From 594ec79caabfd1cf49cd2d06ecfa096a1588ab4e Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 20 Sep 2022 17:23:49 -0400 Subject: [PATCH] Fixes for 5.15 Signed-off-by: Sasha Levin --- ...n-not-eremoteio-when-a-file-already-.patch | 41 +++++++ ...l-keep-power-up-while-beep-is-enable.patch | 71 ++++++++++++ ...egra-align-bdl-entry-to-4kb-boundary.patch | 39 +++++++ ...-dts-juno-add-missing-mhu-secure-irq.patch | 39 +++++++ ...x-semaphore-unbalance-at-error-paths.patch | 101 ++++++++++++++++++ ...freq-set-opp-to-the-recommended-one-.patch | 66 ++++++++++++ ...irq-fix-octeon_irq_force_ciu_mapping.patch | 61 +++++++++++ ...-mismatch-of-l0-symbols-in-system.ma.patch | 39 +++++++ .../net-usb-qmi_wwan-add-quectel-rm520n.patch | 67 ++++++++++++ ...00-fix-the-global-out-of-bounds-acce.patch | 42 ++++++++ queue-5.15/rxrpc-fix-calc-of-resend-age.patch | 34 ++++++ ...fix-local-destruction-being-repeated.patch | 38 +++++++ ...-did_transport_disrupted-instead-of-.patch | 49 +++++++++ queue-5.15/series | 15 +++ ...xx-gcu-fix-integer-overflow-in-pxa3x.patch | 36 +++++++ ...wsim-check-length-for-virtio-packets.patch | 71 ++++++++++++ 16 files changed, 809 insertions(+) create mode 100644 queue-5.15/afs-return-eagain-not-eremoteio-when-a-file-already-.patch create mode 100644 queue-5.15/alsa-hda-sigmatel-keep-power-up-while-beep-is-enable.patch create mode 100644 queue-5.15/alsa-hda-tegra-align-bdl-entry-to-4kb-boundary.patch create mode 100644 queue-5.15/arm64-dts-juno-add-missing-mhu-secure-irq.patch create mode 100644 queue-5.15/asoc-nau8824-fix-semaphore-unbalance-at-error-paths.patch create mode 100644 queue-5.15/drm-panfrost-devfreq-set-opp-to-the-recommended-one-.patch create mode 100644 queue-5.15/mips-octeon-irq-fix-octeon_irq_force_ciu_mapping.patch create mode 100644 queue-5.15/mksysmap-fix-the-mismatch-of-l0-symbols-in-system.ma.patch create mode 100644 queue-5.15/net-usb-qmi_wwan-add-quectel-rm520n.patch create mode 100644 queue-5.15/regulator-pfuze100-fix-the-global-out-of-bounds-acce.patch create mode 100644 queue-5.15/rxrpc-fix-calc-of-resend-age.patch create mode 100644 queue-5.15/rxrpc-fix-local-destruction-being-repeated.patch create mode 100644 queue-5.15/scsi-lpfc-return-did_transport_disrupted-instead-of-.patch create mode 100644 queue-5.15/video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch create mode 100644 queue-5.15/wifi-mac80211_hwsim-check-length-for-virtio-packets.patch diff --git a/queue-5.15/afs-return-eagain-not-eremoteio-when-a-file-already-.patch b/queue-5.15/afs-return-eagain-not-eremoteio-when-a-file-already-.patch new file mode 100644 index 00000000000..f1ff3f6d4ca --- /dev/null +++ b/queue-5.15/afs-return-eagain-not-eremoteio-when-a-file-already-.patch @@ -0,0 +1,41 @@ +From fffdc234d748e6c9f11de137c2534f5ca8dc40df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 22:09:11 +0100 +Subject: afs: Return -EAGAIN, not -EREMOTEIO, when a file already locked + +From: David Howells + +[ Upstream commit 0066f1b0e27556381402db3ff31f85d2a2265858 ] + +When trying to get a file lock on an AFS file, the server may return +UAEAGAIN to indicate that the lock is already held. This is currently +translated by the default path to -EREMOTEIO. + +Translate it instead to -EAGAIN so that we know we can retry it. + +Signed-off-by: David Howells +Reviewed-by: Jeffrey E Altman +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/166075761334.3533338.2591992675160918098.stgit@warthog.procyon.org.uk/ +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/misc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/afs/misc.c b/fs/afs/misc.c +index 933e67fcdab1..805328ca5428 100644 +--- a/fs/afs/misc.c ++++ b/fs/afs/misc.c +@@ -69,6 +69,7 @@ int afs_abort_to_error(u32 abort_code) + /* Unified AFS error table */ + case UAEPERM: return -EPERM; + case UAENOENT: return -ENOENT; ++ case UAEAGAIN: return -EAGAIN; + case UAEACCES: return -EACCES; + case UAEBUSY: return -EBUSY; + case UAEEXIST: return -EEXIST; +-- +2.35.1 + diff --git