCI_IRQ_ALL_TYPES); diff --git a/queue-5.15/xhci-fix-debugfs-register-accesses-while-suspended.patch b/queue-5.15/xhci-fix-debugfs-register-accesses-while-suspended.patch new file mode 100644 index 00000000000..6f7010a1564 --- /dev/null +++ b/queue-5.15/xhci-fix-debugfs-register-accesses-while-suspended.patch @@ -0,0 +1,33 @@ +From 735baf1b23458f71a8b15cb924af22c9ff9cd125 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Apr 2023 11:03:42 +0200 +Subject: xhci: fix debugfs register accesses while suspended + +From: Johan Hovold + +commit 735baf1b23458f71a8b15cb924af22c9ff9cd125 upstream. + +Wire up the debugfs regset device pointer so that the controller is +resumed before accessing registers to avoid crashing or locking up if it +happens to be runtime suspended. + +Fixes: 02b6fdc2a153 ("usb: xhci: Add debugfs interface for xHCI driver") +Cc: stable@vger.kernel.org # 4.15: 30332eeefec8: debugfs: regset32: Add Runtime PM support +Cc: stable@vger.kernel.org # 4.15 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20230405090342.7363-1-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-debugfs.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/host/xhci-debugfs.c ++++ b/drivers/usb/host/xhci-debugfs.c +@@ -133,6 +133,7 @@ static void xhci_debugfs_regset(struct x + regset->regs = regs; + regset->nregs = nregs; + regset->base = hcd->regs + base; ++ regset->dev = hcd->self.controller; + + debugfs_create_regset32((const char *)rgs->name, 0444, parent, regset); + } -- 2.47.3