From 38381c5b46ac780c89a44f7ea27fdb5fb27c366d Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 5 Sep 2022 08:52:10 -0400 Subject: [PATCH] Fixes for 5.10 Signed-off-by: Sasha Levin --- ...hlt-correct-the-handling-of-fmt_conf.patch | 57 +++++++ ...hlt-remove-use-of-__func__-in-dev_db.patch | 79 +++++++++ ...-kernel-bug-in-purge_effective_progs.patch | 107 ++++++++++++ ...e-dp_recovered_clock_out_en-to-fix-t.patch | 65 ++++++++ ...number-of-regulators-for-msm8996_dsi.patch | 39 +++++ ...-fix-number-of-regulators-for-sdm660.patch | 41 +++++ ...m-dsi-fix-the-inconsistent-indenting.patch | 43 +++++ ...fix-sleep-in-atomic-context-bug-in-n.patch | 57 +++++++ ...adf7242-defer-destroy_workqueue-call.patch | 60 +++++++ ...adc-mcp3911-make-use-of-the-sign-bit.patch | 37 +++++ .../kcm-fix-strp_init-order-and-cleanup.patch | 74 +++++++++ ...tdevice-reference-leaks-in-attach_de.patch | 111 +++++++++++++ ...n-t-call-qdisc_put-while-holding-tre.patch | 54 ++++++ ...c-remove-redundant-refcount-increase.patch | 37 +++++ ...-pmc_atom-fix-slp_typx-bitfield-mask.patch | 67 ++++++++ ...return-__net_xmit_stolen-when-consum.patch | 54 ++++++ ...xhci-turn-off-port-power-in-shutdown.patch | 94 +++++++++++ ...__net_xmit_stolen-when-consuming-enq.patch | 61 +++++++ queue-5.10/series | 25 +++ ...data-race-around-challenge_timestamp.patch | 47 ++++++ ...d-helper-functions-to-enable-disable.patch | 107 ++++++++++++ ...nfigure-wakeup-interrupts-during-sus.patch | 155 ++++++++++++++++++ ...-qcom-fix-peripheral-and-otg-suspend.patch | 78 +++++++++ .../usb-dwc3-qcom-fix-runtime-pm-wakeup.patch | 110 +++++++++++++ ...x-use-after-free-on-runtime-pm-wakeu.patch | 82 +++++++++ ...bugfs-fix-return-type-in-ht40allow_m.patch | 41 +++++ 26 files changed, 1782 insertions(+) create mode 100644 queue-5.10/alsa-hda-intel-nhlt-correct-the-handling-of-fmt_conf.patch create mode 100644 queue-5.10/alsa-hda-intel-nhlt-remove-use-of-__func__-in-dev_db.patch create mode 100644 queue-5.10/bpf-cgroup-fix-kernel-bug-in-purge_effective_progs.patch create mode 100644 queue-5.10/drm-msm-dp-delete-dp_recovered_clock_out_en-to-fix-t.patch create mode 100644 queue-5.10/drm-msm-dsi-fix-number-of-regulators-for-msm8996_dsi.patch create mode 100644 queue-5.10/drm-msm-dsi-fix-number-of-regulators-for-sdm660.patch create mode 100644 queue-5.10/drm-msm-dsi-fix-the-inconsistent-indenting.patch create mode 100644 queue-5.10/ethernet-rocker-fix-sleep-in-atomic-context-bug-in-n.patch create mode 100644 queue-5.10/ieee802154-adf7242-defer-destroy_workqueue-call.patch create mode 100644 queue-5.10/iio-adc-mcp3911-make-use-of-the-sign-bit.patch create mode 100644 queue-5.10/kcm-fix-strp_init-order-and-cleanup.patch create mode 100644 queue-5.10/net-sched-fix-netdevice-reference-leaks-in-attach_de.patch create mode 100644 queue-5.10/net-sched-tbf-don-t-call-qdisc_put-while-holding-tre.patch create mode 100644 queue-5.10/net-smc-remove-redundant-refcount-increase.patch create mode 100644 queue-5.10/platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch create mode 100644 queue-5.10/revert-sch_cake-return-__net_xmit_stolen-when-consum.patch create mode 100644 queue-5.10/revert-xhci-turn-off-port-power-in-shutdown.patch create mode 100644 queue-5.10/sch_cake-return-__net_xmit_stolen-when-consuming-enq.patch create mode 100644 queue-5.10/series create mode 100644 queue-5.10/tcp-annotate-data-race-around-challenge_timestamp.patch create mode 100644 queue-5.10/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch create mode 100644 queue-5.10/usb-dwc3-qcom-configure-wakeup-interrupts-during-sus.patch create mode 100644 queue-5.10/usb-dwc3-qcom-fix-peripheral-and-otg-suspend.patch create mode 100644 queue-5.10/usb-dwc3-qcom-fix-runtime-pm-wakeup.patch create mode 100644 queue-5.10/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch create mode 100644 queue-5.10/wifi-cfg80211-debugfs-fix-return-type-in-ht40allow_m.patch diff --git a/queue-5.10/alsa-hda-intel-nhlt-correct-the-handling-of-fmt_conf.patch b/queue-5.10/alsa-hda-intel-nhlt-correct-the-handling-of-fmt_conf.patch new file mode 100644 index 00000000000..b949212a28f --- /dev/null +++ b/queue-5.10/alsa-hda-intel-nhlt-correct-the-handling-of-fmt_conf.patch @@ -0,0 +1,57 @@ +From 141d49b6cded5d08427e9574c788224a7a5db42f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 15:24:05 +0300 +Subject: ALSA: hda: intel-nhlt: Correct the handling of fmt_config flexible + array + +From: Peter Ujfalusi + +[ Upstream commit 2e6481a3f3ee6234ce577454e1d88aca55f51d47 ] + +The struct nhlt_format's fmt_config is a flexible array, it must not be +used as normal array. +When moving to the next nhlt_fmt_cfg we need to take into account the data +behind the ->config.caps (indicated by ->config.size). + +Fixes: a864e8f159b13 ("ALSA: hda: intel-nhlt: verify config type") +Signed-off-by: Peter Ujfalusi +Reviewed-by: Pierre-Louis Bossart +Reviewed-by: Jaska Uimonen +Link: https://lore.kernel.org/r/20220823122405.18464-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/intel-nhlt.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/sound/hda/intel-nhlt.c b/sound/hda/intel-nhlt.c +index 5e04fedaec49e..8714891f50b0a 100644 +--- a/sound/hda/intel-nhlt.c ++++ b/sound/hda/intel-nhlt.c +@@ -55,16 +55,22 @@ int intel_nhlt_get_dmic_geo(struct device *dev, struct nhlt_acpi_table *nhlt) + + /* find max number of channels based on format_configuration */ + if (fmt_configs->fmt_count) { ++ struct nhlt_fmt_cfg *fmt_cfg = fmt_configs->fmt_config; ++ + dev_dbg(dev, "found %d format definitions\n", + fmt_configs->fmt_count); + + for (i = 0; i < fmt_configs->fmt_count; i++) { + struct wav_fmt_ext *fmt_ext; + +- fmt_ext = &fmt_configs->fmt_config[i].fmt_ext; ++ fmt_ext = &fmt_cfg->fmt_ext; + + if (fmt_ext->fmt.channels > max_ch) + max_ch = fmt_ext->fmt.channels; ++ ++ /* Move to the next nhlt_fmt_cfg */ ++ fmt_cfg = (struct nhlt_fmt_cfg *)(fmt_cfg->config.caps + ++ fmt_cfg->config.size); + } + dev_dbg(dev, "max channels found %d\n", max_ch); + } else { +-- +2.35.1 + diff --git a/queue-5.10/alsa-hda-intel-nhlt-remove-use-of-__func__-in-dev_db.patch b/queue-5.10/alsa-hda-intel-nhlt-remove-use-of-__func__-in-dev_db.patch new file mode 100644 index 00000000000..c8fed1ff076 --- /dev/null +++ b/queue-5.10/alsa-hda-intel-nhlt-remove-use-of-__func__-in-dev_db.patch @@ -0,0 +1,79 @@ +From ab372913d69adafb4023a2b22e17e9429c82a9e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jun 2022 17:05:59 -0500 +Subject: ALSA: hda: intel-nhlt: remove use of __func__ in dev_dbg +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierre-Louis Bossart + +[ Upstream commit 6376ab02374822e1e8758a848ee736a182786a2e ] + +The module and function information can be added with +'modprobe foo dyndbg=+pmf' + +Suggested-by: Greg KH +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Ranjani Sridharan +Reviewed-by: Péter Ujfalusi +Reviewed-by: Bard Liao +Link: https://lore.kernel.org/r/20220616220559.136160-1-pierre-louis.bossart@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/intel-nhlt.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/sound/hda/intel-nhlt.c b/sound/hda/intel-nhlt.c +index e2237239d922a..5e04fedaec49e 100644 +--- a/sound/hda/intel-nhlt.c ++++ b/sound/hda/intel-nhlt.c +@@ -55,8 +55,8 @@ int intel_nhlt_get_dmic_geo(struct device *dev, struct nhlt_acpi_table *nhlt) + + /* find max number of channels based on format_configuration */ + if (fmt_configs->fmt_count) { +- dev_dbg(dev, "%s: found %d format definitions\n", +- __func__, fmt_configs->fmt_count); ++ dev_dbg(dev, "found %d format definitions\n", ++ fmt_configs->fmt_count); + + for (i = 0; i < fmt_configs->fmt_count; i++) { + struct wav_fmt_ext *fmt_ext; +@@ -66,9 +66,9 @@ int intel_nhlt_get_dmic_geo(struct device *dev, struct nhlt_acpi_table *nhlt) + if (fmt_ext->fmt.channels > max_ch) + max_ch = fmt_ext->fmt.channels; + } +- dev_dbg(dev, "%s: max channels found %d\n", __func__, max_ch); ++ dev_dbg(dev, "max channels found %d\n", max_ch); + } else { +- dev_dbg(dev, "%s: No format information found\n", __func__); ++ dev_dbg(dev, "No format information found\n"); + } + + if (cfg->device_config.config_type != NHLT_CONFIG_TYPE_MIC_ARRAY) { +@@ -95,17 +95,16 @@ int intel_nhlt_get_dmic_geo(struct device *dev, struct nhlt_acpi_table *nhlt) + } + + if (dmic_geo > 0) { +- dev_dbg(dev, "%s: Array with %d dmics\n", __func__, dmic_geo); ++ dev_dbg(dev, "Array with %d