a/queue-5.15/alsa-hda-sigmatel-keep-power-up-while-beep-is-enable.patch b/queue-5.15/alsa-hda-sigmatel-keep-power-up-while-beep-is-enable.patch new file mode 100644 index 00000000000..be02bd8af60 --- /dev/null +++ b/queue-5.15/alsa-hda-sigmatel-keep-power-up-while-beep-is-enable.patch @@ -0,0 +1,71 @@ +From bdd1fee3aff5cbe732ce6c9bb398dd0ac5434846 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 09:27:50 +0200 +Subject: ALSA: hda/sigmatel: Keep power up while beep is enabled + +From: Takashi Iwai + +[ Upstream commit 414d38ba871092aeac4ed097ac4ced89486646f7 ] + +It seems that the beep playback doesn't work well on IDT codec devices +when the codec auto-pm is enabled. Keep the power on while the beep +switch is enabled. + +Link: https://bugzilla.suse.com/show_bug.cgi?id=1200544 +Link: https://lore.kernel.org/r/20220904072750.26164-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_sigmatel.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c +index 61df4d33c48f..066bfccd2587 100644 +--- a/sound/pci/hda/patch_sigmatel.c ++++ b/sound/pci/hda/patch_sigmatel.c +@@ -209,6 +209,7 @@ struct sigmatel_spec { + + /* beep widgets */ + hda_nid_t anabeep_nid; ++ bool beep_power_on; + + /* SPDIF-out mux */ + const char * const *spdif_labels; +@@ -4443,6 +4444,26 @@ static int stac_suspend(struct hda_codec *codec) + + return 0; + } ++ ++static int stac_check_power_status(struct hda_codec *codec, hda_nid_t nid) ++{ ++ struct sigmatel_spec *spec = codec->spec; ++ int ret = snd_hda_gen_check_power_status(codec, nid); ++ ++#ifdef CONFIG_SND_HDA_INPUT_BEEP ++ if (nid == spec->gen.beep_nid && codec->beep) { ++ if (codec->beep->enabled != spec->beep_power_on) { ++ spec->beep_power_on = codec->beep->enabled; ++ if (spec->beep_power_on) ++ snd_hda_power_up_pm(codec); ++ else ++ snd_hda_power_down_pm(codec); ++ } ++ ret |= spec->beep_power_on; ++ } ++#endif ++ return ret; ++} + #else + #define stac_suspend NULL + #endif /* CONFIG_PM */ +@@ -4455,6 +4476,7 @@ static const struct hda_codec_ops stac_patch_ops = { + .unsol_event = snd_hda_jack_unsol_event, + #ifdef CONFIG_PM + .suspend = stac_suspend, ++ .check_power_status = stac_check_power_status, + #endif + }; + +-- +2.35.1 + diff --git a/queue-5.15/alsa-hda-tegra-align-bdl-entry-to-4kb-boundary.patch b/queue-5.15/alsa-hda-tegra-align-bdl-entry-to-4kb-boundary.patch new file mode 100644 index 00000000000..8b22c590bfe --- /dev/null +++ b/queue-5.15/alsa-hda-tegra-align-bdl-entry-to-4kb-boundary.patch @@ -0,0 +1,39 @@ +From 14c4c184ea2fdf4c94539c6d3834f64f3403a700 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 22:54:20 +0530 +Subject: ALSA: hda/tegra: Align BDL entry to 4KB boundary + +From: Mohan Kumar + +[ Upstream commit 8d44e6044a0e885acdd01813768a0b27906d64fd ] + +AZA HW may send a burst read/write request crossing 4K memory boundary. +The 4KB boundary is not guaranteed by Tegra HDA HW. Make SW change to +include the flag AZX_DCAPS_4K_BDLE_BOUNDARY to align BDLE to 4K +boundary. + +Signed-off-by: Mohan Kumar +Link: https://lore.kernel.org/r/20220905172420.3801-1-mkumard@nvidia.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_tegra.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/hda_tegra.c b/sound/pci/hda/hda_tegra.c +index 773f4903550a..f0e556f2ccf6 100644 +--- a/sound/pci/hda/hda_tegra.c ++++ b/sound/pci/hda/hda_tegra.c +@@ -451,7 +451,8 @@ MODULE_DEVICE_TABLE(of, hda_tegra_match); + static int hda_tegra_probe(struct platform_device *pdev) + { + const unsigned int driver_flags = AZX_DCAPS_CORBRP_SELF_CLEAR | +- AZX_DCAPS_PM_RUNTIME; ++ AZX_DCAPS_PM_RUNTIME | ++ AZX_DCAPS_4K_BDLE_BOUNDARY; + struct snd_card *card; + struct azx *chip; + struct hda_tegra *hda; +-- +2.35.1 + diff --git a/queue-5.15/arm64-dts-juno-add-missing-mhu-secure-irq.patch b/queue-5.15/arm64-dts-juno-add-missing-mhu-secure-irq.patch new file mode 100644 index 00000000000..02a0017fb0b --- /dev/null +++ b/queue-5.15/arm64-dts-juno-add-missing-mhu-secure-irq.patch @@ -0,0 +1,39 @@ +From 14d6f620177f3cca238824b1dc24c24b0fbcb45f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 09:10:05 -0500 +Subject: arm64: dts: juno: Add missing MHU secure-irq + +From: Jassi Brar + +[ Upstream commit 422ab8fe15e30066d4c8e236b747c77069bfca45 ] + +The MHU secure interrupt exists physically but is missing in the DT node. + +Specify the interrupt in DT node to fix a warning on Arm Juno board: + mhu@2b1f0000: interrupts: [[0, 36, 4], [0, 35, 4]] is too short + +Link: https://lore.kernel.org/r/20220801141005.599258-1-jassisinghbrar@gmail.com +Signed-off-by: Jassi Brar +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/arm/juno-base.dtsi | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/arm/juno-base.dtsi b/arch/arm64/boot/dts/arm/juno-base.dtsi +index a2635b14da30..34e5549ea748 100644 +--- a/arch/arm64/boot/dts/arm/juno-base.dtsi ++++ b/arch/arm64/boot/dts/arm/juno-base.dtsi +@@ -26,7 +26,8 @@ + compatible = "arm,mhu", "arm,primecell"; + reg = <0x0 0x2b1f0000 0x0 0x1000>; + interrupts = , +- ; ++ , ++ ; + #mbox-cells = <1>; + clocks = <&soc_refclk100mhz>; + clock-names = "apb_pclk"; +-- +2.35.1 + diff --git a/queue-5.15/asoc-nau8824-fix-semaphore-unbalance-at-error-paths.patch b/queue-5.15/asoc-nau8824-fix-semaphore-unbalance-at-error-paths.patch new file mode 100644 index 00000000000..31a996dc652 --- /dev/null +++ b/queue-5.15/asoc-nau8824-fix-semaphore-unbalance-at-error-paths.patch @@ -0,0 +1,101 @@ +From 7d9174fc2350f0159aaa21381b4de42894562798 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:09:57 +0200 +Subject: ASoC: nau8824: Fix semaphore unbalance at error paths + +From: Takashi Iwai + +[ Upstream commit 5628560e90395d3812800a8e44a01c32ffa429ec ] + +The semaphore of nau8824 wasn't properly unlocked at some error +handling code paths, hence this may result in the unbalance (and +potential lock-up). Fix them to handle the semaphore up properly. + +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20220823081000.2965-3-tiwai@suse.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/nau8824.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/sound/soc/codecs/nau8824.c b/sound/soc/codecs/nau8824.c +index f7018f2dd21f..27589900f4fb 100644 +--- a/sound/soc/codecs/nau8824.c ++++ b/sound/soc/codecs/nau8824.c +@@ -1042,6 +1042,7 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream, + struct snd_soc_component *component = dai->component; + struct nau8824 *nau8824 = snd_soc_component_get_drvdata(component); + unsigned int val_len = 0, osr, ctrl_val, bclk_fs, bclk_div; ++ int err = -EINVAL; + + nau8824_sema_acquire(nau8824, HZ); + +@@ -1058,7 +1059,7 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream, + osr &= NAU8824_DAC_OVERSAMPLE_MASK; + if (nau8824_clock_check(nau8824, substream->stream, + nau8824->fs, osr)) +- return -EINVAL; ++ goto error; + regmap_update_bits(nau8824->regmap, NAU8824_REG_CLK_DIVIDER, + NAU8824_CLK_DAC_SRC_MASK, + osr_dac_sel[osr].clk_src << NAU8824_CLK_DAC_SRC_SFT); +@@ -1068,7 +1069,7 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream, + osr &= NAU8824_ADC_SYNC_DOWN_MASK; + if (nau8824_clock_check(nau8824, substream->stream, + nau8824->fs, osr)) +- return -EINVAL; ++ goto error; + regmap_update_bits(nau8824->regmap, NAU8824_REG_CLK_DIVIDER, + NAU8824_CLK_ADC_SRC_MASK, + osr_adc_sel[osr].clk_src << NAU8824_CLK_ADC_SRC_SFT); +@@ -1089,7 +1090,7 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream, + else if (bclk_fs <= 256) + bclk_div = 0; + else +- return -EINVAL; ++ goto error; + regmap_update_bits(nau8824->regmap, + NAU8824_REG_PORT0_I2S_PCM_CTRL_2, + NAU8824_I2S_LRC_DIV_MASK | NAU8824_I2S_BLK_DIV_MASK, +@@ -1110,15 +1111,17 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream, + val_len |= NAU8824_I2S_DL_32; + break; + default: +- return -EINVAL; ++ goto error; + } + + regmap_update_bits(nau8824->regmap, NAU8824_REG_PORT0_I2S_PCM_CTRL_1, + NAU8824_I2S_DL_MASK, val_len); ++ err = 0; + ++ error: + nau8824_sema_release(nau8824); + +- return 0; ++ return err; + } + + static int nau8824_set_fmt(struct