dmics\n", dmic_geo); + } + if (max_ch > dmic_geo) { +- dev_dbg(dev, "%s: max channels %d exceed dmic number %d\n", +- __func__, max_ch, dmic_geo); ++ dev_dbg(dev, "max channels %d exceed dmic number %d\n", ++ max_ch, dmic_geo); + } + } + } + +- dev_dbg(dev, "%s: dmic number %d max_ch %d\n", +- __func__, dmic_geo, max_ch); ++ dev_dbg(dev, "dmic number %d max_ch %d\n", dmic_geo, max_ch); + + return dmic_geo; + } +-- +2.35.1 + diff --git a/queue-5.10/bpf-cgroup-fix-kernel-bug-in-purge_effective_progs.patch b/queue-5.10/bpf-cgroup-fix-kernel-bug-in-purge_effective_progs.patch new file mode 100644 index 00000000000..16f67709979 --- /dev/null +++ b/queue-5.10/bpf-cgroup-fix-kernel-bug-in-purge_effective_progs.patch @@ -0,0 +1,107 @@ +From 4d09d59d32be41a787db0ff4f04817c8cf5d34fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Aug 2022 21:40:30 +0800 +Subject: bpf, cgroup: Fix kernel BUG in purge_effective_progs + +From: Pu Lehui + +[ Upstream commit 7d6620f107bae6ed687ff07668e8e8f855487aa9 ] + +Syzkaller reported a triggered kernel BUG as follows: + + ------------[ cut here ]------------ + kernel BUG at kernel/bpf/cgroup.c:925! + invalid opcode: 0000 [#1] PREEMPT SMP NOPTI + CPU: 1 PID: 194 Comm: detach Not tainted 5.19.0-14184-g69dac8e431af #8 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS + rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + RIP: 0010:__cgroup_bpf_detach+0x1f2/0x2a0 + Code: 00 e8 92 60 30 00 84 c0 75 d8 4c 89 e0 31 f6 85 f6 74 19 42 f6 84 + 28 48 05 00 00 02 75 0e 48 8b 80 c0 00 00 00 48 85 c0 75 e5 <0f> 0b 48 + 8b 0c5 + RSP: 0018:ffffc9000055bdb0 EFLAGS: 00000246 + RAX: 0000000000000000 RBX: ffff888100ec0800 RCX: ffffc900000f1000 + RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888100ec4578 + RBP: 0000000000000000 R08: ffff888100ec0800 R09: 0000000000000040 + R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100ec4000 + R13: 000000000000000d R14: ffffc90000199000 R15: ffff888100effb00 + FS: 00007f68213d2b80(0000) GS:ffff88813bc80000(0000) + knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000055f74a0e5850 CR3: 0000000102836000 CR4: 00000000000006e0 + Call Trace: + + cgroup_bpf_prog_detach+0xcc/0x100 + __sys_bpf+0x2273/0x2a00 + __x64_sys_bpf+0x17/0x20 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + RIP: 0033:0x7f68214dbcb9 + Code: 08 44 89 e0 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 + f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 + f0 ff8 + RSP: 002b:00007ffeb487db68 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 + RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007f68214dbcb9 + RDX: 0000000000000090 RSI: 00007ffeb487db70 RDI: 0000000000000009 + RBP: 0000000000000003 R08: 0000000000000012 R09: 0000000b00000003 + R10: 00007ffeb487db70 R11: 0000000000000246 R12: 00007ffeb487dc20 + R13: 0000000000000004 R14: 0000000000000001 R15: 000055f74a1011b0 + + Modules linked in: + ---[ end trace 0000000000000000 ]--- + +Repetition steps: + +For the following cgroup tree, + + root + | + cg1 + | + cg2 + + 1. attach prog2 to cg2, and then attach prog1 to cg1, both bpf progs + attach type is NONE or OVERRIDE. + 2. write 1 to /proc/thread-self/fail-nth for failslab. + 3. detach prog1 for cg1, and then kernel BUG occur. + +Failslab injection will cause kmalloc fail and fall back to +purge_effective_progs. The problem is that cg2 have attached another prog, +so when go through cg2 layer, iteration will add pos to 1, and subsequent +operations will be skipped by the following condition, and cg will meet +NULL in the end. + + `if (pos && !(cg->bpf.flags[atype] & BPF_F_ALLOW_MULTI))` + +The NULL cg means no link or prog match, this is as expected, and it's not +a bug. So here just skip the no match situation. + +Fixes: 4c46091ee985 ("bpf: Fix KASAN use-after-free Read in compute_effective_progs") +Signed-off-by: Pu Lehui +Signed-off-by: Daniel Borkmann +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20220813134030.1972696-1-pulehui@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/cgroup.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c +index d154e52dd7ae0..6d92e393e1bc6 100644 +--- a/kernel/bpf/cgroup.c ++++ b/kernel/bpf/cgroup.c +@@ -695,8 +695,10 @@ static void purge_effective_progs(struct cgroup *cgrp, struct bpf_prog *prog, + pos++; + } + } ++ ++ /* no link or prog match, skip the cgroup of this layer */ ++ continue; + found: +- BUG_ON(!cg); + progs = rcu_dereference_protected( + desc->bpf.effective[type], + lockdep_is_held(&cgroup_mutex)); +-- +2.35.1 + diff --git a/queue-5.10/drm-msm-dp-delete-dp_recovered_clock_out_en-to-fix-t.patch b/queue-5.10/drm-msm-dp-delete-dp_recovered_clock_out_en-to-fix-t.patch new file mode 100644 index 00000000000..6771a8a37e1 --- /dev/null +++ b/queue-5.10/drm-msm-dp-delete-dp_recovered_clock_out_en-to-fix-t.patch @@ -0,0 +1,65 @@ +From 24257d08156d3edba786239603006bb359ec22d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Aug 2022 15:57:50 -0700 +Subject: drm/msm/dp: delete DP_RECOVERED_CLOCK_OUT_EN to fix tps4 + +From: Kuogee Hsieh + +[ Upstream commit 032d57960176ac01cc5adff5bcc5eb51317f8781 ] + +Data Symbols scrambled is required for tps4 at link training 2. +Therefore SCRAMBLING_DISABLE bit should not be set for tps4 to +work. + +RECOVERED_CLOCK_OUT_EN is for enable simple EYE test for jitter +measurement with minimal equipment for embedded applications purpose +and is not required to be set during normal operation. Current +implementation always have RECOVERED_CLOCK_OUT_EN bit set which +cause SCRAMBLING_DISABLE bit wrongly set at tps4 which prevent +tps4 from working. + +This patch delete setting RECOVERED_CLOCK_OUT_EN to fix +SCRAMBLING_DISABLE be wrongly set at tps4. + +Changes in v2: +-- fix Fixes tag + +Changes in v3: +-- revise commit text + +Changes in v4: +-- fix commit text newline + +Changes in v5: +-- fix commit text line over 75 chars + +Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support") +Signed-off-by: Kuogee Hsieh + +Reviewed-by: Abhinav Kumar +Reviewed-by: Stephen Boyd +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/497194/ +Link: https://lore.kernel.org/r/1660258670-4200-1-git-send-email-quic_khsieh@quicinc.com +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_ctrl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.c b/drivers/gpu/drm/msm/dp/dp_ctrl.c +index b9ca844ce2ad0..9fac55c24214a 100644 +--- a/drivers/gpu/drm/msm/dp/dp_ctrl.c ++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.c +@@ -1205,7 +1205,7 @@ static int dp_ctrl_link_train_2(struct dp_ctrl_private *ctrl, + if (ret) + return ret; + +- dp_ctrl_train_pattern_set(ctrl, pattern | DP_RECOVERED_CLOCK_OUT_EN); ++ dp_ctrl_train_pattern_set(ctrl, pattern); + + for (tries = 0; tries <= maximum_retries; tries++) { + drm_dp_link_train_channel_eq_delay(ctrl->panel->dpcd); +-- +2.35.1 + diff --git a/queue-5.10/drm-msm-dsi-fix-number-of-regulators-for-msm8996_dsi.patch b/queue-5.10/drm-msm-dsi-fix-number-of-regulators-for-msm8996_dsi.patch new file mode 100644 index 00000000000..16749d3b3da --- /dev/null +++ b/queue-5.10/drm-msm-dsi-fix-number-of-regulators-for-msm8996_dsi.patch @@ -0,0 +1,39 @@ +From b93f5ebcf2921d8e923dfec250ceb32e7c02b803 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 07:38:48 -0700 +Subject: drm/msm/dsi: Fix number of regulators for msm8996_dsi_cfg + +From: Douglas Anderson + +[ Upstream commit 1e00d6ac8a3422765bae37aeac2002dfd3c0bda6 ] + +3 regulators are listed but the number 2 is specified. Fix it. + +Fixes: 3a3ff88a0fc1 ("drm/msm/dsi: Add 8x96 info in dsi_cfg") +Signed-off-by: Douglas Anderson +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/496318/ +Link: https://lore.kernel.org/r/20220804073608.v4.1.I1056ee3f77f71287f333279efe4c85f88d403f65@changeid +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_cfg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_cfg.c b/drivers/gpu/drm/msm/dsi/dsi_cfg.c +index d255bea87ca41..6c93c215ed795 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_cfg.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_cfg.c +@@ -117,7 +117,7 @@ static const char * const dsi_8996_bus_clk_names[] = { + static const struct msm_dsi_config msm8996_dsi_cfg = { + .io_offset = DSI_6G_REG_SHIFT, + .reg_cfg = { +- .num = 2, ++ .num = 3, + .regs = { + {"vdda", 18160, 1 }, /* 1.25 V */ + {"vcca", 17000, 32 }, /* 0.925 V */ +-- +2.35.1 + diff --git a/queue-5.10/drm-msm-dsi-fix-number-of-regulators-for-sdm660.patch b/queue-5.10/drm-msm-dsi-fix-number-of-regulators-for-sdm660.patch new file mode 100644 index 00000000000..fbd5b381ccc --- /dev/null +++ b/queue-5.10/drm-msm-dsi-fix-number-of-regulators-for-sdm660.patch @@ -0,0 +1,41 @@ +From a2cc33fe38270f6e3a5448f47f3bebea4fd55d45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 07:38:49 -0700 +Subject: drm/msm/dsi: Fix number of regulators for SDM660 + +From: Douglas Anderson + +[ Upstream commit a1653a75987749ba6dba94fa2e62f0f36b387d1a ] + +1 regulator is listed but the number 2 is specified. This presumably +means we try to get a regulator with no name. Fix it. + +Fixes: 462f7017a691 ("drm/msm/dsi: Fix DSI and DSI PHY regulator config from SDM660") +Signed-off-by: Douglas Anderson +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Marijn Suijten +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/496323/ +Link: https://lore.kernel.org/r/20220804073608.v4.2.I94b3c3e412b7c208061349f05659e126483171b1@changeid +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_cfg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_cfg.c b/drivers/gpu/drm/msm/dsi/dsi_cfg.c +index 6c93c215ed795..73f066ef6f406 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_cfg.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_cfg.c +@@ -156,7 +156,7 @@ static const char * const dsi_sdm660_bus_clk_names[] = { + static const struct msm_dsi_config sdm660_dsi_cfg = { + .io_offset = DSI_6G_REG_SHIFT, + .reg_cfg = { +- .num = 2, ++ .num = 1, + .regs = { + {"vdda", 12560, 4 }, /* 1.2 V */ + }, +-- +2.35.1 + diff --git a/queue-5.10/drm-msm-dsi-fix-the-inconsistent-indenting.patch b/queue-5.10/drm-msm-dsi-fix-the-inconsistent-indenting.patch new file mode 100644 index 00000000000..6a71d95e061 --- /dev/null +++ b/queue-5.10/drm-msm-dsi-fix-the-inconsistent-indenting.patch @@ -0,0 +1,43 @@ +From 6d9ef6df86223a675b8df5935ce31165f05376d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 09:56:22 +0800 +Subject: drm/msm/dsi: fix the inconsistent indenting + +From: sunliming + +[ Upstream commit 2f25a1fb4ec516c5ad67afd754334b491b9f09a5 ] + +Fix the inconsistent indenting in function msm_dsi_dphy_timing_calc_v3(). + +Fix the following smatch warnings: + +drivers/gpu/drm/msm/dsi/phy/dsi_phy.c:350 msm_dsi_dphy_timing_calc_v3() warn: inconsistent indenting + +Fixes: f1fa7ff44056 ("drm/msm/dsi: implement auto PHY timing calculator for 10nm PHY") +Reported-by: kernel test robot +Signed-off-by: sunliming +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/494662/ +Link: https://lore.kernel.org/r/20220719015622.646718-1-sunliming@kylinos.cn +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c +index e07986ab52c22..2e0be85ec3947 100644 +--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c ++++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c +@@ -345,7 +345,7 @@ int msm_dsi_dphy_timing_calc_v3(struct msm_dsi_dphy_timing *timing, + } else { + timing->shared_timings.clk_pre = + linear_inter(tmax, tmin, pcnt2, 0, false); +- timing->shared_timings.clk_pre_inc_by_2 = 0; ++ timing->shared_timings.clk_pre_inc_by_2 = 0; + } + + timing->ta_go = 3; +-- +2.35.1 + diff --git a/queue-5.10/ethernet-rocker-fix-sleep-in-atomic-context-bug-in-n.patch b/queue-5.10/ethernet-rocker-fix-sleep-in-atomic-context-bug-in-n.patch new file mode 100644 index 00000000000..72ec594dbe4 --- /dev/null +++ b/queue-5.10/ethernet-rocker-fix-sleep-in-atomic-context-bug-in-n.patch @@ -0,0 +1,57 @@ +From b8e01dc29231b5d74ae769b5d55de0c8031530fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Aug 2022 23:38:15 +0800 +Subject: ethernet: rocker: fix sleep in atomic context bug in + neigh_timer_handler + +From: Duoming Zhou + +[ Upstream commit c0955bf957be4bead01fae1d791476260da7325d ] + +The function neigh_timer_handler() is a timer handler that runs in an +atomic context. When used by rocker, neigh_timer_handler() calls +"kzalloc(.., GFP_KERNEL)" that may sleep. As a result, the sleep in +atomic context bug will happen. One of the processes is shown below: + +ofdpa_fib4_add() + ... + neigh_add_timer() + +(wait a timer) + +neigh_timer_handler() + neigh_release() + neigh_destroy() + rocker_port_neigh_destroy() + rocker_world_port_neigh_destroy() + ofdpa_port_neigh_destroy() + ofdpa_port_ipv4_neigh() + kzalloc(sizeof(.., GFP_KERNEL) //may sleep + +This patch changes the gfp_t parameter of kzalloc() from GFP_KERNEL to +GFP_ATOMIC in order to mitigate the bug. + +Fixes: 00fc0c51e35b ("rocker: Change world_ops API and implementation to be switchdev independant") +Signed-off-by: Duoming Zhou +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/rocker/rocker_ofdpa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/rocker/rocker_ofdpa.c b/drivers/net/ethernet/rocker/rocker_ofdpa.c +index 8157666209798..e4d919de7e3fc 100644 +--- a/drivers/net/ethernet/rocker/rocker_ofdpa.c ++++ b/drivers/net/ethernet/rocker/rocker_ofdpa.c +@@ -1273,7 +1273,7 @@ static int ofdpa_port_ipv4_neigh(struct ofdpa_port *ofdpa_port, + bool removing; + int err = 0; + +- entry = kzalloc(sizeof(*entry), GFP_KERNEL); ++ entry = kzalloc(sizeof(*entry), GFP_ATOMIC); + if (!entry) + return -ENOMEM; + +-- +2.35.1 + diff --git a/queue-5.10/ieee802154-adf7242-defer-destroy_workqueue-call.patch b/queue-5.10/ieee802154-adf7242-defer-destroy_workqueue-call.patch new file mode 100644 index 00000000000..eaec54b70f9 --- /dev/null +++ b/queue-5.10/ieee802154-adf7242-defer-destroy_workqueue-call.patch @@ -0,0 +1,60 @@ +From 547e13c59a47bfaec152194d45055e05de09ea5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Aug 2022 11:42:24 +0800 +Subject: ieee802154/adf7242: defer destroy_workqueue call + +From: Lin Ma + +[ Upstream commit afe7116f6d3b888778ed6d95e3cf724767b9aedf ] + +There is a possible race condition (use-after-free) like below + + (FREE) | (USE) + adf7242_remove | adf7242_channel + cancel_delayed_work_sync | + destroy_workqueue (1) | adf7242_cmd_rx + | mod_delayed_work (2) + | + +The root cause for this race is that the upper layer (ieee802154) is +unaware of this detaching event and the function adf7242_channel can +be called without any checks. + +To fix this, we can add a flag write at the beginning of adf7242_remove +and add flag check in adf7242_channel. Or we can just defer the +destructive operation like other commit 3e0588c291d6 ("hamradio: defer +ax25 kfree after unregister_netdev") which let the +ieee802154_unregister_hw() to handle the synchronization. This patch +takes the second option. + +Fixes: 58e9683d1475 ("net: ieee802154: adf7242: Fix OCL calibration +runs") +Signed-off-by: Lin Ma +Acked-by: Michael Hennerich +Link: https://lore.kernel.org/r/20220808034224.12642-1-linma@zju.edu.cn +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/adf7242.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c +index 7db9cbd0f5ded..07adbeec19787 100644 +--- a/drivers/net/ieee802154/adf7242.c ++++ b/drivers/net/ieee802154/adf7242.c +@@ -1310,10 +1310,11 @@ static int adf7242_remove(struct spi_device *spi) + + debugfs_remove_recursive(lp->debugfs_root); + ++ ieee802154_unregister_hw(lp->hw); ++ + cancel_delayed_work_sync(&lp->work); + destroy_workqueue(lp->wqueue); + +- ieee802154_unregister_hw(lp->hw); + mutex_destroy(&lp->bmux); + ieee802154_free_hw(lp->hw); + +-- +2.35.1 + diff --git a/queue-5.10/iio-adc-mcp3911-make-use-of-the-sign-bit.patch b/queue-5.10/iio-adc-mcp3911-make-use-of-the-sign-bit.patch new file mode 100644 index 00000000000..5811c936ce2 --- /dev/null +++ b/queue-5.10/iio-adc-mcp3911-make-use-of-the-sign-bit.patch @@ -0,0 +1,37 @@ +From 078aba31827c5a2491e6fc956bae1cd5eff79d05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jul 2022 15:07:18 +0200 +Subject: iio: adc: mcp3911: make use of the sign bit + +From: Marcus Folkesson + +[ Upstream commit 8f89e33bf040bbef66386c426198622180233178 ] + +The device supports negative values as well. + +Fixes: 3a89b289df5d ("iio: adc: add support for mcp3911") +Signed-off-by: Marcus Folkesson +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220722130726.7627-2-marcus.folkesson@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/mcp3911.