snd_soc_dai *dai, unsigned int fmt) +@@ -1127,8 +1130,6 @@ static int nau8824_set_fmt(struct snd_soc_dai *dai, unsigned int fmt) + struct nau8824 *nau8824 = snd_soc_component_get_drvdata(component); + unsigned int ctrl1_val = 0, ctrl2_val = 0; + +- nau8824_sema_acquire(nau8824, HZ); +- + switch (fmt & SND_SOC_DAIFMT_MASTER_MASK) { + case SND_SOC_DAIFMT_CBM_CFM: + ctrl2_val |= NAU8824_I2S_MS_MASTER; +@@ -1170,6 +1171,8 @@ static int nau8824_set_fmt(struct snd_soc_dai *dai, unsigned int fmt) + return -EINVAL; + } + ++ nau8824_sema_acquire(nau8824, HZ); ++ + regmap_update_bits(nau8824->regmap, NAU8824_REG_PORT0_I2S_PCM_CTRL_1, + NAU8824_I2S_DF_MASK | NAU8824_I2S_BP_MASK | + NAU8824_I2S_PCMB_EN, ctrl1_val); +-- +2.35.1 + diff --git a/queue-5.15/drm-panfrost-devfreq-set-opp-to-the-recommended-one-.patch b/queue-5.15/drm-panfrost-devfreq-set-opp-to-the-recommended-one-.patch new file mode 100644 index 00000000000..45e14a66328 --- /dev/null +++ b/queue-5.15/drm-panfrost-devfreq-set-opp-to-the-recommended-one-.patch @@ -0,0 +1,66 @@ +From 2d9b89a5a3bc2c99427213c084fe477a381fcb49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 17:30:33 +0200 +Subject: drm/panfrost: devfreq: set opp to the recommended one to configure + regulator +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Clément Péron + +[ Upstream commit d76034a427a2660b080bc155e4fd8f6393eefb48 ] + +Enabling panfrost GPU OPP with dynamic regulator will make OPP +responsible to enable and configure it. + +Unfortunately OPP configure and enable the regulator when an OPP +is asked to be set, which is not the case during +panfrost_devfreq_init(). + +This leave the regulator unconfigured and if no GPU load is +triggered, no OPP is asked to be set which make the regulator framework +switching it off during regulator_late_cleanup() without +noticing and therefore make the board hang as any access to GPU +memory space make bus locks up. + +Call dev_pm_opp_set_opp() with the recommend OPP in +panfrost_devfreq_init() to enable the regulator, this will properly +configure and enable the regulator and will avoid any switch off +by regulator_late_cleanup(). + +Suggested-by: Viresh Kumar +Signed-off-by: Clément Péron +Reviewed-by: Steven Price +Signed-off-by: Steven Price +Link: https://patchwork.freedesktop.org/patch/msgid/20220906153034.153321-5-peron.clem@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panfrost/panfrost_devfreq.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/gpu/drm/panfrost/panfrost_devfreq.c b/drivers/gpu/drm/panfrost/panfrost_devfreq.c +index 194af7f607a6..be36dd060a2b 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_devfreq.c ++++ b/drivers/gpu/drm/panfrost/panfrost_devfreq.c +@@ -132,6 +132,17 @@ int panfrost_devfreq_init(struct panfrost_device *pfdev) + return PTR_ERR(opp); + + panfrost_devfreq_profile.initial_freq = cur_freq; ++ ++ /* ++ * Set the recommend OPP this will enable and configure the regulator ++ * if any and will avoid a switch off by regulator_late_cleanup() ++ */ ++ ret = dev_pm_opp_set_opp(dev, opp); ++ if (ret) { ++ DRM_DEV_ERROR(dev, "Couldn't set recommended OPP\n"); ++ return ret; ++ } ++ + dev_pm_opp_put(opp); + + /* +-- +2.35.1 + diff --git a/queue-5.15/mips-octeon-irq-fix-octeon_irq_force_ciu_mapping.patch b/queue-5.15/mips-octeon-irq-fix-octeon_irq_force_ciu_mapping.patch new file mode 100644 index 00000000000..e2659b6921c --- /dev/null +++ b/queue-5.15/mips-octeon-irq-fix-octeon_irq_force_ciu_mapping.patch @@ -0,0 +1,61 @@ +From 00dbf371cf56908cc6058891942d376d654f9284 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 11:59:43 +0200 +Subject: MIPS: OCTEON: irq: Fix octeon_irq_force_ciu_mapping() + +From: Alexander Sverdlin + +[ Upstream commit ba912afbd611d3a5f22af247721a071ad1d5b9e0 ] + +For irq_domain_associate() to work the virq descriptor has to be +pre-allocated in advance. Otherwise the following happens: + +WARNING: CPU: 0 PID: 0 at .../kernel/irq/irqdomain.c:527 irq_domain_associate+0x298/0x2e8 +error: virq128 is not allocated +Modules linked in: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.19.78-... #1 + ... +Call Trace: +[] show_stack+0x9c/0x130 +[] dump_stack+0x90/0xd0 +[] __warn+0x118/0x130 +[] warn_slowpath_fmt+0x4c/0x70 +[] irq_domain_associate+0x298/0x2e8 +[] octeon_irq_init_ciu+0x4c8/0x53c +[] of_irq_init+0x1e0/0x388 +[] init_IRQ+0x4c/0xf4 +[] start_kernel+0x404/0x698 + +Use irq_alloc_desc_at() to avoid the above problem. + +Signed-off-by: Alexander Sverdlin +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/cavium-octeon/octeon-irq.