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/iio/adc/mcp3911.c b/drivers/iio/adc/mcp3911.c +index e573da5397bb3..81eeb00842112 100644 +--- a/drivers/iio/adc/mcp3911.c ++++ b/drivers/iio/adc/mcp3911.c +@@ -111,6 +111,8 @@ static int mcp3911_read_raw(struct iio_dev *indio_dev, + if (ret) + goto out; + ++ *val = sign_extend32(*val, 23); ++ + ret = IIO_VAL_INT; + break; + +-- +2.35.1 + diff --git a/queue-5.10/kcm-fix-strp_init-order-and-cleanup.patch b/queue-5.10/kcm-fix-strp_init-order-and-cleanup.patch new file mode 100644 index 00000000000..654cba67a1c --- /dev/null +++ b/queue-5.10/kcm-fix-strp_init-order-and-cleanup.patch @@ -0,0 +1,74 @@ +From 4d3fce2689e4095de3e6931f5a84d308bfe79d14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Aug 2022 11:13:14 -0700 +Subject: kcm: fix strp_init() order and cleanup + +From: Cong Wang + +[ Upstream commit 8fc29ff3910f3af08a7c40a75d436b5720efe2bf ] + +strp_init() is called just a few lines above this csk->sk_user_data +check, it also initializes strp->work etc., therefore, it is +unnecessary to call strp_done() to cancel the freshly initialized +work. + +And if sk_user_data is already used by KCM, psock->strp should not be +touched, particularly strp->work state, so we need to move strp_init() +after the csk->sk_user_data check. + +This also makes a lockdep warning reported by syzbot go away. + +Reported-and-tested-by: syzbot+9fc084a4348493ef65d2@syzkaller.appspotmail.com +Reported-by: syzbot+e696806ef96cdd2d87cd@syzkaller.appspotmail.com +Fixes: e5571240236c ("kcm: Check if sk_user_data already set in kcm_attach") +Fixes: dff8baa26117 ("kcm: Call strp_stop before strp_done in kcm_attach") +Cc: Tom Herbert +Signed-off-by: Cong Wang +Link: https://lore.kernel.org/r/20220827181314.193710-1-xiyou.wangcong@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/kcm/kcmsock.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c +index 56dad9565bc93..18469f1f707e5 100644 +--- a/net/kcm/kcmsock.c ++++ b/net/kcm/kcmsock.c +@@ -1411,12 +1411,6 @@ static int kcm_attach(struct socket *sock, struct socket *csock, + psock->sk = csk; + psock->bpf_prog = prog; + +- err = strp_init(&psock->strp, csk, &cb); +- if (err) { +- kmem_cache_free(kcm_psockp, psock); +- goto out; +- } +- + write_lock_bh(&csk->sk_callback_lock); + + /* Check if sk_user_data is aready by KCM or someone else. +@@ -1424,13 +1418,18 @@ static int kcm_attach(struct socket *sock, struct socket *csock, + */ + if (csk->sk_user_data) { + write_unlock_bh(&csk->sk_callback_lock); +- strp_stop(&psock->strp); +- strp_done(&psock->strp); + kmem_cache_free(kcm_psockp, psock); + err = -EALREADY; + goto out; + } + ++ err = strp_init(&psock->strp, csk, &cb); ++ if (err) { ++ write_unlock_bh(&csk->sk_callback_lock); ++ kmem_cache_free(kcm_psockp, psock); ++ goto out; ++ } ++ + psock->save_data_ready = csk->sk_data_ready; + psock->save_write_space = csk->sk_write_space; + psock->save_state_change = csk->sk_state_change; +-- +2.35.1 + diff --git a/queue-5.10/net-sched-fix-netdevice-reference-leaks-in-attach_de.patch b/queue-5.10/net-sched-fix-netdevice-reference-leaks-in-attach_de.patch new file mode 100644 index 00000000000..eed6bcb79a8 --- /dev/null +++ b/queue-5.10/net-sched-fix-netdevice-reference-leaks-in-attach_de.patch @@ -0,0 +1,111 @@ +From 6af123f9a7311c91742481d896261b8087f1cc35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 17:00:55 +0800 +Subject: net/sched: fix netdevice reference leaks in attach_default_qdiscs() + +From: Wang Hai + +[ Upstream commit f612466ebecb12a00d9152344ddda6f6345f04dc ] + +In attach_default_qdiscs(), if a dev has multiple queues and queue 0 fails +to attach qdisc because there is no memory in attach_one_default_qdisc(). +Then dev->qdisc will be noop_qdisc by default. But the other queues may be +able to successfully attach to default qdisc. + +In this case, the fallback to noqueue process will be triggered. If the +original attached qdisc is not released and a new one is directly +attached, this will cause netdevice reference leaks. + +The following is the bug log: + +veth0: default qdisc (fq_codel) fail, fallback to noqueue +unregister_netdevice: waiting for veth0 to become free. Usage count = 32 +leaked reference. + qdisc_alloc+0x12e/0x210 + qdisc_create_dflt+0x62/0x140 + attach_one_default_qdisc.constprop.41+0x44/0x70 + dev_activate+0x128/0x290 + __dev_open+0x12a/0x190 + __dev_change_flags+0x1a2/0x1f0 + dev_change_flags+0x23/0x60 + do_setlink+0x332/0x1150 + __rtnl_newlink+0x52f/0x8e0 + rtnl_newlink+0x43/0x70 + rtnetlink_rcv_msg+0x140/0x3b0 + netlink_rcv_skb+0x50/0x100 + netlink_unicast+0x1bb/0x290 + netlink_sendmsg+0x37c/0x4e0 + sock_sendmsg+0x5f/0x70 + ____sys_sendmsg+0x208/0x280 + +Fix this bug by clearing any non-noop qdiscs that may have been assigned +before trying to re-attach. + +Fixes: bf6dba76d278 ("net: sched: fallback to qdisc noqueue if default qdisc setup fail") +Signed-off-by: Wang Hai +Link: https://lore.kernel.org/r/20220826090055.24424-1-wanghai38@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/sch_generic.c | 31 ++++++++++++++++--------------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c +index 68f1e89430b3b..ecdd9e83f2f49 100644 +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -1057,6 +1057,21 @@ struct Qdisc *dev_graft_qdisc(struct netdev_queue *dev_queue, + } + EXPORT_SYMBOL(dev_graft_qdisc); + ++static void shutdown_scheduler_queue(struct net_device *dev, ++ struct netdev_queue *dev_queue, ++ void *_qdisc_default) ++{ ++ struct Qdisc *qdisc = dev_queue->qdisc_sleeping; ++ struct Qdisc *qdisc_default = _qdisc_default; ++ ++ if (qdisc) { ++ rcu_assign_pointer(dev_queue->qdisc, qdisc_default); ++ dev_queue->qdisc_sleeping = qdisc_default; ++ ++ qdisc_put(qdisc); ++ } ++} ++ + static void attach_one_default_qdisc(struct net_device *dev, + struct netdev_queue *dev_queue, + void *_unused) +@@ -1104,6 +1119,7 @@ static void attach_default_qdiscs(struct net_device *dev) + if (qdisc == &noop_qdisc) { + netdev_warn(dev, "default qdisc (%s) fail, fallback to %s\n", + default_qdisc_ops->id, noqueue_qdisc_ops.id); ++ netdev_for_each_tx_queue(dev, shutdown_scheduler_queue, &noop_qdisc); + dev->priv_flags |= IFF_NO_QUEUE; + netdev_for_each_tx_queue(dev, attach_one_default_qdisc, NULL); + qdisc = txq->qdisc_sleeping; +@@ -1357,21 +1373,6 @@ void dev_init_scheduler(struct net_device *dev) + timer_setup(&dev->watchdog_timer, dev_watchdog, 0); + } + +-static void shutdown_scheduler_queue(struct net_device *dev, +- struct netdev_queue *dev_queue, +- void *_qdisc_default) +-{ +- struct Qdisc *qdisc = dev_queue->qdisc_sleeping; +- struct Qdisc *qdisc_default = _qdisc_default; +- +- if (qdisc) { +- rcu_assign_pointer(dev_queue->qdisc, qdisc_default); +- dev_queue->qdisc_sleeping = qdisc_default; +- +- qdisc_put(qdisc); +- } +-} +- + void dev_shutdown(struct net_device *dev) + { + netdev_for_each_tx_queue(dev, shutdown_scheduler_queue, &noop_qdisc); +-- +2.35.1 + diff --git a/queue-5.10/net-sched-tbf-don-t-call-qdisc_put-while-holding-tre.patch b/queue-5.10/net-sched-tbf-don-t-call-qdisc_put-while-holding-tre.patch new file mode 100644 index 00000000000..b75e00c833f --- /dev/null +++ b/queue-5.10/net-sched-tbf-don-t-call-qdisc_put-while-holding-tre.patch @@ -0,0 +1,54 @@ +From ed6da85e62ca5cd68f7f059b10eaecba22f7591b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 09:39:30 +0800 +Subject: net: sched: tbf: don't call qdisc_put() while holding tree lock + +From: Zhengchao Shao + +[ Upstream commit b05972f01e7d30419987a1f221b5593668fd6448 ] + +The issue is the same to commit c2999f7fb05b ("net: sched: multiq: don't +call qdisc_put() while holding tree lock"). Qdiscs call qdisc_put() while +holding sch tree spinlock, which results sleeping-while-atomic BUG. + +Fixes: c266f64dbfa2 ("net: sched: protect block state with mutex") +Signed-off-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20220826013930.340121-1-shaozhengchao@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/sch_tbf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c +index 78e79029dc631..6eb17004a9e44 100644 +--- a/net/sched/sch_tbf.c ++++ b/net/sched/sch_tbf.c +@@ -342,6 +342,7 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt, + struct nlattr *tb[TCA_TBF_MAX + 1]; + struct tc_tbf_qopt *qopt; + struct Qdisc *child = NULL; ++ struct Qdisc *old = NULL; + struct psched_ratecfg rate; + struct psched_ratecfg peak; + u64 max_size; +@@ -433,7 +434,7 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt, + sch_tree_lock(sch); + if (child) { + qdisc_tree_flush_backlog(q->qdisc); +- qdisc_put(q->qdisc); ++ old = q->qdisc; + q->qdisc = child; + } + q->limit = qopt->limit; +@@ -453,6 +454,7 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt, + memcpy(&q->peak, &peak, sizeof(struct psched_ratecfg)); + + sch_tree_unlock(sch); ++ qdisc_put(old); + err = 0; + + tbf_offload_change(sch); +-- +2.35.1 + diff --git a/queue-5.10/net-smc-remove-redundant-refcount-increase.patch b/queue-5.10/net-smc-remove-redundant-refcount-increase.patch new file mode 100644 index 00000000000..ca4e06574e3 --- /dev/null +++ b/queue-5.10/net-smc-remove-redundant-refcount-increase.patch @@ -0,0 +1,37 @@ +From 22e1c85b5effe697ce5c00a2656d78b7275a58a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 23:23:14 +0800 +Subject: net/smc: Remove redundant refcount increase + +From: Yacan Liu + +[ Upstream commit a8424a9b4522a3ab9f32175ad6d848739079071f ] + +For passive connections, the refcount increment has been done in +smc_clcsock_accept()-->smc_sock_alloc(). + +Fixes: 3b2dec2603d5 ("net/smc: restructure client and server code in af_smc") +Signed-off-by: Yacan Liu +Reviewed-by: Tony Lu +Link: https://lore.kernel.org/r/20220830152314.838736-1-liuyacan@corp.netease.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 5d7710dd95145..41cbc7c89c9d2 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -1325,7 +1325,6 @@ static void smc_listen_out_connected(struct smc_sock *new_smc) + { + struct sock *newsmcsk = &new_smc->sk; + +- sk_refcnt_debug_inc(newsmcsk); + if (newsmcsk->sk_state == SMC_INIT) + newsmcsk->sk_state = SMC_ACTIVE; + +-- +2.35.1 + diff --git a/queue-5.10/platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch b/queue-5.10/platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch new file mode 100644 index 00000000000..15bea161e48 --- /dev/null +++ b/queue-5.10/platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch @@ -0,0 +1,67 @@ +From 4b61341508963162b2f7e2310cb28499dab56d78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 14:37:31 +0300 +Subject: platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask + +From: Andy Shevchenko + +[ Upstream commit 0a90ed8d0cfa29735a221eba14d9cb6c735d35b6 ] + +On Intel hardware the SLP_TYPx bitfield occupies bits 10-12 as per ACPI +specification (see Table 4.13 "PM1 Control Registers Fixed Hardware +Feature Control Bits" for the details). + +Fix the mask and other related definitions accordingly. + +Fixes: 93e5eadd1f6e ("x86/platform: New Intel Atom SOC power management controller driver") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220801113734.36131-1-andriy.shevchenko@linux.intel.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/pmc_atom.c | 2 +- + include/linux/platform_data/x86/pmc_atom.h | 6 ++++-- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c +index a9d2a4b98e570..4b0739f95f8b9 100644 +--- a/drivers/platform/x86/pmc_atom.c ++++ b/drivers/platform/x86/pmc_atom.c +@@ -244,7 +244,7 @@ static void pmc_power_off(void) + pm1_cnt_port = acpi_base_addr + PM1_CNT; + + pm1_cnt_value = inl(pm1_cnt_port); +- pm1_cnt_value &= SLEEP_TYPE_MASK; ++ pm1_cnt_value &= ~SLEEP_TYPE_MASK; + pm1_cnt_value |= SLEEP_TYPE_S5; + pm1_cnt_value |= SLEEP_ENABLE; + +diff --git a/include/linux/platform_data/x86/pmc_atom.h b/include/linux/platform_data/x86/pmc_atom.h +index 022bcea9edec5..99a9b09dc839d 100644 +--- a/include/linux/platform_data/x86/pmc_atom.h ++++ b/include/linux/platform_data/x86/pmc_atom.h +@@ -7,6 +7,8 @@ + #ifndef PMC_ATOM_H + #define PMC_ATOM_H + ++#include ++ + /* ValleyView Power Control Unit PCI Device ID */ + #define PCI_DEVICE_ID_VLV_PMC 0x0F1C + /* CherryTrail Power Control Unit PCI Device ID */ +@@ -139,9 +141,9 @@ + #define ACPI_MMIO_REG_LEN 0x100 + + #define PM1_CNT 0x4 +-#define SLEEP_TYPE_MASK 0xFFFFECFF ++#define SLEEP_TYPE_MASK GENMASK(12, 10) + #define SLEEP_TYPE_S5 0x1C00 +-#define SLEEP_ENABLE 0x2000 ++#define SLEEP_ENABLE BIT(13) + + extern int pmc_atom_read(int offset, u32 *value); + extern int pmc_atom_write(int offset, u32 value); +-- +2.35.1 + diff --git a/queue-5.10/revert-sch_cake-return-__net_xmit_stolen-when-consum.patch b/queue-5.10/revert-sch_cake-return-__net_xmit_stolen-when-consum.patch new file mode 100644 index 00000000000..a20c999e93c --- /dev/null +++ b/queue-5.10/revert-sch_cake-return-__net_xmit_stolen-when-consum.patch @@ -0,0 +1,54 @@ +From ee8b30d7fa2a2882197b53e954cb1a633aa85932 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 20:01:32 -0700 +Subject: Revert "sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued + skb" + +From: Jakub Kicinski + +[ Upstream commit 0b4f688d53fdc2a731b9d9cdf0c96255bc024ea6 ] + +This reverts commit 90fabae8a2c225c4e4936723c38857887edde5cc. + +Patch was applied hastily, revert and let the v2 be reviewed. + +Fixes: 90fabae8a2c2 ("sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb") +Link: https://lore.kernel.org/all/87wnao2ha3.fsf@toke.dk/ +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_cake.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c +index 4e380534dbc92..c580139fcedec 100644 +--- a/net/sched/sch_cake.c ++++ b/net/sched/sch_cake.c +@@ -1713,7 +1713,6 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + } + idx--; + flow = &b->flows[idx]; +- ret = NET_XMIT_SUCCESS; + + /* ensure shaper state isn't stale */ + if (!b->tin_backlog) { +@@ -1772,7 +1771,6 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + + qdisc_tree_reduce_backlog(sch, 1-numsegs, len-slen); + consume_skb(skb); +- ret |= __NET_XMIT_STOLEN; + } else { + /* not splitting */ + cobalt_set_enqueue_time(skb, now); +@@ -1906,7 +1904,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + } + b->drop_overlimit += dropped; + } +- return ret; ++ return NET_XMIT_SUCCESS; + } + + static struct sk_buff *cake_dequeue_one(struct Qdisc *sch) +-- +2.35.1 + diff --git a/queue-5.10/revert-xhci-turn-off-port-power-in-shutdown.patch b/queue-5.10/revert-xhci-turn-off-port-power-in-shutdown.patch new file mode 100644 index 00000000000..4a4f5bff0b8 --- /dev/null +++ b/queue-5.10/revert-xhci-turn-off-port-power-in-shutdown.patch @@ -0,0 +1,94 @@ +From 70231eb33f393c2f515b8713949b99187e7f2de3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 18:08:40 +0300 +Subject: Revert "xhci: turn off port power in shutdown" + +From: Mathias Nyman + +[ Upstream commit 8531aa1659f7278d4f2ec7408cc000eaa8d85217 ] + +This reverts commit 83810f84ecf11dfc5a9414a8b762c3501b328185. + +Turning off port power in shutdown did cause issues such as a laptop not +proprly powering off, and some specific usb devies failing to enumerate the +subsequent boot after a warm reset. + +So revert this. + +Fixes: 83810f84ecf1 ("xhci: turn off port power in shutdown") +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20220825150840.132216-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-hub.c | 2 +- + drivers/usb/host/xhci.c | 15 ++------------- + drivers/usb/host/xhci.h | 2 -- + 3 files changed, 3 insertions(+), 16 deletions(-) + +diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c +index 94adae8b19f00..1eb3b5deb940e 100644 +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -566,7 +566,7 @@ struct xhci_hub *xhci_get_rhub(struct usb_hcd *hcd) + * It will release and re-aquire the lock while calling ACPI + * method. + */ +-void xhci_set_port_power(struct xhci_hcd *xhci, struct usb_hcd *hcd, ++static void xhci_set_port_power(struct xhci_hcd *xhci, struct usb_hcd *hcd, + u16 index, bool on, unsigned long *flags) + __must_hold(&xhci->lock) + { +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 997de5f294f15..a1ed5e0d06128 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -775,8 +775,6 @@ static void xhci_stop(struct usb_hcd *hcd) + void xhci_shutdown(struct usb_hcd *hcd) + { + struct xhci_hcd *xhci = hcd_to_xhci(hcd); +- unsigned long flags; +- int i; + + if (xhci->quirks & XHCI_SPURIOUS_REBOOT) + usb_disable_xhci_ports(to_pci_dev(hcd->self.sysdev)); +@@ -792,21 +790,12 @@ void xhci_shutdown(struct usb_hcd *hcd) + del_timer_sync(&xhci->shared_hcd->rh_timer); + } + +- spin_lock_irqsave(&xhci->lock, flags); ++ spin_lock_irq(&xhci->lock); + xhci_halt(xhci); +- +- /* Power off USB2 ports*/ +- for (i = 0; i < xhci->usb2_rhub.num_ports; i++) +- xhci_set_port_power(xhci, xhci->main_hcd, i, false, &flags); +- +- /* Power off USB3 ports*/ +- for (i = 0; i < xhci->usb3_rhub.num_ports; i++) +- xhci_set_port_power(xhci, xhci->shared_hcd, i, false, &flags); +- + /* Workaround for spurious wakeups at shutdown with HSW */ + if (xhci->quirks & XHCI_SPURIOUS_WAKEUP) + xhci_reset(xhci, XHCI_RESET_SHORT_USEC); +- spin_unlock_irqrestore(&xhci->lock, flags); ++ spin_unlock_irq(&xhci->lock); + + xhci_cleanup_msix(xhci); + +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index f87e5fe57f225..3fd150ef8fca9 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -2162,8 +2162,6 @@ int xhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, u16 wIndex, + int xhci_hub_status_data(struct usb_hcd *hcd, char *buf); + int xhci_find_raw_port_number(struct usb_hcd *hcd, int port1); + struct xhci_hub *xhci_get_rhub(struct usb_hcd *hcd); +-void xhci_set_port_power(struct xhci_hcd *xhci, struct usb_hcd *hcd, u16 index, +- bool on, unsigned long *flags); + + void xhci_hc_died(struct xhci_hcd *xhci); + +-- +2.35.1 + diff --git a/queue-5.10/sch_cake-return-__net_xmit_stolen-when-consuming-enq.patch b/queue-5.10/sch_cake-return-__net_xmit_stolen-when-consuming-enq.patch new file mode 100644 index 00000000000..33018804c5d --- /dev/null +++ b/queue-5.10/sch_cake-return-__net_xmit_stolen-when-consuming-enq.patch @@ -0,0 +1,61 @@ +From c825b55dacf303036b4fd55d1dbb3ca305363014 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 11:21:03 +0200 +Subject: sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 90fabae8a2c225c4e4936723c38857887edde5cc ] + +When the GSO splitting feature of sch_cake is enabled, GSO superpackets +will be broken up and the resulting segments enqueued in place of the +original skb. In this case, CAKE calls consume_skb() on the original skb, +but still returns NET_XMIT_SUCCESS. This can confuse parent qdiscs into +assuming the original skb still exists, when it really has been freed. Fix +this by adding the __NET_XMIT_STOLEN flag to the return value in this case. + +Fixes: 0c850344d388 ("sch_cake: Conditionally split GSO segments") +Signed-off-by: Toke Høiland-Jørgensen +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-18231 +Link: https://lore.kernel.org/r/20220831092103.442868-1-toke@toke.dk +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_cake.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c +index c580139fcedec..4e380534dbc92 100644 +--- a/net/sched/sch_cake.c ++++ b/net/sched/sch_cake.c +@@ -1713,6 +1713,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + } + idx--; + flow = &b->flows[idx]; ++ ret = NET_XMIT_SUCCESS; + + /* ensure shaper state isn't stale */ + if (!b->tin_backlog) { +@@ -1771,6 +1772,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + + qdisc_tree_reduce_backlog(sch, 1-numsegs, len-slen); + consume_skb(skb); ++ ret |= __NET_XMIT_STOLEN; + } else { + /* not splitting */ + cobalt_set_enqueue_time(skb, now); +@@ -1904,7 +1906,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + } + b->drop_overlimit += dropped; + } +- return NET_XMIT_SUCCESS; ++ return ret; + } + + static struct sk_buff *cake_dequeue_one(struct Qdisc *sch) +-- +2.35.1 + diff --git a/queue-5.10/series b/queue-5.10/series new file mode 100644 index 00000000000..422d381e3ee --- /dev/null +++ b/queue-5.10/series @@ -0,0 +1,25 @@ +drm-msm-dsi-fix-the-inconsistent-indenting.patch +drm-msm-dp-delete-dp_recovered_clock_out_en-to-fix-t.patch +drm-msm-dsi-fix-number-of-regulators-for-msm8996_dsi.patch +drm-msm-dsi-fix-number-of-regulators-for-sdm660.patch +platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch +iio-adc-mcp3911-make-use-of-the-sign-bit.patch +usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch +usb-dwc3-qcom-configure-wakeup-interrupts-during-sus.patch +usb-dwc3-qcom-fix-runtime-pm-wakeup.patch +usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch +usb-dwc3-qcom-fix-peripheral-and-otg-suspend.patch +bpf-cgroup-fix-kernel-bug-in-purge_effective_progs.patch +ieee802154-adf7242-defer-destroy_workqueue-call.patch +alsa-hda-intel-nhlt-remove-use-of-__func__-in-dev_db.patch +alsa-hda-intel-nhlt-correct-the-handling-of-fmt_conf.patch +wifi-cfg80211-debugfs-fix-return-type-in-ht40allow_m.patch +revert-xhci-turn-off-port-power-in-shutdown.patch +net-sched-tbf-don-t-call-qdisc_put-while-holding-tre.patch +net-sched-fix-netdevice-reference-leaks-in-attach_de.patch +ethernet-rocker-fix-sleep-in-atomic-context-bug-in-n.patch +kcm-fix-strp_init-order-and-cleanup.patch +sch_cake-return-__net_xmit_stolen-when-consuming-enq.patch +tcp-annotate-data-race-around-challenge_timestamp.patch +revert-sch_cake-return-__net_xmit_stolen-when-consum.patch +net-smc-remove-redundant-refcount-increase.patch diff --git a/queue-5.10/tcp-annotate-data-race-around-challenge_timestamp.patch b/queue-5.10/tcp-annotate-data-race-around-challenge_timestamp.patch new file mode 100644 index 00000000000..a3dcfb858ef --- /dev/null +++ b/queue-5.10/tcp-annotate-data-race-around-challenge_timestamp.patch @@ -0,0 +1,47 @@ +From 6257013bbba4a177e029b7d0cd12b17e9073e0c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 11:56:55 -0700 +Subject: tcp: annotate data-race around challenge_timestamp + +From: Eric Dumazet + +[ Upstream commit 8c70521238b7863c2af607e20bcba20f974c969b ] + +challenge_timestamp can be read an written by concurrent threads. + +This was expected, but we need to annotate the race to avoid potential issues. + +Following patch moves challenge_timestamp and challenge_count +to per-netns storage to provide better isolation. + +Fixes: 354e4aa391ed ("tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Acked-by: Neal Cardwell +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 41b44b311e8a0..e62500d6fe0d0 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3599,11 +3599,11 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb) + + /* Then check host-wide RFC 5961 rate limit. */ + now = jiffies / HZ; +- if (now != challenge_timestamp) { ++ if (now != READ_ONCE(challenge_timestamp)) { + u32 ack_limit = READ_ONCE(net->ipv4.sysctl_tcp_challenge_ack_limit); + u32 half = (ack_limit + 1) >> 1; + +- challenge_timestamp = now; ++ WRITE_ONCE(challenge_timestamp, now); + WRITE_ONCE(challenge_count, half + prandom_u32_max(ack_limit)); + } + count = READ_ONCE(challenge_count); +-- +2.35.1 + diff --git a/queue-5.10/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch b/queue-5.10/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch new file mode 100644 index 00000000000..b1377371d79 --- /dev/null +++ b/queue-5.10/usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch @@ -0,0 +1,107 @@ +From 9eeb2d8aded7ceb9c5c9d0c8d40bd1b5705fb099 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 10:00:52 +0530 +Subject: usb: dwc3: qcom: Add helper functions to enable,disable wake irqs + +From: Sandeep Maheswaram + +[ Upstream commit 360e8230516de94d74d30c64f0cdcf228b8e8b67 ] + +Adding helper functions to enable,disable wake irqs to make +the code simple and readable. + +Reviewed-by: Matthias Kaehlcke +Reviewed-by: Pavankumar Kondeti +Signed-off-by: Sandeep Maheswaram +Signed-off-by: Krishna Kurapati +Link: https://lore.kernel.org/r/1655094654-24052-4-git-send-email-quic_kriskura@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-qcom.c | 58 ++++++++++++++++-------------------- + 1 file changed, 26 insertions(+), 32 deletions(-) + +diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c +index 915fa4197d770..1ae854d1d1d83 100644 +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -296,50 +296,44 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom) + icc_put(qcom->icc_path_apps); + } + ++static void dwc3_qcom_enable_wakeup_irq(int irq) ++{ ++ if (!irq) ++ return; ++ ++ enable_irq(irq); ++ enable_irq_wake(irq); ++} ++ ++static void dwc3_qcom_disable_wakeup_irq(int irq) ++{ ++ if (!irq) ++ return; ++ ++ disable_irq_wake(irq); ++ disable_irq_nosync(irq); ++} ++ + static void dwc3_qcom_disable_interrupts(struct dwc3_qcom *qcom) + { +- if (qcom->hs_phy_irq) { +- disable_irq_wake(qcom->hs_phy_irq); +- disable_irq_nosync(qcom->hs_phy_irq); +- } ++ dwc3_qcom_disable_wakeup_irq(qcom->hs_phy_irq); + +- if (qcom->dp_hs_phy_irq) { +- disable_irq_wake(qcom->dp_hs_phy_irq); +- disable_irq_nosync(qcom->dp_hs_phy_irq); +- } ++ dwc3_qcom_disable_wakeup_irq(qcom->dp_hs_phy_irq); + +- if (qcom->dm_hs_phy_irq) { +- disable_irq_wake(qcom->dm_hs_phy_irq); +- disable_irq_nosync(qcom->dm_hs_phy_irq); +- } ++ dwc3_qcom_disable_wakeup_irq(qcom->dm_hs_phy_irq); + +- if (qcom->ss_phy_irq) { +- disable_irq_wake(qcom->ss_phy_irq); +- disable_irq_nosync(qcom->ss_phy_irq); +- } ++ dwc3_qcom_disable_wakeup_irq(qcom->ss_phy_irq); + } + + static void dwc3_qcom_enable_interrupts(struct dwc3_qcom *qcom) + { +- if (qcom->hs_phy_irq) { +- enable_irq(qcom->hs_phy_irq); +- enable_irq_wake(qcom->hs_phy_irq); +- } ++ dwc3_qcom_enable_wakeup_irq(qcom->hs_phy_irq); + +- if (qcom->dp_hs_phy_irq) { +- enable_irq(qcom->dp_hs_phy_irq); +- enable_irq_wake(qcom->dp_hs_phy_irq); +- } ++ dwc3_qcom_enable_wakeup_irq(qcom->dp_hs_phy_irq); + +- if (qcom->dm_hs_phy_irq) { +- enable_irq(qcom->dm_hs_phy_irq); +- enable_irq_wake(qcom->dm_hs_phy_irq); +- } ++ dwc3_qcom_enable_wakeup_irq(qcom->dm_hs_phy_irq); + +- if (qcom->ss_phy_irq) { +- enable_irq(qcom->ss_phy_irq); +- enable_irq_wake(qcom->ss_phy_irq); +- } ++ dwc3_qcom_enable_wakeup_irq(qcom->ss_phy_irq); + } + + static int dwc3_qcom_suspend(struct dwc3_qcom *qcom) +-- +2.35.1 + diff --git a/queue-5.10/usb-dwc3-qcom-configure-wakeup-interrupts-during-sus.patch b/queue-5.10/usb-dwc3-qcom-configure-wakeup-interrupts-during-sus.patch new file mode 100644 index 00000000000..6f35f7c150a --- /dev/null +++ b/queue-5.10/usb-dwc3-qcom-configure-wakeup-interrupts-during-sus.patch @@ -0,0 +1,155 @@ +From e041255870d231569973af30854589feb52ca733 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 10:00:53 +0530 +Subject: usb: dwc3: qcom: Configure wakeup interrupts during suspend + +From: Sandeep Maheswaram + +[ Upstream commit 6895ea55c385c9afdd2aec1eef27ec24917a112f ] + +Configure DP/DM line interrupts based on the USB2 device attached to +the root hub port. When HS/FS device is connected, configure the DP line +as falling edge to detect both disconnect and remote wakeup scenarios. When +LS device is connected, configure DM line as falling edge to detect both +disconnect and remote wakeup. When no device is connected, configure both +DP and DM lines as rising edge to detect HS/HS/LS device connect scenario. + +Reviewed-by: Pavankumar Kondeti +Reviewed-by: Matthias Kaehlcke +Signed-off-by: Sandeep Maheswaram +Signed-off-by: Krishna Kurapati +Link: https://lore.kernel.org/r/1655094654-24052-5-git-send-email-quic_kriskura@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-qcom.c | 72 +++++++++++++++++++++++++++++++----- + 1 file changed, 62 insertions(+), 10 deletions(-) + +diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c +index 1ae854d1d1d83..53722a54207a6 100644 +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -20,7 +20,8 @@ + #include + #include + #include +- ++#include ++#include + #include "core.h" + + /* USB QSCRATCH Hardware registers */ +@@ -76,6 +77,7 @@ struct dwc3_qcom { + int dp_hs_phy_irq; + int dm_hs_phy_irq; + int ss_phy_irq; ++ enum usb_device_speed usb2_speed; + + struct extcon_dev *edev; + struct extcon_dev *host_edev; +@@ -296,11 +298,34 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom) + icc_put(qcom->icc_path_apps); + } + +-static void dwc3_qcom_enable_wakeup_irq(int irq) ++static enum usb_device_speed dwc3_qcom_read_usb2_speed(struct dwc3_qcom *qcom) ++{ ++ struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); ++ struct usb_hcd *hcd = platform_get_drvdata(dwc->xhci); ++ struct usb_device *udev; ++ ++ /* ++ * It is possible to query the speed of all children of ++ * USB2.0 root hub via usb_hub_for_each_child(). DWC3 code ++ * currently supports only 1 port per controller. So ++ * this is sufficient. ++ */ ++ udev = usb_hub_find_child(hcd->self.root_hub, 1); ++ ++ if (!udev) ++ return USB_SPEED_UNKNOWN; ++ ++ return udev->speed; ++} ++ ++static void dwc3_qcom_enable_wakeup_irq(int irq, unsigned int polarity) + { + if (!irq) + return; + ++ if (polarity) ++ irq_set_irq_type(irq, polarity); ++ + enable_irq(irq); + enable_irq_wake(irq); + } +@@ -318,22 +343,47 @@ static void dwc3_qcom_disable_interrupts(struct dwc3_qcom *qcom) + { + dwc3_qcom_disable_wakeup_irq(qcom->hs_phy_irq); + +- dwc3_qcom_disable_wakeup_irq(qcom->dp_hs_phy_irq); +- +- dwc3_qcom_disable_wakeup_irq(qcom->dm_hs_phy_irq); ++ if (qcom->usb2_speed == USB_SPEED_LOW) { ++ dwc3_qcom_disable_wakeup_irq(qcom->dm_hs_phy_irq); ++ } else if ((qcom->usb2_speed == USB_SPEED_HIGH) || ++ (qcom->usb2_speed == USB_SPEED_FULL)) { ++ dwc3_qcom_disable_wakeup_irq(qcom->dp_hs_phy_irq); ++ } else { ++ dwc3_qcom_disable_wakeup_irq(qcom->dp_hs_phy_irq); ++ dwc3_qcom_disable_wakeup_irq(qcom->dm_hs_phy_irq); ++ } + + dwc3_qcom_disable_wakeup_irq(qcom->ss_phy_irq); + } + + static void dwc3_qcom_enable_interrupts(struct dwc3_qcom *qcom) + { +- dwc3_qcom_enable_wakeup_irq(qcom->hs_phy_irq); ++ dwc3_qcom_enable_wakeup_irq(qcom->hs_phy_irq, 0); + +- dwc3_qcom_enable_wakeup_irq(qcom->dp_hs_phy_irq); ++ /* ++ * Configure DP/DM line interrupts based on the USB2 device attached to ++ * the root hub port. When HS/FS device is connected, configure the DP line ++ * as falling edge to detect both disconnect and remote wakeup scenarios. When ++ * LS device is connected, configure DM line as falling edge to detect both ++ * disconnect and remote wakeup. When no device is connected, configure both ++ * DP and DM lines as rising edge to detect HS/HS/LS device connect scenario. ++ */ + +- dwc3_qcom_enable_wakeup_irq(qcom->dm_hs_phy_irq); ++ if (qcom->usb2_speed == USB_SPEED_LOW) { ++ dwc3_qcom_enable_wakeup_irq(qcom->dm_hs_phy_irq, ++ IRQ_TYPE_EDGE_FALLING); ++ } else if ((qcom->usb2_speed == USB_SPEED_HIGH) || ++ (qcom->usb2_speed == USB_SPEED_FULL)) { ++ dwc3_qcom_enable_wakeup_irq(qcom->dp_hs_phy_irq, ++ IRQ_TYPE_EDGE_FALLING); ++ } else { ++ dwc3_qcom_enable_wakeup_irq(qcom->dp_hs_phy_irq, ++ IRQ_TYPE_EDGE_RISING); ++ dwc3_qcom_enable_wakeup_irq(qcom->dm_hs_phy_irq, ++ IRQ_TYPE_EDGE_RISING); ++ } + +- dwc3_qcom_enable_wakeup_irq(qcom->ss_phy_irq); ++ dwc3_qcom_enable_wakeup_irq(qcom->ss_phy_irq, 0); + } + + static int dwc3_qcom_suspend(struct dwc3_qcom *qcom) +@@ -355,8 +405,10 @@ static int dwc3_qcom_suspend(struct dwc3_qcom *qcom) + if (ret) + dev_warn(qcom->dev, "failed to disable interconnect: %d\n", ret); + +- if (device_may_wakeup(qcom->dev)) ++ if (device_may_wakeup(qcom->dev)) { ++ qcom->usb2_speed = dwc3_qcom_read_usb2_speed(qcom); + dwc3_qcom_enable_interrupts(qcom); ++ } + + qcom->is_suspended = true; + +-- +2.35.1 + diff --git a/queue-5.10/usb-dwc3-qcom-fix-peripheral-and-otg-suspend.patch b/queue-5.10/usb-dwc3-qcom-fix-peripheral-and-otg-suspend.patch new file mode 100644 index 00000000000..41f2e846db7 --- /dev/null +++ b/queue-5.10/usb-dwc3-qcom-fix-peripheral-and-otg-suspend.patch @@ -0,0 +1,78 @@ +From 945d90c923bf7d66ca297b7f46804cb642606aaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 17:09:58 +0200 +Subject: usb: dwc3: qcom: fix peripheral and OTG suspend + +From: Johan Hovold + +[ Upstream commit c5f14abeb52b0177b940fd734133d383da3521d8 ] + +A recent commit implementing wakeup support in host mode instead broke +suspend for peripheral and OTG mode. + +The hack that was added in the suspend path to determine the speed of +any device connected to the USB2 bus not only accesses internal driver +data for a child device, but also dereferences a NULL pointer or +accesses freed data when the controller is not acting as host. + +There's no quick fix to the layering violation, but since reverting +would leave us with broken suspend in host mode with wakeup triggering +immediately, let's keep the hack for now. + +Fix the immediate issues by only checking the host bus speed and +enabling wakeup interrupts when acting as host. + +Fixes: 6895ea55c385 ("usb: dwc3: qcom: Configure wakeup interrupts during suspend") +Reported-by: kernel test robot +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220804151001.23612-7-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-qcom.