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/mips/cavium-octeon/octeon-irq.c b/arch/mips/cavium-octeon/octeon-irq.c +index be5d4afcd30f..353dfeee0a6d 100644 +--- a/arch/mips/cavium-octeon/octeon-irq.c ++++ b/arch/mips/cavium-octeon/octeon-irq.c +@@ -127,6 +127,16 @@ static void octeon_irq_free_cd(struct irq_domain *d, unsigned int irq) + static int octeon_irq_force_ciu_mapping(struct irq_domain *domain, + int irq, int line, int bit) + { ++ struct device_node *of_node; ++ int ret; ++ ++ of_node = irq_domain_get_of_node(domain); ++ if (!of_node) ++ return -EINVAL; ++ ret = irq_alloc_desc_at(irq, of_node_to_nid(of_node)); ++ if (ret < 0) ++ return ret; ++ + return irq_domain_associate(domain, irq, line << 6 | bit); + } + +-- +2.35.1 + diff --git a/queue-5.15/mksysmap-fix-the-mismatch-of-l0-symbols-in-system.ma.patch b/queue-5.15/mksysmap-fix-the-mismatch-of-l0-symbols-in-system.ma.patch new file mode 100644 index 00000000000..92703cbd95c --- /dev/null +++ b/queue-5.15/mksysmap-fix-the-mismatch-of-l0-symbols-in-system.ma.patch @@ -0,0 +1,39 @@ +From 394f2bd345cc66e404d337e4308eb1415c89867d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 19:10:59 +0800 +Subject: mksysmap: Fix the mismatch of 'L0' symbols in System.map + +From: Youling Tang + +[ Upstream commit c17a2538704f926ee4d167ba625e09b1040d8439 ] + +When System.map was generated, the kernel used mksysmap to filter the +kernel symbols, we need to filter "L0" symbols in LoongArch architecture. + +$ cat System.map | grep L0 +9000000000221540 t L0 + +The L0 symbol exists in System.map, but not in .tmp_System.map. When +"cmp -s System.map .tmp_System.map" will show "Inconsistent kallsyms +data" error message in link-vmlinux.sh script. + +Signed-off-by: Youling Tang +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mksysmap | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/mksysmap b/scripts/mksysmap +index 9aa23d15862a..ad8bbc52267d 100755 +--- a/scripts/mksysmap ++++ b/scripts/mksysmap +@@ -41,4 +41,4 @@ + # so we just ignore them to let readprofile continue to work. + # (At least sparc64 has __crc_ in the middle). + +-$NM -n $1 | grep -v '\( [aNUw] \)\|\(__crc_\)\|\( \$[adt]\)\|\( \.L\)' > $2 ++$NM -n $1 | grep -v '\( [aNUw] \)\|\(__crc_\)\|\( \$[adt]\)\|\( \.L\)\|\( L0\)' > $2 +-- +2.35.1 + diff --git a/queue-5.15/net-usb-qmi_wwan-add-quectel-rm520n.patch b/queue-5.15/net-usb-qmi_wwan-add-quectel-rm520n.patch new file mode 100644 index 00000000000..bfbbc178cf3 --- /dev/null +++ b/queue-5.15/net-usb-qmi_wwan-add-quectel-rm520n.patch @@ -0,0 +1,67 @@ +From 2a156c1a63a87d83d6998f0fe5351e4ffe160948 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 09:24:52 +0800 +Subject: net: usb: qmi_wwan: add Quectel RM520N +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: jerry.meng + +[ Upstream commit e1091e226a2bab4ded1fe26efba2aee1aab06450 ] + +add support for Quectel RM520N which is based on Qualcomm SDX62 chip. + +0x0801: DIAG + NMEA + AT + MODEM + RMNET + +T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 10 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2c7c ProdID=0801 Rev= 5.04 +S: Manufacturer=Quectel +S: Product=RM520N-GL +S: SerialNumber=384af524 +C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: jerry.meng +Acked-by: Bjørn Mork +Link: https://lore.kernel.org/r/tencent_E50CA8A206904897C2D20DDAE90731183C05@qq.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 3e1aab1e894e..15c90441285c 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1085,6 +1085,7 @@ static const struct usb_device_id products[] = { + {QMI_MATCH_FF_FF_FF(0x2c7c, 0x0512)}, /* Quectel EG12/EM12 */ + {QMI_MATCH_FF_FF_FF(0x2c7c, 0x0620)}, /* Quectel EM160R-GL */ + {QMI_MATCH_FF_FF_FF(0x2c7c, 0x0800)}, /* Quectel RM500Q-GL */ ++ {QMI_MATCH_FF_FF_FF(0x2c7c, 0x0801)}, /* Quectel RM520N */ + + /* 3. Combined interface devices matching on interface number */ + {QMI_FIXED_INTF(0x0408, 0xea42, 4)}, /* Yota / Megafon M100-1 */ +-- +2.35.1 + diff --git a/queue-5.15/regulator-pfuze100-fix-the-global-out-of-bounds-acce.patch b/queue-5.15/regulator-pfuze100-fix-the-global-out-of-bounds-acce.patch new file mode 100644 index 00000000000..f7865602d6d --- /dev/null +++ b/queue-5.15/regulator-pfuze100-fix-the-global-out-of-bounds-acce.patch @@ -0,0 +1,42 @@ +From 737c6742c37ae30efa4f72717c0c346b1695e2c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 19:19:22 +0800 +Subject: regulator: pfuze100: Fix the global-out-of-bounds access in + pfuze100_regulator_probe() + +From: Xiaolei Wang + +[ Upstream commit 78e1e867f44e6bdc72c0e6a2609a3407642fb30b ] + +The pfuze_chip::regulator_descs is an array of size +PFUZE100_MAX_REGULATOR, the pfuze_chip::pfuze_regulators +is the pointer to the real regulators of a specific device. +The number of real regulator is supposed to be less than +the PFUZE100_MAX_REGULATOR, so we should use the size of +'regulator_num * sizeof(struct pfuze_regulator)' in memcpy(). +This fixes the out of bounds access bug reported by KASAN. + +Signed-off-by: Xiaolei Wang +Link: https://lore.kernel.org/r/20220825111922.1368055-1-xiaolei.wang@windriver.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/pfuze100-regulator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/pfuze100-regulator.c b/drivers/regulator/pfuze100-regulator.c +index aa55cfca9e40..a9a0bd918d1e 100644 +--- a/drivers/regulator/pfuze100-regulator.c ++++ b/drivers/regulator/pfuze100-regulator.c +@@ -763,7 +763,7 @@ static int pfuze100_regulator_probe(struct i2c_client *client, + ((pfuze_chip->chip_id == PFUZE3000) ? "3000" : "3001")))); + + memcpy(pfuze_chip->regulator_descs, pfuze_chip->pfuze_regulators, +- sizeof(pfuze_chip->regulator_descs)); ++ regulator_num * sizeof(struct pfuze_regulator)); + + ret = pfuze_parse_regulators_dt(pfuze_chip); + if (ret) +-- +2.35.1 + diff --git a/queue-5.15/rxrpc-fix-calc-of-resend-age.patch b/queue-5.15/rxrpc-fix-calc-of-resend-age.patch new file mode 100644 index 00000000000..6d1c6e007f2 --- /dev/null +++ b/queue-5.15/rxrpc-fix-calc-of-resend-age.patch @@ -0,0 +1,34 @@ +From 92b52291c54c47070294283317e10f901a11a2e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Apr 2022 13:34:09 +0100 +Subject: rxrpc: Fix calc of resend age + +From: David Howells + +[ Upstream commit 214a9dc7d852216e83acac7b75bc18f01ce184c2 ] + +Fix the calculation of the resend age to add a microsecond value as +microseconds, not nanoseconds. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/call_event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c +index f8ecad2b730e..2a93e7b5fbd0 100644 +--- a/net/rxrpc/call_event.c ++++ b/net/rxrpc/call_event.c +@@ -166,7 +166,7 @@ static void rxrpc_resend(struct rxrpc_call *call, unsigned long now_j) + _enter("{%d,%d}", call->tx_hard_ack, call->tx_top); + + now = ktime_get_real(); +- max_age = ktime_sub(now, jiffies_to_usecs(call->peer->rto_j)); ++ max_age = ktime_sub_us(now, jiffies_to_usecs(call->peer->rto_j)); + + spin_lock_bh(&call->lock); + +-- +2.35.1 + diff --git a/queue-5.15/rxrpc-fix-local-destruction-being-repeated.patch b/queue-5.15/rxrpc-fix-local-destruction-being-repeated.patch new file mode 100644 index 00000000000..d24d1892c9f --- /dev/null +++ b/queue-5.15/rxrpc-fix-local-destruction-being-repeated.patch @@ -0,0 +1,38 @@ +From ac32b373b6a6500af601af194738acddfaebbcd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 May 2022 23:55:21 +0100 +Subject: rxrpc: Fix local destruction being repeated + +From: David Howells + +[ Upstream commit d3d863036d688313f8d566b87acd7d99daf82749 ] + +If the local processor work item for the rxrpc local endpoint gets requeued +by an event (such as an incoming packet) between it getting scheduled for +destruction and the UDP socket being closed, the rxrpc_local_destroyer() +function can get run twice. The second time it can hang because it can end +up waiting for cleanup events that will never happen. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/local_object.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c +index ef43fe8bdd2f..1d15940f61d7 100644 +--- a/net/rxrpc/local_object.c ++++ b/net/rxrpc/local_object.c +@@ -406,6 +406,9 @@ static void rxrpc_local_processor(struct work_struct *work) + container_of(work, struct rxrpc_local, processor); + bool again; + ++ if (local->dead) ++ return; ++ + trace_rxrpc_local(local->debug_id, rxrpc_local_processing, + atomic_read(&local->usage), NULL); + +-- +2.35.1 + diff --git a/queue-5.15/scsi-lpfc-return-did_transport_disrupted-instead-of-.patch b/queue-5.15/scsi-lpfc-return-did_transport_disrupted-instead-of-.patch new file mode 100644 index 00000000000..43f332ab214 --- /dev/null +++ b/queue-5.15/scsi-lpfc-return-did_transport_disrupted-instead-of-.patch @@ -0,0 +1,49 @@ +From f2c3ed5747f51accbfc5f7c69a537642abb015d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 08:00:33 +0200 +Subject: scsi: lpfc: Return DID_TRANSPORT_DISRUPTED instead of DID_REQUEUE + +From: Hannes Reinecke + +[ Upstream commit c0a50cd389c3ed54831e240023dd12bafa56b3a6 ] + +When the driver hits an internal error condition returning DID_REQUEUE the +I/O will be retried on the same ITL nexus. This will inhibit multipathing, +resulting in endless retries even if the error could have been resolved by +using a different ITL nexus. Return DID_TRANSPORT_DISRUPTED to allow for +multipath to engage and route I/O to another ITL nexus. + +Link: https://lore.kernel.org/r/20220824060033.138661-1-hare@suse.de +Reviewed-by: James Smart +Signed-off-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_scsi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c +index 7da8e4c845df..41313fcaf84a 100644 +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -4278,7 +4278,7 @@ lpfc_fcp_io_cmd_wqe_cmpl(struct lpfc_hba *phba, struct lpfc_iocbq *pwqeIn, + lpfc_cmd->result == IOERR_NO_RESOURCES || + lpfc_cmd->result == IOERR_ABORT_REQUESTED || + lpfc_cmd->result == IOERR_SLER_CMD_RCV_FAILURE) { +- cmd->result = DID_REQUEUE << 16; ++ cmd->result = DID_TRANSPORT_DISRUPTED << 16; + break; + } + if ((lpfc_cmd->result == IOERR_RX_DMA_FAILED || +@@ -4567,7 +4567,7 @@ lpfc_scsi_cmd_iocb_cmpl(struct lpfc_hba *phba, struct lpfc_iocbq *pIocbIn, + lpfc_cmd->result == IOERR_NO_RESOURCES || + lpfc_cmd->result == IOERR_ABORT_REQUESTED || + lpfc_cmd->result == IOERR_SLER_CMD_RCV_FAILURE) { +- cmd->result = DID_REQUEUE << 16; ++ cmd->result = DID_TRANSPORT_DISRUPTED << 16; + break; + } + if ((lpfc_cmd->result == IOERR_RX_DMA_FAILED || +-- +2.35.1 + diff --git a/queue-5.15/series b/queue-5.15/series index 7528a922557..3c9de9b37c1 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -25,3 +25,18 @@ drm-amdgpu-move-nbio-ih_doorbell_range-into-ih-code-for-vega.patch drm-amdgpu-move-nbio-sdma_doorbell_range-into-sdma-code-for-vega.patch binder-remove-inaccurate-mmap_assert_locked.patch video-fbdev-i740fb-error-out-if-pixclock-equals-zero.patch +arm64-dts-juno-add-missing-mhu-secure-irq.patch +asoc-nau8824-fix-semaphore-unbalance-at-error-paths.patch +regulator-pfuze100-fix-the-global-out-of-bounds-acce.patch +scsi-lpfc-return-did_transport_disrupted-instead-of-.patch +rxrpc-fix-local-destruction-being-repeated.patch +rxrpc-fix-calc-of-resend-age.patch +wifi-mac80211_hwsim-check-length-for-virtio-packets.patch +alsa-hda-sigmatel-keep-power-up-while-beep-is-enable.patch +alsa-hda-tegra-align-bdl-entry-to-4kb-boundary.patch +net-usb-qmi_wwan-add-quectel-rm520n.patch +afs-return-eagain-not-eremoteio-when-a-file-already-.patch +mips-octeon-irq-fix-octeon_irq_force_ciu_mapping.patch +drm-panfrost-devfreq-set-opp-to-the-recommended-one-.patch +mksysmap-fix-the-mismatch-of-l0-symbols-in-system.ma.patch +video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch diff --git a/queue-5.15/video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch b/queue-5.15/video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch new file mode 100644 index 00000000000..38eaa6fdb85 --- /dev/null +++ b/queue-5.15/video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch @@ -0,0 +1,36 @@ +From 2e2313fb823cc5292ac77f2f8734119df81a1147 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jun 2022 07:17:46 -0700 +Subject: video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write + +From: Hyunwoo Kim + +[ Upstream commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 ] + +In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of +type int. Then, copy_from_user() may cause a heap overflow because it is used +as the third argument of copy_from_user(). + +Signed-off-by: Hyunwoo Kim +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/pxa3xx-gcu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c +index 9421d14d0eb0..9e9888e40c57 100644 +--- a/drivers/video/fbdev/pxa3xx-gcu.c ++++ b/drivers/video/fbdev/pxa3xx-gcu.c +@@ -381,7 +381,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff, + struct pxa3xx_gcu_batch *buffer; + struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file); + +- int words = count / 4; ++ size_t words = count / 4; + + /* Does not need to be atomic. There's a lock in user space, + * but anyhow, this is just for statistics. */ +-- +2.35.1 + diff --git a/queue-5.15/wifi-mac80211_hwsim-check-length-for-virtio-packets.patch b/queue-5.15/wifi-mac80211_hwsim-check-length-for-virtio-packets.patch new file mode 100644 index 00000000000..4236cbf3135 --- /dev/null +++ b/queue-5.15/wifi-mac80211_hwsim-check-length-for-virtio-packets.patch @@ -0,0 +1,71 @@ +From 3372733275303bed289f9089fbb41d183ba37ec9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 10:19:58 +0200 +Subject: wifi: mac80211_hwsim: check length for virtio packets + +From: Soenke Huster + +[ Upstream commit 8c0427842aaef161a38ac83b7e8d8fe050b4be04 ] + +An invalid packet with a length shorter than the specified length in the +netlink header can lead to use-after-frees and slab-out-of-bounds in the +processing of the netlink attributes, such as the following: + + BUG: KASAN: slab-out-of-bounds in __nla_validate_parse+0x1258/0x2010 + Read of size 2 at addr ffff88800ac7952c by task kworker/0:1/12 + + Workqueue: events hwsim_virtio_rx_work + Call Trace: + + dump_stack_lvl+0x45/0x5d + print_report.cold+0x5e/0x5e5 + kasan_report+0xb1/0x1c0 + __nla_validate_parse+0x1258/0x2010 + __nla_parse+0x22/0x30 + hwsim_virtio_handle_cmd.isra.0+0x13f/0x2d0 + hwsim_virtio_rx_work+0x1b2/0x370 + process_one_work+0x8df/0x1530 + worker_thread+0x575/0x11a0 + kthread+0x29d/0x340 + ret_from_fork+0x22/0x30 + + +Discarding packets with an invalid length solves this. +Therefore, skb->len must be set at reception. + +Change-Id: Ieaeb9a4c62d3beede274881a7c2722c6c6f477b6 +Signed-off-by: Soenke Huster +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mac80211_hwsim.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index feddf4045a8c..52a2574b7d13 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -4278,6 +4278,10 @@ static int hwsim_virtio_handle_cmd(struct sk_buff *skb) + + nlh = nlmsg_hdr(skb); + gnlh = nlmsg_data(nlh); ++ ++ if (skb->len < nlh->nlmsg_len) ++ return -EINVAL; ++ + err = genlmsg_parse(nlh, &hwsim_genl_family, tb, HWSIM_ATTR_MAX, + hwsim_genl_policy, NULL); + if (err) { +@@ -4320,7 +4324,8 @@ static void hwsim_virtio_rx_work(struct work_struct *work) + spin_unlock_irqrestore(&hwsim_virtio_lock, flags); + + skb->data = skb->head; +- skb_set_tail_pointer(skb, len); ++ skb_reset_tail_pointer(skb); ++ skb_put(skb, len); + hwsim_virtio_handle_cmd(skb); + + spin_lock_irqsave(&hwsim_virtio_lock, flags); +-- +2.35.1 + -- 2.47.3