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c +index 456ade31ef795..c77cfcf3bca96 100644 +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -309,8 +309,13 @@ static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom) + static enum usb_device_speed dwc3_qcom_read_usb2_speed(struct dwc3_qcom *qcom) + { + struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); +- struct usb_hcd *hcd = platform_get_drvdata(dwc->xhci); + struct usb_device *udev; ++ struct usb_hcd *hcd; ++ ++ /* ++ * FIXME: Fix this layering violation. ++ */ ++ hcd = platform_get_drvdata(dwc->xhci); + + /* + * It is possible to query the speed of all children of +@@ -413,7 +418,11 @@ static int dwc3_qcom_suspend(struct dwc3_qcom *qcom, bool wakeup) + if (ret) + dev_warn(qcom->dev, "failed to disable interconnect: %d\n", ret); + +- if (wakeup) { ++ /* ++ * The role is stable during suspend as role switching is done from a ++ * freezable workqueue. ++ */ ++ if (dwc3_qcom_is_host(qcom) && wakeup) { + qcom->usb2_speed = dwc3_qcom_read_usb2_speed(qcom); + dwc3_qcom_enable_interrupts(qcom); + } +@@ -431,7 +440,7 @@ static int dwc3_qcom_resume(struct dwc3_qcom *qcom, bool wakeup) + if (!qcom->is_suspended) + return 0; + +- if (wakeup) ++ if (dwc3_qcom_is_host(qcom) && wakeup) + dwc3_qcom_disable_interrupts(qcom); + + for (i = 0; i < qcom->num_clocks; i++) { +-- +2.35.1 + diff --git a/queue-5.10/usb-dwc3-qcom-fix-runtime-pm-wakeup.patch b/queue-5.10/usb-dwc3-qcom-fix-runtime-pm-wakeup.patch new file mode 100644 index 00000000000..037f6b810a7 --- /dev/null +++ b/queue-5.10/usb-dwc3-qcom-fix-runtime-pm-wakeup.patch @@ -0,0 +1,110 @@ +From 86eb3d39a11ea5c5ccd24a89f7e2a88050fb2588 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 17:09:57 +0200 +Subject: usb: dwc3: qcom: fix runtime PM wakeup + +From: Johan Hovold + +[ Upstream commit 6498a96c8c9ce8ae4078e586a607851491e29a33 ] + +A device must enable wakeups during runtime suspend regardless of +whether it is capable and allowed to wake the system up from system +suspend. + +Fixes: 2664deb09306 ("usb: dwc3: qcom: Honor wakeup enabled/disabled state") +Tested-by: Matthias Kaehlcke +Reviewed-by: Matthias Kaehlcke +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220804151001.23612-6-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-qcom.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c +index 53722a54207a6..d8b47b91ed6f7 100644 +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -386,7 +386,7 @@ static void dwc3_qcom_enable_interrupts(struct dwc3_qcom *qcom) + dwc3_qcom_enable_wakeup_irq(qcom->ss_phy_irq, 0); + } + +-static int dwc3_qcom_suspend(struct dwc3_qcom *qcom) ++static int dwc3_qcom_suspend(struct dwc3_qcom *qcom, bool wakeup) + { + u32 val; + int i, ret; +@@ -405,7 +405,7 @@ static int dwc3_qcom_suspend(struct dwc3_qcom *qcom) + if (ret) + dev_warn(qcom->dev, "failed to disable interconnect: %d\n", ret); + +- if (device_may_wakeup(qcom->dev)) { ++ if (wakeup) { + qcom->usb2_speed = dwc3_qcom_read_usb2_speed(qcom); + dwc3_qcom_enable_interrupts(qcom); + } +@@ -415,7 +415,7 @@ static int dwc3_qcom_suspend(struct dwc3_qcom *qcom) + return 0; + } + +-static int dwc3_qcom_resume(struct dwc3_qcom *qcom) ++static int dwc3_qcom_resume(struct dwc3_qcom *qcom, bool wakeup) + { + int ret; + int i; +@@ -423,7 +423,7 @@ static int dwc3_qcom_resume(struct dwc3_qcom *qcom) + if (!qcom->is_suspended) + return 0; + +- if (device_may_wakeup(qcom->dev)) ++ if (wakeup) + dwc3_qcom_disable_interrupts(qcom); + + for (i = 0; i < qcom->num_clocks; i++) { +@@ -919,9 +919,11 @@ static int dwc3_qcom_remove(struct platform_device *pdev) + static int __maybe_unused dwc3_qcom_pm_suspend(struct device *dev) + { + struct dwc3_qcom *qcom = dev_get_drvdata(dev); ++ bool wakeup = device_may_wakeup(dev); + int ret = 0; + +- ret = dwc3_qcom_suspend(qcom); ++ ++ ret = dwc3_qcom_suspend(qcom, wakeup); + if (!ret) + qcom->pm_suspended = true; + +@@ -931,9 +933,10 @@ static int __maybe_unused dwc3_qcom_pm_suspend(struct device *dev) + static int __maybe_unused dwc3_qcom_pm_resume(struct device *dev) + { + struct dwc3_qcom *qcom = dev_get_drvdata(dev); ++ bool wakeup = device_may_wakeup(dev); + int ret; + +- ret = dwc3_qcom_resume(qcom); ++ ret = dwc3_qcom_resume(qcom, wakeup); + if (!ret) + qcom->pm_suspended = false; + +@@ -944,14 +947,14 @@ static int __maybe_unused dwc3_qcom_runtime_suspend(struct device *dev) + { + struct dwc3_qcom *qcom = dev_get_drvdata(dev); + +- return dwc3_qcom_suspend(qcom); ++ return dwc3_qcom_suspend(qcom, true); + } + + static int __maybe_unused dwc3_qcom_runtime_resume(struct device *dev) + { + struct dwc3_qcom *qcom = dev_get_drvdata(dev); + +- return dwc3_qcom_resume(qcom); ++ return dwc3_qcom_resume(qcom, true); + } + + static const struct dev_pm_ops dwc3_qcom_dev_pm_ops = { +-- +2.35.1 + diff --git a/queue-5.10/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch b/queue-5.10/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch new file mode 100644 index 00000000000..b2ee2380119 --- /dev/null +++ b/queue-5.10/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch @@ -0,0 +1,82 @@ +From a9a03e025fe91afcfb38b9083ec3069d54a4f831 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 17:09:56 +0200 +Subject: usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup + +From: Johan Hovold + +[ Upstream commit a872ab303d5ddd4c965f9cd868677781a33ce35a ] + +The Qualcomm dwc3 runtime-PM implementation checks the xhci +platform-device pointer in the wakeup-interrupt handler to determine +whether the controller is in host mode and if so triggers a resume. + +After a role switch in OTG mode the xhci platform-device would have been +freed and the next wakeup from runtime suspend would access the freed +memory. + +Note that role switching is executed from a freezable workqueue, which +guarantees that the pointer is stable during suspend. + +Also note that runtime PM has been broken since commit 2664deb09306 +("usb: dwc3: qcom: Honor wakeup enabled/disabled state"), which +incidentally also prevents this issue from being triggered. + +Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver") +Cc: stable@vger.kernel.org # 4.18 +Reviewed-by: Matthias Kaehlcke +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220804151001.23612-5-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-qcom.c | 14 +++++++++++++- + drivers/usb/dwc3/host.c | 1 + + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c +index d8b47b91ed6f7..456ade31ef795 100644 +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -298,6 +298,14 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom) + icc_put(qcom->icc_path_apps); + } + ++/* Only usable in contexts where the role can not change. */ ++static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom) ++{ ++ struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); ++ ++ return dwc->xhci; ++} ++ + static enum usb_device_speed dwc3_qcom_read_usb2_speed(struct dwc3_qcom *qcom) + { + struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); +@@ -457,7 +465,11 @@ static irqreturn_t qcom_dwc3_resume_irq(int irq, void *data) + if (qcom->pm_suspended) + return IRQ_HANDLED; + +- if (dwc->xhci) ++ /* ++ * This is safe as role switching is done from a freezable workqueue ++ * and the wakeup interrupts are disabled as part of resume. ++ */ ++ if (dwc3_qcom_is_host(qcom)) + pm_runtime_resume(&dwc->xhci->dev); + + return IRQ_HANDLED; +diff --git a/drivers/usb/dwc3/host.c b/drivers/usb/dwc3/host.c +index e195176580de1..b06ab85f8187e 100644 +--- a/drivers/usb/dwc3/host.c ++++ b/drivers/usb/dwc3/host.c +@@ -130,4 +130,5 @@ int dwc3_host_init(struct dwc3 *dwc) + void dwc3_host_exit(struct dwc3 *dwc) + { + platform_device_unregister(dwc->xhci); ++ dwc->xhci = NULL; + } +-- +2.35.1 + diff --git a/queue-5.10/wifi-cfg80211-debugfs-fix-return-type-in-ht40allow_m.patch b/queue-5.10/wifi-cfg80211-debugfs-fix-return-type-in-ht40allow_m.patch new file mode 100644 index 00000000000..103df587ce6 --- /dev/null +++ b/queue-5.10/wifi-cfg80211-debugfs-fix-return-type-in-ht40allow_m.patch @@ -0,0 +1,41 @@ +From d3891e47168fecf588048cd5e19e1226180f7807 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 10:03:21 +0300 +Subject: wifi: cfg80211: debugfs: fix return type in ht40allow_map_read() + +From: Dan Carpenter + +[ Upstream commit d776763f48084926b5d9e25507a3ddb7c9243d5e ] + +The return type is supposed to be ssize_t, which is signed long, +but "r" was declared as unsigned int. This means that on 64 bit systems +we return positive values instead of negative error codes. + +Fixes: 80a3511d70e8 ("cfg80211: add debugfs HT40 allow map") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YutvOQeJm0UjLhwU@kili +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/debugfs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/debugfs.c b/net/wireless/debugfs.c +index 76b845f68ac89..d80b06d669593 100644 +--- a/net/wireless/debugfs.c ++++ b/net/wireless/debugfs.c +@@ -65,9 +65,10 @@ static ssize_t ht40allow_map_read(struct file *file, + { + struct wiphy *wiphy = file->private_data; + char *buf; +- unsigned int offset = 0, buf_size = PAGE_SIZE, i, r; ++ unsigned int offset = 0, buf_size = PAGE_SIZE, i; + enum nl80211_band band; + struct ieee80211_supported_band *sband; ++ ssize_t r; + + buf = kzalloc(buf_size, GFP_KERNEL); + if (!buf) +-- +2.35.1 + -- 2.47.3